How to view common mini-filter file system driver


Page 1

How to view common mini-filter file system driver using fltmc tool?

[email protected] April, 2014

Page 2

What is FLTMC?

FLTMC.exe is the Filter Manager Control Program, a command-line utility for common minifilter driver management operations. Developers often use it to load and unload minifilter drivers and to attach or detach these filters to volumes. The tool is also handy when troubleshooting performance problems or even a BSOD [Blue Screen of Death].

A file system mini-filter driver intercepts requests targeted at a file system or at another file system filter driver. By intercepting the request before it reaches its intended target, the filter driver can extend or replace the functionality provided by the original target of the request. Examples of file system filter drivers include anti-virus filters, backup agents, and encryption products.

Note: Unlike a legacy filter driver, a minifilter driver can be loaded at any time and attached at the appropriate location as determined by its altitude. The Filter Manager Control (FltMC) utility tracks the minifilters attached to the hardware (hard disk) or other storage systems (a hard drive on the SAN).

Important: Use this tool with caution. For troubleshooting purposes the results can be saved to a text file, e.g.:

C:\WINDOWS\system32>fltmc instances > C:\FilterInstance.log

or

C:\WINDOWS\system32>fltmc > c:\windows\fltmc.log

One can use the FLTMC.EXE program to enumerate the filter drivers for a specific volume. Right-click Command Prompt, select "Run as Administrator" and then type fltmc. Here is a sample output from my laptop:

Page 3

The next logical step was to find out what these filters are and whether they are safe. So I googled and discovered the following information:

What is sftredir.sys? [file is safe] Related to Sftredirxp.sys; Application Virtualization SystemGuard from Microsoft Corporation.

What is savonaccess.sys? [file is safe] Savonaccess.sys is the filename of a driver running on the Microsoft Windows operating system. In most cases this driver belongs to the product Sophos Anti-Virus On-Access Driver and is developed by Sophos Limited.

What is LCRECM.sys? [file is safe] It is one of the SOPHOS SafeGuard LAN Crypt filter drivers:

%Windir%\system32\drivers\lcfiltm.sys

%Windir%\system32\drivers\lcencm.sys

%Windir%\system32\drivers\lcrecm.sys

What is luafv.sys? [file is safe] Microsoft Windows LUA file virtualization filter driver file.

What is fileinfo.sys? [file is safe] This is a Microsoft-supplied mini-filter driver that is enabled and loaded by default on Vista.

The following commands are available with FLTMC:

To unload the Filter driver: C:\WINDOWS\system32>Fltmc unload Filterdriver

To load the Filter driver: C:\WINDOWS\system32>Fltmc load Filterdriver

Page 4

Instances: Use this mode to list the number of instances the driver is attached to. These filters are loaded and have at least one instance attached to a particular volume. A filter may have multiple instances.

To view all instances of loaded drivers: C:\WINDOWS\system32>Fltmc instances

The number of instances for a specific driver can be seen with the fltmc command; check the "Num Instances" column in the output above.

To attach the driver to a specific volume: C:\WINDOWS\system32>Fltmc attach Filter C:

To detach the driver from a specific volume: C:\WINDOWS\system32>Fltmc detach Filter C:
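The slides suggest saving fltmc output to a log file for troubleshooting. The following PowerShell script is an added example (not from the original slides) that parses the table printed by `fltmc` into objects and compares it with a baseline saved earlier, so a newly appeared filter, a vanished one, or a changed instance count stands out; the sample output embedded in it is constructed, and the function names are this example's own.

```powershell
# Added example: parse `fltmc` output and diff it against a saved baseline.
# The sample below is constructed; on a real host use the live output
# (`fltmc` from an elevated prompt, or a file saved with `fltmc > log`).
$SampleFltmc = @'
Filter Name                     Num Instances    Altitude    Frame
------------------------------  -------------  ------------  -----
vsepflt                                 5       328200         0
luafv                                   1       135000         0
FileInfo                                5        45000         0
'@

function ConvertFrom-FltmcFilters {
    # Skips header, dashed underline and blank lines; data rows are Name, Num Instances, Altitude, Frame.
    param([string[]]$Lines)
    foreach ($line in $Lines) {
        if ($line -match '^\s*($|-|Filter Name)') { continue }
        $f = @($line.Trim() -split '\s+')
        if ($f.Count -lt 4) { continue }
        [pscustomobject]@{
            Name      = $f[0]
            Instances = [int]$f[1]
            Altitude  = [decimal]$f[2]
            Frame     = [int]$f[3]
        }
    }
}

function Compare-FltmcBaseline {
    # Reports filters that appeared, disappeared or changed instance count since the baseline.
    param([string[]]$BaselineLines, [string[]]$CurrentLines)
    $base = @{}; $now = @{}
    ConvertFrom-FltmcFilters $BaselineLines | ForEach-Object { $base[$_.Name] = $_ }
    ConvertFrom-FltmcFilters $CurrentLines  | ForEach-Object { $now[$_.Name]  = $_ }
    foreach ($n in $now.Keys) {
        if (-not $base.ContainsKey($n)) {
            "NEW      $n (altitude $($now[$n].Altitude), $($now[$n].Instances) instance(s))"
        } elseif ($base[$n].Instances -ne $now[$n].Instances) {
            "CHANGED  $n instances $($base[$n].Instances) -> $($now[$n].Instances)"
        }
    }
    foreach ($n in $base.Keys) { if (-not $now.ContainsKey($n)) { "MISSING  $n" } }
}

# Offline demo: the "current" output has vsepflt unloaded and one extra (constructed) filter.
$baseline = $SampleFltmc -split "`r?`n"
$current  = @($baseline | Where-Object { $_ -notmatch '^vsepflt' })
$current += 'examplflt                               1       370000         0'
Compare-FltmcBaseline -BaselineLines $baseline -CurrentLines $current
```

For a live comparison, read the saved baseline with `Get-Content C:\FilterInstance.log` style paths from the slides and pass `fltmc` output as the current lines; a NEW entry is the prompt to ask which product installed the driver and whether its image is signed.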

Page 5

Types of Windows Drivers

There are two basic types of Microsoft Windows drivers:

User-mode drivers execute in user mode, and they typically provide an interface between a Win32 application and kernel-mode drivers or other operating system components. For example, in Windows Vista, all printer drivers execute in user mode. For more information about printer driver components, see Introduction to Printing.

Kernel-mode drivers execute in kernel mode as part of the executive, which consists of kernel-mode operating system components that manage I/O, Plug and Play, memory, processes and threads, security, and so on. Kernel-mode drivers are typically layered. Generally, higher-level drivers receive data from applications, filter the data, and pass it to a lower-level driver that supports device functionality.

Kernel-mode drivers are further classified as:

Highest-level,

Intermediate,

Lowest-level.

Each type differs only slightly in structure but greatly in functionality; for more information read this: http://msdn.microsoft.com/en-us/library/windows/hardware/ff564864(v=vs.85).aspx

What Is a File System Filter Driver?

A file system filter driver is an optional driver that adds value to or modifies the behaviour of a file system. A file system filter driver is a kernel-mode component that runs as part of the Windows executive. A file system filter driver can filter I/O operations for one or more file systems or file system volumes. Depending on the nature of the driver, filter can mean log, observe, modify, or even prevent. Typical applications for file system filter drivers include antivirus utilities, encryption programs, and hierarchical storage management systems. The simplest definition of a file system filter driver would be: a file system filter driver attaches itself to one or more mounted volumes and filters all I/O operations on them.

How Are File System Filter Drivers Different from Device Drivers?

Although file system filter drivers and device drivers both create device objects, they differ in the number and kinds of device objects that they create. Device drivers create physical and functional device objects to represent devices. The Plug and Play (PnP) Manager builds and maintains a global device tree that contains all device objects that are created by device drivers. The device objects that file system filter drivers create are not contained in this device tree.

Page 6

File system filter drivers do not create physical or functional device objects. Instead, they create control device objects and filter device objects. The control device object represents the filter driver to the system and to user-mode applications. The filter device object performs the actual work of filtering a specific file system or volume. A file system filter driver normally creates one control device object and one or more filter device objects. Please Note: File system filter drivers cannot be Windows Driver Model (WDM) drivers. The Microsoft Windows Driver Model is only for device drivers.

Installing a Minifilter Driver For Microsoft Windows XP and later operating systems, you should install your minifilter driver by using an INF file and an installation application. (On Windows 2000 and earlier operating systems, minifilter drivers were commonly installed by the Service Control Manager.)

In the future, INF-based installation is expected to meet Windows Hardware Certification Kit requirements for minifilter drivers. Note that "INF-based installation" means only that you will need to use an INF file to copy files and to store information in the registry. You will not be required to install your entire product by using only an INF file, and you will not be required to provide a "right-click install" option for your driver.

Is a file system filter driver an upper filter or a lower filter?

Unlike device filter drivers, which can attach above or below a target device's function driver, file system filter drivers can attach only above a target file system driver. Thus, in device-driver terms, a file system filter driver can be only an upper filter, never a lower filter.

Attaching a Filter to a File System or Volume

File system filter drivers can attach to, and filter I/O for, any file system volume. They cannot attach directly to storage devices, such as disk drives or partitions. Also, they cannot attach to individual directories or files.

Where are drivers stored on Windows?

Starting with Windows Vista, the driver store is a new, central location where all the driver files are stored before they are copied to their final destination during device driver installation. The location of the driver store is C:\Windows\System32\DriverStore. Within this folder are the driver files (.sys), driver setup files (.inf), pre-compiled INF files (.pnf), and an XML manifest file that lists all the files within the driver package. Together, all of these files make up the driver package, which contains everything needed to install the device. To protect these files, the NTFS permissions on the driver store and its sub-folders and files are Full Control for the Local System account and Read & Execute for the built-in Everyone identity. Earlier, in Windows XP and 2000, the driver source files needed for installing devices were typically found in several locations:

%SystemRoot%\Driver Cache\i386\drivers.cab

%SystemRoot%\Driver Cache\i386\service_pack.cab

.inf files under %windir%\inf

.sys files under %SystemRoot%\System32\Drivers

Support DLLs under %SystemRoot%\System32

Third Party co-installers in various locations.

Page 7

Advantages of maintaining a central store:

Allows for potentially faster device installation and more reliable driver rollback and is a single standard for un-installing drivers.

Allows you to protect drivers by using the Windows Resource Protection (WRP).

Uses index files to minimize the performance impact on installing devices when the driver store grows in size as a result of new package additions.

What is the other purpose of this tool?

`fltmc.exe` can be used to check whether the filter drivers are available to the I/O stack. For example, for quota enforcement to work, the quota minifilter driver must be working properly and must be correctly attached to the volume. If the quota minifilter driver is experiencing problems, quota scans might fail, and updated quota usage information for volumes and folders will not be available. If the driver cannot attach to the volume, quotas cannot be enforced on that volume. The two mini-filter drivers required for this are:

datascrn.sys = A kernel-mode mini-filter that implements file screening.

quota.sys = A kernel-mode mini-filter that implements quota checks.

To load the drivers:

C:\>fltmc load Datascrn

C:\>fltmc load Quota

To view which volumes are available:

C:\>fltmc volumes

To attach to a particular volume:

C:\>fltmc attach Datascrn \Device\HarddiskVolume1

C:\>fltmc attach Quota \Device\HarddiskVolume1

Page 8

USE CASES

How to use FLTMC.exe to load and unload the evfilter mini-filter driver for Enterprise Vault (EV) for File System Archiving (FSA)

To unload the EvFilter driver:

Fltmc unload EvFilter

To load the EvFilter driver:

Fltmc load EvFilter

To view all instances of loaded drivers:

Fltmc instances

To attach the driver to a specific volume:

Fltmc attach EvFilter C:

To detach the driver from a specific volume:

Fltmc detach EvFilter C:

A mini-filter driver from VMware can cause slow file copy performance in the virtual machine:

The filter driver 'vsepflt.sys' can impact the performance of file copy operations to or from a Windows network share. Starting with ESXi 5.0, VMware Tools ships with the vShield Endpoint filter driver (vsepflt). This driver is automatically loaded when VMware Tools is installed using the Full option rather than the Typical default. This is a known issue and has been resolved in VMware ESXi 5.0 Update 2; please update to resolve this issue. If you cannot update and you are not using vShield Endpoint for antivirus protection, unload the filter driver and disable it.

C:\> fltmc

Filter Name              Num Instances    Altitude    Frame
----------------------   -------------   ------------  -----
vsepflt                        5           328200        0
luafv                          1           135000        0

To unload the vsepflt driver, run the command:

C:\> fltmc unload vsepflt

For more info: http://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=2034490

Page 9

MSINFO32: For more information you can even run 'msinfo32' to check the drivers loaded on the server: Start | Run | Msinfo32, then expand "Software Environment" | System Drivers.

Request for Altitude: As a third-party application developer, you can request a minifilter driver altitude position from Microsoft using this format: Minifilter Altitude Request http://msdn.microsoft.com/en-us/library/windows/hardware/dn508284

Microsoft reserves the right on the requested altitude: Microsoft reserves the right to assign an altitude that is different from the requested altitude, depending on altitude availability and the filter driver functionality.

Page 10

How does a mini-filter driver work?

A mini-filter driver is loaded using the 'Filter Manager' framework. The Filter Manager provides a framework for developing file systems and file system filter drivers without having to manage all the complexities of file I/O. It simplifies the development of third-party filter drivers and solves many of the problems with the existing legacy filter driver model, such as the ability to control load order through an assigned altitude. A filter driver developed to the Filter Manager model is called a minifilter. Every minifilter driver has an assigned altitude, which is a unique identifier that determines where the minifilter is loaded relative to other minifilters in the I/O stack. Altitudes are allocated and managed by Microsoft. The filter manager component is installed with Windows, but it becomes active only when a minifilter driver is loaded.

A legacy filter driver's position in the file system I/O stack relative to other filter drivers is determined at system startup by its load order group. For example, an antivirus filter driver should be higher in the stack than a replication filter driver, so it can detect viruses and disinfect files before they are replicated to remote servers. Therefore, filter drivers in the FSFilter Anti-Virus load order group are loaded before filter drivers in the FSFilter Replication group.

The following figure shows a simplified I/O stack with the filter manager and three minifilter drivers.
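Altitude and load order group are stored with the driver's service entry when a minifilter is installed through its INF. The PowerShell function below is an added example (not from the original slides) that lists the minifilters registered on the host from those registry keys, with altitude, load order group, start type and the Authenticode status of the driver image; it assumes the standard layout HKLM\SYSTEM\CurrentControlSet\Services\<service>\Instances with a DefaultInstance value, and it shows registered filters whether or not they are currently loaded, so compare it with `fltmc` output.

```powershell
# Added example: enumerate registered minifilters from the registry and
# check the signature of each driver image. Minifilters are identified by
# the Instances subkey that an INF-based install writes under the service.
function Get-RegisteredMinifilter {
    $services = 'HKLM:\SYSTEM\CurrentControlSet\Services'
    foreach ($svc in Get-ChildItem -Path $services -ErrorAction SilentlyContinue) {
        # Only minifilters carry an Instances key naming a default instance.
        $inst = Get-ItemProperty -Path "$($svc.PSPath)\Instances" -ErrorAction SilentlyContinue
        if (-not $inst -or -not $inst.DefaultInstance) { continue }
        $default = Get-ItemProperty -Path "$($svc.PSPath)\Instances\$($inst.DefaultInstance)" -ErrorAction SilentlyContinue
        $props = Get-ItemProperty -Path $svc.PSPath
        # ImagePath is often relative to the Windows directory
        # (system32\drivers\luafv.sys) or prefixed with \SystemRoot\ or \??\.
        $image = $props.ImagePath -replace '^\\SystemRoot\\', "$env:SystemRoot\" -replace '^\\\?\?\\', ''
        if ($image -and -not [System.IO.Path]::IsPathRooted($image)) {
            $image = Join-Path $env:SystemRoot $image
        }
        $sig = if ($image -and (Test-Path -LiteralPath $image)) {
            (Get-AuthenticodeSignature -FilePath $image).Status
        } else { 'ImageNotFound' }
        $alt = if ($default.Altitude) { [decimal]$default.Altitude } else { $null }
        [pscustomobject]@{
            Service   = $svc.PSChildName
            Altitude  = $alt
            Group     = $props.Group     # load order group, e.g. "FSFilter Anti-Virus"
            Start     = $props.Start     # 0 boot, 1 system, 2 auto, 3 manual, 4 disabled
            ImagePath = $image
            Signature = $sig             # Valid, NotSigned, HashMismatch, ...
        }
    }
}

# Highest altitude first: that filter is closest to the application and sees
# an I/O request before the filters below it.
Get-RegisteredMinifilter |
    Sort-Object Altitude -Descending |
    Format-Table Service, Altitude, Group, Start, Signature -AutoSize
```

A filter that is listed here but missing from `fltmc`, or one whose Signature is not Valid, is the one to investigate when answering the "what is this driver and is it safe?" question from the earlier slides.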

Page 11

USEFUL LINKS

List of Allocated Altitudes http://msdn.microsoft.com/en-us/library/windows/hardware/dn265170(v=vs.85).aspx

Installable File System Drivers http://msdn.microsoft.com/en-us/library/windows/hardware/ff551834(v=vs.85).aspx

More on FLTMC http://msdn.microsoft.com/en-us/library/ff540115(v=vs.85).aspx

An incompatible filter driver can put a cluster node into redirected mode: filter drivers introduced by third-party application(s) running on a cluster node may be incompatible with CSV. When the cluster detects these filter drivers, the CSV volume is placed in redirected mode to help prevent potential data corruption on the CSV volume.

http://blogs.technet.com/b/askcore/archive/2012/03/18/fixed-cluster-shared-volumes-csv-in-redirected-access-mode-after-installing-mcafee-vse-8-7-patch-5-or-8-8-patch-1.aspx

Courtesy: Microsoft http://msdn.microsoft.com/en-us/library/windows/hardware/ff557282(v=vs.85).aspx

Courtesy: http://mbrownnyc.wordpress.com/2013/05/22/filter-driver-attachments-to-volumes-the-file-server-resource-manager-and-whole-disk-encryption-specifically-truecrypt/

[email protected] April, 2014