fltmc

File System Minifilter Drivers

How does your anti-virus software know you’re trying to open a file that it needs to scan? How does your encryption software transparently encrypt and decrypt your files? How do file quotas get enforced? In each of these cases the answer probably relates to a specific File System Minifilter Driver.

In this post we’re going to gain an understanding of what File System Minifilter Drivers are and what they do. Along the way we’re going to touch on User Account Control (UAC), WIM Boot, SuperFetch, ReadyBoost, and Windows Defender.

File System Minifilter Drivers are drivers that attach to the filter manager in the I/O stack and for the most part either observe or modify I/O Request Packets (IRPs)* that they’re interested in.

*Technically not just IRPs, also Fast I/O and FSFilter operations.

Start an elevated command prompt and run fltmc.exe
You should see something similar to this…

Filter Name          Num Instances   Altitude   Frame
------------------   -------------   --------   -----
WdFilter                         4     328010       0
luafv                            1     135000       0
npsvctrig                        1      46000       0
FileInfo                         4      45000       0
Wof                              0      40700       0

We’ll explain instances, altitude, and frames as we go. Altitude is especially important, so let’s start there.

Altitude

Assuming an attempt to read data from a file system, it wouldn’t be much good if an anti-virus minifilter tried to read the contents of an IRP before an encryption minifilter had the opportunity to decrypt it. To ensure this kind of event doesn’t happen, minifilters are assigned a specific altitude by Microsoft. The assigned altitude will sit within a range of altitudes that are specific to the function of the minifilter.

For example, Anti-Virus minifilters will be assigned an altitude between 320,000 and 329,999. Encryption minifilters will be assigned an altitude between 140,000 and 149,999.

A list of altitude ranges can be found here: http://msdn.microsoft.com/en-us/library/windows/hardware/ff549689(v=vs.85).aspx

Altitudes are processed in descending order for writes (so anti-virus is handled before encryption), and ascending order for reads (so encryption is handled before anti-virus).
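Here’s an added example (not part of the original post) that turns the fltmc listing above into objects, maps each altitude onto its Microsoft load-order group and lists the filters in the order they see a request on its way down the stack. The Anti-Virus and Encryption ranges are the ones quoted above; the Activity Monitor, Virtualization and Bottom ranges are taken from Microsoft’s altitude table, and the expected-filter list is simply the filters from this post’s sample.

```powershell
# Microsoft's load-order groups for the altitudes seen in the post (other groups omitted).
$loadOrderGroups = @(
    @{ Name = 'FSFilter Activity Monitor'; Min = 360000; Max = 389999 },
    @{ Name = 'FSFilter Anti-Virus';       Min = 320000; Max = 329999 },
    @{ Name = 'FSFilter Encryption';       Min = 140000; Max = 149999 },
    @{ Name = 'FSFilter Virtualization';   Min = 130000; Max = 139999 },
    @{ Name = 'FSFilter Bottom';           Min =  40000; Max =  49999 }
)

function Get-LoadOrderGroup([double]$Altitude) {
    foreach ($g in $loadOrderGroups) {
        if ($Altitude -ge $g.Min -and $Altitude -le $g.Max) { return $g.Name }
    }
    'Unknown (look it up in the MSDN altitude table)'
}

# Turn the text rows that fltmc prints into objects. Altitudes may carry a
# fractional part (e.g. 328010.5), so they are kept as doubles.
function ConvertFrom-FltmcOutput([string[]]$Lines) {
    foreach ($line in $Lines) {
        if ($line -match '^\s*(\S+)\s+(\d+)\s+(\d+(?:\.\d+)?)\s+(\d+)\s*$') {
            [pscustomobject]@{
                FilterName   = $Matches[1]
                NumInstances = [int]$Matches[2]
                Altitude     = [double]$Matches[3]
                Frame        = [int]$Matches[4]
                Group        = Get-LoadOrderGroup ([double]$Matches[3])
            }
        }
    }
}

# Constructed sample: the listing from the post. On a live system use: $lines = fltmc.exe filters
$lines = @'
Filter Name          Num Instances   Altitude   Frame
WdFilter                         4     328010       0
luafv                            1     135000       0
npsvctrig                        1      46000       0
FileInfo                         4      45000       0
Wof                              0      40700       0
'@ -split "`r?`n"
$filters = ConvertFrom-FltmcOutput $lines

# Highest altitude sees a request first on the way down the stack and last on the
# way back up, so WdFilter (Anti-Virus) always sits above luafv (Virtualization).
$filters | Sort-Object Altitude -Descending | Format-Table FilterName, Altitude, Group, NumInstances -AutoSize

# Baseline check: a filter that is not in the expected set for this build deserves a closer look.
$expected = 'WdFilter', 'luafv', 'npsvctrig', 'FileInfo', 'Wof'
$filters | Where-Object { $_.FilterName -notin $expected } |
    ForEach-Object { Write-Warning "Unexpected minifilter $($_.FilterName) at altitude $($_.Altitude)" }
```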

Instances

To properly understand instances, we need to first understand volumes in the context of the filter manager. From your elevated command prompt run fltmc volumes

Let’s take a look at some of the entries you probably have…

\Device\HarddiskVolume1, 2, 3, …
Look at the Dos Name column and you’ll see if any of these volumes have been assigned a drive letter.

\Device\Mup
The MUP is the Multiple UNC (Universal Naming Convention) Provider. Acronyms within acronyms… Acronymception? MUP channels requests made in UNC format (e.g. \\server\share\file.ext) to the UNC provider for resolution. More information can be found here: http://msdn.microsoft.com/en-us/library/windows/hardware/ff556761(v=vs.85).aspx

\Device\NamedPipe and \Device\Mailslot
I’ve put these two together deliberately since they have their similarities. You may have used a NamedPipe to enable remote kernel debugging in WinDbg between two VMs. Take a look at this short article for more information: http://technet.microsoft.com/en-us/library/cc958776.aspx

Not all minifilter drivers are going to be interested in all these different endpoints. From your elevated command prompt run fltmc instances

In this view you can see the mapping of minifilter drivers to endpoints. For example, npsvctrig is only mapped to \Device\NamedPipe. That makes sense when you consider that npsvctrig is the named pipe service trigger provider. We’ll look at that more later.

One thing to note, the column SprtFtrs is short for Supported Features. If the value of supported features is equal to 3 then the minifilter supports both read and write Offloaded Data Transfers (ODX). More info here: http://msdn.microsoft.com/en-us/library/windows/hardware/dn265282(v=vs.85).aspx

Running fltmc from an elevated command prompt shows the total number of instances for each minifilter driver.

Frames and legacy drivers

From your elevated command prompt, run fltmc

Up until now, I’ve called everything a minifilter driver, but that isn’t necessarily accurate. You may have legacy filter drivers installed that don’t use the minifilter model. Unfortunately legacy filter drivers don’t slot neatly into place based on their altitude. The filter manager has to work around them by creating multiple frames, points at which the filter manager attaches to a file system’s I/O stack to load minifilters around legacy drivers so that the correct altitudes are maintained. The best explanation of this concept is available here: http://msdn.microsoft.com/en-us/library/windows/hardware/ff541610(v=vs.85).aspx

If you have legacy filters installed contact the manufacturer to see if a newer minifilter is available, or if they at least have a transition to the minifilter model on their roadmap. Why are minifilters better? Check this out: http://msdn.microsoft.com/en-us/library/windows/hardware/ff538896(v=vs.85).aspx

Examples

Let’s take a look at some of the minifilters on a standard Windows 8.1 system and what they do:

WdFilter.sys – Windows Defender
Windows 8.1 runs Windows Defender by default as an anti-virus solution. WdFilter.sys is most likely the on-access scanning component of Windows Defender, ensuring that files are scanned for viruses before being opened. That being said, there’s not a lot of documentation for WdFilter.sys and I couldn’t find anyone to ask, so it’s an educated guess!

luafv.sys – UAC File Virtualization
A bit of trivia for you that will help explain the filename, User Account Control (UAC) used to be known as Limited User Account (LUA). UAC File Virtualization provides a method for applications that aren’t running with administrative privileges to write to system locations in the file system and registry without encountering access denied errors. It does this by transparently redirecting file system requests into the VirtualStore which is not a system location. This whole thing is better illustrated with an example, for which we’ll turn to trusty Notepad.

Start Notepad without elevation
Try to save to C:\Windows\System32\standarddemo.txt

You should get an error message along the lines of:

You don’t have permission to save in this location.
Contact the administrator to obtain permission.
Would you like to save in the Documents folder instead?

Quit Notepad, and start it again with elevation (i.e. right-click, Run as administrator)
Try to save to C:\Windows\System32\elevateddemo.txt

That should be successful
Navigate to the file in Windows Explorer and delete it. Make sure you delete the right file

Quit Notepad and start it again without elevation
(This is where it gets interesting, promise.)

Start Task Manager
Click on the Details tab (I’ll assume you’re running Windows 8.1)
Right-click on the column headings, and click Select columns
Scroll to the bottom of the list and check UAC virtualization
Click OK
Find notepad.exe in the list of processes
Note that UAC virtualization is shown as Disabled for this process
Right-click on notepad.exe in the list and select UAC virtualization

You should see a message stating that:

Changing virtualization for a process may lead to undesired results including loss of data. You should do this only for debugging.

Absolutely, this is only for a demo after all

Click Change virtualization

Switch back to Notepad, and try to save to C:\Windows\System32\luafvdemo.txt

That should be successful
Now try navigating to the file in Windows Explorer. It’s not there is it?
Okay, try navigating to C:\Users\<currently logged on user>\AppData\Local\VirtualStore\Windows\System32\luafvdemo.txt

So now you know what luafv.sys does, and hopefully you’ve learned a bit about UAC along the way!
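As an added example (my own, not part of the original post), here’s a quick way to see what luafv.sys has already redirected on a machine: it walks the VirtualStore and works out, for each file, the protected location the un-elevated process thought it was writing to. It assumes every VirtualStore path maps back onto the system drive, which is the case for the C:\Windows\System32 demo above.

```powershell
# Walk the VirtualStore and show, for each redirected file, the protected location
# an un-elevated process thought it was writing to (assumption: all paths map onto
# the system drive, as in the post's C:\Windows\System32 example).
function Get-VirtualStoreRedirections {
    param(
        [string]$VirtualStore = (Join-Path $env:LOCALAPPDATA 'VirtualStore'),
        [string]$SystemDrive  = $env:SystemDrive
    )
    if (-not (Test-Path -LiteralPath $VirtualStore)) { return }
    Get-ChildItem -LiteralPath $VirtualStore -Recurse -File | ForEach-Object {
        # Strip the VirtualStore prefix, leaving e.g. Windows\System32\luafvdemo.txt
        $relative = $_.FullName.Substring($VirtualStore.Length).TrimStart('\')
        $intended = Join-Path $SystemDrive $relative
        [pscustomobject]@{
            VirtualStorePath = $_.FullName
            IntendedPath     = $intended
            # If a real file also exists at the protected path, elevated and
            # un-elevated processes now see different contents for the "same" file.
            ShadowsRealFile  = Test-Path -LiteralPath $intended
            LastWrite        = $_.LastWriteTime
        }
    }
}

# Most recent redirections first; luafvdemo.txt from the demo above should be at the top.
Get-VirtualStoreRedirections | Sort-Object LastWrite -Descending | Format-Table -AutoSize
```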

npsvctrig.sys – Named Pipe Service Trigger Provider
Provides a service trigger for named pipes… That is pretty much the sum total of my research to date! I don’t know much about the function of this minifilter driver but I’ve reached out to Microsoft for comment.

FileInfo.sys – FileInfo Filter Driver (SuperFetch / ReadyBoost)
SuperFetch aims to decrease boot time and application load times. It uses the FileInfo.sys minifilter driver to determine the files that the user is accessing so they can be optimized. ReadyBoost uses information from SuperFetch to cache data to a USB flash drive or SD card.

More information on both features can be found here: http://blogs.technet.com/b/askperf/archive/2007/03/29/windows-vista-superfetch-readyboost.aspx

Wof.sys – Windows Image File Boot
This minifilter enables the ability to run Windows directly from a compressed Windows Image File (WIM). Since it’s only needed if you’re running this scenario, it’s likely to have 0 instances in most cases. More information can be found here: http://msdn.microsoft.com/en-us/library/windows/desktop/dn641833(v=vs.85).aspx

Conclusion

Well, that’s everything I have for you! Hopefully you now understand:

  • What a File System Minifilter Driver is and what they’re used for
  • The difference between a legacy filter driver and a minifilter driver
  • How UAC file virtualization works (kind of a bonus!)

I’m planning a post on troubleshooting that will look at how we can use the Windows Performance Toolkit (WPT) and WinDbg to troubleshoot File System Minifilter Driver performance, so stay tuned for that!

Finally, I’ve got a couple more links for you…

http://blogs.msdn.com/b/ntdebugging/archive/2013/03/25/understanding-file-system-minifilter-and-legacy-filter-load-order.aspx

http://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=2034490

I hope you enjoyed this post and found it genuinely useful! If so, please tell your friends. If not, tell me how I can improve it. Until next time!

Ross
