![Windows file system minifilter driver](https://kumkoniak.com/25.jpg)
Load a Filter driver, Unload a Filter driver, List filter information, List all instances or the instances associated with a Filter or Volume, List all volumes (including the network redirectors), Attach or Detach a filter from a Volume.

Syntax

    FLTMC instances |
    FLTMC attach ]
    FLTMC detach

    DriverName    The full path to the sys file for the Filter driver.
    FilterName    The name for the Filter used by the driver to register and to load the Filter using this command line.
    VolumeName    The name of the volume, such as c: or d:
    InstanceName  The name for the instance to be attached or detached.
    -f            List the instances associated with the filter identified by filterName.
    -v            List the instances associated with the volume identified by volumeName.

If no altitude is provided, the necessary keys must already exist in the registry to describe the altitude for the given name. InstanceName is optional if an altitude is provided. The altitude is optional if an instanceName is provided. If specified, this new instance is placed at this explicit altitude. If a name is specified as well, the new instance will be given the name specified. If the attachment is successful, an Instance Name will be displayed to identify the instance created by this attachment.

The filterName is the name for the Filter that is used by the driver to register and to load the Filter using this command line. The instanceName is the identifier returned by the attach command. If no instanceName is given, the default instance for the Volume specified will be removed.

Minifilters are assigned a specific altitude by Microsoft. This will sit within a range that is specific to the function of the minifilter. E.g.

FLTMC requires an Elevated command prompt (either CMD or PowerShell).

File System Minifilter Drivers

A file system filter driver (Minifilter) is an optional driver that adds value to or modifies the behavior of a file system. These filter drivers process all filesystem activity including background processes. Typical uses are encryption software transparently encrypting new files, enforcing file quotas and, most commonly, anti-virus software scanning file activity.

A malicious rootkit infection may obfuscate its presence by installing a minifilter driver which intercepts and filters calls between other (legitimate) drivers and the system. It is therefore good practice to document the known minifilter drivers installed on your key systems. The FLTMC command can display existing filters and remove malicious ones.
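One way to act on the advice to document the known minifilters on key systems is to compare a saved listing against that record. The following is an added example, not part of the original page: it assumes the four-column layout (name, instance count, altitude, frame) printed by `fltmc filters`, and the sample output, the `UnknownFlt` entry and the baseline values are constructed for illustration.

```python
import re

# Constructed sample of `fltmc filters` output (column layout assumed, values illustrative).
SAMPLE_OUTPUT = """\
Filter Name                     Num Instances    Altitude    Frame
------------------------------  -------------  ------------  -----
WdFilter                                5       328010         0
UnknownFlt                              3       385100.5       0
luafv                                   1       135000         0
FileInfo                                5        40700         0
"""

# Hypothetical documented baseline for this host: filter name -> expected altitude.
BASELINE = {"WdFilter": "328010", "luafv": "135000", "FileInfo": "40500", "Wof": "40700"}

# A data row is: name, instance count, altitude (may be fractional), frame.
ROW = re.compile(r"^(\S+)\s+(\d+)\s+(\d+(?:\.\d+)?)\s+(\d+)$")


def parse_filters(text):
    """Return {filter name: altitude string}; header and separator rows do not match."""
    filters = {}
    for line in text.splitlines():
        match = ROW.match(line.strip())
        if match:
            filters[match.group(1)] = match.group(3)
    return filters


def compare_to_baseline(current, baseline):
    """Classify the differences between the live filter list and the documented one."""
    shared = set(current) & set(baseline)
    return {
        # Loaded but never documented: candidate for investigation.
        "unexpected": sorted(set(current) - set(baseline)),
        # Documented but not loaded: e.g. a security filter that was unloaded.
        "missing": sorted(set(baseline) - set(current)),
        # Same name at a different altitude than recorded.
        "altitude_changed": sorted(n for n in shared if current[n] != baseline[n]),
    }


if __name__ == "__main__":
    report = compare_to_baseline(parse_filters(SAMPLE_OUTPUT), BASELINE)
    for kind, names in report.items():
        print(f"{kind}: {', '.join(names) or '-'}")
```

A filter that is missing from the listing deserves the same attention as an unexpected one, since both are deviations from the documented state.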