Writing INF Files for Minifilters
What's an INF File?
An INF (Installation Information) file tells Windows how to install your driver. For Minifilters, it must:
- Define the driver as a
File System Filter - Register a unique altitude
- Specify the Filter Manager as a required service
- Define registry settings for filter loading
Sample INF for a Minifilter:
[Version]
Signature="$WINDOWS NT$"
Class=ActivityMonitor
ClassGuid={b86dff51-a31e-4bac-b3cf-e8cfe75c9fc2}
Provider=%CompanyName%
DriverVer=07/24/2025,1.0.0.0
CatalogFile=MyMinifilter.cat
[DestinationDirs]
DefaultDestDir = 12
[DefaultInstall]
CopyFiles = DriverCopy
AddReg = Minifilter.AddReg
[DriverCopy]
MyFilter.sys
[SourceDisksFiles]
MyFilter.sys=1
[SourceDisksNames]
1 = %DiskName%,,,
[DefaultInstall.Services]
AddService = MyFilter, 0x00000002, Service_Inst
[Service_Inst]
ServiceType = 2 ; FILE_SYSTEM_DRIVER
StartType = 3 ; Manual start
ErrorControl = 1
LoadOrderGroup = "FSFilter Activity Monitor"
ServiceBinary = %12%\MyFilter.sys
[Minifilter.AddReg]
HKLM,"System\CurrentControlSet\Services\MyFilter","Altitude",0x00000000,"370010"
HKLM,"System\CurrentControlSet\Services\MyFilter","Instances",0x00000012
HKLM,"System\CurrentControlSet\Services\MyFilter\Instances","DefaultInstance",0x00000000,"MyFilter Instance"
HKLM,"System\CurrentControlSet\Services\MyFilter\Instances\MyFilter Instance","Altitude",0x00000000,"370010"
HKLM,"System\CurrentControlSet\Services\MyFilter\Instances\MyFilter Instance","Flags",0x00010001,0
[Strings]
CompanyName = "YourCompany"
DiskName = "MyFilter Driver Disk"
Understanding Filter Altitudes
What Is an Altitude?
- A numeric string (e.g.,
“370010”) that determines filter order - Managed by the Filter Manager
- Must be unique withing a stack type (e.g., file system filters)
Microsoft-Assigned Ranges:
| Range | Use Case |
|---|---|
| 320000–329999 | Antivirus |
| 360000–369999 | Backup solutions |
| 370000–379999 | General utilities |
| 400000–409999 | Encryption, DLP |
Best Practice:
- Use a Microsoft-assigned altitude for production
- For testing, use a private value in your own range (
<400000)
Loading and Unloading Filters
Using fltmc (Filter Manager Console)
fltmc is the go-to tool for managing Minifilters.
Load a Filter:
fltmc load MyFilterView Loaded Filters:
fltmc filtersCheck Volume Attachments:
fltmc instancesUnload a Filter:
fltmc unload MyFilterUsing sc.exe for Device Filters:
sc start MyFilter
sc stop MyFilter
Leave a comment
Your email address will not be published. Required fields are marked *