Updated on 24 Jul, 2025

What Is a File System Filter Driver?

A file system filter driver sits between the I/O Manager and the file system (e.g., NTFS, ReFS) to observe or modify the system activity.

Instead of directly managing file systems, filter drivers attach to the stack to:

  • Monitor file operations (audit or log)
  • Block certain I/O (e.g., writes to protected files)
  • Modify data on-the-fly (e.g., encryption)

Microsoft provides a framework called the Filter Manager (FltMgr.sys) that lets developers write Minifilters instead of legacy file system filter drivers, which had to manage device attachment, IRP completion and fast I/O themselves.

Minifilter Architecture Overview

Minifilters run inside the Filter Manager (FltMgr) system component. Several Minifilters can be stacked on the same volume; each is placed by its altitude, a decimal string such as 370010. A filter with a higher altitude sits above one with a lower altitude, so it sees a request first on the way down to the file system and last when the completion comes back up.

I/O Flow:

[ Application ]
     ↓
[ I/O Manager ]
     ↓
[ Filter Manager (FltMgr) ]
     ↓
[ Minifilter A ]
     ↓
[ Minifilter B ]
     ↓
[ File System Driver (e.g., NTFS) ]

Each Minifilter registers pre-operation and/or post-operation callbacks for the major function codes (IRP_MJ_*) it wants to see, such as:

  • IRP_MJ_CREATE → File open
  • IRP_MJ_WRITE → File write
  • IRP_MJ_SET_INFORMATION → File rename/delete

Key Components of a Minifilter

1 DriverEntry

  • Initializes the Minifilter (e.g., allocates global state, creates a communication port if user mode needs to talk to it)
  • Calls FltRegisterFilter with an FLT_REGISTRATION structure that points at the operation registration table, the instance-setup callback and the optional FilterUnloadCallback
  • Calls FltStartFiltering; only after that does the Minifilter begin receiving I/O

2 Operation Registration Table

Defines which IRPs your driver will handle and whether it intercepts pre-operation, post-operation, or both.

CONST FLT_OPERATION_REGISTRATION Callbacks[] = {
    { IRP_MJ_CREATE, 0, PreCreate, PostCreate },
    { IRP_MJ_WRITE, 0, PreWrite, NULL },
    { IRP_MJ_OPERATION_END }
};

3 Callback Functions

Each callback receives:

  • A PFLT_CALLBACK_DATA structure describing the operation: the major function, its parameters (e.g., the write buffer and length) and, in a post-operation callback, the IoStatus the lower layers returned
  • A PCFLT_RELATED_OBJECTS structure with the filter, instance, volume and file object the operation targets
  • A completion context: a pre-operation callback gets a PVOID * it may set, and the matching post-operation callback receives that same pointer

Sample PreCreate, which denies every open of a file whose extension is .exe. Note that an unscoped rule like this also blocks fltmc.exe and every other program launch, so a real filter restricts it to a path, volume or requesting process:

FLT_PREOP_CALLBACK_STATUS
PreCreate(PFLT_CALLBACK_DATA Data, PCFLT_RELATED_OBJECTS FltObjects, PVOID *CompletionContext) {
    UNREFERENCED_PARAMETER(FltObjects);
    UNREFERENCED_PARAMETER(CompletionContext);
    PFLT_FILE_NAME_INFORMATION nameInfo;
    UNICODE_STRING exe = RTL_CONSTANT_STRING(L"exe");
    NTSTATUS status = FltGetFileNameInformation(Data, FLT_FILE_NAME_NORMALIZED | FLT_FILE_NAME_QUERY_DEFAULT, &nameInfo);
    if (!NT_SUCCESS(status)) {
        return FLT_PREOP_SUCCESS_NO_CALLBACK;   // name unavailable: let the open proceed
    }
    // Parse the name so nameInfo->Extension is valid; Name is a UNICODE_STRING, not NUL-terminated, so never wcsstr() it
    BOOLEAN block = NT_SUCCESS(FltParseFileNameInformation(nameInfo)) &&
                    RtlEqualUnicodeString(&nameInfo->Extension, &exe, TRUE);
    FltReleaseFileNameInformation(nameInfo);   // always drop the reference, on every path
    if (block) {
        Data->IoStatus.Status = STATUS_ACCESS_DENIED;   // completing the IRP requires a real status
        Data->IoStatus.Information = 0;
        return FLT_PREOP_COMPLETE;
    }
    return FLT_PREOP_SUCCESS_NO_CALLBACK;
}

Installing and Managing Minifilters

INF File Setup

INF files for Minifilters must:

  • Declare the filter's class (Class and ClassGuid, e.g., ActivityMonitor) and the matching LoadOrderGroup (e.g., "FSFilter Activity Monitor")
  • Define the instance Altitude as a registry value under the service's Instances key (e.g., a value in 320000–329999 for anti-virus, 360000–389999 for activity monitors)
  • Declare FltMgr as a service dependency (Dependencies = "FltMgr") so the Filter Manager is running before the Minifilter starts
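A complete INF for a hypothetical activity-monitor Minifilter, added here as an example; it is not from the article and follows the layout of the WDK minifilter samples. The service name MyMinifilter, the driver file MyMinifilter.sys and the altitude 370010 are placeholders: 370010 lies in the FSFilter Activity Monitor range but is not an allocated value.

```ini
; Example INF (not the article's): hypothetical "MyMinifilter" activity monitor.
[Version]
Signature   = "$WINDOWS NT$"
Class       = "ActivityMonitor"                         ; filter class, matches the load-order group below
ClassGuid   = {b86dff51-a31e-4bac-b3cf-e8cfe75c9fc2}    ; GUID of the ActivityMonitor class
Provider    = %ProviderString%
DriverVer   = 01/01/2025,1.0.0.0
CatalogFile = MyMinifilter.cat                          ; test-signed catalog for development builds
PnpLockdown = 1

[DestinationDirs]
DefaultDestDir           = 12                           ; %windir%\System32\drivers
MyMinifilter.DriverFiles = 12

[DefaultInstall.NTamd64]
OptionDesc = %ServiceDescription%
CopyFiles  = MyMinifilter.DriverFiles

[DefaultInstall.NTamd64.Services]
AddService = %ServiceName%,,MyMinifilter.Service

[DefaultUninstall.NTamd64]
LegacyUninstall = 1
DelFiles        = MyMinifilter.DriverFiles

[DefaultUninstall.NTamd64.Services]
DelService = %ServiceName%,0x200        ; 0x200 = stop the service before deleting it

[MyMinifilter.Service]
DisplayName    = %ServiceName%
Description    = %ServiceDescription%
ServiceBinary  = %12%\%DriverName%.sys
Dependencies   = "FltMgr"               ; Filter Manager must be running first
ServiceType    = 2                      ; SERVICE_FILE_SYSTEM_DRIVER
StartType      = 3                      ; SERVICE_DEMAND_START: loaded with fltmc load
ErrorControl   = 1                      ; SERVICE_ERROR_NORMAL
LoadOrderGroup = "FSFilter Activity Monitor"
AddReg         = MyMinifilter.AddRegistry

[MyMinifilter.AddRegistry]
HKR,,"DebugFlags",0x00010001,0x0
HKR,,"SupportedFeatures",0x00010001,0x3
HKR,"Instances","DefaultInstance",0x00000000,%DefaultInstance%
HKR,"Instances\"%Instance1.Name%,"Altitude",0x00000000,%Instance1.Altitude%   ; where fltmc reads the altitude
HKR,"Instances\"%Instance1.Name%,"Flags",0x00010001,%Instance1.Flags%

[MyMinifilter.DriverFiles]
%DriverName%.sys

[SourceDisksFiles]
MyMinifilter.sys = 1,,

[SourceDisksNames]
1 = %DiskId1%,,,

[Strings]
ProviderString     = "Example Provider"
ServiceDescription = "MyMinifilter activity-monitor mini-filter driver"
ServiceName        = "MyMinifilter"
DriverName         = "MyMinifilter"
DiskId1            = "MyMinifilter Device Installation Disk"
DefaultInstance    = "MyMinifilter Instance"
Instance1.Name     = "MyMinifilter Instance"
Instance1.Altitude = "370010"           ; placeholder, not an allocated altitude
Instance1.Flags    = 0x0                ; 0 = attach automatically to all volumes
```

The Altitude value under Instances is the one Filter Manager reads when the filter attaches, so it must agree with the altitude you were allocated; the LoadOrderGroup string only has to name the group that range belongs to.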

Loading and Testing

Use the following tools:

  • fltmc load <drivername> – load the Minifilter (its service must already be installed, e.g., from the INF)
  • fltmc filters – list loaded filters with their altitudes; fltmc instances [-f <drivername>] – list the volumes each filter is attached to, with altitude and instance name
  • fltmc unload <drivername> – unload the driver; this fails unless the driver registered a FilterUnloadCallback

Development builds are test-signed, so enable test signing first (bcdedit /set testsigning on, then reboot) or the kernel will refuse to load them.

Altitude Values

The altitude determines the Minifilter's position in the filter stack, and Microsoft groups the altitude space into load-order groups, one range per kind of filter.

Altitude range     Load-order group (typical use)
400000–409999      FSFilter Top (reserved by Microsoft)
360000–389999      FSFilter Activity Monitor (auditing, logging)
320000–329999      FSFilter Anti-Virus (antivirus / anti-malware)
280000–289999      FSFilter Continuous Backup (backup drivers)
140000–149999      FSFilter Encryption (encryption / DRM)
Custom drivers     An altitude allocated by Microsoft in the matching group

Request an allocated altitude from Microsoft before shipping: Filter Manager refuses to attach a second instance at an altitude already in use on a volume (STATUS_FLT_INSTANCE_ALTITUDE_COLLISION), so an unregistered value can collide with another vendor's filter on a customer's machine.
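The loading, verification and altitude checks from the two sections above as one PowerShell script, added here as an example rather than taken from the article. It assumes a test-signed driver and service named MyMinifilter installed from .\MyMinifilter.inf at altitude 370010 (all placeholders) and parses the table printed by fltmc filters to check the altitude against Microsoft's ranges and against filters already loaded.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the article: install a development build of a
# minifilter, check its altitude against Microsoft's load-order ranges and
# against filters already loaded, confirm it attached where expected, run a
# passthrough probe, then unload it. Placeholders: service/driver "MyMinifilter",
# INF .\MyMinifilter.inf, altitude 370010 (Activity Monitor range, not allocated).
param(
    [string]$FilterName = 'MyMinifilter',
    [string]$InfPath    = '.\MyMinifilter.inf',
    [string]$Altitude   = '370010'
)

# Load-order groups from the article's table (decimal altitudes, inclusive).
$LoadOrderGroups = @(
    @{ Group = 'FSFilter Top (reserved)';    Min = 400000; Max = 409999 }
    @{ Group = 'FSFilter Activity Monitor';  Min = 360000; Max = 389999 }
    @{ Group = 'FSFilter Anti-Virus';        Min = 320000; Max = 329999 }
    @{ Group = 'FSFilter Continuous Backup'; Min = 280000; Max = 289999 }
    @{ Group = 'FSFilter Encryption';        Min = 140000; Max = 149999 }
)

function Get-LoadOrderGroup([string]$Alt) {
    # Altitudes are decimal strings, optionally fractional ("370010.5").
    $value = [double]$Alt
    foreach ($g in $LoadOrderGroups) {
        if ($value -ge $g.Min -and $value -le $g.Max) { return $g.Group }
    }
    return 'outside the ranges listed here'
}

function Get-LoadedFilters {
    # Parse the table printed by `fltmc filters`:
    #   Filter Name    Num Instances    Altitude    Frame
    # Header and separator lines do not match and are dropped; Frame is
    # "<Legacy>" for legacy filters, so it is taken as any non-space token.
    fltmc filters | ForEach-Object {
        if ($_ -match '^(\S+)\s+(\d+)\s+([\d.]+)\s+(\S+)\s*$') {
            [pscustomobject]@{
                Name      = $Matches[1]
                Instances = [int]$Matches[2]
                Altitude  = $Matches[3]
                Frame     = $Matches[4]
            }
        }
    }
}

function Assert-AltitudeFree([string]$Alt) {
    # Filter Manager refuses a second instance at an altitude already in use on a volume.
    $clash = Get-LoadedFilters | Where-Object { $_.Altitude -eq $Alt }
    if ($clash) { throw "Altitude $Alt is already used by $($clash.Name -join ', ')" }
}

# 1. A development build is test-signed; the kernel will not load it until
#    test signing is on (bcdedit /set testsigning on, then reboot).
if (-not ((bcdedit /enum '{current}') -match '^testsigning\s+Yes')) {
    throw 'Test signing is off: run "bcdedit /set testsigning on" and reboot first.'
}

# 2. Sanity-check the altitude, install the INF (creates the service with its
#    FltMgr dependency and the Instances\...\Altitude registry value), then load.
Write-Host "Altitude $Altitude is in group: $(Get-LoadOrderGroup $Altitude)"
Assert-AltitudeFree $Altitude
$inf = (Resolve-Path $InfPath).Path
Start-Process -FilePath rundll32.exe -Wait `
    -ArgumentList "setupapi.dll,InstallHinfSection DefaultInstall 132 $inf"
fltmc load $FilterName
if ($LASTEXITCODE -ne 0) { throw "fltmc load failed (exit code $LASTEXITCODE)" }

# 3. Confirm the filter is listed at the expected altitude and attached to volumes.
$loaded = Get-LoadedFilters | Where-Object Name -eq $FilterName
if (-not $loaded) { throw "$FilterName is not listed by 'fltmc filters'" }
if ($loaded.Altitude -ne $Altitude) {
    Write-Warning "Loaded at $($loaded.Altitude), expected $Altitude (check the INF Instances key)"
}
fltmc instances -f $FilterName      # one line per attached volume

# 4. Probe ordinary I/O through the new filter: a write and read-back must still
#    succeed. A deny from a pre-create callback would surface here as access denied.
$probe = Join-Path $env:TEMP 'minifilter-probe.txt'
Set-Content -Path $probe -Value 'passthrough-ok'
if ((Get-Content -Path $probe) -ne 'passthrough-ok') { throw 'I/O through the filter stack is broken' }
Remove-Item -Path $probe

# 5. Unload. Succeeds only if the driver registered a FilterUnloadCallback in
#    its FLT_REGISTRATION; otherwise fltmc reports that unload is not supported.
fltmc unload $FilterName
if ($LASTEXITCODE -ne 0) { Write-Warning "fltmc unload failed (exit code $LASTEXITCODE)" }
```

Run it from an elevated PowerShell in the directory holding the INF and .sys. The altitude check runs before fltmc load on purpose: a collision is reported by Filter Manager only when the instance tries to attach, and the filter then appears in fltmc filters with zero instances, which is easy to miss.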
