Windows File System Filter Driver Development
This tutorial provides you with easy to understand steps for a simple file system filter driver development. The demo driver that we show you how to create prints names of open files to debug output.
This article is written for engineers with basic Windows device driver development experience as well as knowledge of C/C++. In addition, it could also be useful for people without a deep understanding of Windows driver development.
What is Windows file system filter driver?
A Windows file system filter driver is called during each file system I/O operation (create, read, write, rename, etc.). Therefore, it is able to modify the behavior of the file system. File system filter drivers are comparable to legacy drivers, although they require several special development steps. Security, backup, snapshot, and anti-viruse software uses such drivers.
Developing a Simple File System Filter Driver
Before starting development
First, in order to develop a file system filter driver, you need the IFS or WDK kit from the Microsoft website. You also have to set the %WINDDK% environment variable to the path, where you have installed the WDK/IFS kit.
Attention: Even the smallest error in a file system driver can cause BSOD or system instability.
File system filter driver entry
It is an access point for any driver, including for file system filter driver. The first thing we should do is store
DriverObject as a global variable.
Related:- Best Free Epub Readers for Windows
How To Install a File System Filter Driver
We will use sc.exe (sc – service control) to manage our driver. We can use this command-line utility to query or modify the installed services database. It is shipped with Windows XP and higher, or you can find it in Windows SDK/DDK.
Install file system filter driver
To install the file system filter driver, call:
sc create FsFilter type= filesys binPath= c:\FSFilter.sys
This will create a new service entry with the name
FsFilter with a service type of filesystem and a binary path of c:\FsFilter.sys.
Start file system filter driver
To start the file system filter driver, call:
sc start FsFilter
FsFilter service will be started.
Stop file system driver
To stop the file system filter driver, call:
sc stop FsFilter
FsFilter service will be stopped.
Uninstall file system filter driver
To uninstall the file system filter driver, call:
sc delete FsFilter
This command instructs the service manager to remove the service entry with the name
We can put all those commands into a single batch file to make driver testing easier. Below are the contents of our Install.cmd command file:
sc create FsFilter type= filesys binPath= c:\FsFilter.sys sc start FsFilter pause sc stop FsFilter sc delete FsFilter pause Related:- The 4 Best Password Managers of 2020
Running a Sample of the File System Filter Driver
Now we are going to show how the file system filter works. For this purpose, we will use Sysinternals DebugView for Windows to monitor debug output as well as OSR Device Tree to view devices and drivers.
First, let’s build the driver. After that, we’ll copy the resultant FsFilter.sys file and the Install.cmd script to the root of the C drive.
Getting more advanced
The file system filter driver described above is very simple, and it lacks a number of functions, required for a common driver. The idea of this article was to show the easiest way to create a file system filter driver, which is why we described this simple and easy-to-understand development process. You can write an
IRP_MJ_FILE_SYSTEM_CONTROL handler of your own to track newly arrived volumes.
In our tutorial, we’ve provided you with simple steps for creating a file system filter driver. We’ve shown how to install, start, stop, and uninstall a file system filter driver using the command line. Other file system filter driver issues have also been discussed. We’ve considered the file system device stack with attached filters and have discussed how to monitor debug output from the driver. You can use the resources in this article as a skeleton for developing your own file system filter driver and modify its behavior according to your needs.