Windows File System Filter Driver Development

This tutorial provides easy-to-understand steps for developing a simple file system filter driver. The demo driver we show you how to create prints the names of opened files to the debug output.


This article is written for engineers with basic Windows device driver development experience and knowledge of C/C++. It may also be useful for people without a deep understanding of Windows driver development.

What is a Windows file system filter driver?

A Windows file system filter driver is called during each file system I/O operation (create, read, write, rename, etc.), and is therefore able to modify the behavior of the file system. File system filter drivers are comparable to legacy drivers, although they require several special development steps. Security, backup, snapshot, and anti-virus software all use such drivers.

Developing a Simple File System Filter Driver

Before starting development

First, in order to develop a file system filter driver, you need the IFS or WDK kit from the Microsoft website. You also have to set the %WINDDK% environment variable to the path where you installed the WDK/IFS kit.

Attention: Even the smallest error in a file system driver can cause a BSOD or system instability.

Main.c

File system filter driver entry

DriverEntry is the entry point of any driver, including a file system filter driver. The first thing we do there is store the DriverObject pointer in a global variable.
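As an added illustration (this is not the article's Main.c and not the original project's code), the following C program models the DriverEntry step described above: it stores the DriverObject in a global, fills the MajorFunction dispatch table with a pass-through handler, and installs an IRP_MJ_CREATE handler that prints the name of the file being opened. To keep it buildable outside the WDK, it declares user-mode stand-ins for the kernel types (UNICODE_STRING, FILE_OBJECT, IRP, DRIVER_OBJECT) and replaces IoCallDriver and DbgPrint with a counter and printf; those stand-ins, the sample file name, and the FsFilter* function names are all assumptions of this example. The point worth taking from it is that FILE_OBJECT->FileName is a counted string whose Length is in bytes and whose buffer is not guaranteed to be NUL-terminated, so any copy or print must be bounded by Length, exactly the kind of small mistake the warning above is about.

```c
#include <stdio.h>
#include <string.h>
#include <stdint.h>

/* User-mode stand-ins for the WDK types the filter touches (assumption: they
   mirror the ntddk.h shapes closely enough to read across; a kernel build
   includes <ntddk.h> instead and drops this section). */
typedef uint16_t WCHAR;
typedef uint16_t USHORT;
typedef long NTSTATUS;
#define STATUS_SUCCESS          ((NTSTATUS)0x00000000L)
#define STATUS_BUFFER_OVERFLOW  ((NTSTATUS)0x80000005L)
#define IRP_MJ_CREATE           0x00
#define IRP_MJ_READ             0x03
#define IRP_MJ_MAXIMUM_FUNCTION 0x1b
typedef struct { USHORT Length; USHORT MaximumLength; WCHAR *Buffer; } UNICODE_STRING;
typedef struct { UNICODE_STRING FileName; } FILE_OBJECT;
typedef struct { unsigned char MajorFunction; FILE_OBJECT *FileObject; } IO_STACK_LOCATION;
typedef struct { IO_STACK_LOCATION *CurrentStackLocation; } IRP;
typedef struct { void *LowerDevice; } DEVICE_OBJECT;
typedef NTSTATUS (*PDRIVER_DISPATCH)(DEVICE_OBJECT *, IRP *);
typedef struct { PDRIVER_DISPATCH MajorFunction[IRP_MJ_MAXIMUM_FUNCTION + 1]; } DRIVER_OBJECT;

static DRIVER_OBJECT *g_fsFilterDriverObject = NULL; /* the tutorial's global */
static int  g_forwardedIrps = 0;     /* stand-in for IoCallDriver: counts forwards */
static char g_lastCreateName[260];   /* last name FsFilterCreate printed */

/* FILE_OBJECT->FileName is a counted UTF-16 string: Length is in BYTES and the
   buffer need not be NUL-terminated, so the copy is bounded by Length and never
   scans for a terminator (printing Buffer with "%ws" could read past it). */
NTSTATUS FsFilterCopyFileName(const UNICODE_STRING *name, char *out, size_t outSize)
{
    size_t chars = name->Length / sizeof(WCHAR), i;
    if (outSize == 0) return STATUS_BUFFER_OVERFLOW;
    for (i = 0; i < chars && i + 1 < outSize; i++)
        out[i] = (name->Buffer[i] < 0x80) ? (char)name->Buffer[i] : '?';
    out[i] = '\0';
    return (i == chars) ? STATUS_SUCCESS : STATUS_BUFFER_OVERFLOW;
}

/* Default handler: hand the IRP to the device below unchanged. In the kernel this
   is IoSkipCurrentIrpStackLocation(Irp) followed by IoCallDriver(lower, Irp). */
NTSTATUS FsFilterPassThrough(DEVICE_OBJECT *DeviceObject, IRP *Irp)
{
    (void)DeviceObject; (void)Irp;
    g_forwardedIrps++;
    return STATUS_SUCCESS;
}

/* IRP_MJ_CREATE handler: log the name being opened, then pass the IRP through. */
NTSTATUS FsFilterCreate(DEVICE_OBJECT *DeviceObject, IRP *Irp)
{
    IO_STACK_LOCATION *sl = Irp->CurrentStackLocation; /* IoGetCurrentIrpStackLocation */
    if (sl->FileObject != NULL) {
        FsFilterCopyFileName(&sl->FileObject->FileName, g_lastCreateName, sizeof g_lastCreateName);
        printf("FsFilter: create %s\n", g_lastCreateName); /* DbgPrint("%wZ", ...) in the kernel */
    }
    return FsFilterPassThrough(DeviceObject, Irp);
}

/* Driver entry point: store DriverObject, then fill the dispatch table. */
NTSTATUS DriverEntry(DRIVER_OBJECT *DriverObject, UNICODE_STRING *RegistryPath)
{
    int i;
    (void)RegistryPath;
    g_fsFilterDriverObject = DriverObject;
    for (i = 0; i <= IRP_MJ_MAXIMUM_FUNCTION; i++)
        DriverObject->MajorFunction[i] = FsFilterPassThrough;
    DriverObject->MajorFunction[IRP_MJ_CREATE] = FsFilterCreate;
    /* A real filter continues with IoCreateDevice and attaching to the FS stack. */
    return STATUS_SUCCESS;
}

/* Constructed sample: \Windows\notepad.exe, followed by two code units that lie
   past Length, as a real FileName buffer may. */
static WCHAR g_sampleName[] = { '\\','W','i','n','d','o','w','s','\\',
                                'n','o','t','e','p','a','d','.','e','x','e','X','X' };

/* Runs DriverEntry, checks the table it built, then dispatches one create and one
   read through it. Returns the number of IRPs forwarded, or -1 if entry went wrong. */
int FsFilterDemo(void)
{
    static DRIVER_OBJECT drv;
    DEVICE_OBJECT dev = { NULL };
    FILE_OBJECT fo = { { 20 * sizeof(WCHAR), sizeof g_sampleName, g_sampleName } };
    IO_STACK_LOCATION sl = { IRP_MJ_CREATE, &fo };
    IRP irp = { &sl };
    g_forwardedIrps = 0;
    DriverEntry(&drv, NULL);
    if (g_fsFilterDriverObject != &drv || drv.MajorFunction[IRP_MJ_CREATE] != FsFilterCreate
        || drv.MajorFunction[IRP_MJ_READ] != FsFilterPassThrough)
        return -1;
    drv.MajorFunction[sl.MajorFunction](&dev, &irp); /* -> FsFilterCreate */
    sl.MajorFunction = IRP_MJ_READ;
    drv.MajorFunction[sl.MajorFunction](&dev, &irp); /* -> FsFilterPassThrough */
    return g_forwardedIrps;
}
```

Calling FsFilterDemo() prints "FsFilter: create \Windows\notepad.exe" and returns 2, one forward for the create and one for the read; the two trailing "X" code units in the sample buffer never appear in the output because the copy stops at Length. In a kernel build the same dispatch pattern applies, with DbgPrint("%wZ", &FileObject->FileName) being the idiomatic way to print the counted string without copying it.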


How To Install a File System Filter Driver

SC.EXE overview

We will use sc.exe (sc – service control) to manage our driver. This command-line utility queries and modifies the installed services database. It ships with Windows XP and higher, and can also be found in the Windows SDK/DDK.

Install file system filter driver

To install the file system filter driver, call:

sc create FsFilter type= filesys binPath= c:\FsFilter.sys

This creates a new service entry named FsFilter with the service type "file system driver" and the binary path c:\FsFilter.sys.

Start file system filter driver

To start the file system filter driver, call:

sc start FsFilter

The FsFilter service will be started.

Stop file system filter driver

To stop the file system filter driver, call:

sc stop FsFilter

The FsFilter service will be stopped.

Uninstall file system filter driver

To uninstall the file system filter driver, call:

sc delete FsFilter

This command instructs the service manager to remove the service entry with the name FsFilter.

Resulting script

We can put all those commands into a single batch file to make driver testing easier. Below are the contents of our Install.cmd command file:

sc create FsFilter type= filesys binPath= c:\FsFilter.sys
sc start FsFilter
pause
sc stop FsFilter
sc delete FsFilter
pause


Running a Sample of the File System Filter Driver

Now we are going to show how the file system filter works. For this purpose, we will use Sysinternals DebugView for Windows to monitor the debug output, and OSR Device Tree to view devices and drivers.

First, let’s build the driver. After that, we’ll copy the resultant FsFilter.sys file and the Install.cmd script to the root of the C drive.

Getting more advanced

The file system filter driver described above is very simple, and it lacks a number of functions required by a production driver. The idea of this article was to show the easiest way to create a file system filter driver, which is why we described this simple and easy-to-understand development process. You can write an IRP_MJ_FILE_SYSTEM_CONTROL handler of your own to track newly arrived volumes.

Conclusion

In our tutorial, we’ve provided you with simple steps for creating a file system filter driver. We’ve shown how to install, start, stop, and uninstall a file system filter driver using the command line. Other file system filter driver issues have also been discussed. We’ve considered the file system device stack with attached filters and have discussed how to monitor debug output from the driver. You can use the resources in this article as a skeleton for developing your own file system filter driver and modify its behavior according to your needs.