URL: https://ss64.com/nt/fltmc.html

FLTMC.EXE

Manage MiniFilter drivers. Load a Filter driver, Unload a Filter driver, List
filter information, List all instances or the instances associated with a Filter
or Volume, List all volumes (including the network redirectors), Attach or
Detach a filter from a Volume.

Syntax
      FLTMC load [ driverName ]
      FLTMC unload [ driverName ]
      FLTMC filters
      FLTMC instances [-f filterName ]|[-v volumeName ]
      FLTMC volumes
      FLTMC attach [ filterName ] [ volumeName ] [[-i instanceName ][-a altitude]]
      FLTMC detach [ filterName ] [ volumeName ] [ instanceName ]

Key

   driverName  The full path to the sys file for the Filter driver.

   filterName  The name for the Filter used by the driver to register and
               to load the Filter using this command line.

   volumeName  The name of the volume, such as c: or d:

   instanceName The name for the instance to be attached or detached.

   -f          List the instances associated with the filter identified by filterName.

   -v          List the instances associated with the volume identified by volumeName.


FLTMC requires an Elevated command prompt (either CMD or PowerShell)


FILE SYSTEM MINIFILTER DRIVERS

> A file system filter driver (minifilter) is an optional driver that adds value
> to or modifies the behavior of a file system.
> 
> These filter drivers process all filesystem activity, including that of
> background processes. Typical uses are encryption software transparently
> encrypting new files, enforcing file quotas and, most commonly, anti-virus
> software scanning file activity.
> 
> A malicious rootkit infection may obfuscate its presence by installing a
> minifilter driver which intercepts and filters calls between other
> (legitimate) drivers and the system. It is therefore good practice to document
> the known minifilter drivers installed on your key systems, so that an
> unexpected filter stands out when the list is reviewed.
> 
> The FLTMC command allows the option to display existing filters and delete
> malicious ones.


ATTACHING A FILTER TO A VOLUME

> The instanceName is optional if an altitude is provided. If no altitude is
> provided, the necessary keys must already exist in the registry to describe
> the altitude for the given name.
> 
> The altitude is optional if an instanceName is provided. If specified, this
> new instance is placed at this explicit altitude. If a name is specified as
> well, the new instance will be given the name specified.
> 
> If the attachment is successful, an Instance Name will be displayed to
> identify the instance created by this attachment.


DETACHING A FILTER FROM A VOLUME

> The filterName is the name for the Filter that is used by the driver to
> register and to load the Filter using this command line.
> 
> The instanceName is the identifier returned by the attach command.
> If no instanceName is given, the default instance for the Volume specified
> will be removed.


ALTITUDE

> Minifilters are assigned a specific altitude by Microsoft. This will sit
> within a range that is specific to the function of the minifilter,
> e.g. anti-virus minifilters are assigned an altitude between 320,000 and
> 329,999, and encryption minifilters are assigned an altitude between 140,000
> and 149,999.
> 
> For file writes, altitudes are processed in descending order.
> For file reads, altitudes are processed in ascending order.
> 
> So when writing, anti-virus is handled before encryption, but when reading,
> decryption is handled before anti-virus.
> 
> Legacy filter drivers do not use the minifilter model, which means they don't
> slot into place based on their altitude. For interoperability with legacy
> filter drivers, the filter manager can attach filter device objects to a file
> system I/O stack in more than one location [example]. However, you should still
> consider replacing legacy filters with minifilters.


OFFLOADING READS AND/OR WRITES ON NTFS DRIVES

> Starting with Windows 8, a filter may specify offload capability.
> FLTMC instances will display the Supported Features (SprtFtrs) as a bitmask:
> 1 = FSCTL_OFFLOAD_READ
> 2 = FSCTL_OFFLOAD_WRITE
> So 3 = Offload Read + Write are both supported.


COMMON MINIFILTERS (\SYSTEM32\DRIVERS)

> WdFilter.sys - Windows Defender
> storqosflt.sys - Storage QoS Filter Driver
> luafv.sys - UAC File Virtualization
> npsvctrig.sys - Named Pipe Service Trigger Provider
> FileCrypt.sys - Windows sandboxing and encryption
> FileInfo.sys - FileInfo Filter Driver (SuperFetch / ReadyBoost)
> wcifs.sys - File System Filter
> Wof.sys - Windows Image File Boot

Examples

Display the installed filters:

C:\> FLTMC

Display the instance names, altitude and supported features:

C:\> FLTMC instances
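To turn the advice above (document the known minifilters on key systems, decode the SprtFtrs bitmask, and read altitudes against their load-order ranges) into a repeatable check, here is an added example that is not part of the SS64 page or of FLTMC itself. It parses the tabular output of FLTMC instances; the column layout of the constructed sample and the regular expression that reads it are assumptions, and "unknownflt" is a made-up filter name used only to show a baseline mismatch.

```python
import re
import subprocess
from collections import namedtuple

# Altitude ranges quoted on the page and the meaning of the SprtFtrs bits.
ALTITUDE_CLASSES = {"anti-virus": (320000, 329999), "encryption": (140000, 149999)}
SPRTFTRS_BITS = {1: "FSCTL_OFFLOAD_READ", 2: "FSCTL_OFFLOAD_WRITE"}
Instance = namedtuple("Instance", "filter volume altitude instance frame sprtftrs")

# Constructed sample of `fltmc instances` output (layout assumed); "unknownflt" is made up.
SAMPLE_INSTANCES = """\
Filter      Volume Name  Altitude  Instance Name        Frame  SprtFtrs  VlStatus
----------  -----------  --------  -------------------  -----  --------  --------
WdFilter    C:           328010    WdFilter Instance    0      00000003
luafv       C:           135000    luafv                0      00000000
unknownflt  C:           325000    unknownflt Instance  0      00000000
"""
# filter, volume, altitude, instance name (may contain spaces), frame, hex SprtFtrs
ROW = re.compile(r"^(\S+)\s+(\S+)\s+(\d+(?:\.\d+)?)\s+(.+?)\s+(\d+)\s+([0-9A-Fa-f]{8})")

def parse_instances(text):
    """Turn the tabular output into Instance records, skipping the two header lines."""
    rows = []
    for line in text.splitlines()[2:]:
        m = ROW.match(line.strip())
        if m:
            flt, vol, alt, inst, frame, feat = m.groups()
            rows.append(Instance(flt, vol, float(alt), inst, int(frame), int(feat, 16)))
    return rows

def supported_features(sprtftrs):
    """Decode SprtFtrs: 1 = offload read, 2 = offload write, 3 = both."""
    return [name for bit, name in SPRTFTRS_BITS.items() if sprtftrs & bit]

def altitude_class(altitude):
    """Name the load-order group an altitude falls in, or None if outside the listed ranges."""
    for name, (lo, hi) in ALTITUDE_CLASSES.items():
        if lo <= altitude <= hi:
            return name
    return None

def audit(rows, baseline):
    """Filter names present in the output but absent from the documented baseline."""
    known = {b.lower() for b in baseline}
    return sorted({r.filter for r in rows if r.filter.lower() not in known})

def live_instances():
    """Run the real command (needs an elevated prompt on Windows) and parse it."""
    out = subprocess.run(["fltmc", "instances"], capture_output=True, text=True, check=True)
    return parse_instances(out.stdout)
```

Feed audit() the output of live_instances() together with the list of filters you have documented for that host; anything it returns is a filter that is attached but not in your baseline and deserves a closer look.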

"A complex system that works is invariably found to have evolved from a simple
system that worked. The inverse proposition also appears to be true: A complex
system designed from scratch never works and cannot be made to work." ~ John
Gall

Related commands:

Load Order Groups and Altitudes for Minifilter Drivers - Docs.Microsoft.com
FSUTIL - File and Volume utilities.

Copyright © 1999-2022 SS64.com
Some rights reserved