- Kernel Mode Driver Framework 1 11
- Windows 10 Wdk
- Kernel Mode Printer Driver Windows 10
- Windows Driver Kit
If the driver file was contained in a zip file, unzip the file to a designated location or folder. Open Device Manager: for Windows 8 and Windows 8.1, press the Windows + X keys together; for Windows 10, right-click the Windows Start icon. Click Yes when prompted for permission from User Account Control. Expand the Display adapters section. Right-click the Intel® graphics entry and select Update Driver Software. There is a strong possibility that the drivers installed on your computer are not compatible with Windows 10. Updating your drivers is not difficult. Just head to the Device Manager to do the needful. Starting with Windows 10, version 1607, Windows will not load any new kernel mode drivers which are not signed by Microsoft through the Hardware Dev Center. Valid signatures can be obtained by either Hardware Certification or Attestation. 64-bit versions of Windows starting with Windows Vista.
This article describes how to deactivate the kernel mode filter driver without removing the corresponding software.
Original product version: Windows Server 2012 R2, Windows 10 - all editions
Original KB number: 816071
Important
This article contains information that shows you how to help lower security settings or how to turn off security features on a computer. You can make these changes to work around a specific problem. Before you make these changes, we recommend that you evaluate the risks that are associated with implementing this workaround in your particular environment. If you implement this workaround, take any appropriate additional steps to help protect your system.
Summary
You may want to deactivate the filter driver when you are troubleshooting the following issues:
- File copy or backup problems.
- Program errors that occur when you are opening files from network drives or you are saving files to network drives. For more information about these program errors, see Slow network performance when you open a file that is located in a shared folder on a remote network computer.
- Event ID 2022 error messages that occur in the System log, for example:
Disable filter drivers
When you are troubleshooting any one of these issues, frequently, you have to do more than just stop or disable the services that are associated with the software. Even if you disable the software component, the filter driver is still loaded when you restart the computer. You may be forced to remove a software component to find the cause of an issue. As an alternative to removing the software component, you can stop the relevant services and disable the corresponding filter drivers in the registry. For example, if you prevent antivirus software from scanning or filtering files on your computer, you must also disable the corresponding filter drivers.
To disable filter drivers, you must first identify third-party services and their corresponding filter drivers. After you do this, follow these steps.
Warning
This workaround may make your computer or your network more vulnerable to attack by malicious users or by malicious software such as viruses. We do not recommend this workaround but are providing this information so that you can implement this workaround at your own discretion. Use this workaround at your own risk.
Important
An antivirus program is designed to help protect your computer from viruses. You must not download or open files from sources that you do not trust, visit Web sites that you do not trust, or open e-mail attachments when your antivirus program is disabled.
For more information about computer viruses, see How to prevent and remove viruses and other malware.
Stop all services that belong to the software package.
Set the Startup type to Disabled. To do this, follow these steps:
- Click Start, click Control Panel, double-click Administrative Tools, and then double-click Services.
- In the Details pane, right-click the service that you want to configure, and then click Properties.
- On the General tab, click Disabled in the Startup type box.
Set the Start registry key of the corresponding filter drivers to 0x4. A value of 0x4 will disable the filter driver. To do this, follow these steps.
Important
This section, method, or task contains steps that tell you how to modify the registry. However, serious problems might occur if you modify the registry incorrectly. Therefore, make sure that you follow these steps carefully. For added protection, back up the registry before you modify it. Then, you can restore the registry if a problem occurs. For more information about how to back up and restore the registry, see How to back up and restore the registry in Windows.
- Start Registry Editor.
- Create a backup of the HKEY_LOCAL_MACHINE\System registry hive.
- Locate, and then click the registry subkey HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services.
- Click the entry for the filter driver that you want to disable.
- Double-click the Start registry setting, and then set it to a value of 0x4.
Note
This registry entry typically has a value of 0x3.
Restart the computer.
Most antivirus software uses filter drivers that work together with a service to scan for viruses. These filter drivers are still loaded after the service is deactivated. These filter drivers scan files as they are opened and closed on a hard disk. For troubleshooting purposes, temporarily remove the antivirus software or contact the manufacturer of the software to determine whether a newer version is available.
Example of filter drivers
This section describes some of the typical filter driver names by product:
Antivirus
- Inoculan: INO_FLPY and INO_FLTR
- Norton: SYMEVENT, NAVAP, NAVEN, and NAVEX
- McAfee (NAI): NaiFiltr and NaiFsRec
- Trend Micro: Tmfilter.sys and Vsapint.sys
Backup agent
- Backup Agent for Open Files: Ofant.sys
- Open Transaction Manager from Veritas BackupExec: Otman.sys (Otman4.sys or Otman5.sys)
Note
Use caution if you disable these filter drivers by using the method that is described in this article. If you do this, you may receive a stop 0x7b error message.
The stop 0x7b Inaccessible_Boot_Device error message may occur if the following registry keys exist and contain references to the Otman5 driver when the Otman5.sys driver either does not exist on the hard disk or if the driver is set to disabled.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E967-E325-11CE-BFC1-08002BE10318}\UpperFilters
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{71A27CDD-812A-11D0-BEC7-08002BE2092F}\UpperFilters
If you experience the stop 0x7b error message, you should back up these registry keys and delete the Otman5 reference.
Driver registry settings
The following table lists valid settings and their description for the driver's Start and Type registry settings:
Value Name | Value Setting | Description of Value Setting |
---|---|---|
Start | 0 = SERVICE_BOOT_START | Ntldr or Osloader preloads the driver so that it is in memory when the computer starts. These drivers are initialized just before the SERVICE_SYSTEM_START drivers. |
Start | 1 = SERVICE_SYSTEM_START | The driver loads and initializes after SERVICE_BOOT_START drivers have initialized. |
Start | 2 = SERVICE_AUTO_START | Service Control Manager (SCM) starts the driver or service. |
Start | 3 = SERVICE_DEMAND_START | SCM must start the driver or service on demand. |
Start | 4 = SERVICE_DISABLED | The driver or service does not load or initialize. |
Type | 1 = SERVICE_KERNEL_DRIVER | Device driver. |
Type | 2 = SERVICE_FILE_SYSTEM_DRIVER | Kernel-mode file system driver. |
Type | 8 = SERVICE_RECOGNIZER_DRIVER | File system recognizer driver. |
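
The check below is an added example, not part of the original article: a read-only PowerShell audit to run before setting a filter driver's Start value to 0x4. It looks for device-class filter references that point at a disabled, unregistered or missing driver, which is the stop 0x7b condition described above. The function names are this example's own, and it also reads LowerFilters, which the article does not mention.

```powershell
# Added example, read-only. Run from an elevated 64-bit PowerShell prompt
# (a 32-bit host redirects System32 and would report driver files as missing).
$StartNames = @{ 0 = 'SERVICE_BOOT_START'; 1 = 'SERVICE_SYSTEM_START'; 2 = 'SERVICE_AUTO_START'
                 3 = 'SERVICE_DEMAND_START'; 4 = 'SERVICE_DISABLED' }
$Services = 'HKLM:\SYSTEM\CurrentControlSet\Services'
$Classes  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Class'

function Resolve-DriverPath([string]$Name, [string]$ImagePath) {
    # ImagePath is optional for drivers; the default is System32\drivers\<name>.sys.
    if (-not $ImagePath) { $ImagePath = "System32\drivers\$Name.sys" }
    $path = $ImagePath -replace '^\\\?\?\\', '' -replace '^\\?SystemRoot\\', ($env:SystemRoot + '\')
    if ($path -notmatch '^[A-Za-z]:\\') { $path = Join-Path $env:SystemRoot $path }
    $path
}

function Get-DriverState([string]$Name) {
    # $null means the name has no readable Services subkey.
    $p = Get-ItemProperty -LiteralPath (Join-Path $Services $Name) -ErrorAction SilentlyContinue
    if ($null -eq $p) { return $null }
    $file = Resolve-DriverPath $Name $p.ImagePath
    [pscustomobject]@{ Start = if ($null -ne $p.Start) { $StartNames[[int]$p.Start] }
                       File = $file; FileExists = Test-Path -LiteralPath $file }
}

function Get-ClassFilterReference {
    # One object per driver name listed in a device class's UpperFilters or LowerFilters.
    foreach ($key in Get-ChildItem -Path $Classes -ErrorAction SilentlyContinue) {
        $class = Get-ItemProperty -LiteralPath $key.PSPath -ErrorAction SilentlyContinue
        foreach ($value in 'UpperFilters', 'LowerFilters') {
            foreach ($driver in (@($class.$value) | Where-Object { $_ })) {
                [pscustomobject]@{ ClassKey = $key.PSChildName; Class = $class.Class; Value = $value; Driver = $driver }
            }
        }
    }
}

function Find-RiskyFilterReference {
    # Flags entries whose driver is unregistered, disabled (Start = 4) or absent on disk.
    foreach ($ref in Get-ClassFilterReference) {
        $state = Get-DriverState $ref.Driver
        $reason = if ($null -eq $state) { 'no Services key' }
                  elseif ($state.Start -eq 'SERVICE_DISABLED') { 'Start = 4 (disabled)' }
                  elseif (-not $state.FileExists) { "missing file: $($state.File)" }
        if ($reason) { $ref | Add-Member -NotePropertyName Reason -NotePropertyValue $reason -PassThru }
    }
}

Find-RiskyFilterReference | Format-Table Class, Value, Driver, Reason -AutoSize
```

An empty result means no class filter list references a driver that will fail to load. Any row returned should be resolved before the next restart.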
Third-party information disclaimer
The third-party products that this article discusses are manufactured by companies that are independent of Microsoft. Microsoft makes no warranty, implied or otherwise, about the performance or reliability of these products.
Microsoft makes significant changes to the Windows kernel, and to the way you communicate with it, in every new release, which makes it difficult to keep following the old methods of doing certain things. On top of that, the scattered and less interactive official documentation is always painful to follow. The same goes for Windows driver development and driver loading. The old methods available online don't work anymore because of the introduction of multiple new features and handling tools such as code signing.
Since I have faced a lot of difficulties myself in finding a correct way to compile and load a Windows driver, I decided to write a quick guide to help others do that job in less than 10 minutes on Windows 10 (excluding download and installation time).
Installation
Note: I am using Visual Studio 2019 for this tutorial.
- For kernel driver development you need to have Visual Studio installed on your machine. In the Visual Studio installer, select the 'Desktop development with C++' checkbox (other workload packages are optional, according to your needs).
Note: Don't forget to check the package named MSVC's latest version with Spectre mitigation (as shown in the third-from-last checkbox in the right-hand list of the above image) rather than the one without Spectre mitigation. Otherwise, while compiling your driver, you will get a missing dependency error.
- Install SDK: link
- Install WDK from here.
Setup and development
Since we have installed the dependencies by now, we can create our first test driver. For this, follow these steps.
- Open Visual Studio and click on 'Create a new project'.
- Select the Driver option in project type.
- Select Kernel Mode Driver (KMDF). Enter the details on the next prompt.
If you can't see the Driver option, then you have not installed one of the components mentioned in the Installation section. Also verify that the SDK and WDK packages have the same version, and try to install the WDK extension again from the %ProgramFiles(x86)%\Windows Kits\{WDK version}\Vsix\{VS version}\WDK.exe location.
- Add a new file by right-clicking on Source Files in the upper right box, then Add -> New Item -> C++ File. Give the file a name with the .c extension.
- Choose the correct target architecture.
- Now start coding.
Let's put minimal code here that just prints a string when the driver loads and unloads.
DriverEntry is the entry point, which executes when you load the driver.
DriverUnload is the exit function, which executes when you unload the driver.
- Compile the code by clicking Build->Build Solution.
Configuration
Configuration is the most important part of making driver loading work. It is usually recommended to test a driver on a machine other than the development one, but we will do everything on the same machine because that's what most people do in their initial development phase (also, we are too lazy to use two machines).
- Turn on loading of our test signed drivers.
bcdedit /set testsigning on
- Turn on kernel debugging.
bcdedit -debug on
- Create a DWORD value IHVDRIVER under HKLM\SYSTEM\CCS\Control\Session Manager\Debug Print Filter (CCS is CurrentControlSet) and set the value to 0xf.
- Reboot the machine.
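The configuration steps above as PowerShell functions, with a report of the current state and a way to revert. This is an added example, not code from the original post; the function names are this example's own, and parsing bcdedit assumes English output.

```powershell
# Added example: helper names are this example's own; run from an elevated prompt.
# The post abbreviates CurrentControlSet as CCS in the key path.
$FilterKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Debug Print Filter'

function Get-BootFlag([string]$Name) {
    # bcdedit lists a set option as "<name>   Yes|No"; assumes English bcdedit output.
    foreach ($line in (bcdedit /enum '{current}')) {
        if ($line -match "^$Name\s+(\S+)") { return $Matches[1] }
    }
    'not set'
}

function Get-DriverTestState {
    $filter = (Get-ItemProperty -LiteralPath $FilterKey -ErrorAction SilentlyContinue).IHVDRIVER
    # Confirm-SecureBootUEFI throws on legacy BIOS machines; treat that as "off".
    $secureBoot = try { [bool](Confirm-SecureBootUEFI -ErrorAction Stop) } catch { $false }
    [pscustomobject]@{
        TestSigning     = Get-BootFlag 'testsigning'
        KernelDebug     = Get-BootFlag 'debug'
        IhvDriverFilter = if ($null -ne $filter) { '0x{0:x}' -f $filter } else { 'not set' }
        SecureBoot      = $secureBoot
    }
}

function Enable-DriverTestSettings {
    # Steps from the list above. bcdedit refuses testsigning while Secure Boot is enabled.
    if ((Get-DriverTestState).SecureBoot) { throw 'Secure Boot is on; testsigning cannot be set.' }
    if (-not (Test-Path -LiteralPath $FilterKey)) { New-Item -Path $FilterKey -Force | Out-Null }
    New-ItemProperty -LiteralPath $FilterKey -Name IHVDRIVER -PropertyType DWord -Value 0xf -Force | Out-Null
    bcdedit /set testsigning on
    bcdedit -debug on
}

function Disable-DriverTestSettings {
    # Return the machine to normal signature enforcement once testing is done.
    bcdedit /set testsigning off
    bcdedit -debug off
    Remove-ItemProperty -LiteralPath $FilterKey -Name IHVDRIVER -ErrorAction SilentlyContinue
}

Get-DriverTestState   # report only; call Enable-/Disable- explicitly, then reboot
```

Because a machine in test-signing mode loads drivers that are not signed through the Hardware Dev Center, run Disable-DriverTestSettings and reboot when testing is finished.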
Deployment/Loading
To load our driver we will use the devcon tool that is part of the WDK. devcon requires the following driver-related files in the same directory:
- .sys - driver file
- .inf - configuration file
- .cat - catalog file
They should already have been generated when you built the driver.
In case no catalog file was created, you can use inf2cat to generate one. You can use the following command for this:
Inf2Cat /driver:C:\MyDriver /os:2000,XP_X86,XP_X64,Server2003_X86,Server2003_X64,Vista_X86,Vista_X64
The tool will look for a .cer certificate file in the same folder, which should be created while building the driver. Refer here for more info.
You can run the following devcon command from the folder containing all the above-mentioned files to load the driver:
& 'C:\Program Files (x86)\Windows Kits\10\Tools\x64\devcon.exe' install .\KMDFDriver.inf Root\MyDriver
Use admin privileges for the above command.
Root\MyDriver is your hardware ID, which is present in the .inf file.
To unload the driver, you can use the following command
Debug logs
You can check the debug logs using DbgView, which is part of the Sysinternals suite. Run it as admin and check the following options (you may need to restart to make it work).
Now, the next time you install the driver, make sure DbgView is running in the background. After loading, you will see the string from DriverEntry in DbgView.
Deploying/Loading a filter driver
Most of the time our driver is just a minifilter driver, which doesn't require devcon to get loaded. For minifilter drivers, follow the steps below after the build:
- Open the filter's .inf file and update all the TODO values with the values mentioned in the comments, for example by updating Class and ClassGuid.
- In the same file, update Instance1.Altitude with the value 361000, or refer to the following link for other possible value ranges.
- Install the .inf file with right click -> Install.
- Load the driver with net start drivername and unload it using net stop drivername.