Filter Driver in Windows

In usual troubleshooting scenarios, we may have to uninstall a 3rd-party component to isolate an issue. Sometimes even uninstalling the application does not remove the filter driver associated with it (e.g. SEP), and in rare scenarios the customer is not comfortable uninstalling the application at all. In order to rule out the issue, we have to unload the filter driver on the Windows Server.

Solution

In the following steps, I have taken the example of Veeam Backup & Replication services installed on a Hyper-V host.
1) Always take the fltmc output first to verify the associated filter driver; in this case it is VeeamFCT.

    Filter Name                     Num Instances    Altitude    Frame
    ------------------------------  -------------  ------------  -----
    VeeamFCT                                2       405100         0
    CsvNSFlt                                1       404900         0
    CsvFlt                                  0       404800         0
    CCFFilter                               1       261160         0
    ResumeKeyFilter                         0       202000         0
    svhdxflt                                0       135100         0
    npsvctrig                               1        46000         0

2) Before we move ahead and try to disable the driver, ensure that the services are in a disabled state. If the service is still running, you may disable the driver successfully, but on the next reboot the service will try to load the driver again. So as a precaution, always disable these services beforehand. In my case I have to disable the Veeam Backup & Replication services first. Merely disabling the services is not enough either, because the filter driver has its own service entry in the registry and is loaded from there.

  • So the first step here is to disable all services related to the Veeam Backup application, so they do not come online during the reboot.

    Get-Service veeam* | Set-Service -StartupType disabled

  • Once they are disabled, confirm their state by executing the following command from PowerShell.

    Get-Service -name veeam* | ft

    Status   Name               DisplayName
    ------   ----               -----------
    Stopped  VeeamDeployment... Veeam Installer Service
    Stopped  VeeamHvIntegrat... Veeam Hyper-V Integration Service
    Stopped  VeeamTransportSvc  Veeam Data Mover Service

  • Now go to the registry (regedit), open the system hive (HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services) and search for the associated filter driver key, which in our case is VeeamFCT.
  • Set the Start value of the corresponding filter driver (VeeamFCT) to 4. A value of 4 disables the filter driver.

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\VeeamFCT

Steps

  • Create a backup of the HKEY_LOCAL_MACHINE\System\Services registry hive.
  • Locate, and then click, the following registry subkey:
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
  • Click the entry for the filter driver that you want to disable.
  • Double-click the Start registry setting, and then set it to a value of 0x4.
Usually these are automatic-start drivers (Start 2 = SERVICE_AUTO_START): they are started by the Windows Service Control Manager and load after the system drivers are loaded. Changing the Start value to 4 disables the driver (SERVICE_DISABLED). Once this value is changed, the driver will not be initialised by the SCM, and because the services are already disabled, nothing in the background will call to load the driver either.
This is explained in the following Microsoft article: "How to temporarily deactivate the kernel mode filter driver in Windows".
3) Reboot the server.
4) Once the system is back up, go to CMD and type fltmc again; this time the driver is no longer listed.

    Filter Name                     Num Instances    Altitude    Frame
    ------------------------------  -------------  ------------  -----
    CsvNSFlt                                1       404900         0
    CsvFlt                                  0       404800         0
    CCFFilter                               1       261160         0
    ResumeKeyFilter                         0       202000         0
    svhdxflt                                0       135100         0
    npsvctrig                               1        46000         0
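The whole procedure above (check fltmc, disable the services, back up the driver's registry key, set Start to 4, verify after reboot) can be scripted. The script below is an added example written for this page; it is not from the original post or from Veeam. The filter name, the service wildcard, the backup path and the Get-LoadedFilter helper are assumptions chosen to match the Veeam case, so change the defaults for another filter driver. It must run from an elevated PowerShell prompt.

```powershell
# Added example: the manual steps above as one script (not from the original post).
# Assumed defaults for the Veeam case; override them for another filter driver.
#Requires -RunAsAdministrator
param(
    [string]$FilterName     = 'VeeamFCT',   # filter driver name as listed by fltmc
    [string]$ServicePattern = 'veeam*',     # services that would reload the driver at boot
    [string]$BackupPath     = "$env:TEMP\$FilterName-Services-backup.reg"
)

$ServiceKey    = "HKLM:\SYSTEM\CurrentControlSet\Services\$FilterName"
$ServiceKeyReg = "HKLM\SYSTEM\CurrentControlSet\Services\$FilterName"  # reg.exe form

# Hypothetical helper: returns the matching row of "fltmc filters", or nothing.
# Rows look like "VeeamFCT   2   405100   0", so match the name in the first
# column followed by the numeric instance count; this skips header/blank lines.
function Get-LoadedFilter {
    param([string]$Name)
    $pattern = '^\s*' + [regex]::Escape($Name) + '\s+\d'
    fltmc.exe filters | Where-Object { $_ -match $pattern }
}

# Step 1: confirm the filter is actually loaded before changing anything.
if (-not (Get-LoadedFilter -Name $FilterName)) {
    Write-Warning "$FilterName is not loaded according to fltmc; nothing to do."
    return
}
Write-Host "Loaded filter found: $(Get-LoadedFilter -Name $FilterName)"

# Step 2: stop and disable the application services so they cannot reload the
# driver on the next boot, then show their state for the record.
$services = Get-Service -Name $ServicePattern -ErrorAction SilentlyContinue
foreach ($svc in $services) {
    if ($svc.Status -ne 'Stopped') { Stop-Service -Name $svc.Name -Force }
    Set-Service -Name $svc.Name -StartupType Disabled
}
Get-Service -Name $ServicePattern -ErrorAction SilentlyContinue |
    Format-Table Status, StartType, Name, DisplayName -AutoSize

# Step 3: export the driver's service key before touching it, then set
# Start = 4 (SERVICE_DISABLED). The backup lets you restore with "reg import".
reg.exe export $ServiceKeyReg $BackupPath /y | Out-Null
$before = (Get-ItemProperty -Path $ServiceKey -Name Start).Start
Set-ItemProperty -Path $ServiceKey -Name Start -Value 4 -Type DWord
$after  = (Get-ItemProperty -Path $ServiceKey -Name Start).Start
Write-Host "$FilterName Start value changed from $before to $after (4 = SERVICE_DISABLED)."
Write-Host "Registry backup written to $BackupPath."
Write-Host "Reboot, then run 'fltmc' (or Get-LoadedFilter) to confirm $FilterName is gone."
```

To undo the change, import the exported .reg file with `reg import <path>` and set the services back to their original startup type, then reboot; the Start value of 2 shown in the output is the one to restore for an automatic-start driver.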