How to view common mini-filter file system drivers using the fltmc tool?
What is FLTMC?
FLTMC.exe is a Filter Management Control Program. It is a command-line utility that is used
for common minifilter driver management operations. It is often used by developers to load
and unload minifilter drivers, attach or detach these filters to volumes.
However, this tool can be quite handy in troubleshooting performance related issues or even
BSOD [Blue Screen of Death].
A file system mini filter driver intercepts requests targeted at a file system or another file
system filter driver. By intercepting the request before it reaches its intended target, the
filter driver can extend or replace functionality provided by the original target of the
request. Examples of File Systems and File System Filter Drivers include anti-virus filters,
backup agents, and encryption products.
Note: Unlike a legacy filter driver, a minifilter driver can be loaded at any time and attached
at the appropriate location as determined by its altitude.
The Filter Manager Control (FltMC) utility tracks minifilters attached to the hardware (hard
disk) or to other storage systems (hard drive on the SAN).
IMP: Use this tool with caution.
For troubleshooting purposes the results can be saved to a text file.
C:\WINDOWS\system32>fltmc instances > C:\FilterInstance.log
C:\WINDOWS\system32>fltmc > c:\windows\fltmc.log
One can use the FLTMC.EXE program to enumerate the filter drivers for a specific volume.
Right-click Command Prompt, select 'Run as administrator', and then type fltmc:
Here is a sample output from my laptop:
The next logical step was to find out what these filters are and whether they are safe. So I
googled and discovered the following information:
What is sftredir.sys? [file is Safe]
Related to Sftredirxp.sys Application Virtualization SystemGuard from Microsoft Corporation
What is savonaccess.sys? [file is safe]
Savonaccess.sys is the filename of a driver running on the Microsoft Windows operating system.
This driver belongs in most cases to the product Sophos Anti-Virus On-Access Driver and is
developed by Sophos Limited Company.
What is LCRECM.sys? [file is safe]
It is a Sophos SafeGuard LAN Crypt filter driver.
What is luafv.sys? [file is safe]
Microsoft Windows LUA file virtualization filter driver file.
What is fileinfo.sys? [file is safe]
This is a Microsoft supplied mini-filter driver that is enabled and loaded by default on Vista.
The following commands are available with FLTMC:
To unload the Filter driver:
C:\WINDOWS\system32>Fltmc unload Filterdriver
To load the Filter driver:
C:\WINDOWS\system32>Fltmc load Filterdriver
Use this mode to list the number of instances the driver is attached to. These filters are
loaded and have at least one instance attached to a particular volume. A filter may have
To view all instances of loaded drivers:
The number of instances for a specific driver can be seen in the FltMC output: check the
"Num Instances" column in the above.
To attach the driver to a specific volume:
C:\WINDOWS\system32>Fltmc attach Filter C:
To detach the driver from a specific volume:
C:\WINDOWS\system32>Fltmc detach Filter C:
Types of Windows Drivers
There are two basic types of Microsoft Windows drivers:
User-mode drivers execute in user mode, and they typically provide an interface
between a Win32 application and kernel-mode drivers or other operating system
components. For example, in Windows Vista, all printer drivers execute in user mode.
For more information about printer driver components, see Introduction to Printing.
Kernel-mode drivers execute in kernel mode as part of the executive, which consists
of kernel-mode operating system components that manage I/O, Plug and Play,
memory, processes and threads, security, and so on. Kernel-mode drivers are typically
layered. Generally, higher-level drivers typically receive data from applications, filter
the data, and pass it to a lower-level driver that supports device functionality.
Kernel-mode drivers are further classified as:
Each type differs only slightly in structure but greatly in functionality, for more information
What Is a File System Filter Driver?
A file system filter driver is an optional driver that adds value to or modifies the behaviour of
a file system. A file system filter driver is a kernel-mode component that runs as part of the
A file system filter driver can filter I/O operations for one or more file systems or file system
volumes. Depending on the nature of the driver, filter can mean log, observe, modify, or even
prevent. Typical applications for file system filter drivers include antivirus utilities,
encryption programs, and hierarchical storage management systems.
The simplest definition of a file system filter driver would be:
A file system filter driver attaches itself to one or more mounted volumes and filters all I/O
operations on them.
How File System Filter Drivers Are Different from Device Drivers?
Although file system filter drivers and device drivers both create device objects, they differ
in the number and kinds of device objects that they create.
Device drivers create physical and functional device objects to represent devices. The Plug
and Play (PnP) Manager builds and maintains a global device tree that contains all device
objects that are created by device drivers. The device objects that file system filter drivers
create are not contained in this device tree.
File system filter drivers do not create physical or functional device objects. Instead, they
create control device objects and filter device objects. The control device object represents
the filter driver to the system and to user-mode applications. The filter device object
performs the actual work of filtering a specific file system or volume. A file system filter
driver normally creates one control device object and one or more filter device objects.
Please Note: File system filter drivers cannot be Windows Driver Model (WDM) drivers. The
Microsoft Windows Driver Model is only for device drivers.
Installing a Minifilter Driver
For Microsoft Windows XP and later operating systems, you should install your minifilter driver
by using an INF file and an installation application. (On Windows 2000 and earlier operating
systems, minifilter drivers were commonly installed by the Service Control Manager.)
In the future, INF-based installation is expected to meet Windows Hardware
Certification Kit requirements for minifilter drivers. Note that "INF-based installation"
means only that you will need to use an INF file to copy files and to store information
in the registry. You will not be required to install your entire product by using only an
INF file, and you will not be required to provide a "right-click install" option for your
Is a file system filter driver an upper filter or a lower filter?
Unlike device filter drivers, which can attach above or below a target device's function driver,
file system filter drivers can attach only above a target file system driver. Thus, in device-
driver terms, a file system filter driver can be only an upper filter, never a lower filter.
Attaching a Filter to a File System or Volume?
File system filter drivers can attach to, and filter I/O for, any file system volume. They cannot
attach directly to storage devices, such as disk drives or partitions. Also, they cannot attach
to individual directories or files.
Where are drivers stored on Windows?
Starting with Windows Vista, the driver store is a new, central location where all the
driver files will be stored, before they are copied to their final destination during the device
The location of the driver store is C:\Windows\System32\DriverStore
Within this folder are the driver files (.sys), driver setup files (.inf), pre-compiled INF
files(.pnf), and an XML manifest file that contains the manifest of all the files within the
driver package. Together, all of these different files add up to the driver package, which
contains all the files needed to install the device. To protect these files, the NTFS permissions
on the driver store and its sub-folders and files are Full Control for the Local System account
and Read & Execute for the Everyone built-in identity.
Earlier in Windows XP and 2000, the driver source files needed for installing the devices were
typically found in several locations.
.inf files under %windir%\inf
.sys files under %SystemRoot%\System32\Drivers
Support DLLs under %SystemRoot%\System32
Third Party co-installers in various locations.
Advantages of maintaining a central store:
Allows for potentially faster device installation and more reliable driver rollback and
is a single standard for un-installing drivers.
Allows you to protect drivers by using the Windows Resource Protection (WRP).
Uses index files to minimize the performance impact on installing devices when the
driver store grows in size as a result of new package additions.
What is the other purpose of this tool?
`fltmc.exe` can be used to check if the filter drivers are available to the I/O stack.
For example - For quota enforcement to work, the quota minifilter driver must be working
properly, and it must be correctly attached to the volume. If the quota minifilter driver is
experiencing problems, quota scans might fail, and updated quota usage information of
volumes and folders will not be available. If the driver cannot attach to the volume, quotas
cannot be enforced on that volume.
The two mini-filter drivers required for this are:
datascrn.sys = A kernel-mode mini-filter that implements file screening.
quota.sys = A kernel-mode mini-filter that implements quota checks.
In order to load and attach the driver:
C:\>fltmc load Datascrn
C:\>fltmc load Quota
In order to view what volumes are available, you can type:
To attach to a particular volume:
C:\>fltmc attach Datascrn \Device\HarddiskVolume1
C:\>fltmc attach Quota \Device\HarddiskVolume1
How to use FLTMC.exe to load and unload the evfilter mini-filter driver for Enterprise
Vault (EV) for File System Archiving (FSA)
To unload the EvFilter driver:
Fltmc unload EvFilter
To load the EvFilter driver:
Fltmc load EvFilter
To view all instances of loaded drivers:
To attach the driver to a specific volume:
Fltmc attach EvFilter C:
To detach the driver from a specific volume:
Fltmc detach EvFilter C:
Mini-filter driver from VMware can cause file copy slow performance issues in the
The filter driver 'vsepflt.sys' can impact the performance of file copy operations to or from a
Windows network share. Starting with ESXi 5.0, VMware Tools ships with the vShield Endpoint
filter driver (vsepflt). This driver is automatically loaded when VMware Tools is installed using
the Full option, rather than the Typical default.
This is a known issue and has been resolved in VMware ESXi 5.0 Update 2. Please update to
resolve this issue. If you cannot update and you are not using vShield Endpoint for antivirus
protection, unload the filter driver and disable it.
Filter Name             Num Instances  Altitude      Frame
----------------------  -------------  ------------  -----
vsepflt                 5              328200        0
luafv                   1              135000        0
To unload the vsepflt driver, run the command:
C:\> fltmc unload vsepflt
For more info:
For more information, you can also run 'msinfo32' to check the drivers loaded on the server:
Start | Run | msinfo32, then expand "Software Environment" | System Drivers
Request for Altitude:
As a third-party application developer, you can request a minifilter driver altitude from
Microsoft using this format:
Minifilter Altitude Request
Microsoft reserves the right to change the requested altitude:
Microsoft reserves the right to assign an altitude that is different from the requested altitude,
depending on altitude availability and the filter driver functionality.
How does a mini-filter driver work?
A mini-filter driver is loaded using the 'Filter Manager' framework.
The Filter Manager provides a framework for developing File Systems and File System Filter
Drivers without having to manage all the complexities of file I/O. The Filter Manager
simplifies the development of third-party filter drivers and solves many of the problems with
the existing legacy filter driver model, such as the ability to control load order through an
A filter driver developed to the Filter Manager model is called a minifilter. Every minifilter
driver has an assigned altitude, which is a unique identifier that determines where the
minifilter is loaded relative to other minifilters in the I/O stack. Altitudes are allocated and
managed by Microsoft. This component called 'filter manager' is installed with Windows, but it
becomes active only when a minifilter driver is loaded.
A legacy filter driver's position in the file system I/O stack relative to other filter drivers is
determined at system startup by its load order group. Therefore, filter drivers in the FSFilter
Anti-Virus load order group are loaded before filter drivers in the FSFilter Replication group.
For example, an antivirus filter driver should be higher in the stack than a replication filter
driver, so it can detect viruses and disinfect files before they are replicated to remote
The following figure shows a simplified I/O stack with the filter manager and three minifilter
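The relationship between altitude and load order group described above can be checked against real fltmc output. The script below is an added example, not part of the original article: it parses the two-filter listing quoted earlier, names the load order group each altitude falls in, and sorts the filters by stack position. The function names are hypothetical, and the range table is a subset of the altitude ranges Microsoft documents for the load order groups.

```powershell
# Added example, not from the original article.
# Constructed input: the two-filter listing quoted earlier in the article.
# On a live system (elevated prompt) use instead:  $lines = fltmc filters
$lines = @(
    'Filter Name             Num Instances  Altitude      Frame'
    '----------------------  -------------  ------------  -----'
    'vsepflt                 5              328200        0'
    'luafv                   1              135000        0'
)

# Subset of the altitude ranges Microsoft documents per load order group.
$groups = @(
    @{ Low = 360000; High = 389999; Name = 'FSFilter Activity Monitor' }
    @{ Low = 320000; High = 329999; Name = 'FSFilter Anti-Virus' }
    @{ Low = 300000; High = 309999; Name = 'FSFilter Replication' }
    @{ Low = 260000; High = 269999; Name = 'FSFilter Content Screener' }
    @{ Low = 240000; High = 249999; Name = 'FSFilter Quota Management' }
    @{ Low = 140000; High = 149999; Name = 'FSFilter Encryption' }
    @{ Low = 130000; High = 139999; Name = 'FSFilter Virtualization' }
)

# Hypothetical helper: name the load order group an altitude falls in.
function Get-LoadOrderGroup([double]$Altitude) {
    foreach ($g in $groups) {
        if ($Altitude -ge $g.Low -and $Altitude -le $g.High) { return $g.Name }
    }
    'not in this subset'
}

# Hypothetical helper: turn fltmc text rows into objects.
function ConvertFrom-FltmcFilters([string[]]$Text) {
    foreach ($line in $Text) {
        # Data rows: <name> <instances> <altitude, may be fractional> <frame>.
        # Header, separator and any other row shape are skipped.
        if ($line -match '^(\S+)\s+(\d+)\s+(\d+(?:\.\d+)?)\s+(\d+)\s*$') {
            $altitude = [double]$Matches[3]
            [pscustomobject]@{
                Filter    = $Matches[1]
                Instances = [int]$Matches[2]
                Altitude  = $altitude
                Group     = Get-LoadOrderGroup $altitude
                Frame     = [int]$Matches[4]
            }
        }
    }
}

# Highest altitude first: that filter sits highest in the stack.
ConvertFrom-FltmcFilters $lines | Sort-Object Altitude -Descending | Format-Table -AutoSize
```

For the sample listing, vsepflt (328200) falls in the FSFilter Anti-Virus range and luafv (135000) in the FSFilter Virtualization range, so vsepflt sits above luafv in the stack.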
List of Allocated Altitudes?
Installable File System Drivers
More on FLTMC
An incompatible filter driver caused a cluster node to enter redirected mode: filter drivers
introduced by third-party application(s) that may be running on a cluster node and
are incompatible with CSV. When these filter drivers are detected by the cluster, the
CSV volume is placed in redirected mode to help prevent potential data corruption on
a CSV volume.