Minifilter Enumeration
Ring 0 feature: enumerate and unlink filesystem minifilter drivers registered with the Filter Manager.
Stability Warning
Unlinking minifilter callbacks can destabilize security products and the system. Use only on test systems for security research.
Overview
Minifilters are the modern Windows filesystem filtering mechanism, replacing legacy (attach-to-device) filter drivers. EDR/AV products register minifilters with the Filter Manager to monitor file operations. This feature enumerates the registered minifilters and allows selective unlinking of their callbacks.
MinifilterInfo Structure
crates/callback/src/types.rs

```rust
pub struct MinifilterInfo {
    pub filter_name: String,             // Filter driver name (e.g., "WdFilter")
    pub altitude: String,                // Filter altitude (load order priority)
    pub filter_address: u64,             // Address of FLT_FILTER structure
    pub frame_id: u64,                   // Filter frame ID
    pub num_instances: u32,              // Number of active instances
    pub flags: u32,                      // Filter flags
    pub callbacks: MinifilterCallbacks,  // Pre/Post callbacks
    pub owner_module: String,            // Driver module that owns this filter
    pub index: u32,
}

pub struct MinifilterCallbacks {
    pub pre_create: u64,
    pub post_create: u64,
    pub pre_read: u64,
    pub post_read: u64,
    pub pre_write: u64,
    pub post_write: u64,
    // ... more operations
}
```

Altitude System
Minifilters are attached to a volume in a fixed order determined by their altitude, a numeric string. A filter with a higher altitude sits higher in the filter stack: it sees each I/O request before any lower-altitude filter (pre-operation callback) and sees the completion after it (post-operation callback):
| Altitude Range | Category | Examples |
|---|---|---|
| 420000-429999 | Filter | General filtering |
| 320000-329999 | Anti-Virus | WdFilter (328010) |
| 260000-269999 | Activity Monitor | SentinelMonitor (264000) |
| 140000-149999 | Encryption | EFS, BitLocker |
Implementation
Algorithm
```c
// Enumeration using the documented Filter Manager API (sketch: buffer sizing,
// name conversion and the helper routines are elided)
NTSTATUS EnumerateMinifilters(PMINIFILTER_INFO* Filters, PULONG Count) {
    PFLT_FILTER FilterList[256];
    ULONG FilterCount = 0;
    UCHAR Buffer[512];
    ULONG BytesReturned = 0;
    NTSTATUS status;

    // 1. Use FltEnumerateFilters to get all registered filters. Every PFLT_FILTER
    //    it returns carries a rundown reference that must be released below.
    status = FltEnumerateFilters(FilterList, 256, &FilterCount);
    if (!NT_SUCCESS(status)) {
        return status;
    }

    for (ULONG i = 0; i < FilterCount; i++) {
        PFLT_FILTER Filter = FilterList[i];
        PMINIFILTER_INFO Info = &(*Filters)[i];
        PFILTER_FULL_INFORMATION FullInfo = (PFILTER_FULL_INFORMATION)Buffer;

        // 2. Get filter information
        status = FltGetFilterInformation(Filter, FilterFullInformation,
                                         Buffer, sizeof(Buffer), &BytesReturned);
        if (NT_SUCCESS(status)) {
            // 3. Extract filter name (FilterNameBuffer is not NUL-terminated;
            //    FilterNameLength is a byte count). The altitude is not part of
            //    FILTER_FULL_INFORMATION; it comes from a separate
            //    FilterAggregateBasicInformation query, done inside ParseAltitude.
            CopyFilterName(Info, FullInfo->FilterNameBuffer, FullInfo->FilterNameLength);
            Info->Altitude = ParseAltitude(Filter);
            // 4. Get instance count
            Info->NumInstances = FullInfo->NumberOfInstances;
            // 5. Resolve owner module from filter address
            Info->OwnerModule = GetModuleFromAddress(Filter);
        }

        // Release the reference taken by FltEnumerateFilters
        FltObjectDereference(Filter);
    }

    *Count = FilterCount;
    return STATUS_SUCCESS;
}

// Unlink callbacks (dangerous operation)
NTSTATUS UnlinkMinifilter(PCWSTR FilterName) {
    // 1. Find filter by name
    // 2. Locate callback node list in FLT_FILTER structure
    // 3. Unlink Pre/Post operation callbacks from linked list
    // Note: Does not unload the filter, just disables monitoring
}
```

IOCTLs
| IOCTL | Code | Description |
|---|---|---|
| ENUM_MINIFILTERS | 0x00222044 | Enumerate all registered minifilters |
| UNLINK_MINIFILTER | 0x0022205C | Unlink minifilter callbacks by name |
Known EDR/AV Minifilters
| Filter Name | Product | Altitude |
|---|---|---|
| WdFilter | Windows Defender | 328010 |
| SentinelMonitor | SentinelOne | 264000 |
| CarbonBlackK | Carbon Black | 264000 |
| csagent | CrowdStrike Falcon | 264000 |
| mfeaskm | McAfee | 323100 |
| symefasi | Symantec/Broadcom | 311050 |
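The altitude ranges above and the known-filter table are the two pieces of data a reviewer of an enumeration dump works with: parse the altitude string, place each filter in its load-order group, sort highest-first (the UI's default order), and flag names that belong to security products. The following is an added example written for this page, not code from the project; it uses a trimmed `Minifilter` record standing in for the page's `MinifilterInfo`, constructed sample rows (including the real Windows `FileInfo` filter at 40500 and a deliberately malformed altitude), the four ranges and the six product names exactly as the page lists them, and an assumed "Other" label for altitudes outside those ranges.

```rust
// Added example (not the project's code): altitude parsing, range classification
// and descending sort over constructed MinifilterInfo-like records.

#[derive(Debug, Clone, PartialEq)]
pub struct Minifilter {
    pub filter_name: String,
    pub altitude: String,
    pub num_instances: u32,
}

/// Parse a Filter Manager altitude string into its integer part.
/// Altitudes are decimal strings ("328010", "264000.5"); only the digits before
/// an optional '.' decide the load-order group, so that is what we compare on.
pub fn parse_altitude(s: &str) -> Option<u32> {
    let whole = s.trim().split('.').next()?;
    if whole.is_empty() || !whole.chars().all(|c| c.is_ascii_digit()) {
        return None;
    }
    whole.parse().ok()
}

/// Map an altitude to the load-order group from the page's table.
/// Assumption: anything outside the four listed ranges is reported as "Other".
pub fn altitude_category(altitude: u32) -> &'static str {
    match altitude {
        420000..=429999 => "Filter",
        320000..=329999 => "Anti-Virus",
        260000..=269999 => "Activity Monitor",
        140000..=149999 => "Encryption",
        _ => "Other",
    }
}

/// Names and products from the page's "Known EDR/AV Minifilters" table.
const KNOWN_SECURITY_FILTERS: &[(&str, &str)] = &[
    ("WdFilter", "Windows Defender"),
    ("SentinelMonitor", "SentinelOne"),
    ("CarbonBlackK", "Carbon Black"),
    ("csagent", "CrowdStrike Falcon"),
    ("mfeaskm", "McAfee"),
    ("symefasi", "Symantec/Broadcom"),
];

/// Case-insensitive lookup, since filter names are matched case-insensitively by Windows.
pub fn known_product(filter_name: &str) -> Option<&'static str> {
    KNOWN_SECURITY_FILTERS
        .iter()
        .find(|(name, _)| name.eq_ignore_ascii_case(filter_name))
        .map(|(_, product)| *product)
}

/// Sort descending by altitude (highest first, as the UI does).
/// Rows whose altitude does not parse sort last; ties keep their input order.
pub fn sort_by_altitude(filters: &mut Vec<Minifilter>) {
    filters.sort_by(|a, b| parse_altitude(&b.altitude).cmp(&parse_altitude(&a.altitude)));
}

/// Convenience wrapper returning just the names in sorted order.
pub fn sorted_names(filters: &[Minifilter]) -> Vec<String> {
    let mut v = filters.to_vec();
    sort_by_altitude(&mut v);
    v.iter().map(|f| f.filter_name.clone()).collect()
}

/// Constructed sample data, not real enumeration output.
pub fn sample_filters() -> Vec<Minifilter> {
    let row = |n: &str, a: &str, i: u32| Minifilter {
        filter_name: n.to_string(),
        altitude: a.to_string(),
        num_instances: i,
    };
    vec![
        row("csagent", "264000", 3),
        row("WdFilter", "328010", 4),
        row("FileInfo", "40500", 5),
        row("broken", "n/a", 0),
    ]
}

fn main() {
    let mut filters = sample_filters();
    sort_by_altitude(&mut filters);
    for f in &filters {
        let category = parse_altitude(&f.altitude)
            .map(altitude_category)
            .unwrap_or("Unparseable");
        let product = known_product(&f.filter_name).unwrap_or("-");
        println!(
            "{:<16} {:>8} {:<17} {:<20} instances={}",
            f.filter_name, f.altitude, category, product, f.num_instances
        );
    }
}
```

Sorting on the parsed integer rather than on the raw string matters: string order would place "40500" after "328010" only by accident of length, and a malformed altitude would throw an error or sort arbitrarily instead of being pushed to the bottom where an analyst will notice it.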
UI Features
Access via Kernel Utilities tab → Minifilters sub-tab:
- Minifilter table: Name, Altitude, Address, Instances, Pre/Post callbacks
- Sorting: default descending by altitude (highest first)
- Search filter: filter by name, altitude, or owner module
- CSV export: export to minifilters.csv
- Context menu: Copy Filter Name, Altitude, Address, Unlink Callbacks
- Altitude highlighting: yellow highlight for visibility
Use Cases
- Identify EDR/AV minifilters monitoring file operations
- Disable specific minifilter callbacks for security research
- Analyze minifilter load order via altitude values
- Test minifilter bypass techniques in controlled environments
- Forensic analysis of installed filesystem filters