FilterUnloadCallback

Hi,

Citing from MS page “A minifilter driver’s FilterUnloadCallback routine is called when the minifilter driver is unloaded. This routine closes any open communication server ports, calls FltUnregisterFilter, and performs any needed cleanup. Registering this routine is optional. However, if the minifilter driver does not register a FilterUnloadCallback routine, the minifilter driver cannot be unloaded”

Link: https://msdn.microsoft.com/en-us/windows/hardware/drivers/ifs/loading-and-unloading

How can one unload a mini filter driver if it does not support the unload callback?
One option I know is to shut down the entire filter manager.

  1. What other options do I have?
  2. What privileges are required?
  3. Is there some way to make the filter driver robust in a way that it cannot be interrupted even with admin privileges?

> How can one unload a mini filter driver if it does not support the unload callback?

Disable the filter’s service and reboot. This is the only supported way.

-scott
OSR
@OSRDrivers


Shutting down the entire filter manager will disrupt the entire system
because there might be many filters (AVs, encryption, virtualization,
etc.) that are built to run within the filter manager. All the MSFT
filters are based on filter manager now.
By shutting down the filter manager you will for sure disrupt the normal
behavior of the system.
If you have admin privileges then you can do whatever you want anyway
without having to stop the filter manager from working.
You can simply delete the filter. The filter may support manual instance
detach. So you can detach the filter from all the attached volumes. You
could also mark the start type of the filter service in the registry as
disabled (4); this way the filter will not be loaded altogether.

To unload it during run-time without the unload callback is not an option.

Cheers,
Gabriel
www.kasardia.com

On Wed, Mar 15, 2017 at 6:29 PM, Scott Noone wrote:

>> How can one unload a mini filter driver if it does not support the unload
>> callback?
>
> Disable the filter’s service and reboot. This is the only supported way.
>
> -scott
> OSR
> @OSRDrivers


Bercea. G.
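
One way to check a machine for the state discussed in this thread, where a minifilter is still loaded but its service start type has been set to disabled (4) so it will not load after the next reboot. This is an added example, not part of the original posts. It assumes an elevated PowerShell prompt and that each filter's name in `fltmc filters` matches its service key name.

```powershell
# Added example: audit minifilter services for a Disabled start type.
# Run elevated: fltmc.exe requires administrator rights.

$startNames  = @{ 0 = 'Boot'; 1 = 'System'; 2 = 'Auto'; 3 = 'Demand'; 4 = 'Disabled' }
$servicesKey = 'HKLM:\SYSTEM\CurrentControlSet\Services'

# Filters currently registered with Filter Manager. Data rows of `fltmc filters`
# begin with the filter name followed by its instance count; header and
# separator rows do not match this pattern.
$loaded = @(fltmc.exe filters | ForEach-Object {
    if ($_ -match '^(\S+)\s+\d+\s+\S+') { $Matches[1] }
})

# A minifilter's service key carries an Instances subkey (default instance, altitude).
$report = Get-ChildItem -Path $servicesKey -ErrorAction SilentlyContinue |
    Where-Object { $_.GetSubKeyNames() -contains 'Instances' } |
    ForEach-Object {
        $name  = $_.PSChildName
        $start = $_.GetValue('Start')          # REG_DWORD, $null if the value is missing
        $isLoaded = $loaded -contains $name    # -contains is case-insensitive
        [pscustomobject]@{
            Filter         = $name
            StartType      = if ($null -eq $start) { 'Unknown' } else { $startNames[[int]$start] }
            LoadedNow      = $isLoaded
            # Loaded now but disabled for the next boot: the window between
            # "disable the filter's service" and the reboot.
            PendingRemoval = ($start -eq 4) -and $isLoaded
        }
    }

$report | Sort-Object Filter | Format-Table -AutoSize

$report | Where-Object PendingRemoval | ForEach-Object {
    Write-Warning "$($_.Filter) is loaded but its service start type is Disabled (4)"
}
```

A filter that shows `StartType` of `Disabled` and `LoadedNow` of `False` has already been through the reboot; the warning only covers the window before it.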