Device Tree (File System Filter Driver)

Can anyone tell me whether if someone were to create a file system filter driver would it show up in device tree under DRV Driver\Disk node ?

Hi Victor.

A legacy file system filter will show up on the device tree, but minifilters don’t.
Minifilters are based on Instances. Filter Manager creates it’s devices so that minifilters can receive/send IRPs on its behalf. This also makes device stacks smaller.

Regards,

Fernando Roberto da Silva
DriverEntry Kernel Development

Thank you for the response. But where does a system filter driver show up in device tree ? Thanks in advance.

I’m having a hard time answering your question…Do you mean the OSR utility “Device Tree” or THE device tree in Windows? Why are you asking (so that I can better try to answer your question)?

-scott
OSR
@OSRDrivers

@Scott Noone.

I’m trying to understand how device tree the OSR utility works. In particular how a driver that filters the TCP protocol will show up in the list of kernel mode drivers as shown in device tree the utility. Would it branch off an existing node (as I call it) become like a child node or show up as a separate branch by itself like a parent node.

Device Tree enumerates every driver in the system. For every driver it then finds every device. For every device is then sends it an IRP_MJ_PNP/IRP_MN_QUERY_DEVICE_RELATIONS request.

A TCP protocol filter is much different from a file system filter…

Back in the day, people wrote their TCP filters as TDI filters. These would attach to the legacy device objects responsible for the protocols (e.g. \Device\TcpIp, IIRC…). Legacy device objects aren’t really in the Windows device tree, show these filters would show up in our utility attached to some device object in the “Driver View”.

Nowadays TCP filtering is done through WFP. AFAIK these filters don’t have device objects and therefore would not show up in Device Tree.

-scott
OSR
@OSRDrivers