Windows driver for event detection

Hello,

I need a Windows driver for a scanning/antivirus project, which can access the events of Windows to detect user interactions. As antivirus software I use ClamAV, which only has a native on-access feature under Linux.

Now my question: can someone recommend such a driver to me, which is suitable for my purpose, or write one for me? Unfortunately I am not really experienced in developing drivers.

An interface to transfer the event information from the driver to my API would also be good. If it is a ready-made driver, how could I access it?

Thanks in advance for any tips.

Best
Gabe

Hmmmm… I’m not really sure what you’re looking for here, or what your constraints are.

A professionally written and designed solution to do what you’ve described is a big project. You’re free to contact various consulting firms, including OSR, to discuss your needs and constraints.

But, you’re not going to find anything off the shelf, and commercial discussions (such as discussing potential projects, rates, and quotations) are strictly forbidden in this forum… as you no doubt already know, having read the forum guidelines before posting.

I’m going to leave this discussion open for now, but you have been warned: no commercial discussions are allowed.

Thank you for your reply.

It is not a commercial project, but an open-source solution which I am developing for myself and would like to make available to the community later, when the software is secure and stable (according to its current status).

I did not know that such requests as I have made are problematic here; I apologize for this.

Do you think it is such a big undertaking to create a driver for recognizing user interactions in Windows? It should "only" read Event Tracing for Windows (ETW) and possibly WMI and send these events to an event_handler in my application. Unfortunately I have no budget for this project, what a pity... I would still be grateful for a clue as to how I could continue with my project without spending a fortune (for me) on it.

Hmmmm... I still don't really know which events you want to capture. "ETW and possibly WMI" is suggesting a technical approach, not describing the events in which you're interested.

There are a lot of example drivers in the Windows Driver Kit, see here, for some file-activity related drivers.

Or, perhaps, you can elaborate on what you're trying to accomplish. For example, how about you post something like: "I am trying to capture all the CreateFile operations for all local files on a Windows system; I would also like to capture all process creations, and executables and DLLs that are loaded on a given system... can you folks suggest a sample from which to start, or what I might look at to begin to learn how to do this? Please be aware that this is a hobby project, not a professional software development exercise."


Ah, thanks I understand better now.

Specifically, I want to inspect all user interactions with the operating system, i.e. when a user accesses a file or wants to write a file, no matter what kind of file it is, whether it is an exe, a DLL or a text document. By event I mean the interaction between the user and the file/memory system; a state change could also be an event. In my understanding, changing the state is something as trivial as the transition from exe -> exe executed.

This interaction should be recorded on-access, i.e. live: at which location in the system (memory address or file path) and at what time. I don't want to go as far as monitoring all files at the same time; I think that would be far too complicated and would require too many system resources. It would be important to record the current interaction between user and file system/memory.

If for an event (copying an exe file to C:\ or executing a file from C:) the path or address is fixed, this information is sent via my API to ClamAV (free/open-source AV) and is used there. The file is scanned by the ClamAV antivirus software; the decision whether the file is potentially dangerous and needs to be removed is made solely by the ClamAV engine.

I initially thought that this would be handled internally in Windows by a kind of event_management system. But I would like to take a closer look at kernel development and learn something in the process. And as already mentioned, this is a hobby/community project (not commercial!).

If you are interested, I would be happy to share my code with you here before the release.

Please can someone help me get into the subject and show me which way I can go without having to learn the whole of kernel development over the next 20 years.

You need to develop, at a minimum, a file system minifilter. This is not a trivial exercise (no development in kernel-mode is ever trivial, and Windows is a particularly complicated kernel-mode environment).

You can try looking at the minispy and/or AVScan minifilter examples (described on the page I linked earlier).

I don't want to go as far as monitoring all files at the same time, I think that would be far too complicated and would require too many system resources

Hmmm... Sadly, it doesn't really WORK the way you seem to be envisioning. Basically, you monitor particular disk volumes for the type of file system activity you're interested in (such as "file opens" or "file reads"). You see all the activity on the volume that you're monitoring.

This isn't simple, and (free advice) looking at the minifilter examples can make it look a LOT easier than it actually is when you're trying to do something useful.

Windows kernel-mode development tends not to be something that you can "cowboy" your way through... IOW, you can't just grab a sample, read for a couple of hours, hack on it in the editor, and expect to have something working. To give you some perspective: We teach a week-long seminar on minifilter development, and we just barely scratch the surface in terms of what you need to know to do a real project. I understand that this is a hobby project for you, so I'm not suggesting you take that seminar (I mean... you'd be welcome to if you wanted to spend the money :) ).

I realize this isn't what you want to hear.


Okay, thank you very much for the information.

I was also thinking about compiling the ready-made AVScan minifilter driver directly and later filtering out the accesses I need at a higher level...

Unfortunately I can't get the driver installed: the compile doesn't return an .inf file, and if I customize one manually and add it to the compiled driver, I can't install the driver either.
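The build does not generate an INF: a minifilter INF is a hand-written text file that the WDK build at most stamps with a version, and it is what creates the service and the Instances/Altitude registry keys that Filter Manager needs before `fltmc load` will work. The script below is an added example (not from the thread, the OSR poster, or the WDK AVScan sample itself) of such an INF and of the install, load and per-volume verification steps that the earlier reply describes, where a filter attaches to volumes and then sees all activity on each attached volume. It assumes the built binary is named avscan.sys, the service name is "avscan", the target is a 64-bit test VM with test signing enabled, the script runs from an elevated PowerShell in the directory holding avscan.sys, and that the altitude value is a placeholder in the Anti-Virus range (a shipped product gets its altitude allocated by Microsoft).

```powershell
# Added example: install a minifilter built from the AVScan sample and check
# which volumes it is attached to. Assumptions: avscan.sys is in the current
# directory, the service name is "avscan", and this runs elevated on an x64 test VM.

$inf = @'
[Version]
Signature = "$Windows NT$"
Class     = "AntiVirus"
ClassGuid = {b1d1a169-c54f-4379-81db-bee7d88d7454}
Provider  = %ProviderString%
DriverVer = 01/01/2024,1.0.0.0

[DestinationDirs]
DefaultDestDir     = 12
AvScan.DriverFiles = 12                 ; %windir%\system32\drivers

[DefaultInstall.NTamd64]
OptionDesc = %ServiceDescription%
CopyFiles  = AvScan.DriverFiles

[DefaultInstall.NTamd64.Services]
AddService = %ServiceName%,,AvScan.Service

[DefaultUninstall.NTamd64]
DelFiles = AvScan.DriverFiles

[DefaultUninstall.NTamd64.Services]
DelService = %ServiceName%,0x200        ; stop the service before deleting it

[AvScan.Service]
DisplayName    = %ServiceName%
Description    = %ServiceDescription%
ServiceBinary  = %12%\%DriverName%.sys
Dependencies   = "FltMgr"
ServiceType    = 2                      ; SERVICE_FILE_SYSTEM_DRIVER
StartType      = 3                      ; SERVICE_DEMAND_START
ErrorControl   = 1                      ; SERVICE_ERROR_NORMAL
LoadOrderGroup = "FSFilter Anti-Virus"
AddReg         = AvScan.AddRegistry

[AvScan.AddRegistry]
HKR,"Instances","DefaultInstance",0x00000000,%DefaultInstance%
HKR,"Instances\"%Instance1.Name%,"Altitude",0x00000000,%Instance1.Altitude%
HKR,"Instances\"%Instance1.Name%,"Flags",0x00010001,%Instance1.Flags%

[AvScan.DriverFiles]
%DriverName%.sys

[SourceDisksFiles]
avscan.sys = 1,,

[SourceDisksNames]
1 = %DiskId1%,,,

[Strings]
ProviderString     = "Hobby project"
ServiceDescription = "AvScan minifilter (hobby build)"
ServiceName        = "avscan"
DriverName         = "avscan"
DiskId1            = "AvScan installation disk"
DefaultInstance    = "AvScan Instance"
Instance1.Name     = "AvScan Instance"
Instance1.Altitude = "328010"           ; placeholder (assumption) in the Anti-Virus range
Instance1.Flags    = 0x0                ; let Filter Manager attach to every volume
'@

$infPath = Join-Path $PWD 'avscan.inf'
Set-Content -Path $infPath -Value $inf -Encoding ASCII

# An unsigned or test-signed driver only loads with test signing on (reboot after changing).
bcdedit /set testsigning on

# Install: copies avscan.sys to system32\drivers and creates the service and Instances keys.
rundll32.exe setupapi.dll,InstallHinfSection DefaultInstall 132 $infPath

# Load the filter, then confirm the altitude and which volumes it is attached to.
fltmc load avscan
fltmc filters                  # filter name, number of instances, altitude, frame
fltmc instances -f avscan      # one instance per attached volume

# Attachment is per volume, not per file: drop a volume you do not care about,
# or attach one explicitly, instead of trying to "monitor only some files".
# fltmc detach avscan D:
# fltmc attach avscan E:
```

If `rundll32` succeeds silently but `fltmc load` fails, check `fltmc filters` for an altitude collision and the System event log for the driver's own load errors; the AVScan sample also expects its user-mode scanner to connect on the filter's communication port before it is useful.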