Hello,
Please consider adding the filter command to your listings.
C:\WINDOWS\system32>fltmc help
Valid commands:
  load        Loads a Filter driver
  unload      Unloads a Filter driver
  filters     Lists the Filters currently registered in the system
  instances   Lists the Instances for a Filter or Volume currently
              registered in the system
  volumes     Lists all volumes/RDRs in the system
  attach      Creates a Filter Instance to a Volume
  detach      Removes a Filter Instance from a Volume
Use fltmc help [ command ] for help on a specific command
Thank you,
Dee
If you want to promote a certain command/program, you should describe what the purpose of the command is and give some examples, at least. Otherwise, your post is not useful and just forces the rest of us to repeat the same effort you did the first time you used such a program...
Sorry, but I don't have enough spare time to spend learning how to use a program when I don't even know its purpose.
Hi Aacini,
When the SmartService rootkit infects a computer, one of the tactics it employs to obfuscate its presence is to install a driver which intercepts and filters calls between other (legitimate) drivers and the system. When you run fltmc in CMD (admin), it will display all the filters on the system. That info allows you to identify and delete the malicious filter.
FLTMC is really the best tool for the job. It's a native part of every Windows installation and should be listed on your very useful site.
Thank you for your consideration.
Dee
Hi Aacini,
Here's an example of the use of fltmc. I ran it on my own PC. All of the filters displayed by the command are legitimate in this instance:
C:\WINDOWS\system32>fltmc
Filter Name                     Num Instances    Altitude    Frame
------------------------------  -------------  ------------  -----
aswSP                                  12       388401         0
epp                                    13       328900         0
aswMonFlt                              14       320700         0
storqosflt                              0       244000         0
FileCrypt                               2       141100         0
aswSnx                                  9       137600         0
luafv                                   1       135000         0
npsvctrig                               1        46000         0
FileInfo                               14        45000         0
Wof                                     9        40700         0
Regards,
Dee
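An added example, not code from this thread or from ss64: a PowerShell function (the name Get-MinifilterInventory is mine) that parses the table produced by "fltmc filters" into objects and, for each filter, looks up the backing kernel driver through Win32_SystemDriver and reads its Authenticode signature. It assumes the filter name shown by fltmc equals the driver's service name (true for the common cases, not guaranteed), and it must be run from an elevated PowerShell prompt because fltmc itself needs administrator rights. The point is to turn "here is a list of names" into something a defender can act on: which binary stands behind each filter, whether it is loaded, and who signed it.

```powershell
# Added example, not from the forum thread: inventory minifilters and check who signed
# each one's driver binary. Run from an elevated PowerShell prompt (fltmc needs admin rights).

function Get-MinifilterInventory {
    [CmdletBinding()]
    param(
        # Raw "fltmc filters" text, e.g. captured on another machine. If omitted,
        # fltmc.exe is run on the local system.
        [string[]]$FltmcOutput
    )

    if (-not $FltmcOutput) {
        $FltmcOutput = & fltmc.exe filters 2>&1
        if ($LASTEXITCODE -ne 0) { throw "fltmc.exe failed (exit $LASTEXITCODE): $FltmcOutput" }
    }

    # Assumption: a minifilter's name in fltmc matches its driver service name, which is
    # how Win32_SystemDriver keys it. Build the lookup table once.
    $drivers = @{}
    foreach ($d in Get-CimInstance -ClassName Win32_SystemDriver) { $drivers[$d.Name.ToLower()] = $d }

    foreach ($line in $FltmcOutput) {
        # Data rows: name, instance count, altitude (may carry a decimal part), frame.
        # The header, the dashed rule and legacy-filter rows do not match and are skipped.
        if ($line -match '^\s*(\S+)\s+(\d+)\s+([\d.]+)\s+(\S+)\s*$') {
            $name      = $Matches[1]
            $instances = [int]$Matches[2]
            $altitude  = [double]$Matches[3]
            $frame     = $Matches[4]

            $drv  = $drivers[$name.ToLower()]
            $sig  = $null
            $path = $null
            if ($drv -and $drv.PathName) {
                # PathName may carry a \??\ prefix or be relative to the Windows directory.
                $path = $drv.PathName -replace '^\\\?\?\\', ''
                if (-not [System.IO.Path]::IsPathRooted($path)) { $path = Join-Path $env:SystemRoot $path }
                if (Test-Path -LiteralPath $path) { $sig = Get-AuthenticodeSignature -FilePath $path }
            }

            [pscustomobject]@{
                Filter    = $name
                Altitude  = $altitude
                Instances = $instances
                Frame     = $frame
                State     = if ($drv) { $drv.State } else { $null }
                Driver    = if ($path) { $path } else { '<no Win32_SystemDriver entry with this name>' }
                SigStatus = if ($sig) { $sig.Status.ToString() } else { $null }
                Signer    = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
            }
        }
    }
}

# Highest altitude first (the order fltmc itself uses). A filter whose driver cannot be
# located, whose signature is not 'Valid', or whose signer you do not recognise is the one
# to investigate further before any unload/detach from the help text above is considered.
Get-MinifilterInventory |
    Sort-Object Altitude -Descending |
    Format-Table Filter, Altitude, Instances, Driver, SigStatus, Signer -AutoSize
```

Reading the result: the altitude column is the load-order position Microsoft assigns to each registered minifilter, so the table is the same one fltmc prints, only enriched. A driver that Win32_SystemDriver cannot find under the filter's name is not by itself evidence of anything (the service name may simply differ); it is a prompt to locate the binary another way, for example through the filter's entry under HKLM\SYSTEM\CurrentControlSet\Services. Catalog-signed inbox drivers such as luafv, FileInfo and Wof should report Valid with a Microsoft subject; third-party products such as the aswSP/aswMonFlt/aswSnx entries in Dee's listing should report Valid with their vendor's subject.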
What the hell is a filter?
Hi Shadow Thief,
See "Development and Testing Tools" at microsoft.com
Excerpt:
Fltmc.exe Control Program
The Fltmc.exe control program is a command-line utility for common minifilter driver management operations. Developers can use Fltmc.exe to load and unload minifilter drivers, attach minifilter drivers to volumes or detach them from volumes, and enumerate minifilter drivers, instances, and volumes.
As previously mentioned, filters are sometimes used by malware to intercept calls between legitimate drivers and the operating system on Windows PCs. The FLTMC command allows researchers to display existing filters and delete malicious ones.
Dee
I have now added a page for this here
https://ss64.com/nt/fltmc.html
Also welcome to the forum Dee, and thanks for the suggestion
Last edited by Simon Sheppard (02 Jun 2017 18:25)
>Hi Shadow Thief,
>See "Development and Testing Tools" at microsoft.com
>Excerpt:
>Fltmc.exe Control Program
>The Fltmc.exe control program is a command-line utility for common minifilter driver management operations. Developers can use Fltmc.exe to load and unload minifilter drivers, attach minifilter drivers to volumes or detach them from volumes, and enumerate minifilter drivers, instances, and volumes.
>As previously mentioned, filters are sometimes used by malware to intercept calls between legitimate drivers and the operating system on Windows PCs. The FLTMC command allows researchers to display existing filters and delete malicious ones.
>Dee
That really doesn't answer my question at all. It's a kind of driver? What's a minifilter and how is it different from a regular filter?
@Simon Sheppard,
>I have now added a page for this here
>https://ss64.com/nt/fltmc.html
Excellent addition to an already stellar resource!
Many thanks,
Dee
>That really doesn't answer my question at all. It's a kind of driver? What's a minifilter and how is it different from a regular filter?
I agree with you. There is a good explanation of what "minifilter drivers" are at this site, but IMHO this info, or at least a much more detailed explanation of this topic, should have been provided by user Dee from the very beginning... After Dee's reply to my first question it seems that you should "consider using the fltmc command to check if the SmartService rootkit infected your computer"
It seems that Dee doesn't realize that technical users like to know the technical reasons before testing anything new on our own computers!
Antonio
I moved this into the 'Meta' subforum because it is more about adding a page to the website than a specific technical Q&A type thing.
[edit: OK I added a redirect]
Last edited by Simon Sheppard (05 Jun 2017 21:28)
The problem is that there is not a single indication of this move in the original subforum, as if this topic had just been deleted! I found it here after a complex search through my Profile and My Posts. Also, there is no link from the Q&A subforum to this Meta one...
Antonio
Last edited by Aacini (03 Jun 2017 22:34)