#1 29 May 2017 12:10

Dee
Member
Registered: 29 May 2017
Posts: 5

Consider adding FLTMC

Hello,

Please consider adding the filter command to your listings.

C:\WINDOWS\system32>fltmc help
Valid commands:
    load        Loads a Filter driver
    unload      Unloads a Filter driver
    filters     Lists the Filters currently registered in the system
    instances   Lists the Instances for a Filter or Volume currently
                registered in the system
    volumes     Lists all volumes/RDRs in the system
    attach      Creates a Filter Instance to a Volume
    detach      Removes a Filter Instance from a Volume

    Use fltmc help [ command ] for help on a specific command

Thank you,

Dee

#2 29 May 2017 13:40

Aacini
Member
Registered: 05 Dec 2012
Posts: 125

Re: Consider adding FLTMC

If you want to promote a certain command/program, you should describe what the purpose of the command is and give some examples, at least. Otherwise, your post is not useful and just forces the rest of us to repeat the same effort you did the first time you used such a program...

Sorry, but I do not have enough spare time to spend learning how to use a program I don't even know the purpose of.

#3 31 May 2017 04:43

Dee
Member
Registered: 29 May 2017
Posts: 5

Re: Consider adding FLTMC

Hi Aacini,

When the SmartService rootkit infects a computer, one of the tactics it employs to obfuscate its presence is to install a driver which intercepts and filters calls between other (legitimate) drivers and the system. When you run fltmc in CMD (admin), it will display all the filters on the system. That info allows you to identify and delete the malicious filter.

FLTMC is really the best tool for the job. It's a native part of every Windows installation and should be listed on your very useful site.

Thank you for your consideration.

Dee

#4 31 May 2017 04:48

Dee
Member
Registered: 29 May 2017
Posts: 5

Re: Consider adding FLTMC

Hi Aacini,

Here's an example of the use of fltmc. I ran it on my own PC. All of the filters displayed by the command are legitimate in this instance:

C:\WINDOWS\system32>fltmc

Filter Name                     Num Instances    Altitude    Frame
------------------------------  -------------  ------------  -----
aswSP                                  12       388401         0
epp                                    13       328900         0
aswMonFlt                              14       320700         0
storqosflt                              0       244000         0
FileCrypt                               2       141100         0
aswSnx                                  9       137600         0
luafv                                   1       135000         0
npsvctrig                               1        46000         0
FileInfo                               14        45000         0
Wof                                     9        40700         0

Regards,

Dee

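As an added example (not code from this thread, from ss64 or from fltmc itself), the following Python script parses the text that `fltmc` prints, in the same layout as the listing above, and compares the loaded filter names against a previously reviewed baseline for the same machine. The sample listing embedded in the script is constructed from Dee's output plus one made-up row named examplefilt (a placeholder, not a real driver) so that the comparison has something to report; the baseline set, the `FilterEntry` record and the helper functions are all assumptions of this example. Entries are printed highest altitude first, which is the order in which the filter manager stacks them (higher altitude sits further from the file system).

```python
import re
from dataclasses import dataclass

# Constructed sample: Dee's `fltmc` listing from the post above, plus one extra
# row (examplefilt, a made-up placeholder name, not a real driver) so that the
# baseline comparison below has something to flag.
SAMPLE_OUTPUT = """\
C:\\WINDOWS\\system32>fltmc

Filter Name                     Num Instances    Altitude    Frame
------------------------------  -------------  ------------  -----
aswSP                                  12       388401         0
epp                                    13       328900         0
aswMonFlt                              14       320700         0
storqosflt                              0       244000         0
examplefilt                             1       212345         0
FileCrypt                               2       141100         0
aswSnx                                  9       137600         0
luafv                                   1       135000         0
npsvctrig                               1        46000         0
FileInfo                               14        45000         0
Wof                                     9        40700         0
"""

# Constructed baseline: the names recorded from a previously reviewed listing
# of the same machine (here, exactly the ten filters in Dee's post).
BASELINE_NAMES = {
    "aswSP", "epp", "aswMonFlt", "storqosflt", "FileCrypt",
    "aswSnx", "luafv", "npsvctrig", "FileInfo", "Wof",
}


@dataclass(frozen=True)
class FilterEntry:
    name: str
    instances: int
    altitude: str   # kept as text: altitudes may carry a fractional part
    frame: int


# One data row: filter name, instance count, altitude, frame number.
ROW_RE = re.compile(r"^(\S+)\s+(\d+)\s+(\d+(?:\.\d+)?)\s+(\d+)$")


def parse_fltmc(text: str) -> list:
    """Turn the text printed by `fltmc` into FilterEntry records.

    The prompt line, the column header and the dashed rule do not match
    ROW_RE and are skipped; blank lines are skipped too.
    """
    entries = []
    for raw in text.splitlines():
        m = ROW_RE.match(raw.strip())
        if m:
            entries.append(FilterEntry(m.group(1), int(m.group(2)),
                                       m.group(3), int(m.group(4))))
    return entries


def by_altitude(entries):
    """Order entries as the filter manager stacks them: highest altitude first."""
    return sorted(entries, key=lambda e: float(e.altitude), reverse=True)


def compare_to_baseline(entries, baseline):
    """Return (unexpected, missing): names not in the baseline, and baseline
    names that are no longer loaded."""
    current = {e.name for e in entries}
    return current - set(baseline), set(baseline) - current


if __name__ == "__main__":
    entries = parse_fltmc(SAMPLE_OUTPUT)
    for e in by_altitude(entries):
        print(f"{e.name:<16}{e.instances:>4}  {e.altitude:>10}  frame {e.frame}")
    unexpected, missing = compare_to_baseline(entries, BASELINE_NAMES)
    print("not in baseline:", sorted(unexpected) or "none")
    print("missing from current:", sorted(missing) or "none")
```

To use it on a real machine, save the output of `fltmc` from an elevated prompt to a file and pass the file's contents to `parse_fltmc` in place of the constructed sample; the baseline is whatever list you recorded when the machine was last known good. A name that is not in the baseline is only a lead for a closer look at the driver behind it, not proof of anything on its own.
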
#5 02 Jun 2017 02:39

Shadow Thief
Member
Registered: 12 Jul 2012
Posts: 157

Re: Consider adding FLTMC

What the hell is a filter?

#6 02 Jun 2017 06:08

Dee
Member
Registered: 29 May 2017
Posts: 5

Re: Consider adding FLTMC

Hi Shadow Thief,

See "Development and Testing Tools" at microsoft.com

Excerpt:

Fltmc.exe Control Program

The Fltmc.exe control program is a command-line utility for common minifilter driver management operations. Developers can use Fltmc.exe to load and unload minifilter drivers, attach minifilter drivers to volumes or detach them from volumes, and enumerate minifilter drivers, instances, and volumes.

As previously mentioned, filters are sometimes used by malware to intercept calls between legitimate drivers and the operating system on Windows PCs. The FLTMC command allows researchers to display existing filters and delete malicious ones.

Dee

#7 02 Jun 2017 18:24

Simon Sheppard
Super Administrator
Registered: 27 Aug 2005
Posts: 902

Re: Consider adding FLTMC

I have now added a page for this here
https://ss64.com/nt/fltmc.html

Also welcome to the forum Dee, and thanks for the suggestion

Last edited by Simon Sheppard (02 Jun 2017 18:25)

#8 02 Jun 2017 21:54

Shadow Thief
Member
Registered: 12 Jul 2012
Posts: 157

Re: Consider adding FLTMC

Dee wrote:

Hi Shadow Thief,

See "Development and Testing Tools" at microsoft.com

Excerpt:

Fltmc.exe Control Program

The Fltmc.exe control program is a command-line utility for common minifilter driver management operations. Developers can use Fltmc.exe to load and unload minifilter drivers, attach minifilter drivers to volumes or detach them from volumes, and enumerate minifilter drivers, instances, and volumes.

As previously mentioned, filters are sometimes used by malware to intercept calls between legitimate drivers and the operating system on Windows PCs. The FLTMC command allows researchers to display existing filters and delete malicious ones.

Dee

That really doesn't answer my question at all. It's a kind of driver? What's a minifilter and how is it different from a regular filter?

#9 03 Jun 2017 07:18

Dee
Member
Registered: 29 May 2017
Posts: 5

Re: Consider adding FLTMC

@Simon Sheppard,

>I have now added a page for this here
>https://ss64.com/nt/fltmc.html

Excellent addition to an already stellar resource!

Many thanks,

Dee

#10 03 Jun 2017 16:25

Aacini
Member
Registered: 05 Dec 2012
Posts: 125

Re: Consider adding FLTMC

Shadow Thief wrote:

That really doesn't answer my question at all. It's a kind of driver? What's a minifilter and how is it different from a regular filter?

I agree with you. There is a good explanation of what "minifilter drivers" are at this site, but IMHO this info, or at least a much more detailed explanation of this topic, should have been provided by user Dee from the very beginning... After Dee's reply to my first question it seems that you should "consider using the fltmc command to check if the SmartService rootkit infected your computer" :(

It seems that Dee doesn't realize that technical users like to know the technical reasons to test anything new on our own computers!

Antonio

#11 03 Jun 2017 18:36

Simon Sheppard
Super Administrator
Registered: 27 Aug 2005
Posts: 902

Re: Consider adding FLTMC

I moved this into the 'Meta' subforum because it is more about adding a page to the website than a specific technical Q&A type thing.

[edit: OK I added a redirect]

Last edited by Simon Sheppard (05 Jun 2017 21:28)

#12 03 Jun 2017 22:30

Aacini
Member
Registered: 05 Dec 2012
Posts: 125

Re: Consider adding FLTMC

The problem is that there is not a single indication of this move in the original subforum, as if this topic had just been deleted! I found it here after a complex search through my Profile and My Posts. Also, there is no link in the Q&A subforum to this Meta one...

Antonio

Last edited by Aacini (03 Jun 2017 22:34)
