Getting Started
This guide walks you through setting up the development environment, building all components, and running the system for the first time.
Related: Building the Project · Installing the Driver · System Overview
1. Prerequisites
Required Software
| Software | Version | Purpose |
|---|---|---|
| Visual Studio 2022 | 17.x+ | IDE, MSVC compiler, MSBuild |
| Windows SDK | 10.0.22621.0+ | Windows API headers and libraries |
| Windows Driver Kit (WDK) | 10.0.22621.0+ | Kernel driver development (fltKernel.h, fltlib.lib) |
| Windows 10/11 | 20H2+ | Target OS for driver deployment |
Required Visual Studio Workloads
- Desktop development with C++
- Windows Driver Kit (available as individual component or VSIX)
Target Machine Requirements
- Windows 10/11 (x64 or ARM64)
- Test signing enabled. The WDK build signs the driver with a self-signed test certificate, and the kernel only accepts such test-signed drivers in test-signing mode (as Administrator; a reboot is required after enabling):
`bcdedit /set testsigning on`
Test-signing mode weakens kernel code-integrity enforcement, so enable it only on a dedicated test machine or VM, never on a production host. It cannot be enabled while Secure Boot is on.
2. Quick Start
flowchart TD
Start["Clone Repository"]
Start --> Build["Build all 3 projects\n(Visual Studio)"]
Build --> TestSign["Enable test signing\n(target machine)"]
TestSign --> Install["Run InstallDriver.cmd\n(as Admin)"]
Install --> Scanner["Launch Scanner.exe\n(Mode 1: Pipe Server)"]
Scanner --> Monitor["Launch FsMinifilterMonitor.exe"]
Monitor --> Done["✅ System is monitoring!\nOpen any .exe/.dll to see events"]
style Done fill:#2d6a4f,color:#fff
Step-by-Step
1. Clone the repository.
2. Open the solution: open `Windows File System Minifilter.sln` (the root solution) or open each sub-project individually.
3. Build all three components (see Building the Project for detailed instructions):
   - `Windows File System Minifilter` (kernel driver) → produces a `.sys` file
   - `FsMinifilterMonitor` (monitor) → produces an `.exe` file
   - `scanner` (scanner) → produces an `.exe` file
4. Enable test signing on the target machine (one-time, as Administrator): `bcdedit /set testsigning on` (reboot required).
5. Install the driver (as Administrator): `InstallDriver.cmd install`
6. Start the scanner (in a terminal): `scanner.exe`, then select `1` for pipe server mode.
7. Start the monitor (in another terminal): `FsMinifilterMonitor.exe`
8. Test it: open any `.exe` or `.dll` file on the system. You should see:
   - Events printed in the Monitor window
   - Scan results in the Scanner window
3. Architecture Refresher
Before diving deeper, understand the three components and how they connect:
flowchart LR
Driver["WindowsFileSystemMinifilter.sys\n(Kernel)"]
Monitor["FsMinifilterMonitor.exe\n(Bridge)"]
Scanner["Scanner.exe\n(Analysis)"]
Driver -->|"Filter Port"| Monitor
Monitor -->|"Named Pipe"| Scanner
style Driver fill:#e63946,color:#fff
style Monitor fill:#e07a5f,color:#fff
style Scanner fill:#2d6a4f,color:#fff
| Start Order | Component | Why |
|---|---|---|
| 1st | Driver (InstallDriver.cmd) | Must be running before monitor can connect |
| 2nd | Scanner.exe (Mode 1) | Must create the named pipe before monitor tries to connect |
| 3rd | FsMinifilterMonitor.exe | Connects to both driver port and scanner pipe |
4. Verifying the Installation
Check driver is loaded
fltmc
You should see WindowsFileSystemMinifilter in the list with altitude 47777.
Check service is running
sc query WindowsFileSystemMinifilter
State should show RUNNING.
Check communication
When the monitor connects, the driver prints the following to the kernel debug output:
FsMinifilter: Client connected
View this in WinDbg, DebugView, or the kernel debugger. If nothing appears, note that modern Windows filters `DbgPrint` output by default: set the REG_DWORD value `DEFAULT` to `0xF` under `HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Debug Print Filter` and reboot.
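The checks in this section, collected into one script as an added example (this is not part of the project; it only uses the filter/service name and altitude stated on this page, and the function names are this example's own):

```powershell
# Added example, not project code: pre-flight and post-install checks for the
# minifilter pipeline. Filter/service name and altitude are taken from this page;
# function names are hypothetical helpers for this script only.
#Requires -RunAsAdministrator

$FilterName = 'WindowsFileSystemMinifilter'
$ExpectedAltitude = '47777'

function Test-TestSigningEnabled {
    # bcdedit prints a "testsigning  Yes" line only when the option is set.
    $out = & bcdedit.exe /enum '{current}' 2>&1
    return [bool]($out | Where-Object { $_ -match '^\s*testsigning\s+Yes\s*$' })
}

function Get-LoadedMinifilter {
    param([string]$Name)
    # Parse the table printed by "fltmc filters":
    #   Filter Name   Num Instances   Altitude   Frame
    foreach ($line in (& fltmc.exe filters 2>&1)) {
        if ($line -match '^(?<name>\S+)\s+(?<inst>\d+)\s+(?<alt>[\d.]+)\s+(?<frame>\S+)\s*$') {
            if ($Matches.name -ieq $Name) {
                return [pscustomobject]@{
                    Name      = $Matches.name
                    Instances = [int]$Matches.inst
                    Altitude  = $Matches.alt
                    Frame     = $Matches.frame
                }
            }
        }
    }
    return $null
}

function Test-DriverServiceRunning {
    param([string]$Name)
    $svc = Get-Service -Name $Name -ErrorAction SilentlyContinue
    return ($null -ne $svc -and $svc.Status -eq 'Running')
}

# Run the checks in the order the start-order table requires (driver first).
$ok = $true
if (-not (Test-TestSigningEnabled)) {
    Write-Warning "Test signing is OFF. Run 'bcdedit /set testsigning on' and reboot (test VM only)."
    $ok = $false
}
$f = Get-LoadedMinifilter -Name $FilterName
if ($null -eq $f) {
    Write-Warning "$FilterName is not loaded. Run 'InstallDriver.cmd install' as Administrator."
    $ok = $false
} elseif ($f.Altitude -ne $ExpectedAltitude) {
    Write-Warning "$FilterName loaded at altitude $($f.Altitude), expected $ExpectedAltitude."
} else {
    Write-Host "$FilterName loaded: $($f.Instances) instance(s), altitude $($f.Altitude), frame $($f.Frame)"
}
if (-not (Test-DriverServiceRunning -Name $FilterName)) {
    Write-Warning "Service $FilterName is not RUNNING (compare with 'sc query $FilterName')."
    $ok = $false
}
if ($ok) { Write-Host 'Driver-side checks passed; start Scanner.exe (mode 1), then FsMinifilterMonitor.exe.' }
exit ([int](-not $ok))
```

Run it from an elevated PowerShell on the target machine before launching the scanner and monitor; a non-zero exit code means one of the driver-side prerequisites from the start-order table is missing, which is the usual cause of the "Failed to connect to minifilter" error below.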
5. Troubleshooting
| Problem | Cause | Fix |
|---|---|---|
| “Failed to connect to minifilter” | Driver not running | Run InstallDriver.cmd install as Admin |
| “Driver failed to start” | Test signing not enabled | bcdedit /set testsigning on + reboot |
| “Failed to connect to scanner pipe” | Scanner not started | Start Scanner.exe before Monitor |
| Architecture mismatch | Built for x64, running on ARM64 | Build for the correct target architecture |
| “Access denied” on install | Not running as Admin | Right-click → Run as Administrator |
| bcdedit: “The value is protected by Secure Boot policy” | Secure Boot is enabled, which blocks test-signing mode | Disable Secure Boot in the test VM's firmware settings (test machines only) |
6. Next Steps
- Deep-dive into building: Building the Project
- Driver installation details: Installing the Driver
- Understand the system: System Overview
- Add custom detection rules: Adding Detection Rules