Installing the Driver

Step-by-step guide to installing, verifying, and removing the WindowsFileSystemMinifilter kernel driver on a target machine.



1. Prerequisites

Enable Test Signing

Since the driver is not signed by a commercial certificate authority, you must enable test signing on the target machine:

bcdedit /set testsigning on

Reboot required. After reboot, you’ll see a “Test Mode” watermark on the desktop. This is expected.

Administrator Access

All driver installation commands require an elevated (Administrator) command prompt.


2. Installation Methods

Method 1: Install Script

The project includes an install/remove script, InstallDriver.cmd, which automates the steps described below.

flowchart TD
    Run["Run InstallDriver.cmd\n(as Administrator)"]
    
    Run --> Menu{"Select option"}
    
    Menu -->|"1"| Install["Install driver\n(latest Release build)"]
    Menu -->|"2"| Remove["Remove driver\ncompletely"]
    Menu -->|"3"| Reinstall["Reinstall\n(remove + install)"]
    Menu -->|"4"| Exit["Exit"]

    Install --> Find["Auto-find .sys file\n(searches Release then Debug,\nARM64 then x64)"]
    Find --> Clean["Clean any existing install"]
    Clean --> Copy["Copy to System32\\drivers"]
    Copy --> Service["Create service\n(sc.exe create)"]
    Service --> Registry["Configure registry\n(altitude, group, instance)"]
    Registry --> Start["Start service\n(sc.exe start)"]
    Start --> Verify{"Running?"}
    Verify -->|Yes| Success["✅ Installed"]
    Verify -->|No| Fail["❌ Check test signing"]

    style Success fill:#2d6a4f,color:#fff
    style Fail fill:#e63946,color:#fff

Usage

# Interactive menu
InstallDriver.cmd

# Direct install
InstallDriver.cmd install

# Direct remove
InstallDriver.cmd remove

What the script does

  1. Finds the driver — Searches multiple paths in priority order:
    • Windows File System Minifilter\ARM64\Release\
    • Windows File System Minifilter\x64\Release\
    • ARM64\Release\
    • x64\Release\
    • Falls back to Debug builds
  2. Cleans existing installation — Unloads, stops, deletes service, removes old .sys

  3. Copies driver: copy /Y to C:\Windows\System32\drivers\

  4. Creates service: sc.exe create WindowsFileSystemMinifilter type=filesys start=demand

  5. Configures registry:
    DependOnService = FltMgr
    Group = FSFilter Activity Monitor
    DefaultInstance = "WindowsFileSystemMinifilter Instance"
    Altitude = 47777
    Flags = 0
    
  6. Starts the driver: sc.exe start WindowsFileSystemMinifilter

Method 2: Manual Installation

If you prefer manual control:

# 1. Copy driver
copy "Windows File System Minifilter\ARM64\Release\WindowsFileSystemMinifilter.sys" C:\Windows\System32\drivers\

# 2. Create service
sc.exe create WindowsFileSystemMinifilter type= filesys start= demand binPath= "C:\Windows\System32\drivers\WindowsFileSystemMinifilter.sys"

# 3. Configure registry
reg add "HKLM\SYSTEM\CurrentControlSet\Services\WindowsFileSystemMinifilter" /v "DependOnService" /t REG_MULTI_SZ /d "FltMgr" /f
reg add "HKLM\SYSTEM\CurrentControlSet\Services\WindowsFileSystemMinifilter" /v "Group" /t REG_SZ /d "FSFilter Activity Monitor" /f
reg add "HKLM\SYSTEM\CurrentControlSet\Services\WindowsFileSystemMinifilter\Instances" /v "DefaultInstance" /t REG_SZ /d "WindowsFileSystemMinifilter Instance" /f
reg add "HKLM\SYSTEM\CurrentControlSet\Services\WindowsFileSystemMinifilter\Instances\WindowsFileSystemMinifilter Instance" /v "Altitude" /t REG_SZ /d "47777" /f
reg add "HKLM\SYSTEM\CurrentControlSet\Services\WindowsFileSystemMinifilter\Instances\WindowsFileSystemMinifilter Instance" /v "Flags" /t REG_DWORD /d 0 /f

# 4. Start
sc.exe start WindowsFileSystemMinifilter

3. Verification

Check Minifilter is Loaded

fltmc

Expected output:

Filter Name                     Num Instances    Altitude    Frame
------------------------------  -------------    --------    -----
WindowsFileSystemMinifilter     X                47777       0

Check Service Status

sc.exe query WindowsFileSystemMinifilter

Expected:

STATE : 4  RUNNING

Check Debug Output

If you have a kernel debugger or DebugView (with “Capture Kernel” enabled):

FsMinifilter: DriverEntry
FsMinifilter: Communication port created
FsMinifilter: Started successfully

4. Removal

Using the Script

InstallDriver.cmd remove

Manual Removal

# 1. Unload minifilter
fltmc unload WindowsFileSystemMinifilter

# 2. Stop service
sc.exe stop WindowsFileSystemMinifilter

# 3. Delete service
sc.exe delete WindowsFileSystemMinifilter

# 4. Remove driver file
del /f C:\Windows\System32\drivers\WindowsFileSystemMinifilter.sys

# 5. Clean registry
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WindowsFileSystemMinifilter" /f

5. Updating the Driver

To update after a new build:

flowchart LR
    Build["Build new .sys"] --> Reinstall["InstallDriver.cmd\nOption 3: Reinstall"]
    
    Reinstall --> Unload["Unload old driver"]
    Unload --> Copy["Copy new .sys"]
    Copy --> Start["Start new driver"]

    style Reinstall fill:#e07a5f,color:#fff

Use Option 3 (Reinstall) from the script menu, which performs a clean remove followed by a fresh install.


6. Troubleshooting

Driver Won’t Start

| Error | Cause | Fix |
|---|---|---|
| ERROR_FILE_NOT_FOUND | .sys not in System32\drivers | Re-copy the file |
| ERROR_SIGNED_MODE_POLICY_VIOLATION | Test signing not enabled | bcdedit /set testsigning on + reboot |
| ERROR_SERVICE_ALREADY_EXISTS | Old service registration | sc.exe delete WindowsFileSystemMinifilter then re-install |
| ERROR_SHARING_VIOLATION on copy | Old driver still loaded | Unload with fltmc unload first |
| Architecture mismatch | ARM64 .sys on x64 machine (or vice versa) | Build for the correct platform |

Driver Loads But Crashes (BSOD)

  1. Check Event Viewer → Windows Logs → System for bug check codes
  2. Enable kernel debugging (bcdedit /debug on)
  3. Use WinDbg to analyze the crash dump
  4. Check DbgPrint output for the last successful operation

Driver File Locked

If the .sys file cannot be deleted:

  1. Make sure the minifilter is unloaded: fltmc unload WindowsFileSystemMinifilter
  2. Stop the service: sc.exe stop WindowsFileSystemMinifilter
  3. Wait 3–5 seconds
  4. Try takeown /f <file> followed by del /f
  5. If still locked, reboot and delete before starting the service

7. Registry Reference

flowchart TB
    subgraph Registry["HKLM\\SYSTEM\\CurrentControlSet\\Services\\WindowsFileSystemMinifilter"]
        Type["Type = 2 (FILE_SYSTEM_DRIVER)"]
        Start["Start = 3 (DEMAND_START)"]
        Error["ErrorControl = 1 (NORMAL)"]
        Image["ImagePath = ...\\WindowsFileSystemMinifilter.sys"]
        Depend["DependOnService = FltMgr"]
        Group["Group = FSFilter Activity Monitor"]
        
        subgraph Instances["Instances"]
            Default["DefaultInstance = 'WindowsFileSystemMinifilter Instance'"]
            subgraph Instance1["WindowsFileSystemMinifilter Instance"]
                Altitude["Altitude = '47777'"]
                Flags["Flags = 0"]
            end
        end
    end

    style Registry fill:#1a1a2e,color:#fff
    style Instances fill:#4361ee,color:#fff
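
Added example (not part of the project): a PowerShell audit script that compares the installed service with the values in the Registry Reference above, confirms ImagePath points at System32\drivers, checks that the installed .sys has the same SHA-256 as the build output, and looks for the filter in fltmc. The script and its $BuildPath default are assumptions; save it as a .ps1 file and run it elevated on the target machine.

```powershell
# Added example, not part of the project. Run from an elevated PowerShell prompt.
param(
    # Assumption: path to the freshly built driver, as used in the manual install step.
    [string]$BuildPath = 'Windows File System Minifilter\ARM64\Release\WindowsFileSystemMinifilter.sys'
)
$name      = 'WindowsFileSystemMinifilter'
$svc       = "HKLM:\SYSTEM\CurrentControlSet\Services\$name"
$inst      = "$svc\Instances\$name Instance"
$installed = "$env:SystemRoot\System32\drivers\$name.sys"

# Expected values, copied from the Registry Reference section of this page.
$expected = @(
    @{ Key = $svc;             Value = 'Type';            Want = 2 }
    @{ Key = $svc;             Value = 'Start';           Want = 3 }
    @{ Key = $svc;             Value = 'ErrorControl';    Want = 1 }
    @{ Key = $svc;             Value = 'DependOnService'; Want = 'FltMgr' }
    @{ Key = $svc;             Value = 'Group';           Want = 'FSFilter Activity Monitor' }
    @{ Key = "$svc\Instances"; Value = 'DefaultInstance'; Want = "$name Instance" }
    @{ Key = $inst;            Value = 'Altitude';        Want = '47777' }
    @{ Key = $inst;            Value = 'Flags';           Want = 0 }
)
$problems = @()
foreach ($e in $expected) {
    $got = (Get-ItemProperty -Path $e.Key -Name $e.Value -ErrorAction SilentlyContinue).($e.Value)
    $gotText = $got -join ','   # REG_MULTI_SZ is returned as a string array
    if ($null -eq $got -or $gotText -ne [string]$e.Want) {
        $problems += "$($e.Value): expected '$($e.Want)', found '$gotText'"
    }
}

# ImagePath must resolve to the copy in System32\drivers, not some other location.
$image = (Get-ItemProperty -Path $svc -Name ImagePath -ErrorAction SilentlyContinue).ImagePath
if ($image -notlike "*\System32\drivers\$name.sys") { $problems += "ImagePath is '$image'" }

# The installed binary must be byte-identical to the build output that was copied.
if ((Test-Path $installed) -and (Test-Path $BuildPath)) {
    $a = (Get-FileHash -Path $installed -Algorithm SHA256).Hash
    $b = (Get-FileHash -Path $BuildPath -Algorithm SHA256).Hash
    if ($a -ne $b) { $problems += "Installed .sys ($a) differs from build output ($b)" }
} else { $problems += "Missing file: '$installed' or '$BuildPath'" }

# fltmc must list the filter at the documented altitude.
if (-not ((fltmc) -match "^$name\s+\d+\s+47777\s")) { $problems += 'Filter not listed by fltmc at altitude 47777' }

if ($problems) { $problems | ForEach-Object { Write-Warning $_ }; exit 1 }
Write-Output "${name}: configuration matches the documented values"
```

A non-zero exit code means at least one value differs from this page; the warnings name each mismatch.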
