Windows procmon

The Process Monitor (also known as procmon) is part of Microsoft's Sysinternals Suite and a well-known tool for troubleshooting a Windows system. In this blog post, I present how to reduce the altitude of procmon in the filter driver stack.

You may ask yourself: what is this altitude you are speaking about, and why should I want to reduce it? Well, after you have downloaded and successfully started procmon, run fltmc instances in an elevated cmd or PowerShell. The output of this command lists the minifilter drivers that are active on your operating system, together with the altitude and the volume each instance is attached to. You can see that by starting the procmon executable, the PROCMON24 minifilter driver was loaded. This minifilter driver is required so that procmon can intercept IO operations and log them.

Procmon is not the only application that relies on a filter driver. For example, anti-virus software uses minifilter drivers to intercept and block IO operations, and other applications use filter drivers for their own purposes. This is where the altitude of a minifilter driver comes into play. Every filter driver is assigned a unique altitude value that describes its relative position in the stack towards the file system: the lower the altitude of a filter driver, the nearer it is to the file system. Because the filter manager calls the filters in descending altitude order, a filter with a higher altitude sees an IO request before the filters below it, and a filter with a lower altitude only sees what the filters above it let through. The Microsoft documentation defines the different load order groups for filter drivers and also lists the unique altitude values that have been assigned to filter drivers ( ).
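To make the altitude ordering tangible, here is an added PowerShell example (not code from the original post) that parses the output of fltmc filters, ranks the loaded minifilters by altitude and reports how many filters sit between PROCMON24 and the file system. The function and parameter names are my own, and the embedded sample output is constructed, not captured from a real machine, so the parser can be tried without an elevated shell; against a live system it needs an elevated PowerShell and a running procmon, because fltmc refuses to enumerate filters otherwise.

```powershell
# Added example, not part of the original post.
# Parses "fltmc filters" output and ranks minifilters by altitude.
# Column layout is matched by regex rather than fixed offsets, because the
# exact spacing of fltmc's output differs between Windows versions.

function Get-MinifilterAltitudes {
    param(
        # Raw "fltmc filters" output; defaults to running the tool (needs elevation).
        [string[]]$FltmcOutput = (& fltmc.exe filters 2>&1)
    )

    $rows = foreach ($line in $FltmcOutput) {
        # Data rows: name, instance count, altitude (may be fractional, e.g. 385200.5),
        # frame (a number, or "<Legacy>" for legacy filters). Header and dashed
        # separator lines do not match because their second column is not numeric.
        if ($line -match '^\s*(?<Name>\S+)\s+(?<Instances>\d+)\s+(?<Altitude>\d+(?:\.\d+)?)\s+(?<Frame>\S+)\s*$') {
            [pscustomobject]@{
                Filter    = $Matches.Name
                Instances = [int]$Matches.Instances
                Altitude  = [double]$Matches.Altitude
                Frame     = $Matches.Frame
            }
        }
    }

    if (-not $rows) {
        Write-Warning 'No filters parsed. fltmc must be run from an elevated shell.'
        return
    }
    # Lowest altitude first: the first row is nearest the file system,
    # the last row is the filter that sees each IO request first.
    $rows | Sort-Object Altitude
}

function Show-FilterPosition {
    param(
        [string]$Filter = 'PROCMON24',
        [object[]]$Ranked = (Get-MinifilterAltitudes)
    )

    $target = $Ranked | Where-Object Filter -eq $Filter
    if (-not $target) {
        Write-Warning "$Filter is not loaded. Start procmon first."
        return
    }
    $below = @($Ranked | Where-Object { $_.Altitude -lt $target.Altitude })
    $above = @($Ranked | Where-Object { $_.Altitude -gt $target.Altitude })

    '{0} is at altitude {1}: {2} filter(s) between it and the file system, {3} filter(s) above it that see IO first.' -f `
        $Filter, $target.Altitude, $below.Count, $above.Count
    'Filters between {0} and the file system (nearest first):' -f $Filter
    $below | Format-Table Filter, Altitude, Instances, Frame -AutoSize | Out-String
}

# Constructed sample of "fltmc filters" output (not captured from a real machine),
# used here so the parser can be exercised without elevation.
$SampleFltmcOutput = @'
Filter Name                     Num Instances    Altitude    Frame
------------------------------  -------------  ------------  -----
bindflt                                 1       409800         0
PROCMON24                               3       385200         0
WdFilter                                3       328010         0
storqosflt                              0       244000         0
wcifs                                   0       189900         0
FileInfo                                3        45000         0
'@ -split "`r?`n"

# Offline run against the constructed sample:
Show-FilterPosition -Filter 'PROCMON24' -Ranked (Get-MinifilterAltitudes -FltmcOutput $SampleFltmcOutput)

# Live run (elevated PowerShell, procmon running):
# Show-FilterPosition
```

Running the live variant before and after changing procmon's altitude is a quick way to confirm that PROCMON24 really moved relative to the other filters, in particular relative to any anti-virus filter whose decisions you want to observe from below rather than from above.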