Filesystem filter drivers sit between the Windows I/O manager and the filesystem, intercepting and potentially modifying I/O requests. They're commonly used by antivirus software, backup solutions, and encryption tools. Knowing which drivers are loaded is crucial for troubleshooting performance issues or system conflicts.
The fastest way to view loaded filter drivers is using the fltmc utility (Filter Manager Control) included with Windows:
C:\>fltmc
Filter Name                     Num Instances    Altitude    Frame
------------------------------  -------------  ------------  -----
luafv                                   1         135000         0
FileInfo                                6          45000         0
WdFilter                                3         328010         0
This shows the driver name, number of instances, altitude (load order position), and frame information. The altitude value is particularly important as it determines the driver's position in the filter stack.
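To make the altitude column easier to read, the following added example (not part of the original page) parses fltmc filter output, maps each altitude to its Microsoft load order group, and goes one step further by warning when a filter from an expected baseline is not loaded. The function name ConvertFrom-FltmcText and the baseline list are hypothetical, the group table is only a subset of the documented ranges, and PowerShell 3.0 or later is assumed.

```powershell
# Constructed sample: the fltmc output shown above, embedded so this runs offline.
$sample = @'
Filter Name                     Num Instances    Altitude    Frame
------------------------------  -------------  ------------  -----
luafv                                   1         135000         0
FileInfo                                6          45000         0
WdFilter                                3         328010         0
'@

# Assumption: hypothetical baseline of filters expected on this host.
$baseline = 'luafv', 'FileInfo', 'WdFilter'

# Subset of the altitude ranges Microsoft assigns to load order groups.
$groups = @(
    [pscustomobject]@{ Low = 320000; High = 329999; Name = 'FSFilter Anti-Virus' }
    [pscustomobject]@{ Low = 140000; High = 149999; Name = 'FSFilter Encryption' }
    [pscustomobject]@{ Low = 130000; High = 139999; Name = 'FSFilter Virtualization' }
    [pscustomobject]@{ Low = 40000;  High = 49999;  Name = 'FSFilter Bottom' }
)

function ConvertFrom-FltmcText {
    param([string[]]$Lines)
    foreach ($line in $Lines) {
        # Data rows only: name, instance count, altitude (may be fractional), frame.
        # Header, separator and rows without a numeric altitude are skipped.
        if ($line -match '^\s*(\S+)\s+(\d+)\s+(\d+(?:\.\d+)?)\s+(\d+)\s*$') {
            $alt = [double]$Matches[3]
            $grp = $groups | Where-Object { $alt -ge $_.Low -and $alt -le $_.High }
            [pscustomobject]@{
                Name      = $Matches[1]
                Instances = [int]$Matches[2]
                Altitude  = $alt
                Group     = if ($grp) { $grp.Name } else { 'unmapped' }
                Expected  = $baseline -contains $Matches[1]
            }
        }
    }
}

# On a live system (elevated prompt), use instead: $text = fltmc filters
$text = $sample -split "`r?`n"
$loaded = ConvertFrom-FltmcText -Lines $text | Sort-Object Altitude -Descending
$loaded | Format-Table -AutoSize

# Baseline entries that are not loaded, e.g. a security filter that was unloaded.
$baseline | Where-Object { $loaded.Name -notcontains $_ } |
    ForEach-Object { Write-Warning "Expected filter not loaded: $_" }
```

Rows whose Expected column is False are filters outside the baseline and deserve a closer look at their altitude group and driver file.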
For more detailed information, PowerShell provides additional flexibility:
PS C:\> Get-WmiObject -Query "SELECT * FROM Win32_SystemDriver WHERE State='Running'" | Where-Object { $_.PathName -like '*\Drivers\*.sys' } | Select-Object Name,DisplayName,PathName
To get specific information about a particular filter driver, use:
C:\>fltmc instances -f WdFilter
Instances for filter WdFilter:

Volume Name                             Altitude      Instance Name         Frame  VlStatus
--------------------------------------  ------------  --------------------  -----  --------
C:                                      328010        WdFilter Instance     0      0
D:                                      328010        WdFilter Instance     0      0
Some typical filter drivers you might encounter include:
- luafv: UAC file virtualization driver
- FileInfo: File system minifilter for file information
- WdFilter: Windows Defender filter driver
- SRTSP: Symantec real-time scanning protection
If you suspect filter driver conflicts, check the System Event Log for filter-related errors. You can also temporarily unload a filter driver for testing (requires administrator privileges):
C:\>fltmc unload WdFilter
Note: Unloading critical system drivers may cause system instability. Only do this in test environments.
For developers needing deeper inspection, the DeviceTree utility from OSR Online shows the complete driver stack:
C:\>devicetree.exe -stack
This visual tool displays the complete hierarchy of drivers attached to each volume.
For Windows Server 2008 administrators needing to inspect loaded filesystem filter drivers, here are three effective approaches:
1. Using fltmc.exe (Filter Manager Control):
C:\> fltmc instances
This will display output like:
Filter Volume Name Altitude Instance Name
------------------------------ ------------ ------------------------------
luafv 38900 luafv
WdFilter 328010 WdFilter Instance
2. Using PowerShell with WMI, for more detailed information:
Get-WmiObject -Class Win32_SystemDriver |
Where-Object {$_.PathName -like "*\filters\*"} |
Select-Object Name, State, PathName
3. Using NirSoft's DriverView utility, a comprehensive GUI solution that provides:
- Complete driver list with load addresses
- Filter driver identification
- Digital signature verification
When investigating a performance issue, I used this command sequence:
fltmc filters > filters.txt
fltmc instances > instances.txt
driverquery /v /fo csv > drivers.csv
This combination revealed an outdated antivirus filter driver causing I/O latency.
For persistent filter drivers, check this registry location:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E967-E325-11CE-BFC1-08002BE10318}
Remember that changes to filter drivers should only be made by experienced administrators as they affect system stability.