casally.blogg.se

Process monitor registry changes
Process Monitor is a great tool when it comes to troubleshooting applications. But what does ProcMon actually show you? Process Monitor displays all the activity that happens on the system. The activity is composed of file system changes, registry changes and processes/threads. However, there might be cases where Process Monitor cannot show all the threads, or the information shown might be misleading. Let's understand why and how you can change this.

First of all, let's understand what is happening when you open up Process Monitor. For a normal user, the window appears and this starts to record everything that happens on the system. However, in the background, Process Monitor loads a Filter Driver. If we open up PowerShell as an Administrator and type fltmc, we can see all the filter drivers present on the machine:

As you can see, the PROCMON24 filter driver is almost at the top, with an altitude of 385200. But before we get to the altitude, let's try to understand what filter drivers are.

A filter driver is a kernel-mode component which runs as part of the Windows executive. For example, a file system filter driver can filter the I/O operations for the file system volumes, and depending on how that filter is designed it can either log the operations, observe the operations or completely block file operations. So if you think of it, this is how most antivirus utilities work. When you double click a file and you have an antivirus installed, the filter driver of the antivirus loads the file, reads it, checks for any malicious code and then releases it for execution. These operations must be performed by the antivirus software before the file is executed, otherwise it doesn't make sense to let a virus run and then tell the user "heeeeey uhhhmmm yeah soooo it's kinda bad you have a virus in your system now". Now, it doesn't mean that you can go, create a virus, put a higher elevation on the filter driver and TADA, you have a potent virus. Each filter driver must have a unique altitude identifier, and the altitude allocation is managed by Microsoft. So if you want different altitudes, you must ask Microsoft about it.

Now that we know what filter drivers are, let's understand what the altitude is. As previously mentioned, every filter driver must have a unique altitude identifier, and Windows uses a dedicated set of load order groups that are loaded at system startup. Now, there is a whole list of load order groups and altitude ranges on Microsoft's website, but what you need to understand is that the higher the altitude of your filter driver, the more operations you can catch.
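As an added example (not from the original post), here is a small Python helper that parses the table `fltmc` prints, orders the loaded filters from the top of the I/O stack downwards by altitude, maps an altitude to its load order group, and flags filters that are not in a known-good baseline. The `fltmc` output below is a constructed sample, and the few altitude ranges listed are assumed from Microsoft's published load order group table; check them against the current documentation before relying on them.

```python
import re
from dataclasses import dataclass

# Constructed sample of `fltmc filters` output (not captured from a real machine).
SAMPLE_FLTMC_OUTPUT = """\
Filter Name                     Num Instances    Altitude    Frame
------------------------------  -------------  ------------  -----
PROCMON24                               4       385200         0
WdFilter                                4       328010         0
luafv                                   1       135000         0
FileInfo                                4        45000         0
"""

# A few load order group ranges, assumed from Microsoft's published table.
# Verify against the current documentation; this list is not exhaustive.
LOAD_ORDER_GROUPS = [
    ("FSFilter Activity Monitor", 360000, 389999),
    ("FSFilter Anti-Virus", 320000, 329999),
    ("FSFilter Virtualization", 130000, 139999),
    ("FSFilter Bottom", 40000, 49999),
]

@dataclass
class FilterEntry:
    name: str
    instances: int
    altitude: float
    frame: int

def parse_fltmc(text):
    """Parse the data rows of `fltmc filters`; header and separator lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = re.match(r"^(\S+)\s+(\d+)\s+([\d.]+)\s+(\d+)\s*$", line)
        if m:
            entries.append(FilterEntry(m.group(1), int(m.group(2)),
                                       float(m.group(3)), int(m.group(4))))
    return entries

def group_for(altitude):
    """Name the load order group an altitude falls in, or 'unknown/other'."""
    for name, lo, hi in LOAD_ORDER_GROUPS:
        if lo <= altitude <= hi:
            return name
    return "unknown/other"

def stack_order(entries):
    """Filters from the top of the I/O stack downwards: highest altitude sees I/O first."""
    return sorted(entries, key=lambda e: e.altitude, reverse=True)

def unexpected_filters(entries, baseline_names):
    """Loaded filters missing from a known-good baseline, for a quick hygiene check."""
    return [e.name for e in entries if e.name not in baseline_names]
```

Running `stack_order` on the sample puts PROCMON24 first, which is exactly why Process Monitor sees an operation before the lower-altitude filters do.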