Blocking legacy file system filter drivers
Starting in Windows 10, version 1607, administrators and driver developers can use a registry setting to block legacy file system filter drivers. Legacy file system filter drivers are drivers that attach to the file system stack directly and don't use Filter Manager. This topic describes the registry setting for blocking and unblocking legacy file system filter drivers. It also describes the event entered into the System event log when a legacy file system filter is blocked and how to check if the OS has legacy file system drivers running.
How to block legacy drivers
Use the IoBlockLegacyFsFilters registry key to specify if the system blocks legacy file system filter drivers. When blocked, all legacy file system filter drivers are blocked from loading. For the registry changes to take effect, perform a system restart.
The registry key must be created under the following registry path:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\I/O System
The valid DWORD values for the IoBlockLegacyFsFilters key are as follows:
|1||Legacy file system filter drivers are blocked from loading or attaching to storage volumes.|
|0||Legacy file system filter drivers are not blocked. In this release, this is the default behavior.|
This is what the key looks like in Registry Editor:
Example: when a legacy driver is blocked from loading
An Error event is logged to the System event log when a legacy file system filter driver is blocked from loading, as shown here:
|Date||12/29/2015 2:55:05 PM|
|Description||Windows is configured to block legacy file system filters. Filter name: \Driver\sfilter|
How to check if legacy drivers are running
If you're unsure which filters are legacy file system filter drivers or want to make sure that they're not running, you can perform the following:
To check if legacy file system filter drivers are running
- Open an elevated Command Prompt by right-clicking a cmd.exe icon and clicking Run as administrator.
- Look for legacy drivers, they're the ones with a Frame value of <Legacy>.
In this example, the legacy file system filter drivers, named AVLegacy and EncryptionLegacy, are marked with the <Legacy> Frame value. The file system driver named AVMiniFilter does not have the <Legacy> Frame value because it is a minifilter driver (it does not attach to the file system stack directly and uses Filter Manager).
C:\Windows\system32>fltmc filters Filter Name Num Instances Altitude Frame ------------------------------ ------------- ------------ ----- AVLegacy 389998.99 <Legacy> EncryptionLegacy 149998.99 <Legacy> AVMiniFilter 3 328000 0
If you see that legacy drivers are still running after you block legacy file system filter drivers, make sure you reboot the system after setting the IoBlockLegacyFsFilters registry key. The setting will not take effect until after a reboot.
If your system has legacy file system filter drivers, work with the respective ISVs to get the Minifilter version of the file system driver. For info about porting legacy file system filter drivers to minifilter drivers that use the Filter Manager model, see Guidelines for Porting Legacy Filter Drivers.
We’d love to hear your thoughts. Choose the type you’d like to provide:
Our feedback system is built on GitHub Issues. Read more on our blog.