Creating an INF file for a minifilter driver
Introduction
Note
Starting in Windows 10 version 1903, INF requirements for primitive drivers (such as file system minifilter drivers) changed. See Creating a new primitive driver for details.
Filter drivers need an INF file to be installed on the Windows operating system. You'll find sample INF files in the minifilter samples.
An INF file for a file system filter driver generally contains the following sections:
| Section | Notes |
|---|---|
| Version | Required |
| DestinationDirs | Optional but recommended |
| DefaultInstall | Required |
| DefaultInstall.Services | Required |
| ServiceInstall | Required |
| AddRegistry | Required |
| Strings | Required |
Note
Starting with Windows 10 version 1903, the DefaultUninstall and DefaultUninstall.Services sections are prohibited, (with exception). These sections were optional in prior OS versions.
All drivers running on 64-bit versions of Windows systems must be signed before Windows will load them. See Signing a driver for more information.
Version Section (required)
The Version section specifies a class and GUID that are determined by the type of minifilter driver, as shown in the following code example.
[Version]
Signature = "$WINDOWS NT$"
Class = "ActivityMonitor"
ClassGuid = {b86dff51-a31e-4bac-b3cf-e8cfe75c9fc2}
Provider = %Msft%
DriverVer = 10/09/2001,1.0.0.0
CatalogFile =
PnpLockdown = 1
The following table shows the values that file system minifilter drivers should specify in the Version section.
| Entry | Value |
|---|---|
| Signature | "$WINDOWS NT$" |
| Class | See File System Filter Driver Classes and Class GUIDs. |
| ClassGuid | See File System Filter Driver Classes and Class GUIDs. |
| Provider | In your own INF file, you should specify a provider other than Microsoft. |
| DriverVer | See INF DriverVer directive. |
| CatalogFile | For antivirus minifilter drivers that are signed, this entry contains the name of a WHQL-supplied catalog file. All other minifilter drivers should leave this entry blank. For more information, see the description of the CatalogFile entry in INF Version Section |
DestinationDirs Section (optional but recommended)
The DestinationDirs section specifies the directories where minifilter driver and application files will be copied.
In this section and in the ServiceInstall section, you can specify well-known system directories by system-defined numeric values. For a list of these values, see INF DestinationDirs Section. In the following code example, the value 12 refers to the Drivers directory (%windir%\system32\drivers), and the value 10 refers to the Windows directory (%windir%).
[DestinationDirs]
DefaultDestDir = 12
Minispy.DriverFiles = 12
Minispy.UserFiles = 10,FltMgr
DefaultInstall Section (required)
In the DefaultInstall section, a CopyFiles directive copies the minifilter driver's driver files and user-application files to the destinations that are specified in the DestinationDirs section.
Note
The CopyFiles directive should not refer to the catalog file or the INF file itself. SetupAPI copies these files automatically.
You can create a single INF file to install your driver on multiple versions of the Windows operating systems. You can create this type of INF file by creating additional DefaultInstall and DefaultInstall.Services sections for each operating system version. Each section is labeled with a decoration (for example, .ntx86, .ntia64, or .nt) that specifies the operating system version to which it applies. For more information about creating this type of INF file, see Creating INF Files for Multiple Platforms and Operating Systems.
The following code example shows a typical DefaultInstall section.
[DefaultInstall.NTamd64]
OptionDesc = %MinispyServiceDesc%
CopyFiles = Minispy.DriverFiles, Minispy.UserFiles
DefaultInstall.Services Section (required)
The DefaultInstall.Services section contains an AddService directive that controls how and when the services of a particular driver are loaded, as shown in the following code example.
[DefaultInstall.NTamd64.Services]
AddService = %MinispyServiceName%,,Minispy.Service
ServiceInstall Section (required)
The ServiceInstall section contains information used for loading the driver service. In the MiniSpy sample driver, this section is named "Minispy.Service", as shown in the following code example. The name of the ServiceInstall section must appear in an AddService directive in the DefaultInstall.Services section.
[Minispy.Service]
DisplayName = %MinispyServiceName%
Description = %MinispyServiceDesc%
ServiceBinary = %12%\minispy.sys
ServiceType = 2 ; SERVICE_FILE_SYSTEM_DRIVER
StartType = 3 ; SERVICE_DEMAND_START
ErrorControl = 1 ; SERVICE_ERROR_NORMAL%
LoadOrderGroup = "FSFilter Activity Monitor"
AddReg = Minispy.AddRegistry
Dependencies = FltMgr
The ServiceType entry specifies the type of service. Minifilter drivers should specify a value of 2 (SERVICE_FILE_SYSTEM_DRIVER). For more information about the ServiceType entry, see INF AddService Directive.
The StartType entry specifies when to start the service. The following table lists the possible values for StartType and their corresponding start types.
| Value | Description |
|---|---|
| 0x00000000 | SERVICE_BOOT_START |
| 0x00000001 | SERVICE_SYSTEM_START |
| 0x00000002 | SERVICE_AUTO_START |
| 0x00000003 | SERVICE_DEMAND_START |
| 0x00000004 | SERVICE_DISABLED |
For more information about these start types, see "Driver Start Types" in What Determines When a Driver Is Loaded.
The LoadOrderGroup entry provides the filter manager with information that it needs to ensure interoperability between minifilter drivers and legacy file system filter drivers. You should specify a LoadOrderGroup value that is appropriate for the type of minifilter driver that you are developing. To choose a load order group, see Load Order Groups and Altitudes for Minifilter Drivers.
Note that you must specify a LoadOrderGroup value, even if your minifilter driver's start type is not SERVICE_BOOT_START. In this way, minifilter drivers are different from legacy file system filter drivers.
Note
The filter manager's StartType value is SERVICE_BOOT_START, and its LoadOrderGroup value is FSFilter Infrastructure. These values ensure that the filter manager is always loaded before any minifilter drivers are loaded.
For more information about how the StartType and LoadOrderGroup entries determine when the driver is loaded, see What Determines When a Driver Is Loaded.
For minifilter drivers, unlike legacy file system filter drivers, the StartType and LoadOrderGroup values do not determine where the minifilter driver attaches in the minifilter instance stack. This location is determined by the altitude that is specified for the minifilter instance.
The ErrorControl entry specifies the action to be taken if the service fails to start during system startup. Minifilter drivers should specify a value of 1 (SERVICE_ERROR_NORMAL). For more information about the ErrorControl entry, see INF AddService Directive.
The AddReg directive refers to one or more INF writer-defined AddRegistry sections that contain information to be stored in the registry for the newly installed service. Minifilter drivers use AddRegistry sections to define minifilter driver instances and to specify a default instance.
The Dependencies entry specifies the names of any services or load order groups on which the driver depends. All minifilter drivers must specify FltMgr, which is the service name of the filter manager.
AddRegistry Section (required)
The AddRegistry section adds keys and values to the registry. Minifilter drivers use an AddRegistry section to define minifilter instances and to specify a default instance. This information is used whenever the filter manager creates a new instance for the minifilter driver.
In the MiniSpy sample driver, the following AddRegistry section, together with the %strkey% token definitions in the Strings section, defines three instances, one of which is named as the MiniSpy sample driver's default instance.
[Minispy.AddRegistry]
HKR,%RegInstancesSubkeyName%,%RegDefaultInstanceValueName%,0x00000000,%DefaultInstance%
HKR,%RegInstancesSubkeyName%"\"%Instance1.Name%,%RegAltitudeValueName%,0x00000000,%Instance1.Altitude%
HKR,%RegInstancesSubkeyName%"\"%Instance1.Name%,%RegFlagsValueName%,0x00010001,%Instance1.Flags%
HKR,%RegInstancesSubkeyName%"\"%Instance2.Name%,%RegAltitudeValueName%,0x00000000,%Instance2.Altitude%
HKR,%RegInstancesSubkeyName%"\"%Instance2.Name%,%RegFlagsValueName%,0x00010001,%Instance2.Flags%
HKR,%RegInstancesSubkeyName%"\"%Instance3.Name%,%RegAltitudeValueName%,0x00000000,%Instance3.Altitude%
HKR,%RegInstancesSubkeyName%"\"%Instance3.Name%,%RegFlagsValueName%,0x00010001,%Instance3.Flags%
Strings Section (required)
The Strings section defines each %strkey% token that is used in the INF file.
You can create a single international INF file by creating additional locale-specific Strings.LanguageID sections in the INF file. For more information about international INF files, see Creating International INF Files.
The following code example shows a typical Strings section.
[Strings]
Msft = "Microsoft Corporation"
MinispyServiceDesc = "Minispy mini-filter driver"
MinispyServiceName = "Minispy"
RegInstancesSubkeyName = "Instances"
RegDefaultInstanceValueName = "DefaultInstance"
RegAltitudeValueName = "Altitude"
RegFlagsValueName = "Flags"
DefaultInstance = "Minispy - Top Instance"
Instance1.Name = "Minispy - Middle Instance"
Instance1.Altitude = "370000"
Instance1.Flags = 0x1 ; Suppress automatic attachments
Instance2.Name = "Minispy - Bottom Instance"
Instance2.Altitude = "365000"
Instance2.Flags = 0x1 ; Suppress automatic attachments
Instance3.Name = "Minispy - Top Instance"
Instance3.Altitude = "385000"
Instance3.Flags = 0x1 ; Suppress automatic attachments
DefaultUninstall and DefaultUninstall.Services sections
Note
The DefaultUninstall and DefaultUninstall.Services sections are prohibited (with exception) starting with Windows 10 version 1903.
In Windows 10 prior to version 1903, the DefaultUninstall and DefaultUninstall.Services sections were optional but recommended if the driver could be uninstalled:
- DefaultUninstall contained DelFiles and DelReg directives to remove files and registry entries.
- DefaultUninstall.Services contained DelService directives to remove the minifilter driver's services. The DelService directive always specified the SPSVCINST_STOPSERVICE flag (0x00000200) to stop the service before it was deleted.
The following example shows typical DefaultUninstall and DefaultUninstall.Services sections prior to Windows 10, version 1903.
[DefaultUninstall.NTamd64]
DelFiles = Minispy.DriverFiles, Minispy.UserFiles
DelReg = Minispy.DelRegistry
[DefaultUninstall.NTamd64.Services]
DelService = Minispy,0x200
Feedback
Coming soon: Throughout 2024 we will be phasing out GitHub Issues as the feedback mechanism for content and replacing it with a new feedback system. For more information see: https://aka.ms/ContentUserFeedback.
Submit and view feedback for