Overview of Early Launch AntiMalware

This section provides information about developing Early Launch Antimalware (ELAM) drivers for Windows operating systems. It provides guidelines for antimalware developers to develop drivers that are initialized before other boot-start drivers, and that ensure that subsequent drivers do not contain malware. It assumes that the reader is familiar with developing kernel-mode drivers, specifically boot-start drivers.

This information applies to the following operating systems:

  • Windows 11
  • Windows 10
  • Windows 8.1
  • Windows 8
  • Windows Server 2019
  • Windows Server 2016
  • Windows Server 2012 R2
  • Windows Server 2012

The following topics describe the interface requirements for Early Launch Antimalware (ELAM) drivers. They are intended to provide information about ELAM driver interfaces. The ELAM feature provides a Microsoft-supported mechanism for antimalware (AM) software to start before other third-party components. AM drivers are initialized first and allowed to control the initialization of subsequent boot drivers, potentially not initializing unknown boot drivers. Once the boot process has initialized boot drivers and access to persistent storage is available in an efficient way, existing AM software may continue to block malware from executing.

ELAM Prerequisites

ELAM Driver Requirements


Because an ELAM service runs as a PPL (Protected Process Light), you need to debug using a kernel debugger.

See also

Protecting Anti-Malware Services.