This repository contains a simple Windows minifilter kernel driver that intercepts file create (IRP_MJ_CREATE) operations to block the launch of a specific executable or the opening of a specific file. The solution was written to accompany the Apriorit blog article "How to Develop a Windows File System Minifilter Driver: Complete Tutorial".
The project illustrates how to:
- Register a minifilter driver.
- Intercept file operations.
- Filter calls selectively.
- Deny access to prevent process creation or file opening.
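As an added example (not code from this repository), the decision a pre-create callback makes before denying the request, written as plain user-mode C so it builds and runs without the WDK; the two blocked names mirror the README's variables, while the function names and the rule that both names are compared against the final path component of every create are this example's own assumptions.

```c
// Added example: the name-matching decision behind a pre-create
// (IRP_MJ_CREATE) callback. In the driver this runs inside the
// FLT_PRE_OPERATION_CALLBACK on the path returned by
// FltGetFileNameInformation; here it is plain C so it compiles anywhere.
// Function names are this example's own, not the project's.
#include <stddef.h>
#include <wchar.h>
#include <wctype.h>

/* Same variable names as the README; values are the README's examples. */
static const wchar_t *unauthorizedFileName    = L"passwords.exe";
static const wchar_t *unauthorizedProcessName = L"msedge.exe";

/* NTFS names are case-preserving but not case-sensitive, so
   "PASSWORDS.EXE" must be treated the same as "passwords.exe". */
static int wcs_equal_nocase(const wchar_t *a, const wchar_t *b)
{
    for (; *a && *b; ++a, ++b) {
        if (towlower((wint_t)*a) != towlower((wint_t)*b)) return 0;
    }
    return *a == L'\0' && *b == L'\0';
}

/* Final component of an NT-style path such as
   "\Device\HarddiskVolume2\Users\bob\passwords.exe". */
const wchar_t *final_component(const wchar_t *path)
{
    const wchar_t *last = wcsrchr(path, L'\\');
    return last ? last + 1 : path;
}

/* Selective filtering: 1 = complete the IRP with STATUS_ACCESS_DENIED,
   0 = let it through (FLT_PREOP_SUCCESS_NO_CALLBACK). Only the file's own
   name is inspected, so "passwords.exe.bak" or a file living inside a
   directory called "passwords.exe" is not blocked. */
int should_deny_create(const wchar_t *ntPath)
{
    const wchar_t *name = final_component(ntPath);
    if (*name == L'\0') return 0;   /* directory or volume root open */
    return wcs_equal_nocase(name, unauthorizedFileName) ||
           wcs_equal_nocase(name, unauthorizedProcessName);
}
```

In the driver, request the name with FLT_FILE_NAME_NORMALIZED so that 8.3 short names are expanded before this comparison runs; otherwise an open by short name would not match the long name being checked.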
Prerequisites:
- Visual Studio 2019 or higher
- Windows Driver Kit (WDK)
- A test VM with Windows in Test Mode (or with code signing properly set up)

Build:
- Clone the repository
- Open the project in Visual Studio
- Build the solution
- Sign the driver (optional / Test Mode)

Install and uninstall:
- Copy the driver binaries to your test VM: `fsminifilter.cat`, `FsMinifilter.sys`, `FsMinifilter.inf`
- Install the service: right-click `FsMinifilter.inf` and choose the "Install" option
- Start the service from CMD: `sc start FsMinifilter`
- Stop the service from CMD: `sc stop FsMinifilter`
- Uninstall the service from CMD: `pnputil /delete-driver "FsMinifilter.inf" /uninstall /force`
- Manually delete the copied files from your test VM: `fsminifilter.cat`, `FsMinifilter.sys`, `FsMinifilter.inf`

Usage:
- Edit the target process and target file: in `FsMinifilter.cpp`, update the variables `unauthorizedFileName` and `unauthorizedProcessName` with the names of the file and process you want to block (e.g., `passwords.exe` and `msedge.exe`).
- Rebuild the solution
- Install the driver on the test VM
- Attempt to launch the specified executable or file