Question on WFP callout driver...

Hello,

I have a WFP callout driver that intercepts inbound/outbound network connections. The interception works only if the user-mode BFE service is running.

I went through the WFP architecture diagram at https://docs.microsoft.com/en-us/windows/desktop/fwp/windows-filtering-platform-architecture-overview. I couldn’t find anything obvious that would explain the dependency on the BFE service.

I see that my driver callbacks (inbound/outbound connect) are called by the KM filter engine implemented by netio.sys.

Is it possible to implement a functional WFP callout driver that can function even if the user-mode BFE service is disabled/stopped? Would using FWPM_FILTER_FLAG_BOOTTIME help? The documentation says that boot filters are disabled once BFE comes up. If BFE never comes up or is stopped later, would the boot filters continue to work?

Any pointers?

Thanks.
-Prasad