How to stop a running FS Filter driver and remove device?

Hi everyone, I’m very new to the OSR community but have really enjoyed reading up on the lists. The DeviceTree software is really cool.

This is probably a pretty easy question to answer for someone that is experienced with FS filter drivers. I am trying to script the removal of a filter driver and device.

Some background… this driver is running on Windows 7/8/10 x64. The vendor that created the driver has not been helpful in fulfilling my request for a removal tool. Unfortunately their MSIEXEC uninstall is buggy and only works about half the time you run it… They want us to upgrade to their newest version that doesn’t have the bug we are encountering during uninstallation. We aren’t interested in continuing use of this software so an upgrade seems frivolous… Their only suggestion has been to reimage the computers without the software that includes the FS filter device… That’s out of the question because it is on 1000+ computers…

Basically, their official uninstaller does an API callback to one of their servers and verifies the machine’s eligibility to uninstall (…1) does the MAC address of the primary network adapter exist in their database …2) does the password you entered for uninstallation match what is set on their server)… If you are eligible it runs an MSI uninstallation and disables the FS filter device, removes the driver file, service files, configuration, and restarts… The bug that is keeping us from doing a normal bulk removal (their way) is that the MSIEXEC freezes during the removal process (after checking eligibility) and requires us to restart a client computer up to 3 times to finish the uninstall.

I have been able to successfully remove the software and device/driver by mounting the Windows file system and manually removing the driver file under System32/Drivers and also removing all of the actual program files/services. I have not been able to do this live. The FS filter driver that is running is protecting those program files, a registry key, and the actual .sys file under System32…

I have gone through what normal Google searches have put me through… I’ve tried showing hidden devices in devmgmt but nothing is showing in terms of FS filter drivers. I’ve tried devcon but it doesn’t list anything related to the FS filter driver… I’ve tried doing an uninstallation via rundll32.exe SETUPAPI.DLL, InstallHinfSection DefaultUninstall 132 C:\Program Files\MyProduct\MyMinifilter.inf but that hasn’t provided any results. The furthest I have gotten is getting the FS filter device to show in DeviceTree.

Is there a good way to script the disable of a FS filter device and then remove it?

Just an FYI, I have tried fltmc and attempting to unload or detach gives the error 0x801f0010 Do not detach the filter from the volume at this time.

>machine’s eligibility to uninstall

Well, this is really very funny.

Reverse-engineer their MSI file and do the same manually.

1 reboot will probably be a must.


Maxim S. Shatskih
Microsoft MVP on File System And Storage
xxxxx@storagecraft.com
http://www.storagecraft.com

Yeah, this is still pretty comical to me too : )

I’ve done some basic reverse engineering of their MSI… They are using custom actions to perform the removal… First step is the removal of the service, second step is the removal of the minifilter. Both actions are done via an executable that is packaged in the MSI… I’ve extracted that and attempted to use it by running the same commands that they do during the MSI… I haven’t had any luck. The minifilter just doesn’t want to die.

They have some other custom actions that are loaded via DLL. Initial investigation makes me think it’s all of their custom uninstall eligibility craziness.

I’ll keep trying the reverse engineering route and see if I can come up with anything. The only thing I am afraid of is if the uninstall bug that is causing this headache is still present in the uninstall exe I found.

I can’t get their uninstallation method to work consistently. It looks like their minifilter doesn’t have an unload routine built in. Using FLTMC I get this error attempting to detach and/or unload:

0x801f0010 Do not detach the filter from the volume at this time.
0x801f0014 Do not detach the filter from the volume at this time.

Does anyone have any recommendations on how to unload an unloadable minifilter? Am I SoL?