Filter Monitor
Current Version: 1.1.0

Download Filter Monitor


This utility lists kernel-mode filters and can also unregister them. The monitored filters include, for instance, registry filters (callbacks installed with CmRegisterCallback) and process and thread creation notifications (routines installed with PsSetCreateProcessNotifyRoutine and PsSetCreateThreadNotifyRoutine). Filter Monitor comes in both x64 and x86 builds and should work on all Windows versions from Vista RTM to Windows 7 RTM. I can't guarantee that it will work on future versions of Windows, as it relies heavily on system internals: the structures in which the kernel stores these callbacks are undocumented and can change between builds.


As you probably all know, the System Service Descriptor Table (SSDT) has been a playground on x86 for all sorts of software: rootkits, anti-viruses, system monitors and so on. On x64 modifying the SSDT is no longer an option, at least not without defeating Kernel Patch Protection (PatchGuard), which periodically checks kernel structures such as the SSDT and bugchecks the machine when it finds them modified.

Programs therefore have to rely on the filtering and notification mechanisms that Microsoft provides for this purpose, and that is why I wrote this little utility, which monitors some key filters. The flip side is worth keeping in mind: since these callbacks are the only hook a monitoring product gets on x64, any kernel-mode code able to enumerate them is also able to unregister them, which is exactly what this tool does on request.
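To make concrete what "filters" means here, the following is an added example written for this page (it is not Filter Monitor's code nor its driver): a minimal WDM driver that installs the three kinds of filter named above, a registry callback and process and thread creation notifications, and removes them again on unload. The driver name, the DbgPrint messages and the protected value name FilterDemoProtected are assumptions made for the demo. It builds with the WDK for x86 or x64 and, like the author's driver, has to be signed or loaded with signature enforcement disabled.

```c
/* FilterDemo: minimal WDM driver registering the kernel filters discussed above.
 * Added example for this page, not Filter Monitor's code. Build with the WDK. */
#include <ntddk.h>

DRIVER_INITIALIZE DriverEntry;

static LARGE_INTEGER g_RegistryCookie;     /* handle returned by CmRegisterCallback */
static BOOLEAN g_RegistryHooked = FALSE;   /* which registrations succeeded */
static BOOLEAN g_ProcessHooked  = FALSE;
static BOOLEAN g_ThreadHooked   = FALSE;

/* Registry filter. The kernel calls this before and after every registry
 * operation; Argument1 says which one, Argument2 points to its parameters.
 * Assumed demo policy: veto writes to a value named "FilterDemoProtected"
 * (hypothetical name). A failure status returned from a Pre* notification is
 * handed back to the caller of NtSetValueKey, so the write never happens. */
static NTSTATUS RegistryCallback(PVOID Context, PVOID Argument1, PVOID Argument2)
{
    REG_NOTIFY_CLASS op = (REG_NOTIFY_CLASS)(ULONG_PTR)Argument1;
    UNREFERENCED_PARAMETER(Context);

    if (op == RegNtPreSetValueKey && Argument2 != NULL) {
        PREG_SET_VALUE_KEY_INFORMATION info = (PREG_SET_VALUE_KEY_INFORMATION)Argument2;
        UNICODE_STRING protectedName = RTL_CONSTANT_STRING(L"FilterDemoProtected");

        if (info->ValueName != NULL &&
            RtlEqualUnicodeString(info->ValueName, &protectedName, TRUE)) {
            DbgPrint("FilterDemo: blocked write to value %wZ\n", info->ValueName);
            return STATUS_ACCESS_DENIED;
        }
    }
    return STATUS_SUCCESS;               /* everything else proceeds untouched */
}

/* Process creation/exit notification. Create == FALSE means the process exited. */
static VOID ProcessNotify(HANDLE ParentId, HANDLE ProcessId, BOOLEAN Create)
{
    DbgPrint("FilterDemo: process %p %s (parent %p)\n",
             ProcessId, Create ? "created" : "exited", ParentId);
}

/* Thread creation/exit notification, delivered for every thread of every process. */
static VOID ThreadNotify(HANDLE ProcessId, HANDLE ThreadId, BOOLEAN Create)
{
    DbgPrint("FilterDemo: thread %p in process %p %s\n",
             ThreadId, ProcessId, Create ? "created" : "exited");
}

/* Undo every registration that succeeded. This must run before the image is
 * unmapped: the kernel keeps raw function pointers, and a stale entry left
 * behind bugchecks the machine the next time that event fires. A tool such as
 * Filter Monitor removes entries through these same Remove/UnRegister calls. */
static VOID FilterDemoUnload(PDRIVER_OBJECT DriverObject)
{
    UNREFERENCED_PARAMETER(DriverObject);
    if (g_ThreadHooked)   PsRemoveCreateThreadNotifyRoutine(ThreadNotify);
    if (g_ProcessHooked)  PsSetCreateProcessNotifyRoutine(ProcessNotify, TRUE);
    if (g_RegistryHooked) CmUnRegisterCallback(g_RegistryCookie);
    g_ThreadHooked = g_ProcessHooked = g_RegistryHooked = FALSE;
}

NTSTATUS DriverEntry(PDRIVER_OBJECT DriverObject, PUNICODE_STRING RegistryPath)
{
    NTSTATUS status;
    UNREFERENCED_PARAMETER(RegistryPath);
    DriverObject->DriverUnload = FilterDemoUnload;

    status = CmRegisterCallback(RegistryCallback, NULL, &g_RegistryCookie);
    if (!NT_SUCCESS(status)) return status;
    g_RegistryHooked = TRUE;

    /* The notify arrays are fixed-size: registration fails when one is full. */
    status = PsSetCreateProcessNotifyRoutine(ProcessNotify, FALSE);
    if (!NT_SUCCESS(status)) { FilterDemoUnload(DriverObject); return status; }
    g_ProcessHooked = TRUE;

    status = PsSetCreateThreadNotifyRoutine(ThreadNotify);
    if (!NT_SUCCESS(status)) { FilterDemoUnload(DriverObject); return status; }
    g_ThreadHooked = TRUE;

    DbgPrint("FilterDemo: filters installed\n");
    return STATUS_SUCCESS;
}
```

Once this driver is loaded, Filter Monitor should show its three entries alongside those of any anti-virus or monitoring product on the box. Note the asymmetry the example exposes: installing a callback requires nothing more than being kernel code, and so does removing one, which is why a registration that silently disappears from the list is a signal worth alarming on rather than a curiosity.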

Since I haven't signed the driver of my utility, you have to press F8 at boot time and select the "Disable Driver Signature Enforcement" option (on x64 editions, which enforce kernel-mode code signing). If you have a multi-boot menu like I do, you can take your time; otherwise you have to hammer F8 so as not to miss the right moment. Keep in mind that this option only applies to the current boot session: after the next reboot enforcement is back on and the driver will not load until you repeat the procedure.

