Device Filter lets you monitor all I/O request packets (IRPs) and fast I/O requests on your system and capture the input and output data of each request. It shows all kernel-mode drivers installed on your Windows NT/2000/XP/2003 system and the device objects created by these drivers. It also lets you hook any of these devices (no more than 10 simultaneously by default) and monitor all requests to the selected devices that are delivered to their dispatch table. Please note that it hooks only the selected device, not any device that may be attached above it. This approach lets you see the IRP path down the device stack, for example to check whether a request was blocked by an upper-level filter. All request input and output data is converted into request-associated structures or represented as a hexadecimal data dump.
|Windows NT 4.0||Windows XP|
|Windows 2000||Windows Server 2003|
- Provides detailed information about intercepted I/O operation
- Provides detailed information about driver and device objects on your system
- Advanced filtering engine
- Decodes SRB (SCSI), URB (USB) and IRB (IEEE1394)
- Easy-to-use interface
You can use it as a learning tool if you're wondering how different devices and drivers interact or handle certain types of I/O. Or use it as a debugging and troubleshooting tool to track your own driver's activity on a live system without needing to set up a kernel debugger.
How it works
To enumerate drivers, the utility uses undocumented Object API functions exported by ntdll.dll (NtOpenDirectoryObject, NtQueryDirectoryObject, etc.). The kernel-mode component devflt.sys gets a driver object by its name and enumerates all devices associated with it. It is also responsible for hooking the specified device and tracing all requests to it.
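The user-mode enumeration step described above, as an added example that is not Device Filter's own code: it lists an object directory with NtOpenDirectoryObject and NtQueryDirectoryObject through Python's ctypes and keeps the entries whose type is Driver. The directory names \Driver and \FileSystem, the 4096-byte buffer and the helper names are assumptions not taken from this page.

```python
import ctypes

DIRECTORY_QUERY, STATUS_NO_MORE_ENTRIES = 0x0001, 0x8000001A
VOIDP, ULONG, USHORT = ctypes.c_void_p, ctypes.c_ulong, ctypes.c_ushort

class UNICODE_STRING(ctypes.Structure):
    _fields_ = [("Length", USHORT), ("MaximumLength", USHORT), ("Buffer", VOIDP)]
class OBJECT_ATTRIBUTES(ctypes.Structure):
    _fields_ = [("Length", ULONG), ("RootDirectory", VOIDP),
                ("ObjectName", ctypes.POINTER(UNICODE_STRING)), ("Attributes", ULONG),
                ("SecurityDescriptor", VOIDP), ("SecurityQualityOfService", VOIDP)]
class OBJECT_DIRECTORY_INFORMATION(ctypes.Structure):
    _fields_ = [("Name", UNICODE_STRING), ("TypeName", UNICODE_STRING)]

def list_object_directory(path):
    """Return (name, type) pairs for one object directory (Windows only)."""
    ntdll = ctypes.WinDLL("ntdll")
    open_dir, query = ntdll.NtOpenDirectoryObject, ntdll.NtQueryDirectoryObject
    open_dir.restype = query.restype = ULONG            # NTSTATUS as unsigned
    open_dir.argtypes = [VOIDP, ULONG, VOIDP]
    query.argtypes = [VOIDP, VOIDP, ULONG, ctypes.c_ubyte, ctypes.c_ubyte, VOIDP, VOIDP]
    text = ctypes.create_unicode_buffer(path)           # UTF-16 path, kept alive here
    name = UNICODE_STRING(len(path) * 2, len(path) * 2 + 2, ctypes.cast(text, VOIDP))
    attrs = OBJECT_ATTRIBUTES(ctypes.sizeof(OBJECT_ATTRIBUTES), None, ctypes.pointer(name))
    handle, context = VOIDP(), ULONG(0)
    status = open_dir(ctypes.byref(handle), DIRECTORY_QUERY, ctypes.byref(attrs))
    if status:
        raise OSError(f"NtOpenDirectoryObject({path!r}): NTSTATUS 0x{status:08X}")
    entries, buf = [], ctypes.create_string_buffer(4096)
    try:
        while True:  # ReturnSingleEntry=True; context carries the scan position
            status = query(handle, buf, len(buf), True, False, ctypes.byref(context), None)
            if status:
                break
            info = OBJECT_DIRECTORY_INFORMATION.from_buffer(buf)
            entries.append(tuple(ctypes.wstring_at(s.Buffer, s.Length // 2)
                                 for s in (info.Name, info.TypeName)))
    finally:
        ntdll.NtClose(handle)
    if status != STATUS_NO_MORE_ENTRIES:
        raise OSError(f"NtQueryDirectoryObject({path!r}): NTSTATUS 0x{status:08X}")
    return entries

def driver_object_paths(directory, entries):
    """Full object names of the entries whose object type is Driver."""
    return sorted(f"{directory}\\{n}" for n, t in entries if t == "Driver")

if __name__ == "__main__" and hasattr(ctypes, "WinDLL"):
    for directory in ("\\Driver", "\\FileSystem"):  # assumed directories, not from the page
        print("\n".join(driver_object_paths(directory, list_object_directory(directory))))
```

Run it from an elevated prompt on Windows; without administrator rights, opening \Driver fails and the script reports the NTSTATUS code.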
Download & License
Since November 27, 2020 you can download and use the full version of Device Filter free of charge. Please use the following information to register your copy:
- Username: Freeware
- Company: Freeware
- Product ID: 700AF7E0ABE4DADA
How to install
Unzip and run dflt_full.zip.
Device Filter software is supplied AS-IS, without warranties of any kind.