The binary fltMC.exe is used to manage minifilter drivers. You can easily load and unload minifilters using this binary. To unload the Sysmon driver you can use:
fltMC unload SysmonDrv
If this binary is flagged, the minifilter can also be unloaded by calling the ‘FilterUnload’ API, which is the Win32 equivalent of ‘FltUnloadFilter’. It invokes the minifilter’s ‘FilterUnloadCallback’ (PFLT_FILTER_UNLOAD_CALLBACK) routine. This is the same as using fltMC, which performs a non-mandatory unload.
Calling this API requires SeLoadDriverPrivilege, and obtaining that privilege requires administrative permissions.
Here’s a simple C program I wrote to call the ‘FilterUnload’ API.
https://github.com/OsandaMalith/WindowsInternals/blob/master/Unload_Minifilter.c
Gist: https://gist.github.com/OsandaMalith/3315bc640ff51227ab067052bc20a445
Note that when a minifilter driver is unloaded through the Filter Manager, whether by fltMC or by a direct ‘FilterUnload’ call, the unload is logged in the System event log.
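As an added example (not the post’s own code), here is a small Python check a defender could run over exported event records to spot this unload from either route: the Filter Manager “unloaded successfully” event in the System log, which fires for both fltMC and a direct FilterUnload call, and the fltMC command line seen by Sysmon’s own process-creation event. The records are constructed to mirror those two event types; the provider names, event IDs and message text are assumed from those log sources and may differ slightly between Windows builds.

```python
import re

FILTER_NAME = "SysmonDrv"

# Constructed sample records in the shape of exported Windows event entries
# (log, provider, event ID, message). Illustrative, not real captures.
SAMPLE_EVENTS = [
    {"log": "System", "provider": "Microsoft-Windows-FilterManager", "event_id": 1,
     "message": "File System Filter 'SysmonDrv' (Version 10.0) unloaded successfully."},
    {"log": "System", "provider": "Microsoft-Windows-FilterManager", "event_id": 1,
     "message": "File System Filter 'ExampleFilter' (Version 1.0) unloaded successfully."},
    {"log": "Microsoft-Windows-Sysmon/Operational", "provider": "Microsoft-Windows-Sysmon",
     "event_id": 1,
     "message": "Process Create:\nImage: C:\\Windows\\System32\\fltMC.exe\n"
                "CommandLine: fltMC unload SysmonDrv"},
    {"log": "Microsoft-Windows-Sysmon/Operational", "provider": "Microsoft-Windows-Sysmon",
     "event_id": 1,
     "message": "Process Create:\nImage: C:\\Windows\\System32\\fltMC.exe\n"
                "CommandLine: fltMC filters"},
]


def is_sysmon_unload(event):
    """Return a reason string if the record indicates the Sysmon minifilter was unloaded, else None."""
    msg = event["message"]
    # Signal 1: Filter Manager reports the unload itself. This is the one that also
    # covers a direct FilterUnload call, since no fltMC process is involved there.
    if (event["provider"] == "Microsoft-Windows-FilterManager" and event["event_id"] == 1
            and "unloaded successfully" in msg and f"'{FILTER_NAME}'" in msg):
        return "filter-manager-unload"
    # Signal 2: the fltMC command line recorded by Sysmon before its driver went away.
    if event["provider"] == "Microsoft-Windows-Sysmon" and event["event_id"] == 1:
        m = re.search(r"^CommandLine:\s*(.+)$", msg, re.MULTILINE)
        if m:
            cmd = m.group(1).lower()
            if "fltmc" in cmd and "unload" in cmd and FILTER_NAME.lower() in cmd:
                return "fltmc-commandline"
    return None


def find_unloads(events):
    """Return (index, reason) pairs for every record that matches either signal."""
    return [(i, r) for i, e in enumerate(events) if (r := is_sysmon_unload(e))]


if __name__ == "__main__":
    for idx, reason in find_unloads(SAMPLE_EVENTS):
        print(f"record {idx}: {reason}")
```

The Filter Manager signal is the more robust of the two, since it does not depend on Sysmon still running when the unload happens.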
References:
https://www.osr.com/nt-insider/2017-issue2/introduction-standard-isolation-minifilters/