How Filter Driver Load Order Affects Device Stack Behavior

Troubleshooting Filter Driver Load Order Issues in Windows

What it is

Filter driver load order determines the sequence in which kernel-mode filter drivers attach to a device stack. An incorrect order can cause device malfunctions, unexpected behavior, or failures to load.

Common symptoms

  • Device not appearing or failing to start
  • I/O errors or frequent timeouts
  • System crashes (blue screens) referencing driver modules
  • Features provided by a filter driver not functioning (e.g., encryption, antivirus file filtering)
  • Performance degradation or high CPU/latency during I/O

Root causes

  • Conflicting filter drivers attaching in wrong order
  • Missing or corrupted registry entries controlling load order
  • Improper INF or service installation (incorrect upper/lower filter registry values)
  • Driver signing or compatibility issues preventing attachment
  • Resource contention or bugs in a filter driver causing detach/attach failures

Diagnostic steps (ordered)

  1. Check Device Manager
    • Look for device status errors and driver details.
  2. Enable Driver Verifier (for suspect drivers)
    • Use caution; may cause crashes but helps reveal faulty drivers.
  3. Examine Event Viewer
    • Check System and Setup logs for driver load/stop errors and codes.
  4. Use autorunsc/WhoCrashed and OS tools
    • Use built-in utilities (e.g., msinfo32) and Sysinternals Autoruns to spot filter drivers and startup entries.
  5. Inspect registry filter entries
    • Check UpperFilters and LowerFilters under the device class key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{Class-GUID}
    • Also check device-specific keys under Enum\USB or Enum\PCI when relevant.
  6. List attached drivers with Device Tree / fltmc
    • Use “fltmc filters” to list file system filter drivers and “driverquery” for others.
  7. Boot into Safe Mode
    • If issue disappears, likely a third-party filter driver conflict.
  8. Enable kernel debugging / capture crash dumps
    • Analyze with WinDbg to identify driver causing a crash or failure to attach.
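
For step 5, a read-only PowerShell audit of the class-level filter values. This is an added example, not part of the original article; the variable names and report columns are illustrative. It lists every UpperFilters/LowerFilters entry in its listed order and flags entries whose service key is missing or disabled, a common reason devices in that class fail to start.

```powershell
# Added example: read-only audit of class-level filter entries.
# Uses only built-in cmdlets; run elevated so protected subkeys are readable.
$classRoot   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Class'
$serviceRoot = 'HKLM:\SYSTEM\CurrentControlSet\Services'

$report = foreach ($key in Get-ChildItem -LiteralPath $classRoot -ErrorAction SilentlyContinue) {
    $props = Get-ItemProperty -LiteralPath $key.PSPath -ErrorAction SilentlyContinue
    foreach ($valueName in 'UpperFilters', 'LowerFilters') {
        # REG_MULTI_SZ comes back as string[]; drop empty strings and missing values.
        $filters = @($props.$valueName | Where-Object { $_ })
        for ($i = 0; $i -lt $filters.Count; $i++) {
            $svcKey = "$serviceRoot\$($filters[$i])"
            $exists = Test-Path -LiteralPath $svcKey
            $svc    = if ($exists) {
                Get-ItemProperty -LiteralPath $svcKey -ErrorAction SilentlyContinue
            }
            [pscustomobject]@{
                Class         = $props.Class        # e.g. DiskDrive, CDROM
                ClassGuid     = $key.PSChildName
                Value         = $valueName
                Position      = $i                  # index within the multi-string value
                Filter        = $filters[$i]
                ServiceExists = $exists
                Start         = $svc.Start          # 0 boot, 1 system, 2 auto, 3 demand, 4 disabled
                ImagePath     = $svc.ImagePath
            }
        }
    }
}

# Full picture, in listed order per class.
$report | Sort-Object Class, Value, Position | Format-Table -AutoSize

# Entries that deserve attention: filter named in the registry but no usable service.
$report |
    Where-Object { -not $_.ServiceExists -or $_.Start -eq 4 } |
    Format-Table Class, ClassGuid, Value, Filter, ServiceExists, Start -AutoSize
```

The script changes nothing; compare its output against the vendor software actually installed before editing any value.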

How to fix common problems

  • Remove problematic UpperFilters/LowerFilters entries
    • Back up registry first. Remove only entries for known-bad drivers or those identified in diagnostics, then reboot.
  • Uninstall or update conflicting drivers
    • Use Programs and Features or device uninstall in Device Manager; install vendor-updated, signed drivers.
  • Reinstall device driver stack
    • Uninstall device, delete drivers from driver store (pnputil), reboot and let Windows redetect.
  • Adjust filter order via driver INF or installation sequence
    • For custom drivers, attach at the correct position in the device stack (IoAttachDeviceToDeviceStack) and follow WDK guidance for attach/detach IRP handling.
  • Use Microsoft hotfixes/patches
    • Apply OS updates if issue is caused by known Windows bug.
  • Disable Driver Verifier after tests
    • If you enabled it, turn it off to restore normal operation.

Preventive best practices

  • Test filter drivers thoroughly in staging before deployment.
  • Use signed drivers and follow WDK recommendations for attachment routines.
  • Avoid multiple vendors providing overlapping filter functionality on the same stack.
  • Keep system and drivers updated; maintain backups of registry and driver store.

Quick checklist for admins (short)

  1. Check Device Manager + Event Viewer
  2. Boot Safe Mode to isolate third-party filters
  3. Inspect Upper/LowerFilters registry values (backup first)
  4. Use fltmc
