Removing filter drivers: Catastrophe and how to avert it

Screenshot: Autoruns v11.61, poised to delete a filter driver
Almost every day, I see people who want to, try to or succeed in removing a piece of unwanted software that has been annoying them for a while. Sometimes, however, the unwanted piece of software is a kernel driver that refuses to go down without taking the computer down with it. Removing its entry from the Windows Registry, or its file from the disk, breaks one or more devices or, worse, makes the entire computer unbootable. But don’t worry: all that needs to be done is to act methodically.

So, what’s the problem?

As a rule, a piece of software should always be removed by its own uninstaller. In Microsoft Windows, uninstallers are registered in the Programs and Features section of Control Panel. However, malware (e.g. keyloggers) does not come with an uninstaller, and low-quality software does have one but may leave annoying components behind. (Acronis True Image is an example of such a bad app.)

The problem described above is caused by filter drivers. A filter driver does not drive a device of its own; it attaches to the device stack of another driver and modifies that driver’s behaviour. Windows records the attachment by name, in the UpperFilters and LowerFilters registry values of a device setup class or of an individual device. When the filter driver is peremptorily removed but those values still name it, the Plug and Play manager cannot load the listed filter at the next start, and the devices whose behaviour it was supposed to modify fail to start along with it.

Removing a filter driver has three stages:

  1. Create a restore point via System Restore, lest something go wrong
  2. Remove the driver itself
  3. Remove the driver’s associations with other devices

The last two steps must be completed in one session, without restarting the computer in between: a reboot that lands between them starts devices whose filter lists still name a driver that no longer exists.

Creating a System Restore checkpoint

System Restore is a component of Microsoft Windows that helps revert the system to a workable state in case of catastrophe. Please study the following resources on the Microsoft website:

  1. What is System Restore?
  2. System Restore: frequently asked questions
  3. How to restore, refresh, or reset your PC

If you have any other means of saving your computer’s state, such as a third-party backup tool, please use it. When it comes to backup, Microsoft programs are the worst choice. (For instance, you may create a system image via Windows Backup without problem, only to discover that restoring said image takes days!)

Removing the driver itself

This step is easy enough: download Sysinternals Autoruns or Comodo KillSwitch, find the driver that you want removed, highlight it and hit the Delete button. While you are doing this, take note of its service name and its file system location. You are going to need the former for the next step and the latter for deleting the file. (The file itself is usually still in use and can only be deleted after the reboot that follows the last step.)

Cautious readers may prefer to delay hitting the Delete button until the driver’s associations have been removed. That way the registry never reaches a state where a device lists a filter that no longer exists, even if the session is interrupted.

Removing the driver’s associations with other devices

Open Registry Editor by pressing Windows+R, typing regedit and pressing Enter. Now, navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet. Use the Find command in the Edit menu to search for the name of the driver you want to remove. In this example, I searched for BTOWSVF. (BTOWSVF is an innocent driver and I have no intention of removing it. However, I did not have the luxury of having a broken computer at hand; even then, writing a blog post on that computer would have proved impossible.)

Screenshot: Registry Editor showing an UpperFilter

You are looking for device setup classes (under Control\Class\{GUID}) or individual devices (under Enum) whose “UpperFilters” or “LowerFilters” values name the filter driver you’d like to remove. In the picture, I have found a device class with an UpperFilters entry pointing to “BTOWSVF” and a LowerFilters entry pointing to “fvevol” and “rdyboost”. Both values are multi-string (REG_MULTI_SZ) values and may list more than one filter driver, one per line, and you will usually not want the others removed. (Here fvevol is BitLocker’s volume filter and rdyboost is ReadyBoost’s; both are Windows components and must stay.)

Carefully edit the UpperFilters and LowerFilters values, erasing only the line containing the name of the driver you are about to remove. In my case, I have to remove “BTOWSVF”. If that line was the only one, delete the value altogether rather than leaving an empty list behind.

Continue your search (F3) until Registry Editor reports that it has finished, but keep an eye on the status bar: do not go outside HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet. Do not delete or alter anything outside that scope.
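The three stages above, as an added PowerShell example that is not part of the original post. It assumes an elevated PowerShell prompt, System Restore enabled on the system drive, and a filter driver identified by its service name; the name BTOWSVF from the post is used only as a sample argument. The script walks the same registry scope the post searches by hand, Control\Class\{GUID} for class-wide filters and Enum for per-device filters, and does nothing unless run with -Apply:

```powershell
# Added example (not from the original post). Run elevated:
#   .\Remove-FilterDriver.ps1 -FilterName BTOWSVF          # report only
#   .\Remove-FilterDriver.ps1 -FilterName BTOWSVF -Apply   # make the changes
# Stage 1 creates a restore point, stage 2 records the service and its image
# path, stage 3 strips the driver from every UpperFilters/LowerFilters value
# under HKLM\SYSTEM\CurrentControlSet and only then marks the service for deletion.
param(
    [Parameter(Mandatory)][string]$FilterName,   # service name of the filter driver
    [switch]$Apply                               # without -Apply nothing is changed
)

$ccs = 'HKLM:\SYSTEM\CurrentControlSet'
$serviceKey = "$ccs\Services\$FilterName"

# --- Stage 1: restore point, so the whole thing can be undone ---------------
if ($Apply) {
    Checkpoint-Computer -Description "Before removing filter driver $FilterName" `
                        -RestorePointType MODIFY_SETTINGS
}

# --- Stage 2: note the driver's name and file location ---------------------
if (-not (Test-Path -Path $serviceKey)) {
    throw "No service named '$FilterName' under $ccs\Services"
}
$svc = Get-ItemProperty -Path $serviceKey
Write-Host "Service : $FilterName"
Write-Host "Image   : $($svc.ImagePath)"      # the file to delete after the reboot
Write-Host "Start   : $($svc.Start)  Type : $($svc.Type)"

# --- Stage 3: remove the driver from every filter list, then the service ----
# Class-wide filters sit in Control\Class\{GUID}; per-device filters in the
# device instance keys under Enum. Both are REG_MULTI_SZ, one driver per line.
$hits = 0
foreach ($scope in "$ccs\Control\Class", "$ccs\Enum") {
    $keys = Get-ChildItem -Path $scope -Recurse -ErrorAction SilentlyContinue
    foreach ($key in $keys) {
        foreach ($valueName in 'UpperFilters', 'LowerFilters') {
            $list = @($key.GetValue($valueName, $null))
            if ($list -notcontains $FilterName) { continue }
            $hits++
            # Keep every other filter (e.g. fvevol, rdyboost) exactly as it was.
            $keep = @($list | Where-Object { $_ -ne $FilterName })
            Write-Host ("{0}\{1}: [{2}] -> [{3}]" -f $key.Name, $valueName, ($list -join ', '), ($keep -join ', '))
            if (-not $Apply) { continue }
            if ($keep.Count -eq 0) {
                # Do not leave an empty filter list behind; drop the value.
                Remove-ItemProperty -Path $key.PSPath -Name $valueName
            } else {
                Set-ItemProperty -Path $key.PSPath -Name $valueName -Value $keep -Type MultiString
            }
        }
    }
}
Write-Host "Filter references to ${FilterName}: $hits"

if ($Apply) {
    # Only after the filter lists are clean is it safe to remove the service.
    # A loaded kernel driver cannot be unloaded here; sc.exe marks it for
    # deletion and the removal completes at the next reboot.
    & sc.exe delete $FilterName
}
```

Run it once without -Apply and compare its report with what you found in Registry Editor; the two should list the same keys. Checkpoint-Computer refuses to create a second restore point within 24 hours on Windows 8 and later unless the SystemRestorePointCreationFrequency registry value is lowered, so if you already created one by hand, drop stage 1 rather than expect a new point. Recursing through Enum can take a minute on a machine with many devices.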

Conclusion

Once you’ve completed all the steps, restart the computer. The troublesome driver should be gone and every device should start normally; check Device Manager for devices flagged with an error before deleting the driver file you noted earlier. If a device does fail to start, or the computer does not boot, return to the restore point you created in the first step.

Posted on 29 June 2013, in Windows Administration.