Removing filter drivers: Catastrophe and how to avert it
Almost every day, I see people who want to, try to or succeed in removing a piece of unwanted software that has been annoying them for a while. Sometimes, however, the unwanted piece of software in question is a kernel driver that refuses to go down without taking the computer down. Removing its entry from the Windows Registry or its file from the computer breaks one or more devices, or worse, makes the entire computer unbootable. But don’t worry: All that needs to be done is to act methodically.
So, what’s the problem?
There is no denying that a piece of software must always be removed by its uninstaller. In Microsoft Windows, uninstallers are registered in the Programs and Features part of Control Panel. However, malware (e.g. keyloggers) does not have uninstallers. Low-quality software does have uninstallers, but they may leave annoying components behind. (Acronis True Image is an example of such bad apps.)
The aforesaid problem is caused by filter drivers. These drivers modify the behavior of another driver. When they are peremptorily removed, the other drivers, whose behavior they were meant to modify, break.
Removing a filter driver has three stages:
- Create a restore checkpoint via System Restore, lest something go wrong
- Remove the driver itself
- Remove the driver’s associations with other devices
The last two steps must be completed in one session, without restarting the computer in between.
Creating a System Restore checkpoint
System Restore is a component of Microsoft Windows that helps revert the system to a workable state in case of catastrophe. Please study the following resources on the Microsoft website:
- What is System Restore?
- System Restore: frequently asked questions
- How to restore, refresh, or reset your PC
If you have any other means of saving your computer’s state, such as a third-party backup tool, please use it. When it comes to backup, Microsoft programs are the worst choice. (For instance, you may create a system image via Windows Backup without problem but you may also discover that restoring said image takes days!)
Removing the driver itself
This step is easy enough: Download Sysinternals Autoruns or Comodo KillSwitch, find the driver that you want removed, highlight it and hit the Delete button. But while you are doing this, take a note of its name and its file system location. You are going to need the former for the next step and the latter for deleting the file.
Wise guys may consider delaying the part where they hit the Delete button until the driver associations are removed.
Removing the driver’s associations with other devices
Open Windows Registry Editor by hitting the Windows+R key combination, typing regedit and hitting the Enter key. Now, navigate to HKEY_LOCAL_MACHINE\System\CurrentControlSet. Use the Find command in the Edit menu to search for the name of the driver you want to remove. In this example, I searched for BTOWSVF. (BTOWSVF is an innocent driver and I have no intention of removing it. However, I did not have the luxury of having a broken computer at hand; even then, writing a blog post on that computer would have proved impossible.)
You are looking for instances of drivers or driver classes that have their “UpperFilters” and “LowerFilters” entries pointing to the filter driver you’d like to remove. In the picture, I have found a driver class with an UpperFilters entry pointing to “BTOWSVF” and a LowerFilters entry pointing to “fvevol” and “rdyboost”. (UpperFilters and LowerFilters entries may point to more than one filter driver, which you may not want removed.)
Carefully edit the UpperFilters and LowerFilters entries, erasing the line containing the name of the driver you are about to remove. In my case, I have to remove “BTOWSVF”.
Continue your search but keep an eye on the status bar: Do not go outside HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet. Do not delete or alter anything outside of that scope.
Once you’ve completed all the steps, the troublesome driver should be gone.
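To review every UpperFilters and LowerFilters reference before editing anything by hand, the search described above can be run as a read-only audit. This is an added example, not part of the original post; the parameter name `$DriverName` and the output column names are illustrative, and BTOWSVF is simply the driver name used in the post.

```powershell
# Added example: read-only audit. It changes nothing in the Registry.
# $DriverName is an illustrative parameter; BTOWSVF is the name from the post.
param([string]$DriverName = 'BTOWSVF')

# Stay inside the scope the post insists on.
$root       = 'HKLM:\SYSTEM\CurrentControlSet'
$valueNames = 'UpperFilters', 'LowerFilters'

# Some subkeys are readable only by SYSTEM; skip those instead of failing.
Get-ChildItem -Path $root -Recurse -ErrorAction SilentlyContinue |
    ForEach-Object {
        $key = $_
        foreach ($name in $valueNames) {
            # GetValue returns $null when the key has no such value.
            $current = $key.GetValue($name, $null)
            if ($null -eq $current) { continue }

            # Filter lists are multi-string values; force an array so a
            # single-entry list is handled the same way as a longer one.
            $current = @($current)
            if ($current -notcontains $DriverName) { continue }

            # What the list would look like once the driver's line is erased.
            $remaining = @($current | Where-Object { $_ -ne $DriverName })

            [pscustomobject]@{
                Key       = $key.Name
                Value     = $name
                Current   = $current -join ', '
                AfterEdit = if ($remaining.Count) { $remaining -join ', ' }
                            else { '(empty list)' }
            }
        }
    } | Format-List
```

Each reported key is one place where the filter list still names the driver; the AfterEdit column shows which other filters, such as fvevol or rdyboost in the post's example, must remain in the list.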
Posted on 29 June 2013, in Windows Administration.