Saturday, March 27, 2010

Fixing filter driver problems in Windows XP

(taken from )

Background information

A filter driver intercepts requests/communication in order to extend or replace functionality in the driver or hardware that it is filtering. There are three types of filter that you should know about: bus filter drivers, upper filter drivers, and lower filter drivers.

A bus filter driver extends functionality (usually for proprietary features) on a bus driver, such as ACPI. An ACPI filter driver, for example, could add additional power management modes or communicate with proprietary modifications to ACPI (such as in laptops).

An upper filter driver filters data between the main driver and the application/operating system service. Microsoft's example: a keyboard filter driver could perform additional security checks before passing the data along to the application or OS/module that is receiving the data.

A lower filter driver filters data between the hardware itself and the main driver, providing extra security/stability or translating proprietary communication into a standard language for the main driver. A good example of this is when you press a button on a piece of hardware: you may have only pressed the button once, but internally, the button may have made electrical contact repeatedly within mere milliseconds, sending more than one signal when only one was intended. A filter driver can recognize that this isn't intended behavior, and can refine the data to expected specifications (it turns multiple contacts into the intended 1 contact). This way, the main driver receives a stream of cleaned/stable data, and from the end user's perspective, everything is OK. Since hardware is physical and anything can go wrong, filter drivers are quite necessary for operating system sanity.

There are two ways to install a filter driver in Windows: at the class level, and at the device level. If you install a keyboard class filter driver, EVERY keyboard you ever install will be filtered by it. If you only install it on the device level (which is done by unique device ID), then it will only filter the exact device that you put it on originally and all other devices, even in the same class, will be unaffected.


Here's the part everyone is really reading this for. How do you know when you have a filter driver problem, and how do you properly solve it?

If you go into Device Manager and see a device with an exclamation point on it (CD-ROM or not) you should not immediately try to remove and refresh it. Double-click the device so you can see the error code. If it's anything other than "the drivers aren't installed for this device", then you should click the Details tab.

Pull down the drop-down box on the Details tab and look at the following four items:

  • Device Upper Filters
  • Device Lower Filters
  • Class Upper Filters
  • Class Lower Filters

In each of these sections, there may be zero or more items. Note the name of each item in each section. They are all drivers, so they should be in %systemroot%\System32\Drivers with a .sys extension. If you investigate your CD-ROM drive's filter drivers and notice GEARAspiWDM (for example), then you should find a corresponding GEARAspiWDM.sys file in the %systemroot%\System32\Drivers folder. If you don't find a corresponding file, then you've found a broken driver chain. Your next course of action is to either find the .sys file and put it in System32\Drivers and reboot, or remove the registry entry and reboot. In most cases you'll just be removing the registry entry that is pointing to a non-existent driver.

How does this happen? If you uninstall iTunes (for instance) then it will remove the GEARAspiWDM.sys file and its filter driver entry from the registry. If you then System Restore to a date prior to this uninstallation, it may or may not put back the .sys file but it will definitely put back the registry entry, and thus the filter chain will be broken. This can happen with any device, as all are capable of hosting filter drivers above or below the main driver. Again, this is not exclusive to that well-known CD-ROM drive problem.

Removing the registry entry

If the missing file came from either of the two "Class" filter categories, drill down in Regedit to HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Class. Hit CTRL+F, type the entry as you saw it in Device Manager (e.g., "GEARAspiWDM", without the .sys part), and search for it. It should quickly bring you directly to the Upper or Lower filters value that contains this driver's reference. Double-click the value that it was found in (in the right-hand pane of Regedit), and remove just the line of the missing file, leaving everything else alone (specifically anything that DOES actually exist in %systemroot%\System32\Drivers). Make sure that there's only one item per line, that there are no blank lines, and that you are modifying the intended driver. The (Default) value of every class key should describe the class's name in English (e.g., "DVD/CD-ROM Drives").

If the missing file name came from either of the two "Device" filter categories, drill down to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum. Hit CTRL+F, type the entry as you saw it in Device Manager, and remove the line in the same way as explained in the paragraph above this one. If more than one device is using this particular filter, then you will have to search again and remove it from each device.

After you've discovered and removed the offending filter driver entry from the registry, restart the computer. All should be well again at this point, if it was indeed just a filter driver problem. Try not to remove and reinstall the driver before you have rebooted at least once, as the problem should be fixed on the next system startup.
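The check described above (every filter entry should have a matching .sys file in %systemroot%\System32\Drivers) can be run over all class and device keys at once. The following is an added example, not part of the original post: the function name Get-BrokenFilterEntry and its parameters are hypothetical, and it assumes PowerShell 2.0 or later is installed and that the filter values are stored under the names UpperFilters and LowerFilters.

```powershell
# Added example: read-only audit for broken filter chains (changes nothing).
# Entries are checked the way the article describes: filter "Name" is
# expected to exist as %SystemRoot%\System32\Drivers\Name.sys.
function Get-BrokenFilterEntry {
    param(
        [string]$RegistryRoot,      # key whose subkeys are scanned
        [string]$DriverDirectory = (Join-Path $env:SystemRoot 'System32\Drivers'),
        [switch]$Recurse            # device keys sit several levels below Enum
    )
    $keys = Get-ChildItem -Path $RegistryRoot -Recurse:$Recurse -ErrorAction SilentlyContinue
    foreach ($key in $keys) {
        foreach ($valueName in 'UpperFilters', 'LowerFilters') {
            # REG_MULTI_SZ is returned as string[]; a missing value is $null.
            foreach ($filter in @($key.GetValue($valueName))) {
                if ([string]::IsNullOrEmpty($filter)) { continue }   # absent value or blank line
                $sysFile = Join-Path $DriverDirectory "$filter.sys"
                if (Test-Path -LiteralPath $sysFile) { continue }    # chain intact for this entry
                # Class keys describe themselves in (Default); device keys in DeviceDesc.
                $label = $key.GetValue('')
                if (-not $label) { $label = $key.GetValue('DeviceDesc') }
                New-Object PSObject -Property @{
                    Key         = $key.Name
                    Description = $label
                    Value       = $valueName
                    Filter      = $filter
                    MissingFile = $sysFile
                }
            }
        }
    }
}

$base   = 'HKLM:\SYSTEM\CurrentControlSet'
$broken = @()
$broken += @(Get-BrokenFilterEntry -RegistryRoot "$base\Control\Class")   # class-level filters
$broken += @(Get-BrokenFilterEntry -RegistryRoot "$base\Enum" -Recurse)   # device-level filters
$broken | Format-List Description, Value, Filter, MissingFile, Key
```

Nothing is modified by this script; each entry it reports is a candidate for the manual Regedit edit described above.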
