Windows System Software -- Consulting, Training, Development -- Engineering Excellence, Every Time.

OSR’s Isolation Minifilter Solution Framework

Every week, we encounter a problem like this:  An unsuspecting dev looks at the File System Minifilter model, sees that it’s pretty cool, and decides to undertake what looks like a straightforward project.  The project?  A Minifilter that does one of the following:

  • Virtualizes the location of a file (allowing the file to be pulled down, bit by bit, from back-end cloud storage or from slow near-line storage).
  • Implements per-file on-access transparent encryption and decryption
  • Implements “hot backup” of files, and allows seamless access to both new and old versions
  • Implements file compression
  • Provides data deduplication processing (store the file data once, have it be available via multiple files)

The dev gets coding underway, but after a few weeks runs into unexpected issues.  Why?  Because he or she has left the realm of conventional Standard Minifilters and accidentally entered the world of Windows file system Isolation Minifilters.  We describe the technical differences between Standard Minifilter and Isolation Minifilters in another article in this issue of The NT Insider.

Should This Minifilter Be an Isolation Minifilter?

Unless you have experience in Windows file systems or file system filters, it’s sometimes hard to know in advance that your design is going to (or should) enter into Isolation Minifilter territory.  Heck, here at OSR we’ve started Minifilter projects, only to discover after several weeks of work that “we probably should have used an Isolation Minifilter for this.”  It happens.

The best way to determine if you’re likely to need an Isolation Minifilter, before you start your code, is to ask yourself, “Do I need to maintain a view of the data that is different in content, shape, or location from that which is stored by the underlying file system.”  If the answer to this question is yes, you should at least consider implementing an Isolation Minifilter.

Isolation Minifilter: Hard

Determining whether you need to write a Standard Minifilter or an Isolation Minifilter is important, because undertaking the development of an Isolation Minifilter is far more difficult than a Standard Minifilter.  Because of their close coupling with the Windows VM subsystems (Memory Manager and Cache Manager) developing an Isolation Minifilter is at least as complicated as developing a Windows file system.  In fact, in discussing just this topic, one of the OSR devs recently wrote:

I maintain that an Isolation Minifilter is actually much harder than a filesystem to write because in many cases the lower edge [of the Minifilter] is a filesystem (which is complicated and involves locking), whereas for a filesystem it is a series of blocks (idempotent, no locking, etc,….)

In any case, let’s just agree that Isolation Minifilters are difficult to write from scratch.  Based on our own experience developing Isolation Minifilters, starting from scratch we estimate that it would take a very experienced Windows file system developer at least 3 months to get a prototype Isolation Minifilter working.  For a less experienced dev, one who is “just” experienced writing Windows kernel-mode drivers, we figure it would take at least 6-9 months to get a working prototypeAnd, in either case, that’s just to have something that you can demo.  A real solution, that works in the real world, will still be many months of work away.

Isolation Minifilter Solution Framework:  Much Easier

Fortunately, there’s a solution that allows you to jump-start the process of developing an Isolation Minifilter and have working prototype in a few weeks instead of many months.  That solution is OSR’s Isolation Minifilter Solution Framework (IMSF).

As we were developing our comprehensive Solution Framework specific to on-access transparent file encryption (FESF, you can read about it here if you’re interested) we, obviously, had to implement an Isolation Minifilter.  Instead of tightly coupling this Isolation Minifilter with FESF, we architected and implemented it as a separable set of modules.  We make these modules available, with documentation and example code, as part of the IMSF.

Our IMSF kit comprises a complete and fully customizable Isolation Minifilter.  This Isolation Minifilter is identical to the code that forms the heart of FESF that is currently shipping world-wide in major products.  This code gets used and tested every day, in real-world conditions.  It works.  It’s solid.

In addition to the Isolation Minifilter itself, IMSF includes comprehensive documentation for the interfaces and a working example that illustrates how to use IMSF as the basis for a real product.  And, yes:  You get the complete source code. For everything.

To be clear:  You still need to understand Windows kernel-mode programming and file systems concepts to make good use of our IMSF kit.  But the hard work is done for you by IMSF.  You don’t need to be an expert on the Cache Manager.  You don’t have to figure out “How should I do this?”  IMSF provides a base that’s solid, actively developed, constantly maintained with each new release/update of Windows, and is proven to work in real, shipping, products.

Ask an Expert

If you’re working on a project, and you’d like to discuss whether the Isolation Minifilter approach might be the right way to go, get in contact with us.  There’s no charge to get our engineering team on Skype with your engineering team to discuss your options.  If we don’t think you need an Isolation Minifilter, or if IMSF isn’t right for you, we’ll tell you.  On the other hand, maybe we can save you some time and trouble with one of our Solution Frameworks.  Either way, if can start you in the right direction with just an hour on the phone, we figure it’ll be time well spent.

Article Name
OSR's Isolation Minifilter Solution Framework