What is a minidriver?
In the Windows driver model, a minidriver is the device-specific half of a driver pair: it plugs into a Microsoft-supplied port or class driver (a storage miniport, an NDIS miniport, a display miniport) and handles only what is particular to the hardware. The drivers this post is really concerned with (AV, EDR, Sysmon, profile virtualization) are a close relative: file system minifilter drivers, which plug into Filter Manager (fltmgr.sys) instead of a class driver, attach to volumes at a fixed altitude and see every file I/O that passes through the stack. Both are kernel-mode code sitting in the I/O path, and stacking several of them on a Windows 10 or 11 system can lead to performance problems. Here’s why:
1. Resource Consumption: Every filter driver adds CPU work and kernel memory to each I/O it intercepts. With several of them stacked, each file operation is examined several times over, which shows up as high kernel time and slow file access.
2. Driver Conflicts: Filters are not aware of each other. When one product opens and reads a file to scan it, every filter below it sees that read and may scan or journal the file again, so two well-behaved products multiply each other’s cost, and in the worst case the interaction causes system instability, crashes, or severe performance degradation.
3. Compatibility Issues: Not every driver is tested against the latest Windows build, let alone against the other filters that share the stack with it. Running outdated or incompatible drivers on Windows 10 or 11 can lead to performance issues or instability.
Now, let’s talk about how to identify and address these problems using tools:
1. Device Manager:
– Open Device Manager (right-click the Start button and select “Device Manager”).
– Look for devices with a yellow triangle icon; this indicates a driver problem.
– Update or uninstall the problematic drivers from here. Note that file system minifilters (AV, EDR, Sysmon, profile virtualization) do not appear in Device Manager because they are not attached to a device; for those, use fltmc.exe (point 6).
2. Performance Monitor:
– Use the built-in Performance Monitor to track resource usage.
– Look for spikes or sustained high CPU, memory, or disk usage that coincide with the performance problems.
– Identify the processes responsible and check whether they belong to a product that loads a filter driver. Minifilter callbacks run in the context of the thread that issued the I/O, so a filter’s cost is charged as kernel time (“% Privileged Time”) to processes that have nothing to do with the filter itself.
3. Event Viewer:
– Check the System log for errors or warnings from driver-related sources such as FilterManager and Microsoft-Windows-Kernel-PnP.
– Look for patterns or recurring events that coincide with the performance problems.
4. Reliability Monitor:
– Open Reliability Monitor (search for “Reliability Monitor” in the Start menu).
– Check for critical events, warnings, or errors related to drivers.
– Use this information to pinpoint the time frames of the performance issues.
5. Third-Party Tools:
– Tools like Process Explorer, Autoruns, or DriverView provide detailed information about running processes, loaded drivers, and their impact on system performance. Autoruns lists drivers, including minifilters, on its Drivers tab together with the publisher, which makes vendor attribution easy.
– Analyze the output of these tools to identify problematic drivers.
6. fltmc.exe (Filter Manager Control Program):
– `fltmc.exe` is the command-line tool for managing minifilter drivers on a Windows system. It requires an elevated prompt.
– Open Command Prompt as an administrator and list the loaded minifilters with their altitudes (a higher altitude means the filter sits higher in the stack and sees each I/O earlier): `fltmc filters`. `fltmc instances` shows which volumes each filter is attached to.
– Examine the list for unnecessary or problematic minifilters. The filter name is normally the driver’s service name, so you can look it up under `HKLM\SYSTEM\CurrentControlSet\Services` to find the .sys file and its vendor.
– Disable a specific minifilter temporarily to observe the impact on performance with `fltmc unload <FilterName>`, and put it back with `fltmc load <FilterName>`. Security products normally refuse to unload (self-protection), and while an AV filter is unloaded the machine is unprotected, so do this only on a test system.
– If disabling a particular minifilter resolves the performance issues, consider updating or replacing that driver.
Adding `fltmc.exe` to your troubleshooting arsenal gives you a direct view of the minifilter drivers specifically, which you can manage and analyze from the command line. Create a system restore point before making significant driver changes so you can revert to a stable state, and keep drivers updated from the hardware manufacturer’s official website to prevent compatibility issues.
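The Event Viewer and Reliability Monitor steps above can be scripted. The following PowerShell is an added example, not part of the original post: it collects Filter Manager load events (Event ID 6 in the System log names each minifilter as it loads) and Kernel-PnP 219 driver-load failures, adds Reliability Monitor records (exposed through the Win32_ReliabilityRecords CIM class) that mention a driver or filter, and merges everything into one timeline for the window in which the slowdown was seen. The seven-day default window is an assumption; set -Start/-End to the interval identified in Performance Monitor. Run it in an elevated PowerShell session.

```powershell
# Added example, not from the original post. Builds one chronological timeline of
# driver-related records from the System log and Reliability Monitor so that filter
# load activity can be matched against the window in which the slowdown occurred.
# Run from an elevated PowerShell session on Windows 10/11.
function Get-DriverTimeline {
    param(
        # Assumed default: the last seven days. Narrow this to the interval identified
        # in Performance Monitor.
        [datetime]$Start = (Get-Date).AddDays(-7),
        [datetime]$End   = (Get-Date)
    )

    $timeline = New-Object System.Collections.Generic.List[object]

    # Filter Manager writes Event ID 6 to the System log each time a minifilter loads:
    # "File System Filter 'SysmonDrv' (...) has successfully loaded and registered ...".
    # Other IDs from the same provider report attach/detach problems; keep them all.
    $fm = Get-WinEvent -ErrorAction SilentlyContinue -FilterHashtable @{
        LogName = 'System'; ProviderName = 'FilterManager'; StartTime = $Start; EndTime = $End }
    foreach ($e in $fm) {
        $name = if ($e.Message -match "File System Filter '([^']+)'") { $Matches[1] } else { '?' }
        $detail = if ($e.Id -eq 6) { "minifilter loaded: $name" } else { $e.Message -replace '\s+', ' ' }
        $timeline.Add([pscustomobject]@{
            Time = $e.TimeCreated; Source = 'FilterManager'; Id = $e.Id; Detail = $detail })
    }

    # Kernel-PnP Event ID 219: "The driver \Driver\<name> failed to load for the device ...".
    $pnp = Get-WinEvent -ErrorAction SilentlyContinue -FilterHashtable @{
        LogName = 'System'; ProviderName = 'Microsoft-Windows-Kernel-PnP'; Id = 219
        StartTime = $Start; EndTime = $End }
    foreach ($e in $pnp) {
        $timeline.Add([pscustomobject]@{
            Time = $e.TimeCreated; Source = 'Kernel-PnP'; Id = $e.Id
            Detail = ($e.Message -replace '\s+', ' ') })
    }

    # Reliability Monitor's data is queryable as Win32_ReliabilityRecords (application
    # failures, Windows failures, warnings). Keep records that mention a driver or filter.
    $rel = Get-CimInstance -ClassName Win32_ReliabilityRecords -ErrorAction SilentlyContinue |
        Where-Object { $_.TimeGenerated -ge $Start -and $_.TimeGenerated -le $End -and
                       ($_.Message -match 'driver|filter|\.sys\b' -or $_.SourceName -match 'Kernel') }
    foreach ($r in $rel) {
        $timeline.Add([pscustomobject]@{
            Time = $r.TimeGenerated; Source = "Reliability/$($r.SourceName)"; Id = $r.EventIdentifier
            Detail = ($r.Message -replace '\s+', ' ') })
    }

    $timeline | Sort-Object Time
}

# Usage: print the merged timeline, then a per-day count to spot the days that stand out.
$tl = Get-DriverTimeline
$tl | Format-Table Time, Source, Id, Detail -Wrap
$tl | Group-Object { $_.Time.ToString('yyyy-MM-dd') } | Sort-Object Name | Format-Table Name, Count -AutoSize
```

Read the timeline top-down: a minifilter load (FilterManager 6) immediately followed by reliability warnings or a Kernel-PnP 219 in the same window is the pattern the Event Viewer and Reliability Monitor steps are looking for, and the per-day counts show which days to zoom in on.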
Sometimes you simply can’t mix and match everything that is on the market
We encountered a situation that required extensive investigation to determine why specific components were not working together. The primary security infrastructure was McAfee/Trellix ENS (Endpoint Security), serving as the main security product suite together with TIE Server, ATP-Sandbox, and various other components, a comprehensive and intricate security setup considered best of breed.
Alongside this robust security framework there was a second line of security products from Rapid7, dedicated to SIEM (Security Information and Event Management) and vulnerability scanning. Furthermore, a profile virtualization layer from Ivanti added another dimension to the setup.
It became apparent that the combination of McAfee/Trellix ENS, Rapid7’s security products, and Ivanti’s profile virtualization introduced enough complexity to cause interoperability problems. Multiple layers of security solutions plus a profile virtualization tool may have been one layer too many, and that is what led to the difficulties we encountered.
All three load kernel-mode file system minifilter drivers and sit in the I/O path, so each one adds work to every file operation and competes for the same performance budget.
So let’s check what is using the Sysmon driver (SysmonDrv). It is not McAfee/Trellix; the Rapid7 Insight Agent is using it too.
Another system with McAfee/Trellix ENS but no Rapid7 product:
Ivanti
Disabling AV and ransomware protection in 2020-2023 just so you can manage user profiles is certainly not a good idea! The same seems to be happening with VMware NSX security.
If something has to go, change the profile management solution first, not the main AV provider!
Here is how to TEST-remove the filter once you think you have found the right one (just to test, on a test system, and load it again afterwards):
https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon
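The fltmc.exe steps earlier in the post and the “TEST remove the filter” step just above both come down to the same three operations: inventory the loaded minifilters, work out which vendor each one belongs to, and unload one of them to see whether the problem goes away. The PowerShell below is an added example, not the original post’s commands: it parses `fltmc filters`, resolves each filter to its driver file via the service’s ImagePath and reads the file’s company name and Authenticode signer, and wraps the unload test so the filter is always reloaded afterwards. The filter name passed to Test-Minifilter and the default workload (enumerating System32) are assumptions; substitute the filter you suspect and the operation that was actually slow. It must run elevated, and, as the post says, only on a test system: security products normally refuse to unload, and an unloaded AV filter leaves the machine unprotected.

```powershell
# Added example, not from the original post. Wraps the fltmc.exe steps (inventory the
# loaded minifilters, attribute each to a vendor, test-unload one) in reusable functions.
# Run from an elevated PowerShell prompt: fltmc needs administrator rights.

function Resolve-DriverPath([string]$ImagePath) {
    # Service ImagePath values come in several kernel-style forms; normalise to a Win32 path.
    $p = $ImagePath.Trim('"')
    if ($p -match '^\\\?\?\\(.+)$')       { return $Matches[1] }                           # \??\C:\...
    if ($p -match '^\\SystemRoot\\(.+)$') { return Join-Path $env:SystemRoot $Matches[1] } # \SystemRoot\system32\...
    if ($p -match '^[A-Za-z]:\\')         { return $p }                                    # already absolute
    return Join-Path $env:SystemRoot $p                                                    # system32\drivers\x.sys
}

function Get-MinifilterInventory {
    # 'fltmc filters' prints a fixed-width table: Filter Name, Num Instances, Altitude, Frame.
    # Pre-operation callbacks run from the highest altitude down, so the top of the sorted
    # list sees every I/O first.
    $rows = fltmc.exe filters 2>&1
    if ($LASTEXITCODE -ne 0) { throw "fltmc failed (not elevated?): $rows" }

    foreach ($line in $rows) {
        # Header and separator lines never match because column 2 must be numeric.
        if ($line -match '^(\S+)\s+(\d+)\s+(\S+)\s+(\S+)\s*$') {
            $name, $inst, $altText, $frame = $Matches[1], $Matches[2], $Matches[3], $Matches[4]
            $alt = if ($altText -match '^\d+$') { [int]$altText } else { $null }  # non-numeric -> null

            # The filter name is normally also the driver's service name; its ImagePath gives
            # the .sys file, whose version resource and signature identify the vendor.
            $svc = Get-ItemProperty "HKLM:\SYSTEM\CurrentControlSet\Services\$name" -ErrorAction SilentlyContinue
            $path = $null; $company = $null; $signer = $null
            if ($svc.ImagePath) {
                $path = Resolve-DriverPath $svc.ImagePath
                if (Test-Path -LiteralPath $path) {
                    $company = (Get-Item -LiteralPath $path).VersionInfo.CompanyName
                    $sig = Get-AuthenticodeSignature -LiteralPath $path
                    if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
                }
            }
            [pscustomobject]@{
                Filter = $name; Instances = [int]$inst; Altitude = $alt; Frame = $frame
                Driver = $path; Company = $company; Signer = $signer
            }
        }
    }
}

function Test-Minifilter {
    param(
        [Parameter(Mandatory)][string]$Name,
        # Assumed stand-in for "the thing that got slow": a recursive directory walk, which
        # drives create/query I/O through every attached filter. Replace with your own.
        [scriptblock]$Workload = { Get-ChildItem -Path "$env:SystemRoot\System32" -Recurse -File -ErrorAction SilentlyContinue | Out-Null }
    )
    # Time the workload with the filter attached, unload it, time again, then reload it.
    # Self-protecting security filters make 'fltmc unload' fail; that is reported, not forced.
    $before = Measure-Command $Workload
    fltmc.exe unload $Name | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "$Name refused to unload (exit $LASTEXITCODE); protected or busy filters cannot be tested this way." }
    try {
        $during = Measure-Command $Workload
    } finally {
        fltmc.exe load $Name | Out-Null   # always put the filter back
    }
    [pscustomobject]@{
        Filter          = $Name
        WithFilterMs    = [int]$before.TotalMilliseconds
        WithoutFilterMs = [int]$during.TotalMilliseconds
        SavedMs         = [int]($before.TotalMilliseconds - $during.TotalMilliseconds)
    }
}

# Usage: inventory from the top of the stack down, with vendor attribution.
Get-MinifilterInventory | Sort-Object Altitude -Descending |
    Format-Table Filter, Altitude, Instances, Company, Driver -AutoSize

# Test-unload the filter you suspect (hypothetical name; pick one from the inventory above):
# Test-Minifilter -Name 'SysmonDrv'
```

The Company and Signer columns are what answer the question the post asks (“what is using the Sysmon driver?”): a filter whose driver is signed by one vendor but installed and maintained by another product is exactly the case where two stacks turn out to share a component. A large SavedMs for one filter points at the driver to update or replace; a refusal to unload tells you the product protects itself and has to be tested by uninstalling it on the test box instead.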
Some helpful links:
https://docplayer.net/19532221-Tracking-hackers-on-your-network-with-sysinternals-sysmon.html
https://www.osr.com/nt-insider/2017-issue2/introduction-standard-isolation-minifilters/