By default, installation and uninstallation of CallbackFilter files (kernel-mode drivers and Helper DLLs) can be performed from a user account that belongs to the Administrators group. This is a security measure of the Windows operating system. You can change this behaviour on the target system by adjusting the list of users and groups that have the right to install and uninstall drivers. This is done in Control Panel -> Administrative Tools -> Local Security Settings -> Local Policies \ User Rights Assignment (tree branch), where you need to change the "Load and Unload device drivers" item. Needless to say, by default you can change the security settings if you are a system administrator.
Notes for Vista and later versions of Windows
If you have UAC (User Account Control) enabled, Vista and later versions of Windows will run applications started by you with limited rights even when you are logged in as an administrator or a member of the Administrators group.
If you install or uninstall the drivers by calling the above mentioned functions in your code, you need to elevate privileges of your application so that it's started with truly administrative rights.
To elevate privileges for your application, you must start it with the Run As Administrator option. In Windows Explorer this is done using the Run As Administrator command in the context menu for the application. Alternatively, you can set the corresponding option in the Properties window shown for your executable module.
One more option is to use the manifest.
The manifest file can be placed next to the executable of your application or embedded into the executable.
If you decide to keep the manifest in a separate file, it must be named <EXEName_with_extension>.manifest, e.g. for MyApp.exe the manifest should be called MyApp.exe.manifest.
You can use the following manifest:
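<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
<description>elevate execution level</description>
<!-- requestedExecutionLevel is read from trustInfo/security/requestedPrivileges -->
<trustInfo xmlns="urn:schemas-microsoft-com:asm.v2"><security><requestedPrivileges>
<requestedExecutionLevel level="requireAdministrator" uiAccess="false"/>
</requestedPrivileges></security></trustInfo>
</assembly>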
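A pre-deployment check for such a manifest, as an added example that is not part of the CallbackFilter documentation: it verifies the external file name rule, that the XML is well-formed, and that `requestedExecutionLevel` sits inside the standard `trustInfo` wrapper with the values used on this page. The function name and both sample manifests are constructed for illustration.

```python
import xml.etree.ElementTree as ET

ASM_V1 = "urn:schemas-microsoft-com:asm.v1"
# trustInfo is commonly declared in asm.v2 or asm.v3; accept either.
TRUST_NS = ("urn:schemas-microsoft-com:asm.v2", "urn:schemas-microsoft-com:asm.v3")

# Constructed sample: a complete elevation manifest.
GOOD = b"""<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
<trustInfo xmlns="urn:schemas-microsoft-com:asm.v2"><security><requestedPrivileges>
<requestedExecutionLevel level="requireAdministrator" uiAccess="false"/>
</requestedPrivileges></security></trustInfo>
</assembly>"""

# Constructed sample: the element is present but outside trustInfo.
MISPLACED = b"""<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
<requestedExecutionLevel level="requireAdministrator" uiAccess="false"/>
</assembly>"""

def check_manifest(exe_name, manifest_name, manifest_xml):
    """Return a list of problems; empty means the manifest has the expected form."""
    problems = []
    if manifest_name.lower() != (exe_name + ".manifest").lower():
        problems.append("external manifest must be named %s.manifest" % exe_name)
    try:
        root = ET.fromstring(manifest_xml)
    except ET.ParseError as exc:
        return problems + ["manifest is not well-formed XML: %s" % exc]
    if root.tag != "{%s}assembly" % ASM_V1:
        problems.append("root element is not asm.v1 <assembly>")
    levels = []
    for ns in TRUST_NS:
        steps = ("trustInfo", "security", "requestedPrivileges", "requestedExecutionLevel")
        levels += root.findall("/".join("{%s}%s" % (ns, s) for s in steps))
    if not levels:
        problems.append("no requestedExecutionLevel under trustInfo/security/requestedPrivileges")
    for el in levels:
        if el.get("level") != "requireAdministrator":
            problems.append("level is %r, not requireAdministrator" % el.get("level"))
        if el.get("uiAccess", "false").lower() != "false":
            problems.append("uiAccess is not false")
    return problems

if __name__ == "__main__":
    print(check_manifest("MyApp.exe", "MyApp.exe.manifest", GOOD))
    print(check_manifest("MyApp.exe", "MyApp.manifest", MISPLACED))
```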
The driver to be deployed is cbfltfs4.sys. Note that the drivers are different for Win32, x64 (AMD 64-bit architecture) and IA64 (Itanium 64-bit architecture) platforms.
Debug drivers are located in "<CBFlt>\Drivers\Debug\32bit" or "<CBFlt>\Drivers\Debug\64bit" folders (for Win32 and Win64 platforms).
Release drivers are located in "<CBFlt>\Drivers\Release\32bit" or "<CBFlt>\Drivers\Release\64bit" folders (for Win32 and Win64 platforms).
64-bit version of the driver is available for x64 (AMD64) processor architecture used by most modern 64-bit processors and IA64 (Itanium) processor architecture used by some Intel-produced server processors.
Installation of the drivers to the target system is described here.
CallbackFilter user-mode API is shipped as .NET assemblies, static library for Visual C++ and VCL units.
- C++ API:
C++ class links CallbackFilter API statically so no deployment is required.
- VCL API:
VCL unit for Delphi and C++Builder links CallbackFilter API statically so no deployment is required.
- .NET API:
When deploying the project, copy the CBFlt4Net.dll below to your application folder. Questions about when and how to install the assemblies to the Global Assembly Cache are discussed in the "Working with Assemblies and the Global Assembly Cache" and "How to: Install an Assembly into the Global Assembly Cache" articles.
.NET assemblies are different for Intel 32-bit and Intel 64-bit platforms.
64-bit .NET 4.6 assemblies are available for x64 processor architecture used by most modern 64-bit processors.
64-bit .NET 4.5.1 assemblies are available for x64 processor architecture used by most modern 64-bit processors.
64-bit .NET 4.5 assemblies are available for x64 processor architecture used by most modern 64-bit processors.
64-bit .NET 4.0 assemblies are available for x64 (AMD64) processor architecture used by most modern 64-bit processors and IA64 (Itanium) processor architecture used by some Intel-produced server processors.
64-bit .NET 2.0 assemblies are available for x64 (AMD64) processor architecture used by most modern 64-bit processors and IA64 (Itanium) processor architecture used by some Intel-produced server processors.
MSVC++ Runtime DLLs
All .NET assemblies require Visual C++ Multithreaded Runtime DLLs. It's a good idea to include these DLLs in the distribution.
If you place the assembly in the same folder where your application is located, MSVC++ Runtime DLLs should be placed in this folder too.
If you install the .NET assembly to the GAC, MSVC Runtime DLLs should be deployed using the installable "vcredist" package instead. The package can be downloaded from the Microsoft site and included in your installation package. Search for "Microsoft Visual C++ Redistributable Package" on the Microsoft site and choose the needed redistributable packages. "Vcredist" installations don't just copy VC redistributable DLLs to the proper Windows folders, but also register them for side-by-side use in the registry to avoid conflicts with files of the same name but different version.
.NET 4.6 assemblies require vcruntime140.dll. The DLLs are located in <CBFlt>\MSVC_REDIST\NET_46 folder.
.NET 4.5.1 assemblies require msvcp120.dll and msvcr120.dll. The DLLs are located in <CBFlt>\MSVC_REDIST\NET_451 folder.
.NET 4.5 assemblies require msvcp110.dll and msvcr110.dll. The DLLs are located in <CBFlt>\MSVC_REDIST\NET_45 folder.
.NET 4.0 assemblies require msvcp100.dll and msvcr100.dll. The DLLs are located in <CBFlt>\MSVC_REDIST\NET_40 folder.
.NET 2.0 assemblies require msvcp90.dll and msvcr90.dll. The DLLs are located in <CBFlt>\MSVC_REDIST\NET_20 folder.