How to properly fix filter driver problems in Windows XP
- Apr 30th. 2007
- Posted in Fixes . Technical . XP
- By DjLizard
- Write comment
(Note: this is an article for technicians, so common technical terminology and procedures will not be spelled out.)
Most technicians are familiar with the issue where optical drives disappear from My Computer, only to be found in Device Manager with an exclamation point on them, indicating a problem.
Most technicians also have no idea what filter drivers are, or how this can happen, so I'm here to explain this and show you the proper way to repair a driver whose filter chain is broken.
I've noticed that most people completely blast all of the filter drivers away until it works, and although that works, it's really not the best way to go about things, especially since the other filters might be working properly. Also, don't you want to know the why and the how? This problem can apply to more than just optical drives.
Background information
A filter driver intercepts requests/communication in order to extend or replace functionality in the driver or hardware that it is filtering. There are three types of filter that you should know about: bus filter drivers, upper filter drivers, and lower filter drivers.
A bus filter driver extends functionality (usually for proprietary features) on a bus driver, such as ACPI. An ACPI filter driver, for example, could add additional power management modes or communicate with proprietary modifications to ACPI (such as in laptops).
An upper filter driver filters data between the main driver and the application/operating system service. Microsoft's example: a keyboard filter driver could perform additional security checks before passing the data along to the application or OS/module that is receiving the data.
A lower filter driver filters data between the hardware itself and the main driver, providing extra security/stability or translating proprietary communication into a standard language for the main driver. A good example of this is when you press a button on a piece of hardware: you may have only pressed the button once, but internally, the button may have made electrical contact repeatedly within mere milliseconds, sending more than one signal when only one was intended. A filter driver can recognize that this isn't intended behavior, and can refine the data to expected specifications (it turns multiple contacts into the intended 1 contact). This way, the main driver receives a stream of cleaned/stable data, and from the end user's perspective, everything is OK. Since hardware is physical and anything can go wrong, filter drivers are quite necessary for operating system sanity.
There are two ways to install a filter driver in Windows: at the class level, and at the device level. If you install a keyboard class filter driver, EVERY keyboard you ever install will be filtered by it. If you only install it on the device level (which is done by unique device ID), then it will only filter the exact device that you put it on originally and all other devices, even in the same class, will be unaffected.
Troubleshooting
Here's the part everyone is really reading this for. How do you know when you have a filter driver problem, and how do you properly solve it?
If you go into Device Manager and see a device with an exclamation point on it (CD-ROM or not) you should not immediately try to remove and refresh it. Double-click the device so you can see the error code. If it's anything other than "the drivers aren't installed for this device", then you should click the Details tab.
Pull down the drop-down box on the Details tab and look at the following four items:
- Device Upper Filters
- Device Lower Filters
- Class Upper Filters
- Class Lower Filters
In each of these sections, there may be zero or more items. Note the name of each item in each section. They are all drivers, so they should be in %systemroot%\System32\Drivers with a .sys extension. If you investigate your CD-ROM drive's filter drivers and notice GEARAspiWDM (for example), then you should find a corresponding GEARAspiWDM.sys file in the %systemroot%\System32\Drivers folder. If you don't find a corresponding file, then you've found a broken driver chain. Your next course of action is to either find the .sys file and put it in System32\Drivers and reboot, or remove the registry entry and reboot. In most cases you'll just be removing the registry entry that is pointing to a non-existent driver.
How does this happen? If you uninstall iTunes (for instance) then it will remove the GEARAspiWDM.sys file and its filter driver entry from the registry. If you then System Restore to a date prior to this uninstallation, it may or may not put back the .sys file but it will definitely put back the registry entry, and thus the filter chain will be broken. This can happen with any device, as all are capable of hosting filter drivers above or below the main driver. Again, this is not exclusive to that well-known CD-ROM drive problem.
Removing the registry entry
If the missing file came from either of the two "Class" filter categories, drill-down in Regedit to HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Class. Hit CTRL+F and type the entry as you saw it in Device Manager (i.e., "GEARAspiWDM" — without the .sys part) and try to find it. It should quickly bring you directly to the Upper or Lower filters value that contains this driver's reference. Double click the value that it was found in (in the right-hand pane of Regedit), and remove just the line of the missing file, leaving everything else alone (specifically anything that DOES actually exist in %systemroot%\System32\Drivers). Make sure there's only one item per line and that there are no blank lines and that you are modifying the intended driver. The (Default) value of every class key should describe the class' name in English (i.e., "DVD/CD-ROM Drives")
If the missing file name came from either of the two "Device" filter categories, drill-down to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum. Hit CTRL+F and type the entry as you saw it in Device manager, etc, and remove the line in the same way as explained in the paragraph above this one. If more than one device is using this particular filter, then you will have to search again and remove it from each device.
After you've discovered and removed the offending filter driver entry from the registry, restart the computer. All should be well again at this point, if it was indeed just a filter driver problem. Try not to attempt to remove and reinstall the driver before at least rebooting first, as it should be fixed on the next system startup.
Hi DJ,
Thanks for this article as this clarified a few point for me anyway!
I have found one useful tool when looking at filter issues which is free and can be found here:
http://www.bustrace.com/downloads/free_utilities.htm
The tool is called DEVFILTER.EXE and is a graphical tool to view the filter drivers on your optical devices.
Unfortunately it doesn't help you fix them but it's a good way to narrow down on the problem filter so you can sort it out.
Any thoughts about including something in DAF to help resolve these issues?
Kind Regards
Simon
Yes, the next Dial-a-fix will scan every driver for broken filter chains and let you resolve them. It's on my extensive to-do list.
hi, is it possible to let me now if you have a new version of daf.
i use it al the time on my day work….
computer repair and problem solving duty.(computer shop)
i love daf it is for now the best there is for problem solving !
thnks in advance and keep up the good work.
You and everyone else will see it when it hits my front page and my wiki. There won't be a DAF version for a few months, at least.
thanks for the reply….
i wait for it.
Thanks so much.
I had been having problems with my USB keyboards for several months before I found this.
I kept on having to plug my keyboards into different USB ports at Windows login to get them to work.
I found out from some forum that it was a filter problem so I tried deleting lower/upper filter keys, etc, etc.
That never worked because the system would never let me delete the keys.
But this fix, with moving the .sys file to its correct location finally solved it.
As it turns out, the sys file I needed, npkcusb, ended up in the folder of an MMO I play. Huh. Who knew?
In any case, thanks again for sharing the knowledge =)
Fast and quick yeah thats how i've always done it, and i've never heard of "filter drivers" until now.
Nice article.
Does anyone know how to install a filter driver from the command line?
On our setup we sometimes force driver installs with DEVCON, but that requires a deviceID. Apparently for a filter driver you can use a "software enumerated device ID", but I don't know what this implies.
The application is to get a G-Sensor filter driver installed to work with the Intel SATA hardware controller driver.
Thanks for any ideas…
Nick: I don't know the official/"correct" way, but I suppose you could inject the proper filter driver registry key using reg.exe or the like.
I have a situation with a Dell Dimension 2400 (Windows XP)with CD-ROM and CD-RW drives. Neither drive is recognized by My Computer, Windows Explorer, or Device Manager. I also have no exclamation points in Device Manager. I deleted the upper and lower filters manually as per. MSKB314060, but it didn't help. I also checked the power and data connections and they are ok. I'm stumped
I'm no expert like you guys but I had a problem regarding my drives not being shown in the drives registry. No CD image was possible to create because no driver letter was assigned nor was it possible to change the driver letter.
It seems that by downloading devfilter.exe (enabling to see your upper/lower driver filters) GEARAspiWDM was spotted as an upper filter with no registery related or utility or whatever you want to call it.
When i found this article (about 3 hours later), ITunes seemed to be the problem.
It turns out that yesterday, my sister uninstalled ITunes from my computer (based on the only restoration point available on it)
I restored it on that date, hoped that, as the acticle says: "it may or may not put back the .sys file" in place.
Took 5 min to resolve the problem. Now, all my drives are shown and with their proper drive letters.
Thank you to whoever posted that article!
Hi,
I really enjoyed reading your post. I found when I was troubleshooting my external enclosure from Azio (Model# ENC211SU31) paired with my 80GB hard drive. It's being used (when it works) on WinXP Pro SP2 and SP3.
Issue: the drive is recognized only about 1 out of 20 times. Usually when is plugged into the computer for the very first time it works. It usually works the second time. It usually fails the third time and afterwards. It is tricky to make it work after that (I still did not figure out the procedure – some combination of plugging/unplugging, reboots, removing ghost driver, weather, moon phase, tide, etc).
My troubleshooting so far:
1. I checked working drive in device manager. The device is listed there as "Initio MHY2080BH USB device". All appropriate drives seems to be generic WinXP drivers as expected (manufacture states that no drivers are needed when running on XP and later).
2. When device is not recognized, it appears as "Unknown device" in device manager. Note, that correct ghost device is still present. I believe, that the problem is in device ID recognition …
The working device shows meaningful "Device Instance id" (USBSTOR\DISK$Ven_Initio …) and "Hardware id" under device properties/details tab. On the other hand, "Device Instance id=USB\VID ….".
I did reseeded the the drive in the tray with no positive result.
Since the device is not recognized, I cannot delete upper/lover drives …
Note: I did all this testing with ac adapter and connecting only one of the USB plugs.
I would appreciate any feedback on this.
PS> As I keep troubleshooting this I realized, that it perhaps has nothing to do with upper/lower drivers, but rather inability of computer/OS to recognize hardware or failure of Azio enclosure to provide proper ID. Why this is happening I do not know. I still would appreciate your feedback.
With regards,
Radek
THANKS sooo much you provided me with the right way to fix it when eveyone else just said delete and that did not fix it. Your info helped me find the missing file.
Gear Software has released new drivers March 30, 2009 that has fixed the issue in Vista64, see http://www.gearsoftware.com/support/drivers.php
The original drivers didn't work in Ghost14 Norton knows about this but only tells you to load new drivers see http://www.symantec.com/business/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=2008&suid=20081007_02
nice article!
I understood that there are device filter and class filter, and to filter every keyboard you connect, you should use the class filter.
Now, I have a question.
Is there any way to filter ALL USB devices connected to the PC?
Keyboard, mouse, USB memory, music player, just everything?
Do I have to filter ALL classes?
I would appreciate any feedback on this!
thanks!
yuko
@Simon and @DjLizard,
Both of your tools make the assumption that the device exists in Hardware Manager. If an incorrect and unrelated filter exists, but the driver does not, and the device is not in Hardware Manager (and therefore has no driver), the filter chain is broken, but your tools do not detect this problem.
It would be more helpful if you scanned the registry for filters, and highlighted whether the drivers were present, than scanning the hardware and only loading these drivers to look for filters.
Thanks!
My tool doesn't look for filter driver chain breakage at all. That was planned for a later version but alas.
So what should one do if the disappearing DVD-ROM does not appear in device manager at all (let alone with an exclamation mark)? Scanning for hardware changes does not make it reappear (nor does the sleep/wake-up trick).
Should I still follow the above information DjLizard?
DJ:
Thank you for your efforts in posting a very informative and needed article. While a bit over my head, I'm reading and re-reading it until I can apply it to my problem.
A quick :) question: what if there are NO entries in the filters? In my case, I have exclaimation marks on two cdroms/dvds, one of which is not even in my computer…and has never been in the machine since a fresh rebuild and intall of XPpro. No matter what I do the OS detects the drive, and reinstalls it. This causes the drive that is actually present to not function. System restores do not fix the problem.
Any thoughts? Thanks.
I followed your directions above, and function has been restored to the dvd drive that is present in the system…woo hoo. The 'ghost' drive has not been affected, and though it has never been in the system since XP was installed, it still shows up. If I delete it in Device manager, it returns when I reboot. It was installed on this motherboard years ago, but not within the history of the current registry. Very curious.
I just wanted to point out that the procedure is still valid for Windows Vista/7. ;)
This is the procedure I followed when cleaning up after an ill-behaved 32-bit development tool that apparently wasn't aware that any of its users might possibly be needing a 64-bit OS. (DOH!)
All the warnings and caveats in the post still apply. About the only things that need to be noted for Vista and later are UAC (of course) and to check whether the filter driver is 64-bit if you're on a 64-bit Windows if it exists on the filesystem. (The post indicates that you should proceed if the filter driver does not exist on the filesystem.) Of course, a 32-bit filter will break a 64-bit driver. :) (How to check this is beyond the scope of a blog comment. Especially when the entry was aimed at technicians.)
Thanks for this! Please post any and all additional information you think could help me with Dial-a-fix. (In case you didn't see the front page in a while, I have returned to work on it once again.)
Originally I had planned for Dial-a-fix to scan for missing filters and offer to fix it, so I will once again attempt to implement this now that I'm back in the saddle.
I would add that if you're going to download a driver, use a reliable source. There's way too many nefarious websites out there and they're full of viruses.
Thanks for the fine tutorial. I'm in the process of trying to ring out a weird cd/dvd problem and your discussion certainly adds clarity to my thinking. I intend to visit your site and see what's new.