On Windows Server 2019 Datacenter, installing any NDIS 6.0 LWF filter driver results in a network interruption. This is noticeable on Azure instances because the RDP connection drops. We have seen this with our own filter driver, but we have also reproduced it with the demo LWF driver from the Windows DDK. Not registering the optional callbacks does not have an impact: the network still drops for a moment.

This doesn't happen with Windows Server 2016, and may be related to the QoS feature. A customer of ours had this observation: "Additional observation is that there is some relation to presence of QoS binding on the network interface. When the QoS binding is disabled, the installer finishes without breaking the RDP connection. This scenario however cannot be used as a workaround, since the RDP connection gets broken anyway when QoS binding is restored (re-enabled) after the filter driver is installed."

Is this intentional, or is there a way to work around this?

bonsaiviking

1 Answer

This is caused by NDIS reattaching a lightweight filter (LWF) driver which is already in the stack and is marked as requiring TCPIP to unbind and rebind when it is attached or detached. This behavior is default for Mandatory filter drivers, and can be opted into by Optional filter drivers by setting the UnbindOnAttach or UnbindOnDetach registry values in the "Ndi" subkey. To attach a new filter (Npcap in this case), NDIS must detach some existing filters and reattach them after attaching the new one. The algorithm it uses does not currently take into account whether the operation will unbind TCPIP. Windows 10 2004 debuts a new algorithm that accounts for this as an additional cost and when possible prefers transformations that do not unbind TCPIP. This new algorithm may be made available to Server 2019 via Windows update in late 2020. There is nothing a filter driver can do to alter this behavior.

Source and further info: Answer by Jeffrey Tippet of Microsoft on issue #53 on the Npcap issue tracker

bonsaiviking
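To see which filters already in a stack carry the marking described in the answer above, their INF files can be audited for the relevant "Ndi" values. The following is an added example, not code from the answer or from Npcap. It assumes the usual `HKR, Ndi, <name>, <flags>, <value>` AddReg layout and that `FilterRunType` 1 means Mandatory and 2 means Optional; the function names and sample INF fragments are constructed for illustration.

```python
def ndi_values(inf_text):
    """Collect the values an INF AddReg section writes into the "Ndi" subkey."""
    values = {}
    for raw in inf_text.splitlines():
        # Drop ';' comments, then split "HKR, subkey, name, flags, value".
        fields = [f.strip().strip('"') for f in raw.split(";", 1)[0].split(",")]
        if len(fields) >= 5 and fields[0].upper() == "HKR" and fields[1].lower() == "ndi":
            values[fields[2].lower()] = fields[4]
    return values


def _as_int(text):
    try:
        return int(text or "0", 0)  # accepts "1" as well as "0x00000001"
    except ValueError:
        return 0


def rebind_reasons(inf_text):
    """Return why attaching/detaching this filter makes TCPIP unbind and rebind."""
    v = ndi_values(inf_text)
    reasons = []
    if _as_int(v.get("filterruntype")) == 1:  # assumption: 1 = Mandatory
        reasons.append("mandatory filter (FilterRunType=1)")
    for name in ("UnbindOnAttach", "UnbindOnDetach"):
        if _as_int(v.get(name.lower())) != 0:
            reasons.append(name + " is set")
    return reasons


# Constructed sample INF fragments (not taken from any shipping driver).
BASE = r'''[Install.AddReg]
HKR, Ndi, Service,, "ExampleLwf"
HKR, Ndi, FilterType, 0x00010001, 2
HKR, Ndi\Interfaces, UpperRange,, "noupper"
'''
OPTIONAL_PLAIN = BASE + "HKR, Ndi, FilterRunType, 0x00010001, 2 ; optional\n"
OPTIONAL_OPT_IN = OPTIONAL_PLAIN + "HKR, Ndi, UnbindOnAttach, 0x00010001, 1\n"
MANDATORY = BASE + "HKR, Ndi, FilterRunType, 0x00010001, 0x00000001 ; mandatory\n"

if __name__ == "__main__":
    for label, inf in (("optional", OPTIONAL_PLAIN),
                       ("optional + opt-in", OPTIONAL_OPT_IN),
                       ("mandatory", MANDATORY)):
        print(label, "->", rebind_reasons(inf) or "no forced TCPIP rebind")
```

A filter that returns an empty list here can still be the one whose installation triggers the drop, since the interruption comes from NDIS reattaching a different, already-installed filter that carries the marking.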