Windows 10 has a neat data usage report that can help you keep track of how much data your apps on Windows 10 powered devices consume. The feature, hidden in the Network section of the Settings app, can stop updating the ledger over data usage when you’ve got legacy network and security products installed.
I was curious about how much data an app had used in Windows, and opened up the Data usage report to have a look. The report didn’t show the app I was curious about, but did instead include software that I’d uninstalled at least a week earlier. Something was amiss.
After some digging around, I found out that this problem occurs when any program uses a legacy Kernel Filter-Hook Drivers (KFHD) in Windows. This type of driver was discouraged from future use when Windows Vista was released in favor of the then new Windows Filtering Platform Callout Drivers (WFPCD). However, KFHDs where never formally deprecated and are supported up to and including Windows 10.
The Windows Kernel isn’t open-source so I can’t verify what is going on. However, if we take a look at the known limitations of the Filter-Hook Driver system in Windows, we can have a pretty good guess “Only a single filter-hook driver can be installed on the operating system and used by the IP filter driver”. The Data usage report isn’t relying on a KFHD, however their use also breaks some parts of WFPCD because a KFHD will get an exclusive lock in the network communications stack.
Considering that Kernel Filter-Hook Drivers have been discouraged from use for almost a decade, I recommend that you uninstall any software that relies on the KFHD. A list of known software that use this Windows feature is included at the end of the article.
KFHD a part of Windows that has been abandoned and discouraged by Microsoft and is rarely used. This is the type of Kernel module that can have security problems lurking in them as well as causing known software incompatibility problems.
You can disable the Filter-Hook Driver kernel module temporarily by disabling the KFHD in your network adapter’s properties in Windows. However, in my testing I found that it will be re-enabled on-demand the next time Windows starts up and the program that relies on the feature is started. (This could vary by software.)
In any case, I would simply remove the program that introduced a KFHD on your system and look for alternatives instead. Or you could contact the third-party software provider and be thoroughly ignored when you point out that their product still rely on Windows 2000-era technology.
The data usage feature isn’t useful for keeping track of monthly data quotas and billing cycles as it can only show data for the last 30-days and don’t reset at the beginning of a new month. This is probably by design as network providers can count data differently than Windows, and with the current design Windows is staying clear of any arguments customers may have with their ISP. Data usage in Windows also doesn’t keep track of historical data, probably for the same reason. Despite that, I find this novelty feature quite interesting as it highlights how much network bandwidth is used by Windows Update and the default Windows apps even when I never use or open them.
Here is a list of current programs known to use Kernel Filter-Hook Drivers in Windows 10:
- Cisco AnyConnect
- (Other VPN, gateway, network accelerator, and proxy programs.)
- Panda Security Antivirus
- (Other firewall, web fraud protection, and “internet security suite” programs.)
- MSI Dragon Center (cFosSpeed)