
Early Launch AntiMalware

Last Updated: 7/30/2016

This section provides information about developing Early Launch Antimalware (ELAM) drivers for Windows operating systems. It provides guidelines for anti-malware developers to develop anti-malware drivers that are initialized before other boot-start drivers, and that ensure that those subsequent drivers do not contain malware. It assumes that the reader is familiar with developing kernel-mode drivers, specifically boot-start drivers.

This information applies to the following operating systems:

  • Windows 8
  • Windows Server 2012

The following topics describe the interface requirements for Early Launch Antimalware (ELAM) drivers. The ELAM feature provides a Microsoft-supported mechanism for antimalware (AM) software to start before all other third-party components. AM drivers are initialized first and are allowed to control the initialization of subsequent boot drivers, potentially not initializing unknown boot drivers. Once the boot process has initialized boot drivers and access to persistent storage is available in an efficient way, existing AM software may continue to block malware from executing.

  • ELAM Prerequisites
  • ELAM Driver Requirements

© 2017 Microsoft