Overview of Early Launch AntiMalware
This section provides information about developing Early Launch Antimalware (ELAM) drivers for Windows operating systems. It provides guidelines for antimalware developers to develop drivers that are initialized before other boot-start drivers, and that ensure that subsequent drivers do not contain malware. It assumes that the reader is familiar with developing kernel-mode drivers, specifically boot-start drivers.
This information applies to the following operating systems:
- Windows 11
- Windows 10
- Windows 8.1
- Windows 8
- Windows Server 2019
- Windows Server 2016
- Windows Server 2012 R2
- Windows Server 2012
The following topics describe the interface requirements for Early Launch Antimalware (ELAM) drivers. They are intended to provide information about ELAM driver interfaces. The ELAM feature provides a Microsoft-supported mechanism for antimalware (AM) software to start before other third-party components. AM drivers are initialized first and allowed to control the initialization of subsequent boot drivers, potentially not initializing unknown boot drivers. Once the boot process has initialized boot drivers and access to persistent storage is available in an efficient way, existing AM software may continue to block malware from executing.
Note
Because an ELAM service runs as a PPL (Protected Process Light), you need to debug using a kernel debugger.
See also
Feedback
Coming soon: Throughout 2024 we will be phasing out GitHub Issues as the feedback mechanism for content and replacing it with a new feedback system. For more information see: https://aka.ms/ContentUserFeedback.
Submit and view feedback for