
Masquerade Drivers

The masquerade service manages a set of kernel-mode filter drivers that provide display emulation and security monitoring at the driver level.

Drivers

| Driver | INF File | Purpose |
|---|---|---|
| nvmsqrd | nvmsqrd.inf | Display masquerade (EDID injection) |
| nvgfnmon | nvgfnmon.inf | GFN kernel monitoring (GFNMON) |
| nvfoxhnd | nvfoxhnd.inf | Fox handle driver |
| nvguard | nvguard.inf | Guard/security driver |

Installation

install_driver.bat manages the driver lifecycle:

batch
REM Unload existing drivers
fltmc unload nvmsqrd
fltmc unload nvgfnmon
fltmc unload nvfoxhnd
fltmc unload nvguard

REM Install via INF
devcon.exe install nvmsqrd.inf
devcon.exe install nvgfnmon.inf
devcon.exe install nvfoxhnd.inf
devcon.exe install nvguard.inf

REM Copy to System32\drivers
copy nvmsqrd.sys %SystemRoot%\System32\drivers\
copy nvgfnmon.sys %SystemRoot%\System32\drivers\
copy nvfoxhnd.sys %SystemRoot%\System32\drivers\
copy nvguard.sys %SystemRoot%\System32\drivers\

REM Reload drivers
fltmc load nvmsqrd
fltmc load nvgfnmon
fltmc load nvfoxhnd
fltmc load nvguard
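
An added post-install check, not part of install_driver.bat or the original page: from an elevated PowerShell prompt it reports, for each of the four drivers, whether the filter is loaded and whether the .sys file in System32\drivers carries a valid Authenticode signature. It assumes the filter names reported by fltmc match the driver names listed above.

```powershell
# Added example: verify the state left behind by the install sequence.
# Requires an elevated prompt (fltmc needs administrator rights).
$drivers   = 'nvmsqrd', 'nvgfnmon', 'nvfoxhnd', 'nvguard'
$driverDir = Join-Path $env:SystemRoot 'System32\drivers'

# "fltmc filters" prints a header row, a dashed rule, then one row per
# loaded filter. Keep only data rows and take the first token (filter name).
$loaded = fltmc filters |
    Where-Object { $_ -match '^\S' -and $_ -notmatch '^(Filter Name|-+)' } |
    ForEach-Object { ($_.Trim() -split '\s+')[0] }

$report = foreach ($name in $drivers) {
    $sys     = Join-Path $driverDir "$name.sys"
    $present = Test-Path -LiteralPath $sys
    $sig     = if ($present) { Get-AuthenticodeSignature -LiteralPath $sys } else { $null }

    [pscustomobject]@{
        Driver   = $name
        Loaded   = $loaded -contains $name      # case-insensitive match
        OnDisk   = $present
        SigState = if ($sig) { $sig.Status } else { 'n/a' }
        Signer   = if ($sig -and $sig.SignerCertificate) {
                       $sig.SignerCertificate.Subject
                   } else { 'n/a' }
        SHA256   = if ($present) {
                       (Get-FileHash -LiteralPath $sys -Algorithm SHA256).Hash
                   } else { 'n/a' }
    }
}

$report | Format-Table -AutoSize

# Flag anything a reviewer should look at: a driver that is not loaded,
# a missing binary, or a signature that is anything other than Valid.
$problems = $report | Where-Object {
    -not $_.Loaded -or -not $_.OnDisk -or "$($_.SigState)" -ne 'Valid'
}
if ($problems) {
    Write-Warning ("Drivers needing review: " + ($problems.Driver -join ', '))
}
```

Recording the SHA256 column after a known-good install gives a baseline to compare against on later runs.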

GFNMON — Kernel Monitoring Driver

nvgfnmon is used by GciPlugin (see GciPlugin docs) to provide low-level monitoring that is difficult to bypass from userspace.

The driver exposes a rich API to GciPlugin:

Callback Registration

c
gfnmon_set_on_file_access_callback()                // File open/read/write events
gfnmon_set_untrusted_file_opened_callback()         // Untrusted file access
gfnmon_set_driver_load_callback()                   // Kernel driver loads
gfnmon_set_driver_queue_statistics_callback()       // Driver stats
gfnmon_set_reparse_point_callback()                 // NTFS reparse points
gfnmon_set_rename_directory_callback()              // Directory renames
gfnmon_set_privileged_image_load_callback()         // Privileged PE loads
gfnmon_set_registry_create_key_callback()           // Registry key creation
gfnmon_set_sync_message_sequence_number_callback()  // Message sync

Filter Management

c
gfnmon_add_file_access_filter()
gfnmon_clear_file_access_filters()
gfnmon_add_protected_process()
gfnmon_set_protected_process_configuration()
gfnmon_set_non_critical_process_configuration()
gfnmon_add_registry_access_filter_ex()
gfnmon_clear_registry_access_filters()

nvmsqrd — Display Masquerade

The masquerade driver intercepts display queries and returns spoofed EDID data:

  • Games see a "real" monitor with the configured resolution/refresh rate
  • Actual rendering is captured by NvFBC (Frame Buffer Capture)
  • Enables per-session resolution changes without a physical monitor

IO Throttling

The masquerade layer also handles IO throttling for game installs (configured via CTMT):

json
{
  "masquerade": {
    "ioThrottlingEnabled": true,
    "ioThrottlingDelayMs": 1000
  }
}

nvguard — Security Guard Driver

nvguard works in tandem with GciPlugin for security enforcement:

  • Provides kernel-enforced process protection
  • Blocks unauthorized driver loads at the kernel level
  • Enforces code integrity policies

Event Logs

Driver activity is logged as Windows ETL traces:

C:\Asgard\logs\masquerade\masquerade.etl
C:\Asgard\logs\masquerade\masquerade_install.etl

admindesk.top — Reversed & documented from Asgard rig backups and GCIS plugin binaries.