Could Not Start Driver New - Ftk Imager
If administrator privileges didn't help, Windows might be rejecting the driver's signature.
Steps (Windows 10/11):
Warning: This disables a critical security feature. Use only for testing. If FTK Imager works, you have identified signature enforcement as the root cause. See Solution 6 for a permanent fix.
Since Windows Vista, Microsoft requires kernel-mode drivers to be digitally signed by a trusted authority. While AccessData does sign their drivers, sometimes:
Kernel drivers are a common target for rootkits. Many security products—especially McAfee, Symantec, CrowdStrike, or modern Windows Defender—will automatically block the installation of unknown or rarely seen drivers, even if they are legitimate.
One of the most frustrating errors encountered by digital forensics professionals and IT administrators is the dreaded "FTK Imager could not start driver (new)" message. This error typically appears when attempting to create a forensic image or mount a drive using AccessData's FTK Imager on Windows.
When this happens, the application fails to communicate with the system kernel, preventing it from accessing raw disk data. Fortunately, this is usually a permissions or driver conflict issue rather than a hardware failure.
Here is a step-by-step guide to resolving the error and getting back to your investigation.
Your security software may be deleting or quarantining the driver.
For Windows Defender (Microsoft Defender Antivirus):
For third-party AV: Consult your vendor’s documentation for adding application or folder exclusions.
If running as admin fails, Windows is likely blocking the driver’s signature. For a one-time boot that disables signature enforcement:
For Windows 10/11:
Warning: Do not browse the web or run untrusted software during this session; disabled signature enforcement reduces security.
To fix this problem, you must first understand what FTK Imager is trying to do.
Unlike standard file copy tools, FTK Imager needs direct access to disk volumes at the physical level. To read a hard drive byte-for-byte (including unallocated space, slack space, and partitions), Windows user-mode applications are too restricted. Therefore, FTK Imager relies on a kernel-mode driver.
Specifically, FTK Imager uses a driver (often named EWF.sys or a variant related to the MountMgr or raw disk access) to:
When the error says "Could not start driver new," it means FTK Imager attempted to install or start this kernel driver on your system, and Windows either blocked the operation or the driver failed to initialize.
Modern Windows 10/11 machines often have Memory Integrity (Core Isolation) enabled. This feature blocks any driver that hasn't been tested and certified by Microsoft. FTK Imager’s driver often fails this test.
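Before disabling any protection, the causes discussed above (elevation, driver signature, security software, Memory Integrity) can be checked read-only. The script below is an added example, not from the original article or from the FTK Imager vendor; the default `$InstallDir` path and the 24-hour lookback are assumptions to adjust for your system.

```powershell
# Added example: read-only triage for a kernel driver that will not start.
# Changes no settings. $InstallDir is an assumption; point it at your FTK Imager folder.
param(
    [string]$InstallDir = 'C:\Program Files\AccessData\FTK Imager',  # assumed path
    [int]$LookbackHours = 24
)

# 1. Elevation: installing or starting a kernel driver requires an elevated token.
$identity = [Security.Principal.WindowsIdentity]::GetCurrent()
$isAdmin  = ([Security.Principal.WindowsPrincipal]$identity).IsInRole(
                [Security.Principal.WindowsBuiltInRole]::Administrator)
"Elevated session        : $isAdmin"

# 2. Memory Integrity (HVCI): value 2 in SecurityServicesRunning means it is active.
$dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                      -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue
$hvci = [bool]($dg -and ($dg.SecurityServicesRunning -contains 2))
"Memory Integrity running: $hvci"

# 3. Authenticode status of every .sys file shipped in the install folder.
Get-ChildItem -Path $InstallDir -Filter *.sys -Recurse -ErrorAction SilentlyContinue |
    ForEach-Object {
        $sig = Get-AuthenticodeSignature -FilePath $_.FullName
        [pscustomobject]@{
            Driver = $_.Name
            Status = $sig.Status                       # Valid, NotSigned, HashMismatch, ...
            Signer = $sig.SignerCertificate.Subject
            Expiry = $sig.SignerCertificate.NotAfter
        }
    } | Format-Table -AutoSize

# 4. Recent Code Integrity warnings/errors: the kernel's own record of blocked images.
$since = (Get-Date).AddHours(-$LookbackHours)
Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-CodeIntegrity/Operational'
        Level     = 2, 3          # 2 = Error, 3 = Warning
        StartTime = $since
    } -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message -First 10 | Format-List

# 5. Microsoft Defender detections that touched the install folder (quarantine check).
if (Get-Command Get-MpThreatDetection -ErrorAction SilentlyContinue) {
    Get-MpThreatDetection |
        Where-Object { $_.Resources -like "*$InstallDir*" -and
                       $_.InitialDetectionTime -ge $since } |
        Select-Object InitialDetectionTime, ThreatID, Resources
}
```

A `Status` other than `Valid`, or Code Integrity events naming the driver while Memory Integrity is running, points at the signature and Memory Integrity causes; a Defender detection under the install folder points at quarantine.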