Skip to content


SetupAPI Logs#

|C:\Windows\INF\|Device Installation Log on device/driver installs|
|C:\Windows\INF\|App Installation Log on app installs associated w/device driver installs|

Approach 1: AutoRuns#

  • TLDR: use SysInternals: AutoRuns to find bad behaving/suspect drivers (Reference)
  • Configuration

    • Options->Hide Microsoft Entries: enable this and unhide everything else
    • Options->Scan Options->Verify code signatures: enable
    • Options->Scan Options->Check optional; useful but lots of false positives
    • Key Points

    • Red: no digital signature. if "LargeCorp" driver, extremely suspect/dangers (failed/didn't care to pass WHL Quality Assurance); if open-source driver, likely won't be signed bc of cost

    • Yellow: driver image not found; usually safe to remove
    • Most Important Categories: 'Drivers','Services','ScheduledTasks','Logon'
    • Drivers: most difficult bc Windows often can't remove kernel/device driver, marks it for deletion at reboot, which often silently fails

    [!danger]- Usual Suspects/Bad Offenders

    Driver Problems
    AMDRyzenMasterDriverV* seems latest versions are less dangerous and gets uninstalled, anyway better to remove RM unless you have gun pointed at your head
    AsrDrv* ASRock drivers, anything ASRock should be removed; literally banned as it provides full kernel access
    Asusgio2 anything ASUS should be removed, the worst. If you have ROG peripherals you may need to keep the ROG drivers. Armoury-Crate software is a virus-like, will cause BSOD and all sort of issues, stay away
    EneIo,EneTechIo,*Io64.sys RGB software drivers usually terrible written, suffering from performance and serious security holes
    gdrv,gdrv2 GigaByte software, 2nd worse after ASUS, remove everything. Known to cause BSODs
    NTIOLib_MSISimple_OC,NTIOLib_OCKit,MSI Command Center not the worst but hitting performances. Remove all MSI software, you can do the same without usually. Nice to change options without rebooting but then once done disable the driver
    NPF*,Network Packet Filter drivers used by many network utils (e.g. PowerLine adapters, etc) so must check if needed; can always disable/re-enable on-demand instead of deleting
    • Application Drivers: usually fine since they should only be loaded on demand on app start (e.g. CPU-z,HWInfo,GPU-z,)
    • HW drivers: dangerous as can can cause your system to stop booting; always use system snapshots
    • Services: pretty easy bc easily discoverable/traceable

    [!warning]- Usual Suspects/Bad Offenders

    Driver Problems
    HW peripheral vendors install superflous services e.g. RazerGameService
    anti-cheat from games
    'Automatic','DelayedStart' 3rd-party services if service is for disabled/on-demand feature, requiring always-on background execution is sign of lurking issues (process likely running 'sleep mode' causing perf issues, micro-stuttering, zombie kernel objects/child processes). workaround by setting to 'Disabled' or Manual
  • ScheduledTasks: tricky b/c big troubleshooting headache

    • usually disabling works in short-to-midterm but breaks in mid-to-longterm (e.g. update requires Task but upgrade didn't re-enable Task)
    • root cause analysis is headache b/c likely won't remember manually disabling task
    • then relying on dice roll of how robust app's logging is but if you had to disable the task manually, app was probably poorly written to begin with
    • safest to disable tasks for uninstalled software
    • Logon: subtle footguns abound

    • safest to mainly disable uninstalled/'yellow' registry keys

    • then use another tool to disable startups e.g.
    • NirSoft WhatInStartup
    • SystemInformer
    • TaskManager/msconfig

Approach 2: SCManager#

sc.exe: Service Control Manager CLI to manipulate services; drivers run as special kernel service

  • TLDR: attempt forensics on driver with sc

  • query driver to glean useful info

    sc queryex        ssgdio
    sc qc             ssgdio
    sc qdescription   ssgdio
    sc GetDisplayName ssgdio
    sc GetKeyName     ssgdio
    sc EnumDepend     ssgdio

  • disable service and reboot

    sc stop   ssgdio
    sc config ssgdio start= disabled

  • delete driver

    sc delete ssgdio

  • sc command details

  • sc.exe: Service Control Manager cli to manipulate services (drivers run as special kernel service)

    Syntax: sc <"\\ServerName"> [command] [service name] <option1> <option2>...
    Help:   sc [command]
  • Global Commands: operate on SCManager; does not take service name
    | Command | Description |
    | -------------- | -------------------------------------------------------------------------------------------------- |
    | sc [command] | get help for command |
    | boot | ok|bad Indicates whether the last boot should be saved as the last-known-good boot configuration |
    | Lock | Locks the Service Database |
    | QueryLock | Queries the LockStatus for the SCManager Database |

  • Service Commands: operates on services; requires service name
    | Command | Description |
    | ----------------- | -------------------------------------------------------------------------------------------------- |
    | query | Queries the status for a service, or enumerates the status for types of services |
    | queryex | Queries the extended status for a service, or enumerates the status for types of services |
    | start | Starts a service |
    | pause | Sends a PAUSE control request to a service |
    | interrogate | Sends an INTERROGATE control request to a service |
    | continue | Sends a CONTINUE control request to a service |
    | stop | Sends a STOP request to a service |
    | config | Changes the configuration of a service (persistent) |
    | description | Changes the description of a service |
    | failure | Changes the actions taken by a service upon failure |
    | failureflag | Changes the failure actions flag of a service |
    | sidtype | Changes the service SID type of a service |
    | privs | Changes the required privileges of a service |
    | managedaccount | Changes the service to mark the service account password as managed by LSA |
    | qc | Queries the configuration information for a service |
    | qdescription | Queries the description for a service |
    | qfailure | Queries the actions taken by a service upon failure |
    | qfailureflag | Queries the failure actions flag of a service |
    | qsidtype | Queries the service SID type of a service |
    | qprivs | Queries the required privileges of a service |
    | qtriggerinfo | Queries the trigger parameters of a service |
    | qpreferrednode | Queries the preferred NUMA node of a service |
    | qmanagedaccount | Queries whether a services uses an account with a password managed by LSA |
    | qprotection | Queries the process protection level of a service |
    | quserservice | Queries for a local instance of a user service template |
    | delete | Deletes a service (from the registry) |
    | create | Creates a service. (adds it to the registry) |
    | control | Sends a control to a service |
    | sdshow | Displays a service's security descriptor |
    | sdset | Sets a service's security descriptor |
    | showsid | Displays the service SID string corresponding to an arbitrary name |
    | triggerinfo | Configures the trigger parameters of a service |
    | preferrednode | Sets the preferred NUMA node of a service |
    | GetDisplayName | Gets the DisplayName for a service |
    | GetKeyName | Gets the ServiceKeyName for a service |
    | EnumDepend | Enumerates Service Dependencies |

  • query/queryex options

    • query service status: sc query [servicename]
    • find matching services: sc query [option]
      | Option | Value Type | Description |
      | ---------- | ------------------------- | --------------------------------------------------------------- |
      | state= | active,inactive,all | service state to enumerate; default: active |
      | bufsize= | int | size in bytes of enumeration buffer; default: 4096 |
      | ri= | int | resume index number to begin enumeration; default: 0 |
      | group= | string | service group to enumerate; default: all groups |
    • syntax examples
    sc query                                - Enumerates status for active services & drivers
    sc query   eventlog                     - Displays status for the eventlog service
    sc queryex eventlog                     - Displays extended status for the eventlog service
    sc query   type= driver                 - Enumerates only active drivers
    sc query   type= service                - Enumerates only Win32 services
    sc query   state= all                   - Enumerates all services & drivers
    sc query   bufsize= 50                  - Enumerates with a 50 byte buffer
    sc query   ri= 14                       - Enumerates with resume index = 14
    sc queryex group= ""                    - Enumerates active services not in a group
    sc query   type= interact               - Enumerates all interactive services
    sc query   type= driver group= NDIS     - Enumerates all NDIS drivers

Approach 3: pnputil#

  • find bad offender's by looking at zombie processes using Pavel's Object Explorer
  • ex: Razer's shitty GameManagerService.exe that's forced on users for no reason
  • list/inspect
  • AutoRuns
  • DriverView
  • DevManView
  • InstalledDriverList
  • command line

    driverquery /V
    pnputil /enum-drivers
    pnputil /enum-devices
    pnputil /enum-interfaces

  • delete

  • BCUninstaller
  • BleachBit
  • command line

    pnputil /delete-driver oem####.inf /uninstall /force

    Get-CimInstance Win32_SystemDriver -Filter "name='LGBusEnum'" | Invoke-CimMethod -MethodName Delete
    Get-CimInstance Win32_SystemDriver -Filter "name='LGJoyXlCore'" | Invoke-CimMethod -MethodName Delete
    Get-CimInstance Win32_SystemDriver -Filter "name='LGVirHid'" | Invoke-CimMethod -MethodName Delete
    Get-CimInstance Win32_SystemDriver -Filter "name='LVRS64'" | Invoke-CimMethod -MethodName Delete