Drivers#
SetupAPI Logs#
|Log|Purpose
1|
|---|--------|
|C:\Windows\INF\setupapi.dev.log|Device Installation Log on device/driver installs|
|C:\Windows\INF\setupapi.app.log|App Installation Log on app installs associated w/device driver installs|
Approach 1: AutoRuns#
- TLDR: use SysInternals: AutoRuns to find bad behaving/suspect drivers (Reference)
-
Configuration
- Options->Hide Microsoft Entries: enable this and unhide everything else
- Options->Scan Options->Verify code signatures: enable
- Options->Scan Options->Check VirusTotal.com: optional; useful but lots of false positives
-
Key Points
-
Red: no digital signature. if "LargeCorp" driver, extremely suspect/dangers (failed/didn't care to pass WHL Quality Assurance); if open-source driver, likely won't be signed bc of cost Yellow: driver image not found; usually safe to remove- Most Important Categories: 'Drivers','Services','ScheduledTasks','Logon'
- Drivers: most difficult bc Windows often can't remove kernel/device driver, marks it for deletion at reboot, which often silently fails
[!danger]- Usual Suspects/Bad Offenders
Driver Problems AMDRyzenMasterDriverV*seems latest versions are less dangerous and gets uninstalled, anyway better to remove RM unless you have gun pointed at your head AsrDrv*ASRock drivers, anything ASRock should be removed; literally banned as it provides full kernel access Asusgio2anything ASUS should be removed, the worst. If you have ROG peripherals you may need to keep the ROG drivers. Armoury-Crate software is a virus-like, will cause BSOD and all sort of issues, stay away EneIo,EneTechIo,*Io64.sysRGB software drivers usually terrible written, suffering from performance and serious security holes gdrv,gdrv2GigaByte software, 2nd worse after ASUS, remove everything. Known to cause BSODs NTIOLib_MSISimple_OC,NTIOLib_OCKit,MSI Command Centernot the worst but hitting performances. Remove all MSI software, you can do the same without usually. Nice to change options without rebooting but then once done disable the driver NPF*,Network Packet Filter driversused by many network utils (e.g. PowerLine adapters, etc) so must check if needed; can always disable/re-enable on-demand instead of deleting - Application Drivers: usually fine since they should only be loaded on demand on app start (e.g. CPU-z,HWInfo,GPU-z,)
- HW drivers: dangerous as can can cause your system to stop booting; always use system snapshots
- Services: pretty easy bc easily discoverable/traceable
[!warning]- Usual Suspects/Bad Offenders
Driver Problems HW peripheral vendors install superflous services e.g. RazerGameService anti-cheat from games 'Automatic','DelayedStart' 3rd-party services if service is for disabled/on-demand feature, requiring always-on background execution is sign of lurking issues (process likely running 'sleep mode' causing perf issues, micro-stuttering, zombie kernel objects/child processes). workaround by setting to 'Disabled' or Manual -
ScheduledTasks: tricky b/c big troubleshooting headache
- usually disabling works in short-to-midterm but breaks in mid-to-longterm (e.g. update requires Task but upgrade didn't re-enable Task)
- root cause analysis is headache b/c likely won't remember manually disabling task
- then relying on dice roll of how robust app's logging is but if you had to disable the task manually, app was probably poorly written to begin with
- safest to disable tasks for uninstalled software
-
Logon: subtle footguns abound
-
safest to mainly disable uninstalled/'yellow' registry keys
- then use another tool to disable startups e.g.
- NirSoft WhatInStartup
- SystemInformer
- TaskManager/msconfig
Approach 2: SCManager#
sc.exe: Service Control Manager CLI to manipulate services; drivers run as special kernel service
-
TLDR: attempt forensics on driver with
sc -
query driver to glean useful info
Batchfilesc queryex ssgdio sc qc ssgdio sc qdescription ssgdio sc GetDisplayName ssgdio sc GetKeyName ssgdio sc EnumDepend ssgdio -
disable service and reboot
Batchfilesc stop ssgdio sc config ssgdio start= disabled [restart_machine] -
delete driver
Batchfilesc delete ssgdio -
sccommand details -
sc.exe: Service Control Manager cli to manipulate services (drivers run as special kernel service)BatchfileSyntax: sc <"\\ServerName"> [command] [service name] <option1> <option2>... Help: sc [command] -
Global Commands: operate on SCManager; does not take service name
| Command | Description |
| -------------- | -------------------------------------------------------------------------------------------------- |
|sc [command]| get help for command |
|boot|ok|badIndicates whether the last boot should be saved as the last-known-good boot configuration |
|Lock| Locks the Service Database |
|QueryLock| Queries the LockStatus for the SCManager Database | -
Service Commands: operates on services; requires service name
| Command | Description |
| ----------------- | -------------------------------------------------------------------------------------------------- |
|query| Queries the status for a service, or enumerates the status for types of services |
|queryex| Queries the extended status for a service, or enumerates the status for types of services |
|start| Starts a service |
|pause| Sends a PAUSE control request to a service |
|interrogate| Sends an INTERROGATE control request to a service |
|continue| Sends a CONTINUE control request to a service |
|stop| Sends a STOP request to a service |
|config| Changes the configuration of a service (persistent) |
|description| Changes the description of a service |
|failure| Changes the actions taken by a service upon failure |
|failureflag| Changes the failure actions flag of a service |
|sidtype| Changes the service SID type of a service |
|privs| Changes the required privileges of a service |
|managedaccount| Changes the service to mark the service account password as managed by LSA |
|qc| Queries the configuration information for a service |
|qdescription| Queries the description for a service |
|qfailure| Queries the actions taken by a service upon failure |
|qfailureflag| Queries the failure actions flag of a service |
|qsidtype| Queries the service SID type of a service |
|qprivs| Queries the required privileges of a service |
|qtriggerinfo| Queries the trigger parameters of a service |
|qpreferrednode| Queries the preferred NUMA node of a service |
|qmanagedaccount| Queries whether a services uses an account with a password managed by LSA |
|qprotection| Queries the process protection level of a service |
|quserservice| Queries for a local instance of a user service template |
|delete| Deletes a service (from the registry) |
|create| Creates a service. (adds it to the registry) |
|control| Sends a control to a service |
|sdshow| Displays a service's security descriptor |
|sdset| Sets a service's security descriptor |
|showsid| Displays the service SID string corresponding to an arbitrary name |
|triggerinfo| Configures the trigger parameters of a service |
|preferrednode| Sets the preferred NUMA node of a service |
|GetDisplayName| Gets the DisplayName for a service |
|GetKeyName| Gets the ServiceKeyName for a service |
|EnumDepend| Enumerates Service Dependencies | -
query/queryexoptions- query service status:
sc query [servicename] - find matching services:
sc query [option]
| Option | Value Type | Description |
| ---------- | ------------------------- | --------------------------------------------------------------- |
|state=|active,inactive,all| service state to enumerate; default:active|
|bufsize=|int| size in bytes of enumeration buffer; default:4096|
|ri=|int| resume index number to begin enumeration; default:0|
|group=|string| service group to enumerate; default:all groups| - syntax examples
Batchfilesc query - Enumerates status for active services & drivers sc query eventlog - Displays status for the eventlog service sc queryex eventlog - Displays extended status for the eventlog service sc query type= driver - Enumerates only active drivers sc query type= service - Enumerates only Win32 services sc query state= all - Enumerates all services & drivers sc query bufsize= 50 - Enumerates with a 50 byte buffer sc query ri= 14 - Enumerates with resume index = 14 sc queryex group= "" - Enumerates active services not in a group sc query type= interact - Enumerates all interactive services sc query type= driver group= NDIS - Enumerates all NDIS drivers - query service status:
Approach 3: pnputil#
- find bad offender's by looking at zombie processes using Pavel's Object Explorer
- ex: Razer's shitty GameManagerService.exe that's forced on users for no reason
- list/inspect
- AutoRuns
- DriverView
- DevManView
- InstalledDriverList
-
command line
Batchfiledriverquery /V pnputil /enum-drivers pnputil /enum-devices pnputil /enum-interfaces -
delete
- BCUninstaller
- BleachBit
-
command line
Batchfilepnputil /delete-driver oem####.inf /uninstall /forcePowerShellGet-CimInstance Win32_SystemDriver -Filter "name='LGBusEnum'" | Invoke-CimMethod -MethodName Delete Get-CimInstance Win32_SystemDriver -Filter "name='LGJoyXlCore'" | Invoke-CimMethod -MethodName Delete Get-CimInstance Win32_SystemDriver -Filter "name='LGVirHid'" | Invoke-CimMethod -MethodName Delete Get-CimInstance Win32_SystemDriver -Filter "name='LVRS64'" | Invoke-CimMethod -MethodName Delete