- Software installation or updates enable/disable drivers that may be needed
- A driver needs to be removed, but there is no uninstaller available. This is the case for some drivers such as secdrv.sys that can be found in certain security audits.
- The system has frequent crashes and unsigned drivers need to be disabled to troubleshoot the issue.
- A driver needs to be temporarily disabled to identify a cause for an issue.
- Viruses/malware that present themselves as distinct kernel mode drivers, but where there is no current ability to clean with an antivirus/antimalware program
Drivers have a corresponding service entry in the registry (HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services). Each key that represents a driver has a "Start" value of type REG_DWORD that specifies the startup type of the driver. Below is a list compiled from Windows Internals and MSDN that describes the different startup types for device drivers. I also include the Start Mode that msinfo32.exe shows for each driver startup type.
| msinfo32.exe Start Mode | Startup Type | Value | Description |
|---|---|---|---|
| Boot | SERVICE_BOOT_START | 0x00000000 | Drivers that need to be loaded by the boot loader to successfully boot the system. |
| System | SERVICE_SYSTEM_START | 0x00000001 | The driver is not required for system start, but identifies a device that the associated bus driver cannot enumerate. |
| Auto | SERVICE_AUTO_START | 0x00000002 | The driver is started automatically, but is not required at system boot time. |
| Manual | SERVICE_DEMAND_START | 0x00000003 | The driver is started on demand by either the service control manager or the PnP manager. This setting is used when the driver is not required at boot time. |
| Disabled | SERVICE_DISABLED | 0x00000004 | The driver does not start. |
To disable a driver, change its Start value in the system registry to 4 (SERVICE_DISABLED). As an example, I disabled the CD-ROM driver (cdrom.sys) on a VM. Device Manager then flags the device as having a possible issue, and the device's properties show the error message "A driver (service) for this device has been disabled. An alternate driver may be providing this functionality. (Code 32)". Another cause of this error is invalid UpperFilters or LowerFilters values for a driver.
This error also presents itself when an administrator has disabled drivers through group policy (for example, preventing USB mass storage devices from loading by disabling the usbstor.sys driver).
The drivers and their current startup state can be found in msinfo32.exe under Software Environment\System Drivers.
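As an added example (not code from the original post), the following PowerShell script enumerates the driver service keys, maps each Start value to the msinfo32.exe Start Mode from the table above, and disables one driver by setting Start to 4 after exporting the service key as a backup. It assumes an elevated session and uses 'cdrom' (the service name for cdrom.sys) as the driver to disable; the Type values 1 and 2 identify kernel and file system drivers.

```powershell
# Added example: audit driver startup types and disable a driver via its Start value.
# Run from an elevated PowerShell session; the change takes effect after a reboot.

$startModes = @{
    0 = 'Boot'      # SERVICE_BOOT_START
    1 = 'System'    # SERVICE_SYSTEM_START
    2 = 'Auto'      # SERVICE_AUTO_START
    3 = 'Manual'    # SERVICE_DEMAND_START
    4 = 'Disabled'  # SERVICE_DISABLED
}
$servicesKey = 'HKLM:\SYSTEM\CurrentControlSet\Services'

function Get-DriverStartMode {
    # Type 1 = SERVICE_KERNEL_DRIVER, Type 2 = SERVICE_FILE_SYSTEM_DRIVER;
    # everything else under Services is a user-mode service and is skipped.
    Get-ChildItem $servicesKey | ForEach-Object {
        $p = Get-ItemProperty $_.PSPath -ErrorAction SilentlyContinue
        if ((@(1, 2) -contains $p.Type) -and ($null -ne $p.Start)) {
            [pscustomobject]@{
                Name      = $_.PSChildName
                Start     = [int]$p.Start
                StartMode = $startModes[[int]$p.Start]
                ImagePath = $p.ImagePath
            }
        }
    }
}

function Disable-DriverService {
    param([Parameter(Mandatory)][string]$Name)
    $key = Join-Path $servicesKey $Name
    if (-not (Test-Path $key)) { throw "No service key found for '$Name'" }
    $old = [int](Get-ItemProperty $key).Start
    # Export the service key first so the original Start value can be restored.
    $backup = Join-Path $env:TEMP "$Name-service-backup.reg"
    & reg.exe export "HKLM\SYSTEM\CurrentControlSet\Services\$Name" $backup /y | Out-Null
    Set-ItemProperty -Path $key -Name 'Start' -Value 4 -Type DWord
    "{0}: Start {1} ({2}) -> 4 (Disabled); backup at {3}" -f $Name, $old, $startModes[$old], $backup
}

# Report every driver that is not already disabled, e.g. to compare against a known baseline.
Get-DriverStartMode | Where-Object { $_.Start -ne 4 } | Sort-Object Name | Format-Table -AutoSize

# Disable cdrom.sys as in the post (hypothetical choice; substitute the driver you are troubleshooting).
Disable-DriverService -Name 'cdrom'
```

The report can be saved and diffed after software installs or updates to spot drivers whose Start value changed, which is the first scenario listed at the top of this post.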
- Windows Crash Dump Analysis
- Identifying Problem Drivers: Signature Verification Tool
- How to Delete UpperFilters and LowerFilters for a Device Driver
Have an idea for something that you'd like to see explored? Leave a comment or send an e-mail to razorbackx_at_gmail<dot>com