Wednesday, November 23, 2011

How to Disable and Enable Windows Device Drivers

From time to time there may be a reason to disable or enable a driver through the registry. Some examples include:

  • Software installation or updates enable/disable drivers that may be needed
  • A driver needs to be removed, but there is no uninstaller available. This is the case for some drivers such as secdrv.sys that can be found in certain security audits.
  • The system has frequent crashes and unsigned drivers need to be disabled to troubleshoot the issue.
  • A driver needs to be temporarily disabled to identify a cause for an issue.  
  • Viruses/malware that present themselves as distinct kernel mode drivers, but where there is no current ability to clean with an antivirus/antimalware program

Drivers have a corresponding service entry in the registry (HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services). Each key that represents a driver has a "Start" value of type REG_DWORD that specifies the startup type for the driver. Below is a list compiled from Windows Internals and MSDN that describes the different startup types for device drivers. I also include the start mode that msinfo32.exe shows for each startup type.

| MSinfo32.exe Start Mode | Startup Type | Value | Description |
|---|---|---|---|
| Boot | SERVICE_BOOT_START | 0x00000000 | Drivers that need to be loaded by the boot loader to successfully boot the system. |
| System | SERVICE_SYSTEM_START | 0x00000001 | The driver is not required for system start, but identifies a device that the associated bus driver cannot enumerate. |
| Auto | SERVICE_AUTO_START | 0x00000002 | The driver is started automatically, but is not required at system boot time. |
| Manual | SERVICE_DEMAND_START | 0x00000003 | The driver is started on demand by either the service control manager or the PnP manager. This setting is used when the driver is not required at boot time. |
| Disabled | SERVICE_DISABLED | 0x00000004 | The driver does not start in this case. |

To disable a driver, change the Start value for the driver in the system registry to 4. As an example, I disabled the CDROM driver (cdrom.sys) for a VM. Device Manager then flags a possible issue with the device, and the properties for the device show the error message "A driver (service) for this device has been disabled. An alternate driver may be providing this functionality. (Code 32)". Another cause of this error is invalid UpperFilters or LowerFilters values for a driver.



This error sometimes presents itself if an administrator has disabled drivers through group policy (an example of this would be to prevent USB mass storage devices from using the usbstor.sys driver).

The drivers and their current startup state can be found in msinfo32.exe under Software Environment\System Drivers.
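The following PowerShell is an added example, not code from the original post: it reads the Start value of every driver entry under the Services key and changes one with a record of the previous value. The function names Get-DriverStartType and Set-DriverStartType, the -AllowBootDriver switch, and the service key name 'cdrom' for cdrom.sys are assumptions made for this example.

```powershell
# Added example; function names are hypothetical, not built-in cmdlets.
$ServicesKey = 'HKLM:\SYSTEM\CurrentControlSet\Services'
$StartNames  = @{ 0 = 'Boot'; 1 = 'System'; 2 = 'Auto'; 3 = 'Manual'; 4 = 'Disabled' }

function Get-DriverStartType {
    # Type 1 = kernel driver, 2 = file system driver; other Type values are services.
    Get-ChildItem -Path $ServicesKey -ErrorAction SilentlyContinue | ForEach-Object {
        $p = Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue
        if ($p -and ($p.Type -eq 1 -or $p.Type -eq 2) -and $null -ne $p.Start) {
            [pscustomobject]@{
                Name      = $_.PSChildName
                Start     = [int]$p.Start
                StartMode = $StartNames[[int]$p.Start]
                ImagePath = $p.ImagePath
            }
        }
    }
}

function Set-DriverStartType {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true)][string]$Name,
        [Parameter(Mandatory = $true)][ValidateRange(0, 4)][int]$Start,
        [switch]$AllowBootDriver
    )
    $key = Join-Path $ServicesKey $Name
    $old = (Get-ItemProperty -Path $key -Name Start -ErrorAction Stop).Start
    # Changing a boot-start driver the system depends on can leave it unbootable.
    if ($old -eq 0 -and -not $AllowBootDriver) {
        throw "$Name is a boot-start driver; pass -AllowBootDriver to change it."
    }
    if ($PSCmdlet.ShouldProcess($key, "Set Start from $old to $Start")) {
        Set-ItemProperty -Path $key -Name Start -Value $Start -Type DWord
        # Return the previous value so the change can be reverted later.
        [pscustomobject]@{ Name = $Name; PreviousStart = $old; NewStart = $Start }
    }
}

# List drivers with their start modes (the data msinfo32.exe shows under System Drivers).
Get-DriverStartType | Sort-Object Start, Name | Format-Table -AutoSize

# Preview disabling the CDROM driver from the example above; -WhatIf makes no change.
# The service key name 'cdrom' is assumed to match cdrom.sys.
Set-DriverStartType -Name 'cdrom' -Start 4 -WhatIf
```

Run it from an elevated prompt; remove -WhatIf to apply the change, and keep the returned PreviousStart value to restore the driver later.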



See Also,

Windows Crash Dump Analysis

Identifying Problem Drivers: Signature Verification Tool
How to Delete UpperFilters and LowerFilters for a Device Driver