xp/sigverify.exe driver check


mynick

if you point it to win\sys32\drivers can it detect corruption of the
driver that causes boot stop(at volsnap.sys so bootlog is not
written)?
how about verifier.exe tool in the same situation?
 
mynick said:
if you point it to win\sys32\drivers can it detect corruption of the
driver that causes boot stop(at volsnap.sys so bootlog is not
written)?
how about verifier.exe tool in the same situation?



sigverif.exe determines if a driver is digitally signed:
http://support.microsoft.com/kb/308514

Driver Verifier (verifier.exe) provides the following capabilities -
Pool Allocations
Provide Extreme Memory Pressure
Parameter Validation
Pool Allocation Injection Failure
Pool Being Freed
Pool Leakage Detection
Driver Unload Checking
I/O Verifier

Using Driver Verifier to identify issues with Windows drivers for
advanced users
http://support.microsoft.com/kb/244617



MowGreen
===============
*-343-* FDNY
Never Forgotten
===============

banthecheck.com
"Security updates should *never* have *non-security content* prechecked"
 

is it possible use Verifier from recovery xp/cd recovery console
because system cannot boot due to driver error?
 
mynick said:
is it possible use Verifier from recovery xp/cd recovery console
because system cannot boot due to driver error?

No, but you can disable the driver from the Recovery Console, use the
DISABLE command. For help on the command do: HELP DISABLE for help on
the command. For a list of services that can be disabled do LISTSVC.

http://support.microsoft.com/kb/314058
Description of the Windows XP Recovery Console for advanced users

John
 

ok thanks
where can one find the order of loading the drivers during boot
I guess all drivers are noted in registry but is there a predetermined
load list
 
mynick said:
ok thanks
where can one find the order of loading the drivers during boot
I guess all drivers are noted in registry but is there a predetermined
load list

You can take a look in the proper Control Set (ControlSetnnn), on an up
and running machine look at the List value at:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\ServiceGroupOrder

This is by no means a full list of all the drivers, if the services are
not in the GroupOrderList they will not show at the ServiceGroupOrder
key. Other than that the only other way that I know would be to look at
a copy of a saved bootlog.

John
 
-thanks but group order list and servicegrouporder subkeys only show
groups not individual group member drivers
-is this a typical and full xp home safe mode loading drivers list
http://www.onlinehowto.net/tuts_pic/400_1381_safe_mode_listing.jpg
or where can one find safe mode ntbtlog.txt because it is not
written when boot stops early on
 
mynick said:
-thanks but group order list and servicegrouporder subkeys only show
groups not individual group member drivers

During the early booting stage the I/O manager looks in each of the
driver registry keys at HKEY_LOCAL_MACHINE\SYSTEM\ControlSetnnn\Services
and sorts out the drivers by their Group and Tag numbers, then it
consults the ServiceGroupOrder and the GroupOrderList to determine in
which order the services should be started. There is no other list or
easy way of knowing the load order of the drivers from any one registry
key, you would have to sort them all and decipher the Tag order sequence
from the binary data at the GroupOrderList, higher or lower tag numbers
don't necessarily mean that one driver in the group will start before or
after another one, each group has its own tag order. Quite possibly
someone might have written a script or application to collect and
decipher the information from the registry but I don't know of any at
this time.

If you want, you can search the
HKEY_LOCAL_MACHINE\SYSTEM\ControlSetnnn\Services keys for the service
group and then sort them out and get a rough starting order. For
example, on my machine these are the first three service groups:

System Reserved
Boot Bus Extender
System Bus Extender

A search for System Reserved finds nothing so I then proceed to search
for the second one, Boot Bus Extender, here I find that the following
drivers belong to this group:

a347bus.sys
ACPI.sys
isapnp.sys
ohci1394.sys
pci.sys

Then I search for the next service group, System Bus Extender, and I find:

dmio.sys
dmload.sys
ftdisk.sys
intelide.sys
pciide.sys
phylock.sys

... and so on. From this I can tell that ftdisk.sys starts after
pci.sys because the pci.sys service order group is started before the
ftdisk.sys group. Drivers with Tag numbers are started before those
without but otherwise you need to decipher the tag sequence at the
GroupOrderList key to know exactly where they fit within their group.
Pretty tedious stuff! If you can find a script or application to sort
it out for you then things will be pretty easy!

What you can do is look at the registry key for the last driver that is
shown as loaded on your boot screen and find out to which service
group it belongs. Then find the drivers in that group and the ones in
the next service group and from that information you can whittle down
the list of possible candidates for the next start position.

John
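John's explanation above is essentially an algorithm: groups start in the order of the ServiceGroupOrder\List value, and inside a group the tags listed in the GroupOrderList value (a REG_BINARY holding a DWORD count followed by the tags as DWORDs) fix the order, with untagged drivers last. The script below is an added example, not from the thread, that applies that rule to a constructed in-memory copy of the registry data; the service names, groups and Tag numbers are illustrative values, not taken from a real XP hive, and on a live machine the same three inputs would be read with winreg from HKLM\SYSTEM\ControlSetnnn.

```python
import struct

# Constructed sample of the three registry inputs the thread describes.
SERVICE_GROUP_ORDER = ["System Reserved", "Boot Bus Extender", "System Bus Extender"]

def encode_group_order(tags):
    """Build a GroupOrderList value: DWORD count, then the tags in load order."""
    return struct.pack("<%dI" % (len(tags) + 1), len(tags), *tags)

def decode_group_order(blob):
    """Parse a GroupOrderList REG_BINARY value back into its ordered tag list."""
    count = struct.unpack_from("<I", blob, 0)[0]
    return list(struct.unpack_from("<%dI" % count, blob, 4))

GROUP_ORDER_LIST = {
    "Boot Bus Extender": encode_group_order([1, 2, 3]),
    "System Bus Extender": encode_group_order([2, 1]),   # tag 2 deliberately first
}

# Per-driver values from ...\Services\<name>: Group and optional Tag (constructed).
SERVICES = {
    "a347bus":  {"Group": "Boot Bus Extender"},            # no Tag value
    "ACPI":     {"Group": "Boot Bus Extender", "Tag": 1},
    "pci":      {"Group": "Boot Bus Extender", "Tag": 3},
    "isapnp":   {"Group": "Boot Bus Extender", "Tag": 2},
    "ohci1394": {"Group": "Boot Bus Extender", "Tag": 7},  # Tag not in GroupOrderList
    "ftdisk":   {"Group": "System Bus Extender", "Tag": 2},
    "dmload":   {"Group": "System Bus Extender", "Tag": 1},
    "pciide":   {"Group": "System Bus Extender"},
    "volsnap":  {"Group": "EventLog"},                     # group not in ServiceGroupOrder
}

def load_order(services, group_order, group_order_list):
    """Return driver names in start order: groups as listed in ServiceGroupOrder
    (unlisted groups last), then inside a group: tags in GroupOrderList order,
    tags missing from that list (assumed: by numeric value), untagged drivers last.
    Start type (boot vs. system start) is ignored here and further splits the list."""
    ordered = []
    groups = group_order + sorted({s["Group"] for s in services.values()} - set(group_order))
    for group in groups:
        listed = decode_group_order(group_order_list[group]) if group in group_order_list else []
        rank = {tag: i for i, tag in enumerate(listed)}
        def key(item):
            name, values = item
            tag = values.get("Tag")
            if tag is None:
                return (2, 0, name.lower())
            return (0, rank[tag], name.lower()) if tag in rank else (1, tag, name.lower())
        members = [(n, v) for n, v in services.items() if v["Group"] == group]
        ordered += [n for n, _ in sorted(members, key=key)]
    return ordered
```

With the constructed data this places pci after ACPI and isapnp, and the whole Boot Bus Extender group before ftdisk, matching the reasoning in the post.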
 
thanks volsnap is a member of eventlog group but went down the list
from pic and was lucky with atapi.sys
which previously ran sigverif did not detect as corrupted although it
is supposed to be signed!!??
 
mynick said:
thanks volsnap is a member of eventlog group but went down the list
from pic and was lucky with atapi.sys
which previously ran sigverif did not detect as corrupted although it
is supposed to be signed!!??

So, I take it that the problem is now fixed? Maybe the file only became
corrupt after you ran Sigverif?

John
 