How are driver filenames derived from SGO?

How do I get from the ServiceGroupOrder outline to actual lists of driver filenames?

Below is the ServiceGroupOrder as it appears in the HKLM registry. Below that is the ntbtlog from the same machine trying to load Vista normally (and failing). What file(s) is/are used to translate from "WdfLoadGroup" to "Wdf01000.sys" & "WdfLDR.SYS"?

Code:
System Reserved
EMS
WdfLoadGroup
Boot Bus Extender
System Bus Extender
SCSI miniport
Port
Primary Disk
SCSI Class
SCSI CDROM Class
FSFilter Infrastructure
FSFilter System
FSFilter Bottom
FSFilter Copy Protection
FSFilter Security Enhancer
FSFilter Open File
FSFilter Physical Quota Management
FSFilter Virtualization
FSFilter Encryption
FSFilter Compression
FSFilter Imaging
FSFilter HSM
FSFilter Cluster File System
FSFilter System Recovery
FSFilter Quota Management
FSFilter Content Screener
FSFilter Continuous Backup
FSFilter Replication
FSFilter Anti-Virus
FSFilter Undelete
FSFilter Activity Monitor
FSFilter Top
Filter
Boot File System
Base
Pointer Port
Keyboard Port
Pointer Class
Keyboard Class
Video Init
Video
Video Save
File System
Streams Drivers
NDIS Wrapper
COM Infrastructure
Event Log
AudioGroup
ProfSvc_Group
UIGroup
MS_WindowsLocalValidation
PlugPlay
PNP_TDI
NDIS
TDI
iSCSI
 
Service Pack 2 3 16 2012 12:31:51.359
Loaded driver \SystemRoot\system32\ntkrnlpa.exe
Loaded driver \SystemRoot\system32\hal.dll
Loaded driver \SystemRoot\system32\kdcom.dll
Loaded driver \SystemRoot\system32\PSHED.dll
Loaded driver \SystemRoot\system32\BOOTVID.dll
Loaded driver \SystemRoot\system32\CLFS.SYS
Loaded driver \SystemRoot\system32\CI.dll
Loaded driver \SystemRoot\system32\drivers\Wdf01000.sys
Loaded driver \SystemRoot\system32\drivers\WDFLDR.SYS
Loaded driver \SystemRoot\system32\drivers\acpi.sys
Loaded driver \SystemRoot\system32\drivers\WMILIB.SYS
Loaded driver \SystemRoot\system32\drivers\msisadrv.sys
Loaded driver \SystemRoot\system32\drivers\pci.sys
Loaded driver \SystemRoot\System32\drivers\partmgr.sys
Loaded driver \SystemRoot\system32\DRIVERS\compbatt.sys
Loaded driver \SystemRoot\system32\DRIVERS\BATTC.SYS
Loaded driver \SystemRoot\system32\drivers\volmgr.sys
Loaded driver \SystemRoot\System32\drivers\volmgrx.sys
Loaded driver \SystemRoot\system32\drivers\pciide.sys
Loaded driver \SystemRoot\system32\drivers\PCIIDEX.SYS
Loaded driver \SystemRoot\System32\drivers\mountmgr.sys
Loaded driver \SystemRoot\system32\drivers\atapi.sys
Loaded driver \SystemRoot\system32\drivers\ataport.SYS
Loaded driver \SystemRoot\system32\drivers\msahci.sys
Loaded driver \SystemRoot\system32\drivers\fltmgr.sys
Loaded driver \SystemRoot\system32\drivers\fileinfo.sys
Loaded driver \SystemRoot\System32\Drivers\ksecdd.sys
Loaded driver \SystemRoot\system32\drivers\ndis.sys
Loaded driver \SystemRoot\system32\drivers\msrpc.sys
Loaded driver \SystemRoot\system32\drivers\NETIO.SYS
Loaded driver \SystemRoot\System32\drivers\tcpip.sys
Loaded driver \SystemRoot\System32\drivers\fwpkclnt.sys
Loaded driver \SystemRoot\System32\Drivers\Ntfs.sys
Loaded driver \SystemRoot\system32\drivers\volsnap.sys
Loaded driver \SystemRoot\system32\DRIVERS\TVALZ_O.SYS
Loaded driver \SystemRoot\system32\DRIVERS\tos_sps32.sys
Loaded driver \SystemRoot\System32\Drivers\spldr.sys
Loaded driver \SystemRoot\System32\Drivers\mup.sys
Loaded driver \SystemRoot\System32\drivers\ecache.sys
Loaded driver \SystemRoot\system32\drivers\disk.sys
Loaded driver \SystemRoot\system32\drivers\CLASSPNP.SYS
Loaded driver \SystemRoot\system32\DRIVERS\AtiPcie.sys
Loaded driver \SystemRoot\system32\drivers\crcdisk.sys
Loaded driver \SystemRoot\system32\DRIVERS\tunnel.sys
Loaded driver \SystemRoot\system32\DRIVERS\tunmp.sys
Loaded driver \SystemRoot\system32\DRIVERS\FwLnk.sys
Loaded driver \SystemRoot\system32\DRIVERS\processr.sys
Loaded driver \SystemRoot\system32\DRIVERS\CmBatt.sys
Loaded driver \SystemRoot\System32\drivers\dxgkrnl.sys
Loaded driver \SystemRoot\system32\DRIVERS\atikmdag.sys
Loaded driver \SystemRoot\system32\DRIVERS\Rtlh86.sys
Loaded driver \SystemRoot\system32\DRIVERS\athr.sys
Loaded driver \SystemRoot\system32\DRIVERS\tdcmdpst.sys
Loaded driver \SystemRoot\system32\DRIVERS\cdrom.sys
Loaded driver \SystemRoot\System32\Drivers\GEARAspiWDM.sys
Loaded driver \SystemRoot\system32\DRIVERS\usbohci.sys
Loaded driver \SystemRoot\system32\DRIVERS\usbehci.sys
Loaded driver \SystemRoot\system32\DRIVERS\HDAudBus.sys
Loaded driver \SystemRoot\system32\DRIVERS\i8042prt.sys
Loaded driver \SystemRoot\system32\DRIVERS\kbdclass.sys
Loaded driver \SystemRoot\system32\DRIVERS\SynTP.sys
Loaded driver \SystemRoot\system32\DRIVERS\mouclass.sys
Loaded driver \SystemRoot\system32\DRIVERS\msiscsi.sys
Loaded driver \SystemRoot\system32\DRIVERS\rasl2tp.sys
Loaded driver \SystemRoot\system32\DRIVERS\ndistapi.sys
Loaded driver \SystemRoot\system32\DRIVERS\ndiswan.sys
Loaded driver \SystemRoot\system32\DRIVERS\raspppoe.sys
Loaded driver \SystemRoot\system32\DRIVERS\raspptp.sys
Loaded driver \SystemRoot\system32\DRIVERS\rassstp.sys
Loaded driver \SystemRoot\system32\DRIVERS\hamachi.sys
Loaded driver \SystemRoot\system32\DRIVERS\termdd.sys
Loaded driver \SystemRoot\system32\DRIVERS\swenum.sys
Loaded driver \SystemRoot\system32\DRIVERS\mssmbios.sys
Loaded driver \SystemRoot\system32\DRIVERS\umbus.sys
Loaded driver \SystemRoot\system32\DRIVERS\usbhub.sys
Loaded driver \SystemRoot\System32\Drivers\NDProxy.SYS
Did not load driver \SystemRoot\System32\Drivers\NDProxy.SYS
Loaded driver \SystemRoot\system32\drivers\RTKVHDA.sys
Loaded driver \SystemRoot\system32\DRIVERS\AGRSM.sys
Loaded driver \SystemRoot\system32\drivers\modem.sys
Loaded driver \SystemRoot\System32\Drivers\Fs_Rec.SYS
Loaded driver \SystemRoot\System32\Drivers\Null.SYS
Loaded driver \SystemRoot\System32\Drivers\Beep.SYS
Loaded driver \SystemRoot\system32\DRIVERS\usbccgp.sys
Loaded driver \SystemRoot\System32\Drivers\UVCFTR_S.SYS
Loaded driver \SystemRoot\System32\Drivers\usbvideo.sys
Loaded driver \SystemRoot\System32\drivers\vga.sys
Loaded driver \SystemRoot\System32\DRIVERS\RDPCDD.sys
Loaded driver \SystemRoot\system32\drivers\rdpencdd.sys
Loaded driver \SystemRoot\System32\Drivers\Msfs.SYS
Loaded driver \SystemRoot\System32\Drivers\Npfs.SYS
Loaded driver \SystemRoot\System32\DRIVERS\rasacd.sys
Loaded driver \SystemRoot\system32\DRIVERS\tdx.sys
Loaded driver \SystemRoot\system32\DRIVERS\smb.sys
Loaded driver \SystemRoot\system32\drivers\afd.sys
Loaded driver \SystemRoot\system32\DRIVERS\USBSTOR.SYS
Loaded driver \SystemRoot\System32\DRIVERS\netbt.sys
Loaded driver \SystemRoot\system32\DRIVERS\pacer.sys
Loaded driver \SystemRoot\system32\DRIVERS\jswpslwf.sys
Loaded driver \SystemRoot\system32\DRIVERS\netbios.sys
Loaded driver \SystemRoot\system32\DRIVERS\wanarp.sys
Loaded driver \SystemRoot\system32\DRIVERS\rdbss.sys
Loaded driver \SystemRoot\system32\drivers\nsiproxy.sys
Did not load driver 
Did not load driver 
Did not load driver 
Did not load driver 
Did not load driver 
Did not load driver 
Did not load driver 
Did not load driver 
Did not load driver 
Did not load driver 
Did not load driver 
Did not load driver 
Did not load driver 
Did not load driver 
Did not load driver 
Did not load driver 
Did not load driver 
Did not load driver 
Did not load driver 
Did not load driver 
Loaded driver \SystemRoot\System32\Drivers\dfsc.sys
 

My Computer

System One

  • Manufacturer/Model
    Toshiba
    CPU
    AMD Turion
Hello O negative and welcome to the forums :party:

With an sc query command, we can list all of the drivers, but it churns out a horrible output like this:
Code:
SERVICE_NAME: NisDrv
DISPLAY_NAME: Microsoft Network Inspection System
        TYPE               : 1  KERNEL_DRIVER
        STATE              : 4  RUNNING
                                (STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN)
        WIN32_EXIT_CODE    : 0  (0x0)
        SERVICE_EXIT_CODE  : 0  (0x0)
        CHECKPOINT         : 0x0
        WAIT_HINT          : 0x0

C:\Windows\System32>

The first two lines are all that we want from this, so with a findstr command, we can get rid of the other information. This will then leave us with lots of these:

Code:
SERVICE_NAME: NisDrv
DISPLAY_NAME: Microsoft Network Inspection System

The first one is the driver without the .sys extension, so we'll have to write some code to add that to the end of each line. The second one is fine as it is :) But we'll need to output this to the text file after adding the .sys extension as we don't want it on this text.

So I've knocked together a little batch file to do all of that for you:

Code:
@echo off
rem Write the SERVICE_NAME line of each driver that sc reports to drivers.txt
sc query type= driver | findstr SERVICE_NAME > %SYSTEMDRIVE%\drivers.txt
set addtext=.sys
if exist %SYSTEMDRIVE%\tmpfile.txt del /q %SYSTEMDRIVE%\tmpfile.txt
rem Append .sys to every line, building the new list in a temporary file
for /f "delims=" %%l in (%SYSTEMDRIVE%\drivers.txt) Do (
      echo %%l%addtext% >> %SYSTEMDRIVE%\tmpfile.txt
)
rem Replace the original list with the one that has .sys added
del /q %SYSTEMDRIVE%\drivers.txt
ren %SYSTEMDRIVE%\tmpfile.txt drivers.txt

echo. >> %SYSTEMDRIVE%\drivers.txt

rem Add the display names underneath, without the extension
sc query type= driver | findstr DISPLAY_NAME >> %SYSTEMDRIVE%\drivers.txt

echo. >> %SYSTEMDRIVE%\drivers.txt
echo EOF >> %SYSTEMDRIVE%\drivers.txt

start notepad.exe %SYSTEMDRIVE%\drivers.txt

The only problem with this is that it will list it in the following format:

File A
File B
File C

Name A
Name B
Name C

But it's not too hard to convert between the two. If you want, I can make it output each to a different file, then you can view them side by side?

You might have to run it as an administrator.

Tom
 

Attachments

  • Driver File and Name Query.bat
    601 bytes · Views: 53

My Computer

System One

  • Manufacturer/Model
    Build #1
    CPU
    Intel Core i7 3770K @4.4GHz
    Motherboard
    ASUS P8Z77-V PRO
    Memory
    Corsair Vengeance 2x4GB DDR3 1600MHz Low Profile (White)
    Graphics Card(s)
    Gigabyte Radeon HD 7850 (2GB GDDR5)
    Sound Card
    Integrated on motherboard
    Monitor(s) Displays
    23" LG LCD/LED IPS
    Screen Resolution
    1920*1080
    Hard Drives
    Samsung EVO 128GB SSD
    Seagate Barracuda 2TB 7200rpm
    2x500GB Seagate FreeAgent 5400rpm
    PSU
    Corsair TX650W V2 (80+ Bronze)
    Case
    NZXT Phantom 410
    Cooling
    Corsair H100 Water Cooler, 1x140mm and 1x120mm stock fans
    Keyboard
    Microsoft Desktop 2000 Wireless Keyboard
    Mouse
    Microsoft Desktop 2000 Wireless Mouse
    Internet Speed
    95 Mb/s Download 70 Mb/s Upload
sc query type= driver is a good way to get the type number, but it doesn't help me translate from the registry group name to the individual driver filenames. The example I gave, "WdfLoadGroup", happens to have at least two individual drivers associated with it. Somewhere, maybe in a .inf file--I don't know--the associations are listed.
 
Hello O negative,

Sorry about that, I misunderstood your first post.

You seem pretty well versed with Windows, I take it you know how to use command prompt? If not, then let me know and I'll explain it :)

If you do know, I would like you to run the following command for me please:

REG QUERY "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services" /s > %SYSTEMDRIVE%\CCSServices.txt

This will create a text file called CCSServices.txt in the root folder of your main drive (e.g. C:\CCSServices.txt). Can you attach this to your next post please? Hopefully this information will shed some light on the problem :)

Tom
 

Thanks Tom!

This gives me the group names for the drivers and more. A gold mine of info.

see attached
 

Attachments

  • ccss.txt
    232.3 KB · Views: 620

Hello O negative,

You're welcome :) Is this all of the information that you wanted? Or do you want to have a hunt for where WdfLDR.SYS is found in your registry?

Tom
 

I put together a spreadsheet with a column of all the service groups from ServiceGroupOrder and adjacent columns for drivers associated with those groups. Unfortunately, that query only provided driver/group associations for half of the groups. Some groups are quite large (SCSI miniport), but very few of the drivers are chosen. The sequencing is not straightforward either.

I'm still hoping to find some kind of script that is followed when the drivers are loaded, but I'm guessing it is more like a bunch of nested "if then else" instructions.
 

Sorry, I have absolutely no idea how to do that. Perhaps another member will enlighten us, but that sounds like a very complicated thing to do :(

Tom
 

Hello!

I did not notice this thread before. Sorry for the delay. Maybe I can shed some light on how drivers are loaded. There is no specific script. Windows does not use scripts for this sort of thing, only kernel mode code. There is a HUGE amount more to say. I shall give you a very brief introduction, and you can ask questions.

There are two types of driver loading: explicit loading and enumeration-based loading. Explicit loading is based on the contents of HKLM\SYSTEM\CurrentControlSet\Services, whereas enumeration-based loading is based on the results when the PnP manager dynamically loads drivers for the devices that a bus driver reports during bus enumeration.

For startup type 0 drivers, the operating system loader (winload.exe), called by the bootloader, loads the appropriate kernel and HAL images (Ntoskrnl.exe and Hal.dll by default), reads the VGA font file (vgaoem.fon by default), reads the National Language System files (l_intl.nls, c_1252.nls, and c_437.nls by default), reads the System registry hive (\Windows\System32\config\System by default), and then reads the boot time drivers (Start = 0 (SERVICE_BOOT_START)) out of the HKLM\SYSTEM\CurrentControlSet\Services, loads the file system driver, then loads the boot time drivers just scanned, and then prepares the CPU registers for the execution of Ntoskrnl.exe, and calls Nt!KiSystemStartup to perform the rest of system initialisation. This is all before the Windows kernel has loaded :)

(n.b. This is for BIOS systems. For EFI systems, winload.exe is replaced by winload.efi)

The above was for Start = 0 (SERVICE_BOOT_START). When that equals 1 (SERVICE_SYSTEM_START), the I/O manager loads the driver after the executive subsystems have finished initialising.

As for what affects device driver loading order, many things!

The coarsest control is through the use of Start = either 0 or 1 (SERVICE_BOOT_START or SERVICE_SYSTEM_START respectively). To refine its order, the HKLM\SYSTEM\CurrentControlSet\Control\ServiceGroupOrder\List key is used. For further refining, HKLM\SYSTEM\CurrentControlSet\Control\GroupOrderList defines tag precedence within a group. You can read more about this here: How To Control Device Driver Load Order

You can read more about the other available values of What Determines When a Driver Is Loaded

I am not going to go into the fine details of service/driver startup (which functions make which calls which do what), but if you want to know something specific, just ask.

I hope that this solves more confusion than it creates (I somehow doubt that!!), and do feel free to ask for help with any other aspects.

Richard
 

My Computer

System One

  • Manufacturer/Model
    Dell XPS 420
    CPU
    Intel Core 2 Quad Q9300 2.50GHz
    Motherboard
    Stock Dell 0TP406
    Memory
    4 gb (DDR2 800) 400MHz
    Graphics Card(s)
    ATI Radeon HD 3870 (512 MBytes)
    Sound Card
    Onboard
    Monitor(s) Displays
    1 x Dell 2007FP and 1 x (old) Sonic flat screen
    Screen Resolution
    1600 x 1200 and 1280 x 1204
    Hard Drives
    1 x 640Gb (SATA 300)
    Western Digital: WDC WD6400AAKS-75A7B0

    1 x 1Tb (SATA 600)
    Western Digital: Caviar Black, SATA 6GB/S, 64Mb cache, 8ms
    Western Digital: WDC WD1002FAEX-00Z3A0 ATA Device
    PSU
    Stock PSU - 375W
    Case
    Dell XPS 420
    Cooling
    Stock Fan
    Keyboard
    Dell Bluetooth
    Mouse
    Advent Optical ADE-WG01 (colour change light up)
    Internet Speed
    120 kb/s
    Other Info
    ASUS USB 3.0 5Gbps/SATA 6Gbps - PCI-Express Combo Controller Card (U3S6)
Now for the shorter answer :p

ServiceGroupOrder and driver names are simply enumerated from HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\{driver}

The startup order, and whether a driver starts up, etc. is based upon many other factors (from the registry keys given above).
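
Added example, not written by any poster in this thread: a parser for the `REG QUERY ... /s` export requested earlier, which reads each service's Group, ImagePath, Start and Tag values and lists the driver files per group in ServiceGroupOrder order. The export text, the `examplescsi` service and `ExampleValue` are constructed for illustration, and `parse_services` and `drivers_by_group` are hypothetical names.

```python
import re
from collections import defaultdict
# Constructed sample in the layout REG QUERY ... /s prints; values are illustrative only.
SAMPLE_EXPORT = r"""
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Wdf01000
    Group    REG_SZ    WdfLoadGroup
    ImagePath    REG_EXPAND_SZ    system32\drivers\Wdf01000.sys
    Start    REG_DWORD    0x0

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\pci
    Group    REG_SZ    Boot Bus Extender
    Start    REG_DWORD    0x0
    Tag    REG_DWORD    0x3

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\pci\Parameters
    ExampleValue    REG_DWORD    0x1

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\examplescsi
    Group    REG_SZ    SCSI miniport
    ImagePath    REG_EXPAND_SZ    system32\drivers\examplescsi.sys
    Start    REG_DWORD    0x3
"""

# Subset, in order, of the ServiceGroupOrder list quoted in the first post.
GROUP_ORDER = ["EMS", "WdfLoadGroup", "Boot Bus Extender", "SCSI miniport"]
KEY_RE = re.compile(r"^HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\services\\(.+)$", re.I)
VALUE_RE = re.compile(r"^\s+(.+?)\s+(REG_[A-Z_]+)\s*(.*)$")

def parse_services(text):
    services, current = {}, None
    for line in text.splitlines():
        key = KEY_RE.match(line.rstrip())
        if key:
            # Only direct children of ...\services are services; ignore their subkeys.
            name = key.group(1)
            current = None if "\\" in name else services.setdefault(name, {})
            continue
        val = VALUE_RE.match(line)
        if val and current is not None:
            vname, vtype, data = val.groups()
            current[vname.lower()] = int(data, 16) if vtype == "REG_DWORD" else data.strip()
    return services

def drivers_by_group(services, group_order, max_start=0):
    """Return [(group, [(service, file, tag)])] for Start <= max_start, in group order."""
    rank = {g.lower(): i for i, g in enumerate(group_order)}
    grouped = defaultdict(list)
    for name, v in sorted(services.items(), key=lambda kv: kv[0].lower()):
        if v.get("start", 99) > max_start:
            continue
        # With no ImagePath value, a driver defaults to system32\drivers\<name>.sys.
        path = v.get("imagepath") or "system32\\drivers\\" + name + ".sys"
        grouped[v.get("group", "")].append((name, path, v.get("tag")))
    # Groups absent from the list (and ungrouped drivers) sort after the listed ones.
    order = sorted(grouped, key=lambda g: (rank.get(g.lower(), len(rank)), g.lower()))
    return [(g or "(no group)", grouped[g]) for g in order]

if __name__ == "__main__":
    for entry in drivers_by_group(parse_services(SAMPLE_EXPORT), GROUP_ORDER):
        print(entry)
```

With the default `max_start=0` only boot-start entries are reported; passing `max_start=3` also lists demand-start drivers such as the constructed `examplescsi`.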
 
