How do I get from the ServiceGroupOrder outline to actual lists of driver filenames?
Below is the ServiceGroupOrder as it appears in the HKLM register. Below that is the ntbtlog from the same machine trying to load Vista normally (and failing). What file(s) is/are used to translate from "WdfLoadGroup" to "Wdf01000.sys" & "WdfLDR.SYS"
Code:System Reserved EMS WdfLoadGroup Boot Bus Extender System Bus Extender SCSI miniport Port Primary Disk SCSI Class SCSI CDROM Class FSFilter Infrastructure FSFilter System FSFilter Bottom FSFilter Copy Protection FSFilter Security Enhancer FSFilter Open File FSFilter Physical Quota Management FSFilter Virtualization FSFilter Encryption FSFilter Compression FSFilter Imaging FSFilter HSM FSFilter Cluster File System FSFilter System Recovery FSFilter Quota Management FSFilter Content Screener FSFilter Continuous Backup FSFilter Replication FSFilter Anti-Virus FSFilter Undelete FSFilter Activity Monitor FSFilter Top Filter Boot File System Base Pointer Port Keyboard Port Pointer Class Keyboard Class Video Init Video Video Save File System Streams Drivers NDIS Wrapper COM Infrastructure Event Log AudioGroup ProfSvc_Group UIGroup MS_WindowsLocalValidation PlugPlay PNP_TDI NDIS TDI iSCSI Service Pack 2 3 16 2012 12:31:51.359 Loaded driver \SystemRoot\system32\ntkrnlpa.exe Loaded driver \SystemRoot\system32\hal.dll Loaded driver \SystemRoot\system32\kdcom.dll Loaded driver \SystemRoot\system32\PSHED.dll Loaded driver \SystemRoot\system32\BOOTVID.dll Loaded driver \SystemRoot\system32\CLFS.SYS Loaded driver \SystemRoot\system32\CI.dll Loaded driver \SystemRoot\system32\drivers\Wdf01000.sys Loaded driver \SystemRoot\system32\drivers\WDFLDR.SYS Loaded driver \SystemRoot\system32\drivers\acpi.sys Loaded driver \SystemRoot\system32\drivers\WMILIB.SYS Loaded driver \SystemRoot\system32\drivers\msisadrv.sys Loaded driver \SystemRoot\system32\drivers\pci.sys Loaded driver \SystemRoot\System32\drivers\partmgr.sys Loaded driver \SystemRoot\system32\DRIVERS\compbatt.sys Loaded driver \SystemRoot\system32\DRIVERS\BATTC.SYS Loaded driver \SystemRoot\system32\drivers\volmgr.sys Loaded driver \SystemRoot\System32\drivers\volmgrx.sys Loaded driver \SystemRoot\system32\drivers\pciide.sys Loaded driver \SystemRoot\system32\drivers\PCIIDEX.SYS Loaded driver \SystemRoot\System32\drivers\mountmgr.sys Loaded driver \SystemRoot\system32\drivers\atapi.sys Loaded driver \SystemRoot\system32\drivers\ataport.SYS Loaded driver \SystemRoot\system32\drivers\msahci.sys Loaded driver \SystemRoot\system32\drivers\fltmgr.sys Loaded driver \SystemRoot\system32\drivers\fileinfo.sys Loaded driver \SystemRoot\System32\Drivers\ksecdd.sys Loaded driver \SystemRoot\system32\drivers\ndis.sys Loaded driver \SystemRoot\system32\drivers\msrpc.sys Loaded driver \SystemRoot\system32\drivers\NETIO.SYS Loaded driver \SystemRoot\System32\drivers\tcpip.sys Loaded driver \SystemRoot\System32\drivers\fwpkclnt.sys Loaded driver \SystemRoot\System32\Drivers\Ntfs.sys Loaded driver \SystemRoot\system32\drivers\volsnap.sys Loaded driver \SystemRoot\system32\DRIVERS\TVALZ_O.SYS Loaded driver \SystemRoot\system32\DRIVERS\tos_sps32.sys Loaded driver \SystemRoot\System32\Drivers\spldr.sys Loaded driver \SystemRoot\System32\Drivers\mup.sys Loaded driver \SystemRoot\System32\drivers\ecache.sys Loaded driver \SystemRoot\system32\drivers\disk.sys Loaded driver \SystemRoot\system32\drivers\CLASSPNP.SYS Loaded driver \SystemRoot\system32\DRIVERS\AtiPcie.sys Loaded driver \SystemRoot\system32\drivers\crcdisk.sys Loaded driver \SystemRoot\system32\DRIVERS\tunnel.sys Loaded driver \SystemRoot\system32\DRIVERS\tunmp.sys Loaded driver \SystemRoot\system32\DRIVERS\FwLnk.sys Loaded driver \SystemRoot\system32\DRIVERS\processr.sys Loaded driver \SystemRoot\system32\DRIVERS\CmBatt.sys Loaded driver \SystemRoot\System32\drivers\dxgkrnl.sys Loaded driver \SystemRoot\system32\DRIVERS\atikmdag.sys Loaded driver \SystemRoot\system32\DRIVERS\Rtlh86.sys Loaded driver \SystemRoot\system32\DRIVERS\athr.sys Loaded driver \SystemRoot\system32\DRIVERS\tdcmdpst.sys Loaded driver \SystemRoot\system32\DRIVERS\cdrom.sys Loaded driver \SystemRoot\System32\Drivers\GEARAspiWDM.sys Loaded driver \SystemRoot\system32\DRIVERS\usbohci.sys Loaded driver \SystemRoot\system32\DRIVERS\usbehci.sys Loaded driver \SystemRoot\system32\DRIVERS\HDAudBus.sys Loaded driver \SystemRoot\system32\DRIVERS\i8042prt.sys Loaded driver \SystemRoot\system32\DRIVERS\kbdclass.sys Loaded driver \SystemRoot\system32\DRIVERS\SynTP.sys Loaded driver \SystemRoot\system32\DRIVERS\mouclass.sys Loaded driver \SystemRoot\system32\DRIVERS\msiscsi.sys Loaded driver \SystemRoot\system32\DRIVERS\rasl2tp.sys Loaded driver \SystemRoot\system32\DRIVERS\ndistapi.sys Loaded driver \SystemRoot\system32\DRIVERS\ndiswan.sys Loaded driver \SystemRoot\system32\DRIVERS\raspppoe.sys Loaded driver \SystemRoot\system32\DRIVERS\raspptp.sys Loaded driver \SystemRoot\system32\DRIVERS\rassstp.sys Loaded driver \SystemRoot\system32\DRIVERS\hamachi.sys Loaded driver \SystemRoot\system32\DRIVERS\termdd.sys Loaded driver \SystemRoot\system32\DRIVERS\swenum.sys Loaded driver \SystemRoot\system32\DRIVERS\mssmbios.sys Loaded driver \SystemRoot\system32\DRIVERS\umbus.sys Loaded driver \SystemRoot\system32\DRIVERS\usbhub.sys Loaded driver \SystemRoot\System32\Drivers\NDProxy.SYS Did not load driver \SystemRoot\System32\Drivers\NDProxy.SYS Loaded driver \SystemRoot\system32\drivers\RTKVHDA.sys Loaded driver \SystemRoot\system32\DRIVERS\AGRSM.sys Loaded driver \SystemRoot\system32\drivers\modem.sys Loaded driver \SystemRoot\System32\Drivers\Fs_Rec.SYS Loaded driver \SystemRoot\System32\Drivers\Null.SYS Loaded driver \SystemRoot\System32\Drivers\Beep.SYS Loaded driver \SystemRoot\system32\DRIVERS\usbccgp.sys Loaded driver \SystemRoot\System32\Drivers\UVCFTR_S.SYS Loaded driver \SystemRoot\System32\Drivers\usbvideo.sys Loaded driver \SystemRoot\System32\drivers\vga.sys Loaded driver \SystemRoot\System32\DRIVERS\RDPCDD.sys Loaded driver \SystemRoot\system32\drivers\rdpencdd.sys Loaded driver \SystemRoot\System32\Drivers\Msfs.SYS Loaded driver \SystemRoot\System32\Drivers\Npfs.SYS Loaded driver \SystemRoot\System32\DRIVERS\rasacd.sys Loaded driver \SystemRoot\system32\DRIVERS\tdx.sys Loaded driver \SystemRoot\system32\DRIVERS\smb.sys Loaded driver \SystemRoot\system32\drivers\afd.sys Loaded driver \SystemRoot\system32\DRIVERS\USBSTOR.SYS Loaded driver \SystemRoot\System32\DRIVERS\netbt.sys Loaded driver \SystemRoot\system32\DRIVERS\pacer.sys Loaded driver \SystemRoot\system32\DRIVERS\jswpslwf.sys Loaded driver \SystemRoot\system32\DRIVERS\netbios.sys Loaded driver \SystemRoot\system32\DRIVERS\wanarp.sys Loaded driver \SystemRoot\system32\DRIVERS\rdbss.sys Loaded driver \SystemRoot\system32\drivers\nsiproxy.sys Did not load driver Did not load driver Did not load driver Did not load driver Did not load driver Did not load driver Did not load driver Did not load driver Did not load driver Did not load driver Did not load driver Did not load driver Did not load driver Did not load driver Did not load driver Did not load driver Did not load driver Did not load driver Did not load driver Did not load driver Loaded driver \SystemRoot\System32\Drivers\dfsc.sys
How are driver filenames derived from SGO?
- 18 Mar 2012 #1My System Specs
How are driver filenames derived from SGO?
Last edited by Brink; 26 Mar 2012 at 11:21 AM. Reason: code box
- 19 Mar 2012 #2
٩(͡๏̯͡๏)۶
My System SpecsRe: How are driver filenames derived from SGO?
Hello O negative and welcome to the forums
With an sc query command, we can list all of the drivers, but it churns out a horrible output like this:
The first two lines are all that we want from this, so with a findstr command, we can get rid of the other information. This will then leave us with lots of these:Code:SERVICE_NAME: NisDrv DISPLAY_NAME: Microsoft Network Inspection System TYPE : 1 KERNEL_DRIVER STATE : 4 RUNNING (STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN) WIN32_EXIT_CODE : 0 (0x0) SERVICE_EXIT_CODE : 0 (0x0) CHECKPOINT : 0x0 WAIT_HINT : 0x0 C:\Windows\System32>
The first one is the driver without the .sys extension, so we'll have to write some code to add that to the end of each line. The second one is fine as it isCode:SERVICE_NAME: NisDrv DISPLAY_NAME: Microsoft Network Inspection System
But we'll need to output this to the text file after adding the .sys extension as we don't want it on this text.
So I've knocked together a little batch file to do all of that for you:
The only problem with this is that it will list it in the following format:Code:@echo off sc query type= driver | findstr SERVICE_NAME > %SYSTEMDRIVE%\drivers.txt set addtext=.sys if exist %SYSTEMDRIVE%\tmpfile.txt del /q %SYSTEMDRIVE%\tmpfile.txt for /f "delims=" %%l in (%SYSTEMDRIVE%\drivers.txt) Do ( echo %%l%addtext% >> %SYSTEMDRIVE%\tmpfile.txt ) del /q %SYSTEMDRIVE%\drivers.txt ren %SYSTEMDRIVE%\tmpfile.txt drivers.txt echo. >> %SYSTEMDRIVE%\drivers.txt sc query type= driver | findstr DISPLAY_NAME >> %SYSTEMDRIVE%\drivers.txt echo. >> %SYSTEMDRIVE%\drivers.txt echo EOF >> %SYSTEMDRIVE%\drivers.txt start notepad.exe %SYSTEMDRIVE%\drivers.txt
File A
File B
File C
Name A
Name B
Name C
But it's not too hard to convert between the two. If you want, I can make it output each to a different file, then you can view them side by side?
You might have to run it as an administrator.
Tom
- 19 Mar 2012 #3My System Specs
Re: How are driver filenames derived from SGO?
sc query type= driver is a good way to get the type number, but it doesn't help me translate from the registry group name to the individual driver filenames. The example I gave, "WdfLoadGroup", happens to have at least two individual drivers associated with it. Somewhere, maybe in a .inf file--I don't know--the associations are listed.
Last edited by O negative; 19 Mar 2012 at 04:39 PM. Reason: typo
- 19 Mar 2012 #4
٩(͡๏̯͡๏)۶
My System SpecsRe: How are driver filenames derived from SGO?
Hello O negative,
Sorry about that, I misunderstood your first post.
You seem pretty well versed with Windows, I take it you know how to use command prompt? If not, then let me know and I'll explain it
If you do know, I would like you to run the following command for me please:
REG QUERY "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services" /s > %SYSTEMDRIVE%\CCSServices.txt
This will create a text file called CCSServices.txt in the root folder of your main drive (e.g. C:\CCSServices), can you attach this to your next post please? Hopefully this information will shed some light on the problem
Tom
- 20 Mar 2012 #5My System Specs
Re: How are driver filenames derived from SGO?
Thanks Tom!
This gives me the group names for the drivers and more. A gold mine of info.
see attached
- 21 Mar 2012 #6
٩(͡๏̯͡๏)۶
My System SpecsRe: How are driver filenames derived from SGO?
Hello O negative,
Originally Posted by O negative 
You're welcome Is this all of the information that you wanted? Or do you want to have a hunt for where WdfLDR.SYS is found in your registry?
Tom
- 22 Mar 2012 #7My System Specs
Re: How are driver filenames derived from SGO?
I put together a spreadsheet with a column of all the service groups from ServiceGroupOrder and adjacent columns for drivers associated with those groups. Unfortunately, that query only provided driver/group associations for half of the groups. Some groups are quite large (SCSI miniport), but very few of the drivers are chosen. The sequencing is not straightforward either.
I'm still hoping to find some kind of script that is followed when the drivers are loaded, but I'm guessing it is more like a bunch of nested "if then else" instructions.
- 23 Mar 2012 #8
٩(͡๏̯͡๏)۶
My System SpecsRe: How are driver filenames derived from SGO?
Sorry, I have absolutely no idea how to do that. Perhaps another member will enlighten us, but that sounds like a very complicated thing to do
Tom
- 02 Apr 2012 #9My System Specs
Re: How are driver filenames derived from SGO?
Hello!
I did not notice this thread before. Sorry for the delay. Maybe I can shed some light on how drivers are loaded. There is no specific script. Windows does not use scripts for this sort of thing, only kernel mode code. There is a HUGE amount more to say. I shall give you a very brief introduction, and you can ask questions.
There are two types of driver loading, explicit loading, and enumeration-based loading. Explicit loading is based on the contents of HKLM\SYSTEM\CurrentControlSet\Services, whereas enumeration-based loading is based on the results when the PnP manager dynamically loads drivers for the devices that a bus driver reports during bus enumeration.
For startup type 0 drivers, the operating system loader (winload.exe), called by the bootloader, loads the appropriate kernel and HAL images (Ntoskrnl.exe and Hal.dll by default), reads the VGA font file (vgaoem.fon by default), reads the National Language System files (l_intl.nls, c_1252.nls, and c_437.nls by default), reads the System registry hive (\Windows\System32\config\System by default), and then reads the boot time drivers (Start = 0 (SERVICE_BOOT_START)) out of the HKLM\SYSTEM\CurrentControlSet\Services, loads the file system driver, then loads the boot time drivers just scanned, and then prepares the CPU registers for the execution of Ntoskrnl.exe, and calls Nt!KiSystemStartup to perform the rest of system initialisation. This is all before the Windows Kernal has loaded
(n.b. This is for BIOS systems. For EFI systems, winload.exe is replaced by winload.efi)
The above was for Start = 0 (SERVICE_BOOT_START). When that equals 1 (SERVICE_SYSTEM_START), the I/O manager loads the driver after the executive subsystems have finished initialising.
As for what affects device driver loading order, many things!
The coursest control is through the use of Start = either 0 or 1 (SERVICE_BOOT_START or SERVICE_SYSTEM_START respectively). To refine its order, the HKLM\SYSTEM\CurrentControlSet\Control\ServiceGroupOrder\List key is used. For further refining, HKLM\SYSTEM\CurrentControlSet\Control\GroupOrderList defines tag precedence within a group. You can read more about this here: How To Control Device Driver Load Order
You can read more about the other available values of What Determines When a Driver Is Loaded
I am not going to go into the fine details of service/driver startup (which functions make which calls which do what), but if you want to know something specific, just ask.
I hope that this solves more confusion that it creates (I somehow doubt that!!), and do feel free to ask for help with any other aspects.
Richard
- 02 Apr 2012 #10My System Specs
Re: How are driver filenames derived from SGO?
Now for the shorter answer
ServiceGroupOrder and driver names are simply enumerated from HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\{driver}
The startup order, and whether a driver starts up, etc. is based upon many other factors (from the registry keys given above).
Reply With Quote
How are driver filenames derived from SGO? problems?
| Similar Threads | ||||
| Thread | Thread Starter | Forum | Replies | Last Post |
| Using XmlSerializer for derived classes | nagar | .NET General | 2 | 02 Nov 2009 |
| Why XSD.exe does not add XmlArrayItemAttribute for the derived type in the list item? | eyiu.ca | Indigo | 0 | 30 Aug 2007 |
| WPF: Own Control Derived From TextBox | hufaunder@yahoo.com | Avalon | 5 | 29 Jul 2007 |
| WCF DataContract and derived classes | Gomolyako Eduard | Indigo | 1 | 03 Jul 2007 |
| GUI application unable to display info derived from registry | Tony | Vista General | 3 | 05 Feb 2007 |
