I can't find reg entry for Dbgv.sys....

For many years I was assuming that for every driver there must be a registry entry to load the driver successfully?

But I recently found a driver, “Dbgv.sys” (the dbgview driver), for which there is no entry in the registry.

So is it possible to run a driver without installation?

> So is it possible to run a driver without installation?

There is no need to have any installer. It is enough to create required entries in the registry and call NtLoadDriver/ZwLoadDriver with a path to the driver’s registry key.

I guess the registry entries are created by an application. Then NtLoadDriver is called. After NtLoadDriver returns, the registry entries are removed. After a driver has loaded there is no need for its registry entries (not sure about Win 10). Before Windows 10 you can even remove the driver’s sys file, as its content was copied to system space and was backed by a pagefile. Starting from Windows 10, MS implemented some questionable features (a.k.a. misfeatures) that might prevent you from doing this.

Have you noticed that the app and associated driver run on both x86 and x64 platforms?

The driver’s binaries (x86 and x64 versions) are most probably loaded in the app’s binary image as binary resources. The registry configuration is created using the service manager API.

The setup process is similar to a filter driver installation except that only the CopyFiles and AddService installation sections are performed.

xxxxx@gmail.com wrote:

> For many years I was assuming that for every driver there must be a registry entry to load the driver successfully?

True.

> But I recently found a driver, “Dbgv.sys” (the dbgview driver), for which there is no entry in the registry.

There certainly is, but it only exists for a short period of time.

> So is it possible to run a driver without installation?

Well, no, but it’s a matter of terminology. For a legacy (non-PnP)
driver, only three steps are required:

  1. Copy the file into place in system32\drivers
  2. Add an entry to the services key
  3. Start the service

That process is what I would call “installation”. There are many ways
to do that. Heck, you can do it with a batch file:

copy mydriver.sys %SystemRoot%\system32\drivers
sc create mydriver type= kernel start= demand binPath= system32\drivers\mydriver.sys
sc start mydriver

Obviously, you can also do it in an application, and that’s what
dbgview.exe does. Once the driver loads, you don’t need the registry
key any more.


Tim Roberts, xxxxx@probo.com
Providenza & Boekelheide, Inc.

Thanks Tim… for the detailed explanation.

Oh sorry, I forgot to mention that the configuration or service is deleted when the application exits.

It seemed so obvious …
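An added example, not part of any post in this thread: the pattern described above (a Services key that exists only briefly around a driver load) can be looked for in telemetry by correlating the key's ImagePath, the driver load, and the key's deletion. The event schema, the sample records and the function names below are assumptions of this example, standing in for already-normalized registry and driver-load events.

```python
import ntpath

SERVICES = "hklm\\system\\currentcontrolset\\services\\"

# Constructed, pre-normalized telemetry (not real logs). Each record is
# (seconds, kind, subject, detail); this schema is the example's own.
EVENTS = [
    (100, "value_set", r"HKLM\SYSTEM\CurrentControlSet\Services\DBGV\ImagePath",
     r"\??\C:\Windows\system32\drivers\Dbgv.sys"),
    (101, "driver_load", r"C:\Windows\System32\drivers\Dbgv.sys", ""),
    (102, "key_delete", r"HKLM\SYSTEM\CurrentControlSet\Services\DBGV", ""),
    (200, "value_set", r"HKLM\SYSTEM\CurrentControlSet\Services\mydriver\ImagePath",
     r"system32\drivers\mydriver.sys"),
    (205, "driver_load", r"C:\Windows\System32\drivers\mydriver.sys", ""),
]


def service_of(path):
    """Lowercased service name if path lies under the Services key, else None."""
    p = path.lower()
    return p[len(SERVICES):].split("\\")[0] if p.startswith(SERVICES) else None


def transient_driver_services(events, window=3600):
    """Return (service, driver file, seconds) for each service key deleted
    within `window` seconds after the driver named by its ImagePath loaded."""
    image = {}   # service -> driver file name taken from ImagePath
    loaded = {}  # driver file name -> time of the most recent load
    findings = []
    for t, kind, subject, detail in sorted(events, key=lambda e: e[0]):
        svc = service_of(subject)
        if kind == "value_set" and svc and subject.lower().endswith("\\imagepath"):
            # Match on file name only: ImagePath may be relative or carry a
            # \??\ prefix. Same-named files in other directories will collide.
            image[svc] = ntpath.basename(detail).lower()
        elif kind == "driver_load":
            loaded[ntpath.basename(subject).lower()] = t
        elif kind == "key_delete" and svc and subject.lower() == SERVICES + svc:
            drv = image.pop(svc, None)  # only the service key itself counts
            if drv in loaded and t - loaded[drv] <= window:
                findings.append((svc, drv, t - loaded[drv]))
    return findings


if __name__ == "__main__":
    for svc, drv, gap in transient_driver_services(EVENTS):
        print(f"{svc}: {drv} loaded, service key deleted {gap}s later")
```

A hit is not malicious by itself, since legitimate tools such as the one discussed in this thread behave this way; it marks a driver that is running with no service entry left to find it by.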