Hi,
Is there a utility to get which version of driver is loaded in the machine.
I have a customer dump. I used the command !chksym mydriver.sys to figure out the driver loaded in the machine. From the result I got from the above command I came to conclusion that old version of driver is loaded in the machine.
Here I have two questions
eventhough my customer placed the newer version in system32 folder I see old driver version loaded in memory(from crash dump). He has restarted the machine after replacing the new driver. what would cause the old driver to load into memory and not the new version.
I thought once driver is placed in system 32 folder and we restart the machine the new driver will be loaded in memory.
other than windbg commands (with the help of crash dump)is there a tool or way to know the version of driver loaded in the machine.
Note : My driver is a boot driver. volume filter driver.
last good configuration does nothing about files on disk. Why is your
driver in system32 insted of system32\drivers? You really should have an
installer that replaces old with new and that records what it did. You
should also have version information in your driver resource file. You
could also have your driver record its version in the system event log when
it starts.
Mark Roddy
On Thu, Sep 28, 2017 at 6:35 AM, xxxxx@yahoo.co.in < xxxxx@lists.osr.com> wrote:
I suspect last good configuration got invoked in the machine for some
reason.
NTDEV is sponsored by OSR
Visit the list online at: http:> showlists.cfm?list=ntdev> > > MONTHLY seminars on crash dump analysis, WDF, Windows internals and > software drivers! > Details at http: > > To unsubscribe, visit the List Server section of OSR Online at < > http://www.osronline.com/page.cfm?name=ListServer> ></http:></http:>
Is there a utility to get which version of driver is loaded in the machine.
The “lmt” or “lmv” commands will show you the build timestamp from your
binary. “lmv” will also show you parts of the version resource. You DO
faithfully update your version with each build, right?
eventhough my customer placed the newer version in system32 folder I see old driver version loaded in memory(from crash dump). He has restarted the machine after replacing the new driver. what would cause the old driver to load into memory and not the new version.
Are you sure your driver should have gone into system32? With few
exceptions, drivers go in system32\drivers.
–
Tim Roberts, xxxxx@probo.com
Providenza & Boekelheide, Inc.
System32\driverquery.exe will dump the list of loaded drivers and their versions.
d
-----Original Message-----
From: xxxxx@lists.osr.com [mailto:xxxxx@lists.osr.com] On Behalf Of xxxxx@probo.com
Sent: Thursday, September 28, 2017 10:03 AM
To: Windows System Software Devs Interest List Subject: Re: [ntdev] Driver loading issue
xxxxx@yahoo.co.in wrote: > Is there a utility to get which version of driver is loaded in the machine.
The “lmt” or “lmv” commands will show you the build timestamp from your binary. “lmv” will also show you parts of the version resource. You DO faithfully update your version with each build, right?
> 1. eventhough my customer placed the newer version in system32 folder I see old driver version loaded in memory(from crash dump). He has restarted the machine after replacing the new driver. what would cause the old driver to load into memory and not the new version.
Are you sure your driver should have gone into system32? With few exceptions, drivers go in system32\drivers.
– Tim Roberts, xxxxx@probo.com Providenza & Boekelheide, Inc.
With respect to version information, the resource section (.rsrc) is marked
as discardable by default. The end result is that if you have a dump file
lmv doesn’t usually show you any version information embedded in your
resource file:
3: kd> lmv mclassflt
Browse full module list
start end module name
fffff8029f710000 fffff8029f71a000 ClassFlt (deferred)
Image path: ClassFlt.sys
Image name: ClassFlt.sys
Browse all global symbols functions data
Timestamp: Thu Sep 28 13:38:41 2017 (59CD33A1)
CheckSum: 00012E4B
ImageSize: 0000A000
Translations: 0000.04b0 0000.04e4 0409.04b0 0409.04e4
You can strip the discardable bit as a link step if you want to have it
present in dump files. For example:
> Is there a utility to get which version of driver is loaded in the machine. I have a customer dump.
Long ago I’ve made a small utility to search a collection of driver packages for specific binary (sys) version, by its linker timestamp. Timestamps are always available for loaded modules. It gets the path to the found package, and the rest is trivial.
I can send you source (it’s too small, old and ugly for github, and not updated to a modern VC++, sorry)
>eventhough my customer placed the newer version in system32 folder I see old
driver version loaded in memory
Did the customer just replace the driver manually? In this case Windows file protection (sfc_os.dll) could come into play and restore the original driver.
Hi all,
Thanks for the details. few more clarifications I would like to make.
The driver was placed in system32\drivers folder. There was issue in the driver for which a patch was given so installer will not have the record for it. currently the version information logging in event log is not in place. However thanks for the input . will definitely implement this.
I tried lmv and got the timestamp which gives a old date and that is also one of the reason I conclude that old driver is loaded.
@Doron holan
Driverquery.exe - does it show the details of the loaded driver in the system or the one which is there in system32 folder.
Because in my case I suspect both are different.old one is loaded and new one is there in system32\driver folder.
I am trying to figure out the reason for the same.
@pavel
Could you send me the code. I would be glad to try it in my test machine.
@Mikae
yes, the driver was replaced manually. But does this sfc_os.dll come into picture always or in a specific scenario.
Our patches on driver is always replaced manually. but never faced this problem.
system file protection should not matter for third party drivers. So some
other malfunction is going on.
Mark Roddy
On Tue, Oct 3, 2017 at 6:04 AM, xxxxx@yahoo.co.in < xxxxx@lists.osr.com> wrote:
Hi all,
Thanks for the details. few more clarifications I would like to make.
The driver was placed in system32\drivers folder. There was issue in the
driver for which a patch was given so installer will not have the record
for it. currently the version information logging in event log is not in
place. However thanks for the input . will definitely implement this.
I tried lmv and got the timestamp which gives a old date and that is also
one of the reason I conclude that old driver is loaded.
@Doron holan
Driverquery.exe - does it show the details of the loaded driver in the
system or the one which is there in system32 folder.
Because in my case I suspect both are different.old one is loaded and new
one is there in system32\driver folder.
I am trying to figure out the reason for the same.
@pavel
Could you send me the code. I would be glad to try it in my test machine.
@Mikae
yes, the driver was replaced manually. But does this sfc_os.dll come into
picture always or in a specific scenario.
Our patches on driver is always replaced manually. but never faced this
problem.
Regards,
Vidhya
NTDEV is sponsored by OSR
Visit the list online at: http:> showlists.cfm?list=ntdev> > > MONTHLY seminars on crash dump analysis, WDF, Windows internals and > software drivers! > Details at http: > > To unsubscribe, visit the List Server section of OSR Online at < > http://www.osronline.com/page.cfm?name=ListServer> ></http:></http:>