Using Autoruns to validate system drivers

Recently, one of my enterprise customers had a system crash popularly known as a “blue screen of death” and this reminded me of the importance to validate drivers. Validating drivers is something I commonly do with my non-techie friends and family as well, simply because poorly written drivers are the most common cause of system crashes.

A relatively quick and easy way of validating the drivers of a system is to use the Sysinternals (Microsoft owned) tool, Autoruns. Autoruns is a free tool that does not require installation. Just download and run. For more information on Autoruns go to https://technet.microsoft.com/en-us/sysinternals/bb963902 and consider reading the book, “Windows Sysinternals Administrator’s Reference”.

1. Download and launch Autoruns.exe

1. Download Autoruns using one of the links above or click here and save it to your desktop.
2. Double-click on it to run it. 
   Note: Administrator rights is not required unless you intend to make changes to the system. Also, you might be prompted for Administrator credentials or other User Access Control (UAC) prompts depending on your settings.
3. Autoruns will begin to gather system information. For now, press the ESC key to stop the gathering of data since we will be rescanning the system shortly. Otherwise, wait for the Status bar to reports, “Ready”.

• Filter Autoruns: This step will remove common entries that are relatively safe and enable verification of the signatures of the drivers, EXEs and DLLs of software targeted for startup on the system.
  Note: Microsoft drivers are certainly not immune to problems, but they are generally written well enough to not be on the list of usual suspects.

1. In the menu, click Options, Filter Options.

2. Enable/check Verify code signatures, Hide Microsoft entries, and Hide Windows entries.

   

3. Click the Rescan button and wait for the hour glasses to go away. Again, this might take a few minutes depending on the resources of the system.

• Validate drivers: This step checks non-Microsoft drivers. According to the Windows Sysinternals Administrator’s Reference, “Verifying a digital signature associated with that file gives a much higher degree of assurance of the file’s authenticity and integrity.”
  Note: When a driver is verified, the Publisher field changes from the company name to the name on the signed certificate.

1. Click the Drivers tab and look for drivers that are “Not Verified”. This will show up in the Publisher field.

2. In my case, I found one driver that is not Microsoft, but it was verified to be a virtual networking vendor.

    

3. If any of the drivers are highlighted and come up as “Not Verified” in the Publisher field, then the driver does not have a digital signature.

Drivers that are “Not Verified” do not have a digital signature or have been modified. It doesn’t mean that the driver is malware. It just means that the driver cannot be verified to be from the publisher that is claims to be from. For example, the driver might have been written by a small company that didn’t bother to have their driver signed.

Note: 64-bit versions of Windows and Windows Server require all drivers to be signed when loaded, but this policy can be by-passed.

With that said, malware commonly installs a driver to gain access to the system and it could be exposed through this procedure. My advice is if the system is not functioning properly, then I would uninstall the unverified drivers.

Beyond driver validation, Autoruns is great for fixing performance issues as well. I simply go to all of the other tabs and uncheck/disable all of the software that I don’t recognize. Be careful when doing this and disable only the entries that you recognize and don’t want. If you accidentally disable something that you need, then its okay because Autoruns makes a backup of the entry and it can be re-enabled by running the tool again.

I hope you find this helpful.