From: John John - MVP on 6 Jan 2010 10:56

mynick wrote:
> On Jan 6, 3:23 pm, John John - MVP <audetw...(a)nbnot.nb.ca> wrote:
>> mynick wrote:
>>> On Jan 5, 7:17 pm, MowGreen <mowgr...(a)nowandzen.com> wrote:
>>>> mynick wrote:
>>>>> if you point it to win\sys32\drivers can it detect corruption of the
>>>>> driver that causes boot stop(at volsnap.sys so bootlog is not
>>>>> written)?
>>>>> how about verifier.exe tool in the same situation?
>>>> sigverif.exe determines if a driver is digitally signed:
>>>> http://support.microsoft.com/kb/308514
>>>> Driver Verifier (verifier.exe) provides the following capabilities -
>>>> Pool Allocations
>>>> Provide Extreme Memory Pressure
>>>> Parameter Validation
>>>> Pool Allocation Injection Failure
>>>> Pool Being Freed
>>>> Pool Leakage Detection
>>>> Driver Unload Checking
>>>> I/O Verifier
>>>> Using Driver Verifier to identify issues with Windows drivers for
>>>> advanced users
>>>> http://support.microsoft.com/kb/244617
>>>> MowGreen
>>>> ===============
>>>> *-343-* FDNY
>>>> Never Forgotten
>>>> ===============
>>>> banthecheck.com
>>>> "Security updates should *never* have *non-security content* prechecked"
>>> is it possible use Verifier from recovery xp/cd recovery console
>>> because system cannot boot due to driver error?
>> No, but you can disable the driver from the Recovery Console, use the
>> DISABLE command. For help on the command do: HELP DISABLE for help on
>> the command. For a list of services that can be disabled do LISTSVC.
>>
>> http://support.microsoft.com/kb/314058
>> Description of the Windows XP Recovery Console for advanced users
>>
>> John
>
> ok thanks
> where can one find the order of loading the drivers during boot
> I guess all drivers are noted in registry but is there a predetermined
> load list

You can take a look in the proper Control Set (ControlSetnnn), on an up and running machine look at the List value at:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\ServiceGroupOrder

This is by no means a full list of all the drivers, if the services are not in the GroupOrderList they will not show at the ServiceGroupOrder key. Other than that the only other way that I know would be to look at a copy of a saved bootlog.

John

From: mynick on 6 Jan 2010 12:43

On Jan 6, 4:56 pm, John John - MVP <audetw...(a)nbnot.nb.ca> wrote:
> You can take a look in the proper Control Set (ControlSetnnn), on an up
> and running machine look at the List value at:
>
> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\ServiceGroupOrder
>
> This is by no means a full list of all the drivers, if the services are
> not in the GroupOrderList they will not show at the ServiceGroupOrder
> key. Other than that the only other way that I know would be to look at
> a copy of a saved bootlog.
>
> John

-thanks but group order list and servicegrouporder subkeys only show groups not individual group member drivers
-is this a typical and full xp home safe mode loading drivers list
http://www.onlinehowto.net/tuts_pic/400_1381_safe_mode_listing.jpg
or where can one find safe mode ntbtlog.txt because it is not written when boot stops early on

From: John John - MVP on 6 Jan 2010 15:31

mynick wrote:
> -thanks but group order list and servicegrouporder subkeys only show
> groups not individual group member drivers

During the early booting stage the I/O manager looks in each of the driver registry keys at HKEY_LOCAL_MACHINE\SYSTEM\ControlSetnnn\Services and sorts out the drivers by their Group and Tag numbers, then it consults the ServiceGroupOrder and the GroupOrderList to determine in which order the services should be started. There is no other list or easy way of knowing the load order of the drivers from any one registry key, you would have to sort them all and decipher the Tag order sequence from the binary data at the GroupOrderList, higher or lower tag numbers don't necessarily mean that one driver in the group will start before or after another one, each group has its own tag order. Quite possibly someone might have written a script or application to collect and decipher the information from the registry but I don't know of any at this time.

If you want, you can search the HKEY_LOCAL_MACHINE\SYSTEM\ControlSetnnn\Services keys for the service group and then sort them out and get a rough starting order. For example, on my machine these are the first three service groups:

System Reserved
Boot Bus Extender
System Bus Extender

A search for System Reserved finds nothing so I then proceed to search for the second one, Boot Bus Extender, here I find that the following drivers belong to this group:

a347bus.sys
ACPI.sys
isapnp.sys
ohci1394.sys
pci.sys

Then I search for the next service group, System Bus Extender, and I find:

dmio.sys
dmload.sys
ftdisk.sys
intelide.sys
pciide.sys
phylock.sys

.... and so on. From this I can tell that ftdisk.sys starts after pci.sys because the pci.sys service order group is started before the ftdisk.sys group. Drivers with Tag numbers are started before those without but otherwise you need to decipher the tag sequence at the GroupOrderList key to know exactly where they fit within their group. Pretty tedious stuff! If you can find a script or application to sort it out for you then things will be pretty easy!

What you can do is look at the registry key for the last driver that is shown as loaded on your boot screen and find out to which service group it belongs. Then find the drivers in that group and the ones in the next service group and from that information you can whittle down the list of possible candidates for the next start position.

John

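The sorting procedure described in the post above, as an added example that is not part of the original thread or any poster's code. It assumes each GroupOrderList value is a little-endian DWORD count followed by that many DWORD tags in start order, ignores each service's Start type, and runs on constructed sample data (the tag numbers and the `nogroupsvc` entry are invented for illustration).

```python
import struct

# Constructed sample data standing in for an exported SYSTEM hive.
GROUP_ORDER = ["System Reserved", "Boot Bus Extender", "System Bus Extender"]
TAG_LISTS = {  # GroupOrderList values: count, then tags in start order
    "Boot Bus Extender": struct.pack("<4I", 3, 1, 3, 2),
    "System Bus Extender": struct.pack("<3I", 2, 2, 1),
}
SERVICES = {  # Services\<name> -> Group and Tag values (Tag may be absent)
    "pci": {"Group": "Boot Bus Extender", "Tag": 3},
    "ACPI": {"Group": "Boot Bus Extender", "Tag": 1},
    "isapnp": {"Group": "Boot Bus Extender", "Tag": 2},
    "ohci1394": {"Group": "Boot Bus Extender", "Tag": None},
    "ftdisk": {"Group": "System Bus Extender", "Tag": 1},
    "intelide": {"Group": "System Bus Extender", "Tag": 2},
    "dmio": {"Group": "System Bus Extender", "Tag": None},
    "nogroupsvc": {"Group": None, "Tag": None},
}

def parse_tag_order(blob):
    """Decode one GroupOrderList value: DWORD count, then the tags in start order."""
    if len(blob) < 4:
        return []
    (count,) = struct.unpack_from("<I", blob, 0)
    count = min(count, (len(blob) - 4) // 4)  # tolerate a truncated value
    return list(struct.unpack_from("<%dI" % count, blob, 4))

def load_order(group_order, tag_lists, services):
    """Sort services by group position, then by tag position within the group."""
    group_rank = {g.lower(): i for i, g in enumerate(group_order)}
    tag_rank = {g.lower(): {t: i for i, t in enumerate(parse_tag_order(b))}
                for g, b in tag_lists.items()}

    def key(item):
        name, svc = item
        group = (svc.get("Group") or "").lower()
        tags = tag_rank.get(group, {})
        tag = svc.get("Tag")
        # Assumption: a Tag missing from the group's list counts as untagged.
        within = (0, tags[tag]) if tag in tags else (1, 0)
        # Services with no group, or a group not in the list, sort last.
        return (group_rank.get(group, len(group_rank)), within, name.lower())

    return [name for name, _ in sorted(services.items(), key=key)]

def next_candidates(last, group_order, tag_lists, services):
    """Drivers that could start right after `last`: rest of its group, plus the next group."""
    order = load_order(group_order, tag_lists, services)
    group_of = lambda n: (services[n].get("Group") or "").lower()
    seen, out = [group_of(last)], []
    for name in order[order.index(last) + 1:]:
        if group_of(name) not in seen:
            if len(seen) == 2:
                break
            seen.append(group_of(name))
        out.append(name)
    return out
```

With the sample data, `pci` (tag 3) sorts ahead of `isapnp` (tag 2) because the group's tag list, not the numeric tag value, sets the order.
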
From: mynick on 6 Jan 2010 22:45

On Jan 6, 12:31 pm, John John - MVP <audetw...(a)nbnot.nb.ca> wrote:
> During the early booting stage the I/O manager looks in each of the
> driver registry keys at HKEY_LOCAL_MACHINE\SYSTEM\ControlSetnnn\Services
> and sorts out the drivers by their Group and Tag numbers, then it
> consults the ServiceGroupOrder and the GroupOrderList to determine in
> which order the services should be started. There is no other list or
> easy way of knowing the load order of the drivers from any one registry
> key, you would have to sort them all and decipher the Tag order sequence
> from the binary data at the GroupOrderList, higher or lower tag numbers
> don't necessarily mean that one driver in the group will start before or
> after another one, each group has its own tag order. Quite possibly
> someone might have written a script or application to collect and
> decipher the information from the registry but I don't know of any at
> this time.
>
> If you want, you can search the
> HKEY_LOCAL_MACHINE\SYSTEM\ControlSetnnn\Services keys for the service
> group and then sort them out and get a rough starting order. For
> example, on my machine these are the first three service groups:
>
> System Reserved
> Boot Bus Extender
> System Bus Extender
>
> A search for System Reserved finds nothing so I then proceed to search
> for the second one, Boot Bus Extender, here I find that the following
> drivers belong to this group:
>
> a347bus.sys
> ACPI.sys
> isapnp.sys
> ohci1394.sys
> pci.sys
>
> Then I search for the next service group, System Bus Extender, and I find:
>
> dmio.sys
> dmload.sys
> ftdisk.sys
> intelide.sys
> pciide.sys
> phylock.sys
>
> ... and so on. From this I can tell that ftdisk.sys starts after
> pci.sys because the pci.sys service order group is started before the
> ftdisk.sys group. Drivers with Tag numbers are started before those
> without but otherwise you need to decipher the tag sequence at the
> GroupOrderList key to know exactly where they fit within their group.
> Pretty tedious stuff! If you can find a script or application to sort
> it out for you then things will be pretty easy!
>
> What you can do is look at the registry key for the last driver that is
> shown as loaded on your boot screen and find out to which service
> group it belongs. Then find the drivers in that group and the ones in
> the next service group and from that information you can whittle down
> the list of possible candidates for the next start position.
>
> John

thanks
volsnap is a member of eventlog group but went down the list from pic and was lucky with atapi.sys
which previously ran sigverif did not detect as corrupted although it is supposed to be signed!!??

From: John John - MVP on 7 Jan 2010 09:52

mynick wrote:
> thanks volsnap is a member of eventlog group but went down the list
> from pic and was lucky with atapi.sys
> which previously ran sigverif did not detect as corrupted although it
> is supposed to be signed!!??

So, I take it that the problem is now fixed? Maybe the file only became corrupt after you ran Sigverif?

John