Where are the driver details stored in Windows?

  • Question

  • I'm trying to write a script that scans a couple thousand machines to determine when a specific driver was last updated. For the life of me I can't figure out where the properties are stored for the driver.

    Here's a screenshot for the field I'm trying to find: http://i.imgur.com/54CiFD6.jpg 

    I've gone through WMI and install date is always a blank field for windows drivers. I'm guessing Windows stores this value in the registry somewhere? I've searched through the registry and couldn't find anything.

    I did find I can scan the setupapi.dev.log in c:\windows\inf but that's going to make this project a lot more complicated than it needs to be.

    Currently downloading Windows Driver Kit to play around with Devcon.exe but not sure if it's going to get me what I need.  Any help would be greatly appreciated.

    Monday, May 9, 2016 2:59 PM

All replies

  • Please see these links - Where are Device Drivers stored in Windows 7? – DriverStore and How to See a List of All Installed Windows Drivers. I'm not certain how you can run the command "driverquery" remotely and get the results remotely.

    Plus scanning a couple thousand machines would take an exceptionally long time I figure.


    La vida loca

    Monday, May 9, 2016 3:16 PM
  • Devcon is the way to go on this, the data you want is not documented as to where it resides.  You cannot rely on the setupapi.dev.log, there is nothing stopping someone from deleting it, or setting the logging so nothing is present.

    Devcon has the sources so you should be able to use the SetupAPIs to write a program based on the devcon sample to directly collect the data you want.


    Don Burn Windows Driver Consulting Website: http://www.windrvr.com

    Monday, May 9, 2016 3:17 PM
  • Thanks guys.  I think I found the info in the registry.  Looks like it's in HKLM\SYSTEM\CurrentControlSet\Enum\PCI\HWID

    There's a properties tab in there that has a lot of keys and unreadable info.  I'm guessing that's where it pulls the data that populates in device manager.  This is proving a lot more difficult than I had hoped. 

    I'll dig more into devcon.  Thank you.

    Monday, May 9, 2016 3:50 PM
  • What do you really need to find: the release date of the installed driver (like in its INF DriverVersion), or when the driver has been installed?

    Can you run programs/scripts on each machine, or do you access only their disk remotely?

    You can run devcon on remote machines if this is allowed by group policy.

    -- pa


    • Edited by Pavel A Monday, May 9, 2016 5:53 PM
    Monday, May 9, 2016 4:55 PM
  • You should not be reading this information directly from the registry or the driver store on disk. There are APIs and properties on each device that represent all of the information you see in Device Manager; it is a matter of making the right query through the right API.  Devcon is a good place to start.

    d -- This posting is provided "AS IS" with no warranties, and confers no rights.

    Monday, May 9, 2016 4:59 PM
  • So we have a lot of devices out there running an old version of the Intel NIC driver.  This is causing an IPV6 flood while the machines sleep.  You can find details of the problem here - https://communities.intel.com/thread/48051?start=0&tstart=0

    We put together an SCCM package and sent it to all machines with affected NICs to update the driver.  A lot of them didn't update.  So I'm trying to build a report that shows the computer's name, network adapter, driver version, driver date, first install date, and install date.  I have everything scripted except for the first install date and install date.  

    Those are the two entries I'm struggling to get added to the script.  The same image was used for all of the machines with the same original driver.  Those two entries will tell us if the network driver was ever updated since the machine was first imaged.  If it wasn't, we can set up a compliance script in SCCM to force them to install the latest NIC driver. 

    I found the information in the registry is in a FILETIME format and have tried to decode it to a readable time format but haven't had any luck.  For instance the value for my first install date on the wifi adapter is DAE1 1A65 C948 D101 which converts to 15771916394499199233 using http://www.mobilefish.com/services/big_number/big_number.php however it doesn't work properly when I input it here:  http://www.silisoftware.com/tools/date.php?inputdate=15771916394499199233&inputformat=filetime

    It seems to convert it back to DAE11A65:C9550000 which has the last 6 digits wrong.  Wednesday, March 19, 51580 8:44:10pm is not the correct value.  Not sure why it's doing that. 

    • Edited by hsoj Monday, May 9, 2016 6:11 PM
    Monday, May 9, 2016 5:47 PM
  • Do not get this data from the registry, use the SetupAPI calls instead.


    Don Burn Windows Driver Consulting Website: http://www.windrvr.com

    Monday, May 9, 2016 6:42 PM
  • All I can find for SetupAPI calls is programming in C which I'm unfamiliar with :(

    I dabbled with devcon and I don't think it can get me the data I need.  Seems to be a very useful tool but unable to find a command for it to grab driver properties like install date.

    • Marked as answer by hsoj Monday, May 16, 2016 3:05 PM
    Monday, May 9, 2016 8:11 PM
  • Why not use DriverQuery?

     -Brian


    Azius Developer Training www.azius.com Windows device driver, internals, security, & forensics training and consulting. Blog at www.azius.com/blog

    Monday, May 9, 2016 11:20 PM
    Moderator
  • DriverQuery has no flag to give you install date and first install date.  
    Thursday, May 12, 2016 3:56 PM
  • If you're looking for a particular version of a driver, then the link date is more than sufficient. Why does the install date matter?

     -Brian


    Azius Developer Training www.azius.com Windows device driver, internals, security, & forensics training and consulting. Blog at www.azius.com/blog

    Friday, May 13, 2016 12:11 AM
    Moderator
  • I was pretty clear in my explanation above.  
    Saturday, May 14, 2016 12:37 AM
  • Aha, you probably mean the InstallTimeStamp and NetworkInterfaceInstallTimestamp values in the Net class driver keys. AFAIK these are undocumented.

    To use documented SetupAPI calls, you indeed need some C. Try to find someone who knows C.

    -- pa

    Saturday, May 14, 2016 10:17 AM
  • Yea that's exactly what I wrote up above.  
    Monday, May 16, 2016 3:05 PM