
How to detect buggy device drivers in Windows 10

When buggy third-party drivers crash a system and trigger a Blue Screen of Death (BSOD), it can be difficult to pinpoint the source among all the actively running software. An alternative to using WinDbg is to identify any device driver addition or change that occurred prior to the BSOD event.

Windows device drivers are just one part of the broader Windows operating environment function called Autorun Settings. Windows’ Autorun Settings identify Windows auto-starting software, including all Windows device drivers, during system bootup or login.

In this image, AutorunCheck Forensic v1.0.1 displays the BEFORE and AFTER state of a driver. When chasing down the cause of a system crash, knowing what changed is valuable.

As an alternative to the tried-and-true Windows Debugger method, buggy device drivers that caused Windows to go from a stable operating environment to suffering a BSOD can be discovered through a process of authenticating all device drivers and detecting any recent change events (such as device driver changes or additions).

The process of discovering, authenticating, and detecting driver state changes can be accomplished using a myriad of available Autorun utilities, but most require manually combing through all of the system’s Autorun Settings, which can be a time-consuming, frustrating process.

There are some utilities listed in the following table that are capable of automating this process through built-in functionality. These Autorun utilities allow you to take a snapshot of the current Windows system state, identify all recent system change events, and authenticate non-offending change events. These system change events identify the timeline and driver differences which ultimately help to resolve the BSOD culprit.

The following table is not a comprehensive comparison of all features of the products listed, but highlights the features that apply to BSOD issues.

Autorun utility software capable of automating driver change detection

| Product | Autoruns | AutorunCheck | ConfigSafe | FireTower Guard |
|---|---|---|---|---|
| Triggering | On-Demand | On-Demand | On-Demand | Real-Time |
| Discovery (1) | Live only | Live + Shadows | Live + Shadows | Live only |
| Authentication (2) | 2a | 2b | None | 2c |
| Change Detection (3) | Manual | Manual | Manual | Real-Time |
Notes:

  • 1: Discovery: Discover auto-starting locations for Live Windows State and Windows State in Volume Shadow Copies.
  • 2: Authentication: Authentication through file image hash value in Autorun Settings from malware databases and whitelist databases.
  • 2a: Authentication source: VirusTotal.com.
  • 2b: Authentication source: Autorun Setting Repository, and three adjustable online anti-malware engines.
  • 2c: Authentication source: Autorun Setting Repository, and three adjustable online anti-malware engines.
  • 3: Change Detection: Manually compare two Autorun snapshots vs real-time automatic change detection notification.
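
The snapshot comparison described above can be sketched in a few lines. This is an added example, not code from any of the listed products: it diffs two driver snapshots and separates authenticated changes from unauthenticated ones. The CSV layout, driver names, shortened hash values and allowlist are all constructed assumptions.

```python
import csv
import io

# Constructed snapshots (not real data): one row per driver, taken before and
# after the crash. The column layout is an assumption made for this example.
BEFORE_CSV = """name,image_path,sha256
disk,C:\\Windows\\System32\\drivers\\disk.sys,aa11
netadp,C:\\Windows\\System32\\drivers\\netadp.sys,bb22
oldusb,C:\\Windows\\System32\\drivers\\oldusb.sys,cc33
"""
AFTER_CSV = """name,image_path,sha256
disk,C:\\Windows\\System32\\drivers\\disk.sys,aa11
netadp,C:\\Windows\\System32\\drivers\\netadp.sys,bb99
gfxfilter,C:\\Windows\\System32\\drivers\\gfxfilter.sys,dd44
vendorhid,C:\\Windows\\System32\\drivers\\vendorhid.sys,ee55
"""
# Hashes already authenticated as known-good (constructed allowlist).
TRUSTED_HASHES = {"aa11", "ee55"}


def load_snapshot(text):
    """Parse a snapshot into {lowercased driver name: row}."""
    return {row["name"].lower(): row for row in csv.DictReader(io.StringIO(text))}


def diff_snapshots(before, after, trusted=frozenset()):
    """Return (kind, name, old_hash, new_hash, authenticated) change events;
    kind is 'added', 'removed' or 'changed'. Unauthenticated events sort first."""
    events = []
    for name in sorted(before.keys() | after.keys()):
        old, new = before.get(name), after.get(name)
        if old is None:
            events.append(("added", name, None, new["sha256"], new["sha256"] in trusted))
        elif new is None:
            events.append(("removed", name, old["sha256"], None, False))
        elif (old["sha256"], old["image_path"].lower()) != (new["sha256"], new["image_path"].lower()):
            events.append(("changed", name, old["sha256"], new["sha256"], new["sha256"] in trusted))
    return sorted(events, key=lambda e: (e[4], e[0] == "removed"))


def suspects(events):
    """Added or changed drivers whose new image is not authenticated."""
    return [e[1] for e in events if e[0] != "removed" and not e[4]]


if __name__ == "__main__":
    for event in diff_snapshots(load_snapshot(BEFORE_CSV), load_snapshot(AFTER_CSV), TRUSTED_HASHES):
        print(event)
```

Drivers that were added or changed and whose new hash is not on the allowlist are the ones to investigate first; authenticated changes drop to the bottom of the list.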