Which Software Installed That Driver – And When?
Installing software that includes a driver may leave your system in an inconsistent state. If the installation fails, parts of it may remain on the system. And if the remaining part is a driver, I get nervous – drivers are not the kind of stuff I want lingering in my system’s memory. Here is a way of identifying when a driver actually got installed.
In my case, I installed, or rather tried to install, the Citrix Access Gateway (CAG) Plugin 4.6.2, a VPN client, on Windows 7 x64. That failed – the installer reported a timeout after a couple of minutes of showing a progress bar. I aborted the install, which worked, but when I rebooted the machine, it hung on shutting down. Not good.
After a reset I examined the system: nothing related to the CAG client, but in the properties of my network card I found something suspicious called “Deterministic Network Enhancer”:
But how to know whether it came from the (partly failed) install or from something else entirely? First thought: check the timestamp of the driver file. By searching the registry, I found the driver’s entries:
To my disappointment, the driver file’s dates (dne64x.sys) revealed nothing. I did not install anything in 2008 – I run Windows 7…
Then I had the idea of checking the registry. Each driver has a key under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services, and each registry key has a timestamp that gets updated whenever the key itself or a direct sub-object of the key gets changed. So I only had to get the timestamp of the key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\DNE in order to know when that driver had been installed.
But… although I run the seventh incarnation of Windows, its registry editor has not changed much in at least a decade. Regedit.exe has many shortcomings, one of them being that it does not show timestamps for registry keys. Luckily, other programmers are more than happy to fill the void. I found the interesting tool Registry Commander – one of its capabilities is to show registry key timestamps. It looks like this:
And that was the answer I sought. The DNE driver was indeed installed by the CAG client. Now I can safely disable or uninstall that driver.
What about you? Have you used any alternative registry editors? Do you prefer them over Regedit?
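The lookup described above can be scripted instead of clicking through a registry editor. The following is an added example, not code from the original post or from Registry Commander: it reads the LastWriteTime of every key under HKLM\SYSTEM\CurrentControlSet\Services through the documented advapi32 RegQueryInfoKeyW call, converts the FILETIME (100-nanosecond intervals since 1601-01-01 UTC, the same unit as .NET ticks) to a local DateTime, and lists the keys newest first. It assumes Windows with PowerShell 5.1 or later (RegistryKey.Handle requires .NET 4); the function names and the -Since parameter are my own.

```powershell
# Added example (not from the original post): list the LastWriteTime of every key
# under HKLM\SYSTEM\CurrentControlSet\Services, the timestamp Regedit does not show.
# Assumes Windows, PowerShell 5.1+ and .NET 4+ (RegistryKey.Handle).

# P/Invoke signature for the documented advapi32 RegQueryInfoKeyW call.
# lpClass/lpcchClass/lpReserved may all be NULL, so they are passed as IntPtr.Zero.
$signature = @'
[DllImport("advapi32.dll", CharSet = CharSet.Unicode)]
public static extern int RegQueryInfoKeyW(
    IntPtr hKey, IntPtr lpClass, IntPtr lpcchClass, IntPtr lpReserved,
    out uint cSubKeys, out uint cbMaxSubKeyLen, out uint cbMaxClassLen,
    out uint cValues, out uint cbMaxValueNameLen, out uint cbMaxValueLen,
    out uint cbSecurityDescriptor, out long ftLastWriteTime);
'@
if (-not ('Win32.RegQueryInfo' -as [type])) {
    Add-Type -MemberDefinition $signature -Name RegQueryInfo -Namespace Win32
}

function Get-RegistryKeyLastWriteTime {
    param([Parameter(Mandatory)][Microsoft.Win32.RegistryKey]$Key)
    $subKeys = [uint32]0; $maxSub  = [uint32]0; $maxClass = [uint32]0
    $values  = [uint32]0; $maxName = [uint32]0; $maxData  = [uint32]0
    $sdSize  = [uint32]0; $fileTime = [long]0
    $rc = [Win32.RegQueryInfo]::RegQueryInfoKeyW($Key.Handle.DangerousGetHandle(),
        [IntPtr]::Zero, [IntPtr]::Zero, [IntPtr]::Zero,
        [ref]$subKeys, [ref]$maxSub, [ref]$maxClass,
        [ref]$values, [ref]$maxName, [ref]$maxData,
        [ref]$sdSize, [ref]$fileTime)
    if ($rc -ne 0) { throw "RegQueryInfoKeyW failed for $($Key.Name): Win32 error $rc" }
    # FILETIME counts 100-ns intervals since 1601-01-01 UTC; .NET ticks use the same
    # unit, so the raw value is simply added to the 1601 epoch. This is what
    # [DateTime]::FromFileTimeUtc($fileTime) does internally.
    $epoch = [DateTime]::new(1601, 1, 1, 0, 0, 0, [DateTimeKind]::Utc)
    $epoch.AddTicks($fileTime).ToLocalTime()
}

function Get-ServiceKeyTimestamps {
    # -Since narrows the listing to keys written after a given moment, e.g. the
    # time of a failed installer run (my own parameter, not a Windows option).
    param([DateTime]$Since = [DateTime]::MinValue)
    $services = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey('SYSTEM\CurrentControlSet\Services')
    foreach ($name in $services.GetSubKeyNames()) {
        $key = $services.OpenSubKey($name)
        if ($null -eq $key) { continue }   # no read access to this key
        try {
            $written = Get-RegistryKeyLastWriteTime -Key $key
            if ($written -lt $Since) { continue }
            [PSCustomObject]@{
                Name          = $name
                LastWriteTime = $written
                # Type 1 = kernel driver, 2 = file system driver, 16/32 = Win32 service
                Type          = $key.GetValue('Type')
                ImagePath     = $key.GetValue('ImagePath')
            }
        } finally { $key.Close() }
    }
    $services.Close()
}

# Usage: everything written in the last day, newest first. The driver from the
# post would show up as the key named DNE.
Get-ServiceKeyTimestamps -Since (Get-Date).AddDays(-1) |
    Sort-Object LastWriteTime -Descending |
    Format-Table Name, LastWriteTime, Type, ImagePath -AutoSize
```

One caveat when reading the result: the timestamp is the last write to the key, not the install time. Any later change to a value in the key (for example toggling the Start value) moves it forward, while changes inside a subkey such as Parameters or Enum do not touch the parent key’s timestamp. A Type of 1 or 2 marks the entries that load into the kernel, which are the ones worth a second look after a failed install.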
Smart thing to check on the registry time stamps. I usually use more brute-force techniques. As for my own, it doesn’t really matter, but for corporate I usually take the standpoint of the system being compromised and rebuild rather. Then again, real life strikes its face, and I’m to resort to best-effort. As such, your method does provide a best-effort handling of the case, probably more efficient than brute-force methods.
I’d assume that the learning point is that we need to know what we are doing before deploying at a mass scale.
Nice stuff, Helge. I’ll have to look into Registry Commander – and I suspect I now know why my VPN stopped working when I removed the strangely named driver from my network config.
If you export a key in Regedit and ‘Save as type: Text Files’, you’ll get a file that includes Last Write Time data for registry keys. Unfortunately, this capability cannot be replicated by reg.exe, even if the specified output file has a .txt extension…
> reg export "HKLM\SYSTEM\CurrentControlSet\Services\Apple Mobile Device" AppleMobDev.txt
This simply creates a file with familiar .reg format. I requested the text format option of Regedit be added as an option of the ‘reg export’ command:
I want to be able to do something like this:
> reg export "HKLM\SYSTEM\CurrentControlSet\Services\Apple Mobile Device" /FO LIST "AppleMobDev.txt"
However, Regedit is probably good enough for what you’re looking for in this post.
Wow, that is some really good info! Thanks for sharing!
Here is an example of a registry key exported by regedit in text format:
Schlüsselname: HKEY_CURRENT_USER\Software\NVIDIA Corporation\Global\NvCplApi\Policies
Letzter Schreibzugriff: 30.09.2009 – 12:07
I found an ActiveX control called RegTimeStamp that allows reading and writing of registry key time stamps. I haven’t used it yet but it looks interesting.
“…there is an undocumented NT native API call that allows you to explicitly set the time stamp of a registry key. By utilizing the RegTimeStamp.Dll (that makes that function available to you) you can read and write time stamps on various registry keys from a VBScript or any other scripting language.”
I came across some info about registry LastWrite time when reading up on Windows forensics.
2.11.7 Registry Last Write Time
By the information stated by Lih Wern Wong (2006), every registry key has a value called LastWrite time, which is similar to a file’s last modification time. In fact, this value is a FILETIME structure, which is the same as a file’s MAC (Modified, Accessed, and Created) times. The FILETIME structure is a 64-bit value representing the number of 100-nanosecond intervals since January 1, 1601 UTC (MSDN, 2005c). The LastWrite time will be updated whenever a registry value in the key is created, modified or deleted. Tools such as Keytime.exe (Carvey, 2005a) allow an examiner to retrieve the LastWrite time of a specific key.