
xp/sigverify.exe driver check

Discussion in 'Windows XP' started by mynick, Jan 4, 2010.

  1. mynick

    mynick Flightless Bird

    if you point it to win\sys32\drivers can it detect corruption of the
    driver that causes boot stop(at volsnap.sys so bootlog is not
    written)?
    how about verifier.exe tool in the same situation?
     
  2. MowGreen

    MowGreen Flightless Bird

    mynick wrote:

    > if you point it to win\sys32\drivers can it detect corruption of the
    > driver that causes boot stop(at volsnap.sys so bootlog is not
    > written)?
    > how about verifier.exe tool in the same situation?




    sigverif.exe determines if a driver is digitally signed:
    http://support.microsoft.com/kb/308514

    Driver Verifier (verifier.exe) provides the following capabilities -
    Pool Allocations
    Provide Extreme Memory Pressure
    Parameter Validation
    Pool Allocation Injection Failure
    Pool Being Freed
    Pool Leakage Detection
    Driver Unload Checking
    I/O Verifier

    Using Driver Verifier to identify issues with Windows drivers for
    advanced users
    http://support.microsoft.com/kb/244617



    MowGreen
    ===============
    *-343-* FDNY
    Never Forgotten
    ===============

    banthecheck.com
    "Security updates should *never* have *non-security content* prechecked"
     
  3. mynick

    mynick Flightless Bird

    On Jan 5, 7:17 pm, MowGreen <mowgr...@nowandzen.com> wrote:
    > sigverif.exe determines if a driver is digitally signed: http://support.microsoft.com/kb/308514
    >
    > Driver Verifier (verifier.exe) provides the following capabilities -
    > Pool Allocations
    > Provide Extreme Memory Pressure
    > Parameter Validation
    > Pool Allocation Injection Failure
    > Pool Being Freed
    > Pool Leakage Detection
    > Driver Unload Checking
    > I/O Verifier
    >
    > Using Driver Verifier to identify issues with Windows drivers for
    > advanced users http://support.microsoft.com/kb/244617
    >
    > MowGreen
    > ===============
    >   *-343-*  FDNY
    > Never Forgotten
    > ===============
    >
    > banthecheck.com
    > "Security updates should *never* have *non-security content* prechecked"


    is it possible to use Verifier from recovery xp/cd recovery console
    because system cannot boot due to driver error?
     
  4. John John - MVP

    John John - MVP Flightless Bird

    mynick wrote:
    > is it possible to use Verifier from recovery xp/cd recovery console
    > because system cannot boot due to driver error?


    No, but you can disable the driver from the Recovery Console, use the
    DISABLE command. For help on the command do: HELP DISABLE for help on
    the command. For a list of services that can be disabled do LISTSVC.

    http://support.microsoft.com/kb/314058
    Description of the Windows XP Recovery Console for advanced users

    John
     
  5. mynick

    mynick Flightless Bird

    On Jan 6, 3:23 pm, John John - MVP <audetw...@nbnot.nb.ca> wrote:
    > No, but you can disable the driver from the Recovery Console, use the
    > DISABLE command.  For help on the command do:  HELP DISABLE for help on
    > the command.  For a list of services that can be disabled do LISTSVC.
    >
    > http://support.microsoft.com/kb/314058
    > Description of the Windows XP Recovery Console for advanced users
    >
    > John


    ok thanks
    where can one find the order of loading the drivers during boot
    I guess all drivers are noted in registry but is there a predetermined
    load list
     
  6. John John - MVP

    John John - MVP Flightless Bird

    mynick wrote:
    > ok thanks
    > where can one find the order of loading the drivers during boot
    > I guess all drivers are noted in registry but is there a predetermined
    > load list


    You can take a look in the proper Control Set (ControlSetnnn), on an up
    and running machine look at the List value at:

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\ServiceGroupOrder

    This is by no means a full list of all the drivers, if the services are
    not in the GroupOrderList they will not show at the ServiceGroupOrder
    key. Other than that the only other way that I know would be to look at
    a copy of a saved bootlog.

    John
     
  7. mynick

    mynick Flightless Bird

    On Jan 6, 4:56 pm, John John - MVP <audetw...@nbnot.nb.ca> wrote:
    > You can take a look in the proper Control Set (ControlSetnnn), on an up
    > and running machine look at the List value at:
    >
    > HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\ServiceGroupOrder
    >
    > This is by no means a full list of all the drivers, if the services are
    > not in the GroupOrderList they will not show at the ServiceGroupOrder
    > key.  Other than that the only other way that I know would be to look at
    > a copy of a saved bootlog.
    >
    > John

    -thanks but group order list and servicegrouporder subkeys only show
    groups not individual group member drivers
    -is this a typical and full xp home safe mode loading drivers list
    http://www.onlinehowto.net/tuts_pic/400_1381_safe_mode_listing.jpg
    or where can one find safe mode ntbtlog.txt because it is not
    written when boot stops early on
     
  8. John John - MVP

    John John - MVP Flightless Bird

    mynick wrote:
    > -thanks but group order list and servicegrouporder subkeys only show
    > groups not individual group member drivers


    During the early booting stage the I/O manager looks in each of the
    driver registry keys at HKEY_LOCAL_MACHINE\SYSTEM\ControlSetnnn\Services
    and sorts out the drivers by their Group and Tag numbers, then it
    consults the ServiceGroupOrder and the GroupOrderList to determine in
    which order the services should be started. There is no other list or
    easy way of knowing the load order of the drivers from any one registry
    key, you would have to sort them all and decipher the Tag order sequence
    from the binary data at the GroupOrderList, higher or lower tag numbers
    don't necessarily mean that one driver in the group will start before or
    after another one, each group has its own tag order. Quite possibly
    someone might have written a script or application to collect and
    decipher the information from the registry but I don't know of any at
    this time.

    If you want, you can search the
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSetnnn\Services keys for the service
    group and then sort them out and get a rough starting order. For
    example, on my machine these are the first three service groups:

    System Reserved
    Boot Bus Extender
    System Bus Extender

    A search for System Reserved finds nothing so I then proceed to search
    for the second one, Boot Bus Extender, here I find that the following
    drivers belong to this group:

    a347bus.sys
    ACPI.sys
    isapnp.sys
    ohci1394.sys
    pci.sys

    Then I search for the next service group, System Bus Extender, and I find:

    dmio.sys
    dmload.sys
    ftdisk.sys
    intelide.sys
    pciide.sys
    phylock.sys

    .... and so on. From this I can tell that ftdisk.sys starts after
    pci.sys because the pci.sys service order group is started before the
    ftdisk.sys group. Drivers with Tag numbers are started before those
    without but otherwise you need to decipher the tag sequence at the
    GroupOrderList key to know exactly where they fit within their group.
    Pretty tedious stuff! If you can find a script or application to sort
    it out for you then things will be pretty easy!

    What you can do is look at the registry key for the last driver that is
    shown as loaded on your boot screen and find out to which service
    group it belongs. Then find the drivers in that group and the ones in
    the next service group and from that information you can whittle down
    the list of possible candidates for the next start position.

    John
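
The sorting described in the post above, as an added example that is not part of the original thread: it decodes each GroupOrderList value (a DWORD count followed by that many DWORD tags), orders the drivers of each group, and lists the candidates for the next start position after the last driver seen on the boot screen. Group and driver names are the ones John lists; the Tag and Start numbers and both tag lists are constructed sample data, and groups missing from ServiceGroupOrder are left out.

```python
import struct

START_BOOT = 0  # Start value of boot-start drivers (4 = disabled)

# Constructed sample data. Group and driver names come from the post above;
# the Tag and Start numbers and both tag lists are made up for illustration.
SERVICE_GROUP_ORDER = ["System Reserved", "Boot Bus Extender", "System Bus Extender"]
GROUP_ORDER_LIST = {
    "Boot Bus Extender": struct.pack("<6I", 5, 1, 2, 3, 5, 4),
    "System Bus Extender": struct.pack("<4I", 3, 2, 1, 3),
}
SERVICES = {
    "a347bus": {"Group": "Boot Bus Extender", "Tag": 5, "Start": 0},
    "ACPI": {"Group": "Boot Bus Extender", "Tag": 1, "Start": 0},
    "isapnp": {"Group": "Boot Bus Extender", "Tag": 3, "Start": 0},
    "ohci1394": {"Group": "Boot Bus Extender", "Tag": 4, "Start": 0},
    "pci": {"Group": "Boot Bus Extender", "Tag": 2, "Start": 0},
    "dmio": {"Group": "System Bus Extender", "Tag": 2, "Start": 0},
    "dmload": {"Group": "System Bus Extender", "Tag": 1, "Start": 0},
    "ftdisk": {"Group": "System Bus Extender", "Tag": 3, "Start": 0},
    "intelide": {"Group": "System Bus Extender", "Start": 0},            # untagged
    "pciide": {"Group": "System Bus Extender", "Tag": 4, "Start": 4},    # disabled
    "phylock": {"Group": "System Bus Extender", "Tag": 9, "Start": 0},   # tag not listed
}


def parse_tag_order(blob):
    """Decode a GroupOrderList value: DWORD count, then that many DWORD tags."""
    if len(blob) < 4:
        return []
    (count,) = struct.unpack_from("<I", blob, 0)
    count = min(count, (len(blob) - 4) // 4)  # tolerate a truncated value
    return list(struct.unpack_from("<%dI" % count, blob, 4))


def load_order(services, group_order, tag_lists, start=START_BOOT):
    """Return [(group, [driver, ...])] for non-empty groups, in rough start order."""
    tags = {g.lower(): parse_tag_order(b) for g, b in tag_lists.items()}
    members = {}
    for name, svc in services.items():
        if svc.get("Start") == start and svc.get("Group"):
            members.setdefault(svc["Group"].lower(), []).append((name, svc.get("Tag")))

    def rank(group, entry):
        name, tag = entry
        order = tags.get(group, [])
        if tag in order:
            pos = order.index(tag)   # listed tag: its position in GroupOrderList
        elif tag is not None:
            pos = len(order)         # tagged, but the tag is not in the list
        else:
            pos = len(order) + 1     # untagged drivers go after tagged ones
        return (pos, name.lower())   # the name only makes ties deterministic

    result = []
    for group in group_order:        # ServiceGroupOrder decides the group sequence
        found = members.get(group.lower())
        if found:
            ordered = sorted(found, key=lambda e: rank(group.lower(), e))
            result.append((group, [name for name, _ in ordered]))
    return result


def candidates_after(order, last_seen):
    """Rest of last_seen's group plus the next non-empty group."""
    for i, (_, drivers) in enumerate(order):
        lowered = [d.lower() for d in drivers]
        if last_seen.lower() in lowered:
            rest = drivers[lowered.index(last_seen.lower()) + 1:]
            following = order[i + 1][1] if i + 1 < len(order) else []
            return rest + following
    return []


if __name__ == "__main__":
    order = load_order(SERVICES, SERVICE_GROUP_ORDER, GROUP_ORDER_LIST)
    for group, drivers in order:
        print(group, "->", ", ".join(drivers))
    print("next after isapnp:", candidates_after(order, "isapnp"))
```

On a live system the three inputs would come from the Services, ServiceGroupOrder and GroupOrderList keys named in the thread.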
     
  9. mynick

    mynick Flightless Bird

    On Jan 6, 12:31 pm, John John - MVP <audetw...@nbnot.nb.ca> wrote:
    > During the early booting stage the I/O manager looks in each of the
    > driver registry keys at HKEY_LOCAL_MACHINE\SYSTEM\ControlSetnnn\Services
    > and sorts out the drivers by their Group and Tag numbers, then it
    > consults the ServiceGroupOrder and the GroupOrderList to determine in
    > which order the services should be started.  There is no other list or
    > easy way of knowing the load order of the drivers from any one registry
    > key, you would have to sort them all and decipher the Tag order sequence
    > from the binary data at the GroupOrderList, higher or lower tag numbers
    > don't necessarily mean that one driver in the group will start before or
    > after another one, each group has its own tag order.  Quite possibly
    > someone might have written a script or application to collect and
    > decipher the information from the registry but I don't know of any at
    > this time.
    >
    > If you want, you can search the
    > HKEY_LOCAL_MACHINE\SYSTEM\ControlSetnnn\Services keys for the service
    > group and then sort them out and get a rough starting order.  For
    > example, on my machine these are the first three service groups:
    >
    > System Reserved
    > Boot Bus Extender
    > System Bus Extender
    >
    > A search for System Reserved finds nothing so I then proceed to search
    > for the second one, Boot Bus Extender, here I find that the following
    > drivers belong to this group:
    >
    > a347bus.sys
    > ACPI.sys
    > isapnp.sys
    > ohci1394.sys
    > pci.sys
    >
    > Then I search for the next service group, System Bus Extender, and I find:
    >
    > dmio.sys
    > dmload.sys
    > ftdisk.sys
    > intelide.sys
    > pciide.sys
    > phylock.sys
    >
    > ... and so on.  From this I can tell that ftdisk.sys starts after
    > pci.sys because the pci.sys service order group is started before the
    > ftdisk.sys group.  Drivers with Tag numbers are started before those
    > without but otherwise you need to decipher the tag sequence at the
    > GroupOrderList key to know exactly where they fit within their group.
    > Pretty tedious stuff!  If you can find a script or application to sort
    > it out for you then things will be pretty easy!
    >
    > What you can do is look at the registry key for the last driver that is
    > shown as loaded on your boot screen and find out to which service
    > group it belongs.  Then find the drivers in that group and the ones in
    > the next service group and from that information you can whittle down
    > the list of possible candidates for the next start position.
    >
    > John

    thanks volsnap is a member of eventlog group but went down the list
    from pic and was lucky with atapi.sys
    which previously ran sigverif did not detect as corrupted although it
    is supposed to be signed!!??
     
  10. John John - MVP

    John John - MVP Flightless Bird

    mynick wrote:
    > thanks volsnap is a member of eventlog group but went down the list
    > from pic and was lucky with atapi.sys
    > which previously ran sigverif did not detect as corrupted although it
    > is supposed to be signed!!??


    So, I take it that the problem is now fixed? Maybe the file only became
    corrupt after you ran Sigverif?

    John
     
