How to List Drivers Across All Windows Devices

Using Kolide, you can easily view and query Windows Drivers across your fleet.

Introduction

Device drivers are software that enables an operating system like Windows to communicate with the hardware and hardware peripherals that make up your PC.

Microsoft Windows comes with built-in (or is able to automatically obtain) drivers for thousands of common devices including monitors, printers, and built-in hardware components (like Wi-Fi and Bluetooth radios). Additionally, device manufacturers can provide their own drivers that can allow Windows (and the programs that run on Windows) to access the full capabilities and performance of the device. This is common for specialized hardware like video cards and multi-function printers.

Microsoft automatically ships drivers and driver updates through Windows Update to improve compatibility and to fix security, performance, and stability issues. Third-party drivers, on the other hand, are normally updated by accompanying software installed by the end user (for example, NVIDIA updates the drivers for its graphics cards through a program called GeForce Experience).

In the past, unstable or buggy drivers created by third parties were a common source of device crashes (also known as the Blue Screen of Death). Since the release of Windows XP in 2001, Microsoft has required all manufacturers to have their third-party drivers go through a certification process to ensure the hardware and driver's quality. If approved, Microsoft signs the driver, which enables end users to install it on their devices.

What Windows Driver Data Can Kolide Collect?

Kolide's endpoint agent bundles in osquery to efficiently collect Windows Drivers from Windows devices in your fleet. Once collected, Kolide will parse, clean up, and centrally store this data in Inventory for your team to view, query, or export via API.

Kolide meticulously documents every piece of data returned so you can understand the results.

Windows Drivers Schema

| Column | Type | Description |
| --- | --- | --- |
| id | Primary Key | Unique identifier for the object |
| device_id | Foreign Key | Device associated with the entry |
| device_name | Text | Display name of the device associated with the entry |
| class_name | Text | Device class of the driver. Example: "SYSTEM" |
| description | Text | The description of the driver. In practice often identical to the driver's name |
| device_driver_name | Text | The display name of the device driver |
| driver_device_id | Text | Device identifier of the device. Example: "ROOT\FTDISK\0000" |
| image_path | Text | The path to the driver image file |
| inf | Text | The INF file (setup information file) associated with the driver |
| manufacturer | Text | Manufacturer of the driver. Example: "Microsoft" |
| provider | Text | Provider of the driver. Example: "Microsoft" |
| service | Text | The name of the Windows service associated with the driver (if it exists) |
| service_key | Text | The registry key of the Windows service associated with the driver (if it exists) |
| signed | Boolean | true if driver is signed; otherwise false |
| version | Text | The version of the device driver |
| version_date | Date | The date associated with the version of the driver (supplied by the INF file) |
| version_major | Bigint | version's semver major version (ex: 4.2.1 would yield 4) |
| version_minor | Bigint | version's semver minor version (ex: 4.2.1 would yield 2) |
| version_patch | Bigint | version's semver patch version (ex: 4.2.1 would yield 1) |
| version_subpatch | Bigint | version's numeric status fourth position number (ex: 4.2.1.6 would yield 6) |
| collected_at | Timestamp | Time the row of data was first collected in the database |
| updated_at | Timestamp | Time the row of data was last changed in the database |

What Can You Do With This Information?

Kolide enables you to write your own queries against the data the agent collects. This allows you to build your own reports and API endpoints. For example, you can:

Locate Unsigned Drivers

Kolide SQL

```sql
SELECT device_name, device_driver_name, signed, version
FROM windows_drivers
WHERE signed = false
```

Example Results

| signed | version | device_name | device_driver_name |
| --- | --- | --- | --- |
| false | 3.5.0.0 | DESKTOP-2HFBS8U | Built-in Trackpad Device (Trackpad++) |

List Non-Microsoft Drivers

Kolide SQL

```sql
SELECT device_name, device_driver_name, provider, class_name
FROM windows_drivers
WHERE provider != 'Microsoft'
```

Example Results

| provider | class_name | device_name | device_driver_name |
| --- | --- | --- | --- |
| Apple Inc. | SYSTEM | DESKTOP-2HFBS8U | Apple panel backlight |
| Cirrus Logic, Inc. | MEDIA | DESKTOP-2HFBS8U | Cirrus Logic CS8409 (AB 57) |
| Apple Inc. | SYSTEM | DESKTOP-2HFBS8U | Apple graphics mux |
| Apple Inc. | SYSTEM | DESKTOP-2HFBS8U | Apple SMC device |
| Apple Inc. | SYSTEM | DESKTOP-2HFBS8U | Apple input device |

Enumerate all Display Drivers

Kolide SQL

```sql
SELECT device_name, device_driver_name, provider, class_name, version
FROM windows_drivers
WHERE class_name = 'DISPLAY'
```

Example Results

| version | provider | class_name | device_name | device_driver_name |
| --- | --- | --- | --- | --- |
| 21.19.128.7 | Advanced Micro Devices, Inc. | DISPLAY | DESKTOP-2HFBS8U | AMD Radeon Pro 460 |

Why Should I Collect Windows Drivers?

IT & Security administrators may review Windows drivers for several reasons. These reasons include:

  • Verifying the proper installation of required drivers
  • Ensuring there are no unsigned or compromised drivers installed on the system
  • Verifying the correct versions of popular drivers are installed

Old and deprecated drivers can make Windows PCs unstable, cause crashes, or create security holes as bad actors discover vulnerabilities. Additionally, some variants of malware use drivers to compromise the integrity of the device. By listing drivers, IT and Security teams can gain visibility into this class of malware.
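
The review reasons above can be combined into one triage query. This is an added example, not Kolide's own code: it flags every unsigned driver, plus third-party drivers older than the newest copy of the same driver seen in the fleet. As assumptions, an in-memory SQLite table stands in for the `windows_drivers` inventory, and the device names, driver names and versions are constructed.

```python
import sqlite3

# Constructed sample rows; columns follow the Windows Drivers schema on this page.
# (device_name, device_driver_name, provider, signed, version, version_date)
ROWS = [
    ("DESKTOP-A", "Example Trackpad", "Example Corp", 0, "3.5.0.0", "2016-03-01"),
    ("DESKTOP-A", "Example GPU", "Example Graphics", 1, "21.0.0.1", "2017-01-10"),
    ("DESKTOP-B", "Example GPU", "Example Graphics", 1, "27.0.0.4", "2021-06-02"),
    ("DESKTOP-B", "Example Button", "Microsoft", 1, "10.0.1.1", "2006-06-21"),
    ("DESKTOP-C", "Example GPU", "Example Graphics", 1, "27.0.0.4", "2021-06-02"),
]

# Flag (1) any unsigned driver and (2) third-party drivers whose version_date
# is older than the newest copy of the same driver seen anywhere in the fleet.
# ISO dates stored as text compare correctly as strings in SQLite.
TRIAGE_SQL = """
WITH newest AS (
    SELECT device_driver_name, provider, MAX(version_date) AS newest_date
    FROM windows_drivers
    GROUP BY device_driver_name, provider
)
SELECT d.device_name, d.device_driver_name, d.version,
       CASE WHEN d.signed = 0 THEN 'unsigned'
            ELSE 'older than newest in fleet' END AS reason
FROM windows_drivers AS d
JOIN newest AS n
  ON n.device_driver_name = d.device_driver_name AND n.provider = d.provider
WHERE d.signed = 0
   OR (d.provider != 'Microsoft' AND d.version_date < n.newest_date)
ORDER BY d.device_name, d.device_driver_name
"""

def triage(rows=ROWS):
    """Load rows into an in-memory stand-in table and return flagged drivers."""
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE windows_drivers (device_name TEXT, device_driver_name TEXT,"
        " provider TEXT, signed INTEGER, version TEXT, version_date TEXT)"
    )
    db.executemany("INSERT INTO windows_drivers VALUES (?, ?, ?, ?, ?, ?)", rows)
    try:
        return db.execute(TRIAGE_SQL).fetchall()
    finally:
        db.close()

if __name__ == "__main__":
    for row in triage():
        print(row)
```

Microsoft-provided drivers are left out of the version comparison because, as described in the introduction, they are updated through Windows Update; they are still flagged if unsigned.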

End-User Privacy Consideration

Kolide practices Honest Security. We believe that data should be collected from end-user devices transparently and with privacy in mind.

In normal circumstances, enumerating the Windows Drivers on a PC should not reveal personal information about the users. That being said, it could reveal the presence of specific hardware peripherals that have been connected to the device.

When you use Kolide to list Windows Driver data from end-user devices, Kolide gives the people using those devices insight into exactly what data is collected, the privacy implications, and who on the IT team can see the data. This all happens in our end-user privacy center, which employees can access through their Slack or Google Workspace account.
