mpksldrv.sys: what is this driver?
mpksldrv.sys is part of Microsoft Malware Protection and is developed by Microsoft Corporation, according to the file's version information.
mpksldrv.sys's description is "KSLDriver".
mpksldrv.sys is digitally signed by Microsoft Windows.
mpksldrv.sys is usually located in the 'c:\programdata\microsoft\windows defender\definition updates\' folder (in practice inside a GUID-named subfolder that each definition update creates, which is why the exact path changes from update to update).
None of the anti-virus scanners at VirusTotal reports anything malicious about mpksldrv.sys.
If you have additional information about the file, please share it with the FreeFixer users by posting a comment at the bottom of this page.
Vendor and version information
The following is the available information on mpksldrv.sys:
Property | Value |
---|---|
Product name | Microsoft Malware Protection |
Company name | Microsoft Corporation |
File description | KSLDriver |
Internal name | KSLDriver |
Original filename | KSLDriver.sys |
Legal copyright | © Microsoft Corporation. All rights reserved. |
Product version | 1.1.16540.0 |
File version | 1.1.16540.0 |
Digital signatures
mpksldrv.sys has a valid digital signature.
Property | Value |
---|---|
Signer name | Microsoft Windows |
Certificate issuer name | Microsoft Windows Production PCA 2011 |
Certificate serial number | 33000002313234cbafa8ab9a4d000000000231 |
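The signer, issuer and hash listed above are what a practitioner should verify on a live machine rather than trusting the file name. The following script is an added example for that check and is not part of the FreeFixer page; the search location under Definition Updates, the use of Get-AuthenticodeSignature/Get-FileHash, and the assumption that Defender registers the loaded copy as a transient driver service named MpKsl<hex> are this example's own. The SHA256 pins the 1.1.16540.0 build only; a newer definition update legitimately changes it, while the signer and issuer should not.

```powershell
# Added example, not from the FreeFixer page: verify a local mpksldrv.sys against
# the signer/issuer/hash reported above. Path discovery and the MpKsl<hex> service
# name are assumptions; the hash is valid only for build 1.1.16540.0.
function Test-MpKslDriver {
    [CmdletBinding()]
    param(
        [string]$Path,
        [string]$ExpectedSha256 = 'dd83cdf2560426bc0caa0b7210b313d8d0a3a633430a1fba340fae0ce5e3891b',
        [string]$ExpectedSigner = 'CN=Microsoft Windows,',                      # prefix of the certificate Subject
        [string]$ExpectedIssuer = 'CN=Microsoft Windows Production PCA 2011,'   # prefix of the certificate Issuer
    )
    $root = Join-Path $env:ProgramData 'Microsoft\Windows Defender\Definition Updates'
    if (-not $Path) {
        # Defender keeps the driver in a GUID-named subfolder; take the newest copy.
        $Path = Get-ChildItem -Path $root -Recurse -Filter 'mpksldrv.sys' -ErrorAction SilentlyContinue |
                Sort-Object LastWriteTime -Descending | Select-Object -First 1 -ExpandProperty FullName
        if (-not $Path) { throw "mpksldrv.sys not found under $root; pass -Path explicitly." }
    }

    $sig  = Get-AuthenticodeSignature -FilePath $Path
    $hash = (Get-FileHash -Path $Path -Algorithm SHA256).Hash.ToLowerInvariant()
    $ver  = (Get-Item -Path $Path).VersionInfo

    $checks = [ordered]@{
        # 'Valid' means the signature verified and chains to a trusted root. NotSigned or
        # HashMismatch on a file carrying this name is the real red flag.
        SignatureValid      = ($sig.Status -eq 'Valid')
        SignerMatches       = [bool]($sig.SignerCertificate -and $sig.SignerCertificate.Subject.StartsWith($ExpectedSigner))
        IssuerMatches       = [bool]($sig.SignerCertificate -and $sig.SignerCertificate.Issuer.StartsWith($ExpectedIssuer))
        # Exact-build pin; false after a definition update is expected, not suspicious.
        HashMatches         = ($hash -eq $ExpectedSha256.ToLowerInvariant())
        # A copy sitting in a user profile or temp folder deserves a closer look.
        InDefinitionUpdates = ($Path -like "$root\*")
    }

    [pscustomobject]@{
        Path        = $Path
        FileVersion = $ver.FileVersion
        Status      = $sig.Status
        Signer      = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
        Serial      = if ($sig.SignerCertificate) { $sig.SignerCertificate.SerialNumber } else { $null }
        Sha256      = $hash
        Checks      = [pscustomobject]$checks
        # Signature, signer and issuer decide legitimacy; hash and path are triage context.
        Legitimate  = ($checks.SignatureValid -and $checks.SignerMatches -and $checks.IssuerMatches)
    }
}

function Get-LoadedMpKslDriver {
    # Which copy is actually loaded right now. Assumption: Defender registers the
    # driver as a transient service named MpKsl followed by a hex suffix.
    Get-CimInstance -ClassName Win32_SystemDriver -Filter "Name LIKE 'MpKsl%'" |
        Select-Object Name, State, PathName
}

# Usage: check the on-disk copy, then confirm the loaded copy is the same file.
Test-MpKslDriver | Format-List
Get-LoadedMpKslDriver
```

Compare the PathName reported by Get-LoadedMpKslDriver with the Path that Test-MpKslDriver verified; if they differ, run Test-MpKslDriver -Path on the loaded one, since the loaded file is the one that matters.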
VirusTotal report
None of the 73 anti-virus programs at VirusTotal detected the mpksldrv.sys file.
Sandbox Report
The following information was gathered by attempting to execute the file inside Cuckoo Sandbox.
Summary
ERROR: Failed to execute process.
A kernel-mode driver is not a user-mode executable, so the sandbox cannot launch it as a process; no generic, signature or network observations were produced. The failed run says nothing about the file's behaviour either way.
Hashes
Property | Value |
---|---|
MD5 | 15745ca06b38006f451c6817fef086db |
SHA256 | dd83cdf2560426bc0caa0b7210b313d8d0a3a633430a1fba340fae0ce5e3891b |
What will you do with mpksldrv.sys?
To help other users, please let us know what you will do with mpksldrv.sys:
What did other users do?
The poll result listed below shows what users chose to do with mpksldrv.sys: 63% voted for removal, based on votes from 41 users.
NOTE: Please do not use this poll as the only source of input to determine what you will do with mpksldrv.sys.
Malware or legitimate?
If you feel you need more information to decide whether to keep this file or remove it, please read this guide. Note that the version information and digital signature above identify this file as a Microsoft Malware Protection component signed by Microsoft; a removal vote in the poll is not evidence that it is malicious.
And now some shameless self promotion ;)
Hi, my name is Roger Karlsson. I've been running this website since 2006. I want to let you know about the FreeFixer program. FreeFixer is a freeware tool that analyzes your system and lets you manually identify unwanted programs. Once you've identified some malware files, FreeFixer is pretty good at removing them. You can download FreeFixer here. It runs on Windows 2000/XP/2003/2008/2016/2019/Vista/7/8/8.1/10 and supports both 32- and 64-bit Windows.
Comments
Please share with the other users what you think about this file. What does this file do? Is it legitimate or something that your computer is better without? Do you know how it was installed on your system? Did you install it yourself or did it come bundled with some other software? Is it running smoothly or do you get some error message? Any information that will help to document this file is welcome. Thank you for your contributions.
I'm reading all new comments so don't hesitate to post a question about the file. If I don't have the answer perhaps another user can help you.
We met a BSOD today. The following is the dump file; we can see IMAGE_NAME: MpKslDrv.sys. So we want to know why MpKslDrv.sys would cause a BSOD. And what is this driver (MpKslDrv.sys)?
```text
Microsoft (R) Windows Debugger Version 10.0.19041.1 AMD64
Copyright (c) Microsoft Corporation. All rights reserved.
Loading Dump File [C:\Users\Stan.Du\Desktop\050921-32140-01.dmp]
Mini Kernel Dump File: Only registers and stack trace are available
SYSTEM_THREAD_EXCEPTION_NOT_HANDLED_M (1000007e)
This is a very common bugcheck. Usually the exception address pinpoints
the driver/function that caused the problem. Always note this address
as well as the link date of the driver/image that contains this address.
Some common problems are exception code 0x80000003. This means a hard
coded breakpoint or assertion was hit, but this system was booted
/NODEBUG. This is not supposed to happen as developers should never have
hardcoded breakpoints in retail code, but .
If this happens, make sure a debugger gets connected, and the
system is booted /DEBUG. This will let us see why this breakpoint is
happening.
Arguments:
Arg1: ffffffffc0000005, The exception code that was not handled
Arg2: fffff80348dbe107, The address that the exception occurred at
Arg3: ffffb880bfaec428, Exception Record Address
Arg4: ffffb880bfaebc70, Context Record Address
Debugging Details:
DUMP_FILE_ATTRIBUTES: 0x8
Kernel Generated Triage Dump
EXCEPTION_RECORD: ffffb880bfaec428 -- (.exr 0xffffb880bfaec428)
ExceptionAddress: fffff80348dbe107 (nt!KeDeregisterBugCheckReasonCallback+0x000000000000003f)
ExceptionCode: c0000005 (Access violation)
ExceptionFlags: 00000000
NumberParameters: 2
Parameter[0]: 0000000000000000
Parameter[1]: ffffffffffffffff
Attempt to read from address ffffffffffffffff
CONTEXT: ffffb880bfaebc70 -- (.cxr 0xffffb880bfaebc70)
rax=ffffca0129aff010 rbx=ffffca01512abe48 rcx=c2eb26500ccfaea2
rdx=0000000000000000 rsi=0000000000000000 rdi=ffffca01512abe00
rip=fffff80348dbe107 rsp=ffffb880bfaec660 rbp=ffffb880bfaec830
r8=0000000000000000 r9=fffff80348c8d000 r10=fffff80348fd0320
r11=ffff8f0e4079af50 r12=0000000000000000 r13=fffff8078fc76008
r14=ffffca0fdaa41b00 r15=ffffca00e9aba000
iopl=0 nv up ei pl zr na po nc
cs=0010 ss=0018 ds=002b es=002b fs=0053 gs=002b efl=00010246
nt!KeDeregisterBugCheckReasonCallback+0x3f:
fffff803`48dbe107 48395908 cmp qword ptr [rcx+8],rbx ds:002b:c2eb2650`0ccfaeaa=.
Resetting default scope
READ_ADDRESS: fffff80349033338: Unable to get MiVisibleState
Unable to get NonPagedPoolStart
Unable to get NonPagedPoolEnd
Unable to get PagedPoolStart
Unable to get PagedPoolEnd
fffff80348f7edf0: Unable to get Flags value from nt!KdVersionBlock
ffffffffffffffff
ERROR_CODE: (NTSTATUS) 0xc0000005 - 0x%p 0x%p %s
STACK_TEXT:
ffffb880`bfaec660 fffff807`8fc6b1d5 : ffffca01`512abe30 00000000`c0000002 00000000`00000000 ffffb880`00030190 : nt!KeDeregisterBugCheckReasonCallback+0x3f
ffffb880`bfaec690 ffffca01`512abe30 : 00000000`c0000002 00000000`00000000 ffffb880`00030190 00000000`00460044 : MpKslDrv+0xb1d5
ffffb880`bfaec698 00000000`c0000002 : 00000000`00000000 ffffb880`00030190 00000000`00460044 fffff807`8fc740f0 : 0xffffca01`512abe30
ffffb880`bfaec6a0 00000000`00000000 : ffffb880`00030190 00000000`00460044 fffff807`8fc740f0 ffffca01`512abe30 : 0xc0000002
```
For certain Universal Serial Bus (USB) devices, such as devices that are accessed by only a single application, you can install WinUSB (Winusb.sys) in the device's kernel-mode stack as the USB device's function driver instead of implementing a driver.
This topic contains these sections:
- Automatic installation of WinUSB without an INF file
- Installing WinUSB by specifying the system-provided device class
- Writing a custom INF for WinUSB installation
- How to create a driver package that installs Winusb.sys
Automatic installation of WinUSB without an INF file
As an OEM or independent hardware vendor (IHV), you can build your device so that the Winusb.sys gets installed automatically on Windows 8 and later versions of the operating system. Such a device is called a WinUSB device and does not require you to write a custom INF file that references in-box Winusb.inf.
When you connect a WinUSB device, the system reads device information and loads Winusb.sys automatically.
For more information, see WinUSB Device.
Installing WinUSB by specifying the system-provided device class
When you connect your device, you might notice that Windows loads Winusb.sys automatically (if the IHV has defined the device as a WinUSB Device). Otherwise follow these instructions to load the driver:
- Plug in your device to the host system.
- Open Device Manager and locate the device.
- Select and hold (or right-click) the device and select Update driver software from the context menu.
- In the wizard, select Browse my computer for driver software.
- Select Let me pick from a list of device drivers on my computer.
- From the list of device classes, select Universal Serial Bus devices.
- The wizard displays WinUsb Device. Select it to load the driver.
If Universal Serial Bus devices does not appear in the list of device classes, you need to install the driver by using a custom INF. The preceding procedure does not add a device interface GUID for an app (UWP app or Windows desktop app) to access the device. You must add the GUID manually by following this procedure:
1. Load the driver as described in the preceding procedure.
2. Generate a device interface GUID for your device, by using a tool such as guidgen.exe.
3. Find the registry key for the device under this key:
   HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USB\<VID_vvvv&PID_pppp>
4. Under the Device Parameters key, add a String registry entry named DeviceInterfaceGUID or a Multi-String entry named DeviceInterfaceGUIDs. Set the value to the GUID you generated in step 2.
5. Disconnect the device from the system and reconnect it to the same physical port. Note: if you change the physical port, you must repeat steps 1 through 4.
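Steps 2 through 4 of the procedure above, as an added example that is not part of the Microsoft documentation. It is an elevated PowerShell script; the vendor and product IDs are parameters rather than values from the text, and the refusal to write the GUID unless the instance's Service value is already WINUSB is this example's own safeguard (the GUID only does something once Winusb.sys is the function driver, step 1).

```powershell
# Added example, not from the Microsoft docs above: set DeviceInterfaceGUIDs for
# every enumerated instance of VID_vvvv&PID_pppp that is bound to Winusb.sys.
# Run elevated. VendorId/ProductId are placeholders supplied by the caller.
[CmdletBinding(SupportsShouldProcess)]
param(
    [Parameter(Mandatory)][ValidatePattern('^[0-9A-Fa-f]{4}$')][string]$VendorId,
    [Parameter(Mandatory)][ValidatePattern('^[0-9A-Fa-f]{4}$')][string]$ProductId,
    # Step 2: generate the GUID once (guidgen.exe or [guid]::NewGuid()) and then keep
    # it stable; applications locate the device by it.
    [guid]$InterfaceGuid = [guid]::NewGuid()
)

# Step 3: the device's instance keys. For one function of a composite device the
# key is VID_vvvv&PID_pppp&MI_xx instead (see the hardware-ID note later on).
$devKey = "HKLM:\SYSTEM\CurrentControlSet\Enum\USB\VID_${VendorId}&PID_${ProductId}"
if (-not (Test-Path -Path $devKey)) {
    throw "No VID_${VendorId}&PID_${ProductId} instance under Enum\USB; plug the device in first (step 1)."
}

foreach ($inst in Get-ChildItem -Path $devKey) {
    $props = Get-ItemProperty -Path $inst.PSPath
    # Only an instance already bound to Winusb.sys should get the GUID.
    if ($props.Service -ne 'WINUSB') {
        Write-Warning "$($inst.PSChildName): Service is '$($props.Service)', not WINUSB; load WinUSB first (step 1). Skipped."
        continue
    }

    $paramKey = Join-Path -Path $inst.PSPath -ChildPath 'Device Parameters'
    if (-not (Test-Path -Path $paramKey)) { New-Item -Path $paramKey -Force | Out-Null }

    $existing = (Get-ItemProperty -Path $paramKey -Name DeviceInterfaceGUIDs -ErrorAction SilentlyContinue).DeviceInterfaceGUIDs
    if ($existing) {
        Write-Host "$($inst.PSChildName) already has DeviceInterfaceGUIDs = $($existing -join ', '); leaving it alone."
        continue
    }

    # Step 4: REG_MULTI_SZ holding the GUID in registry brace form.
    if ($PSCmdlet.ShouldProcess($inst.PSChildName, "set DeviceInterfaceGUIDs = {$InterfaceGuid}")) {
        New-ItemProperty -Path $paramKey -Name DeviceInterfaceGUIDs -PropertyType MultiString `
                         -Value @("{$InterfaceGuid}") -Force | Out-Null
        Write-Host "$($inst.PSChildName): DeviceInterfaceGUIDs set to {$InterfaceGuid}"
    }
}
Write-Host 'Step 5: unplug the device and reconnect it to the same port so Winusb.sys re-reads the value.'
```

Save it as a .ps1 and run it once with -WhatIf to see which instance keys it would touch before letting it write; if you already have a GUID, pass it with -InterfaceGuid so that reinstalling does not hand applications a new one.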
Writing a custom INF for WinUSB installation
As part of the driver package, you provide an .inf file that installs Winusb.sys as the function driver for the USB device.
The following example .inf file shows WinUSB installation for most USB devices with some modifications, such as changing USB_Install in section names to an appropriate DDInstall value. You should also change the version, manufacturer, and model sections as necessary. For example, provide an appropriate manufacturer's name, the name of your signed catalog file, the correct device class, and the vendor identifier (VID) and product identifier (PID) for the device. For info on creating a catalog file, see Creating a Catalog File for Test-Signing a Driver Package.
Also notice that the setup class is set to "USBDevice". Vendors can use the "USBDevice" setup class for devices that do not belong to another class and are not USB host controllers or hubs.
If you are installing WinUSB as the function driver for one of the functions in a USB composite device, you must provide the hardware ID that is associated with the function, in the INF. You can obtain the hardware ID for the function from the properties of the devnode in Device Manager. The hardware ID string format is "USB\VID_vvvv&PID_pppp".
The following INF installs WinUSB as the OSR USB FX2 board's function driver on a x64-based system.
Starting in Windows 10, version 1709, the Windows Driver Kit provides InfVerif.exe that you can use to test a driver INF file to make sure there are no syntax issues and the INF file is universal. We recommend that you provide a universal INF. For more information, see Using a Universal INF File.
Only include a ClassInstall32 section in a device INF file to install a new custom device setup class. INF files for devices in an installed class, whether a system-supplied device setup class or a custom class, must not include a ClassInstall32 section.
Except for device-specific values and several issues that are noted in the following list, you can use these sections and directives to install WinUSB for any USB device. These list items describe the Includes and Directives in the preceding .inf file.
USB_Install: The Include and Needs directives in the USB_Install section are required for installing WinUSB. You should not modify these directives.
USB_Install.Services: The Include directive in the USB_Install.Services section includes the system-supplied .inf for WinUSB (WinUSB.inf). This .inf file is installed by the WinUSB co-installer if it isn't already on the target system. The Needs directive specifies the section within WinUSB.inf that contains information required to install Winusb.sys as the device's function driver. You should not modify these directives. Note: Because Windows XP doesn't provide WinUSB.inf, the file must either be copied to Windows XP systems by the co-installer, or you should provide a separate decorated section for Windows XP.
USB_Install.HW: This section is the key in the .inf file. It specifies the device interface globally unique identifier (GUID) for your device. The AddReg directive sets the specified interface GUID in a standard registry value. When Winusb.sys is loaded as the device's function driver, it reads the DeviceInterfaceGUIDs registry value and uses the specified GUID to represent the device interface. You should replace the GUID in this example with one that you create specifically for your device. If the protocols for the device change, create a new device interface GUID.
Note: User-mode software must call SetupDiGetClassDevs to enumerate the registered device interfaces that are associated with one of the device interface classes specified under the DeviceInterfaceGUIDs key. SetupDiGetClassDevs returns the device handle for the device that the user-mode software must then pass to the WinUsb_Initialize routine to obtain a WinUSB handle for the device interface. For more info about these routines, see How to Access a USB Device by Using WinUSB Functions.
The following INF installs WinUSB as the OSR USB FX2 board's function driver on a x64-based system. The example shows INF with WDF coinstallers.
USB_Install.CoInstallers: This section, which includes the referenced AddReg and CopyFiles sections, contains data and instructions to install the WinUSB and KMDF co-installers and associate them with the device. Most USB devices can use these sections and directives without modification.
The x86-based and x64-based versions of Windows have separate co-installers.
Note: Each co-installer has free and checked versions. Use the free version to install WinUSB on free builds of Windows, including all retail versions. Use the checked version (with the "_chk" suffix) to install WinUSB on checked builds of Windows.
Each time Winusb.sys loads, it registers a device interface that has the device interface classes that are specified in the registry under the DeviceInterfaceGUIDs key.
Note: If you use the redistributable WinUSB package for Windows XP or Windows Server 2003, make sure that you don't uninstall WinUSB in your uninstall packages. Other USB devices might be using WinUSB, so its binaries must remain in the shared folder.
How to create a driver package that installs Winusb.sys
To use WinUSB as the device's function driver, you create a driver package. The driver package must contain these files:
- WinUSB co-installer (Winusbcoinstaller.dll)
- KMDF co-installer (WdfcoinstallerXXX.dll)
- An .inf file that installs Winusb.sys as the device's function driver. For more information, see Writing an .Inf File for WinUSB Installation.
- A signed catalog file for the package. This file is required to install WinUSB on x64 versions of Windows starting with Vista.
Note: Make sure that the driver package contents meet these requirements:
- The KMDF and WinUSB co-installer files must be obtained from the same version of the Windows Driver Kit (WDK).
- The co-installer files must be obtained from the latest version of the WDK, so that the driver supports all the latest Windows releases.
- The contents of the driver package must be digitally signed with a Winqual release signature. For more info about how to create and test signed catalog files, see Kernel-Mode Code Signing Walkthrough on the Windows Dev Center - Hardware site.
1. Create a driver package folder on the machine that the USB device is connected to. For example, c:\UsbDevice.
2. Copy the WinUSB co-installer (WinusbcoinstallerX.dll) from the WinDDK\BuildNumber\redist\winusb folder to the driver package folder.
3. Copy the KMDF co-installer (WdfcoinstallerXXX.dll) from the WinDDK\BuildNumber\redist\wdf folder to the driver package folder.
   The KMDF co-installer (WdfcoinstallerXXX.dll) installs the correct version of KMDF on the target system, if necessary. The version of the WinUSB co-installer must match the KMDF co-installer, because KMDF-based client drivers such as Winusb.sys require the corresponding version of the KMDF framework to be installed properly on the system. For example, Winusbcoinstaller2.dll requires KMDF version 1.9, which is installed by Wdfcoinstaller01009.dll. The x86 and x64 versions of WdfcoinstallerXXX.dll are included with the WDK under the WinDDK\BuildNumber\redist\wdf folder. The following table shows the WinUSB co-installer and the associated KMDF co-installer to use on the target system.
   Use this table to determine the WinUSB co-installer and the associated KMDF co-installer.
4. Write an .inf file that installs Winusb.sys as the function driver for the USB device.
5. Create a signed catalog file for the package. This file is required to install WinUSB on x64 versions of Windows.
6. Attach the USB device to your computer.
7. Open Device Manager to install the driver. Follow the instructions on the Update Driver Software wizard and choose manual installation. You will need to provide the location of the driver package folder to complete the installation.
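Before handing the folder to the wizard, it is worth checking it against the requirements this section lists: one INF that brings in the in-box WinUSB sections, a catalog the INF names that carries a valid signature, and a WinUSB/KMDF co-installer pair from the same WDK. The script below is an added example of that pre-flight check and is not part of the Microsoft documentation; c:\UsbDevice is the text's own example folder, the Winusbcoinstaller2.dll/Wdfcoinstaller01009.dll pairing is the one pair the text states, and the regular expressions for the INF directives and the use of pnputil in place of the wizard are this example's assumptions.

```powershell
# Added example, not from the Microsoft docs above: pre-flight a WinUSB driver
# package folder against the section's requirements, then install with pnputil.
function Test-WinUsbDriverPackage {
    param([Parameter(Mandatory)][string]$PackagePath)
    $problems   = New-Object 'System.Collections.Generic.List[string]'
    $files      = @(Get-ChildItem -Path $PackagePath -File)
    # Only the pair the text names; other WDK versions would need the WDK table.
    $knownPairs = @{ 'winusbcoinstaller2.dll' = 'wdfcoinstaller01009.dll' }

    # INF: exactly one, carrying the directives that must not be modified.
    $inf = @($files | Where-Object Extension -eq '.inf')
    if ($inf.Count -ne 1) {
        $problems.Add("expected exactly one .inf, found $($inf.Count)")
    } else {
        $text = Get-Content -Path $inf[0].FullName -Raw
        if ($text -notmatch '(?im)^\s*Include\s*=\s*winusb\.inf') { $problems.Add('INF lacks Include=winusb.inf (USB_Install)') }
        if ($text -notmatch '(?im)^\s*Needs\s*=\s*WINUSB\.NT')    { $problems.Add('INF lacks Needs=WINUSB.NT (USB_Install)') }
        if ($text -notmatch '(?i)DeviceInterfaceGUIDs?\s*,')      { $problems.Add('INF sets no DeviceInterfaceGUID(s) (USB_Install.HW)') }

        # Catalog: must exist and verify. A test-signed catalog reports UnknownError
        # until the test certificate is trusted on this machine.
        if ($text -match '(?im)^\s*CatalogFile\s*=\s*(\S+\.cat)') {
            $catName = $matches[1]
            $cat = Join-Path -Path $PackagePath -ChildPath $catName
            if (-not (Test-Path -Path $cat)) {
                $problems.Add("catalog $catName named in the INF is missing")
            } else {
                $sig = Get-AuthenticodeSignature -FilePath $cat
                if ($sig.Status -ne 'Valid') { $problems.Add("catalog $catName signature status is $($sig.Status)") }
            }
        } else {
            $problems.Add('INF has no CatalogFile= directive')
        }
    }

    # Co-installers: both present and from the same WDK (x86 and x64 are separate files).
    $winusbCo = $files | Where-Object Name -like 'winusbcoinstaller*.dll' | Select-Object -First 1
    $kmdfCo   = $files | Where-Object Name -like 'wdfcoinstaller*.dll'    | Select-Object -First 1
    if (-not $winusbCo) { $problems.Add('WinUSB co-installer (WinusbcoinstallerX.dll) missing') }
    if (-not $kmdfCo)   { $problems.Add('KMDF co-installer (WdfcoinstallerXXX.dll) missing') }
    if ($winusbCo -and $kmdfCo) {
        $expected = $knownPairs[$winusbCo.Name.ToLowerInvariant()]
        if (-not $expected) {
            $problems.Add("no known KMDF pairing for $($winusbCo.Name); check the WDK table")
        } elseif ($kmdfCo.Name.ToLowerInvariant() -ne $expected) {
            $problems.Add("$($winusbCo.Name) needs $expected, found $($kmdfCo.Name)")
        }
    }

    [pscustomobject]@{
        Package  = $PackagePath
        Ok       = ($problems.Count -eq 0)
        Problems = $problems.ToArray()
    }
}

$result = Test-WinUsbDriverPackage -PackagePath 'C:\UsbDevice'
$result | Format-List
if ($result.Ok) {
    # Same outcome as the Update Driver Software wizard: stage the package in the
    # driver store and install it on the attached, matching device.
    pnputil.exe /add-driver (Join-Path -Path 'C:\UsbDevice' -ChildPath '*.inf') /install
}
```

A package that fails the catalog check will be rejected by the x64 kernel-mode signing policy regardless of how it is installed, so fix that first rather than retrying through the wizard.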
In this article I will try to describe a method for diagnosing problems with unsigned driver files on x64 editions of Windows, where the computer stops booting and crashes into a BSOD at startup. The system can still be booted by disabling driver signature verification at boot time (F8 -> Disable Driver Signature Enforcement). As the example in this article I will work with Windows Server 2008 R2 (which, as a reminder, exists only in a 64-bit edition), but the same method applies to Windows 7 x64 and Vista x64.
To recap the background: Microsoft decided that on 64-bit systems, starting with Windows Vista, Windows loads a driver into kernel mode only if the driver carries a digital signature. If the signature is missing, a critical error occurs during boot (which one depends on the type of driver whose loading was blocked) and a BSOD appears. The specific error and its code depend on the particular driver blocked during boot; some errors name the unsigned driver file right on the BSOD screen.
In my case, after updating drivers on a Windows 2008 R2 server, a normal boot produced a blue screen of death with the text:
STOP: c000021a {Fatal System Error}
The initial session process or system process terminated unexpectedly with a status of 0x00000000 (0xc0000428 0x00100448). The system has been shut down.
Let's find out what this error is and which driver causes it, and then identify the specific device from the driver.
First, convert the hex error code into a readable form. You can use the SLUI.EXE utility built into Windows, or look the code up in ntstatus.h, which ships with the Windows SDK (0xC0000428 is STATUS_INVALID_IMAGE_HASH). We'll use the first method and run SLUI.EXE with the error code from the command prompt.
The decoded message confirms that the BSOD is caused by a failure to verify the driver's digital signature ("Windows cannot verify digital signature for this file").
Reboot the computer and press F8 during startup. In the Advanced Boot Options menu, disable signature checking by choosing Disable Driver Signature Enforcement.
If the server boots in this mode, we know for certain that some unsigned module or driver is preventing normal startup.
The next step is identifying the file of the offending module or driver. Open Event Viewer and go to Applications and Services Logs -> Microsoft -> Windows -> CodeIntegrity -> Operational.
Note: if you get an "access denied" error when opening the logs in this branch, create a folder on drive C: and grant the Everyone group full access, then change the ETL file path to the new folder and disable and re-enable logging. (Full Control for Everyone is the quick fix; a narrower ACL that lets only the account writing the log modify the folder is preferable.)
In my case the log contains an EventID 3001 event with the text "Code Integrity determined an unsigned kernel module \Device\HarddiskVolume1\Windows\System32\win32k.sys is loaded into the system. Check with the publisher to see if a signed version of the kernel module is available". There is the offending driver!
Check whether the file carries a digital signature with the command:
If the signature is missing, the Verified field shows Unsigned (otherwise, Signed).
There are three options for resolving the failure to boot normally with an unsigned driver:
- Find a signed version of the driver
- Stop using this driver (and the device)
- Disable driver signature verification in Windows
The third option may be unacceptable for one reason or another. In the first two cases we need to determine which device this .sys driver file belongs to.
How do we identify the device knowing only the name of the .sys file? I use the following method (say we need to identify the device whose driver is named HpCISSs2.sys):
1) Open Registry Editor and search the HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001 branch for a key with the value HpCISSs2.sys
2) In my case it was found under HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\HpCISSs2
3) Expand the nested Enum subkey; we're interested in the value named 0, which in my case is PCI\VEN_103C&DEV_3230&SUBSYS_3235103C&REV_01\4&3b416f2c&0&0018
4) So the device's vendor ID is 103C and its device ID is 3230
5) Next, enter the IDs we found in the Vendor Search and Device Search fields on the PCI ID lookup site.
6) The result: the device we're looking for is the HP Smart Array P400 Controller disk controller.
All that remains is to find a newer version of the driver on the hardware vendor's site (check carefully which OS versions the driver supports) and update the driver on the computer.
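The software half of the procedure above (decode the STOP status, find the unsigned module in the CodeIntegrity log, check its signature, map the .sys file to a service and to PCI vendor/device IDs) as one elevated PowerShell script. This is an added example and not part of the original article: 0xC0000428, event ID 3001 and HpCISSs2.sys are the article's values; the P/Invoke of ntdll!RtlNtStatusToDosError in place of SLUI.EXE, Get-AuthenticodeSignature in place of the tool with the Verified column, the assumption that \Device\HarddiskVolumeN in the event text is the system drive, and the walk over CurrentControlSet rather than ControlSet001 are this example's own.

```powershell
# Added example, not from the article: status decoding, CodeIntegrity log query,
# signature check and driver-to-device mapping for unsigned-driver boot failures.

# SLUI.EXE shows the message for an NTSTATUS interactively; ntdll does the same
# mapping through RtlNtStatusToDosError plus the Win32 message table.
Add-Type -Namespace Native -Name NtDll -MemberDefinition @'
[DllImport("ntdll.dll")]
public static extern uint RtlNtStatusToDosError(uint Status);
'@

function ConvertFrom-NtStatus {
    param([Parameter(Mandatory)][string]$Status)   # as printed on the STOP screen, e.g. '0xC0000428'
    $code  = [Convert]::ToUInt32($Status.Trim(), 16)
    $win32 = [Native.NtDll]::RtlNtStatusToDosError($code)
    [pscustomobject]@{
        NtStatus  = '0x{0:X8}' -f $code
        Win32Code = $win32
        Message   = ([System.ComponentModel.Win32Exception]::new([int]$win32)).Message
    }
}

function Get-UnsignedKernelModuleEvent {
    # Event 3001 text: "Code Integrity determined an unsigned kernel module
    # \Device\HarddiskVolume1\Windows\System32\foo.sys is loaded into the system ..."
    Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-CodeIntegrity/Operational'; Id = 3001 } -ErrorAction SilentlyContinue |
        ForEach-Object {
            if ($_.Message -match '\\Device\\HarddiskVolume\d+(\\\S+?\.sys)\b') {
                [pscustomobject]@{
                    Time = $_.TimeCreated
                    Path = Join-Path -Path $env:SystemDrive -ChildPath $matches[1]   # assumption: same volume
                }
            }
        } | Sort-Object Path -Unique
}

function Test-DriverSignature {
    param([Parameter(Mandatory)][string]$Path)
    $sig = Get-AuthenticodeSignature -FilePath $Path
    [pscustomobject]@{
        Path     = $Path
        Verified = if ($sig.Status -eq 'Valid') { 'Signed' } else { 'Unsigned' }   # mirrors the Verified column
        Status   = $sig.Status   # NotSigned, HashMismatch, UnknownError ... says why it is 'Unsigned'
        Signer   = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
    }
}

function Get-DriverDevice {
    # Steps 1-4 of the registry method: service whose image is this file -> Enum\0 -> VEN_/DEV_.
    param([Parameter(Mandatory)][string]$DriverFile)   # e.g. 'HpCISSs2.sys'
    Get-ChildItem -Path 'HKLM:\SYSTEM\CurrentControlSet\Services' | ForEach-Object {
        $image = (Get-ItemProperty -Path $_.PSPath -Name ImagePath -ErrorAction SilentlyContinue).ImagePath
        # A driver service without ImagePath loads System32\drivers\<ServiceName>.sys.
        $name = if ($image) { [IO.Path]::GetFileName($image) } else { "$($_.PSChildName).sys" }
        if ($name -ieq $DriverFile) {
            $instance = (Get-ItemProperty -Path "$($_.PSPath)\Enum" -Name '0' -ErrorAction SilentlyContinue).'0'
            $ven = $dev = $null
            if ($instance -match 'PCI\\VEN_([0-9A-F]{4})&DEV_([0-9A-F]{4})') { $ven = $matches[1]; $dev = $matches[2] }
            [pscustomobject]@{
                Service   = $_.PSChildName
                ImagePath = $image
                Instance  = $instance
                VendorId  = $ven   # look these two up on a PCI ID site (step 5)
                DeviceId  = $dev
            }
        }
    }
}

# Usage, in the order the article works through the problem.
ConvertFrom-NtStatus -Status '0xC0000428'
Get-UnsignedKernelModuleEvent | ForEach-Object { Test-DriverSignature -Path $_.Path }
Get-DriverDevice -DriverFile 'HpCISSs2.sys'
```

Get-DriverDevice returns nothing for a module that has no service entry (the article's own win32k.sys hit is one such case: it is loaded by the kernel, not through a service), which is itself a useful signal that the registry method only works for device drivers.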