Finding what is trying to load a driver

Sineira · Oct 27, 2022

I deleted old drivers to be able to turn on memory integrity.
It complained about old unused drivers and I deleted them.
Some of them were old orphaned sys files. I also found one old sys file called amsdk.sys and I deleted it because nothing should be using it.
However when Windows boots something is trying to use it but I don't know what.
How do I figure that out?

clam1952 · Oct 27, 2022

Should be related to an antimalware program, not a Windows driver as such. SystemLookup - amsdk

Assuming it wasn't a malware version, it may belong to whatever anti malware programs you have or have had in the past that didn't uninstall properly, apparently it runs as a service which is probably why Windows is complaining it's missing.

Sineira · Oct 27, 2022

How do I figure out which service?
I can't see anything pointed out in the Event Viewer.
I never had any anti-malware installed and am very suspicious of this file now.

clam1952 · Oct 27, 2022

Sineira said:
How do I figure out which service?
I can't see anything pointed out in the Event Viewer.
I never had any anti-malware installed and am very suspicious of this file now.

Which Service is where Google isn't providing any answer other than it may be infected by malware GitHub - ReCryptLLC/CVE-2022-42045

We discovered an Arbitrary code injection in Zemana amsdk.sys kernel-mode driver, a part of Zemana Antimalware SDK. The vulnerability allows to inject an arbitrary code into the one of the driver code sections and then to execute it with kernel-mode privileges (local privileges escalation from admin to kernel mode). This vulnerability could be used, for example, to disable Driver Signature Enforcement and then to install unsigned kernel-mode drivers.

I'd suggest checking for any malware for a start.

Ben Myers · Oct 27, 2022

Autoruns has a "Drivers" tab. Run it as administrator and make sure that "Hide Windows entries" under "Options" is unchecked.

Ben

glasskuter · Oct 27, 2022

Sineira said:
when Windows boots something is trying to use it

What message do you get that indicates it is calling for that driver?

See if it occurs in a clean boot state. If it doesn't happen in a clean boot, you have some software conflict. Brink's procedure will help you weed out which one using the process of elimination. Perform a Clean Boot in Windows 11 to Troubleshoot Software Conflicts Tutorial

clam1952 · Oct 27, 2022

Found some more on amsdk also used by WildTangent Games, from what I remember a cause of problems a few years back. OK Quick Google, It's a Web driver for on and offline games.

May help: https://www.techwalla.com/articles/how-to-remove-wild-tangent-malware

Dru2 · Oct 27, 2022

This phrase says you know what the driver is (name of driver)....

Sineira said:
However when Windows boots something is trying to use it but I don't know what.

If so, Google "it" (the driver) and it may tell you what app/device it's used for or at least point you in the right direction.

Example this: amsdk.sys - does this sound familiar? Are you running any third-party malware software?

That said, there are no guarantees what you seek will be found. And if found the info may be as clear a mud. But nothing beats a failure but a try.

Good luck.

Sineira · Oct 28, 2022

glasskuter said:
What message do you get that indicates it is calling for that driver?

See if it occurs in a clean boot state. If it doesn't happen in a clean boot, you have some software conflict. Brink's procedure will help you weed out which one using the process of elimination. Perform a Clean Boot in Windows 11 to Troubleshoot Software Conflicts Tutorial

I get this type of pop-up now with memory integrity turned on.
Autoruns is awesome, lots of stale references to clean up and unneeded garbage starting for no reason.

glasskuter · Oct 28, 2022

AsIO.sys is a virtual driver for Asus PC Probe. It is specific to ASUS computers. See if there is a updated Realtek ASIO driver on manufacturer site.

x BlueRobot · Oct 28, 2022

I would remove ASUS PC Probe altogether, it's motherboard bloatware and that driver has a number of issues with it.

Sineira · Oct 28, 2022

I have these entries I can't delete within autoruns.
How do I get rid of them?

glasskuter · Oct 28, 2022

Autoruns has to be run as administrator.

Sineira · Oct 28, 2022

glasskuter said:
Autoruns has to be run as administrator.

It fails even running as admin.

glasskuter · Oct 28, 2022

Instead of trying to delete them, uncheck them. Then go back into autoruns and try deleting the autorun entry. If it won't delete, as long as it's unchecked it won't load so don't worry about it.