FullBlown Security

Windows Core Isolation - Memory Integrity : Identify non-compliant drivers

Recent versions of Windows offer a feature called "Core isolation" that uses virtualization to protect critical system processes from malicious access or tampering.

Among the available protections is "Hypervisor-protected Code Integrity (HVCI)", shown as "Memory Integrity" in the settings, which aims to prevent malicious code from leveraging low-level drivers and the kernel privileges they hold.

We highly recommend enabling this security setting.

The long explanation and the how-to for enabling Memory Integrity are described in ref 1 and ref 2 below.


But then:

  • How do you deal with non-compliant drivers that prevent the activation of the protection?

  • Better still, how do you know which process or program is using the driver, so that you know what you may impact if you choose to remove it?

Read through to find out!


Getting to work


Before we start getting rid of drivers that Windows lists as non-compliant and as preventing the activation of the Memory Integrity feature, we will first try to understand what the driver in question is and which process or service may be using it.


The goal here is to be careful and avoid leaving our system in a non-functional state while removing non-compliant drivers. We can then look at removing the driver from the device's point of view in the next section.


Which process is currently using a driver?


Now, let's pretend Windows told us that the following driver was non-compliant (that is, insecure from the Memory Integrity standpoint):

\SystemRoot\System32\drivers\vpnpbus.sys

We will refer to our article "How to investigate which Windows process currently has a file opened?" for the procedure.


By searching for the driver name ("vpnpbus.sys" in this case) in the handle search of Process Hacker, we will know instantly whether a process is currently using it, and which one. This greatly helps us assess the impact we may cause by stopping the driver or removing it from our system.


For example, the "vpnpbus.sys" driver we searched for was indeed in use at that time, meaning that some functionality of our system or devices depends on it:

Consequently, stopping or removing it may break that functionality, so let's be careful if we do so.


If Process Hacker did not find the driver in question, that does not mean it is unimportant for our system, but at least it is not always running, and therefore less critical in that sense.
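As an added example (not from the original article), the same question can be asked from an elevated PowerShell prompt: is the driver service behind the reported file loaded right now, how does it start, and which present devices are bound to it? The driver file name is the one used in the article; the function name is ours.

```powershell
# Added example, not part of the original article. Run from an elevated
# PowerShell prompt. Given a driver file name (the article's "vpnpbus.sys"),
# report the kernel service that owns it, whether it is running, and which
# present Plug and Play devices are bound to that service.
function Get-DriverUsage {
    param(
        [Parameter(Mandatory)]
        [string]$DriverFile        # e.g. 'vpnpbus.sys'
    )

    # Win32_SystemDriver lists every kernel/file-system driver service with its
    # image path, start mode and current state.
    $services = Get-CimInstance -ClassName Win32_SystemDriver |
        Where-Object {
            $_.PathName -and
            ([System.IO.Path]::GetFileName($_.PathName) -ieq $DriverFile)
        }

    if (-not $services) {
        # Not loaded as a service right now; it can still be installed in the
        # driver store (see the "Removing drivers" section of the article).
        Write-Warning "No driver service currently references $DriverFile."
        return
    }

    foreach ($svc in $services) {
        # Present devices whose 'Service' property is this driver service: these
        # are the devices (and the features behind them) that would be affected.
        $devices = Get-PnpDevice -PresentOnly -ErrorAction SilentlyContinue |
            Where-Object { $_.Service -eq $svc.Name }

        [pscustomobject]@{
            Service     = $svc.Name
            File        = $svc.PathName
            State       = $svc.State      # 'Running' = something depends on it now
            StartMode   = $svc.StartMode  # 'Boot'/'System'/'Auto' = loaded every boot
            DeviceCount = @($devices).Count
            Devices     = ($devices | ForEach-Object { "$($_.Class): $($_.FriendlyName)" }) -join '; '
        }
    }
}

# Usage: the driver name reported by the Core isolation settings page.
Get-DriverUsage -DriverFile 'vpnpbus.sys' | Format-List
```

A `State` of `Running` with one or more bound devices is the PowerShell counterpart of Process Hacker finding an open handle: something on the system depends on the driver right now. A boot or system `StartMode` with no present device is the "not always running" case the article describes.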


Removing drivers from your system


Windows 10/11 store drivers in several folders, either as installation sources or as the installed repository (ref 3):

\SystemRoot\INF
\SystemRoot\System32\drivers\
\SystemRoot\System32\DriverStore\FileRepository\

where "\SystemRoot\" is "C:\Windows" for most people.


But exactly as with programs, don't just go and try to delete the bare files, because 1) it won't work, since the files are protected even from a local admin account, and 2) an installed driver is more than a file and has information stored in other places (like the registry or other folders) that needs to be cleaned up.


The easiest (and graphical) way to remove a driver is through the Device Manager panel.


We will refer to our article "Investigate which device uses a Windows driver (device/driver relationship)" for the procedure.


Disclaimer: proceed with caution at this step since stopping or removing a driver may crash your system or prevent it from functioning properly. Understand what you are doing first.


In the Device Manager, find the problematic driver reported by Windows in the list (for example "oem6.inf"), right-click on it and choose "Remove Driver".


You will be prompted for confirmation. We want to remove the driver for every device using it, because it is the driver itself that prevents the activation of the memory security feature. Try first without checking the 2nd box, to avoid crashes and instability. So confirm it is the right driver you want to remove and click "Remove".
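As an added example (not from the original article), the PowerShell below maps the reported driver file to the published INF name that Device Manager shows (the oemNN.inf form, of which the article's "oem6.inf" is only an illustration) and reports whether Memory Integrity is actually running, which is what to re-check after the removal and a reboot. The driver file name comes from the article; the function names are ours.

```powershell
# Added example, not part of the original article. Run from an elevated
# PowerShell prompt. Maps a driver file (the article's "vpnpbus.sys") to the
# published INF (the oemNN.inf name shown in Device Manager) through the
# driver service and the devices bound to it, and reports whether Memory
# Integrity (HVCI) is running so the result can be verified after a reboot.
function Get-DriverPackageForFile {
    param([Parameter(Mandatory)][string]$DriverFile)

    # Driver file -> owning kernel service.
    $serviceNames = Get-CimInstance -ClassName Win32_SystemDriver |
        Where-Object { $_.PathName -and ([System.IO.Path]::GetFileName($_.PathName) -ieq $DriverFile) } |
        Select-Object -ExpandProperty Name

    foreach ($name in $serviceNames) {
        # Service -> devices (present or not) bound to it.
        $devices = Get-PnpDevice -ErrorAction SilentlyContinue | Where-Object { $_.Service -eq $name }
        foreach ($dev in $devices) {
            # Device -> INF the device was installed from (oemNN.inf for third-party
            # packages). DEVPKEY_Device_DriverInfPath is a standard device property key.
            $inf = (Get-PnpDeviceProperty -InstanceId $dev.InstanceId -KeyName 'DEVPKEY_Device_DriverInfPath' -ErrorAction SilentlyContinue).Data
            [pscustomobject]@{
                Service      = $name
                Device       = $dev.FriendlyName
                InstanceId   = $dev.InstanceId
                Present      = $dev.Present
                PublishedInf = $inf
            }
        }
    }
}

function Get-MemoryIntegrityState {
    # Win32_DeviceGuard exposes VBS and HVCI state. In SecurityServicesRunning and
    # SecurityServicesConfigured the value 2 stands for HVCI; in
    # VirtualizationBasedSecurityStatus the value 2 means VBS is running.
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard
    [pscustomobject]@{
        VbsRunning     = ($dg.VirtualizationBasedSecurityStatus -eq 2)
        HvciConfigured = (@($dg.SecurityServicesConfigured) -contains 2)
        HvciRunning    = (@($dg.SecurityServicesRunning) -contains 2)
    }
}

# Usage: find the oemNN.inf behind the reported driver, then check HVCI state.
Get-DriverPackageForFile -DriverFile 'vpnpbus.sys' | Format-Table -AutoSize
Get-MemoryIntegrityState
```

Cross-check the `PublishedInf` value against `pnputil /enum-drivers` before removing it in Device Manager; `pnputil /delete-driver <oemNN.inf> /uninstall` is the command-line equivalent of the dialog described above. After the reboot, `HvciRunning` should read True once no non-compliant driver remains; if it stays False while `HvciConfigured` is True, another driver is still blocking the feature and the settings page will name it.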



References