Deleting .sys From The Drivers Folder

Someone pointed out to me that the WiX/Difxapp based installer we use does not, on uninstallation, remove the .sys file from Windows\System32\Drivers. We use a renamed devcon.exe to remove the device node, and the files staged in Windows\System32\DriverStore\FileRepository are all getting cleaned up as expected.

In the WiX script we include the difxapp:Driver element, and I tried setting the attribute DeleteFiles=“yes”. That didn’t work. Why not? Well…
https://technet.microsoft.com/en-us/ff549843(v=vs.96)

From that link, “Starting with Windows 7, the DIFxApp configuration flag to remove installed files, together with the DriverDeleteFiles attribute, are ignored by the operating system. Binary files, which were copied to a system when a driver package was installed, can no longer be deleted by using DIFxApp.”

Oh. Huh?

I’m not sure I understand the thinking here, and I have yet to find any explanation. Microsoft is free to do as it pleases, but when they don’t explain their reasoning, well-meaning developers may violate some unspoken intent.

Should I create a custom uninstall action to manually clean up the .sys file? Or does Microsoft have good reason to keep that file in place until the day the disk is formatted? (I personally don’t worry much if the file is left behind, but I do need to justify this to management if there’s a reason for it.)

Thoughts?

Thanks,
Dave


Bonus note:

The sheer breadth of Microsoft’s documentation means that sections fall out of date, unnoticed, and recommend entirely the wrong things. Look here, for instance:
https://docs.microsoft.com/en-us/windows-hardware/drivers/install/using-the-difx-tools-to-uninstall-driver-packages

From that page: “We recommend that you only use the DIFx tools to create driver uninstallers. Applications that use the DIFx tools to uninstall drivers are designed to work correctly with future versions of Windows. Although other approaches might be successful with the current versions of Windows, they may not work correctly with future versions.”

Fantastic! I’m state-of-the-art. Happy dance! Oh, wait:
https://docs.microsoft.com/en-us/windows-hardware/drivers/install/difx-guidelines

In which we learn, “Starting in Windows 10 Version 1607 (Redstone 1), the Driver Install Frameworks (DIFx) tools are no longer included in the WDK. Instead, we recommend providing your driver as a standalone package that doesn’t require an installer, ideally through Windows Update.”

(I *will* make use of Microsoft’s issue reporting to flag the outdated page; in my experience, they are quite responsive. I encourage everyone to make generous use of their reporting system to address documentation issues.)

This change was well discussed on this very forum, by the way, though in the end it seemed short on conclusions:
https://osronline.com/ShowThread.cfm?link=282146

Current versions of Windows will not delete any files copied during a driver?s initial deployment. Doesn?t matter if you use difx or any other tool or api to uninstall the driver. Nor does it delete any services that were deployed. The historical reasons are
1 app comp issues if the os deletes the files and the setup.exe runs and fails during its own uninstall.
2 there isn?t strong ref counting to know what other dependencies there are on the copied files to know when it is safe to delete the files

We have a strong desire to address this gap and delete files when the driver is uninstalled in a future release. As an interim solution you can run from driver store (dest dir is 13, not 12) and when the driver package the files are gone.

d

Bent from my phone


From: 30121620100n behalf of
Sent: Wednesday, August 15, 2018 5:43 PM
To: Windows System Software Devs Interest List
Subject: [ntdev] Deleting .sys From The Drivers Folder

Someone pointed out to me that the WiX/Difxapp based installer we use does not, on uninstallation, remove the .sys file from Windows\System32\Drivers. We use a renamed devcon.exe to remove the device node, and the files staged in Windows\System32\DriverStore\FileRepository are all getting cleaned up as expected.

In the WiX script we include the difxapp:Driver element, and I tried setting the attribute DeleteFiles=“yes”. That didn’t work. Why not? Well…
https://na01.safelinks.protection.outlook.com/?url=https%3A%2F%2Ftechnet.microsoft.com%2Fen-us%2Fff549843%2528v%3Dvs.96%2529&data=02|01|Doron.Holan%40microsoft.com|6f60ec44abb545dc4d0e08d6031139ae|72f988bf86f141af91ab2d7cd011db47|1|0|636699769852848053&sdata=arBdEOV9%2BMfFieXu3%2FMJtackON9e19po5bh2PmdyQtk%3D&reserved=0

From that link, “Starting with Windows 7, the DIFxApp configuration flag to remove installed files, together with the DriverDeleteFiles attribute, are ignored by the operating system. Binary files, which were copied to a system when a driver package was installed, can no longer be deleted by using DIFxApp.”

Oh. Huh?

I’m not sure I understand the thinking here, and I have yet to find any explanation. Microsoft is free to do as it pleases, but when they don’t explain their reasoning, well-meaning developers may violate some unspoken intent.

Should I create a custom uninstall action to manually clean up the .sys file? Or does Microsoft have good reason to keep that file in place until the day the disk is formatted? (I personally don’t worry much if the file is left behind, but I do need to justify this to management if there’s a reason for it.)

Thoughts?

Thanks,
Dave


Bonus note:

The sheer breadth of Microsoft’s documentation means that sections fall out of date, unnoticed, and recommend entirely the wrong things. Look here, for instance:
https://na01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fwindows-hardware%2Fdrivers%2Finstall%2Fusing-the-difx-tools-to-uninstall-driver-packages&data=02|01|Doron.Holan%40microsoft.com|6f60ec44abb545dc4d0e08d6031139ae|72f988bf86f141af91ab2d7cd011db47|1|0|636699769852848053&sdata=wwXw%2Fva7EJ9nrNjmKsHvEbLyPBiLnOg7nzYJDWcMHOg%3D&reserved=0

From that page: “We recommend that you only use the DIFx tools to create driver uninstallers. Applications that use the DIFx tools to uninstall drivers are designed to work correctly with future versions of Windows. Although other approaches might be successful with the current versions of Windows, they may not work correctly with future versions.”

Fantastic! I’m state-of-the-art. Happy dance! Oh, wait:
https://na01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fwindows-hardware%2Fdrivers%2Finstall%2Fdifx-guidelines&data=02|01|Doron.Holan%40microsoft.com|6f60ec44abb545dc4d0e08d6031139ae|72f988bf86f141af91ab2d7cd011db47|1|0|636699769852848053&sdata=vQj7Yl26qsqmPlVfcn%2FTOXJO4tTJv3X5SPELfy99dXI%3D&reserved=0

In which we learn, “Starting in Windows 10 Version 1607 (Redstone 1), the Driver Install Frameworks (DIFx) tools are no longer included in the WDK. Instead, we recommend providing your driver as a standalone package that doesn’t require an installer, ideally through Windows Update.”

(I *will* make use of Microsoft’s issue reporting to flag the outdated page; in my experience, they are quite responsive. I encourage everyone to make generous use of their reporting system to address documentation issues.)

This change was well discussed on this very forum, by the way, though in the end it seemed short on conclusions:
https://na01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fosronline.com%2FShowThread.cfm%3Flink%3D282146&data=02|01|Doron.Holan%40microsoft.com|6f60ec44abb545dc4d0e08d6031139ae|72f988bf86f141af91ab2d7cd011db47|1|0|636699769852848053&sdata=JaNwNeIU6bjdMlpJZ2odQ1E8T46hhJcuSHIRkr7ggLc%3D&reserved=0


NTDEV is sponsored by OSR

Visit the list online at: https:

MONTHLY seminars on crash dump analysis, WDF, Windows internals and software drivers!
Details at https:

To unsubscribe, visit the List Server section of OSR Online at https:</https:></https:></https:>

Thanks, Doron. One way or another I’m not going to force deletion, then.

I wasn’t aware it was okay to run from the driver store. I’ll need to see how well that scheme plays with upgrade scenarios (where the current version of the driver is in the Drivers folder), and I’ll need to do something other than specify “13” for the destination dirid for Windows 7 support (on Windows 7, the driver ends up installed to System32\unknown; fair enough, as it’s documented as being valid on Windows 8.1 and up).

Probably the simplest route is just to leave the file be. If Microsoft deems it should be left alone for the benefit of stability, I expect management will accept it.

Thanks again for your quick and thorough response, I appreciate it!

Dave

“13” isn’t a good number.

– pa

Running from the Driver Store, while it (probably) works is not a good solution. It’s most unexpected, for one thing. It looks like an error, and it’s a support problem waiting to happen IMHO.

Probably the simplest route is just to leave the file be.

That’s what I would do.

Peter
OSR
@OSRDrivers

Running from driver store is the wave of the future :wink:

Bent from my phone


From: 30611716400n behalf of
Sent: Thursday, August 16, 2018 8:14 AM
To: Windows System Software Devs Interest List
Subject: RE:[ntdev] Deleting .sys From The Drivers Folder

Running from the Driver Store, while it (probably) works is not a good solution. It’s most unexpected, for one thing. It looks like an error, and it’s a support problem waiting to happen IMHO.

Probably the simplest route is just to leave the file be.

That’s what I would do.

Peter
OSR
@OSRDrivers


NTDEV is sponsored by OSR

Visit the list online at: https:

MONTHLY seminars on crash dump analysis, WDF, Windows internals and software drivers!
Details at https:

To unsubscribe, visit the List Server section of OSR Online at https:</https:></https:></https:>

> Running from driver store is the wave of the future :wink:

Thanks for the heads-up. Sincerely.

When we GET to that future, we’ll all expect driver executables to be run out of the driver store and all will be right with the world.

Will you be able to successfully link your drivers with “Just My Code” in the future too? Cuz, you know, telling the difference between F10 and F11 is SOOO trying.

Peter
OSR
@OSRDrivers

> Will you be able to successfully link your drivers with “Just My Code” in the future too? Cuz, you know, telling the difference between F10 and F11 is SOOO trying.

I honestly have no idea what you are staying with this. What is F10 and 11?

From a pragmatic POV running from driver store does let you deploy the crt or other binaries that have historically been problematic (esp around versioning) when you deploy to global directories

d

Bent from my phone


From: 30551635500n behalf of
Sent: Thursday, August 16, 2018 1:32 PM
To: Windows System Software Devs Interest List
Subject: RE:[ntdev] Deleting .sys From The Drivers Folder

Running from driver store is the wave of the future :wink:

Thanks for the heads-up. Sincerely.

When we GET to that future, we’ll all expect driver executables to be run out of the driver store and all will be right with the world.

Will you be able to successfully link your drivers with “Just My Code” in the future too? Cuz, you know, telling the difference between F10 and F11 is SOOO trying.

Peter
OSR
@OSRDrivers


NTDEV is sponsored by OSR

Visit the list online at: https:

MONTHLY seminars on crash dump analysis, WDF, Windows internals and software drivers!
Details at https:

To unsubscribe, visit the List Server section of OSR Online at https:</https:></https:></https:>

>I honestly have no idea what you are staying with this. What is F10 and 11?

Sorry for the lack of context, and the abrubt thread drift. My bad.

This has nothing to do with running from the driver store. I’m just irrationally being “annoyed” by changes this afternoon.

Why? Because I’ve only just recovered from ranting about the latest issue with Visual Studio and the WDK (Which results in the Debug build of drivers suddenly getting “unresolved symbol” errors, because in VS 15.8 the VS team had the *outstanding* idea to enable “Just My Code” debugging – which jumps OVER and not INTO library functions during debugging – by default.)

https:</https:>

Sorry!

Peter
OSR
@OSRDrivers

I had my aha moment when I read the rant a few minutes ago :wink:

Bent from my phone


From: 30121426600n behalf of
Sent: Thursday, August 16, 2018 1:55 PM
To: Windows System Software Devs Interest List
Subject: RE:[ntdev] Deleting .sys From The Drivers Folder

I honestly have no idea what you are staying with this. What is F10 and 11?

Sorry for the lack of context, and the abrubt thread drift. My bad.

This has nothing to do with running from the driver store. I’m just irrationally being “annoyed” by changes this afternoon.

Why? Because I’ve only just recovered from ranting about the latest issue with Visual Studio and the WDK (Which results in the Debug build of drivers suddenly getting “unresolved symbol” errors, because in VS 15.8 the VS team had the *outstanding* idea to enable “Just My Code” debugging – which jumps OVER and not INTO library functions during debugging – by default.)

https:

Sorry!

Peter
OSR
@OSRDrivers


NTDEV is sponsored by OSR

Visit the list online at: https:

MONTHLY seminars on crash dump analysis, WDF, Windows internals and software drivers!
Details at https:

To unsubscribe, visit the List Server section of OSR Online at https:</https:></https:></https:></https:>

> Running from driver store is the wave of the future :wink:

So the future is already here. At least some sys files in system32\drivers are hardlinks to the driver store. The following is on my RS5 machine:

fsutil hardlink list “C:\Windows\System32\drivers\netr28x.sys”
\Windows\System32\DriverStore\FileRepository\netr28x.inf_amd64_2456905a9fcd405d\netr28x.sys
\Windows\System32\drivers\netr28x.sys
\Windows\WinSxS\amd64_dual_netr28x.inf_31bf3856ad364e35_10.0.17713.1000_none_60656ff08099cd3a\netr28x.sys

fsutil file queryfileid “C:\Windows\System32\drivers\netr28x.sys”
File ID is 0x00000000000000000027000000074380

fsutil file queryfileid C:\Windows\System32\DriverStore\FileRepository\netr28x.inf_amd64_2456905a9fcd405d\netr28x.sys
File ID is 0x00000000000000000027000000074380

– pa

Those hard links are precursors to truly running from the store. If you have pnplockdown=1 in your inf pnp install will create these hard links instead of copying the files. Run from driver store has no hard links or copies.

d

Bent from my phone


From: 30121701200n behalf of
Sent: Thursday, August 16, 2018 2:57 PM
To: Windows System Software Devs Interest List
Subject: RE:[ntdev] Deleting .sys From The Drivers Folder

Running from driver store is the wave of the future :wink:

So the future is already here. At least some sys files in system32\drivers are hardlinks to the driver store. The following is on my RS5 machine:

fsutil hardlink list “C:\Windows\System32\drivers\netr28x.sys”
\Windows\System32\DriverStore\FileRepository\netr28x.inf_amd64_2456905a9fcd405d\netr28x.sys
\Windows\System32\drivers\netr28x.sys
\Windows\WinSxS\amd64_dual_netr28x.inf_31bf3856ad364e35_10.0.17713.1000_none_60656ff08099cd3a\netr28x.sys

fsutil file queryfileid “C:\Windows\System32\drivers\netr28x.sys”
File ID is 0x00000000000000000027000000074380

fsutil file queryfileid C:\Windows\System32\DriverStore\FileRepository\netr28x.inf_amd64_2456905a9fcd405d\netr28x.sys
File ID is 0x00000000000000000027000000074380

– pa


NTDEV is sponsored by OSR

Visit the list online at: https:

MONTHLY seminars on crash dump analysis, WDF, Windows internals and software drivers!
Details at https:

To unsubscribe, visit the List Server section of OSR Online at https:</https:></https:></https:>