.SYS Windows System File

A SYS file is a Windows kernel-mode driver that runs with full hardware access at Ring 0. FileDex provides reference information only — no driver files are uploaded, loaded, or executed.

Format Structure
Header: magic bytes
Sections: code · data
MIME: octet-stream
Introduced: 1985
Proprietary
Reference by FileDex
Not convertible

System binary file. Format conversion requires recompilation.

Frequently Asked Questions

How can I inspect a .sys driver file safely?

Use PE analysis tools like CFF Explorer or IDA Free to examine the driver's imports, exports, and sections without loading it into the kernel. The dumpbin /headers command from Visual Studio also reads the PE structure statically. Never attempt to load an unknown driver, as kernel-mode code has unrestricted system access.

What causes a Blue Screen referencing a .sys file?

The .sys file named in the BSOD triggered an unrecoverable kernel-mode exception, such as accessing invalid memory or deadlocking at a raised IRQL. The stop code (e.g., IRQL_NOT_LESS_OR_EQUAL, PAGE_FAULT_IN_NONPAGED_AREA) indicates the specific failure mode. Updating or rolling back the driver through Device Manager is the standard fix.

Can I delete a .sys file I don't recognize in System32\drivers?

Do not delete .sys files from the drivers directory without identifying them first. Many legitimate drivers have obscure names, and removing a required driver can prevent Windows from booting. Use Device Manager or the sc qc command to check which service owns the driver before taking any action.

Why won't Windows load my custom .sys driver?

Windows 10 version 1607 and later require kernel-mode drivers to carry a Microsoft attestation signature or WHQL certification. Self-signed drivers load only when test-signing mode is enabled via bcdedit or Secure Boot is disabled. Check the Windows Event Log under System for driver load failure events with specific error codes.

What Sets .SYS Apart

System driver files (.sys) operate in kernel mode at Ring 0, the most privileged execution level in the x86/x64 architecture. A bug in a .sys file does not merely crash an application — it triggers a Blue Screen of Death (BSOD) because kernel-mode code shares the same address space as the Windows kernel itself. This critical distinction separates .sys files from all user-mode executables.

Explore the Technical Details

Driver Frameworks

Microsoft provides three frameworks for driver development. WDM (Windows Driver Model) is the oldest, requiring manual IRP (I/O Request Packet) dispatch and careful synchronization. KMDF (Kernel-Mode Driver Framework) wraps WDM with simplified object management, power state handling, and PnP support. UMDF (User-Mode Driver Framework) runs driver code in a user-mode host process, sacrificing direct hardware access for crash isolation — a UMDF driver failure kills only its host process, not the entire system.

Entry Point and IRP Dispatch

Every kernel-mode .sys file exports a DriverEntry function, called by the I/O manager when the driver loads. DriverEntry initializes the driver object, sets up IRP dispatch routines (create, read, write, close, device control), and creates device objects. The dispatch table is an array of function pointers indexed by IRP major function codes like IRP_MJ_CREATE and IRP_MJ_DEVICE_CONTROL. Minifilter drivers for file system filtering register with the Filter Manager instead, using altitude-based ordering to determine their position in the filter stack.

Signing Requirements

Since Windows 10 version 1607, Microsoft requires all new kernel-mode drivers to be submitted to the Windows Hardware Dev Center for attestation signing — self-signed drivers only load with test-signing mode enabled or Secure Boot disabled. WHQL (Windows Hardware Quality Labs) certification goes further, running the driver through the Hardware Lab Kit (HLK) test suite before granting a Microsoft signature. Drivers signed with a cross-certificate from a trusted CA were accepted before July 2021, but that path is now closed.

Minifilter File System Drivers

File system minifilters intercept I/O operations (file create, read, write, rename) at a specific altitude in the filter stack. Antivirus products, encryption tools, and backup software all use minifilter drivers. Each minifilter registers pre-operation and post-operation callbacks, and the Filter Manager routes IRPs through the stack in altitude order.

Technical Reference

MIME type
application/octet-stream
Magic Bytes
4D 5A (MZ). PE header for driver SYS files; some SYS files are plain-text configuration files with no header.
Developer
Microsoft
Year introduced
1985
Open standard
No

Binary Structure

A driver .sys file uses the PE format with the same MZ/PE header structure as any other Windows executable (4D 5A magic bytes, PE signature at the offset stored in e_lfanew). The optional header's Subsystem field is set to IMAGE_SUBSYSTEM_NATIVE (1), indicating a kernel-mode binary. The DriverEntry export serves as the entry point called by the Windows I/O manager during driver load.
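The header checks described above (MZ magic, PE signature at e_lfanew, Subsystem == IMAGE_SUBSYSTEM_NATIVE) are exactly what the "inspect safely" FAQ answer and the signing section rely on, so here they are carried out in a short Python script. This is an added example, not FileDex code or a Microsoft tool: it reads header bytes only, so the driver is never loaded, and it reports whether an embedded Authenticode signature is present (presence only; chain validation is still signtool's job). The offsets and constants follow the PE/COFF specification; the sample headers produced by build_sample() are constructed for offline testing and are not a real driver.

```python
"""Static PE-header triage for .sys files.

Added example, not FileDex code or a Microsoft tool. It reads header bytes
only, so the driver is never loaded and no kernel-mode code runs. Offsets
and constants follow the PE/COFF specification.
"""
import struct
import sys

# Well-known PE constants.
IMAGE_DOS_SIGNATURE = b"MZ"          # 4D 5A
IMAGE_NT_SIGNATURE = b"PE\0\0"
PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B
IMAGE_SUBSYSTEM_NATIVE = 1           # kernel-mode binary
SUBSYSTEMS = {0: "UNKNOWN", 1: "NATIVE", 2: "WINDOWS_GUI", 3: "WINDOWS_CUI"}
MACHINES = {0x14C: "I386", 0x8664: "AMD64", 0xAA64: "ARM64"}
IMAGE_DIRECTORY_ENTRY_SECURITY = 4   # Authenticode WIN_CERTIFICATE blob


def triage_sys(data: bytes) -> dict:
    """Classify a .sys blob from its headers alone; never executes it."""
    # Some legacy .sys files (e.g. CONFIG.SYS) are plain text with no PE header.
    if len(data) < 64 or data[:2] != IMAGE_DOS_SIGNATURE:
        return {"kind": "not-pe", "note": "no MZ header; possibly a text config file"}
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != IMAGE_NT_SIGNATURE:
        return {"kind": "corrupt", "note": "MZ stub without a valid PE signature"}

    # COFF file header: Machine, NumberOfSections, TimeDateStamp,
    # PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader, Characteristics.
    coff = e_lfanew + 4
    machine, nsections, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    if opt_size < 70 or opt + opt_size > len(data):
        return {"kind": "corrupt", "note": "optional header truncated"}

    (magic,) = struct.unpack_from("<H", data, opt)
    (entry_rva,) = struct.unpack_from("<I", data, opt + 16)  # AddressOfEntryPoint (DriverEntry)
    # Subsystem sits at offset 68 of the optional header for both PE32 and PE32+.
    (subsystem,) = struct.unpack_from("<H", data, opt + 68)

    # Data directories start at 96 (PE32) or 112 (PE32+). Entry 4 is the
    # security directory; its VirtualAddress is a raw file offset, not an RVA.
    dd_start = 96 if magic == PE32_MAGIC else 112
    sec_off = sec_size = 0
    sec_entry = dd_start + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY
    if opt_size >= sec_entry + 8:
        sec_off, sec_size = struct.unpack_from("<II", data, opt + sec_entry)

    return {
        "kind": "pe",
        "machine": MACHINES.get(machine, hex(machine)),
        "pe32plus": magic == PE32PLUS_MAGIC,
        "sections": nsections,
        "subsystem": SUBSYSTEMS.get(subsystem, str(subsystem)),
        "kernel_mode": subsystem == IMAGE_SUBSYSTEM_NATIVE,
        "entry_point_rva": entry_rva,
        # Presence only: chain validation still needs signtool or the catalog store.
        "has_embedded_signature": sec_off != 0 and sec_size != 0,
    }


def build_sample(subsystem: int, pe32plus: bool, signed: bool) -> bytes:
    """Constructed minimal PE headers for offline testing; not a real driver."""
    dos = bytearray(64)
    dos[:2] = IMAGE_DOS_SIGNATURE
    struct.pack_into("<I", dos, 0x3C, 64)                     # e_lfanew: right after the DOS header
    opt_size = 240 if pe32plus else 224                       # standard sizes with 16 directories
    coff = struct.pack("<HHIIIHH", 0x8664 if pe32plus else 0x14C, 3, 0, 0, 0, opt_size, 0x0002)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, PE32PLUS_MAGIC if pe32plus else PE32_MAGIC)
    struct.pack_into("<I", opt, 16, 0x5000)                   # constructed entry-point RVA
    struct.pack_into("<H", opt, 68, subsystem)
    dd_start = 112 if pe32plus else 96
    struct.pack_into("<I", opt, dd_start - 4, 16)             # NumberOfRvaAndSizes
    if signed:
        struct.pack_into("<II", opt, dd_start + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY, 0x8000, 0x1C0)
    return bytes(dos) + IMAGE_NT_SIGNATURE + coff + bytes(opt)


if __name__ == "__main__":
    # Usage: python triage_sys.py C:\Windows\System32\drivers\ntfs.sys
    blob = open(sys.argv[1], "rb").read(4096) if len(sys.argv) > 1 else build_sample(1, True, True)
    for key, value in triage_sys(blob).items():
        print(f"{key:>22}: {value}")
```

Run it against a file in System32\drivers to confirm the Subsystem reads NATIVE; a .sys that reports WINDOWS_GUI or WINDOWS_CUI is a user-mode image despite its extension, and a file with no MZ header is a text configuration file rather than a driver. A missing security directory is not by itself a red flag, since many inbox drivers are signed through a catalog file instead of an embedded signature.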

Query driver status and configuration (Other)
sc query type= driver state= all | findstr /i "DISPLAY_NAME STATE"

Lists all registered drivers on the system with their current state (running, stopped, etc.). The sc query command reads the Service Control Manager database, where kernel drivers are registered alongside services. Note that sc requires a space after each = sign (type= driver, not type=driver); without it the option is rejected.

Verify driver digital signature (Other)
signtool verify /pa /v C:\Windows\System32\drivers\ntfs.sys

Checks the Authenticode signature chain of a .sys file using the Windows SDK signtool. The /pa flag uses the default Authenticode verification policy, and /v enables verbose output showing the entire certificate chain. Many inbox drivers, ntfs.sys among them, are signed through a catalog file rather than an embedded signature; add the /a flag so signtool searches the system catalogs first and only then falls back to the embedded signature, otherwise a correctly signed inbox driver can be reported as unsigned.

Risk level: CRITICAL

Weaknesses

  • arbitrary code execution
  • privilege escalation
  • supply chain compromise
  • kernel-mode rootkit installation with complete system control
  • Bring Your Own Vulnerable Driver (BYOVD) attacks using legitimately signed but flawed drivers

Protection: FileDex does not execute, load, or parse these files. Reference page only.