What is a SYS file?
SYS files are Windows system files, primarily kernel-mode device drivers that allow the operating system to communicate with hardware. They run at the highest privilege level (Ring 0) in the Windows kernel, giving them direct access to hardware and memory. Some SYS files are legacy configuration files (like CONFIG.SYS from MS-DOS and early Windows), but the vast majority in modern Windows are binary kernel-mode drivers.
Modifying, replacing, or deleting system SYS files — especially those in C:\Windows\System32\drivers\ — can cause Blue Screens of Death (BSOD), hardware failures, or an unbootable Windows installation. Never delete a SYS file unless you are certain of its purpose and have a recovery plan.
How to open SYS files
- Device Manager (Windows) — View which driver (.sys) is associated with each hardware device
- Driver Verifier (verifier.exe) — Built-in Windows tool for stress-testing drivers
- WinDbg (Windows) — Microsoft’s kernel debugger for analyzing driver crashes and BSOD minidumps
- Sigcheck (Sysinternals) — Verify digital signatures on SYS files
- Notepad — View text-based legacy SYS files (CONFIG.SYS)
Technical specifications
| Property | Value |
|---|---|
| Format | PE (Portable Executable) — same format as .exe and .dll |
| Privilege level | Kernel-mode (Ring 0) |
| Typical location | C:\Windows\System32\drivers\ |
| Signing requirement | Must be WHQL or Authenticode signed (Windows 10+, 64-bit) |
| Framework | WDM (Windows Driver Model), KMDF, UMDF |
| Load time | At boot (boot drivers) or on demand (service drivers) |
Common SYS files and their roles
| File | Purpose |
|---|---|
| ntfs.sys | NTFS filesystem driver |
| tcpip.sys | TCP/IP networking stack |
| nvlddmkm.sys | NVIDIA graphics driver |
| USBHUB3.sys | USB hub driver |
| Wdf01000.sys | Windows Driver Framework |
| dxgkrnl.sys | DirectX graphics kernel |
Common use cases
- Device drivers: Graphics cards, network adapters, storage controllers, printers — each needs a .sys driver
- System configuration: CONFIG.SYS on DOS/Windows 9x controlled memory management and device loading
- Virtual devices: Software drivers that simulate hardware (VPN tunnels, virtual audio devices, hypervisors)
- Security software: Antivirus and endpoint protection kernel drivers intercept I/O at this level
- Debugging tools: Tools like Wireshark use kernel drivers (npcap.sys) to capture raw network packets
Security and driver signing
Since Windows Vista 64-bit, all kernel-mode drivers must be digitally signed. Windows 10/11 enforce Secure Boot and Kernel Patch Protection (PatchGuard), making unauthorized or unsigned kernel code very difficult to load. Driver signing is enforced by Microsoft’s Hardware Developer Program (WHQL certification).
Kernel-level malware (rootkits) attempts to load malicious .sys files. SYS files that are not in System32\drivers\, are not signed by a trusted vendor, or appear after installing pirated software should be investigated. Use Autoruns (Sysinternals) to list every driver that is loaded at startup.
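The properties above (a SYS file is a PE image, kernel drivers are built for the native subsystem, and the Authenticode signature lives in the PE's certificate table) can be checked statically without loading the driver. The following Python script is an added example, not code from the original page: it parses the PE headers of a driver image, reports whether an embedded Authenticode certificate table is present, and applies the "investigate if ..." heuristics from the section above (wrong subsystem, no signature, loaded from outside System32\drivers). The sample images it inspects are constructed in `build_sample_image()` so the script runs offline. One caveat a practitioner should keep in mind: WHQL-signed drivers are often catalog-signed (the signature is in a .cat file, not in the binary), so "no embedded signature" is a prompt to check the chain with Sigcheck, not proof of tampering.

```python
"""Static triage of a .sys image: confirm it is a PE kernel-mode driver and
check for an embedded Authenticode signature.  Added example, not from the
original page; the sample images are constructed in build_sample_image()."""
import struct
from pathlib import PureWindowsPath

# Constants from the PE/COFF specification.
IMAGE_NT_OPTIONAL_HDR32_MAGIC = 0x10B
IMAGE_NT_OPTIONAL_HDR64_MAGIC = 0x20B
IMAGE_SUBSYSTEM_NATIVE = 1          # kernel-mode drivers are built for the native subsystem
IMAGE_DIRECTORY_ENTRY_SECURITY = 4  # data directory slot of the Authenticode certificate table
WIN_CERT_TYPE_PKCS_SIGNED_DATA = 0x0002
SUBSYSTEM_NAMES = {1: "NATIVE", 2: "WINDOWS_GUI", 3: "WINDOWS_CUI"}
DRIVERS_DIR = PureWindowsPath(r"C:\Windows\System32\drivers")


def parse_pe_header(data: bytes) -> dict:
    """Return machine, subsystem and certificate-table facts from a PE image."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ/PE image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    # COFF file header: Machine, NumberOfSections, TimeDateStamp,
    # PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    machine, _, _, _, _, _, characteristics = struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    opt = e_lfanew + 24  # optional header follows the 20-byte COFF header
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == IMAGE_NT_OPTIONAL_HDR32_MAGIC:
        nrva_off, dir_base = opt + 92, opt + 96
    elif magic == IMAGE_NT_OPTIONAL_HDR64_MAGIC:
        nrva_off, dir_base = opt + 108, opt + 112
    else:
        raise ValueError(f"unknown optional header magic {magic:#x}")
    subsystem = struct.unpack_from("<H", data, opt + 68)[0]  # same offset in PE32 and PE32+
    n_dirs = struct.unpack_from("<I", data, nrva_off)[0]
    cert_off = cert_size = 0
    if n_dirs > IMAGE_DIRECTORY_ENTRY_SECURITY:
        # The security directory holds a *file offset*, not an RVA.
        cert_off, cert_size = struct.unpack_from(
            "<II", data, dir_base + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY)
    signed = False
    if cert_off and cert_size >= 8 and cert_off + cert_size <= len(data):
        # WIN_CERTIFICATE: dwLength, wRevision, wCertificateType, bCertificate[]
        length, _rev, cert_type = struct.unpack_from("<IHH", data, cert_off)
        signed = cert_type == WIN_CERT_TYPE_PKCS_SIGNED_DATA and length <= cert_size
    return {
        "machine": machine,
        "pe32plus": magic == IMAGE_NT_OPTIONAL_HDR64_MAGIC,
        "characteristics": characteristics,
        "subsystem": SUBSYSTEM_NAMES.get(subsystem, str(subsystem)),
        "embedded_signature": signed,
    }


def triage_driver(path: str, data: bytes) -> list:
    """Apply the page's 'investigate if ...' heuristics; an empty list means no findings."""
    findings = []
    try:
        info = parse_pe_header(data)
    except (ValueError, struct.error) as exc:
        return [f"not a usable PE image ({exc})"]
    if info["subsystem"] != "NATIVE":
        findings.append(f"subsystem is {info['subsystem']}, not NATIVE as kernel drivers are")
    if not info["embedded_signature"]:
        # Catalog-signed (WHQL) drivers carry no embedded signature, so this is a
        # prompt to verify the chain with sigcheck, not proof of tampering.
        findings.append("no embedded Authenticode certificate table")
    if PureWindowsPath(path).parent != DRIVERS_DIR:  # PureWindowsPath compares case-insensitively
        findings.append("located outside System32\\drivers")
    return findings


def build_sample_image(subsystem: int, cert_payload: bytes = b"") -> bytes:
    """Constructed minimal PE32+ image (headers only), for demonstration purposes."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                       # e_lfanew: right after DOS header
    coff = struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, 240, 0x0022)  # AMD64, 240-byte PE32+ optional header
    opt = bytearray(240)
    struct.pack_into("<H", opt, 0, IMAGE_NT_OPTIONAL_HDR64_MAGIC)
    struct.pack_into("<H", opt, 68, subsystem)
    struct.pack_into("<I", opt, 108, 16)                          # NumberOfRvaAndSizes
    headers_len = len(dos) + 4 + len(coff) + len(opt)
    cert = b""
    if cert_payload:
        cert = struct.pack("<IHH", 8 + len(cert_payload), 0x0200,
                           WIN_CERT_TYPE_PKCS_SIGNED_DATA) + cert_payload
        struct.pack_into("<II", opt, 112 + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY, headers_len, len(cert))
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + cert


if __name__ == "__main__":
    signed_driver = build_sample_image(IMAGE_SUBSYSTEM_NATIVE, b"\x30\x82\x00\x00")  # stand-in PKCS#7 bytes
    unsigned_gui = build_sample_image(2)
    print(triage_driver(r"C:\Windows\System32\drivers\sample.sys", signed_driver))  # []
    print(triage_driver(r"C:\Users\Public\odd.sys", unsigned_gui))                  # three findings
```

To run it against a real file, pass `open(path, "rb").read()` to `triage_driver()` together with the path the driver was loaded from (for example, the ImagePath reported by Autoruns). The script only reads headers; it never loads the driver, so it is safe to use on a collected sample.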
BSOD analysis
When a kernel-mode driver causes a crash, Windows writes a minidump file to C:\Windows\Minidump\. WinDbg can open these and identify the faulting driver:
- !analyze -v: Identify the crash cause
- lmvm drivername: Show the driver's version and path
Common BSOD codes related to drivers: DRIVER_IRQL_NOT_LESS_OR_EQUAL, PAGE_FAULT_IN_NONPAGED_AREA, SYSTEM_SERVICE_EXCEPTION.