How does NTLite decide which drivers are not used?

Some drivers, such as Named Pipe Service Trigger Provider (npsvctrig.sys), are not detected by NTLite as drivers required for Host Machine, even when such drivers run in the background all the time and have "System" for Start Type. How does NTLite know that such a running driver isn't used? There are hardware-specific drivers that require respective hardware to be connected before NTLite session for NTLite to determine Host Machine needs, but I don't understand how it applies to System drivers, especially ones that always run in the background.
 
Those software devices, not actually real hardware, should be filtered out from that list.
They are deployed by an installer or a real device driver. If you make a list of those that are missed, I'll gladly check and filter them out; those drivers do not need integrating.
 
nuhi's referring to kernel API drivers, which generally shouldn't be tampered with because they can cause Windows crashes.

The safe way to remove them is unchecking the Component which owns that kernel feature (and driver). Maybe the way to ask this question is: can NTLite provide a listed component for every kernel driver that's displayed?
 
It is yet another double-edged sword. Kernel drivers have access to all memory. There is no need to keep unnecessary ones running and it is even better to not have such at all, but I don't know enough to figure out whether Microsoft decides to enable and run some drivers in the background without those drivers actually performing any tasks other than elevating attack surface or there is more to it. For example, "RdyBoost" driver is set to run on boot and it is used for Prefetching. If Prefetching is disabled, this driver keeps running, but is there any use to it? Simple disablement of this driver will cause a BSOD on boot, which can make one think that such a driver is necessary, but there is no BSOD if entries for this driver are removed from Windows registry lower filter list. There are quite a few other drivers that can be disabled without any perceived negative effect, but as I said, I don't know how to know for sure. I hope NTLite can somehow detect whether a running driver is used by the OS somehow or not. If not, then it can be removed. I guess not?
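
As an added example that is not part of the thread: a read-only PowerShell sketch that lists kernel and file-system drivers set to start at Boot or System and marks those named in a device class's UpperFilters or LowerFilters value, the kind of filter-list entry the post above describes for RdyBoost. It assumes the standard Services and Control\Class registry layout and checks class-level filters only, not per-device filters.

```powershell
# Added example: read-only audit, nothing is modified.
$servicesKey = 'HKLM:\SYSTEM\CurrentControlSet\Services'
$classKey    = 'HKLM:\SYSTEM\CurrentControlSet\Control\Class'
$startNames  = @{ 0 = 'Boot'; 1 = 'System'; 2 = 'Automatic'; 3 = 'Manual'; 4 = 'Disabled' }

# Map each filter driver name to the device setup classes that list it.
$filterRefs = @{}
foreach ($class in Get-ChildItem -Path $classKey -ErrorAction SilentlyContinue) {
    $props = Get-ItemProperty -Path $class.PSPath -ErrorAction SilentlyContinue
    foreach ($valueName in 'UpperFilters', 'LowerFilters') {
        # REG_MULTI_SZ values come back as string arrays; a missing value is $null.
        foreach ($driver in @($props.$valueName)) {
            if (-not $driver) { continue }
            $key = $driver.ToLowerInvariant()
            if (-not $filterRefs.ContainsKey($key)) { $filterRefs[$key] = @() }
            $filterRefs[$key] += "$valueName of $($props.Class) $($class.PSChildName)"
        }
    }
}

# Walk the service entries and keep only driver services.
$report = foreach ($svc in Get-ChildItem -Path $servicesKey -ErrorAction SilentlyContinue) {
    $p = Get-ItemProperty -Path $svc.PSPath -ErrorAction SilentlyContinue
    # Type 1 = kernel driver, Type 2 = file system driver
    if ($p.Type -notin 1, 2) { continue }
    if ($null -eq $p.Start) { continue }
    $name = $svc.PSChildName
    [pscustomobject]@{
        Driver     = $name
        Start      = $startNames[[int]$p.Start]
        FilterRefs = ($filterRefs[$name.ToLowerInvariant()] -join '; ')
    }
}

# Show the drivers that load at boot or system start; FilterRefs is empty
# when no class filter list names the driver.
$report |
    Where-Object { $_.Start -in 'Boot', 'System' } |
    Sort-Object Driver |
    Format-Table -AutoSize -Wrap
```

A driver listed with a filter reference is part of that class's device stack, so its filter entry has to be considered before its Start value is changed.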
 
Do you understand how Component-Based Servicing works? Drivers belong to a component. Remove that component, and no more drivers.

ReadyBoost is represented by SuperFetch.

There are several kernel components if you feel brave enough to break, like Bind Filter, ETW log filters, several Storage services, VSS, and Hyper-V support. It's possible to run without those services if you don't have any dependencies. Do some background research on a given kernel feature before deciding you want to remove it.
 
It is not as simple as that... Removal of some components without additional changes to files and/or registry creates issues. For example, until recently, removal of "MicrosoftWindows.Client.FileExp_cw5n1h2txyewy" component would break explorer in Windows 11. A fix for that is to remove "C:\Windows\System32\Windows.UI.FileExplorer.dll" lines in all "2aa9162e-c906-4dd9-ad0b-3d24a8eef5a0" and "6480100b-5a83-4d1e-9f69-8ae5a88e9a33" CLSIDs in the registry.

Microsoft also doesn't mind creating dependencies of some components on others or on files from other components. The same can very much apply to drivers, making "Remove that component, and no more drivers" a somewhat misleading statement. I don't know that for sure, which is why I ask. I think this is a case of looking at it case-by-case, driver-by-driver.
 