cheat sheet
driverquery
Display all installed device drivers on a local or remote Windows machine — module name, type, link date, and driver file path — for hardware audits and troubleshooting.
driverquery — List Installed Drivers
What it is
driverquery is a built-in Windows command that enumerates all currently installed kernel-mode and user-mode device drivers and reports their module name, display name, driver type, and link date. Use it to audit which drivers are installed on a machine, check driver dates for staleness, or verify that a driver was successfully installed. The PowerShell equivalent is Get-WindowsDriver or dism /online /Get-Drivers; for signing status, use sigverif.exe.
Availability
driverquery ships as C:\Windows\System32\driverquery.exe on Windows XP and later.
driverquery /?
Output:
Displays a list of all installed device drivers and their properties.
DRIVERQUERY [/S system [/U username [/P [password]]]]
[/FO format] [/NH] [/SI] [/V]
Syntax
driverquery [/S host] [/U user] [/P pass] [/FO format] [/NH] [/SI] [/V]
Output: (driver list)
Essential options
| Switch | Meaning |
|---|---|
| /FO TABLE | Tabular output (default) |
| /FO LIST | One field per line per driver |
| /FO CSV | Comma-separated values — best for scripting |
| /NH | Suppress column headers |
| /SI | Show signing information (provider, date, version, signer) |
| /V | Verbose: add start mode, state, accept stop, accept pause, paged pool, code, BSS |
| /S host | Query a remote machine |
| /U domain\user | Credentials for remote query |
| /P password | Password for /U; omit the value to be prompted instead of typing it on the command line |
Basic driver list
Running driverquery without arguments produces a table of every installed driver with its module name, display name, driver type, and link date.
driverquery
Output:
Module Name Display Name Driver Type Link Date
============ ====================== ============= ======================
1394ohci 1394 OHCI Compliant H Kernel 12/7/2019 7:33:54 AM
ACPI Microsoft ACPI Driver Kernel 12/7/2019 8:12:47 AM
acpiex Microsoft ACPIEx Drive Kernel 12/7/2019 8:12:47 AM
...
WdFilter Microsoft antimalware File System 1/15/2026 1:22:03 PM
WdNisDrv Microsoft Network Ins Kernel 1/15/2026 1:22:03 PM
CSV format for scripting
/FO CSV is the best format for automated processing — pipe to findstr, import into Excel, or feed into a monitoring script.
driverquery /FO CSV
Output:
"Module Name","Display Name","Driver Type","Link Date"
"1394ohci","1394 OHCI Compliant Host Controller","Kernel","12/7/2019 7:33:54 AM"
"ACPI","Microsoft ACPI Driver","Kernel","12/7/2019 8:12:47 AM"
...
driverquery /FO CSV /NH
Output:
"1394ohci","1394 OHCI Compliant Host Controller","Kernel","12/7/2019 7:33:54 AM"
"ACPI","Microsoft ACPI Driver","Kernel","12/7/2019 8:12:47 AM"
...
Signing information (/SI)
/SI adds four columns showing the vendor (Provider), date, version, and whether the driver is digitally signed. An unsigned driver shows FALSE in the Is Signed column — a potential security or stability concern.
driverquery /SI /FO TABLE
Output:
Module Name Display Name Is Signed Manufacturer DDI Compliance Image Path
============ ====================== ========== =================== =============== ===========
1394ohci 1394 OHCI Compliant H TRUE Microsoft FALSE ...
WdFilter Microsoft antimalware TRUE Microsoft FALSE ...
SomeUnsigned Unknown PCI Device FALSE Unknown FALSE ...
Filtering for specific drivers
Pipe driverquery output to findstr to search for a particular driver by module name or display name.
driverquery | findstr /I "nvidia"
Output:
nvlddmkm NVIDIA Windows Kernel Kernel 3/12/2026 4:15:22 PM
nvhda NVIDIA High Definition Kernel 3/12/2026 4:15:22 PM
driverquery /FO CSV /NH | findstr /I "audio"
Output:
"HDAudBus","Microsoft UAA Bus Driver for High Definition Audio","Kernel","12/7/2019 7:33:54 AM"
"snd_hda_codec","Realtek High Definition Audio","Kernel","2/28/2026 10:14:06 AM"
Verbose output (/V)
/V adds driver start mode (Boot, System, Auto, Demand, Disabled), state (Running, Stopped), and memory usage columns.
driverquery /V | findstr /I "disk"
Output:
disk Disk Driver Kernel Boot Running TRUE TRUE 0 0
diskperf Disk Performance Driv Kernel Demand Stopped TRUE FALSE 0 0
Remote driver query (/S)
/S queries a remote machine's driver list over the network. Requires appropriate network permissions.
driverquery /S myhost /U DOMAIN\alicedev /FO CSV
Output:
Password: (prompted)
"Module Name","Display Name","Driver Type","Link Date"
...
Driver type and start mode reference
driverquery reports two important taxonomies — driver type (where in the kernel the driver runs) and start mode (when in the boot sequence Windows loads it). Knowing both helps you triage which drivers might be implicated in a boot failure, a BSOD, or a USB device disappearing.
| Driver type | Examples | Notes |
|---|---|---|
| Kernel | NIC drivers, AHCI, USB hubs | Standard kernel-mode driver |
| File System | NTFS, FAT, ReFS | File system drivers |
| FS Filter | WdFilter (Defender), bindflt | File-system mini-filters; intercept I/O |
| Network | TCPIP, NetBT | Older NDIS-style network drivers |
| Boot Bus Extender | volmgr, partmgr | Drivers needed to enumerate the boot disk |
| System | ACPI, PCI | Bus drivers needed during HAL init |
| Recognizer | (legacy) | FS-recognizer drivers |
| Start mode | Numeric | Meaning |
|---|---|---|
| Boot | 0 | Loaded by the boot loader before the kernel — critical to boot |
| System | 1 | Loaded during kernel init |
| Auto | 2 | Loaded at service-control-manager start |
| Demand | 3 | Loaded on-demand when a device or service triggers it |
| Disabled | 4 | Configured but not loaded |
rem Show only Boot-start drivers (these matter most for boot failures)
driverquery /V /FO CSV /NH | findstr ",\"Boot\","
Output:
"acpi","Microsoft ACPI Driver","Kernel","Boot","Running","TRUE","TRUE","0","0"
"disk","Disk Driver","Kernel","Boot","Running","TRUE","TRUE","0","0"
"volmgr","Volume Manager","Kernel","Boot","Running","TRUE","TRUE","0","0"
...
Verbose (/V) column reference
/V adds eight columns to the default four. Knowing what they mean turns the verbose output from noise into a diagnostic.
| Column | Meaning |
|---|---|
| Module Name | Short module name (matches \Driver\<name>) |
| Display Name | Friendly name |
| Description | Driver description |
| Driver Type | Kernel / File System / etc. |
| Start Mode | Boot / System / Auto / Demand / Disabled |
| State | Running / Stopped |
| Status | OK / Error / Degraded |
| Accept Stop | Can the driver be stopped at runtime? |
| Accept Pause | Can it be paused? |
| Paged Pool | Bytes in paged pool |
| Code | Code section size in bytes |
| BSS | BSS section size in bytes |
| Link Date | When the binary was linked |
| Path | Full path to the .sys file |
| Init(bytes) | Init section size |
driverquery /V /FO LIST | findstr /B /C:"Module Name" /C:"Display Name" /C:"State" /C:"Status" /C:"Path"
Output:
Module Name: WdFilter
Display Name: Microsoft antimalware file system filter driver
State: Running
Status: OK
Path: C:\Windows\system32\DRIVERS\WdFilter.sys
Signing information (/SI) field reference
/SI lists driver signing detail, which matters when reviewing Secure Boot and HVCI readiness and when hunting for ransomware-driven driver-loading attacks ("BYOVD", bring your own vulnerable driver). The signing columns are:
| Column | Meaning |
|---|---|
| Is Signed | TRUE if the binary has an Authenticode signature trusted by Windows |
| Manufacturer | Signing certificate's Subject CN |
| DDI Compliance | Driver-Device-Interface compliance — newer WHQL-signed drivers |
| Image Path | Full path to the .sys file |
driverquery /SI /FO CSV /NH | findstr /V ",\"TRUE\","
Output:
"SomeUnsigned","Unknown PCI Device","Kernel","1/1/2020 12:00:00 AM","FALSE","Unknown","1/1/2020","1.0.0.0"
Cross-check with sigverif.exe
The GUI sigverif.exe performs a full Authenticode validation and writes results to %USERPROFILE%\Documents\WINDOWS\sigverif.txt. For scripts, Get-AuthenticodeSignature against each .sys is equivalent.
Get-ChildItem C:\Windows\System32\drivers\*.sys |
Get-AuthenticodeSignature |
Where-Object Status -ne 'Valid' |
Select-Object Path, Status, SignerCertificate
Output:
Path Status SignerCertificate
---- ------ -----------------
C:\Windows\System32\drivers\unsigned.sys NotSigned
C:\Windows\System32\drivers\expired.sys HashMismatch CN=Old Vendor, ...
Get-PnpDevice — PowerShell device inventory
Get-PnpDevice is the PowerShell cmdlet that enumerates Plug-and-Play devices (richer than driverquery, which only enumerates loaded drivers). Each device exposes status, instance ID, class, and friendly name.
# All devices with their status
Get-PnpDevice | Group-Object Status | Format-Table Count, Name
Output:
Count Name
----- ----
142 OK
3 Error
7 Unknown
# Devices in error (yellow bang in Device Manager)
Get-PnpDevice | Where-Object Status -ne 'OK' |
Select-Object Class, FriendlyName, Status, InstanceId
Output:
Class FriendlyName Status InstanceId
----- ------------ ------ ----------
Unknown Unknown PCI Device Error PCI\VEN_8086&DEV_A0EF\3&11583659&0&FE
USB USB Mass Storage Error USB\VID_0951&PID_1666\AAAA
# Get the device's driver from an InstanceId
$d = Get-PnpDevice -InstanceId 'PCI\VEN_10DE&DEV_2204\...'
Get-PnpDeviceProperty -InputObject $d -KeyName DEVPKEY_Device_DriverVersion,
DEVPKEY_Device_DriverDate,
DEVPKEY_Device_DriverProvider |
Select-Object KeyName, Data
Output:
KeyName Data
------- ----
DEVPKEY_Device_DriverVersion 32.0.15.6614
DEVPKEY_Device_DriverDate 3/12/2026 12:00:00 AM
DEVPKEY_Device_DriverProvider NVIDIA
# Disable a flaky device
Get-PnpDevice -FriendlyName '*Bluetooth*' |
Disable-PnpDevice -Confirm:$false
# Re-enable
Get-PnpDevice -FriendlyName '*Bluetooth*' |
Enable-PnpDevice -Confirm:$false
Get-WindowsDriver — DISM driver enumeration
Get-WindowsDriver (from the DISM module) lists staged drivers in the driver store — including third-party packages that may or may not currently be in use. This is what you query after a driver upgrade to confirm the new version is staged.
# Third-party driver packages (Microsoft-provided ones excluded)
Get-WindowsDriver -Online |
Where-Object ProviderName -ne 'Microsoft' |
Select-Object Driver, OriginalFileName, ProviderName, ClassName, Date, Version |
Sort-Object Date -Descending
Output:
Driver OriginalFileName ProviderName ClassName Date Version
------ ---------------- ------------ --------- ---- -------
oem42.inf nvlddmkm.inf NVIDIA Display 3/12/2026 32.0.15.6614
oem17.inf iaStorAC.inf Intel HDC 2/28/2026 19.5.0.1037
oem09.inf RealtekHAudio.inf Realtek MEDIA 2/28/2026 6.0.1.8800
# Detail of one driver
Get-WindowsDriver -Online -Driver oem42.inf
Output:
Driver : oem42.inf
ClassName : Display
Date : 3/12/2026 12:00:00 AM
Version : 32.0.15.6614
ProviderName : NVIDIA
pnputil — driver-store administration
pnputil is the in-box CLI for adding, deleting, and exporting drivers from the driver store. Pair with Get-WindowsDriver for a full lifecycle.
rem List all staged third-party drivers
pnputil /enum-drivers
Output:
Microsoft PnP Utility
Published Name : oem42.inf
Original Name : nvlddmkm.inf
Provider Name : NVIDIA
Class Name : Display adapters
Class GUID : {4d36e968-e325-11ce-bfc1-08002be10318}
Driver Version : 03/12/2026 32.0.15.6614
Signer Name : Microsoft Windows Hardware Compatibility Publisher
rem Add a new driver to the store
pnputil /add-driver "C:\Drivers\NewNic\nic.inf" /install
Output:
Microsoft PnP Utility
Adding driver package: nic.inf
Driver package added successfully.
Published Name: oem47.inf
Total driver packages: 1
Added driver packages: 1
rem Remove an old driver (force = remove even if in use)
pnputil /delete-driver oem42.inf /uninstall /force
Output:
Microsoft PnP Utility
Driver package uninstalled.
Driver package deleted successfully.
rem Export all drivers to a folder (useful for re-image)
pnputil /export-driver * C:\DriverBackup
Output:
Microsoft PnP Utility
Exporting driver package: oem1.inf
Driver package exported successfully.
Exporting driver package: oem2.inf
Driver package exported successfully.
...
Total driver packages exported: 47
Driver event correlation
A driver problem usually leaves a trail in three places: PnP Event Log, System Event Log, and the SetupAPI.dev.log.
rem PnP-related events from the System log
wevtutil qe System ^
/q:"*[System[Provider[@Name='Microsoft-Windows-Kernel-PnP' or @Name='PlugPlayManager']]]" ^
/c:10 /rd:true /f:text
Output:
Event[0]:
Log Name: System
Source: Microsoft-Windows-Kernel-PnP
Date: 2026-05-20T09:14:22.118
Event ID: 410
Level: Information
Description: Driver Management has concluded the process to install driver oem47.inf for Device Instance ID PCI\VEN_8086.
Event[1]:
Log Name: System
Source: PlugPlayManager
Date: 2026-05-19T22:01:08.402
Event ID: 257
Level: Information
Description: The driver pnputil.exe was installed for plug and play ID ROOT\SYSTEM\0000.
rem Driver installation history
type C:\Windows\INF\setupapi.dev.log | findstr /I "nvidia installed"
Output:
>>> [Device Install (DiskClassInstaller) - PCI\VEN_10DE...]
>>> Section start 2026-05-12 11:08:42.412
dvi: Driver Node #0 was installed.
ndv: Installed device driver nvidia display driver.
dvi: Installed device driver nv_disp.inf successfully.
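Kernel-PnP events cover drivers that arrive through device installation; a driver registered directly as a service is recorded by the Service Control Manager as System event 7045 instead. The PowerShell below is an added example, not part of the original cheat sheet, that lists those registrations and checks each binary's signature; the 30-day window and the English "kernel mode driver" text match are assumptions.

```powershell
# Added example: kernel-driver service registrations recorded in the System log (event 7045).
# Assumes an English-language system: "kernel mode driver" is the localized Service Type text.
$since = (Get-Date).AddDays(-30)   # look-back window, chosen for illustration

Get-WinEvent -FilterHashtable @{
        LogName      = 'System'
        ProviderName = 'Service Control Manager'
        Id           = 7045
        StartTime    = $since
    } -ErrorAction SilentlyContinue |
ForEach-Object {
    # 7045 properties: 0 = service name, 1 = image path, 2 = service type, 3 = start type
    $name, $image, $type, $start = $_.Properties[0..3].Value
    if ($type -notmatch 'kernel mode driver') { return }   # skip ordinary services

    # Normalise the path forms the SCM records: \??\C:\..., \SystemRoot\..., system32\...
    $path = $image.Trim('"') -replace '^\\\?\?\\', ''
    $path = $path -replace '^\\SystemRoot\\', "$env:SystemRoot\"
    if ($path -notmatch '^[A-Za-z]:\\') { $path = Join-Path $env:SystemRoot $path }

    # The binary may already have been deleted; only check the signature if it is on disk
    $sig = if (Test-Path -LiteralPath $path) {
        Get-AuthenticodeSignature -LiteralPath $path
    }

    [PSCustomObject]@{
        Installed = $_.TimeCreated
        Service   = $name
        StartType = $start
        Path      = $path
        SigStatus = if ($sig) { $sig.Status } else { 'FileMissing' }
        Signer    = if ($sig) { $sig.SignerCertificate.Subject }
    }
} | Sort-Object Installed -Descending | Format-Table -AutoSize -Wrap
```

A Valid status only means the signature verifies; a known-vulnerable driver is validly signed, so treat an unexpected service name or path as worth a look even when SigStatus is Valid.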
Common pitfalls
- Module name is truncated in TABLE output — the Module Name column is fixed-width and may cut off long names; use /FO CSV for full names.
- Link date is not the install date — the link date is when the driver binary was compiled, not when it was installed on this machine; a very old link date is not necessarily a problem if the driver is stable.
- /SI is slow — it reads digital signature metadata for every driver; on machines with many drivers this can take 20–30 seconds.
- Requires elevation for /V on some systems — start an Administrator cmd.exe if verbose columns show blank or access-denied values.
- FALSE in Is Signed != malware — some legitimate third-party hardware drivers are unsigned; investigate the module name and publisher before drawing conclusions.
- driverquery lists loaded drivers only — staged but unloaded drivers in the driver store don't appear. Use pnputil /enum-drivers or Get-WindowsDriver -Online for a complete inventory.
- Get-PnpDevice and driverquery answer different questions — Get-PnpDevice lists devices (some without drivers); driverquery lists drivers (some without devices, e.g. file-system filters). They overlap but neither is a superset.
- WHQL signing is provider-specific — the Manufacturer column in /SI is the cert subject, not the OEM brand. A driver may show "Microsoft Windows Hardware Compatibility Publisher" because WHQL countersigning replaces the original vendor's signature.
- Truncated paths in /V — verbose mode's Path column wraps at ~64 chars in TABLE format; use /FO CSV or /FO LIST.
- HVCI-blocked drivers still appear with Running state — but aren't — Hypervisor-protected Code Integrity (memory integrity) silently refuses to load incompatible drivers. Check wevtutil qe Microsoft-Windows-CodeIntegrity/Operational for blocked entries.
Real-world recipes
Export driver list to CSV for an audit
driverquery /FO CSV > C:\Audit\drivers_%COMPUTERNAME%.csv
echo Saved to C:\Audit\drivers_%COMPUTERNAME%.csv
Output:
Saved to C:\Audit\drivers_MYHOST.csv
Find all unsigned drivers
driverquery /SI /FO CSV /NH | findstr ",\"FALSE\","
Output:
"SomeUnsigned","Unknown PCI Device","Kernel","1/1/2020 12:00:00 AM","FALSE","Unknown","1/1/2020","1.0.0.0"
Check whether a specific driver is installed
@echo off
driverquery | findstr /I "nvlddmkm" > NUL
if errorlevel 1 (
echo NVIDIA display driver is NOT installed.
) else (
echo NVIDIA display driver is installed.
)
Output:
NVIDIA display driver is installed.
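List drivers sorted by link date (newest first)
sort /R compares whole lines as text, so it orders the CSV by module name rather than by date; parsing the Link Date column in PowerShell gives a true date sort.
driverquery /FO CSV |
ConvertFrom-Csv |
Sort-Object { $_.'Link Date' -as [datetime] } -Descending |
Format-Table 'Module Name', 'Display Name', 'Link Date' -AutoSize
Output:
Module Name Display Name Link Date
----------- ------------ ---------
nvlddmkm NVIDIA Windows Kernel Mode Driver 3/12/2026 4:15:22 PM
WdFilter Microsoft antimalware file system filter driver 1/15/2026 1:22:03 PM
...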
Find drivers older than 5 years (potential update candidates)
$cutoff = (Get-Date).AddYears(-5)
driverquery /FO CSV /NH |
ConvertFrom-Csv -Header Module, Name, Type, Link |
ForEach-Object {
$d = [datetime]::Parse($_.Link, [Globalization.CultureInfo]::InvariantCulture)
if ($d -lt $cutoff) {
[PSCustomObject]@{
Module = $_.Module
Name = $_.Name
Linked = $d.ToString('yyyy-MM-dd')
}
}
} | Format-Table -AutoSize
Output:
Module Name Linked
------ ---- ------
1394ohci 1394 OHCI Compliant Host Controller 2019-12-07
HDAudBus Microsoft UAA Bus Driver 2019-12-07
Compare driver inventory between two machines
A common upgrade smoke test: did the new image lose any third-party drivers?
$ref = Invoke-Command -ComputerName goldsrv `
-ScriptBlock { driverquery /FO CSV /NH } | ConvertFrom-Csv -Header M,N,T,L
$tgt = Invoke-Command -ComputerName newhost `
-ScriptBlock { driverquery /FO CSV /NH } | ConvertFrom-Csv -Header M,N,T,L
Compare-Object $ref $tgt -Property M -PassThru |
Select-Object SideIndicator, M, N
Output:
SideIndicator M N
------------- - -
<= nvlddmkm NVIDIA Windows Kernel Mode Driver
=> iaStorAC Intel RAID Controller
Yellow-bang device sweep
Find PCI devices missing a driver — the Device Manager "Unknown device" with a yellow exclamation mark.
Get-PnpDevice -PresentOnly |
Where-Object { $_.Status -eq 'Error' -or $_.Status -eq 'Unknown' } |
Select-Object FriendlyName, Class, InstanceId, Status
Output:
FriendlyName Class InstanceId Status
------------ ----- ---------- ------
Unknown PCI Device Unknown PCI\VEN_8086&DEV_A0EF\3&11583659&0&FE Error
Driver health snapshot for a support ticket
@echo off
rem Quote the path: %TEMP% contains spaces when the user name does
set "OUT=%TEMP%\drv_%COMPUTERNAME%.txt"
echo === driverquery /V === > "%OUT%"
driverquery /V >> "%OUT%"
echo. >> "%OUT%"
echo === driverquery /SI === >> "%OUT%"
driverquery /SI >> "%OUT%"
echo. >> "%OUT%"
echo === pnputil /enum-drivers === >> "%OUT%"
pnputil /enum-drivers >> "%OUT%"
echo. >> "%OUT%"
echo === PnP devices with error status === >> "%OUT%"
powershell -NoProfile -Command "Get-PnpDevice | Where Status -ne 'OK' | Format-Table -AutoSize" >> "%OUT%"
echo Snapshot saved to %OUT%
Output:
Snapshot saved to C:\Users\Alice\AppData\Local\Temp\drv_MYHOST.txt
Audit BYOVD — recently installed unsigned third-party driver
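A red flag for ransomware preparation is the installation of a known-vulnerable signed driver, but unsigned drivers are also worth investigating. The Date column used below is the driver's link date, not its install date (see Common pitfalls), so the 30-day filter selects recently built binaries.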
driverquery /SI /FO CSV /NH |
ConvertFrom-Csv -Header M,N,T,Date,Signed,Mfg,SigDate,Ver |
Where-Object { $_.Signed -eq 'FALSE' -or $_.Mfg -eq 'Unknown' } |
Where-Object { [datetime]::Parse($_.Date) -gt (Get-Date).AddDays(-30) }
Output:
M : SomeNewDrv
N : Unknown PCI Device
T : Kernel
Date : 5/10/2026 12:00:00 AM
Signed : FALSE
Mfg : Unknown
SigDate : 5/10/2026
Ver : 1.0.0.0
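The recipe above keys on the Is Signed column, which a known-vulnerable signed driver passes. As an added example (not from the original page), this PowerShell hashes each binary in driverquery's Path column and compares it with a SHA-256 list you maintain; the blocklist path is hypothetical and English column headers are assumed.

```powershell
# Added example: hash every driver binary that driverquery reports and compare it with a
# list of known-vulnerable driver hashes. $BlocklistPath is a hypothetical file that you
# maintain yourself (one SHA-256 hex digest per line); it is not a file Windows provides.
# Assumes English column headers ("Module Name", "Path") in the driverquery CSV output.
$BlocklistPath = 'C:\Audit\vulnerable-driver-sha256.txt'

$blocked = [System.Collections.Generic.HashSet[string]]::new(
    [System.StringComparer]::OrdinalIgnoreCase)
if (Test-Path -LiteralPath $BlocklistPath) {
    Get-Content -LiteralPath $BlocklistPath |
        ForEach-Object { $_.Trim() } |
        Where-Object   { $_ -match '^[0-9a-f]{64}$' } |   # ignore comments and blank lines
        ForEach-Object { [void]$blocked.Add($_) }
} else {
    Write-Warning "No blocklist at $BlocklistPath; reporting signature problems only."
}

$findings = driverquery /V /FO CSV | ConvertFrom-Csv | ForEach-Object {
    # Some entries carry an NT-style \??\ prefix; strip it so Test-Path can resolve the file
    $path   = $_.Path -replace '^\\\?\?\\', ''
    $hash   = $null
    $sig    = $null
    $reason = $null

    if (-not $path -or -not (Test-Path -LiteralPath $path)) {
        $reason = 'BinaryNotFound'          # listed driver whose file cannot be located
    } else {
        $hash = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
        $sig  = Get-AuthenticodeSignature -LiteralPath $path
        if ($hash -and $blocked.Contains($hash)) {
            $reason = 'KnownVulnerableHash' # validly signed or not, the hash is on the list
        } elseif ($sig.Status -ne 'Valid') {
            $reason = "Signature$($sig.Status)"
        }
    }

    if ($reason) {
        [PSCustomObject]@{
            Module = $_.'Module Name'
            Reason = $reason
            State  = $_.State
            Signer = $sig.SignerCertificate.Subject
            SHA256 = $hash
            Path   = $path
        }
    }
}

$findings | Sort-Object Reason, Module | Format-List
```

Matching on the file hash is independent of the link date and of the signer name, so it also catches a listed driver that has been renamed on disk.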
Related tools
- pnputil — manage the driver store: add, remove, export drivers.
- Get-PnpDevice — PowerShell device enumeration.
- Get-WindowsDriver — DISM-backed driver-store inventory.
- sigverif.exe — GUI Authenticode validator.
- wevtutil — query the Code Integrity and Kernel-PnP event channels.
- systeminfo — pair driver lists with build/hotfix context.
- htop — Linux equivalent for live device/process inspection.