Get Driver Information for Video and Audio Drivers

Content Authoring
1

Hi,

I need to get driver version and date information for my video drivers and HD audio drivers. I cannot find anything on BigFix.me which comes even close to something that basic. I have this which gives date and version for audio drivers, but in a very difficult to read format. I can’t adapt it to anything else, really.

((property "DeviceName" of it, property "DriverDate" of it, property "DriverVersion" of it) of select objects "DeviceName, DriverVersion, DriverDate from Win32_PnPSignedDriver" of wmi) whose (item 0 of it as string contains "AMD High Definition Audio Device")

I need to find device type and driver versions for AMD hardware, and Intel hardware.

Thanks

2

You can get this info from the INF files in the driverstore.

I do have some stuff on BigFix.Me that does some similar things.

Related:

3

I tried one example for AMD, and like I expected, it didn’t work.

Q: unique values of (it as trimmed string) of (preceding text of last "%22" of following text of first "%22" of it) of lines whose(it starts with "amd") of files whose(name of it as lowercase ends with ".inf") of folders whose(name of it as lowercase starts with "amd") of folders "DriverStore\FileRepository" of system folder
E: Singular expression refers to nonexistent object.

What does “%22” represent?

Thanks

4

If you were to use WMI, does something like this help? Of course you need to be wary with querying too much through WMI for avoid impacting client performance. This should pull anything that is display or media class related.

Q: ((string values of property "DeviceClass" of it, string values of property "Description" of it, string values of property "DriverVersion" of it, first 8 of string values of property "DriverDate" of it) of ((select objects "Description, DriverVersion, DriverDate, DeviceClass from Win32_PnPSignedDriver" of wmi) whose (string value of property "DeviceClass" of it as uppercase = "DISPLAY" or string value of property "DeviceClass" of it as uppercase = "MEDIA")))
A: MEDIA, Intel(R) Display Audio, 6.16.0.3131, 20131127
A: MEDIA, Realtek High Definition Audio, 6.0.1.6053, 20141016
A: MEDIA, USB Audio Device, 6.1.7601.18208, 20130712
A: DISPLAY, Intel(R) HD Graphics 4600, 10.18.10.3412, 20140129
A: MEDIA, High Definition Audio Device, 6.1.7601.17514, 20101119
A: DISPLAY, NVIDIA Quadro K2100M   , 9.18.13.4807, 20150426
T: 908.291 ms
I: plural ( string, string, string, substring )
5

I have this working.

value "DriverVersion" of key "SYSTEM\CurrentControlSet\Control\Video\{09DE818B-72C9-435B-AD56-3DF7255B903C}\0000" of it of key "HKEY_LOCAL_MACHINE" of registry

However, it is not very useful as that I would have to know the value of {09DE818B-72C9-435B-AD56-3DF7255B903C} on each computer, which could be different.

6

This really isn’t working either. It should be evaluating to True, but it is not.

(("name from win32_VideoController")of WMI) is "Intel(R) HD Graphics 4600"
7

I have made many long replies below, each in reply to a different post above, which could be a bit overwhelming, but they go into great detail about how all of this works. I hope you and others find this useful for writing relevance in general, but particularly in this case.

This is the % encoded sequence for the " (double quote) character. It is the only way to represent a double quote within a string in relevance. If for some reason you have to escape relevance within relevance like I have done recently, then it becomes %2522 with %25 being the % encoded sequence for the % (percent) character, which is the only way to represent a percent sign within relevance. These are 2 common ASCII characters that can’t be directly represented in a string literal in relevance. Another is the newline character(s).

Figuring out how to use %22 and %25 in relevance definitely tripped me up for a while. %2522 is still a mind bender.

I’m not exactly sure why that particular relevance didn’t work in your post, but you have to start by finding an INI/INF file in the DriverStore that has what you are looking for, then write relevance against that specific file to get the information you require, then generalize it like that relevance you attempted. I think you are starting at the end and trying to work backwards which is a bit harder to do.

If you are trying to write relevance to determine which drivers are installed, but not necessarily which drivers are in use, then this is the “correct” way to go about it. If you are trying to write relevance to install a driver if and only if it is not already installed, then this is also the “correct” way to go about it. The appearance of a new INF file in the DriverStore is the direct result of installing a new driver, while the driver actually being used by the system is a different, later, and indirect result that cannot be predicted in as meaningful of a way.

If you just want to know which drivers are currently in use on a system for reporting, then there might be an easier option, like the registry and/or WMI as discussed in other replies.

1 Like
8

This can be addressed with relevance. Relevance is dynamic, you don’t need to know the exact value in order to query it.

Step 1:

unique values of names of keys of keys "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Video" of (x64 registries; x32 registries)

Steps 2,3,4:

unique values of (it as string) of values "DriverVersion" of keys "0000" of keys of keys "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Video" of (x64 registries; x32 registries)

Actual Results:

Q: unique values of (it as string) of values "DriverVersion" of keys "0000" of keys of keys "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Video" of (x64 registries; x32 registries)
A: 10.0.10586.0
T: 1.433 ms
I: plural string with multiplicity

Notice how fast this query is: T: 1.433 ms

Relevance that queries the Windows Registry is often the fastest possible option. This is in part because I believe that reads to the Windows Registry are done from a cache in RAM that Windows itself maintains. If you have ever used Process Explorer, you would see that the primary thing programs seem to do is read values from the registry, thousands of times a second, even when there doesn’t seem to be anything that would obviously cause them to do so.

Pay attention to the speed of the queries in this post as compared to all of the other queries made in the results I have posted.

This is the entire result you are looking for from the Windows Registry:

Q: unique values of (item 0 of it as string &", "& item 1 of it as string &", "& item 2 of it as string) of (values "DriverDesc" of it, values "DriverDate" of it, values "DriverVersion" of it) of keys "0000" of keys of keys "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Video" of (x64 registries; x32 registries)
A: Microsoft Hyper-V Video, 6-21-2006, 10.0.10586.0
T: 0.929 ms
I: plural string with multiplicity

This is the raw data from the registry:

unique values of (name of it & "=" & it as string) of (values of it) of keys "0000" of keys of keys "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Video" of (x64 registries; x32 registries)
1 Like
9

That’s because it could never work.

This is not written correctly and will never actually do anything except for return the literal string name from win32_VideoController. This relevance statement is effectively saying, “If WMI exists, then return the string name from win32_VideoController

Q: ("name from win32_VideoController")of WMI
A: name from win32_VideoController
T: 6.074 ms
I: singular string

See this example:

Q: ("Hello World!")of WMI
A: Hello World!
T: 9.276 ms
I: singular string

You need to make sure the WMI query actually returns the correct/expected value before trying to compare it to Intel(R) HD Graphics 4600

See here:

Q: selects "name from win32_VideoController" of WMIs
A: Name=Microsoft Hyper-V Video
T: 38.336 ms
I: plural wmi select

Notice that the type info is plural wmi select and not singular string. This mean is is a result of a WMI Select and not just a string. This means it has properties that are particular to the type wmi select than can be used.

This will get just the string result so that it can be used in a comparison:

Q: string values of selects "name from win32_VideoController" of WMIs
A: Microsoft Hyper-V Video
T: 47.574 ms
I: plural string

Then to get the true/false value from a plural result, use whose:

Q: exists string values whose("Microsoft Hyper-V Video" = it) of selects "name from win32_VideoController" of WMIs
A: True
T: 48.344 ms
I: singular boolean

All of this is a very long way of saying, don’t start with trying to get a boolean result. Start by getting the string value you want to compare, THEN turn that into a boolean result. If you start with trying to get a boolean result, it can easily lead you down the wrong path.

For instance, the following will always be true:

Q: exists "Intel(R) HD Graphics 4600"
A: True
T: 0.095 ms
I: singular boolean

It only asserts that the literal string exists, which it always will, on every computer and OS.

This is how to get the raw data from WMI:

selects "* from win32_VideoController" of WMIs

This is how to get just the name,driverversion,DriverDate:

Q: selects "Name,DriverVersion,DriverDate from win32_VideoController" of WMIs
A: DriverDate=20060621000000.000000-000
A: DriverVersion=10.0.10586.0
A: Name=Microsoft Hyper-V Video
T: 49.127 ms
I: plural wmi select

This is how to get them together as a single result:

Q: (string value of property "Name" of it & " = " & string value of property "DriverVersion" of it) of select objects "Name,DriverVersion from win32_VideoController" of WMIs
A: Microsoft Hyper-V Video = 10.0.10586.0
T: 41.647 ms
I: plural string

References:

1 Like
10

@jasonrw this is the raw data from @SLB 's post:

selects "* from Win32_PnPSignedDriver where DeviceClass='DISPLAY'" of WMIs

and then just the main parts you are looking for:

Q: selects "Description,DriverVersion,DriverDate from Win32_PnPSignedDriver where DeviceClass='DISPLAY'" of WMIs
A: Description=Microsoft Hyper-V Video
A: DriverDate=20060621000000.******+***
A: DriverVersion=10.0.10586.0
T: 1833.787 ms
I: plural wmi select

The raw data can be overwhelming, but it gives you a great idea of what info is available.

Also, you should NOT use this relevance or the relevance @SBL provided in most cases. WMI Queries to Win32_PnPSignedDriver are so slow that they will cause problems, particularly if used in relevance for Fixlets/Tasks. WMI Queries to win32_VideoController are lightning quick by comparison, and even then almost all WMI Queries are slower than most alternatives, like the Windows Registry, which is almost always the fastest option, if available.

All of the queries to WMI I’ve posted were done on fast systems with fast SSD hard drives. This is a BEST case for WMI query speed. It could be much slower on low end systems with slow storage.

1 Like
11

Would this be a proper query to target machines, who’s graphics adapters are AMD Radeon HD 7570?

unique values of (if exists friendly name of it then friendly name of it else if exists description of it then description of it else "NoDescOrFN") of active devices whose (class of it = "Display") is "AMD Radeon HD 7570"

The object here would be to target only those PCs with such an adapter.

12

That is very close, but it will have issues since the relevance is plural doing a direct comparison. This is how you would do that while keeping it plural:

exists unique values whose("AMD Radeon HD 7570" = it) of (friendly name of it | description of it | "NoDescOrFN") of active devices whose (class of it = "Display")

I also swapped out the IF-THEN-ELSE for the pipe character method.

13

I find that “active devices” also tends to be an expensive inspector, and I suspect it may be doing something WMI-like in the background.

It helps to understand that the GUIDs stored at HKLM\System\CurrentControlSet\Control\Class each correspond to a specific type of device, and that HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318} always corresponds to the Display Driver class.

Beneath this registry key is one or more indexed Key names, each corresponding to a display device, such as “0000”, “0001”, “0002”, etc. Each different device Class behaves similarly in my experience.

I’ve also seen inactive devices here, likely a result of image cloning. From what I can tell, the drivers that are active also have a “Settings” subkey, while inactive devices do not.

Q: names of keys of key "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}" of native registry
A: 0000
T: 0.116 ms

Q: (values "ProviderName" of it as string, values "DriverVersion" of it as string as version) of keys whose (exists key "Settings" of it) of key "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}" of native registry
A: NVIDIA, 10.18.13.6143
T: 0.174 ms

q: exists keys whose (exists key "Settings" of it AND value "ProviderName" of it as string = "NVIDIA" AND value "DriverVersion" of it as string as version < version "11.0.0.0") of key "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}" of native registry
A: True
T: 0.142 ms

Similarly, this key corresponds to the MEDIA class: {4d36e96c-e325-11ce-bfc1-08002be10318}. Here the two “NVidia” entries refer to the NVidia graphics card’s ability to output audio over the HDMI cable - so this is really “Nvidia Audio” and not “NVidia Video”:

Q: (values "ProviderName" of it as string, values "DriverVersion" of it as string as version) of keys whose (exists key "Settings" of it) of key "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4d36e96c-e325-11ce-bfc1-08002be10318}" of native registry
A: NVIDIA Corporation, 1.3.34.4
A: Realtek Semiconductor Corp., 6.0.1.7544
A: NVIDIA, 1.2.31.0
T: 0.327 ms

These all work for devices that have drivers installed. To look for devices that may be missing drivers, you’d have to search through HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum. I’m planning to write my own post about that this week when I get back to my consoles, so watch this forum.

1 Like
14

OK. Thanks! I’ll be on the lookout.

15

Hi Jason,

do you know how to query with DriverDate property?
like if I want a driver that it’s DriverDate is later than 20060621000000.000000-000

I tried with SELECT * FROM Win32_PnPSignedDriver where DriverDate > "20060621000000.000000-000"
but retrieved 0 instances…
I am new to WQL, I have googled this for 3 days now… really can’t find the exact questions like I want to ask.
hopefully that you can help:cry:

16

I have this for determining whether or not a particular driver is installed for the use of an install package.

((name of it = "Win7" AND x64 of it)) of operating system AND ((not exists key "HKLM\SYSTEM\CurrentControlSet\Control\Video\{8CB6EA57-F687-443A-816D-4A22F16FEEFA}\0000" of native registry) OR (not exists value "DriverVersion" of key "HKLM\SYSTEM\CurrentControlSet\Control\Video\{8CB6EA57-F687-443A-816D-4A22F16FEEFA}\0000" of native registry) OR (value "DriverVersion" of key "HKLM\SYSTEM\CurrentControlSet\Control\Video\{8CB6EA57-F687-443A-816D-4A22F16FEEFA}\0000" of native registry as string != "15.200.1062.1004"))
17

You don’t actually need all of that relevance. This one statement would be equivalent and faster:

( (name of it = "Win7" AND x64 of it) of operating system ) AND (not exists values "DriverVersion" whose(it as string = "15.200.1062.1004") of keys "HKLM\SYSTEM\CurrentControlSet\Control\Video\{8CB6EA57-F687-443A-816D-4A22F16FEEFA}\0000" of native registries)
18

##Note:

WMI queries can be fairly slow and are not always a good idea to use in Applicability relevance for that reason. Using a registry query is better for that purpose in most cases.

Normally something like this would work:

time values of selects "DriverDate FROM Win32_PnPSignedDriver" of wmis

It seems like this isn’t working because DriverDate contains date but not time info. Instead of having 00 for time, it has ** which is a bit annoying.

This seems to give me YYYYMMDD for DriverDate as a string:

(preceding texts of firsts "000000." of string values of properties "DriverDate" of it) of select objects "* FROM Win32_PnPSignedDriver where DriverDate is not null" of wmis

This will take the YYYYMMDD result and turn it into a BigFix date object:

( (it as date) of (last 2 of it & " " & (substring (4,2) of it as integer as month as three letters) & " " & first 4 of it) of unique value of preceding texts of firsts "000000." of string values of properties "DriverDate" of it) of select objects "* FROM Win32_PnPSignedDriver where DriverDate is not null" of wmis

This is what you are asking for:

properties "DeviceName" of items 0 of (it, (it as date) of (last 2 of it & " " & (substring (4,2) of it as integer as month as three letters) & " " & first 4 of it) of unique value of preceding texts of firsts "000000." of string values of properties "DriverDate" of it) whose(item 1 of it > (it as date) of "21 Jun 2006") of select objects "* FROM Win32_PnPSignedDriver WHERE DriverDate is not NULL" of wmis

You can add more retrieved properties as needed:

(properties "InfName" of it, properties "DeviceName" of it) of items 0 of (it, (it as date) of (last 2 of it & " " & (substring (4,2) of it as integer as month as three letters) & " " & first 4 of it) of unique value of preceding texts of firsts "000000." of string values of properties "DriverDate" of it) whose(item 1 of it > (it as date) of "21 Jun 2006") of select objects "* FROM Win32_PnPSignedDriver WHERE DriverDate is not NULL" of wmis