driverquery — List Installed Drivers#

What it is#

driverquery is a built-in Windows command that enumerates all currently installed kernel-mode and user-mode device drivers and reports their module name, display name, driver type, and link date. Use it to audit which drivers are installed on a machine, check driver dates for staleness, or verify that a driver was successfully installed. The PowerShell equivalent is Get-WindowsDriver or dism /online /Get-Drivers; for signing status, use sigverif.exe.

Availability#

driverquery ships as C:\Windows\System32\driverquery.exe on Windows XP and later.

driverquery /?

Output:

Displays a list of all installed device drivers and their properties.

DRIVERQUERY [/S system [/U username [/P [password]]]]
            [/FO format] [/NH] [/SI] [/V]

Syntax#

driverquery [/S host] [/U user] [/P pass] [/FO format] [/NH] [/SI] [/V]

Output: (driver list)

Essential options#

Basic driver list#

Running driverquery without arguments produces a table of every installed driver with its module name, display name, driver type, and link date.

driverquery

Output:

Module Name  Display Name           Driver Type   Link Date
============ ====================== ============= ======================
1394ohci     1394 OHCI Compliant H  Kernel        12/7/2019 7:33:54 AM
ACPI         Microsoft ACPI Driver  Kernel        12/7/2019 8:12:47 AM
acpiex       Microsoft ACPIEx Drive Kernel        12/7/2019 8:12:47 AM
...
WdFilter     Microsoft antimalware  File System   1/15/2026 1:22:03 PM
WdNisDrv     Microsoft Network Ins  Kernel        1/15/2026 1:22:03 PM

CSV format for scripting#

/FO CSV is the best format for automated processing — pipe to findstr, import into Excel, or feed into a monitoring script.

driverquery /FO CSV

Output:

"Module Name","Display Name","Driver Type","Link Date"
"1394ohci","1394 OHCI Compliant Host Controller","Kernel","12/7/2019 7:33:54 AM"
"ACPI","Microsoft ACPI Driver","Kernel","12/7/2019 8:12:47 AM"
...

driverquery /FO CSV /NH

Output:

"1394ohci","1394 OHCI Compliant Host Controller","Kernel","12/7/2019 7:33:54 AM"
"ACPI","Microsoft ACPI Driver","Kernel","12/7/2019 8:12:47 AM"
...

Signing information (/SI)#

/SI adds four columns showing the vendor (Provider), date, version, and whether the driver is digitally signed. An unsigned driver shows FALSE in the Is Signed column — a potential security or stability concern.

driverquery /SI /FO TABLE

Output:

Module Name  Display Name           Is Signed  Manufacturer        DDI Compliance  Image Path
============ ====================== ========== =================== =============== ===========
1394ohci     1394 OHCI Compliant H  TRUE       Microsoft           FALSE           ...
WdFilter     Microsoft antimalware  TRUE       Microsoft           FALSE           ...
SomeUnsigned Unknown PCI Device     FALSE      Unknown             FALSE           ...

Filtering for specific drivers#

Pipe driverquery output to findstr to search for a particular driver by module name or display name.

driverquery | findstr /I "nvidia"

Output:

nvlddmkm     NVIDIA Windows Kernel  Kernel        3/12/2026 4:15:22 PM
nvhda        NVIDIA High Definition Kernel        3/12/2026 4:15:22 PM

driverquery /FO CSV /NH | findstr /I "audio"

Output:

"HDAudBus","Microsoft UAA Bus Driver for High Definition Audio","Kernel","12/7/2019 7:33:54 AM"
"snd_hda_codec","Realtek High Definition Audio","Kernel","2/28/2026 10:14:06 AM"

Verbose output (/V)#

/V adds driver start mode (Boot, System, Auto, Demand, Disabled), state (Running, Stopped), and memory usage columns.

driverquery /V | findstr /I "disk"

Output:

disk         Disk Driver            Kernel    Boot       Running   TRUE   TRUE   0       0
diskperf     Disk Performance Driv  Kernel    Demand     Stopped   TRUE   FALSE  0       0

Remote driver query (/S)#

/S queries a remote machine’s driver list over the network. Requires appropriate network permissions.

driverquery /S myhost /U DOMAIN\alicedev /FO CSV

Output:

Password: (prompted)
"Module Name","Display Name","Driver Type","Link Date"
...

Common pitfalls#

1. Module name is truncated in TABLE output — the Module Name column is fixed-width and may cut off long names; use /FO CSV for full names.
2. Link date is not the install date — the link date is when the driver binary was compiled, not when it was installed on this machine; a very old link date is not necessarily a problem if the driver is stable.
3. /SI is slow — it reads digital signature metadata for every driver; on machines with many drivers this can take 20–30 seconds.
4. Requires elevation for /V on some systems — start an Administrator cmd.exe if verbose columns show blank or access-denied values.
5. FALSE in Is Signed ≠ malware — some legitimate third-party hardware drivers are unsigned; investigate the module name and publisher before drawing conclusions.

Real-world recipes#

Export driver list to CSV for an audit#

driverquery /FO CSV > C:\Audit\drivers_%COMPUTERNAME%.csv
echo Saved to C:\Audit\drivers_%COMPUTERNAME%.csv

Output:

Saved to C:\Audit\drivers_MYHOST.csv

Find all unsigned drivers#

driverquery /SI /FO CSV /NH | findstr ",FALSE,"

Output:

"SomeUnsigned","Unknown PCI Device","Kernel","1/1/2020 12:00:00 AM","FALSE","Unknown","1/1/2020","1.0.0.0"

Check whether a specific driver is installed#

@echo off
driverquery | findstr /I "nvlddmkm" > NUL
if errorlevel 1 (
    echo NVIDIA display driver is NOT installed.
) else (
    echo NVIDIA display driver is installed.
)

Output:

NVIDIA display driver is installed.

List drivers sorted by link date (newest first)#

driverquery /FO CSV /NH > %TEMP%\drv.csv
sort /R %TEMP%\drv.csv | more

Output:

"WdFilter","Microsoft antimalware file system filter driver","Kernel","1/15/2026 1:22:03 PM"
"nvlddmkm","NVIDIA Windows Kernel Mode Driver","Kernel","3/12/2026 4:15:22 PM"
...
(-- More --)

Driver type and start mode reference#

driverquery reports two important taxonomies — driver type (where in the kernel the driver runs) and start mode (when in the boot sequence Windows loads it). Knowing both helps you triage which drivers might be implicated in a boot failure, a BSOD, or a USB device disappearing.

rem Show only Boot-start drivers (these matter most for boot failures)
driverquery /V /FO CSV /NH | findstr ",\"Boot\","

Output:

"acpi","Microsoft ACPI Driver","Kernel","Boot","Running","TRUE","TRUE","0","0"
"disk","Disk Driver","Kernel","Boot","Running","TRUE","TRUE","0","0"
"volmgr","Volume Manager","Kernel","Boot","Running","TRUE","TRUE","0","0"
...

Verbose (/V) column reference#

/V adds eight columns to the default four. Knowing what they mean turns the verbose output from noise into a diagnostic.

driverquery /V /FO LIST | findstr /B /C:"Module Name" /C:"Display Name" /C:"State" /C:"Status" /C:"Path"

Output:

Module Name: WdFilter
Display Name: Microsoft antimalware file system filter driver
State:       Running
Status:      OK
Path:        C:\Windows\system32\DRIVERS\WdFilter.sys

Signing information (/SI) field reference#

/SI lists driver signing detail — vital for Secure Boot, HVCI, and ransomware-driven driver-loading attacks (“BYOVD” — bring your own vulnerable driver). The signing columns are:

driverquery /SI /FO CSV /NH | findstr /V ",TRUE,"

Output:

"SomeUnsigned","Unknown PCI Device","Kernel","1/1/2020 12:00:00 AM","FALSE","Unknown","1/1/2020","1.0.0.0"

Cross-check with sigverif.exe#

The GUI sigverif.exe performs a full Authenticode validation and writes results to %USERPROFILE%\Documents\WINDOWS\sigverif.txt. For scripts, Get-AuthenticodeSignature against each .sys is equivalent.

Get-ChildItem C:\Windows\System32\drivers\*.sys |
    Get-AuthenticodeSignature |
    Where-Object Status -ne 'Valid' |
    Select-Object Path, Status, SignerCertificate

Output:

Path                                     Status           SignerCertificate
----                                     ------           -----------------
C:\Windows\System32\drivers\unsigned.sys NotSigned

C:\Windows\System32\drivers\expired.sys  HashMismatch     CN=Old Vendor, ...

Get-PnpDevice — PowerShell device inventory#

Get-PnpDevice is the PowerShell cmdlet that enumerates Plug-and-Play devices (richer than driverquery, which only enumerates loaded drivers). Each device exposes status, instance ID, class, and friendly name.

# All devices with their status
Get-PnpDevice | Group-Object Status | Format-Table Count, Name

Output:

Count Name
----- ----
  142 OK
    3 Error
    7 Unknown

# Devices in error (yellow bang in Device Manager)
Get-PnpDevice | Where-Object Status -ne 'OK' |
    Select-Object Class, FriendlyName, Status, InstanceId

Output:

Class      FriendlyName           Status   InstanceId
-----      ------------           ------   ----------
Unknown    Unknown PCI Device     Error    PCI\VEN_8086&DEV_A0EF\3&11583659&0&FE
USB        USB Mass Storage       Error    USB\VID_0951&PID_1666\AAAA

# Get the device's driver from an InstanceId
$d = Get-PnpDevice -InstanceId 'PCI\VEN_10DE&DEV_2204\...'
Get-PnpDeviceProperty -InputObject $d -KeyName DEVPKEY_Device_DriverVersion,
                                              DEVPKEY_Device_DriverDate,
                                              DEVPKEY_Device_DriverProvider |
    Select-Object KeyName, Data

Output:

KeyName                          Data
-------                          ----
DEVPKEY_Device_DriverVersion     32.0.15.6614
DEVPKEY_Device_DriverDate        3/12/2026 12:00:00 AM
DEVPKEY_Device_DriverProvider    NVIDIA

# Disable a flaky device
Get-PnpDevice -FriendlyName '*Bluetooth*' |
    Disable-PnpDevice -Confirm:$false

# Re-enable
Get-PnpDevice -FriendlyName '*Bluetooth*' |
    Enable-PnpDevice -Confirm:$false

Get-WindowsDriver — DISM driver enumeration#

Get-WindowsDriver (from the DISM module) lists staged drivers in the driver store — including third-party packages that may or may not currently be in use. This is what you query after a driver upgrade to confirm the new version is staged.

# All third-party drivers (Microsoft + OEM excluded)
Get-WindowsDriver -Online |
    Where-Object ProviderName -ne 'Microsoft' |
    Select-Object Driver, OriginalFileName, ProviderName, ClassName, Date, Version |
    Sort-Object Date -Descending

Output:

Driver       OriginalFileName            ProviderName ClassName Date       Version
------       ----------------            ------------ --------- ----       -------
oem42.inf    nvlddmkm.inf                NVIDIA       Display   3/12/2026  32.0.15.6614
oem17.inf    iaStorAC.inf                Intel        HDC       2/28/2026  19.5.0.1037
oem09.inf    RealtekHAudio.inf           Realtek      MEDIA     2/28/2026  6.0.1.8800

# Detail of one driver
Get-WindowsDriver -Online -Driver oem42.inf

Output:

Driver       : oem42.inf
ClassName    : Display
Date         : 3/12/2026 12:00:00 AM
Version      : 32.0.15.6614
ProviderName : NVIDIA

pnputil — driver-store administration#

pnputil is the in-box CLI for adding, deleting, and exporting drivers from the driver store. Pair with Get-WindowsDriver for a full lifecycle.

rem List all staged third-party drivers
pnputil /enum-drivers

Output:

Microsoft PnP Utility

Published Name :     oem42.inf
Original Name :      nvlddmkm.inf
Provider Name :      NVIDIA
Class Name :         Display adapters
Class GUID :         {4d36e968-e325-11ce-bfc1-08002be10318}
Driver Version :     03/12/2026 32.0.15.6614
Signer Name :        Microsoft Windows Hardware Compatibility Publisher

rem Add a new driver to the store
pnputil /add-driver "C:\Drivers\NewNic\nic.inf" /install

Output:

Microsoft PnP Utility

Adding driver package:  nic.inf
Driver package added successfully.
Published Name:         oem47.inf

Total driver packages:  1
Added driver packages:  1

rem Remove an old driver (force = remove even if in use)
pnputil /delete-driver oem42.inf /uninstall /force

Output:

Microsoft PnP Utility

Driver package uninstalled.
Driver package deleted successfully.

rem Export all drivers to a folder (useful for re-image)
pnputil /export-driver * C:\DriverBackup

Output:

Microsoft PnP Utility

Exporting driver package:  oem1.inf
Driver package exported successfully.
Exporting driver package:  oem2.inf
Driver package exported successfully.
...
Total driver packages exported:  47

Driver event correlation#

A driver problem usually leaves a trail in three places: PnP Event Log, System Event Log, and the SetupAPI.dev.log.

rem PnP-related events from the System log
wevtutil qe System ^
  /q:"*[System[Provider[@Name='Microsoft-Windows-Kernel-PnP' or @Name='PlugPlayManager']]]" ^
  /c:10 /rd:true /f:text

Output:

Event[0]:
  Log Name: System
  Source: Microsoft-Windows-Kernel-PnP
  Date: 2026-05-20T09:14:22.118
  Event ID: 410
  Level: Information
  Description: Driver Management has concluded the process to install driver oem47.inf for Device Instance ID PCI\VEN_8086.

Event[1]:
  Log Name: System
  Source: PlugPlayManager
  Date: 2026-05-19T22:01:08.402
  Event ID: 257
  Level: Information
  Description: The driver pnputil.exe was installed for plug and play ID ROOT\SYSTEM\0000.

rem Driver installation history
type C:\Windows\INF\setupapi.dev.log | findstr /I "nvidia\|installed"

Output:

>>>  [Device Install (DiskClassInstaller) - PCI\VEN_10DE...]
>>>      Section start 2026-05-12 11:08:42.412
     dvi:      Driver Node #0 was installed.
     ndv:      Installed device driver nvidia display driver.
     dvi:      Installed device driver nv_disp.inf successfully.

Common pitfalls#

1. Module name is truncated in TABLE output — the Module Name column is fixed-width and may cut off long names; use /FO CSV for full names.
2. Link date is not the install date — the link date is when the driver binary was compiled, not when it was installed on this machine; a very old link date is not necessarily a problem if the driver is stable.
3. /SI is slow — it reads digital signature metadata for every driver; on machines with many drivers this can take 20–30 seconds.
4. Requires elevation for /V on some systems — start an Administrator cmd.exe if verbose columns show blank or access-denied values.
5. FALSE in Is Signed != malware — some legitimate third-party hardware drivers are unsigned; investigate the module name and publisher before drawing conclusions.
6. driverquery lists loaded drivers only — staged but unloaded drivers in the driver store don’t appear. Use pnputil /enum-drivers or Get-WindowsDriver -Online for a complete inventory.
7. Get-PnpDevice and driverquery answer different questions — Get-PnpDevice lists devices (some without drivers); driverquery lists drivers (some without devices, e.g. file-system filters). They overlap but neither is a superset.
8. WHQL signing is provider-specific — the Manufacturer column in /SI is the cert subject, not the OEM brand. A driver may show “Microsoft Windows Hardware Compatibility Publisher” because WHQL countersigning replaces the original vendor’s signature.
9. Truncated paths in /V — verbose mode’s Path column wraps at ~64 chars in TABLE format; use /FO CSV or /FO LIST.
10. HVCI-blocked drivers still appear with Running state — but aren’t — Hypervisor-protected Code Integrity (memory integrity) silently refuses to load incompatible drivers. Check wevtutil qe Microsoft-Windows-CodeIntegrity/Operational for blocked entries.

Real-world recipes#

Export driver list to CSV for an audit#

driverquery /FO CSV > C:\Audit\drivers_%COMPUTERNAME%.csv
echo Saved to C:\Audit\drivers_%COMPUTERNAME%.csv

Output:

Saved to C:\Audit\drivers_MYHOST.csv

Find all unsigned drivers#

driverquery /SI /FO CSV /NH | findstr ",FALSE,"

Output:

"SomeUnsigned","Unknown PCI Device","Kernel","1/1/2020 12:00:00 AM","FALSE","Unknown","1/1/2020","1.0.0.0"

Check whether a specific driver is installed#

@echo off
driverquery | findstr /I "nvlddmkm" > NUL
if errorlevel 1 (
    echo NVIDIA display driver is NOT installed.
) else (
    echo NVIDIA display driver is installed.
)

Output:

NVIDIA display driver is installed.

List drivers sorted by link date (newest first)#

driverquery /FO CSV /NH > %TEMP%\drv.csv
sort /R %TEMP%\drv.csv | more

Output:

"WdFilter","Microsoft antimalware file system filter driver","Kernel","1/15/2026 1:22:03 PM"
"nvlddmkm","NVIDIA Windows Kernel Mode Driver","Kernel","3/12/2026 4:15:22 PM"
...
(-- More --)

Find drivers older than 5 years (potential update candidates)#

$cutoff = (Get-Date).AddYears(-5)
driverquery /FO CSV /NH |
    ConvertFrom-Csv -Header Module, Name, Type, Link |
    ForEach-Object {
        $d = [datetime]::Parse($_.Link, [Globalization.CultureInfo]::InvariantCulture)
        if ($d -lt $cutoff) {
            [PSCustomObject]@{
                Module = $_.Module
                Name   = $_.Name
                Linked = $d.ToString('yyyy-MM-dd')
            }
        }
    } | Format-Table -AutoSize

Output:

Module    Name                                 Linked
------    ----                                 ------
1394ohci  1394 OHCI Compliant Host Controller  2019-12-07
HDAudBus  Microsoft UAA Bus Driver             2019-12-07

Compare driver inventory between two machines#

A common upgrade smoke test: did the new image lose any third-party drivers?

$ref = Invoke-Command -ComputerName goldsrv `
    -ScriptBlock { driverquery /FO CSV /NH } | ConvertFrom-Csv -Header M,N,T,L
$tgt = Invoke-Command -ComputerName newhost `
    -ScriptBlock { driverquery /FO CSV /NH } | ConvertFrom-Csv -Header M,N,T,L

Compare-Object $ref $tgt -Property M -PassThru |
    Select-Object SideIndicator, M, N

Output:

SideIndicator M             N
------------- -             -
<=            nvlddmkm      NVIDIA Windows Kernel Mode Driver
=>            iaStorAC      Intel RAID Controller

Yellow-bang device sweep#

Find PCI devices missing a driver — the Device Manager “Unknown device” with a yellow exclamation mark.

Get-PnpDevice -PresentOnly |
    Where-Object { $_.Status -eq 'Error' -or $_.Status -eq 'Unknown' } |
    Select-Object FriendlyName, Class, InstanceId, Status

Output:

FriendlyName        Class    InstanceId                                   Status
------------        -----    ----------                                   ------
Unknown PCI Device  Unknown  PCI\VEN_8086&DEV_A0EF\3&11583659&0&FE       Error

Driver health snapshot for a support ticket#

@echo off
set OUT=%TEMP%\drv_%COMPUTERNAME%.txt
echo === driverquery /V === > %OUT%
driverquery /V >> %OUT%
echo. >> %OUT%
echo === driverquery /SI === >> %OUT%
driverquery /SI >> %OUT%
echo. >> %OUT%
echo === pnputil /enum-drivers === >> %OUT%
pnputil /enum-drivers >> %OUT%
echo. >> %OUT%
echo === PnP devices with error status === >> %OUT%
powershell -NoProfile -Command "Get-PnpDevice | Where Status -ne 'OK' | Format-Table -AutoSize" >> %OUT%
echo Snapshot saved to %OUT%

Output:

Snapshot saved to C:\Users\Alice\AppData\Local\Temp\drv_MYHOST.txt

Audit BYOVD — recently installed unsigned third-party driver#

A red flag for ransomware preparation is the installation of a known-vulnerable signed driver, but unsigned drivers are also worth investigating.

driverquery /SI /FO CSV /NH |
    ConvertFrom-Csv -Header M,N,T,Date,Signed,Mfg,SigDate,Ver |
    Where-Object { $_.Signed -eq 'FALSE' -or $_.Mfg -eq 'Unknown' } |
    Where-Object { [datetime]::Parse($_.Date) -gt (Get-Date).AddDays(-30) }

Output:

M           : SomeNewDrv
N           : Unknown PCI Device
T           : Kernel
Date        : 5/10/2026 12:00:00 AM
Signed      : FALSE
Mfg         : Unknown
SigDate     : 5/10/2026
Ver         : 1.0.0.0

Sources#

References consulted while writing this article. Links open in a new tab.

• Microsoft Learn — driverquery command reference — Authoritative flag list and parameter semantics used to build the Essential options table.
• SS64 — driverquery — Cross-version comparison and historical syntax notes.

Related tools#

• pnputil — manage the driver store: add, remove, export drivers.
• Get-PnpDevice — PowerShell device enumeration.
• Get-WindowsDriver — DISM-backed driver-store inventory.
• sigverif.exe — GUI Authenticode validator.
• wevtutil — query the Code Integrity and Kernel-PnP event channels.
• systeminfo — pair driver lists with build/hotfix context.
• htop — Linux equivalent for live device/process inspection.