Missing "Non Plug and Play Drivers" from Device Manager

OK, hate to be a noob here, but I've a system here that simply will not show the Non Plug and Play Drivers category. XP SP3

It's actually one of several I've run across with this issue over the last few weeks, and have not been able to resolve it. All systems were XP SP3 as best as I recall...

Of course, I fire up a command prompt and type

Code:

set devmgr_show_nonpresent_devices=1
devmgmt.msc

then when device manager starts up, I select show hidden devices... I'm also being sure to leave the command prompt open after I open the device manager.

I know that the set devmgr... bit is working, because I can see missing devices under "other devices" that I cannot see when I do NOT do the set devmgr... bit first.

The PC I am seeing this on right now did have the zero access rootkit on it, but was removed. Not sure if this is some component of the malware that disables the ability to view these devices in an attempt to hinder removal attempts... I haven't read anything on the subject in various whitepapers on zero access, however...

My Google-fu must be lacking, because I cannot seem to find any info on this issue. I found one article with no resolution that mentioned it could be a corrupted/missing component of device manager (the article was also about XP Embedded so I didn't expect much anyway)... every other result I can find only mentions how to view the category with the set devmgr... bit, but none mentions it not actually working...

I couldn't fix anything with SFC on any of the systems so far as it found nothing; and I don't know how to check for / what device manager components could possibly be missing/corrupted?

I have also tried same procedure in Safe Mode.

I have even tried the procedure from a command prompt run under the LOCAL SYSTEM account (like you could do by using Sysinternals PSEXEC)...

I have verified in the registry of the current system that there are in fact plenty of those non plug n' play devices (legacy drivers) under HKLM\System\CurrentControlSet\Enum\Root, and I have verified that none of the existing entries are malicious, as well. It just bugs me that I cannot see them in Device Manager...

Am I missing something obvious?

Any suggestions?

Thanks in advance!

 

Does it work if you add the line to Environmental Variables?

 

Just checked. Alas, no it does not. I even rebooted to ensure the change would take effect. No love...

But thanks for the response!

 

Not sure if this will help but found this. Do you have the reg key listed and also legcydrv.inf?

http://www.ditii.com/2009/12/08/windows-xp-pro-non-plug-and-play-properties-dont-display-correctly/

 

THAT'S IT! THANK YOU THANK YOU THANK YOU!

FYI, the entire registry key and all values were missing.

The INF file was present in %systemroot%\inf, however a right-click and install did not put the registry key back.

So I exported it from a known working PC and imported it on the broken one and voila! There is my missing non plug and play drivers category!!!

I wonder if this was a function of the zero access malware that was present on the system - the deletion of that reg key... ??

Either way, THANKS AGAIN!

 

I did some searching and found that the Legacy Driver Component was related to the Non Plug and Play Drivers category so I did another search with it and Device Manager and was able to come up with that link.

I am glad that I was able to help and thank you for the feedback.

 

That would be interesting. We know it's rapidly evolving. It's already a very impressive rootkit :-D