HKLM\DRIVERS registry hive is getting deleted and comes back after logoff and login

Hello Team,

I have some Windows 8.1 computers which are connected to a domain.

The HKLM\DRIVERS registry hive is getting deleted just a little later after our logon, and it comes back when we log off and log in again. Once again it vanishes after some time. This happens with all the machines which are in our work network.

I could see the same behavior with VMs hosted in Hyper-V and also on the physical machines.

Assuming that this could be because of some corporate group policy, I checked some machines which are in our network and not connected to the domain; the same problem could also be seen on the machines not connected to the domain.

Just wondering if this is an expected behavior or if this is some kind of a problem.

I work as an application packager and I see some driver installations done by applications fail, and I wanted to figure out if that is due to this issue with the HKLM\DRIVERS registry.

It would be helpful if someone could get me out of this.

Thanks & Regards,

Venkata Ramana

July 7th, 2015 2:06am

Hi Ramana, Venkata,

I have made a test on my own machine. I deleted the HKLM\DRIVERS registry from my Windows 8.1 Enterprise machine and restarted the machine; these registry keys will be recreated after a restart.

According to my understanding, this registry key is related to the drivers. During the boot process, the first step to boot the Windows system is to load the drivers marked as bootable drivers, then the usual drivers; they are loaded into memory. If the registry key has been deleted, it will be recreated during the shutdown process according to the memory. I think it is an expected behavior to protect the machine in case we misconfigured the registry keys.

If we want to troubleshoot the issue related to this registry, we could configure the audit mode from the properties of the registry instead of deleting them directly. After configuring the audit mode, we will get the information from the Event Viewer (Event Viewer\Windows Logs\Security).

Best re

July 8th, 2015 3:50am
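
The auditing approach suggested in the reply above, as an added PowerShell example that is not part of the original thread. It assumes an elevated prompt, that the key exists at the moment the script runs, and that `$KeyPath` and the `Everyone` trustee are choices made for illustration.

```powershell
# Added example: audit changes to a registry key and read the resulting Security events.
# Assumption: run from an elevated PowerShell prompt while the key is present.
$KeyPath = 'HKLM:\DRIVERS'   # key under investigation (assumed path form for the registry provider)

if (-not (Test-Path -Path $KeyPath)) {
    Write-Warning "$KeyPath is not present right now; nothing to audit."
    return
}

# 1. Enable the "Registry" object-access audit subcategory for successful operations.
auditpol /set /subcategory:"Registry" /success:enable | Out-Null

# 2. Add an audit (SACL) entry on the key and its subkeys:
#    log successful value writes, subkey creation and deletes by any account.
$acl  = Get-Acl -Path $KeyPath -Audit
$rule = New-Object System.Security.AccessControl.RegistryAuditRule(
    'Everyone',
    [System.Security.AccessControl.RegistryRights]'SetValue, CreateSubKey, Delete',
    [System.Security.AccessControl.InheritanceFlags]::ContainerInherit,
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AuditFlags]::Success)
$acl.AddAuditRule($rule)
Set-Acl -Path $KeyPath -AclObject $acl

# 3. Later, pull the matching events from the Security log.
#    4657 = a registry value was modified, 4663 = an attempt was made to access an object.
#    Audit events name the key by its kernel path, \REGISTRY\MACHINE\DRIVERS.
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4657, 4663 } `
                       -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match '\\REGISTRY\\MACHINE\\DRIVERS' }

# Show when each access happened and the event text, which includes the
# account and process that performed it.
$events |
    Sort-Object TimeCreated |
    Select-Object TimeCreated, Id, Message |
    Format-List
```

The events only identify who touched the key while the audit entry is in place, so the SACL has to be checked again with `Get-Acl -Audit` whenever the key has been recreated.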

Hello MeipoXu,

Thank you for your response.

I understand that the registry getting restored is an expected behavior.

What about the automatic deletion of the HKLM\DRIVERS registry? Is that also an expected behavior in Win8.1?

Regards,

Venkata Ramana

July 8th, 2015 5:13am

Hi Ramana, Venkata,

I didn't notice that it will disappear automatically.
Before I tried to test the issue, I checked my own Windows 8.1 Enterprise machine and my colleagues'. This registry can't be found everywhere. I think it may be related to our working environment.
Now I noticed that this registry is only available when we restart the machine and it will disappear automatically.
It seems that there is not an official document to explain this. I checked this symptom with my Windows 7 Enterprise and there is no chance to see this registry key.

I tried to audit the whole registry key but the audit configurations will be removed after a restart.
I planned to capture this operation with Process Monitor. I hope we could get something useful.

Best r

July 8th, 2015 10:19pm

Thank you for your time...

Let us keep monitoring it...

We have to find why and how it gets deleted automatically.

Is this a kind of security feature? Will this have any impact on driver installation?

Regards,

Venkata Ramana

July 9th, 2015 12:54am

Hi Ramana,

I have tried to use Process Monitor to capture the process, without result.
Considering it will disappear automatically, I suspect it may be related to the built-in task scheduler. I will make a deep test.

Do you have any ideas about this case?

"Is this a kind of security feature? Will this have any impact on driver installation?"
In my opinion, it may be designed for security considerations. I have checked the symptom with many Windows 8.1 machines and they share the same symptom. Since it is an expected symptom, it shouldn't have an impact on driver installation. We could take it as a normal symptom though we haven't found the reason for this behavior.

Best regards

July 12th, 2015 10:52pm

This topic is archived. No further replies will be accepted.
