Troubleshooting Hardware with NoVirusThanks Dos Device Inspector

How to Use NoVirusThanks Dos Device Inspector for Driver Analysis

What it is

NoVirusThanks Dos Device Inspector is a Windows utility that lists loaded kernel-mode drivers, device objects, and associated information useful for analyzing driver behavior, investigating rootkits, and troubleshooting hardware/driver issues.

Install and run

  1. Download the tool from the official NoVirusThanks site and extract the ZIP to a folder.
  2. Right-click the executable and choose Run as administrator (required to view kernel drivers).
  3. If Windows SmartScreen or UAC prompts appear, allow the program to proceed.

Key interface elements

  • Drivers list: shows loaded drivers with base address, size, module path, and timestamp.
  • Device objects: lists device names and associated driver(s).
  • IRP hooks / dispatch table indicators: highlights suspicious entries where driver dispatch addresses point outside expected ranges.
  • Filters/search box: quickly locate drivers by name or path.

Basic workflow for driver analysis

  1. Start the tool as admin and let it enumerate drivers.
  2. Scan the drivers list for:
    • Unknown or unsigned driver names.
    • Modules with paths in temporary or user-writable folders.
    • Modules whose timestamp or version info looks inconsistent.
  3. Select a driver to view details: base address, size, file path, and export functions.
  4. Check device objects for unexpected symbolic names or devices with no clear vendor association.
  5. Use the IRP dispatch/dispatch table view to spot hooks: handlers pointing to third-party modules or addresses outside the driver’s module range can indicate hooking/rootkit behavior.
  6. Cross-reference suspicious driver paths with VirusTotal, driver signing information, and vendor websites.
  7. If malware is suspected, quarantine the file and investigate further offline (memory forensics, full AV scan, boot-time scan).
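
The range check from step 5, as an added Python example (not code from the tool or from the original page). The module list and dispatch addresses are constructed sample values, `example.sys` is a hypothetical driver, and no particular export format of the tool is assumed.

```python
from bisect import bisect_right
from typing import NamedTuple

class Module(NamedTuple):
    name: str
    base: int
    size: int

# Constructed sample data (not output of the tool): loaded modules and one
# driver's dispatch handlers, keyed by IRP major function name.
MODULES = [
    Module("ntoskrnl.exe", 0xFFFFF80010000000, 0x01000000),
    Module("disk.sys",     0xFFFFF80012000000, 0x00020000),
    Module("example.sys",  0xFFFFF80013000000, 0x00010000),  # hypothetical driver
]
DISPATCH = {
    "IRP_MJ_CREATE":            0xFFFFF80012001000,  # inside disk.sys
    "IRP_MJ_READ":              0xFFFFF80013004000,  # inside example.sys
    "IRP_MJ_DEVICE_CONTROL":    0xFFFFF90000001234,  # in no loaded module
    "IRP_MJ_CREATE_NAMED_PIPE": 0xFFFFF80010123456,  # inside the kernel image
}

def owner_of(addr, modules):
    """Return the module whose [base, base+size) contains addr, else None."""
    mods = sorted(modules, key=lambda m: m.base)
    i = bisect_right([m.base for m in mods], addr) - 1
    if i >= 0 and addr < mods[i].base + mods[i].size:
        return mods[i]
    return None

def classify(driver, dispatch, modules, kernel="ntoskrnl.exe"):
    """Label each handler: own, kernel-default, foreign:<module>, or unbacked."""
    result = {}
    for major, addr in dispatch.items():
        owner = owner_of(addr, modules)
        if owner is None:
            result[major] = "unbacked"        # memory that no loaded module owns
        elif owner.name.lower() == driver.lower():
            result[major] = "own"
        elif owner.name.lower() == kernel.lower():
            result[major] = "kernel-default"  # unhandled majors normally land in the kernel
        else:
            result[major] = "foreign:" + owner.name
    return result

def findings(driver, dispatch, modules):
    """Return only the entries that need manual review."""
    return {k: v for k, v in classify(driver, dispatch, modules).items()
            if v == "unbacked" or v.startswith("foreign:")}
```

A `foreign:` result is a lead, not a verdict: miniport and filter stacks legitimately route some handlers through a vendor or class driver, so confirm the owning module's signature and path before treating it as a hook.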

Advanced tips

  • Compare driver base addresses and sizes with a clean baseline of the same OS/build to spot injected code.
  • Combine with Process Explorer, Autoruns, and a kernel debugger (WinDbg) for deeper analysis.
  • Use checksum/version details to detect tampered drivers.
  • For automation, script repeated snapshots and diffs to detect transient drivers.

Remediation steps (if a driver is malicious/suspicious)

  1. Boot into Safe Mode or WinPE.
  2. Back up the driver file and relevant system state.
  3. Remove the driver via Device Manager or delete the driver file from the file system.
  4. Clean up the registry entries for the service/driver under HKLM\SYSTEM\CurrentControlSet\Services.
  5. Reboot and verify the driver no longer appears; run full antivirus and integrity checks.

Quick checklist

  • Run tool as admin
  • Verify driver signing and file path
  • Inspect IRP dispatch addresses for out-of-range hooks
  • Cross-check with external threat intelligence (VirusTotal)
  • Back up before removal; use Safe Mode for remediation

Resources

  • NoVirusThanks official download and documentation
  • VirusTotal for file scanning
  • Microsoft Docs on kernel drivers and driver signing
