When buggy third-party drivers crash a system and trigger a Blue Screen of Death (BSOD), it can be difficult to pinpoint the source among all the actively running software. An alternative to using WinDbg is to identify any device driver addition or change that occurred prior to the BSOD event.

Windows device drivers are just one part of the broader Windows operating environment function called Autorun Settings. Windows' Autorun Settings identify Windows auto-starting software, including all Windows device drivers, during system bootup or login.

In this image, AutorunCheck Forensic v1.0.1 displays the BEFORE and AFTER state of a driver. When chasing down the cause of a system crash, knowing what changed is valuable.

As an alternative to the tried-and-true Windows Debugger method, buggy device drivers that caused Windows to go from a stable operating environment to suffering a BSOD can be discovered through a process of authenticating all device drivers and detecting any recent change events (such as device driver changes or additions).

The process of discovering, authenticating, and detecting driver state changes can be accomplished using a myriad of available Autorun utilities, but most require manually combing through all of the system's Autorun Settings, which can be a time-consuming, frustrating process.

Some utilities, listed in the following table, are capable of automating this process through built-in functionality. These Autorun utilities allow you to take a snapshot of the current Windows system state, identify all recent system change events, and authenticate non-offending change events. These system change events identify the timeline and driver differences, which ultimately help to identify the BSOD culprit.

The following table is not a comprehensive comparison of all features of the products listed, but highlights the features that apply to BSOD issues.

Autorun utility software capable of automating driver change detection

| Product | Autoruns | AutorunCheck | ConfigSafe | FireTower Guard |
|---|---|---|---|---|
| Triggering | On-Demand | On-Demand | On-Demand | Real-Time |
| Discovery (1) | Live only | Live + Shadows | Live + Shadows | Live only |
| Authentication (2) | 2a | 2b | None | 2c |
| Change Detection (3) | Manual | Manual | Manual | Real-Time |

Note:

1: Discovery: Discover auto-starting locations for the live Windows state and the Windows state in Volume Shadow Copies.
2: Authentication: Authentication through file image hash value in Autorun Settings from malware databases and whitelist databases.
2a: Authentication source: VirusTotal.com.
2b: Authentication source: Autorun Setting Repository, and three adjustable online anti-malware engines.
2c: Authentication source: Autorun Setting Repository, and three adjustable online anti-malware engines.
3: Change Detection: Manually compare two Autorun snapshots vs. real-time automatic change detection notification.
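The manual snapshot comparison described above can be sketched in a few lines. This is an added example, not code from any of the listed products; the snapshot CSV layout, driver names, hash placeholders and the `KNOWN_GOOD` allowlist are all assumptions constructed for illustration.

```python
import csv
import io

# Constructed snapshots (not from a real system): one row per driver with its
# service name, image path, placeholder image hash, and start type.
BEFORE = r"""name,path,sha256,start
disk,C:\Windows\System32\drivers\disk.sys,hash-disk-v1,boot
netfilt,C:\Windows\System32\drivers\netfilt.sys,hash-netfilt-v1,system
oldcam,C:\Windows\System32\drivers\oldcam.sys,hash-oldcam-v1,demand
"""
AFTER = r"""name,path,sha256,start
disk,C:\Windows\System32\drivers\disk.sys,hash-disk-v1,boot
netfilt,C:\Windows\System32\drivers\netfilt.sys,hash-netfilt-v2,system
gfxboost,C:\Windows\System32\drivers\gfxboost.sys,hash-gfxboost-v1,boot
"""
# Hypothetical allowlist of image hashes already authenticated as known-good.
KNOWN_GOOD = {"hash-disk-v1", "hash-netfilt-v1", "hash-netfilt-v2"}


def load(snapshot_csv):
    """Index a snapshot by lower-cased driver name (Windows names are case-insensitive)."""
    return {row["name"].lower(): row for row in csv.DictReader(io.StringIO(snapshot_csv))}


def diff(before, after):
    """Return change events between two snapshots as (kind, name, image hash) tuples."""
    events = []
    for name in sorted(before.keys() | after.keys()):
        old, new = before.get(name), after.get(name)
        if old is None:
            events.append(("added", name, new["sha256"]))
        elif new is None:
            events.append(("removed", name, old["sha256"]))
        elif any(old[f] != new[f] for f in ("path", "sha256", "start")):
            events.append(("changed", name, new["sha256"]))
    return events


def suspects(events, known_good):
    """Keep additions and changes whose current image hash is not authenticated."""
    return [e for e in events if e[0] != "removed" and e[2] not in known_good]


if __name__ == "__main__":
    events = diff(load(BEFORE), load(AFTER))
    for kind, name, digest in events:
        print(f"{kind:8} {name:10} {digest}")
    print("unauthenticated:", [name for _, name, _ in suspects(events, KNOWN_GOOD)])
```

Authenticating the changed-but-known-good driver removes it from the list, leaving only the unauthenticated addition as the candidate to investigate first.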