Hunting Down a Fake Windows Driver Foundation (WDF.exe)

🕵️‍♂️ How We Tracked Down a Fake Windows Driver Foundation (WDF.exe)

Malware often hides in plain sight, pretending to be legitimate system files. One such case is the fake Windows Driver Foundation (WDF.exe). Here’s how we detected, traced, and removed it using free tools like Autoruns, PowerShell, and Process Explorer.

Step 1: Spotting the Suspicious File

C:\Windows\Windows Driver Foundation (WDF).exe

A massive 672 MB executable with no signature or version info. Clearly not a legitimate Microsoft file.
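The same triage can be scripted so the size, version info and Authenticode status are captured in one place. This is an added example, not code from the original post; it assumes the file path quoted above and otherwise uses only built-in cmdlets.

```powershell
# Added example: triage a suspicious executable the way Step 1 describes.
# $Path is the path from the write-up; point it at your own file when reusing this.
$Path = 'C:\Windows\Windows Driver Foundation (WDF).exe'

$item = Get-Item -LiteralPath $Path -ErrorAction Stop
$sig  = Get-AuthenticodeSignature -LiteralPath $Path

[PSCustomObject]@{
    Path            = $item.FullName
    SizeMB          = [math]::Round($item.Length / 1MB, 1)
    Created         = $item.CreationTime
    LastWrite       = $item.LastWriteTime
    FileDescription = $item.VersionInfo.FileDescription   # empty for the fake file
    CompanyName     = $item.VersionInfo.CompanyName       # 'Microsoft Corporation' on real system binaries
    ProductVersion  = $item.VersionInfo.ProductVersion
    SignatureStatus = $sig.Status                          # Valid, NotSigned, HashMismatch, ...
    Signer          = $sig.SignerCertificate.Subject       # $null when unsigned
    SHA256          = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
} | Format-List
```

A genuine Microsoft component reports SignatureStatus Valid with a Microsoft signer and populated version fields; an unsigned, version-less binary of this size in C:\Windows is worth the rest of the investigation. The SHA256 is recorded so the file can be looked up or shared after it has been deleted.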

Step 2: Autoruns & PowerShell Checks

We exported all services and scheduled tasks, with their executable paths, to confirm there were no hidden startup entries.

Get-CimInstance Win32_Service | 
Select-Object Name, DisplayName, StartMode, PathName | 
Out-File C:\services_with_paths.txt
Get-ScheduledTask | ForEach-Object {
    foreach ($action in $_.Actions) {
        [PSCustomObject]@{
            TaskName   = $_.TaskName
            Path       = $_.TaskPath
            Execute    = $action.Execute
            Arguments  = $action.Arguments
        }
    }
} | Out-File C:\tasks_with_full_paths.txt -Width 4096

No service or task pointed to WDF.exe. Suspicious.

Step 3: Process Explorer Trail

Process Explorer revealed WDF.exe was spawned by cmd.exe running a script:

C:\Windows\System32\cmd.exe /c "C:\Windows\wtime.cmd"
@echo off
timeout /t 30
cd %windir%
%tmpd%"%windir%\Windows Driver Foundation (WDF).exe"
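Process Explorer shows this parent chain interactively; the same walk can be done from PowerShell when only a remote shell is available. This is an added example, not from the original post: it assumes the search string below matches the suspicious image path and reconstructs each parent chain from Win32_Process.

```powershell
# Added example: walk the parent chain of every process whose path or command line
# matches $Needle, reproducing what Process Explorer showed in Step 3.
$Needle = 'Windows Driver Foundation'   # substring of the suspicious image path

$all   = Get-CimInstance Win32_Process
$byPid = @{}
foreach ($p in $all) { $byPid[[int]$p.ProcessId] = $p }

function Get-ParentChain {
    param([int]$ProcessId)
    $chain = @()
    $seen  = @{}
    $cur   = $byPid[$ProcessId]
    while ($cur -and -not $seen.ContainsKey([int]$cur.ProcessId)) {
        $seen[[int]$cur.ProcessId] = $true
        $chain += [PSCustomObject]@{
            PID         = $cur.ProcessId
            Name        = $cur.Name
            Path        = $cur.ExecutablePath
            CommandLine = $cur.CommandLine
        }
        $parent = $byPid[[int]$cur.ParentProcessId]   # $null once the parent has exited
        # PIDs are reused: a "parent" created after its child is an unrelated process.
        if ($parent -and $parent.CreationDate -gt $cur.CreationDate) { break }
        $cur = $parent
    }
    return $chain
}

$hits = $all | Where-Object {
    $_.ExecutablePath -like "*$Needle*" -or $_.CommandLine -like "*$Needle*"
}
foreach ($proc in $hits) {
    "=== $($proc.Name) (PID $($proc.ProcessId)) and its ancestors ==="
    Get-ParentChain -ProcessId $proc.ProcessId | Format-Table -AutoSize -Wrap
}
```

In the case above the chain would read WDF.exe, then cmd.exe with the wtime.cmd command line, then whatever launched cmd.exe. The creation-time check matters because Windows recycles PIDs; without it a long-running process can appear to have a parent that was started later.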

Step 4: Registry Hijack Discovery

The Winlogon Shell value was hijacked to run the malicious script:

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Shell = explorer.exe,wudf.exe wtime.cmd

Normally, Shell should be only:

explorer.exe

Step 5: Cleanup

  • Restored Shell value to explorer.exe
  • Deleted malicious files:
    • C:\Windows\Windows Driver Foundation (WDF).exe
    • C:\Windows\wtime.cmd
    • C:\Windows\wudf.exe
  • Rebooted — malware no longer launched
  • Ran full malware scans for confirmation
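Steps 4 and 5 can be combined into one audit-and-restore script. This is an added example, not from the original post; it assumes the default Shell value is explorer.exe, checks the per-user Winlogon key as well because the same hijack works there, and only writes to the registry when -Restore is given.

```powershell
# Added example: audit the Winlogon Shell value (Step 4) and optionally restore it (Step 5).
# Save as Check-WinlogonShell.ps1 and run from an elevated prompt for the HKLM write.
[CmdletBinding(SupportsShouldProcess = $true)]
param([switch]$Restore)

$Expected = 'explorer.exe'
$Keys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon',
    'HKCU:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'   # per-user value, same technique
)

foreach ($Key in $Keys) {
    $value = (Get-ItemProperty -Path $Key -Name Shell -ErrorAction SilentlyContinue).Shell
    if ($null -eq $value) { "$Key : Shell not set (default $Expected applies)"; continue }

    # Winlogon treats Shell as a comma-separated list; every extra entry is another program run at logon.
    $entries = $value -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ }
    $extra   = $entries | Where-Object { $_ -ne $Expected }

    if (-not $extra) { "$Key : Shell = '$value' (OK)"; continue }

    Write-Warning "$Key : Shell = '$value' ; unexpected entries: $($extra -join ' | ')"
    foreach ($e in $extra) {
        # A bare name resolves through PATH, and C:\Windows is on it, which is why
        # 'wudf.exe wtime.cmd' worked without a directory in the case above.
        $exe      = ($e -split '\s+')[0]
        $resolved = Get-Command $exe -ErrorAction SilentlyContinue
        $where    = if ($resolved) { $resolved.Source } else { '<not found on PATH>' }
        "  '$e' -> $where"
    }

    if ($Restore -and $PSCmdlet.ShouldProcess($Key, "Set Shell to '$Expected'")) {
        Set-ItemProperty -Path $Key -Name Shell -Value $Expected
        "$Key : Shell restored to '$Expected'"
    }
}
```

Run it without arguments to audit, with -Restore -WhatIf to preview the change, and with -Restore to apply it. Resolving each extra entry tells you which files to collect and delete before the reboot; restoring the value alone leaves the binaries on disk.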

Lessons Learned

  • Malware can hijack Winlogon Shell instead of services or tasks
  • Exporting services and tasks with PowerShell helps confirm legitimacy
  • Process Explorer is invaluable for tracing parent processes
  • Always check registry keys for hidden startup hijacks

Conclusion

This detective work shows how persistence and free tools can uncover even the most hidden startup hijacks. By documenting the trail — from Autoruns to PowerShell exports, Process Explorer analysis, and registry inspection — we created a repeatable method for others to follow. Use this guide to protect your PC from impostor files like fake WDF.exe.
