I'm wondering if it's possible to get the name of a driver from the device that it created. Let's say I have a symbolic link that points to a device, \.\RTF64 -> \Device\RTF64. Is there any way to get the driver name (.sys) using just this information. Either I have to use some undocumented functions exported by ntdll.dll or write a driver which retrieves the information I want. Is it even possible to do?.

I've looked trough various functions exported by ntdll.dll but have not found anything yet.

CodePudding user response：

In user mode you can use SetupDi* functions to enumerate all the devices and interfaces then use SetupDiGetDeviceInterfaceDetail to get the device path.
Then use something like SetupDiGetDriverInfoDetail to get details about the driver.

Edit: As mentioned in the comments it only works if the driver registered an interface for the device object, which is not possible in some cases (control device objects)