GIM Category: driver
The Driver category captures events related to system driver management, including loading, unloading, and configuration changes. Drivers operate with high privileges and interact directly with the operating system kernel, making driver events highly relevant for detecting unauthorized code execution, persistence mechanisms, or system integrity violations. This category supports monitoring of driver lifecycle activity across different operating systems.
loaded
Events that record when a system driver is loaded into memory. Driver loading typically occurs during system startup or device initialization, but unexpected or unsigned driver loads may indicate tampering or malicious kernel activity.

| gim_event_type_code | gim_event_class | gim_event_category | gim_event_subcategory | gim_event_type | description |
|---|---|---|---|---|---|
| 270000 | | driver | driver.loaded | system driver loaded | A system driver was loaded into memory, either during startup or through a manual or automated process. |

unloaded
Events that record when a system driver is unloaded from memory. While driver unloads can be part of normal device lifecycle operations, frequent or unexpected unloads may indicate troubleshooting activity or driver manipulation attempts.

| gim_event_type_code | gim_event_class | gim_event_category | gim_event_subcategory | gim_event_type | description |
|---|---|---|---|---|---|
| 270100 | | driver | driver.unloaded | system driver unloaded | A system driver was unloaded from memory, either as part of normal operation or manual intervention. |

default
General events related to system drivers that do not fit more specific subcategories. These may include driver configuration messages, version reports, or unsigned driver alerts.

| gim_event_type_code | gim_event_class | gim_event_category | gim_event_subcategory | gim_event_type | description |
|---|---|---|---|---|---|
| 279999 | | driver | driver.default | system driver event | Messages related to system driver configuration |
