but how do they even have a hidparse.sys file directly under System32?
i checked a few computers around me...
... ZERO of them have a file located at C:\Windows\System32\hidparse.sys
and all of them have the normal C:\Windows\System32\drivers\hidparse.sys
from what i can tell if you have a hidparse.sys directly under System32 that means it's an older version, likely planted there on purpose by a piece of malware so that they can exploit vulnerabilities present in those versions of the file / operating systems.
The steps indicated by Microsoft to xcopy the newest version from the drivers folder back to overwrite the old one in System32 mean the system remains functional but the attack/HID problem is most likely prevented from then on. (If you just delete the old one you risk getting blue screens)
This story about hidparse.sys starts to smell like NSA's EternalBlue + DoublePulsar all over again, especially since it involves HID parsing.
Maybe they were trying to hide USB keyboard/mouse/etc. interceptors/injectors disguised as extension cables or hubs?
/(black helicopter icon, because NSA, of course)