Windows device installation uses digital signatures to verify the integrity of driver packages and to verify the identity of the publishers of the driver packages.
In addition, the kernel-mode code signing policy for 64-bit versions of Windows Server 2008 and Windows Vista specifies that a kernel-mode driver must be signed in order for the driver to load.
This can cause problems where an application or driver has not been signed and you wish to use it with Microsoft Windows Vista x64 and Microsoft Windows Server 2008 x64.
The solution is to use the Windows Driver Kit to create your own certificate and sign your own drivers. Note that under the licensing agreements you are not permitted to distribute any part of the WDK or your test certificates and drivers.
Skills and Requirements:
This guide assumes you know how to use Windows Explorer to find and copy files, including those in the hidden system partitions (Windows\System32). It also assumes you know how to run a command prompt as administrator in Windows Vista, and execute commands. You will need to examine the Windows Event log. You will also need a Windows Live ID. You will need ~5Gb of free space, temporarily.
Obtaining the Windows Driver Kit:
The first step in creating your own test-signed drivers is to obtain the Windows Driver Kit. This is a simple process, but requires a Windows Live ID that you must then register on the Windows Connect site.
Windows Connect:
The link below will show you the steps to gaining access to the Windows Connect site, and registering for the Windows Driver Kit. Once you have registered you can download the ~2.3Gb ISO file containing all the tools you will ever need, want or desire, for Windows Drivers.
Code:
How to Get the Windows Driver Kit and the Windows Logo Kit http://www.microsoft.com/whdc/DevTools/WDK/WDKpkg.mspx
If you get a 'page not found' error when clicking this link, follow this link:
http://www.microsoft.com/whdc/devtools/WDK/default.mspx and click on the "How to Get the Windows Driver Kit and the Windows Logo Kit" link on that page.
These steps should take only a couple of minutes to complete. The download may take longer, depending on your connection speed. Go watch a movie unless you have a 5mbps+ connection and are locally situated to the Microsoft download servers.

Installing the Windows Driver Kit:
Once you have downloaded the ISO file, you will need to access the files within. Either burn it to DVD, mount it in a virtual DVD drive or extract it to your hard drive.
Now you need to install the kit, by running the installer, satisfying the prerequisites, and finally installing the WDK. Note that this can use up to 1800mb of drive space.

Finding the driver signing executables:
Now we need to gather the tools we need. We want to use the following executables and files:
Code:
capicom.dll
certmgr.exe
makecert.exe
signtool.exe
which are located in the following directory:
Code:
C:\WinDDK\6000\bin\SelfSign
Where C: is the local drive you installed to (default is system partition, usually C:).
Yes, we download a 2.7Gb ISO and installed a 1.7Gb set of applications, to get access to 700Kb of files.
If anyone knows how to get the executables and libraries directly from the image, please let me know.
Copy the files to a temporary work location, such as C:\driversign\ (create the folder if it doesn't exist).
Create a Certificate:
The first thing we need is a certificate. This is a test certificate, as you yourself are declaring the authenticity of the files you sign. Thus, only sign drivers you trust, and don't use anyone else's test certificate. To create your certificate, open a command window as an administrator, change directory to your temporary work location and enter the following commands:
Code:
makecert.exe -$ individual -r -pe -ss "Caveman Certificate Store" -n CN="Caveman Certificate" "Caveman Certificate.cer"
certmgr.exe /add "Caveman Certificate.cer" /s /r localMachine root
These two commands create the certificate and add it to the local machine's root certificate store. You can examine, add, or delete the certificate through the Certificate snap-in, which you may either add to an MMC instance or run via
Code:
%WINDIR%\system32\certmgr.msc
Obviously, you may substitute your own name for mine. Leave the command window open; we're going to use it again shortly.
Now we need to gather the driver files we want to sign. For example, if I am going to use VMware Server 1.0.5, I run the download and run the installer executable. I followed the prompts until the red banded Driver Signing alerts appeared - which took some time, as Windows tries to verify the drivers itself before throwing an alert back to the user. Be patient, and ignore any warning messages that appear indicating that the Windows Installer has encountered a problem or failed. Once the Driver Signing alerts appear, navigate to the install directory, and find the driver files - all the .sys extension files. Copy these to the temporary work location you created earlier. Now, accept the driver signing warnings, and complete the installation of the software. Don't try and run it yet.
Signing The Drivers:
For each driver listed in the temporary work location, run the signtool executable as follows:
Code:
signtool.exe sign /v /s "Caveman Certificate Store" /n "Caveman Certificate" drivername.sys
If you've entered the command correctly, you will see a success report. If there was a failure, recheck your spelling and syntax and try again.
Now verify the validity, by running the signtool executable again:
Code:
signtool.exe verify /pa /v drivername.sys
Once you've completed your signing, copy the .sys files back into two locations - the original program files location, and the Windows System32 folder. Overwrite any existing files.
Test Sign Mode:
Finally, we need to allow test-signed drivers to load into the kernel. To do this we need to edit the startup options, using BCDedit:
Code:
bcdedit.exe /set TESTSIGNING ON
This is the only 'ugly' part of the process - from now on your desktop will display 'Test Mode' in all four corners, just as Windows does when you boot into Safe mode. At first I found it jarring, but after a while I don't even notice it. The benefits of running the software I want, how I want, outweigh the disadvantages for me.
Note that if the drivers you are attempting to install are not compatible with 64-bit systems, this process will not help.
Reboot and Test:
Now reboot your system. If all is well, then you should see the Test Mode alerts in all four corners of the screen. Check the Windows Event logs for failed driver loads. If there are any, find them and sign them, copy them to where they need to be and reboot. Rinse and repeat as needed.
Cleanup:
Uninstall the WDK using Control Panel's Programs and Features - Uninstall a Program and delete the downloaded ISO if there is nothing further you need from it. I suggest burning it to DVD, just in case you need it again later.
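The sign and verify steps from the guide, combined into one batch script that stops you from copying back a driver that failed either step. This is an added example, not part of the original guide; it assumes the tools and .sys files are in C:\driversign and reuses the store and certificate names from the guide's commands, while the exit codes and the :SignOne label are the example's own.

```batch
@echo off
rem Added example, not part of the original guide.
rem Signs and verifies every .sys file in the work folder with the
rem certificate created earlier. Folder, store and certificate names are
rem the ones used in the guide; change them if you used your own.
setlocal
set "WORKDIR=C:\driversign"
set "STORE=Caveman Certificate Store"
set "CERT=Caveman Certificate"
set "FAILED=0"

rem signtool.exe was copied into the work folder, so run from there.
pushd "%WORKDIR%" || (echo Cannot open %WORKDIR% & exit /b 2)
if not exist *.sys (
    echo No .sys files found in %WORKDIR%
    popd
    exit /b 2
)

for %%F in (*.sys) do call :SignOne "%%F"
popd

if "%FAILED%"=="1" (
    echo One or more drivers failed. Do not copy anything back yet.
    exit /b 1
)
echo All drivers signed and verified.
exit /b 0

:SignOne
rem Sign with the test certificate, then verify before reporting success.
signtool.exe sign /v /s "%STORE%" /n "%CERT%" "%~1"
if errorlevel 1 (
    echo [FAIL] signing %~1
    set "FAILED=1"
    goto :eof
)
signtool.exe verify /pa /v "%~1"
if errorlevel 1 (
    echo [FAIL] verifying %~1
    set "FAILED=1"
    goto :eof
)
echo [ OK ] %~1
goto :eof
```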