Sign your unsigned drivers - Damn It

Jun 8

Written by:
6/8/2012 2:09 PM

The drivers saga continues...

Note: This article is for Windows 7 only, requirements for Windows 8 or Windows 8.1 drivers are different.

For a driver to be ranked correctly by Windows 7 Setup it should be signed, and for Windows 7 x64 deployments it really needs to be signed. However, sometimes vendors don't provide signed drivers, or you need to modify a driver for a specific device, and when you do, you break the signature. For Windows 7, the solution is to sign the driver yourself.

In this example you sign an unsigned driver for Windows 7 named b57nd60a.inf (yes, it's the Broadcom NetXtreme Desktop driver) for the fictional company ViaMonstra. The scenario is that you have modified the b57nd60a.inf file so that its signature is now broken.

This means that if you, for example, try to add the driver to the Windows 7 driver store using pnputil -a b57nd60a.inf, you will be met by the following:

Signing drivers - Overview

- Get the tools
- Create the certificate and private key
- Create the catalog file
- Sign and timestamp the driver
- Install the certificate


Signing drivers - Detailed steps

Again, in this example you sign an unsigned driver named b57nd60a.inf for the fictional company ViaMonstra. Remember that the scenario is that you have modified the b57nd60a.inf file so that its signature is now broken.


Step 1 - Get the tools

- Go to www.microsoft.com/downloads, download and then install the Windows SDK for Windows 7

- Go to www.microsoft.com/downloads, download and then install the Windows Driver Kit 7.1.0



Step 2 - Create the certificate and private key

- Create a folder named C:\ViaMonstraDriversCert

- Start the command prompt and type the following commands, press Enter after each command.

cd /d "C:\Program Files (x86)\Microsoft SDKs\Windows\v7.0A\Bin"

makecert -r -sv C:\ViaMonstraDriversCert\ViaMonstraDrivers.pvk -n "CN=ViaMonstra" C:\ViaMonstraDriversCert\ViaMonstraDrivers.cer


Assign a password of P@ssw0rd (the same password is used in the pvk2pfx and signtool commands below).


cert2spc C:\ViaMonstraDriversCert\ViaMonstraDrivers.cer C:\ViaMonstraDriversCert\ViaMonstraDrivers.spc

pvk2pfx -pvk C:\ViaMonstraDriversCert\ViaMonstraDrivers.pvk -pi P@ssw0rd -spc C:\ViaMonstraDriversCert\ViaMonstraDrivers.spc -pfx C:\ViaMonstraDriversCert\ViaMonstraDrivers.pfx -po P@ssw0rd


Step 3 - Create the catalog file

- Create the C:\ViaMonstraDriversCert\Broadcom folder and copy the b57nd60a.inf and b57nd60a.sys file to it.

- Start the command prompt and type the following commands, press Enter after each command.

cd /d "C:\WinDDK\7600.16385.1\bin\selfsign"

inf2cat.exe /driver:"C:\ViaMonstraDriversCert\Broadcom" /os:7_X64 /verbose



Running inf2cat.exe


Step 4 - Sign and timestamp the driver

- Create the C:\ViaMonstraDriversCert\Broadcom folder and copy the b57nd60a.inf file to it.

- Start the command prompt and type the following commands, press Enter after each command.

cd /d "C:\Program Files (x86)\Microsoft SDKs\Windows\v7.0A\Bin"

signtool sign /f C:\ViaMonstraDriversCert\ViaMonstraDrivers.pfx /p P@ssw0rd /t http://timestamp.verisign.com/scripts/timstamp.dll /v C:\ViaMonstraDriversCert\Broadcom\b57nd60a.cat




Running the Signtool


Step 5 - Install the certificate


To trust the certificate on a single test computer (the signing certificate is private, and not yet trusted by the operating system), start the command prompt and type the following commands, press Enter after each command.

certmgr.exe -add C:\ViaMonstraDriversCert\ViaMonstraDrivers.cer -s -r localMachine ROOT

certmgr.exe -add C:\ViaMonstraDriversCert\ViaMonstraDrivers.cer -s -r localMachine TRUSTEDPUBLISHER

Note #1:
You can also use certutil to install the certificate.

Note #2:
You also need to configure Windows to allow driver certificates that are not cross-signed by Microsoft, by running the following command in an elevated command prompt and then rebooting: bcdedit /set testsigning on


After configuring the BCD and rebooting Windows 7, you see the new "Test Mode" text in the right-hand corner.
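The comments below show that the two common reasons a driver is still rejected after these steps are a certificate that is not actually trusted and test signing that is not enabled. The following PowerShell script is an added example (not part of the original post) that checks both, plus the catalog signature itself; it assumes the article's C:\ViaMonstraDriversCert paths and must run from an elevated prompt because bcdedit requires elevation.

```powershell
# Added example (not from the original post). Checks why a self-signed driver
# package may still be rejected on a Windows 7 test computer after steps 1-5.
# Paths assume the article's C:\ViaMonstraDriversCert layout; run elevated.
param(
    [string]$CatalogPath = 'C:\ViaMonstraDriversCert\Broadcom\b57nd60a.cat',
    [string]$CertPath    = 'C:\ViaMonstraDriversCert\ViaMonstraDrivers.cer'
)

$problems = @()

# 1. The .cat produced by inf2cat must carry a valid Authenticode signature.
$sig = Get-AuthenticodeSignature -FilePath $CatalogPath
"Catalog signature status : $($sig.Status)"
if ($sig.Status -ne 'Valid') { $problems += "catalog signature is $($sig.Status)" }
if ($sig.SignerCertificate) {
    "Signed by                : $($sig.SignerCertificate.Subject)"
    "Timestamped              : $($null -ne $sig.TimeStamperCertificate)"
}

# 2. The signing certificate must be in both LocalMachine stores that
#    certmgr.exe populated (ROOT and TRUSTEDPUBLISHER), and it must be the
#    same certificate that actually signed the catalog.
$cer = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $CertPath
foreach ($store in 'Root', 'TrustedPublisher') {
    $present = [bool](Get-ChildItem "Cert:\LocalMachine\$store" |
                      Where-Object { $_.Thumbprint -eq $cer.Thumbprint })
    "In LocalMachine\$store : $present"
    if (-not $present) { $problems += "certificate missing from LocalMachine\$store" }
}
if ($sig.SignerCertificate -and $sig.SignerCertificate.Thumbprint -ne $cer.Thumbprint) {
    $problems += 'catalog was signed with a different certificate than the one installed'
}

# 3. x64 still refuses drivers that are not cross-signed unless test signing
#    is on for the current boot entry (bcdedit /set testsigning on + reboot).
$bcd = (bcdedit /enum '{current}' 2>&1) -join "`n"
$testSigning = $bcd -match '(?im)^testsigning\s+Yes'
"Test signing enabled     : $testSigning"
if (-not $testSigning) { $problems += 'testsigning is not enabled in the BCD' }

''
if ($problems.Count -eq 0) {
    'All checks passed; pnputil -a b57nd60a.inf should now accept the driver.'
} else {
    'Likely causes of a Code 52 / unsigned-driver error:'
    $problems | ForEach-Object { " - $_" }
}
```

If the catalog status is anything other than Valid while the certificate is present in both stores, re-run inf2cat and signtool, because the .inf was changed after the catalog was generated.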

Now when you run pnputil -a b57nd60a.inf again, you will be met by the following:

References:

MSDN docs on driver ranking:

How Windows Ranks Drivers (Windows Vista and Later)
http://msdn.microsoft.com/en-us/library/windows/hardware/ff546225%28v=vs.85%29.aspx


/ Johan

20 comment(s) so far...



Re: Sign your unsigned drivers - Damn It

I have been wanting to re-sign drivers for a long time, but never wanted to invest the time to figure out how to do it, thanks.
This is especially useful with NIC drivers where you might want to adjust some default settings different from the manufacturer (like powersave/sleeping.)

I am thinking of signing the certs with one issued from the domain CA - that way all domain clients will automatically trust the drivers without further action. You also mention deploying these certs via a GPO. In both methods though, this gets the certs to the client too late during OS deployment, doesn't it? The client, when it is looking for drivers during the OSD deployment, is not going to be joined to the domain yet - so it will neither trust the domain root certificate authority nor will it have applied the cert via a GPO yet.

Right?

I wonder if we can even import a root CA via TS prior to the PnP driver detection phase. Maybe it has to go into the WIM build process so that it is baked into Windows from the start?

By tmiller on   6/12/2012 12:05 PM

Re: Sign your unsigned drivers - Damn It

You are absolutely correct, pushing a cert via GPO won't help if you inject drivers during deployment... only for running pnputil or dpinst to push out drivers as an "application". For adding drivers during deployment the certificate needs to go in the reference image.

/ Johan

By Arwidmark on   6/22/2012 5:15 AM

Re: Sign your unsigned drivers - Damn It

Printer drivers are another area where this could be very useful.
Color/black and white, duplex settings and so on correctly set in accordance with your policies.....

By mats on   6/22/2012 11:32 AM

Re: Sign your unsigned drivers - Damn It

After following the whole procedure successfully, I still couldn't install my driver on x64. Finally I found the solution elsewhere, which should be added to the above.
Open Cmd in elevated mode (Run as administrator)

Type bcdedit.exe -set TESTSIGNING ON
Reboot
Now Install Driver.

By has on   8/13/2013 7:32 AM

Re: Sign your unsigned drivers - Damn It

Thanks for the feedback, I have made a note in the post.

/ Johan

By Arwidmark on   8/13/2013 7:06 PM

Re: Sign your unsigned drivers - Damn It

Hi Johan,
This is what was puzzling me, because this is the complete procedure for driver signing, and I tried to install the certificate over and over; every time it says successfully installed. Following all of the five steps gives me exactly the same results as mentioned above. Even in group policy, everything is fine. Reboot, uninstall, reinstall etc.. all the possible methods attempted. I have Windows 7 x64, Enterprise version, and it's a corporate (company) laptop, which may have some hidden scripts running.

By has on   8/16/2013 1:47 PM

Re: Sign your unsigned drivers - Damn It

Hi

We've been trying to use your method to get WDS to add our Intel HD Graphics drivers into the Console under the drivers branch.
We've used the command line to add the drivers and verified it won't add the drivers because the drivers aren't signed.

Now, we've followed the procedure and effectively, we get the same end result as you do.
BUT, WDS still says the driver is unsigned when we try to add it.

I have to admit I'm not entirely understanding the process.

Could you provide any help as to what steps might be different when you try to sign a driver to use in WDS compared to your scenario?

By Wim on   8/21/2013 4:47 AM

Re: Sign your unsigned drivers - Damn It

I never ever use WDS as is for deployment so I don't know. You should integrate WDS with MDT to get a deployment solution that provides solid driver injection routines. The driver (and OS deployment) handling in WDS is nothing but a joke. The only thing WDS is good at is providing a way to network boot the MDT boot image, and providing multicast (optional) for the OS images in MDT.

/ Johan

By Arwidmark on   8/24/2013 10:37 AM

Re: Sign your unsigned drivers - Damn It

Thanks for your reply! We were actually happy with WDS/WSIM combination but this 'x64 drivers have to be signed' is just silly. We're the friggin sys administrators, we know it's not signed we changed them ourselves. Come on Microsoft! Provide an 'ignore' button...

Anyways, thanks again for your reply, I'll look into MDT and see if that offers us any advantages!

By Wim on   8/28/2013 3:18 AM

Re: Sign your unsigned drivers - Damn It

To clarify. We didn't want to inject the drivers in the images as we use quite a few different images. But from what I gather there might be a good way to do it headache free so I'll look into it!

By Wim on   8/28/2013 3:21 AM

Re: Sign your unsigned drivers - Damn It

Hi! I successfully signed the driver based on the instructions above but I still get this notice in Device Manager:

"Windows cannot verify the digital signature for the drivers required for this device. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source. (Code 52)"

I used a GoDaddy code signing cert to sign the driver. I was wondering how to get rid of this message?

thanks

By anba on   9/11/2013 5:21 AM

Re: Sign your unsigned drivers - Damn It

If the certificate you used to sign the driver is trusted by the machine you should be good.

/ Johan

By Arwidmark on   9/18/2013 11:30 AM

Re: Sign your unsigned drivers - Damn It

Just tried to start following your instructions. Interestingly, the download from Microsoft for Windows SDK gives me a message that it cannot execute because a .cab file in the executable is unsigned. I found that a bit ironic.

By bigredeo on   12/23/2013 10:24 AM

Re: Sign your unsigned drivers - Damn It

Sorry, haven't seen that... If you still need help, please ping me offline (see contact info in the About link).

/ Johan

By Arwidmark on   1/5/2014 5:39 AM

Re: Sign your unsigned drivers - Damn It

Great post. How do you do this for Windows 2012 R2?

By hgreenwood on   7/30/2014 12:20 AM

Re: Sign your unsigned drivers - Damn It

Please can you tell me if this will resolve my problem?
I am trying to install W7 x64; my system only has SCSI drives via an Adaptec 2940u/uw controller card. There is no W7 x64 support for this card, however there was x64 support for Vista. I have the Vista drivers but of course W7 says "driver not signed". Can I use your info to sign this driver for W7?
Many Thanks

By Jeeves on   7/31/2014 2:35 AM

Re: Sign your unsigned drivers - Damn It

Jeeves, not really, this post is not for using the driver as part of deployment, just to provide a way of adding unsigned drivers to a running system, primarily for testing....

According to Adaptec, they don't support any x64 drivers for the 2940 u/uw, only x86 drivers. More info here: www.adaptec.com/en-us/support/scsi/2940/aha-2940uw

My tip is buy a new controller.

/ Johan

By Arwidmark on   7/31/2014 6:57 AM

Re: Sign your unsigned drivers - Damn It

hgreenwood, Windows 8.1 and Windows Server 2012 R2 have slightly different requirements for drivers. I'll see if I can update the post to reflect that.

/ Johan

By Arwidmark on   7/31/2014 6:59 AM

Re: Sign your unsigned drivers - Damn It

Many thanks for your reply, a new controller it is then.

By Jeeves on   7/31/2014 10:14 PM