By default, all 64-bit Windows versions, starting from Windows 7, prohibit to install devices drivers that are not signed with a valid digital signature. Unsigned drivers are blocked by the operating system. The digital signature guarantees (to some extent) that the driver has been released by a certain developer or vendor, and its code hasn’t been modified after it was signed.
In 64-bit (x64) Windows 10, 8.1 and 7 there are several ways to disable driver signature verification for the unsigned drivers: using a group policy or a test boot mode. Today we’ll show how to sign any unsigned driver for the 64-bit version of Windows 10 or Windows 7.
Suppose you have a certain unsigned device driver (without digital signature) for Windows 10 x64 or Windows 7 x64. In this example, it is the driver for quite old graphics card. The archive with drivers for your Windows version has been downloaded from the vendor’s website (I was able to find the video driver version for Windows Vista x64) and its contents has been extracted to c:\tools\drv1\. Let’s try to install the driver by adding it to Windows driver store with a standard pnputil tool:
Pnputil –a c:\tools\drv1\xg20gr.inf
During driver installation, Windows 7 displays a warning that the system can’t verify the digital signature of this driver:
Windows can’t verify the publisher of this driver software.
In Windows 10 this warning doesn’t appear, but a warning appears in the console:
Processing inf: xg20gr.inf
Adding the driver package failed: The third-party INF does not contain digital signature information.
If you right click on the inf driver file and select Install when installing a driver from File Explorer, you receive an error:
The third-party INF does not contain digital signature information.
Let’s try to sign this driver with a self-signed certificate.
Tools for Signing Drivers
To generate a signature and sign the driver, you need to download and install the following Windows application development tools (with the default settings):
- Windows SDK (or Microsoft Visual Studio 2005 or later) for your version of Windows. These packages include Windows SDK Signing tools for Desktop, which includes the necessary utility – signtool.exe;
- Windows Driver Kit 7.1.0.
Create a Self-Signed Certificate and Private Key
Create a C:\DriverCert folder in the root of the system drive.
Open the command prompt and go to the following directory:
cd C:\Program Files (x86)\Microsoft SDKs\Windows\v7.1\bin
Create a self-signed certificate and private key, that is issued, for example, for the company WinOSHub:
makecert -r -sv C:\DriverCert\myDrivers.pvk -n CN="WinOSHub" C:\DriverCert\myDrivers.cer
During the creation of the certificate, the tool will prompt you to specify a password for the key, let it be P@ss0wrd.
Create a public key for a publisher certificate (PKSC) we have created earlier:
cert2spc C:\DriverCert\myDrivers.cer C:\DriverCert\myDrivers.spc
Combine the public key (.spc) and the private key (.pvk) in a single certificate file with format Personal Information Exchange (.pfx):
pvk2pfx -pvk C:\DriverCert\Drivers.pvk -pi P@ss0wrd -spc C:\DriverCert\Drivers.spc -pfx C:\DriverCert\Drivers.pfx -po P@ss0wrd
$cert = New-SelfSignedCertificate -Subject "Woshub” -Type CodeSigningCert -CertStoreLocation cert:\LocalMachine\My
Then you need to export this certificate to the pfx file with the password:
$CertPassword = ConvertTo-SecureString -String “P@ss0wrd” -Force –AsPlainText
Export-PfxCertificate -Cert $cert -FilePath C:\DriverCert\myDrivers.pfx -Password $CertPassword
Creating a Catalog File (CAT) for Driver Package
Create the directory C:\DriverCert\xg20 and copy all files from the folder into which the driver from the archive has been originally extracted (c:\tools\drv1\). Make sure that there are files with the extensions .sys and .inf among these files (in our case, they are xg20grp.sys and xg20gr.inf).
Go to the directory:
cd C:\WinDDK\7600.16385.1\bin\selfsign
Generate a CAT file (contains information about all the files in the driver package) on the base of the INF file. On the base of an inf file using the inf2cat.exe tool (included in the Windows Driver Kit – WDK) generate a cat file for your platform (it contains information about all files in the driver package):
inf2cat.exe /driver:"C:\DriverCert\xg20" /os:7_X64 /verbose
To make sure that the procedure was correct, check if the log file contains the messages:
Signability test complete. |
and
Catalog generation complete. |
Signability test failed.
Errors:
22.9.7: DriverVer set to incorrect date (must be postdated to 4/21/2009 for newest OS) in \hdx861a.inf
To fix the error, find the line with DriverVer = in the [Version] section and replace it with:
DriverVer=05/01/2009,9.9.9.9
After the command is executed, the xg20gr.cat file should be updated in the drivers’ directory.
Signing the Driver Using Self-signed Certificate
Go to the following folder:
cd C:\Program Files (x86)\Microsoft SDKs\Windows\v7.1\Bin
Sign the set of the driver files with the certificate you have created earlier using Globalsign as a timestamp service. The following command will sign the CAT file with a digital signature using with a certificate stored in a PFX file, protected by a password:
signtool sign /f C:\DriverCert\myDrivers.pfx /p P@ss0wrd /t http://timestamp.verisign.com/scripts/timstamp.dll /v C:\DriverCert\xg20\xg20gr.cat
If the file is successfully signed, the following message should appear:
Successfully signed: C:\DriverCert\xg\xg20gr.cat
Number of files successfully Signed: 1
SignTool verify /v /pa c:\DriverCert\xg\xg20gr.cat
Or in the file properties on the Digital Signatures tab:
The CAT file contains digital signatures (thumbprints) of all the files that are in the driver directory (files listed in the INF file in the CopyFiles section). If any of these files has been changed, the checksum of the files will not match the data in the CAT file, and, as a result, the installation of such a driver will fail.
Installing the Self-Signed Certificate
Since the certificate we created is self-signed, by default the system doesn’t trust it. Add your certificate to the local computer certificate store. You can do it using the following commands:
certmgr.exe -add C:\DriverCert\Drivers.cer -s -r localMachine ROOT
certmgr.exe -add C:\DriverCert\Drivers.cer -s -r localMachine TRUSTEDPUBLISHER
Or do it with the graphical certificate import wizard (you need to place the certificate in the Trusted Publishers and Trusted Root Certification Authorities stores of the local machine). In a domain, you can distribute this certificate to client computer using Group Policy.
Installation of the Driver Signed with the Self-signed Certificate
Try to install the driver we have signed again using the command:
Pnputil –i –a C:\DriverCert\xg20\xg20gr.inf
Now you won’t see the warning about the missing digital signature of the driver.
Successfully installed the driver on a device on the system.
Driver package added successfully.
The following warning appears in Windows 7 x64: Would you like to install this device software? In Windows 10 x64 1803, this pop-up window doesn’t appear. By clicking «Install», you install the driver in the system.
If for some reason the driver is not installed, the detailed driver installation log is contained in the file C:\Windows\inf\setupapi.dev.log. This log file allows you to get more information about the driver installation errors. In most cases, there is a “Driver package failed signature validation” error – most likely this means that the driver certificate is not added to the trusted certificates store.
If the driver installation was successful, the setupapi.dev.log file should contain the following lines:
>>> [Device Install (DiInstallDriver) - C:\WINDOWS\System32\DriverStore\FileRepository\xg20gr.inf_amd64_c5955181214aa12b\xg20gr.inf]
>>> Section start 2018/07/22 23:32:57.015
cmd: Pnputil -i -a c:\DriverCert\xg\xg20gr.inf
ndv: Flags: 0x00000000
ndv: INF path: C:\WINDOWS\System32\DriverStore\FileRepository\xg20gr.inf_amd64_c5955181214aa12b\xg20gr.inf
inf: {SetupCopyOEMInf: C:\WINDOWS\System32\DriverStore\FileRepository\xg20gr.inf_amd64_c5955181214aa12b\xg20gr.inf} 13:23:37.046
inf: Copy style: 0x00000000
inf: Driver Store Path: C:\WINDOWS\System32\DriverStore\FileRepository\xg20gr.inf_amd64_c5955181214aa12b\xg20gr.inf
inf: Published Inf Path: C:\WINDOWS\INF\oem23.inf
inf: {SetupCopyOEMInf exit (0x00000000)} 13:23:37.077
<<< Section end 2018/07/22 13:23:37.155
<<< [Exit status: SUCCESS]
As you can see, to install the self-signed driver we did not even have to disable the digital signature verification of the drivers with the bcdedit.exe commands:
bcdedit.exe /set loadoptions DISABLE_INTEGRITY_CHECKS
bcdedit.exe /set testsigning ON
13 comments
Unless you unable testmode (bcdedit /set testsigning on) to disable kernel drivers signature verification, Windows won’t allow the driver to load. You will not have the warning when installing the self-signed driver, but it won’t load.
I’ve tested it thoroughly, and it’s confirmed here and there.
You must add your self signed cert to Trusted Publishers and Trusted Root Certification Authorities containers in the local certificate store
I followed very carefully all these instructions, and i’m sorry to say that it doesn’t work: Window won’t allow the driver to run if it doen’t have a cross-signed signature.
It is confirmed here: minasi.com/newsletters/nws0903.htm
Mark Minasi: “Windows wants your cert to be cross-signed by Microsoft, which costs money, but you can tell Windows 7 (I’ve not tested Vista) to accept certs that aren’t signed by Microsoft with this command, executed from an elevated command prompt:
bcdedit /set testsigning on
This produces one side-effect: Windows shows “Test Mode” in the lower right-hand corner of the desktop.”
Here: ghisler.ch/board/viewtopic.php?t=24262&postdays=0&postorder=asc&start=15&sid=918bbb55edaeb08e6084af9d30a9ab5d
Flint: “I’ve read many discussions on programmers forums about the matter, everyone there confirmed that it was impossible to load unsigned or self-signed drivers in x64 (among those were many professionals, MVPs and driver programming experts).” (unless by enabling testmode, what is not recommanded because it is a security feature)
And here: msdn.microsoft.com/en-us/library/windows/hardware/ff544872%28v=vs.85%29.aspx
msdn.microsoft.com/en-us/library/windows/hardware/ff552299%28v=vs.85%29.aspx
I have also signed the driver itself (not only the cat file), to no avail.
I don’t know who made the test here, but this information is unaccurate: yes you won’t get a warning, the driver is installed, but it won’t be running.
interesting. please comment on signing windows 10. https://moln1.wordpress.com/2015/02/18/creating-self-signed-certificates-in-windows-10/
This worked great for me. There’s a known problem with Ricoh print drivers in which defaults set on the print server do not propagate to clients. Instead, Ricoh defaults need to be put into an RCF file included with the driver. Editing the RCF file breaks the digital signature, which causes clients to refuse to install the driver downloaded from the print server. Re-signing with a self signed certificate and distributing the certificate using group policy solved the problem.
Thanks so much for putting this article together. You made it easy for me to complete a complex process.
And I did test with Windows 10. It did work there, too.
Just wanted to say thanks for this.
I was able to self sign drivers for Win10 x64. One trick to remember is on the target PC to import the certificate into the “trusted root certification authorities” for “Local Computer”. Using certmgr -add did not seem to import to Local Computer, only Current User.
Thanks
Thanks for this method of self-signing a driver which won’t install due to Windows 10 signed driver installation firewall.
I had a very difficult time installing the Windows 7 SDK in Windows 10 because it kept complaining about the version of .NET Framework 4 was an incomplete version and I couldn’t install .NET Framework 4 because a newer version, 4.6.2 is installed and nothing I tried could deinstall it. What I did was expand the Windows 7 SDK and manually installed all of the modules I could then ran the installer which enabled me to fully install the Windows 7 SDK as an installation repair. As well, it is not in the “Program Files (x86)” folder, it is in the “Program Files” folder so change the instructions by removing “(x86)” from the command strings. After all that, which took a long time to figure out, the rest was a breeze. The only problem was that the date of the driver stated in the “.inf” file had to be updated to 04/21/2009 (at least) because it was too old for Windows 7 as it predated Windows 7. Now the 64bit driver for myAOpen FM56-EXV external serial voice capable modem is fully loaded in Windows 10.
I tried the steps, and it does what it says — it gets rid of the warning message when using pnputil.
It doesn’t make the driver work.
To understand why see this table in David Grayson’s excellent article:
http://www.davidegrayson.com/signing/#reqs
While you’re making the steps to “make it look good” by adding a Trusted Root Certification Authority, you’re still missing a “Microsoft Code Verification Root” because your Trusted Root is not recognized by Microsoft.
Great link, thanks!
You absolutely made my day!!! – Great Article. Worked for me like a charm! Thanks a lot for your input!
Please avoid to spread false informations on the web!
All this does not work and cannot work on 64bit Windows 10 (tested on a third-party PCSC kernel driver)
Worked on Windows 10 ,1803 using the enterprise SDK. Obviously, some commands need to be changed and you have to add the ROOT cert to the store or this will not be trusted!!!