By default, all 64-bit Windows versions, starting from Windows 7, prohibit to install drivers of the devices that do not have a valid digital signature. The digital signature guarantees (to some extent) that the driver has been issued by a certain developer or vendor, and its code hasn’t been modified after it was signed.
In Windows 7 x64, there are several ways to disable the verification of a digital signature of the installed driver: with a group policy or a test boot mode.
Today we’ll show how to sign any unsigned driver for the 64-bit version of Windows 7.
Suppose we have a certain device driver for Windows 7 x64 for which there is no digital signature (in our example, it is the driver for quite old video card). The archive with drivers for our Windows version has been downloaded from the manufacturer’s website and its contents has been extracted to c:\tools\drv1\. Let’s try to install the driver by adding it to Windows driver store with a standard tool pnputil.
Pnputil –a c:\tools\drv1\xg20gr.inf
During installation, the system displays a warning that it cannot verify the digital signature for this driver.
Let’s try to sign this driver with a self-signed certificate.
What Tools We Need
For our work, we need to download and install (with default settings) the following Windows app development tools.
- Microsoft Windows SDK for Windows is distributed as an ISO image GRMSDK_EN_DVD.iso with the size of 595 MB
- Windows Driver Kit 7.1.0 is the ISO of the image GRMWDK_EN_7600_1.ISO with the size of 649 MB
Create a Self-Signed Certificate and Private Key
Create a C:\DriverCert folder in the root directory.
Open the command line and go to the following directory:
cd C:\Program Files (x86)\Microsoft SDKs\Windows\v7.1\bin
Create a self-signed certificate and private key, issued, say, for the company WinOSHub:
makecert -r -sv C:\DriverCert\Drivers.pvk -n CN="WinOSHub" C:\DriverCert\Drivers.cer
In process of creation the tool prompts you to specify a password for the key, let it be P@ss0wrd.
Create a public key for a publisher certificate (PKSC) we have created earlier.
cert2spc C:\DriverCert\Drivers.cer C:\DriverCert\Drivers.spc
Combine the public key (.spc) and the private key (.pvk) in a single certificate file into a single file with format Personal Information Exchange (.pfx)
pvk2pfx -pvk C:\DriverCert\Drivers.pvk -pi P@ss0wrd -spc C:\DriverCert\Drivers.spc -pfx C:\DriverCert\Drivers.pfx -po P@ss0wrd
Preparation of the Driver Package
Create the directory C:\DriverCert\xg20 and copy all files from the folder into which the driver from the archive has been originally extracted (c:\tools\drv1\). Make sure that there are files with the extensions .sys and .inf among these files (in our case, they are xg20grp.sys and xg20gr.inf).
Go to the directory:
cd C:\WinDDK\7600.16385.1\bin\selfsign
Generate a CAT file (contains information about all the files in the driver package) on the base of the INF file.
inf2cat.exe /driver:"C:\DriverCert\xg20" /os:7_X64 /verbose
To make sure that the procedure was correct, check if the log file contains the messages:
Signability test complete.
|
and
Catalog generation complete.
|
After the command is executed, xg20gr.cat in the driver directory should be updated
Sign the driver with the self-signed certificate
Go to the directory
cd C:\Program Files (x86)\Microsoft SDKs\Windows\v7.1\Bin
Sign the set of the driver files with the certificate we have created using Verisign as a timestamp service.
signtool sign /f C:\DriverCert\Drivers.pfx /p P@ss0wrd /t http://timestamp.verisign.com/scripts/timstamp.dll /v C:\DriverCert\xg20\xg20gr.cat
Installing the Certificate
Since the certificate we created is self-signed, by default the system doesn’t trust it. Add our certificate in the local certificate store. You can do it using the following commands:
certmgr.exe -add C:\DriverCert\Drivers.cer -s -r localMachine ROOT
certmgr.exe -add C:\DriverCert\Drivers.cer -s -r localMachine TRUSTEDPUBLISHER
Or with the graphical certificate import wizard (the certificate should be put in Trusted Publishers and Trusted Root Certification Authorities stores)
Installation of the Driver Validated with the Self-signed Certificate
Try to install the driver we have signed again using the command:
Pnputil –i –a C:\DriverCert\xg20\xg20gr.inf
Now you won’t see the warning of the missing digital signature of the driver, the system only asks you instead if you are sure you want to install this driver. By clicking «Install», you install the driver in the system.
Unless you unable testmode (bcdedit /set testsigning on) to disable kernel drivers signature verification, Windows won’t allow the driver to load. You will not have the warning when installing the self-signed driver, but it won’t load.
I’ve tested it thoroughly, and it’s confirmed here and there.
You must add your self signed cert to Trusted Publishers and Trusted Root Certification Authorities containers in the local certificate store
I followed very carefully all these instructions, and i’m sorry to say that it doesn’t work: Window won’t allow the driver to run if it doen’t have a cross-signed signature.
It is confirmed here: minasi.com/newsletters/nws0903.htm
Mark Minasi: “Windows wants your cert to be cross-signed by Microsoft, which costs money, but you can tell Windows 7 (I’ve not tested Vista) to accept certs that aren’t signed by Microsoft with this command, executed from an elevated command prompt:
bcdedit /set testsigning on
This produces one side-effect: Windows shows “Test Mode” in the lower right-hand corner of the desktop.”
Here: ghisler.ch/board/viewtopic.php?t=24262&postdays=0&postorder=asc&start=15&sid=918bbb55edaeb08e6084af9d30a9ab5d
Flint: “I’ve read many discussions on programmers forums about the matter, everyone there confirmed that it was impossible to load unsigned or self-signed drivers in x64 (among those were many professionals, MVPs and driver programming experts).” (unless by enabling testmode, what is not recommanded because it is a security feature)
And here: msdn.microsoft.com/en-us/library/windows/hardware/ff544872%28v=vs.85%29.aspx
msdn.microsoft.com/en-us/library/windows/hardware/ff552299%28v=vs.85%29.aspx
I have also signed the driver itself (not only the cat file), to no avail.
I don’t know who made the test here, but this information is unaccurate: yes you won’t get a warning, the driver is installed, but it won’t be running.
interesting. please comment on signing windows 10. https://moln1.wordpress.com/2015/02/18/creating-self-signed-certificates-in-windows-10/
This worked great for me. There’s a known problem with Ricoh print drivers in which defaults set on the print server do not propagate to clients. Instead, Ricoh defaults need to be put into an RCF file included with the driver. Editing the RCF file breaks the digital signature, which causes clients to refuse to install the driver downloaded from the print server. Re-signing with a self signed certificate and distributing the certificate using group policy solved the problem.
Thanks so much for putting this article together. You made it easy for me to complete a complex process.
And I did test with Windows 10. It did work there, too.
Just wanted to say thanks for this.
I was able to self sign drivers for Win10 x64. One trick to remember is on the target PC to import the certificate into the “trusted root certification authorities” for “Local Computer”. Using certmgr -add did not seem to import to Local Computer, only Current User.
Thanks
Thanks for this method of self-signing a driver which won’t install due to Windows 10 signed driver installation firewall.
I had a very difficult time installing the Windows 7 SDK in Windows 10 because it kept complaining about the version of .NET Framework 4 was an incomplete version and I couldn’t install .NET Framework 4 because a newer version, 4.6.2 is installed and nothing I tried could deinstall it. What I did was expand the Windows 7 SDK and manually installed all of the modules I could then ran the installer which enabled me to fully install the Windows 7 SDK as an installation repair. As well, it is not in the “Program Files (x86)” folder, it is in the “Program Files” folder so change the instructions by removing “(x86)” from the command strings. After all that, which took a long time to figure out, the rest was a breeze. The only problem was that the date of the driver stated in the “.inf” file had to be updated to 04/21/2009 (at least) because it was too old for Windows 7 as it predated Windows 7. Now the 64bit driver for myAOpen FM56-EXV external serial voice capable modem is fully loaded in Windows 10.