February 14, 2022 | Windows 10, Windows 11, Windows 7, Windows Server 2016

How to Sign an Unsigned Device Driver in Windows?

By default, all 64-bit Windows versions prevent the installation of device drivers that are not signed with a valid digital signature: unsigned drivers are blocked by the operating system. A digital signature ensures that the driver has been released by a trusted developer or vendor and that its code hasn’t been modified.

There are several ways to disable driver signature verification for the unsigned drivers in Windows (using a GPO, a test boot mode, etc). Today we’ll show how to sign any unsigned driver for Windows x64 (the guide is applicable for Windows 11, 10, 8.1, and 7).

Contents:
  • Create a Self-Signed Driver Certificate
  • Creating a Catalog File (CAT) for Signing a Driver Package
  • Signing the Driver Package with a Self-Signed Certificate
  • Installing a Self-Signed Driver on Windows
  • User-Mode and Kernel-Mode Drivers in Windows

Suppose you have a certain unsigned device driver (without a digital signature) for Windows 10 x64. In this example, it is the driver for a quite old graphics card. The archive with drivers for your Windows version has been downloaded from the vendor’s website (I was able to find the video driver version only for Windows Vista x64) and its contents have been extracted to c:\tools\drv1\. Let’s try to install the driver by adding it to the Windows driver store with the built-in pnputil tool:

pnputil -a c:\tools\drv1\xg20gr.inf

Note. This command and all the next ones must be run in the command prompt as an administrator.

During driver installation, Windows 7 displays a warning that the operating system can’t verify the digital signature of this driver:

Windows can’t verify the publisher of this driver software.

In Windows 10 (21H2) this warning doesn’t appear, but an error appears in the console:

Processing inf: xg20gr.inf
Adding the driver package failed: The third-party INF does not contain digital signature information.

If you right-click on the inf driver file and select Install when installing a driver from File Explorer, you receive an error:

The third-party INF does not contain digital signature information.

Let’s try to sign this driver with a self-signed certificate.

To generate a signature and sign the driver, you need to download and install the following Windows application development tools:

  • Windows SDK (Software Development Kit) or Microsoft Visual Studio 2005+ for your Windows version. Install the Windows SDK Signing Tools for Desktop package, which contains signtool.exe;
  • Windows Driver Kit (WDK) — https://docs.microsoft.com/en-us/windows-hardware/drivers/download-the-wdk
Tip. Before installing these tools, make sure that the .NET Framework 4 is installed on your computer.

Create a Self-Signed Driver Certificate

Create a C:\DriverCert folder at the root of the system drive.

You can use the New-SelfSignedCertificate PowerShell cmdlet to create a code signing certificate. In this example, we will create a self-signed certificate with a validity period of 3 years.

$todaydate = Get-Date
$add3year = $todaydate.AddYears(3)
$cert = New-SelfSignedCertificate -Subject "WOSHUB" -Type CodeSigningCert -CertStoreLocation cert:\LocalMachine\My -NotAfter $add3year

Then you need to export this certificate to a pfx file with a password:

$CertPassword = ConvertTo-SecureString -String "P@ss0wrd" -Force -AsPlainText
Export-PfxCertificate -Cert $cert -FilePath C:\DriverCert\myDrivers.pfx -Password $CertPassword

Since the certificate we created is self-signed, Windows doesn’t trust it by default. When you check the certificate store with the Sigcheck utility, this certificate is displayed as untrusted, because it is not in the list of Microsoft Trusted Root Certificates (a list that needs to be updated periodically).

Now you need to add the certificate to the Trusted Root store and to the Trusted Publisher certificates:

$certFile = Export-Certificate -Cert $cert -FilePath C:\DriverCert\drivecert.cer
Import-Certificate -CertStoreLocation Cert:\LocalMachine\AuthRoot -FilePath $certFile.FullName
Import-Certificate -CertStoreLocation Cert:\LocalMachine\TrustedPublisher -FilePath $certFile.FullName
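The commands above put a self-signed certificate into the machine's trust stores, which is exactly the kind of entry a defender wants to be able to find again later. The following PowerShell audit is an added example (not part of the original post): it lists self-signed certificates with the Code Signing EKU in Root, AuthRoot and TrustedPublisher and shows which stores share the same thumbprint; the function name and the `-IncludeAnyPurpose` switch are this example's own.

```powershell
# Added example (not from the original post): audit the LocalMachine trust stores this
# guide writes to for self-signed certificates that assert Code Signing. The certificate
# created above shows up here; any entry you did not add yourself deserves a closer look.
$CodeSigningOid = '1.3.6.1.5.5.7.3.3'

function Get-SelfSignedCodeSigningTrust {
    param(
        [string[]]$Stores = @('Root', 'AuthRoot', 'TrustedPublisher'),
        # makecert -r without -eku yields a certificate with no EKU at all ("any purpose");
        # set this switch to include those as well.
        [switch]$IncludeAnyPurpose
    )
    foreach ($store in $Stores) {
        Get-ChildItem -Path "Cert:\LocalMachine\$store" -ErrorAction SilentlyContinue |
            Where-Object {
                # Self-signed: issuer DN equals subject DN.
                $eku = $_.EnhancedKeyUsageList.ObjectId
                $_.Subject -eq $_.Issuer -and
                    (($eku -contains $CodeSigningOid) -or ($IncludeAnyPurpose -and -not $eku))
            } |
            ForEach-Object {
                [pscustomobject]@{
                    Store      = $store
                    Subject    = $_.Subject
                    Thumbprint = $_.Thumbprint
                    NotAfter   = $_.NotAfter
                    Expired    = ($_.NotAfter -lt (Get-Date))
                }
            }
    }
}

# A certificate present in both a root store and TrustedPublisher is the pattern this guide
# creates; grouping by thumbprint makes that pairing visible at a glance.
Get-SelfSignedCodeSigningTrust |
    Group-Object Thumbprint |
    ForEach-Object {
        [pscustomobject]@{
            Thumbprint = $_.Name
            Subject    = $_.Group[0].Subject
            Stores     = ($_.Group.Store -join ', ')
            NotAfter   = $_.Group[0].NotAfter
        }
    } | Format-Table -AutoSize
```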

In previous versions of Windows, you must use the makecert.exe tool from the Windows Software Development Kit (SDK) to generate self-signed certificates. In this case, the commands to create a certificate will look like this:

cd "C:\Program Files (x86)\Microsoft SDKs\Windows\v7.1\bin"

Create a self-signed certificate and private key, that is issued, for example, for the company WinOSHub:

makecert -r -sv C:\DriverCert\myDrivers.pvk -n CN="WinOSHub" C:\DriverCert\myDrivers.cer

During the creation of the certificate, the tool will prompt you to specify a password for the key. Let it be P@ss0wrd.

Create a Software Publisher Certificate (.spc) from the certificate we have created earlier:

cert2spc C:\DriverCert\myDrivers.cer C:\DriverCert\myDrivers.spc

Combine the public key (.spc) and the private key (.pvk) in a single certificate file with format Personal Information Exchange (.pfx):

pvk2pfx -pvk C:\DriverCert\myDrivers.pvk -pi P@ss0wrd -spc C:\DriverCert\myDrivers.spc -pfx C:\DriverCert\myDrivers.pfx -po P@ss0wrd

Add the certificate to trusted:

certmgr.exe -add C:\DriverCert\myDrivers.cer -s -r localMachine ROOT
certmgr.exe -add C:\DriverCert\myDrivers.cer -s -r localMachine TRUSTEDPUBLISHER

You can centrally deploy this certificate to client computers using Group Policy in an AD domain.

Open the machine’s local certificate management snap-in (certlm.msc) and verify that your certificate is in the Trusted Publishers and Trusted Root Certification Authorities.

Note. Even though the certificate has a limited validity period, its expiration only means that you can no longer create new signatures with it. A driver that has already been signed with this certificate remains valid indefinitely (provided the signature was timestamped, the old signature stays valid after the certificate expires).

Creating a Catalog File (CAT) for Signing a Driver Package

Create the directory C:\DriverCert\xg20 and copy into it all files from the folder into which the driver from the archive was originally extracted (c:\tools\drv1\). Make sure that there are files with the extensions .sys and .inf among them (in our case, xg20grp.sys and xg20gr.inf).

md C:\DriverCert\xg20
xcopy c:\tools\drv1\ C:\DriverCert\xg20 /i /c /k /e /r /y

Go to the directory:

cd "C:\Program Files (x86)\Windows Kits\10\bin\10.0.22000.0\x86"

Generate a CAT file (contains information about all the files in the driver package) on the base of the INF file. The inf2cat.exe tool (from the Windows Driver Kit, WDK) allows you to generate a CAT file for your platform:

inf2cat.exe /driver:"C:\DriverCert\xg20" /os:7_X64 /verbose

To make sure that the procedure was successful, check that the file C:\DriverCert\xg20\xg20gr.cat has appeared in the target directory and that the log contains the messages:

Signability test complete.

and

Catalog generation complete.

Note. In my case the command Inf2Cat.exe returned an error:

Signability test failed.
Errors:
22.9.7: DriverVer set to incorrect date (must be postdated to 4/21/2009 for newest OS) in \hdx861a.inf

To fix the error, find the line with DriverVer = in the [Version] section and replace it with:

DriverVer=05/01/2009,9.9.9.9

If you get an error Missing AMD64 CatalogFile entry (for x64) or Missing 32-bit CatalogFile entry, then add the line CatalogFile=xg20gr.cat to the [Version] section of the .inf file.

Signing the Driver Package with a Self-Signed Certificate

Go to the following folder:

cd "C:\Program Files (x86)\Windows Kits\10\bin\10.0.22000.0\x64"

Sign the driver package (set of files) with the certificate you have created earlier using Verisign as a timestamp service. The following command will sign the CAT file with a digital signature using a certificate stored in a password-protected .pfx file:

signtool sign /f C:\DriverCert\myDrivers.pfx /p P@ss0wrd /t http://timestamp.verisign.com/scripts/timstamp.dll /v C:\DriverCert\xg20\xg20gr.cat

On modern versions of Windows 10 and Windows 11, running this command will result in an error:

SignTool Error: No file digest algorithm specified. Please specify the digest algorithm with the /fd flag. Using /fd SHA256 is recommended and more secure than SHA1. Calling signtool with /fd sha1 is equivalent to the previous behavior. In order to select the hash algorithm used in the signing certificate's signature, use the /fd certHash option.

You need to use another command:

signtool sign /tr http://timestamp.digicert.com /td SHA256 /v /f C:\DriverCert\myDrivers.pfx /p P@ss0wrd "C:\DriverCert\xg20\xg20gr.cat"

If the command returns the error SignTool Error: An unexpected internal error has occurred, or Error information: SignerTimeStamp() failed. (-2147012865/0x80072eff), try a different timestamp server URL. Try any of the following:

http://timestamp.comodoca.com/authenticode
http://timestamp.globalsign.com/scripts/timstamp.dll
http://timestamp.verisign.com/scripts/timstamp.dll
http://tsa.starfieldtech.com
http://www.startssl.com/timestamp

If the CAT file is signed successfully, the following message should appear:

Successfully signed: C:\DriverCert\xg20\xg20gr.cat
Number of files successfully Signed: 1

The driver’s digital signature is contained in the .cat file referenced in the .inf file. You can check the digital signature of the driver in the cat file using the following command:

SignTool verify /v /pa C:\DriverCert\xg20\xg20gr.cat

You can also see information about the certificate in the properties of the CAT file on the Digital Signatures tab.

If the certificate is not trusted (or has not been added to the Trusted Root Certificate Store), then an error will appear when running the SignTool verify command:

SignTool Error: A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider.

The CAT file contains the hashes (thumbprints) of all the files in the driver directory (the files listed in the CopyFiles section of the INF file). If any of these files is changed, its checksum will no longer match the entry in the CAT file, and, as a result, the installation of such a driver will fail.
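Both checks described above (the signature on the .cat file and the per-file hashes it protects) can be performed from PowerShell before you touch pnputil. The following is an added example, not code from the original post: it uses Get-AuthenticodeSignature on the catalog and Test-FileCatalog to recompute each file's hash, so a modified .sys or .inf is reported by name. The function name is this example's own; the paths default to the ones used in this guide.

```powershell
# Added example (not from the original post): verify a signed driver package the way the
# installer does. Step 1 checks the catalog's own Authenticode signature; step 2 recomputes
# every file's hash and compares it with the catalog entries.
function Test-DriverPackage {
    param(
        [string]$DriverDir   = 'C:\DriverCert\xg20',
        [string]$CatalogFile = 'C:\DriverCert\xg20\xg20gr.cat'
    )
    # 1. Signature on the .cat: signer, trust chain and timestamp.
    $sig = Get-AuthenticodeSignature -FilePath $CatalogFile
    [pscustomobject]@{
        Check       = 'CatalogSignature'
        Status      = $sig.Status          # Valid, NotSigned, UnknownError (untrusted root), ...
        Detail      = $sig.StatusMessage
        Signer      = $sig.SignerCertificate.Subject
        # Empty when the signature was made without /t or /tr.
        TimeStamper = $sig.TimeStamperCertificate.Subject
    }
    # 2. File hashes. The catalog is not listed inside itself, so it is skipped.
    $cat = Test-FileCatalog -Path $DriverDir -CatalogFilePath $CatalogFile `
                            -FilesToSkip (Split-Path -Leaf $CatalogFile) -Detailed
    $bad = foreach ($file in $cat.PathItems.Keys) {
        # On disk but missing from the catalog, or hash differs: either fails installation.
        if (-not $cat.CatalogItems.ContainsKey($file) -or
            $cat.CatalogItems[$file] -ne $cat.PathItems[$file]) { $file }
    }
    [pscustomobject]@{
        Check       = 'FileHashes'
        Status      = $cat.Status          # Valid or ValidationFailed
        Detail      = "$($cat.HashAlgorithm); mismatched: " +
                      $(if ($bad) { $bad -join ', ' } else { 'none' })
        Signer      = $null
        TimeStamper = $null
    }
}

Test-DriverPackage | Format-List
```

Edit one byte of a .sys file in the package and run the function again to see the file named under FileHashes while CatalogSignature still reports Valid.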

Installing a Self-Signed Driver on Windows

Try to install the driver we have signed again using the command:

pnputil -i -a C:\DriverCert\xg20\xg20gr.inf

Now you won’t see the warning about the missing digital signature of the driver.

Successfully installed the driver on a device on the system.
Driver package added successfully.

The following warning appears in Windows 10 and 11:

Would you like to install this device software?

Click “Install” to install the driver package on Windows.

If for some reason the driver is not installed, a detailed driver installation log is written to C:\Windows\inf\setupapi.dev.log. This log file gives you more information about driver installation errors. In most cases, there is a “Driver package failed signature validation” error, which most likely means that the driver’s certificate has not been added to the trusted certificate stores.

If the driver installation was successful, the setupapi.dev.log file should contain the following lines:

>>>  [Device Install (DiInstallDriver) - C:\WINDOWS\System32\DriverStore\FileRepository\xg20gr.inf_amd64_c5955181214aa12b\xg20gr.inf]
>>>  Section start 2018/07/22 23:32:57.015
cmd: Pnputil  -i -a c:\DriverCert\xg\xg20gr.inf
ndv: Flags: 0x00000000
ndv: INF path: C:\WINDOWS\System32\DriverStore\FileRepository\xg20gr.inf_amd64_c5955181214aa12b\xg20gr.inf
inf: {SetupCopyOEMInf: C:\WINDOWS\System32\DriverStore\FileRepository\xg20gr.inf_amd64_c5955181214aa12b\xg20gr.inf} 13:23:37.046
inf:      Copy style: 0x00000000
inf:      Driver Store Path: C:\WINDOWS\System32\DriverStore\FileRepository\xg20gr.inf_amd64_c5955181214aa12b\xg20gr.inf
inf:      Published Inf Path: C:\WINDOWS\INF\oem23.inf
inf: {SetupCopyOEMInf exit (0x00000000)} 13:23:37.077
<<<  Section end 2018/07/22 13:23:37.155
<<<  [Exit status: SUCCESS]
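On a machine with many driver installs, reading setupapi.dev.log by hand is slow. The following PowerShell parser is an added example, not part of the original post: it splits the log into install sections using the `>>> [` / `<<< [Exit status: ...]` markers shown above and reports every section that did not end in SUCCESS, flagging the signature-validation case. The sample log embedded in the block is constructed to mirror the structure above; the function name and the error code in the sample are this example's own.

```powershell
# Added example (not from the original post): find failed driver installs in setupapi.dev.log.
# Constructed sample log with one failed and one successful section.
$SampleLog = @'
>>>  [Device Install (DiInstallDriver) - C:\drivers\xg20gr.inf]
>>>  Section start 2018/07/22 23:30:11.002
      cmd: Pnputil  -i -a C:\drivers\xg20gr.inf
     sto: Driver package failed signature validation.
<<<  Section end 2018/07/22 23:30:11.250
<<<  [Exit status: FAILURE(0xe000022f)]
>>>  [Device Install (DiInstallDriver) - C:\DriverCert\xg20\xg20gr.inf]
>>>  Section start 2018/07/22 23:32:57.015
      cmd: Pnputil  -i -a C:\DriverCert\xg20\xg20gr.inf
     inf:      Published Inf Path: C:\WINDOWS\INF\oem23.inf
<<<  Section end 2018/07/22 23:33:37.155
<<<  [Exit status: SUCCESS]
'@

function Get-SetupApiInstallResult {
    param([string[]]$Lines)
    $section = $null
    foreach ($line in $Lines) {
        if ($line -match '^>>>\s+\[(?<title>[^\]]+)\]') {
            # New section header: collect until its exit status is seen.
            $section = [ordered]@{ Title = $Matches.title; Start = $null
                                   Status = $null; SignatureFailure = $false }
        }
        elseif ($null -eq $section) { continue }
        elseif ($line -match '^>>>\s+Section start (?<ts>.+)$') { $section.Start = $Matches.ts.Trim() }
        elseif ($line -match 'Driver package failed signature validation') { $section.SignatureFailure = $true }
        elseif ($line -match '^<<<\s+\[Exit status: (?<status>[^\]]+)\]') {
            $section.Status = $Matches.status
            [pscustomobject]$section
            $section = $null
        }
    }
}

# Sample run: only the first section is reported, with SignatureFailure = True.
Get-SetupApiInstallResult -Lines ($SampleLog -split "`r?`n") |
    Where-Object { $_.Status -ne 'SUCCESS' } | Format-Table -AutoSize

# Live log (requires an elevated prompt):
# Get-SetupApiInstallResult -Lines (Get-Content C:\Windows\inf\setupapi.dev.log) |
#     Where-Object { $_.Status -ne 'SUCCESS' }
```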

User-Mode and Kernel-Mode Drivers in Windows

Recall that a Windows driver runs either in kernel mode or in user mode. Kernel-mode drivers signed this way won’t load when Windows boots on a UEFI device with Secure Boot enabled, and the following error is logged:

Event ID: 7000
ERROR_DRIVER_BLOCKED
1275 (0x4FB)
This driver has been blocked from loading.

You can check if Secure Boot mode is enabled using the PowerShell command:

Confirm-SecureBootUEFI

All kernel-mode drivers loaded with SecureBoot enabled must be signed during the Microsoft certification process (WHQL – Windows Hardware Quality Lab). The reason is that when the kernel is loaded, UEFI cannot verify the certificates in the Windows local machine certificate store.

SignTool Error: Signing Cert does not chain to a Microsoft Code Verification Root.

Microsoft requires mandatory third-party driver certification under the Windows Hardware Compatibility Program starting with Windows 10 1607.

Self-signed user-mode drivers (usually printers, scanners, plotters, etc.) will work even with Secure Boot enabled.

For kernel-mode drivers, you will have to disable digital signature verification and boot Windows in test mode with the following bcdedit.exe commands:

bcdedit.exe /set nointegritychecks on
bcdedit.exe /set testsigning on
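A machine left in test-signing mode, or with integrity checks disabled, accepts any kernel driver, so it is worth checking for on a schedule. The following audit is an added example, not part of the original post: it parses `bcdedit /enum {current}` for the two settings above, pairs them with Confirm-SecureBootUEFI, and lists recent Event ID 7000 entries from the System log. The function name is this example's own, and the embedded bcdedit output is a constructed sample.

```powershell
# Added example (not from the original post): audit boot integrity settings. Run from an
# elevated PowerShell prompt on the live machine; the constructed sample runs anywhere.
function Get-BootIntegrityState {
    param(
        # Output lines of "bcdedit /enum {current}"; defaults to querying the live machine.
        [string[]]$BcdLines = (bcdedit /enum '{current}')
    )
    $state = [ordered]@{ TestSigning = $false; NoIntegrityChecks = $false; SecureBoot = $null }
    foreach ($line in $BcdLines) {
        # bcdedit renders boolean elements as "testsigning  Yes" / "No"; absent means off.
        if ($line -match '^\s*testsigning\s+Yes')       { $state.TestSigning = $true }
        if ($line -match '^\s*nointegritychecks\s+Yes') { $state.NoIntegrityChecks = $true }
    }
    try   { $state.SecureBoot = Confirm-SecureBootUEFI }      # needs admin and UEFI firmware
    catch { $state.SecureBoot = 'n/a (legacy BIOS boot or not elevated)' }
    [pscustomobject]$state
}

# Constructed sample: a boot entry with both weakening flags set.
$SampleBcd = @'
Windows Boot Loader
-------------------
identifier              {current}
device                  partition=C:
description             Windows 11
testsigning             Yes
nointegritychecks       Yes
'@
Get-BootIntegrityState -BcdLines ($SampleBcd -split "`r?`n")   # TestSigning/NoIntegrityChecks = True
Get-BootIntegrityState                                          # live machine

# Drivers the Service Control Manager refused to start (Event ID 7000, ERROR_DRIVER_BLOCKED
# in the message) during the last 20 such events.
Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'Service Control Manager'; Id = 7000 } `
    -MaxEvents 20 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Message
```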
