How did this unsigned driver get installed on Windows 7 64 bit?

While developing our 64bit driver, we came to understand that every driver needs to be correctly digitally signed to install (except in Test Mode).

Recently, we stumbled over a driver (for a USB camera) that seems to be missing a valid signature. During installation, we get the red warning screen about unsigned drivers, but the device works correctly using this driver.

I have taken photos. Sorry for the wall of images, I was afraid to miss an important point, since I obviously don't understand what's going on here.

[Screenshot: Device Manager]

[Screenshot: Driver Properties]

[Screenshot: Driver Details]

[Screenshot: Driver Files from %system32%\DriverStore\FileRepository]

[Screenshot: Certificate Details]

Test Mode was off for this (and our own driver correctly failed to load).

How did they do that? Why is Windows loading this driver? I would be grateful for some links into the documentation explaining this behaviour.

Edit:

Using the verbose CodeIntegrity log as suggested in the comments, I find nothing off. The log shows a line

Code Integrity found a file hash for the file in oem132.cat

This file exists in %system32%\catroot\some-guid and is identical to the cat file shown in the screenshot above; expired certificate included.

Running signtool verify /v /c .\mvBlueFOX_amd64.cat .\mvBlueFOX2.sys gives:

Verifying: .\mvBlueFOX2.sys
File is signed in catalog: .\mvBlueFOX_amd64.cat
Hash of file (sha1): 19E6125B9C5F31E21EDA5DBAA5F77798F8E394C4

Signing Certificate Chain:
    Issued to: Class 3 Public Primary Certification Authority
    Issued by: Class 3 Public Primary Certification Authority
    Expires:   Thu Aug 03 00:59:59 2028
    SHA1 hash: A1DB6393916F17E4185509400415C70240B0AE6B

        Issued to: VeriSign Class 3 Code Signing 2009-2 CA
        Issued by: Class 3 Public Primary Certification Authority
        Expires:   Tue May 21 00:59:59 2019
        SHA1 hash: 12D4872BC3EF019E7E0B6F132480AE29DB5B1CA3

            Issued to: MATRIX VISION GmbH
            Issued by: VeriSign Class 3 Code Signing 2009-2 CA
            Expires:   Tue May 07 00:59:59 2013
            SHA1 hash: 75859F3121E3852E2894E1A7B388CB9E68EBC237

File is not timestamped.

SignTool Error: A certificate chain processed, but terminated in a root
        certificate which is not trusted by the trust provider.

Number of files successfully Verified: 0
Number of warnings: 0
Number of errors: 1
Jens asked Dec 13 '13 14:12

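The checks below are an added PowerShell example and are not part of the original question. They re-run the poster's signtool verification under both the default Authenticode policy (/pa) and the x64 kernel-mode driver signing policy that signtool's /kp switch selects, report whether the file is timestamped and whether the leaf certificate has expired, and then pull the Code Integrity events logged for the driver file (the "Code Integrity found a file hash ... in oem132.cat" line the question quotes). The catalog and driver paths are the question's; signtool.exe from the Windows SDK/WDK on PATH, an elevated shell, and the two CodeIntegrity channel names are assumptions.

```powershell
# Added example (not code from the original question): verify a
# catalog-signed driver the way the poster did, under both signtool
# policies, and collect the Code Integrity events for it.
# Assumes signtool.exe (Windows SDK/WDK) is on PATH and an elevated shell.

function Get-DriverSignatureReport {
    param(
        [string]$Catalog = '.\mvBlueFOX_amd64.cat',   # paths from the question
        [string]$Driver  = '.\mvBlueFOX2.sys'
    )
    $report = foreach ($policy in '/pa', '/kp') {
        # /pa = default Authenticode policy; /kp = x64 kernel-mode driver
        # signing policy (documented signtool switches). /c names the catalog.
        $text = (& signtool.exe verify /v $policy /c $Catalog $Driver 2>&1) -join "`n"
        $ok   = ($LASTEXITCODE -eq 0)

        # Verbose output lists one "Issued to:" ... "Expires:" block per
        # certificate; the last block is the signing (leaf) certificate.
        $expiries = @([regex]::Matches($text, 'Expires:\s+(.+)') |
                      ForEach-Object { $_.Groups[1].Value.Trim() })
        $leafExpires = $null
        if ($expiries.Count -gt 0) {
            try {
                # Format as printed by signtool, e.g. "Tue May 07 00:59:59 2013"
                $leafExpires = [datetime]::ParseExact($expiries[-1], 'ddd MMM dd HH:mm:ss yyyy',
                                   [Globalization.CultureInfo]::InvariantCulture)
            } catch { $leafExpires = $null }
        }
        [pscustomobject]@{
            Policy      = $policy
            Verified    = $ok
            Timestamped = ($text -notmatch 'File is not timestamped')
            LeafExpires = $leafExpires
            LeafExpired = ($null -ne $leafExpires -and $leafExpires -lt (Get-Date))
            Error       = if ($ok) { $null } else { ([regex]::Match($text, 'SignTool Error: (.+)')).Groups[1].Value }
        }
    }
    return $report
}

function Get-CodeIntegrityEvents {
    param([string]$FileName = 'mvBlueFOX2.sys', [int]$MaxEvents = 200)
    # Channel names are an assumption. The Verbose channel must be enabled
    # first (wevtutil sl Microsoft-Windows-CodeIntegrity/Verbose /e:true);
    # that is the "verbose CodeIntegrity log" the question refers to.
    foreach ($log in 'Microsoft-Windows-CodeIntegrity/Operational',
                     'Microsoft-Windows-CodeIntegrity/Verbose') {
        Get-WinEvent -LogName $log -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
            Where-Object { $_.Message -match [regex]::Escape($FileName) } |
            Select-Object TimeCreated, Id, LevelDisplayName, Message
    }
}

# Usage (run from an elevated prompt in the directory holding the .cat and .sys)
Get-DriverSignatureReport | Format-Table Policy, Verified, Timestamped, LeafExpires, LeafExpired, Error -AutoSize
Get-CodeIntegrityEvents   | Format-Table -AutoSize
```

Two things in the output matter when reading a result like the one in the question. First, /pa and /kp apply different chain requirements, so a file can fail one and pass the other; compare both before concluding anything about the file itself. Second, "File is not timestamped" together with an expired leaf means there is no countersignature to prove the signature was made while the certificate was still valid, which is exactly the state the poster's signtool run shows.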

1 Answer

You can disable Driver Signature Check enforcement as follows. Open a command prompt as an admin and type:

bcdedit -set loadoptions DISABLE_INTEGRITY_CHECKS

bcdedit -set TESTSIGNING ON

See security risk warning. If it doesn't work for whatever reason you can just remove loadoptions with bcdedit and switch testsigning off.

bcdedit /deletevalue loadoptions

bcdedit -set TESTSIGNING OFF

Good luck!

Power Engineering answered Oct 03 '22 19:10
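As an added example, not the answerer's code, here is the same change as a PowerShell script with a before/after check, so that a machine left in this state can be recognised later: it parses the current boot entry from bcdedit, reports the test-signing and integrity-check flags, and wraps the answer's two commands and their revert in a function that honours -WhatIf. It assumes English bcdedit output and an elevated shell; bcdedit changes take effect at the next boot.

```powershell
# Added example (not the answerer's code): audit the boot entry the answer
# modifies, then apply or revert those settings deliberately.
# Assumes an elevated shell and English bcdedit output.

function Get-BootIntegritySettings {
    # bcdedit /enum prints "name<spaces>value" rows for the current entry.
    $rows = & bcdedit.exe /enum '{current}' 2>&1
    $settings = @{}
    foreach ($line in $rows) {
        if ($line -match '^(\S+)\s+(.+)$') { $settings[$Matches[1]] = $Matches[2].Trim() }
    }
    [pscustomobject]@{
        TestSigning        = ($settings['testsigning'] -eq 'Yes')
        # The answer's loadoptions value, plus the separate nointegritychecks
        # element bcdedit also supports, either of which relaxes enforcement.
        IntegrityChecksOff = ($settings['loadoptions'] -match 'DISABLE_INTEGRITY_CHECKS') -or
                             ($settings['nointegritychecks'] -eq 'Yes')
        LoadOptions        = $settings['loadoptions']
    }
}

function Set-DriverSignatureEnforcement {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([Parameter(Mandatory = $true)][bool]$Enabled)

    if ($Enabled) {
        # Revert: the two commands the answer gives for undoing the change.
        if ($PSCmdlet.ShouldProcess('{current}', 'restore driver signature enforcement')) {
            & bcdedit.exe /deletevalue loadoptions 2>$null | Out-Null   # fails harmlessly if unset
            & bcdedit.exe /set testsigning off | Out-Null
        }
    } else {
        # Disable: the answer's commands. This lets unsigned kernel code load
        # system-wide until reverted, so it is gated behind ShouldProcess.
        if ($PSCmdlet.ShouldProcess('{current}', 'disable driver signature enforcement (security risk)')) {
            & bcdedit.exe /set loadoptions DISABLE_INTEGRITY_CHECKS | Out-Null
            & bcdedit.exe /set testsigning on | Out-Null
        }
    }
    # Report the stored configuration; it applies after the next reboot.
    Get-BootIntegritySettings
}

# Usage: audit first, then preview the change before making it.
Get-BootIntegritySettings
Set-DriverSignatureEnforcement -Enabled $false -WhatIf
# Set-DriverSignatureEnforcement -Enabled $false   # apply, then reboot
# Set-DriverSignatureEnforcement -Enabled $true    # revert, then reboot
```

Keep the audit function around after you are done: a host reporting TestSigning or IntegrityChecksOff as True is one on which any driver, signed or not, can be loaded, which is the security risk the answer warns about.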