Any way to disable Driver Signing on Vista? (not the code signing for Vista x64)

As the title. I do not want to see the annoying warning dialogs for installing unsigned drivers.

Someone told me to try with “dpinst /lm /sw /se”. But according to its help message, this does not work with “latest version of Windows” (I think it means Vista).

Any ideas?

The following is an excerpt from WDK documentation

==================================
Driver packages should be digitally signed for the following reasons:

To ensure the integrity of driver packages. Windows uses digital
signatures to verify the identity of the publisher and to verify that
the driver has not been altered since it was published.

To provide the best user experience by facilitating automatic driver
installation. If a driver is not signed, Plug and Play (PnP) driver
installation policy requires that a system administrator manually
authorize the installation of an unsigned driver, adding an extra step
to the installation process. This extra step can be potentially
confusing and bothersome to the average user.

To run kernel-mode drivers on x64-based versions of Windows Vista.
Kernel-mode code signing policy for x64-based versions of Windows Vista
requires that kernel-mode drivers be signed in order for the Kernel to
load the driver.

This excerpt indicates that…

  1. code signing is necessary to have no warning during installation
  2. on x64 it's a must.

It's been my experience too.
Hope this helps.

Questions? First check the Kernel Driver FAQ at
http://www.osronline.com/article.cfm?id=256

To unsubscribe, visit the List Server section of OSR Online at
http://www.osronline.com/page.cfm?name=ListServer
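The WDK excerpt above describes what the signature buys you (publisher identity and integrity, and on x64 the kernel refusing unsigned code). As an added, defender-side example that is not from this thread, the PowerShell below audits the drivers currently loaded on a machine and reports each one's Authenticode status and signer. It assumes PowerShell 2.0 or later with WMI available; the hypothetical helper name Get-DriverSignatureReport is mine.

```powershell
# Added example, not from the original thread.
# Lists running kernel drivers with their Authenticode signature status.
function Get-DriverSignatureReport {
    $drivers = Get-WmiObject Win32_SystemDriver |
        Where-Object { $_.State -eq 'Running' -and $_.PathName }

    foreach ($d in $drivers) {
        # Win32_SystemDriver reports paths in several forms:
        # \??\C:\..., \SystemRoot\system32\..., or a bare system32\drivers\x.sys.
        $path = $d.PathName -replace '^\\\?\?\\', ''
        $path = $path -replace '^\\SystemRoot\\', "$env:SystemRoot\"
        if (-not [System.IO.Path]::IsPathRooted($path)) {
            $path = Join-Path $env:SystemRoot $path
        }
        if (-not (Test-Path -LiteralPath $path)) { continue }

        # Status values include Valid, NotSigned, HashMismatch, NotTrusted.
        # Caveat: older PowerShell only sees embedded signatures, so a driver
        # signed through a catalog (.cat) file may show NotSigned here.
        $sig = Get-AuthenticodeSignature -FilePath $path
        $signer = '(none)'
        if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }

        New-Object PSObject -Property @{
            Name   = $d.Name
            Path   = $path
            Status = $sig.Status
            Signer = $signer
        }
    }
}

$report = Get-DriverSignatureReport

# Summary: how many loaded drivers fall into each signature state.
$report | Group-Object Status | Select-Object Name, Count | Format-Table -AutoSize

# Detail: anything that is not a valid signature deserves a closer look.
# On an x64 Vista kernel such entries point at catalog-signed drivers or at a
# machine running with test signing enabled, since unsigned code is refused.
$report | Where-Object { $_.Status -ne 'Valid' } |
    Select-Object Name, Status, Signer, Path | Format-Table -AutoSize
```

Run it from an elevated prompt so every driver path is readable; the warning dialog the original poster describes fires on the same trust decision this report surfaces.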

I agree with both statements about the documentation, as well as
Vijaya’s observation about them. However, just a couple of additions
that might save you some time:

  1. The documentation talks about a BCD option to do exactly what you
    seek. While it is documented in some places as not working anymore, in
    some other places, like the command line help for bcdedit, it doesn’t
    say this. I can’t say that I have ever tried it, but I would bet against it
    working.

  2. If you can survive running on one of the earlier beta versions,
    there may be a way to do what you wish. If there is, I can’t say that I
    know it, and while I really haven’t looked at this portion of the
    process, I can tell you that options that controlled similar behavior in
    other parts of the system used to exist and have been removed or
    crippled, so it is a realistic possibility that might be worth pursuing
    at least as far as taking a close look at GPEDIT.MSC, assuming that an
    earlier system is a viable option for you/your client. I don’t imagine
    that this will help you, even if it does work, but if this interests
    you, I could pretty easily at least come up with a reasonable build number
    at which to start and go backwards.

  3. Given that you are not likely to get much of any comment on this one
    on this list, as how stuff like this works and to a real extent is just
    perceived, the way to look at this one, in my opinion, having looked at
    the kernel portion only of this process, is that such an undertaking is
    not likely to be profitable for any client whose goal is not in and of
    itself to circumvent this feature. In the end, this is all even the
    best of security measures can hope to accomplish. Principally, I
    mention this because, in my opinion, there is a fair amount of
    information floating around that is misleading, mostly because either no
    build numbers are mentioned, or the word “working” is printed in a
    somewhat larger type than “proof of concept,” which at best means more
    or less what it means in academic circles or anywhere else that
    generally requires funding up front before the remaining issues can be
    addressed. I haven’t any idea of how useful the conditions under which
    the proposed ideas work actually are, and I’d be willing to bet that most
    of the authors do know how to get around this, but I also feel quite
    comfortable saying that they are not likely to give that information up
    as it might either directly or indirectly affect how they make their
    living. I realize that this is kind of a downer, and you very well may
    already know this, but I personally find this process very frustrating
    at times, and I hope here only to give you what I hope is a more
    realistic answer than I find some of the published ones to be, as many
    of them fail to, for example, even mention anything about addressing the
    considerably more difficult issues of the patching that would be
    required to do anything like this on a production x64 Vista system.
    They probably know; they’re just not going to tell you.

I hope this helps,

mm


In fact, I just want to know if there’s a way to disable Driver Signing on Vista RTM (or a later version) as I can do on Win 2K/XP. The problem is, even if I sign drivers with Code Signing, the warning dialogs are still there. So on Vista I think Code Signing and Driver Signing (or some other names from MS???) are different. Maybe Driver Signing is still from WHQL?

Some time ago, when MS released Vista RC1 or beta, I heard that Driver Signing cannot be disabled on Vista. But it’s RTM now, so I want to know if the policy has been changed by MS.

xxxxx@ybwork.com wrote:

In fact, I just want to know if there’s a way to disable Driver Signing on Vista RTM (or later version) as what I can do on Win 2K/XP. The problem is, even I sign drivers with Code Signing the warning dialogs

It is my belief that the security model of Vista (for “premium” “HD”
content, such as HDCP/HD-DVD and friends) depends on a trusted kernel,
and the only way to get a trusted kernel is for Microsoft to verify and
sign every driver, looking somehow to screen out foul play in the process.

Thus, if you install a non-signed driver on Vista, I would assume that
HDCP would detect that the kernel is tampered, and only allow
down-scaled content. Hence, it’s probably not possible to turn off the
driver signing requirement.

This is, however, entirely speculation on my part, as they’ve been
kind of quiet on the specifics of the trust model for content on the
64-bit kernel. (The 32-bit kernel is more open, and thus may never
actually see “HD” content support.)

Cheers,

/ h+