elahe shekuhi wrote:
> Dear Tim, Thanks a lot for your attention. Yes, I uninstalled the old
> driver. Must the chain for the sys file end at the Microsoft Code
> Verification Root? Or is it necessary just for the catalog file?

This may be a good time to expand on the excellent point Maxim made
overnight.

There are two completely separate signature requirements in Windows, and
they use two separate sets of rules. First is the install-time
signature check, which determines whether your driver can be installed.
This check applies to all systems clear back to Windows 2000, and it
applies to all PnP installations that use an INF file. This check only
looks at the CAT file. This is where WHQL comes into play. If your CAT
file is signed by WHQL, your package installs with no user involvement.
If your CAT file is signed by you, you get a dialog saying “Do you trust
this publisher?”. If your CAT file is unsigned, you get the dreaded
“CAUTION! Unsigned driver!” warning. However, even if you don’t pass
this check, the user can still say “sure, I don’t care, go ahead.” This
check is only done once, when your driver is installed.

The other check is the KMCS check. This is only done on the 64-bit
systems, but it is done each and every time your driver is loaded into
memory. There is no override dialog; if you fail this check, your
driver will not be loaded. Here, the kernel first checks the SYS file.
If the SYS file is unsigned, it tries to find the CAT file. This check
DOES require a cross-certificate ending in the Microsoft Code
Verification Root.

--
Tim Roberts, xxxxx@probo.com
Providenza & Boekelheide, Inc.
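
The two checks described in the message above can be reproduced on a build machine with SignTool before shipping a package. This is an added example, not part of the original message; it assumes `signtool.exe` from the Windows SDK/WDK is on PATH, and the file names in the last line are hypothetical.

```powershell
# Added example: run the install-time and KMCS checks separately with SignTool.
# Assumption: signtool.exe (Windows SDK/WDK) is on PATH.
function Invoke-SignToolVerify {
    param([string[]]$SignToolArgs)
    # /v prints the full certificate chains, including any cross-certificate chain.
    $output = & signtool.exe verify /v @SignToolArgs 2>&1 | Out-String
    [pscustomobject]@{
        Passed    = ($LASTEXITCODE -eq 0)   # 0 = success, 1 = failure, 2 = warnings
        CrossRoot = ($output -match 'Microsoft Code Verification Root')
        Output    = $output
    }
}

function Test-DriverSignature {
    param(
        [Parameter(Mandatory)][string]$SysPath,
        [Parameter(Mandatory)][string]$CatPath
    )
    # Install-time check: only the CAT file matters (/pa = default Authenticode policy).
    $install = Invoke-SignToolVerify @('/pa', $CatPath)

    # KMCS load-time check (/kp = kernel-mode signing policy): embedded SYS signature first.
    $kmcs = Invoke-SignToolVerify @('/kp', $SysPath)
    $via  = 'embedded SYS signature'
    if (-not $kmcs.Passed) {
        # SYS not signed (or not valid): fall back to the catalog that covers it.
        $kmcs = Invoke-SignToolVerify @('/kp', '/c', $CatPath, $SysPath)
        $via  = 'catalog file'
    }
    if (-not $kmcs.Passed) { $via = 'none' }

    [pscustomobject]@{
        InstallTimeCatSigned = $install.Passed
        KmcsPassed           = $kmcs.Passed
        KmcsVerifiedVia      = $via
        # The verbose chain should end at the root named in the message.
        KmcsChainHasMsRoot   = $kmcs.CrossRoot
    }
}

# Hypothetical file names; substitute the files from your own driver package.
Test-DriverSignature -SysPath .\mydriver.sys -CatPath .\mydriver.cat | Format-List
```

A package whose CAT passes the first check but whose KMCS check fails will install and then refuse to load on 64-bit systems, which is the situation the message distinguishes.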