Error when calling StartService

I finally got my driver to compile, but when I call StartService on it, I get the following error:

“This driver has been blocked from loading”

I’m running Vista x64 if that makes any difference.

Thanks,
–Jeremy

Did you sign it in accordance with the KMCS (kernel mode code signing) documentation included with the WDK?

- S

probably not- let me check that.
–Jeremy

xxxxx@telestream.net wrote:

> I finally got my driver to compile, but when I call StartService on
> it, I get the following error:
>
> “This driver has been blocked from loading”
>
> I’m running Vista x64 if that makes any difference.

On x64, drivers cannot be loaded unless you first EITHER:

A) sign your .sys file with a “normal” authenticode signature (same kind
used for ActiveX controls and self-extracting installation packages).

OR

B) start Vista in a special “Test mode” AND sign your .sys file with a
self-issued test certificate.

This x64 signature check is in addition to (and independent of) the .cat
file signature on WHQL certified drivers and their .inf files.

So sign your freshly compiled .sys file with your own signature and it
should load nicely when you call StartService(). No need to go through
WHQL for this issue. (Though there are many other good reasons for
getting your drivers certified).


Jakob Bøhm, M.Sc.Eng. * xxxxx@danware.dk * direct tel:+45-45-90-25-33
Danware Data A/S * Bregnerodvej 127 * DK-3460 Birkerod * DENMARK
http://www.netop.com * tel:+45-45-90-25-25 * fax:+45-45-90-25-26
Information in this mail is hasty, not binding and may not be right.
Information in this posting may not be the official position of Danware
Data A/S, only the personal opinions of the author.

If not, and you’re not booted with driver signing temporarily disabled (F8 at boot time), then that’s your problem.

You need to have a KMCS signature in order to even load a driver (this is distinct from the PnP installation nag signature/WHQL signature check) on Vista x64 / Windows Server 2008 x64 and future Windows x64 systems.

32-bit Windows builds do not have the enforced KMCS signature check to allow a driver to load (the installation nag remains).

- S

You were right, I wasn’t signing the driver. I looked around to figure out how to sign the driver and discovered that I need to run makecert- which I did:

makecert -r -pe -ss PrivateCertStore -n "CN=MyDriver" mydrivercert.cer

the output of the command was “Succeeded”.

I then double clicked on the certificate and installed it to my PrivateCertStore and then ran signtool:

signtool sign /s PrivateCertStore /n mydrivercert.cer /t http://timestamp.verisign.com/scripts/timestamp.dll mydriver.sys

I get the following error, though: “SignTool Error: No certificates were found that met all the given criteria.”

What am I missing?

Thanks,
–Jeremy

Are you sure that you imported the private key and not just the public cert?

If you go to the cert in the certificates mmc snapin, do the cert properties indicate that the private key is present?

- S

I ran “certmgr.msc”, opened PrivateCertStore, clicked Certificates, and yes, I see my certificate in there. Under the “Intended Purposes” column it says “” and under “Friendly Name” it says . When I view the properties on the certificate it says that “This CA Root certificate is not trusted. To enable trust,…” Further down it says that I have a private key that corresponds to the certificate.

–Jeremy

Your subject/common names are different (MyDriver vs mydrivercert.cer).
Check the help file documentation for the parameters for makecert and
signtool.

You could try:
signtool sign /s PrivateCertStore mydriver.sys

I removed the “/n” option because it tries to match an invalid subject
name. You don’t need a subject name match anyway. I also removed the
“/t” option because 1) this is not a Verisign certificate and 2)
timestamps would be useless for test certificates in almost all cases.

Or, you should be able to just:
signtool sign /a mydriver.sys
which will auto-magically choose the signing certificate from your
certificate store.

If you still have problems, signtool does have a “/v” option as well.

-Stephen Cleary
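
An added diagnostic for the "No certificates were found that met all the given criteria" error discussed above; it is not part of Stephen's message or any poster's code. It lists each certificate in the store named with `/s` and says why it would or would not pass the `/n` filter, assuming the store is under the current user and modelling signtool's selection in simplified form (subject substring, private key, validity, code-signing EKU). The function name `Test-SigningCandidate` is hypothetical.

```powershell
# Added example, not from the thread. Run as the same user that ran makecert.
function Test-SigningCandidate {
    param(
        [Parameter(Mandatory)] [string] $StoreName,   # the value given to signtool /s
        [string] $SubjectFilter                        # the value given to signtool /n (optional)
    )

    $path = "Cert:\CurrentUser\$StoreName"
    if (-not (Test-Path $path)) {
        Write-Warning "Store '$StoreName' does not exist for the current user."
        return
    }

    $codeSigningOid = '1.3.6.1.5.5.7.3.3'   # id-kp-codeSigning

    foreach ($cert in Get-ChildItem $path) {
        $reasons = @()

        # /n is compared with the certificate subject, never with a .cer file name.
        # Assumption: modelled here as a case-insensitive substring test.
        if ($SubjectFilter -and
            $cert.Subject.IndexOf($SubjectFilter, [StringComparison]::OrdinalIgnoreCase) -lt 0) {
            $reasons += "subject does not contain '$SubjectFilter'"
        }

        # Signing needs the private key, not just the public certificate.
        if (-not $cert.HasPrivateKey) { $reasons += 'no private key in this store' }

        if ($cert.NotAfter -lt (Get-Date)) { $reasons += 'expired' }

        # Assumption: a certificate with no EKU extension is treated as valid for
        # all purposes; one with an EKU extension must list code signing.
        $eku = $cert.Extensions | Where-Object {
            $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
        }
        if ($eku -and -not ($eku.EnhancedKeyUsages |
                Where-Object { $_.Value -eq $codeSigningOid })) {
            $reasons += 'EKU present but lacks code signing'
        }

        [pscustomobject]@{
            Subject    = $cert.Subject
            Thumbprint = $cert.Thumbprint
            Usable     = ($reasons.Count -eq 0)
            Reasons    = $reasons -join '; '
        }
    }
}

# The failing call from the thread passed the .cer file name to /n:
Test-SigningCandidate -StoreName PrivateCertStore -SubjectFilter 'mydrivercert.cer'

# makecert was run with -n "CN=MyDriver", so this is the subject to match:
Test-SigningCandidate -StoreName PrivateCertStore -SubjectFilter 'MyDriver'

# No filter at all, the equivalent of dropping /n as suggested above:
Test-SigningCandidate -StoreName PrivateCertStore
```

A row with `Usable = True` for the second or third call, and none for the first, confirms that the `/n` value was the only thing stopping signtool from finding the certificate.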

I haven’t been completely following this thread, but I did finally get my
drivers to load on Vista x64 and I know you need to not only sign the
driver, but also cross-sign with a Microsoft cert. That in turn means you
have to have a code-signing cert from one of a small list of certificate
providers.

See
http://www.microsoft.com/whdc/winlogo/drvsign/crosscert.mspx

(and this might be helpful too for the actual signing)
http://msdn.microsoft.com/en-us/library/aa906334.aspx

I recreated my cert using mydriver as the certname, and then re-signed as you suggested (I also tried the /v option), but still no love…
–Jeremy

I went through this process recently Jeremy, Hagen Patzke linked me to this
walkthrough document:

http://www.microsoft.com/whdc/winlogo/drvsign/kmcs_walkthrough.mspx

I would recommend reading it, I found it very useful.

C

I’m not following this thread either but who knows, maybe it helps if I show
you how I execute my signtool:

signtool.exe sign /v /ac s:\lib\cybertrust\cybertrust.cer /s my /n xxxxx@resplendence.com /t http://timestamp.verisign.com/scripts/timestamp.dll crusifix.sys

I got a cybertrust certificate and ‘my’ refers to the personal certificate
store. I believe a normal Authenticode signature is not enough, you need
one for which a cross certificate exists, and the cross certificate.

//Daniel

wrote in message news:xxxxx@ntfsd…
> I finally got my driver to compile, but when I call StartService on it, I
> get the following error:
>
> “This driver has been blocked from loading”
>
>
> I’m running Vista x64 if that makes any difference.
>
> Thanks,
> --Jeremy
>
>
>

Thank you for the link. I downloaded the Word doc and found that there is a self sign sample script for the Toaster sample project. I modified the script to point at my driver files, but when I run it I get an error when it runs:

inf2cat.exe /driver:D:\projects\Gaz\Code\Windows\Driver\Main /os:Vista_x86,Vista_X64

The error is:

“No installation INF found in the root path of the driver.”

I do have the installation INF in Driver\Main, though. Any suggestions on where else I should be looking for the root path of the driver?

Thanks,
–Jeremy

-----Original Message-----
From: xxxxx@lists.osr.com [mailto:xxxxx@lists.osr.com] On Behalf Of Crispin Wright
Sent: Wednesday, October 01, 2008 12:12 PM
To: Windows File Systems Devs Interest List
Subject: RE: [ntfsd] Error when calling StartService

I went through this process recently Jeremy, Hagen Patzke linked me to this
walkthrough document:

http://www.microsoft.com/whdc/winlogo/drvsign/kmcs_walkthrough.mspx

I would recommend reading it, I found it very useful.

C

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Jeremy Chaney
Sent: 01 October 2008 19:03
To: Windows File Systems Devs Interest List
Subject: RE: [ntfsd] Error when calling StartService

I ran “certmgr.msc”, opened PrivateCertStore, clicked Certificates, and yes,
I see my certificate in there. Under the “Intended Purposes” column it says
“” and under “Friendly Name” it says . When I view the properties
on the certificate it says that “This CA Root certificate is not trusted. To
enable trust,…” Further down it says that I have a private key that
corresponds to the certificate.

–Jeremy

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Skywing
Sent: Wednesday, October 01, 2008 10:47 AM
To: Windows File Systems Devs Interest List
Subject: RE: [ntfsd] Error when calling StartService

Are you sure that you imported the private key and not just the public cert?

If you go to the cert in the certificates mmc snapin, do the cert properties
indicate that the private key is present?

- S

-----Original Message-----
From: Jeremy Chaney
Sent: Wednesday, October 01, 2008 11:58
To: Windows File Systems Devs Interest List
Subject: RE: [ntfsd] Error when calling StartService

You were right, I wasn’t signing the driver. I looked around to figure out
how to sign the driver and discovered that I need to run makecert- which I
did:

makecert -r -pe -ss PrivateCertStore -n "CN=MyDriver" mydrivercert.cer

the output of the command was “Succeeded”.

I then double clicked on the certificate and installed it to my
PrivateCertStore and then ran signtool:

signtool sign /s PrivateCertStore /n mydrivercert.cer /t http://timestamp.verisign.com/scripts/timestamp.dll mydriver.sys

I get the following error, though: “SignTool Error: No certificates were
found that met all the given criteria.”

What am I missing?

Thanks,
–Jeremy

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Skywing
Sent: Wednesday, October 01, 2008 9:26 AM
To: Windows File Systems Devs Interest List
Subject: RE: [ntfsd] Error when calling StartService

Did you sign it in accordance with the KMCS (kernel mode code signing)
documentation included with the WDK?

- S

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of
xxxxx@telestream.net
Sent: Wednesday, October 01, 2008 12:23 PM
To: Windows File Systems Devs Interest List
Subject: [ntfsd] Error when calling StartService

I finally got my driver to compile, but when I call StartService on it, I
get the following error:

“This driver has been blocked from loading”

I’m running Vista x64 if that makes any difference.

Thanks,
–Jeremy



Several things you must do to selfsign- these appear to be the steps you are missing:

(1) install the cert as a root authority.
(2) Install it as a trusted publisher
(3) Install it in the local machine store, not the per-user store.

In testing the Windows driver frameworks, we literally self-sign 1000’s of test drivers each week (dozens each day on each of the dozens of machines we test on).

These are the commands we issue (I’d rather you didn’t identify yourself as WDFWA, but I doubt I’d really ever find out if you did).

Makecert -r -pe -ss WDFQACertStore -n "CN=WDFQA-Test-Cert" TestCert.cer
certmgr.exe -add testcert.cer -s -r localMachine root
certmgr.exe -add testcert.cer -s -r localMachine trustedpublisher

I assume you’re using an embedded cert (we just build a huge catalog).
signtool sign /a /v /s WDFQACertStore mydriver.sys

To enable self-signing, from any administrative prompt
Bcdedit /set testsigning on

Then reboot (you must have a kernel debugger attached).

Bob Kjelgaard
Sr SDET
Windows Driver Frameworks QA
Microsoft Corporation

I followed your steps exactly (except replaced mydrivers.sys with the actual name of my driver). Every step completed successfully, but when I call StartService, I still get the “This driver has been blocked from loading” error.

Also, what does WDFWA stand for?

Thanks,
–Jeremy

-----Original Message-----
From: xxxxx@lists.osr.com [mailto:xxxxx@lists.osr.com] On Behalf Of Bob Kjelgaard
Sent: Wednesday, October 01, 2008 3:41 PM
To: Windows File Systems Devs Interest List
Subject: RE: [ntfsd] Error when calling StartService

Several things you must do to selfsign- these appear to be the steps you are missing:

(1) install the cert as a root authority.
(2) Install it as a trusted publisher
(3) Install it in the local machine store, not the per-user store.

In testing the Windows driver frameworks, we literally self-sign 1000’s of test drivers each week (dozens each day on each of the dozens of machines we test on).

These are the commands we issue (I’d rather you didn’t identify yourself as WDFWA, but I doubt I’d really ever find out if you did).

Makecert -r -pe -ss WDFQACertStore -n "CN=WDFQA-Test-Cert" TestCert.cer
certmgr.exe -add testcert.cer -s -r localMachine root
certmgr.exe -add testcert.cer -s -r localMachine trustedpublisher

I assume you’re using an embedded cert (we just build a huge catalog).
signtool sign /a /v /s WDFQACertStore mydriver.sys

To enable self-signing, from any administrative prompt
Bcdedit /set testsigning on

Then reboot (you must have a kernel debugger attached).

Bob Kjelgaard
Sr SDET
Windows Driver Frameworks QA
Microsoft Corporation



[“WDFWA” is “WDFQA” when an overtired 50-something engineer with lousy eyesight is doing the typing instead of going home after a few 14-hour days of conference attendance and the like. “WDFQA” would be Windows Driver Frameworks Quality Assurance- not too original, but at least we can tell if it’s ours by just looking at the certificate.]

Those are the correct steps, so to triage, you:

(1) check the signed driver’s properties (and make sure it’s the binary in %windir%\system32\drivers) with Explorer, and investigate the certificate (digital signatures tab). From user mode, it should be identified as valid, and chained to the certificate you created [actually it IS the certificate you created- pretty short chain].
(2) run bcdedit with no parameters, and make sure it says testsigning is on.
(3) Check your debugger and make sure it really connected at the time you booted the system.

If that still doesn’t cure it [and you can also try the F8/ turn off the checking method someone mentioned earlier on this thread], then I really doubt this has anything to do with code signing. We use this method of signing on everything from Win2K to Windows 7, we do it each and every day, and I know it works.

My guess from what I’m reading here is that the binary you are loading is coming from the driver store, where it was copied by one of your previous attempts, so it isn’t the one you have signed [so you see no cert in step 1], and think you have installed. You can use “pnputil -d” to remove the offending package from the driver store [although I don’t have the complete syntax handy at the moment I believe it takes the hardware ID used to install, but I’m not certain how that translates to file system drivers]- if you’ve done this multiple times, they have to be removed one at a time.

Another alternative is to just replace the file with one that has been signed by this method, since it seems the rest of the installation has already succeeded [but I’m uncomfortable with the fact that I’m offering advice based on assumptions about what you are seeing without the intermediate feedback that verifies you are seeing what I think you are].

If that’s the case, and it looks like you’re still blocked at this step when I return to work tomorrow morning, I’ll look up the syntax [but perhaps someone else already knows it or posts it up in the meantime, or the issue is one of the other possibilities I mentioned].

-----Original Message-----
From: xxxxx@lists.osr.com [mailto:xxxxx@lists.osr.com] On Behalf Of Jeremy Chaney
Sent: Wednesday, October 01, 2008 4:03 PM
To: Windows File Systems Devs Interest List
Subject: RE: [ntfsd] Error when calling StartService

I followed your steps exactly (except replaced mydrivers.sys with the actual name of my driver). Every step completed successfully, but when I call StartService, I still get the “This driver has been blocked from loading” error.

Also, what does WDFWA stand for?

Thanks,
–Jeremy

-----Original Message-----
From: xxxxx@lists.osr.com [mailto:xxxxx@lists.osr.com] On Behalf Of Bob Kjelgaard
Sent: Wednesday, October 01, 2008 3:41 PM
To: Windows File Systems Devs Interest List
Subject: RE: [ntfsd] Error when calling StartService

Several things you must do to selfsign- these appear to be the steps you are missing:

(1) install the cert as a root authority.
(2) Install it as a trusted publisher
(3) Install it in the local machine store, not the per-user store.

In testing the Windows driver frameworks, we literally self-sign 1000’s of test drivers each week (dozens each day on each of the dozens of machines we test on).

These are the commands we issue (I’d rather you didn’t identify yourself as WDFWA, but I doubt I’d really ever find out if you did).

Makecert -r -pe -ss WDFQACertStore -n "CN=WDFQA-Test-Cert" TestCert.cer
certmgr.exe -add testcert.cer -s -r localMachine root
certmgr.exe -add testcert.cer -s -r localMachine trustedpublisher

I assume you’re using an embedded cert (we just build a huge catalog).
signtool sign /a /v /s WDFQACertStore mydriver.sys

To enable self-signing, from any administrative prompt
Bcdedit /set testsigning on

Then reboot (you must have a kernel debugger attached).

Bob Kjelgaard
Sr SDET
Windows Driver Frameworks QA
Microsoft Corporation
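
The triage described in the message above (which binary the service really loads, whether that file carries the signature, whether testsigning is on), as an added example that is not part of the original thread. The service name `mydriver` and the path `.\mydriver.sys` are placeholders; the script assumes an elevated 64-bit PowerShell 4.0 or later and English bcdedit output.

```powershell
# Added example, not from the thread. Run from an elevated 64-bit PowerShell 4.0+ prompt.
# 'mydriver' and .\mydriver.sys are placeholders for your service name and signed build.
param(
    [string]$ServiceName = 'mydriver',
    [string]$SignedBuild = '.\mydriver.sys'
)

function Resolve-DriverImagePath {
    param([string]$Name)
    $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$Name"
    $raw = (Get-ItemProperty -Path $key -ErrorAction Stop).ImagePath
    if (-not $raw) {
        # No ImagePath value: a kernel driver defaults to System32\drivers\<name>.sys
        return Join-Path $env:SystemRoot "System32\drivers\$Name.sys"
    }
    $p = $raw.Trim('"')
    # ImagePath may be an NT path (\??\C:\...), \SystemRoot\..., or relative to %SystemRoot%
    if ($p.StartsWith('\??\')) { return $p.Substring(4) }
    if ($p.StartsWith('\SystemRoot\', [StringComparison]::OrdinalIgnoreCase)) {
        return Join-Path $env:SystemRoot $p.Substring(12)
    }
    if (-not [IO.Path]::IsPathRooted($p)) { return Join-Path $env:SystemRoot $p }
    return $p
}

# Step 1: inspect the file the service points at, not the file in the build directory.
$loaded     = Resolve-DriverImagePath -Name $ServiceName
$sig        = Get-AuthenticodeSignature -FilePath $loaded
$signer     = $null
if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
$loadedHash = (Get-FileHash -Path $loaded -Algorithm SHA256).Hash
$buildHash  = (Get-FileHash -Path $SignedBuild -Algorithm SHA256).Hash

# Step 2: read the boot options for the running OS entry.
$bcd         = & bcdedit.exe /enum '{current}' 2>&1
$testSigning = [bool]($bcd -match '^\s*testsigning\s+Yes\s*$')
$debugOn     = [bool]($bcd -match '^\s*debug\s+Yes\s*$')

[pscustomobject]@{
    LoadedBinary       = $loaded
    SignatureStatus    = $sig.Status
    Signer             = $signer
    MatchesSignedBuild = ($loadedHash -eq $buildHash)
    TestSigning        = $testSigning
    DebugEnabled       = $debugOn
}

if ($sig.Status -eq 'NotSigned' -or $loadedHash -ne $buildHash) {
    Write-Warning "The service loads $loaded, which is not the file you signed."
}
if (-not $testSigning) {
    Write-Warning 'testsigning is not reported as on for the current boot entry.'
}
if (-not $debugOn) {
    Write-Warning 'Kernel debugging is not enabled for the current boot entry.'
}
```

`DebugEnabled` only reflects the boot option; whether the debugger actually connected at boot still has to be confirmed on the debugger side.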

One last follow-up: If you have testsigning on, the addition to root and trustedpublisher store isn’t needed to get the driver to load- any cert at all will work if testsigning is on. They are needed in order to be treated as a signed driver for installation purposes [rather than being loaded in the kernel]. So my initial advice was probably a bit off-the-mark anyway.

I copied the signed driver to Windows\System32\Drivers, right clicked on it, clicked the Digital Signatures tab. In the Signature list, it showed “Name of signer:” as the name I gave it, and e-mail address and timestamp as “Not available”. Clicking on the details button showed the same information, along with a message that said “This digital signature is OK”. When I run “StartService”, though, I still get the “This driver has been blocked from loading” error…

Thanks,
–Jeremy

-----Original Message-----
From: xxxxx@lists.osr.com [mailto:xxxxx@lists.osr.com] On Behalf Of Bob Kjelgaard
Sent: Wednesday, October 01, 2008 5:36 PM
To: Windows File Systems Devs Interest List
Subject: RE: [ntfsd] Error when calling StartService

[“WDFWA” is “WDFQA” when an overtired 50-something engineer with lousy eyesight is doing the typing instead of going home after a few 14-hour days of conference attendance and the like. “WDFQA” would be Windows Driver Frameworks Quality Assurance- not too original, but at least we can tell if it’s ours by just looking at the certificate.]

Those are the correct steps, so to triage, you:

(1) check the signed driver’s properties (and make sure it’s the binary in %windir%\system32\drivers) with Explorer, and investigate the certificate (digital signatures tab). From user mode, it should be identified as valid, and chained to the certificate you created [actually it IS the certificate you created- pretty short chain].
(2) run bcdedit with no parameters, and make sure it says testsigning is on.
(3) Check your debugger and make sure it really connected at the time you booted the system.

If that still doesn’t cure it [and you can also try the F8/ turn off the checking method someone mentioned earlier on this thread], then I really doubt this has anything to do with code signing. We use this method of signing on everything from Win2K to Windows 7, we do it each and every day, and I know it works.

My guess from what I’m reading here is that the binary you are loading is coming from the driver store, where it was copied by one of your previous attempts, so it isn’t the one you have signed [so you see no cert in step 1], and think you have installed. You can use “pnputil -d” to remove the offending package from the driver store [although I don’t have the complete syntax handy at the moment I believe it takes the hardware ID used to install, but I’m not certain how that translates to file system drivers]- if you’ve done this multiple times, they have to be removed one at a time.

Another alternative is to just replace the file with one that has been signed by this method, since it seems the rest of the installation has already succeeded [but I’m uncomfortable with the fact that I’m offering advice based on assumptions about what you are seeing without the intermediate feedback that verifies you are seeing what I think you are].

If that’s the case, and it looks like you’re still blocked at this step when I return to work tomorrow morning, I’ll look up the syntax [but perhaps someone else already knows it or posts it up in the meantime, or the issue is one of the other possibilities I mentioned].

-----Original Message-----
From: xxxxx@lists.osr.com [mailto:xxxxx@lists.osr.com] On Behalf Of Jeremy Chaney
Sent: Wednesday, October 01, 2008 4:03 PM
To: Windows File Systems Devs Interest List
Subject: RE: [ntfsd] Error when calling StartService

I followed your steps exactly (except replaced mydrivers.sys with the actual name of my driver). Every step completed successfully, but when I call StartService, I still get the “This driver has been blocked from loading” error.

Also, what does WDFWA stand for?

Thanks,
–Jeremy

-----Original Message-----
From: xxxxx@lists.osr.com [mailto:xxxxx@lists.osr.com] On Behalf Of Bob Kjelgaard
Sent: Wednesday, October 01, 2008 3:41 PM
To: Windows File Systems Devs Interest List
Subject: RE: [ntfsd] Error when calling StartService

Several things you must do to selfsign- these appear to be the steps you are missing:

(1) install the cert as a root authority.
(2) Install it as a trusted publisher
(3) Install it in the local machine store, not the per-user store.

In testing the Windows driver frameworks, we literally self-sign 1000’s of test drivers each week (dozens each day on each of the dozens of machines we test on).

These are the commands we issue (I’d rather you didn’t identify yourself as WDFWA, but I doubt I’d really ever find out if you did).

Makecert -r -pe -ss WDFQACertStore -n "CN=WDFQA-Test-Cert" TestCert.cer
certmgr.exe -add testcert.cer -s -r localMachine root
certmgr.exe -add testcert.cer -s -r localMachine trustedpublisher

I assume you’re using an embedded cert (we just build a huge catalog).
signtool sign /a /v /s WDFQACertStore mydriver.sys

To enable self-signing, from any administrative prompt
Bcdedit /set testsigning on

Then reboot (you must have a kernel debugger attached).

Bob Kjelgaard
Sr SDET
Windows Driver Frameworks QA
Microsoft Corporation



>>
I copied the signed driver to Windows\System32\Drivers, right clicked on it, clicked the Digital Signatures tab. In the Signature list, it showed “Name of signer:” as the name I gave it, and e-mail address and timestamp as “Not available”. Clicking on the details button showed the same information, along with a message that said “This digital signature is OK”. When I run “StartService”, though, I still get the “This driver has been blocked from loading” error…

Thanks,
–Jeremy
<<

(1) Do the four corners of your primary display all say “Test Mode” (visual feedback that testsigning is active)?
(2) Do you have a kernel debugger attached to this machine?

If the answer to both is “yes”, then you’ve met the requirements for loading an unverifiable driver into the kernel.

Are you by any chance trying to hook the system call table or some other form of kernel patching? Those will also be blocked on X64, and I don’t believe there is any way to get unblocked if that is the case.

Out of curiosity, how is this error being reported? Pop-up? Logged somewhere? It seems to me I’ve not seen that particular phrasing before…