how to disable "Digitally signed driver" check for 64 bits OSes?

Hi Friends,
I have made a display driver and made the required changes in the INF file for
64-bit OSes, but since my driver is not digitally signed the OS is not allowing
it to load. I can see my driver in Device Manager with a yellow bang.

I have heard there is a way to disable or skip the signature check. Please let
me know if it is good to skip or disable the check for my driver. Also, how
do I disable it?

Note: I have tried and found there are other digitally unsigned drivers
which are running on 64 bits OSes, so I believe it is possible.

Thanks
/sarbojit

Google for “KMCS”.

Binaries are always signed, not so with INF/CAT files.


Maxim S. Shatskih
Windows DDK MVP
xxxxx@storagecraft.com
http://www.storagecraft.com

“Sarbojit Sarkar” wrote in message news:xxxxx@ntdev…

Boot start driver binaries have to be signed.

Driver packages do not have to be signed, but will require the user to
manually allow the install.

Mark Roddy

On Thu, Sep 23, 2010 at 9:13 AM, Sarbojit Sarkar wrote:

The only legal way(s) of disabling 64 bit signing is to either set test
signing via BCDEDIT and have WinDBG connected, or create a Test certificate
and sign your driver with that certificate. However, that only applies to
your target machine, and I believe you still have to have WinDbg connected.
Of course, at each boot, you can disable all signatures, but you have to do
that at each boot. Not really recommended for delivery to customers. I know
that were I a customer, I’d laugh my ass off all the way to the dumpster
where I would dump your product on my way to Best Buy to replace it with a
product that can properly handle signing.

Gary G. Little

H (952) 223-1349

C (952) 454-4629

xxxxx@comcast.net

On Thursday, September 23, 2010 8:13 AM, Sarbojit Sarkar wrote:

Let’s be clear about this: on x64 operating systems under normal
circumstances, ALL driver binaries require to be properly signed (and cross
signed) in order to allow them to become loaded whether they are boot start
drivers or not.

//Daniel

“Mark Roddy” wrote in message news:xxxxx@ntdev…
>Boot start driver binaries have to be signed.

Yuppers, Daniel is correct. You may also be required to create and sign a
CAT file. I know my WFP driver requires a signature on both CAT and SYS
files.

Gary G. Little
H (952) 223-1349
C (952) 454-4629
xxxxx@comcast.net

On Thursday, September 23, 2010 9:57 AM, xxxxx@resplendence.com (Daniel) wrote:

>at each boot, you can disable all signatures, but you have to do that at each boot.

…and this also disables audio, BTW.


Maxim S. Shatskih
Windows DDK MVP
xxxxx@storagecraft.com
http://www.storagecraft.com

Maxim S. Shatskih wrote:

> at each boot, you can disable all signatures, but you have to do that at each boot.
> …and this also disables audio, BTW.

It disables the playback of DRM-protected audio. Plain old audio should
still run.


Tim Roberts, xxxxx@probo.com
Providenza & Boekelheide, Inc.

Gary G. Little wrote:

> Yuppers, Daniel is correct. You may also be required to create and sign a
> CAT file. I know my WFP driver requires a signature on both CAT and SYS
> files.

I’d be surprised by that. It’s certainly not true in the general case.
I have no direct experience with WFP, but for normal drivers, you may
sign either the SYS or the CAT. That’s even true for boot-start
drivers, although they recommend signing the SYS because of the time it
takes to locate the CAT.

As soon as you copy in a new SYS file, the CAT becomes invalid, so by
habit I always sign the SYS files during development.


Tim Roberts, xxxxx@probo.com
Providenza & Boekelheide, Inc.

> It disables the playback of DRM-protected audio. Plain old audio should
> still run.

On my 2008 R2 x64, the audio device (inbox HDAudio driver for Intel’s G33 chipset) disappears when I boot in this mode.


Maxim S. Shatskih
Windows DDK MVP
xxxxx@storagecraft.com
http://www.storagecraft.com

Sarbojit Sarkar wrote:

> I have made a display driver and did required change in INF file
> for 64bits OSes but since my driver is not digitally signed OS is not
> allowing it to load. I can see my driver in device manager with Yellow
> Bang.
>
> I have heard there is a way to disabled or skip signature check.
> Please let me know if it is good to skip or disable the check for my
> driver. Also how to disable it?

If there were an easy way to disable the check, there wouldn’t be much
point in having a check, would there?

> Note: I have tried and found there are other digitally unsigned
> drivers which are running on 64 bits OSes, so I believe it is possible.

I don’t know where you looked, but without taking special steps at each
boot, there’s no way to load an unsigned driver in 64-bit Windows.

Driver developers simply have to resign themselves to buying a
certificate as a cost of doing business. They cost less than a day’s
labor, so if you’ve spent a day trying to figure out a way around it,
you are already wasting your money.


Tim Roberts, xxxxx@probo.com
Providenza & Boekelheide, Inc.

I was relating my own experience in handling signing issues in a non-PNP
driver. I have had to sign my CAT and SYS file for the 64bit version of my
driver to load. Now, I have not signed the CAT file for quite a while,
simply copying the signed version to the install package which then is
copied, initially, to the same directory path as the SYS file. During the
driver install, the destination paths and INF and WDF files get sorted out,
and the SYS file moved to the SYSTEM32 path.

Gary G. Little
H (952) 223-1349
C (952) 454-4629
xxxxx@comcast.net

On Thursday, September 23, 2010 11:41 AM, Tim Roberts wrote:

> As soon as you copy in a new SYS file, the CAT becomes invalid, so by
> habit I always sign the SYS files during development.

If you sign the SYS, the CAT still remains valid.

I think it was documented in the KMCS document.


Maxim S. Shatskih
Windows DDK MVP
xxxxx@storagecraft.com
http://www.storagecraft.com

Maxim S. Shatskih wrote:

> As soon as you copy in a new SYS file, the CAT becomes invalid, so by
> habit I always sign the SYS files during development.
> If you sign the SYS, the CAT still remains valid.

I think it was documented in the KMCS document.

I’m not sure that’s relevant. If you sign the SYS file, the CAT file
doesn’t serve any purpose, so it doesn’t really matter very much whether
it is valid.

However, I don’t see how it could be valid. The CAT contains a checksum
of the SYS file (not counting the signature). If I create a new SYS
file, the checksum isn’t going to match.

Now, if I create a CAT file with an unsigned driver, and then sign that
driver, I can certainly believe that the CAT file remains valid, but
that’s not the situation I was talking about.


Tim Roberts, xxxxx@probo.com
Providenza & Boekelheide, Inc.

> I’m not sure that’s relevant. If you sign the SYS file, the CAT file
> doesn’t serve any purpose, so it doesn’t really matter very much whether
> it is valid.

The CAT file still must be signed for PnP installation procedure. The SYS signature is enough for KMCS and not enough for PnP.


Maxim S. Shatskih
Windows DDK MVP
xxxxx@storagecraft.com
http://www.storagecraft.com

Thanks a lot for all the responses. I will read the mentioned documents. But I am
having a few doubts.

  1. So the conclusion I got from the above responses is that I have to make the .sys
    and .cat file digitally signed. But my driver is in the development stage now
    and we are changing it on an almost daily basis. So I was looking for some
    workaround like disabling the digital signature check during development, please suggest.
    Also some update was saying it could create a problem for audio?
  2. I have seen the Ultra VNC driver and that is not digitally signed, but I am
    able to load and use that driver, how? On 64 bits.
  3. Do all drivers need to disable the signature check separately at boot time, or
    if any one is disabling it then the others need not? Also how to confirm if
    someone has disabled the signature check or not?
  4. If I need to make the .sys and .cat file digitally signed then how can I
    make it? Is any tool available to make it digitally signed?

I have never been into this signing issue so it may happen that my doubts are very
basic. I am very sorry for that but your guidance is required here.

/sarbojit

On Fri, Sep 24, 2010 at 2:03 AM, Maxim S. Shatskih wrote:

You will get answers to most of your questions if you download (google it) and read KMCS_Walkthrough.doc or kmsigning.doc.

and for your questions

  1. You can test sign your driver during development.

  2. You get an option at boot time to completely disable signing enforcement. So you can install any unsigned driver if you boot with that option.

  3. There is test sign and release sign. Read the doc, you will understand. You need signing tools which you can download freely but you might need a Software publisher certificate to release sign it and see that it installs in all 64 bit machines

> some work around like disabling digital sign check during development, please suggest.

Hit F8 each reboot and choose to ignore signatures.

> Also some update was saying it could create problem for audio?

Sorry, I tried a lot today and cannot confirm this. The lack of audio on my machine could be due to a jack/KVM switch issue, not due to the Windows boot mode.

> I have seen Ultra VNC driver and that is not digitally signed

Are you really sure of it?

> I never been into this signed issue so it may happen that my doubts are very basic

  1. Buy the cert - it’s cheap, cheaper than 1 computer, and it is for 1 year. For a team, this is a negligible price compared to salaries/rent/equipment, and is probably less than even Internet service payments.
  2. Sign any well-debugged intermediate versions which deserve a source control label.
  3. Hit F8 to boot with the unsigned driver - this is for debugging/bugfixing/developer’s testing only, so developer’s test machines only. Testers will only have the intermediate versions, which are signed.


Maxim S. Shatskih
Windows DDK MVP
xxxxx@storagecraft.com
http://www.storagecraft.com

Sarbojit Sarkar wrote:

> Thanks a lot for all responses. I will read mentioned documents. But I
> am having few doubts.
>
> 1. So the conclusion I got from above responses is I have to make
> .sys and .cat file digitally signed. But my driver is in
> development stage now and we are changing it almost daily basis.
> So I was looking for some work around like disabling digital
> sign check during development, please suggest. Also some update
> was saying it could create problem for audio?

So what if you change it daily? It’s not like it costs you money every
time you sign. Just make it part of your build procedure, like linking
or applying resources.

> 2. I have seen Ultra VNC driver and that is not digitally signed
> but I am able to load and use that driver, how? On 64 bits.

Why do you think it is not digitally signed? It may not be WHQL signed,
but it is digitally signed. Also remember that UltraVNC works perfectly
well without its mirror driver.

> 3. All drivers need to disable signature check separately at boot
> time or if any one is disabling then other need not to? Also how
> to confirm if some one has disabled signed check or not?

It’s a global switch. There will be a warning notice displayed in the 4
corners of the screen.

> 4. If I need to make .sys and .cat file digitally signed then how I
> can make it? Is any tool available to make it digitally signed?
>
> I never been into this signed issue so it may happen that my doubts
> are very basic. I am very sorry for that but your guidance is required
> here.

You need a certificate, and you need the “signtool” command in the WDK.
As others have suggested, the KMCS_Walkthrough white paper is an
invaluable asset here.

http://www.microsoft.com/whdc/driver/install/drvsign/kmcs-walkthrough.mspx


Tim Roberts, xxxxx@probo.com
Providenza & Boekelheide, Inc.
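An added example, not code from the thread or any of its posters, of the per-build test-signing step Tim and Maxim describe for question 4: sign the SYS (what KMCS checks at load), regenerate and sign the CAT (what the PnP install path checks), verify both with signtool, and confirm the development box is actually in test-signing mode. It assumes the WDK tools (makecert, certmgr, inf2cat, signtool) are on PATH, an elevated PowerShell on the developer's own test machine, and placeholder names for the package directory, driver files, certificate subject and timestamp URL.

```powershell
# Added example, not from the thread: per-build test signing of a 64-bit driver
# package during development, using the WDK tools named in the KMCS walkthrough.
# Assumptions (placeholders): package in $PackageDir with mydisplay.inf/.sys, the
# INF's CatalogFile= entry names mydisplay.cat, tools on PATH, elevated PowerShell.

$PackageDir   = 'C:\drivers\mydisplay'                  # placeholder path
$DriverSys    = Join-Path $PackageDir 'mydisplay.sys'   # placeholder file name
$DriverCat    = Join-Path $PackageDir 'mydisplay.cat'   # produced by inf2cat
$CertSubject  = 'MyCompany(Test)'                        # placeholder test-cert subject
$CertFile     = 'C:\drivers\MyCompanyTest.cer'          # placeholder
$TimestampUrl = 'http://timestamp.example/'              # assumption: your CA's timestamp service
$CertStore    = 'PrivateCertStore'

function Invoke-Tool {
    param([string]$Exe, [string[]]$ToolArgs)
    & $Exe @ToolArgs
    if ($LASTEXITCODE -ne 0) { throw "$Exe failed (exit code $LASTEXITCODE)" }
}

# 1. One-time, on the development/test machine only: create a self-signed test
#    certificate and trust it so that test-signed binaries verify locally.
#    A test certificate must never be installed on customer machines.
if (-not (Test-Path $CertFile)) {
    Invoke-Tool makecert @('-r', '-pe', '-ss', $CertStore, '-n', "CN=$CertSubject", $CertFile)
    Invoke-Tool certmgr  @('/add', $CertFile, '/s', '/r', 'localMachine', 'root')
    Invoke-Tool certmgr  @('/add', $CertFile, '/s', '/r', 'localMachine', 'trustedpublisher')
}

# 2. Every build: embed a signature in the SYS. This is what KMCS checks when the
#    kernel loads the image, so it alone is enough for the driver to load.
Invoke-Tool signtool @('sign', '/v', '/s', $CertStore, '/n', $CertSubject, '/t', $TimestampUrl, $DriverSys)

# 3. Every build: regenerate the catalog, because it stores hashes of the package
#    files and a new SYS invalidates the old CAT. Then sign the CAT too, since the
#    PnP install path checks the catalog, not the embedded SYS signature.
Invoke-Tool inf2cat  @("/driver:$PackageDir", '/os:7_X64,Server2008R2_X64')
Invoke-Tool signtool @('sign', '/v', '/s', $CertStore, '/n', $CertSubject, '/t', $TimestampUrl, $DriverCat)

# 4. Verify both with the default Authenticode policy (/pa). Release-signed builds
#    (cross-signed with a publisher certificate) should also pass 'signtool verify /kp',
#    the kernel-mode code-signing policy check.
Invoke-Tool signtool @('verify', '/pa', '/v', $DriverSys)
Invoke-Tool signtool @('verify', '/pa', '/v', $DriverCat)

# 5. Test-signed drivers load only when the boot entry has testsigning on; this is
#    the machine-wide switch that puts the "Test Mode" notice in the desktop corners.
#    Enable it once with 'bcdedit /set testsigning on' and reboot.
$testMode = bcdedit /enum '{current}' | Select-String -Pattern '^\s*testsigning\s+Yes'
if (-not $testMode) {
    Write-Warning 'testsigning is off: the test-signed driver will not load on this machine.'
}
```

Because the CAT is rebuilt and re-signed on every build, Device Manager reports the package as signed and the yellow bang disappears on the test box; only a release signature with a purchased certificate makes it install cleanly on other machines.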

Tim & Maxim,

> > 1. I have seen Ultra VNC driver and that is not digitally signed
> > but I am able to load and use that driver, how? On 64 bits.
>
> Why do you think it is not digitally signed? It may not be WHQL signed,
> but it is digitally signed. Also remember that UltraVNC works perfectly
> well without its mirror driver.

I have checked in driver property and found “Digital Signer : Not digitally
signed”. Please let me know if my assumption is wrong.

Tim, I know ULTRA VNC can work without driver but my doubt is why my driver
is showing yellow bang and ULTRA VNC driver is not showing yellow bang. Also
I have confirmed from code that it is using driver.

Any suggestion will be highly appreciated.

Thanks,
/sarbojit

On Sat, Sep 25, 2010 at 12:03 AM, Tim Roberts wrote: