How to run driver without signature on windows 7 64bit

Hi, I am currently developing VirtualMonitor, which is cross-platform open-source software. It allows you to use a computer, tablet, or smartphone as a second monitor for your primary computer.
I ported the driver from the VirtualBox Guest Additions display driver. This driver creates a virtual display adapter. When the guest OS requests to draw something on screen, this driver stores the content and updates dirty pixel data through the Guest Host Shared Memory mechanism.

I have ported this driver to work on the host OS directly and send out dirty pixels to another device through the network.
http://virtualmonitor.github.io/

The ReactOS team helped me sign the driver, but it still can’t pass the Windows signature verification process during the installation phase. But if I run signtool to verify it, it shows success.
signtool verify /pa virtualmonitorDisp.dll
It shows: Successfully verified: VirtualMonitorDisp.dll.
signtool verify /pa virtualmonitor.sys
It shows: Successfully verified: VirtualMonitor.sys

My question is: is there any way to run the driver on 64-bit Windows without a signature? Thanks.

If you mean in a production environment, no. For testing you can either, on
boot, use F8 to disable driver signing, or test sign the driver and install
the test signature on the system.

Don Burn
Windows Filesystem and Driver Consulting
Website: http://www.windrvr.com
Blog: http://msmvps.com/blogs/WinDrvr

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of xxxxx@gmail.com
Sent: Sunday, February 02, 2014 5:34 PM
To: Windows System Software Devs Interest List
Subject: [ntdev] How to run driver without signature on windows 7 64bit


xxxxx@gmail.com wrote:

> I have ported this driver works on host OS directly. and send out dirty pixels to another device through network.
> http://virtualmonitor.github.io/
>
> ReactOS team helped me signed the driver. but still can’t pass the signature verification process of windows during the installation phase. but if i run signtool to verify it. it show success.
> signtool verify /pa virtualmonitorDisp.dll
> it shows: Successfully verified: VirtualMonitorDisp.dll.
> signtool verify /pa virtualmonitor.sys
> it shows: Successfully verified: VirtualMonitor.sys

Signing the driver is not enough. You need to sign it using a
certificate from a Microsoft-approved certificate authority – one that
has a “cross certificate” – and you have to apply that cross
certificate when you do the signing. When you verify your driver, you
need to use the /kp switch to use the kernel-mode policy, not the
default policy.
signtool verify /pa virtualmonitordisp.dll
signtool verify /v /kp virtualmonitor.sys

If the second one does not include the “Microsoft Code Verification
Root”, then you have signed it incorrectly.


Tim Roberts, xxxxx@probo.com
Providenza & Boekelheide, Inc.

Thanks, Don, I know that F8 option. So my purpose is not for testing.
Hi, Tim. With signtool verify /v /kp virtualmonitor.sys or virtualmonitordisp.dll, both files show:

Cross Certificate Chain:
    Issued to: Microsoft Code Verification Root
    Issued by: Microsoft Code Verification Root
    Expires: Sat Nov 01 05:54:03 2025
    SHA1 hash: 8FBE4D070EF8AB1BCCAF2A9D5CCAE7282A2C66B3

    Issued to: VeriSign Class 3 Public Primary Certification Authority - G5
    Issued by: Microsoft Code Verification Root
    Expires: Mon Feb 22 11:35:17 2021
    SHA1 hash: 57534CCC33914C41F70E2CBB2103A1DB18817D8B

    Issued to: VeriSign Class 3 Code Signing 2010 CA
    Issued by: VeriSign Class 3 Public Primary Certification Authority - G5
    Expires: Fri Feb 07 15:59:59 2020
    SHA1 hash: 495847A93187CFB8C71F840CB7B41497AD95C64F

    Issued to: ReactOS Foundation
    Issued by: VeriSign Class 3 Code Signing 2010 CA
    Expires: Thu Dec 03 15:59:59 2015
    SHA1 hash: A8348D17A267871C0495B6492C4277F3E4B747F9

Successfully verified: VirtualMonitorVideo.sys

Number of files successfully Verified: 1

Is there any other action or setup configuration I have to do in order to pass the signature verification process during installation? Right now I only have the following files:

  1. an INF file
  2. a .sys file
  3. a .dll file

Do I have to prepare another .cab file?

Thanks.
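The check Tim Roberts describes (the `/kp` output must chain to "Microsoft Code Verification Root"), written out as an added example that is not part of the thread. The function names are hypothetical, and the parser assumes the field labels shown in the output posted above.

```python
# Added example (not from the thread): inspect `signtool verify /v /kp` output.
ROOT = "Microsoft Code Verification Root"
FIELDS = ("Issued to:", "Issued by:", "Expires:", "SHA1 hash:")

# Sample rebuilt from the chain posted in this thread; expiry dates and
# hashes are left out, CRLF line endings are kept.
SAMPLE = "\r\n".join([
    "Cross Certificate Chain:",
    "    Issued to: Microsoft Code Verification Root",
    "    Issued by: Microsoft Code Verification Root",
    "    Issued to: VeriSign Class 3 Public Primary Certification Authority - G5",
    "    Issued by: Microsoft Code Verification Root",
    "    Issued to: VeriSign Class 3 Code Signing 2010 CA",
    "    Issued by: VeriSign Class 3 Public Primary Certification Authority - G5",
    "    Issued to: ReactOS Foundation",
    "    Issued by: VeriSign Class 3 Code Signing 2010 CA",
    "",
    "Successfully verified: VirtualMonitorVideo.sys",
])

def parse_cross_chain(output):
    """Return the cross-certificate chain as a list of dicts, root first."""
    lines = [ln.strip() for ln in output.replace("\r", "").split("\n")]
    if "Cross Certificate Chain:" not in lines:
        return []
    chain, cert = [], {}
    for line in lines[lines.index("Cross Certificate Chain:") + 1:]:
        if not line:
            continue
        if not line.startswith(FIELDS):
            break  # first non-field line ends the section
        key, _, value = line.partition(":")
        if key == "Issued to" and cert:  # a new certificate block starts
            chain.append(cert)
            cert = {}
        cert[key] = value.strip()
    return chain + [cert] if cert else chain

def check_kernel_chain(output):
    """Return (ok, reason) for the kernel-mode policy chain."""
    chain = parse_cross_chain(output)
    if not chain:
        return False, "no cross certificate chain in output"
    if chain[0].get("Issued to") != ROOT or chain[0].get("Issued by") != ROOT:
        return False, "chain does not start at " + ROOT
    for parent, child in zip(chain, chain[1:]):
        if child.get("Issued by") != parent.get("Issued to"):
            return False, "broken link at " + child.get("Issued to", "?")
    return True, "leaf: " + chain[-1].get("Issued to", "?")
```

A passing result only covers the chain Tim asks about; as the rest of the thread shows, the poster's driver still failed to load with Code 52 despite this chain being present.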

Tim Roberts wrote:

xxxxx@gmail.com wrote:
> I have ported this driver works on host OS directly. and send out dirty pixels to another device through network.
> http://virtualmonitor.github.io/
>
> ReactOS team helped me signed the driver. but still can’t pass the signature verification process of windows during the installation phase. but if i run signtool to verify it. it show success.

I should have read more carefully. You are talking about the
INSTALL-time signature check.

You will always get that warning unless your driver is signed by WHQL.
The user is always given the option of approving the driver anyway. If
you sign your CAT file using the certificate you just posted, you can
change that to a “Do you trust this publisher?” dialog. If the user
decides to trust you, then all future installs for that certificate will
be silent.


Tim Roberts, xxxxx@probo.com
Providenza & Boekelheide, Inc.

Hi, Tim

> You will always get that warning unless your driver is signed by WHQL.

Do you mean that during installation, even if I get that warning, if I choose to ignore it and install anyway, then at least Windows will load and run that driver? But in my case, after installation, Windows still will not load that driver. Device Manager shows:

Windows cannot verify the digital signature for the drivers required for this device. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source. (Code 52)

Is there anything else I have missed?

Is your cert signed with SHA-1 or SHA-256? I had similar installation issues when Symantec issued my cert and it used SHA-256. It seems Win7 does not like that so I had to have it reissued using SHA-1.

Also you mention you don’t have CAT file. To make a CAT from INF:

First run ChkInf to make sure it is legit:
C:\Program Files (x86)\Windows Kits\8.0\tools\x86\ChkInf>chkinf "path to inf" /b

Once that has passed, run Inf2cat:
C:\WinDDK\7600.16385.0>Inf2cat /driver:path\where\driver\and\inf\are\located\ /os:7_x64
(your mileage will vary depending on your target platform)

That will spit out a CAT which the INF uses to install the driver.

Below is a copy of an INF that I have used that passes chkinf. You’ll have to fill in or change the pertinent info but the structure is good. Hope it helps.

;;;
;;; xxxxx
;;;
;;;
;;; Copyright (c) 2014
;;;

[Version]
signature = "$Windows NT$"
Provider = %Str1%
DriverVer = 12/18/2013,1.2013.12.18
Class = "ActivityMonitor" ; or whatever your class may be
ClassGuid = {b86dff51-a31e-4bac-b3cf-e8cfe75c9fc2}
CatalogFile.NTx86 = drv86.cat
CatalogFile.NTIA64 = drvia64.cat
CatalogFile.NTAMD64 = drv64.cat

[DestinationDirs]
DefaultDestDir = 12
drv.DriverFiles = 12 ;%windir%\system32\drivers

[SourceDisksNames]
1 = %Disk1%

[SourceDisksFiles]
{driver_file_name} = 1

;;
;; Default install sections
;;

[DefaultInstall]
OptionDesc = %Str2%
CopyFiles = drv.DriverFiles

[DefaultInstall.Services]
AddService = %Str3%,drv.Service

;;
;; Default uninstall sections
;;

[DefaultUninstall]
DelFiles = drv.DriverFiles

[DefaultUninstall.Services]
DelService = %Str3%,0x200 ; Same service name as AddService; flag stops the service first

;
; Services Section
;

[drv.Service]
DisplayName = %Str3%
Description = %Str2%
ServiceBinary = %12%\{driver_file_name} ;%windir%\system32\drivers\{driver_file_name}
ServiceType = 1 ;SERVICE_KERNEL_DRIVER
StartType = 3 ;SERVICE_DEMAND_START
ErrorControl = 1 ;SERVICE_ERROR_NORMAL

;
; Copy Files
;

[drv.DriverFiles]
{driver_file_name},,,0x00000040 ; COPYFLG_OVERWRITE_OLDER_ONLY (flag is the fourth field)

;;
;; String Section
;;

[Strings]
Str1 = "Your Company Name"
Str2 = "Your description"
Str3 = "Your service name"
Str4 = "Your registry key"
Disk1 = "Your disk "