Updating drivers with SetupCopyOemInf and INetCfg

Hi All, hoping someone can help.

We have an NDIS Filter driver. According to MSDN, it must be installed using SetupCopyOemInf, and bound to adapters using the INetCfg series of COM objects.

This all works fine, and we are able to install and uninstall our driver.

However, we have a problem with the update case. It works fine, except for one small problem - it pops a dialog box. We need our updates to be able to run unattended.

The way we work the upgrade case is by

  1. Get a class installer, and call DeInstall
  2. Call SetupUninstallOEMInf to remove old inf file
  3. Call SetupCopyOEMInf to copy in new inf and cat files
  4. Get a class installer, and call Install
  5. Call Apply on the INetCfg object

We’ve tried previously not calling SetupUninstallOEMInf but it leaves old copies of the driver in the driver store, which means they are still available for “Installation” manually on a network adapter (which is bad).

There is a parameter in INetCfgClassSetup::Install for an answer file for unattended setup. There is of course no documentation (that I could find) for this.

Does anyone know what the best way to update such a driver is? Since they are all signed, we can’t just replace .sys files, since the .cat file that is compiled into the oeminfXX.pnf file then won’t match. The docs for SetupCopyOEMInf are horrible, and although they mention copying just the cat file, they also explicitly state that no changes will be made to stored inf, cat files etc.

Or should I just write code to click the OK button on the “Windows Security” nag dialog about installing a driver…

TIA

Adrien

p.s.

I should clarify. It pops the dialog on install as well, but since this is generally done by a human, it’s not a problem. The dialog is the OS security system asking if the user really wants to install a driver from such-and-such. It’s the update that’s the problem, since this is done by our updater service with no desktop, and no human to click buttons.

Code-signing everything under the sun still doesn’t seem to help here.

Is it the same dialog on update that is displayed on install?

And please be specific. Trying to guess what you mean by “OS security
system” and “install a driver from such-and-such” is not really very
helpful. The precise text of the message would be helpful. In particular,
distinguishing between a driver signing warning and a privilege escalation
request is quite important.

Are you running your update process with elevated privilege?

Regarding your update steps: I don’t know that what you are trying will not
work. I just know that in the situations where I have created installers
that update an NDIS Filter driver I have chosen to remove the old NetService
package prior to installing the new NetService package. That means getting
all the way to ->Apply() to the NetCfg on remove before launching into
install. I also remove the INFs for both the NetService and Net (if this is
an NDIS IM Filter) after uninstall and before installing the new ones. I
stress that I am just sharing what I have found to work. I am not saying
that your sequence does not work. I just have never tried doing a ‘remove’,
cleanup INFs, ‘install’ new within the same NetCfg configuration update
(transaction).

Good Luck,
Dave Cattley

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of xxxxx@qbik.com
Sent: Saturday, March 27, 2010 8:56 PM
To: Windows System Software Devs Interest List
Subject: RE:[ntdev] Updating drivers with SetupCopyOemInf and INetCfg

p.s.

I should clarify. It pops the dialog on install as well, but since this is
generally done by a human, it’s not a problem. The dialog is the OS
security system asking if the user really wants to install a driver from
such-and-such. It’s the update that’s the problem, since this is done by our
updater service with no desktop, and no human to click buttons.

Code-signing everything under the sun still doesn’t seem to help here.


NTDEV is sponsored by OSR

For our schedule of WDF, WDM, debugging and other seminars visit:
http://www.osr.com/seminars

To unsubscribe, visit the List Server section of OSR Online at
http://www.osronline.com/page.cfm?name=ListServer

Hi David, thanks for your reply.

On 28/03/2010 4:11 p.m., David R. Cattley wrote:

> Is it the same dialog on update that is displayed on install?

Yes.

> And please be specific. Trying to guess what you mean by “OS security
> system” and “install a driver from such-and-such” is not really very
> helpful. The precise text of the message would be helpful. In particular,
> distinguishing between a driver signing warning and a privilege escalation
> request is quite important.

It doesn’t look like a signing warning. It’s not a UAC dialog.

The installer is running elevated.

The dialog details are:

Title: “Windows Security”.

Would you like to install this device software?
Name: Qbik New Zealand Limited Network Service
Publisher: Qbik New Zealand Limited

Always trust software from “Qbik New Zealand Limited”

There’s an icon showing an old win2k-style computer sharing icon
(computer on a hand).

> Are you running your update process with elevated privilege?

yep

> Regarding your update steps: I don’t know that what you are trying will not
> work. I just know that in the situations where I have created installers
> that update an NDIS Filter driver I have chosen to remove the old NetService
> package prior to installing the new NetService package.

I tried this first, but it requires a reboot (I think due to the
characteristics of the driver itself - required driver) on uninstall, so
if you call Apply, then the install fails. I didn’t yet try using
another INetCfg object, or uninitializing and reinitializing it. We had
previously used netcfg.exe -u for the initial step, and that seemed to
work (except it left a copy of the old driver in the driver store). So
perhaps getting a new INetCfg object and initialising it for the install
phase would also work.

I tried not calling Apply in desperation, and it worked, so I can only
presume that the system is smart enough to combine the 2 requests before
applying.

I’m presuming therefore that this driver update case is seen by the OS
as an uninstall, and install (which is how it’s coded), and therefore
sees the install as a new driver, hence the warning.

Is it usual to see such a warning or does it indicate a signing problem?

I’m using a 64bit external app to do the install. It’s possible that it
doesn’t get the elevated privileges (since I don’t know that child
processes inherit that on Vista +).

I also found however I can get a 32bit app to install a driver on 2k8 R2
x64, simply by disabling file system redirection.

So this could be due to privilege level maybe due to the child process.

> That means getting
> all the way to ->Apply() to the NetCfg on remove before launching into
> install. I also remove the INFs for both the NetService and Net (if this is
> an NDIS IM Filter) after uninstall and before installing the new ones. I
> stress that I am just sharing what I have found to work. I am not saying
> that your sequence does not work. I just have never tried doing a ‘remove’,
> cleanup INFs, ‘install’ new within the same NetCfg configuration update
> (transaction).
>
> Good Luck,

thanks!

Adrien de Croy

> Dave Cattley

Adrien de Croy - WinGate Proxy Server - http://www.wingate.com

OK, I double-checked everything.

a) made sure only signing sys files once, prior to making cat file
b) made sure running installer as administrator

No difference - still getting the dialog. I’m picking it’s just Windows’
way to show the user a driver is being installed.

There is a parameter in the INetCfgClassSetup::Install for an answer
file for unattended setup. Anyone used this?

Regards

Adrien

Adrien de Croy - WinGate Proxy Server - http://www.wingate.com

The warning message is generated when the certificate used to sign the
package is not in the Trusted Publisher’s store.

The answer file mechanism is a way to provide answers unattended to a custom
notify object to avoid UI during system setup. It cannot ‘answer’ the
publisher certificate prompt.

You can just pre-install the certificate for testing purposes. If you had
checked the box the first time you installed the driver, the system would
have installed the certificate in the Trusted Pub store and you would not
have been prompted again. Which is typically what would happen in a user
install if the user decided the organization behind the certificate was
trustworthy.

The netcfg -u command (as you have discovered) does not remove a driver
package from the driver store. The devcon dp_delete command will remove
the driver package from the driver store. Of course you would need to
determine the OEM.inf name of the NetService (and Net if this is an IM
filter) driver packages. You could ‘script’ the process using netcfg &
devcon to experiment & prototype your precise upgrade sequence.

If removing the NetService requires a reboot then more than likely upgrading
the NetService will require a reboot. Have you verified that the old driver
unloads and the new driver is copied & then actually loaded during your
upgrade sequence?

Also: Is this an IM Filter with both a NetService class INF and Net class
INF or is it a Light Weight Filter with just a NetService class INF?

Good Luck,
Dave Cattley

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Adrien de Croy
Sent: Sunday, March 28, 2010 3:10 AM
To: Windows System Software Devs Interest List
Subject: Re: [ntdev] Updating drivers with SetupCopyOemInf and INetCfg

OK, I double-checked everything.

a) made sure only signing sys files once, prior to making cat file
b) made sure running installer as administrator

No difference - still getting the dialog. I’m picking it’s just windows
way to show the user a driver is being installed.

There is a parameter in the INetCfgClassSetup::Install for an answer
file for unattended setup. anyone used this?

Regards

Adrien

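Added example, not part of the original thread or any poster's code: a PowerShell illustration of the prototyping Dave Cattley suggests in his last reply. It finds the old NetService/Net packages in `devcon dp_enum` output so they can be passed to `devcon dp_delete`, and checks that the new catalog's signer is the expected publisher and is already in the Trusted Publishers store. The `dp_enum` text layout, the vendor name, the thumbprint placeholder and the file names are assumptions; the sample output is constructed.

```powershell
# Added example; vendor name, thumbprint and file names are placeholders.

# Parse `devcon dp_enum` text into objects with Inf, Provider and Class.
function Get-DriverStorePackage {
    param([string[]]$Lines)
    $pkg = $null
    foreach ($line in $Lines) {
        if ($line -match '^\s*(oem\d+\.inf)\s*$') {
            $pkg = [ordered]@{ Inf = $Matches[1]; Provider = ''; Class = '' }
        } elseif ($pkg -and $line -match '^\s*Provider:\s*(.*\S)') {
            $pkg.Provider = $Matches[1]
        } elseif ($pkg -and $line -match '^\s*Class:\s*(.*\S)') {
            $pkg.Class = $Matches[1]
            [pscustomobject]$pkg          # emit one object per package
            $pkg = $null
        }
    }
}

# True only when the catalog is validly signed by the pinned publisher AND that
# certificate is already in LocalMachine\TrustedPublisher (no prompt expected).
function Test-PublisherPreTrusted {
    param([string]$CatalogPath, [string]$PinnedThumbprint)
    $sig = Get-AuthenticodeSignature -FilePath $CatalogPath
    if ($sig.Status -ne 'Valid') { throw "Catalog signature is $($sig.Status)" }
    $thumb = $sig.SignerCertificate.Thumbprint
    if ($thumb -ne $PinnedThumbprint) { throw "Unexpected signer $thumb" }
    Test-Path "Cert:\LocalMachine\TrustedPublisher\$thumb"
}

# Constructed sample of dp_enum output (assumed layout).
$sample = @'
The following 3rd party Driver Packages are installed on this computer:
oem7.inf
    Provider: Example Vendor Ltd
    Class: Network Service
oem9.inf
    Provider: Other Corp
    Class: Display adapters
oem12.inf
    Provider: Example Vendor Ltd
    Class: Network adapters
'@ -split "`r?`n"

# Select only this vendor's NetService and Net packages.
$old = Get-DriverStorePackage $sample | Where-Object {
    $_.Provider -eq 'Example Vendor Ltd' -and
    $_.Class -in 'Network Service', 'Network adapters'
}
$old | Format-Table Inf, Provider, Class

# On an elevated test machine, after the old component has been removed
# (netcfg -u, or INetCfg remove followed by Apply):
#   $old = Get-DriverStorePackage (devcon dp_enum) | Where-Object { ... }
#   $old | ForEach-Object { devcon dp_delete $_.Inf }
#   certutil -addstore TrustedPublisher publisher.cer
#   Test-PublisherPreTrusted .\newdriver.cat '<PINNED-THUMBPRINT>'
```

Pinning the thumbprint before adding anything to Trusted Publishers keeps the store limited to the one certificate the deployment actually intends to trust.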