2008-08-10

Installing unsigned drivers on Vista 64

OK, if you ended up here, it's probably because you've been trying to install an unsigned driver (e.g. XBCD Xbox Gamepad, PSPLinkUSB), and found out about the requirement for all drivers to be signed in Vista 64.

Now, you shouldn't rush with the first article you found on the web that tells you how to disable signed drivers in Vista altogether. The MUCH smarter way is to run Vista 64 in test mode instead, and self-sign your drivers. And to be clear, NO, this does NOT require you to recompile the drivers! You can just pick up the drivers you got from someone and sign them away. Of course, one could comment on yet another of Microsoft's stupid "we don't trust our users" decisions of having to enable the test mode to have users install their self-signed drivers. A MUCH SMARTER way would have been to do that outside of the test mode as well. After all, if a user went as far as installing their own root certificate, it should probably be trusted.

Anyway, the procedure is as follows (and it is described in much more detail here):

1. Get Vista to boot in test mode always with the command:
bcdedit.exe /store C:\Boot\BCD /set testsigning yes
(And there again, I have to curse Microsoft for NOT indicating with bcdedit /? that you can use the /store option to specify your store, and having to spend HOURS trying to figure out why I was getting the following error which is apparently expected, if you boot multiple OSes and don't let Microsoft take over your boot record:
The boot configuration data store could not be opened.
The system cannot find the file specified.
)

After you enter that command, you MUST reboot Vista.

Note: Once Test Mode is enabled, you will get the Windows Version as well as "Test Mode" displayed over the background image. If you're bothered by this, what on earth are you doing with your computer? Staring at the background?

2. Download the necessary DDK SelfSign files, which I am CONVENIENTLY providing to you HERE, as Microsoft is also an ass there - People shouldn't have to download 2.7 GB to gain access to 700 KB worth of files!
Extract them to the directory where you have your driver.

3. Let's say you want to install the PSPLinkusb driver. First you want to generate your own root certificate for that driver with:
makecert -$ individual -r -pe -ss "Self Signed Drivers" -n CN="Self Signed Drivers" selfsign.cer

4. Then you install the certificate you just created to the trusted root directory:
certmgr /add selfsign.cer /s /r localMachine root
(NB: if you have UAC on, you will need to run this command in a "run as administrator" command prompt)

5. Finally, you sign EACH .sys file using the certificate:
signtool sign /v /s "Self Signed Drivers" /n "Self Signed Drivers" libusb0.sys
signtool sign /v /s "Self Signed Drivers" /n "Self Signed Drivers" libusb0_x64.sys

Voila! Now you can install these drivers and get on with your life.

For completeness, I am providing below the output of a successful signing run for the libusb drivers:
E:\Program Files (x86)\OpenOCD\0.2.0\drivers\ft2232>makecert -$ individual -r -pe -ss "Self Signed Drivers" -n CN="Self Signed Drivers" selfsign.cer
Succeeded

E:\Program Files (x86)\OpenOCD\0.2.0\drivers\ft2232>certmgr /add selfsign.cer /s /r localMachine root
CertMgr Succeeded

E:\Program Files (x86)\OpenOCD\0.2.0\drivers\ft2232>signtool sign /v /s "Self Signed Drivers" /n "Self Signed Drivers" libusb0.sys
The following certificate was selected:
Issued to: Self Signed Drivers
Issued by: Self Signed Drivers
Expires: 2040.01.01 00:59:59
SHA1 hash: E0CEAD6474EFD1BF0F6D47501FF3F069C20FD7C7

Done Adding Additional Store

Attempting to sign: libusb0.sys
Successfully signed: libusb0.sys

Number of files successfully Signed: 1
Number of warnings: 0
Number of errors: 0

E:\Program Files (x86)\OpenOCD\0.2.0\drivers\ft2232>signtool sign /v /s "Self Signed Drivers" /n "Self Signed Drivers" libusb0_x64.sys
The following certificate was selected:
Issued to: Self Signed Drivers
Issued by: Self Signed Drivers
Expires: 2040.01.01 00:59:59
SHA1 hash: E0CEAD6474EFD1BF0F6D47501FF3F069C20FD7C7

Done Adding Additional Store

Attempting to sign: libusb0_x64.sys
Successfully signed: libusb0_x64.sys

Number of files successfully Signed: 1
Number of warnings: 0
Number of errors: 0

E:\Program Files (x86)\OpenOCD\0.2.0\drivers\ft2232>
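
An added example (not part of the original post): a PowerShell audit of what steps 1 to 5 leave behind on the machine, namely the test-signing flag, the new trusted root, the exportable private key, and the signature status of each .sys file. The DriverDir and BcdStore parameters are hypothetical names, and the testsigning match assumes English bcdedit output.

```powershell
# Added example: audit what the self-signing procedure left on this machine.
# Run from an elevated PowerShell prompt. Assumptions: English bcdedit output,
# the certificate name used in the post, and hypothetical parameter names.
param(
    [string]$DriverDir = '.',   # folder holding the signed .sys files
    [string]$BcdStore  = ''     # e.g. C:\Boot\BCD on a multi-boot setup (step 1)
)
$subject = 'CN=Self Signed Drivers'

# 1. Is test signing switched on in the boot configuration?
$bcdArgs = @('/enum')
if ($BcdStore) { $bcdArgs = @('/store', $BcdStore, '/enum') }
$bcdOut = & bcdedit.exe $bcdArgs
$testSigning = [bool]($bcdOut | Select-String -Pattern '^testsigning\s+Yes')
"Test signing enabled : $testSigning"

# 2. Which machine-wide trusted roots carry the self-signed name?
$roots = @(Get-ChildItem Cert:\LocalMachine\Root |
           Where-Object { $_.Subject -eq $subject })
foreach ($c in $roots) {
    "Trusted root         : $($c.Thumbprint) expires $($c.NotAfter.ToString('yyyy-MM-dd'))"
}

# 3. Where does the matching private key live? makecert -pe -ss stores it,
#    marked exportable, in the current user's "Self Signed Drivers" store.
$keyStore = 'Cert:\CurrentUser\Self Signed Drivers'
if (Test-Path $keyStore) {
    Get-ChildItem $keyStore | Where-Object { $_.HasPrivateKey } |
        ForEach-Object { "Private key present  : $($_.Thumbprint)" }
}

# 4. Is each driver validly signed, and by one of the roots found in step 2?
#    (The certificate is self-signed, so signer and root are the same cert.)
$rootPrints = $roots | ForEach-Object { $_.Thumbprint }
Get-ChildItem -Path $DriverDir -Filter *.sys | ForEach-Object {
    $sig    = Get-AuthenticodeSignature -FilePath $_.FullName
    $signer = $sig.SignerCertificate
    $ours   = $signer -and ($rootPrints -contains $signer.Thumbprint)
    "{0,-20} status={1} selfSignedRoot={2}" -f $_.Name, $sig.Status, [bool]$ours
}

# Rollback once the driver is no longer needed (reboot afterwards):
#   bcdedit.exe /set testsigning off      (add /store <path> as in step 1)
#   certmgr /del /c /n "Self Signed Drivers" /s /r localMachine root
```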

5 comments:

  1. Peer Guardian Signed Drivers Windows 7

    Used it for Peer Guardian 2 pgfilter.sys.

    Hi, great job here, this works with Windows 7 as well, if it's a simple installer. If there's different files for different OS versions I don't know how to do that.

    Note: You have to install/extract the drivers out first, and sign them first before you try to install, I didn't figure that out right away.

    Good post thanks again.

  2. Does this method still watermark your desktop with Test Mode?

  3. Could you provide your signed version of the pgfilter.sys file? That would be nice as this machine cannot be rebooted for another month as I am serving files off it my company needs access to all the time. pg helps us sniff out malicious connections as well as block ads (globally) very effectively. I would appreciate it with a link to mediafire, RS, or MU. Thanks a lot!

  4. This is the output from the signtool I receive:

    C:\Windows\Peerguardian>signtool sign /v /s "pgfilter driver" /n "pgfilter driver" pgfilter.sys
    The following certificate was selected:
    Issued to: pgfilter driver
    Issued by: pgfilter driver
    Expires: 12/31/2039 4:59:59 PM
    SHA1 hash: 0D4F95FDD1359C8B8DA6527983FC22048B0885E1

    Done Adding Additional Store

    Attempting to sign: pgfilter.sys
    SignTool Error: This file format cannot be signed because it is not recognized.
    SignTool Error: An error occurred while attempting to sign: pgfilter.sys

    Number of files successfully Signed: 0
    Number of warnings: 0
    Number of errors: 1

    Any ideas? And any way to get that already signed pgfilter.sys file from you law?

    Oh yeah, I forgot to mention, this was done on Vista 64 bit and I ran the command as administrator to avoid UAC problems as mentioned in the original post.

  5. http://orestech.wordpress.com/2009/05/08/peer-guardian-2-with-windows-7-rc-x64/
