How to install unsigned drivers in Windows 7 and Vista?

DanDroiD

I found the solution to this annoying little problem...

I copied this word for word... this is not my work but I thank those who put this together. Link to original here

Unlike previous versions of Windows, Microsoft has introduced a very restricted module of driver signature enforcement in Windows Vista SP1 and Windows 7 in order to maintain the stability of the system. All drivers and system files must be digitally verified; otherwise they will not run properly. You may notice this when installing a driver file in Windows 7. Here is a free tool called ‘Driver Signature Enforcement Overrider’ that may help you to install digitally unsigned drivers by creating your own unverified certificates. This tool supports both 32- and 64-bit versions of Windows Vista and 7.

Procedure for using this tool: Download and run the tool. Enable ‘Enable Test Mode’ and click ‘Next’ button and follow the instruction (restart your system). Now enable ‘Sign a System File’ and select the driver file that you want to install. Repeat it if you have more than one. That’s all.


If for some reason you are interested to revert it, launch the application again, choose “Disable Test Mode” from the main menu, and restart your system. The tool is free and clean and use at your own risk

 
Earlier we had to disable the driver signature enforcement during the boot process manually or via ReadyDriver app, yes?
 
Yes earlier it was some boot options to be set/disabled...

I personally would not trust such a tool. Even if virus checkers do not report anything, the tool can easily be a trojan which transmits the digital certificate to a waiting hacker who can then send you malicious files which might get silently installed now that you have trusted the certificate which the hacker also uses to digitally sign the malicious code.

Once I get my hands on the Win 7 RC and if I face driver problems I might try manually performing similar steps like:

Generating your own self-signed digital certificate (maybe using OpenSSL) and installing it into Windows as a trusted publisher: Creating a Self-Signed Certificate using OpenSSL for use with Microsoft Internet Information Services (IIS) 5

Then using Microsoft's Authenticode signing tools to sign the driver packages so that they install without the OS complaining: Using Authenticode to Digitally Sign Driver Packages for Windows Server 2003 (doc link on the right).

These are just quick links I've not fully read them or tried out the steps... when I need to I'll try it...
 
yes you have to do it through boot process or edit boot file so it does it automatically each time you boot. I guess this little app does that for you.
 
No, this tool appears to be a little more sophisticated, where it looks like it generates a self-signed digital certificate and installs it into Windows as a trusted publisher, then it uses the certificate to sign the driver files you need so that Windows does not complain while installing since it's now a trusted and digitally signed/verified piece of code :)
 
I used this command on a friend's laptop last week - bcdedit /set loadoptions DDISABLE_INTEGRITY_CHECKS

But the app is always preferred.
 
^^ yes but there is a subtle difference. When you do the bcdedit of DDISABLE_INTEGRITY_CHECKS, you are disabling digital signing for everything, which I think is far more insecure. With this method, once the software has generated its own digital signature, you will choose only the specific programs you want to be signed and everything else will still be stopped by the OS.... I think there is a level of personal control with this. I have been playing with my G1 and there is an unsigned driver that is built from open source to access the phone and it has been annoying to keep hitting F8 at boot to change the menu options to disable digital signing. :P
 
Update:

While trying to play around with installing Hamachi, which wouldn't load on Win7, found the following links which may be useful if you want to try generating your own digital certificates and authenticode-signing any drivers yourself:

Decrypt my World : How to sign EXE files with an Authenticode certificate (VB.NET)

and:

Code Signing for Developers - An Authenticode How-To

Basic steps (I failed to get Hamachi to work though :)):

Tools are: makecert, signtool, pvk2pfx, cert2spc.

Create your own cert:

Code:
makecert.exe -sv mykey.pvk -n "CN=Acme Software Inc." mycert.cer

Make SPC (Software Publisher Cert):

Code:
cert2spc.exe mycert.cer mycert.spc

Sign the file(s):

Code:
pvk2pfx.exe -pvk mykey.pvk -pi <password> -spc mycert.spc -pfx mycert.pfx -po <password>

signtool.exe sign /f mycert.pfx /p <password> /t <timestamp URL> /v "<file to be signed>"

Sample timestamp URLs: (pick one)

Code:
- http://timestamp.verisign.com/scripts/timstamp.dll

- http://timestamp.globalsign.com/scripts/timstamp.dll

- http://timestamp.comodoca.com/authenticode

Checking the signed file:

Right click and select digital signature tab to view certificate.

You may need to install your .cer or .pfx which you generated into Trusted Publishers or Trusted Root Certificate store:

Run certmgr.msc and under Trusted Root Certs -> Certs right click and select All Tasks then click Import... and point it to your .cer or pfx...

I couldn't get it to work, will try again next time I face driver problems :)
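
An added example, not part of the original posts: a PowerShell audit for the two trust changes discussed in this thread. It reports whether the current boot entry has test signing or integrity checks switched off, and lists certificates in Trusted Publishers that are self-signed or also sit in Trusted Root. It assumes an elevated prompt and English-language bcdedit output; the function names are made up for this example.

```powershell
# Added example, not from the thread. Function names are hypothetical.
# Run from an elevated prompt: bcdedit requires administrator rights.

function Get-BootSigningFlags {
    param([string[]]$BcdLines)   # lines of "bcdedit /enum {current}" output
    $findings = @()
    foreach ($line in $BcdLines) {
        # Test mode, as switched on by the tool in the first post
        if ($line -match '^\s*testsigning\s+Yes\s*$')       { $findings += 'testsigning enabled' }
        if ($line -match '^\s*nointegritychecks\s+Yes\s*$') { $findings += 'nointegritychecks enabled' }
        # Also matches the DDISABLE_INTEGRITY_CHECKS spelling used in the thread
        if ($line -match '^\s*loadoptions\s+.*DISABLE_INTEGRITY_CHECKS') {
            $findings += 'loadoptions contains DISABLE_INTEGRITY_CHECKS'
        }
    }
    $findings
}

function Get-SuspectPublisherCerts {
    # Heuristic: a publisher certificate is normally issued by a CA, so one that
    # is self-signed, or that is also a trusted root, was most likely added by hand.
    foreach ($location in 'CurrentUser', 'LocalMachine') {
        $roots = @(Get-ChildItem "Cert:\$location\Root" | ForEach-Object { $_.Thumbprint })
        foreach ($cert in @(Get-ChildItem "Cert:\$location\TrustedPublisher")) {
            $selfSigned = $cert.Subject -eq $cert.Issuer
            $alsoRoot   = $roots -contains $cert.Thumbprint
            if ($selfSigned -or $alsoRoot) {
                New-Object PSObject -Property @{
                    Store      = "$location\TrustedPublisher"
                    Subject    = $cert.Subject
                    Thumbprint = $cert.Thumbprint
                    SelfSigned = $selfSigned
                    AlsoInRoot = $alsoRoot
                    NotAfter   = $cert.NotAfter
                }
            }
        }
    }
}

# Braces must be quoted, otherwise PowerShell parses {current} as a script block.
$bcd = & bcdedit.exe /enum '{current}'
$flags = @(Get-BootSigningFlags -BcdLines $bcd)
if ($flags.Count -eq 0) { 'Boot entry: signature enforcement settings are at default' } else { $flags }

Get-SuspectPublisherCerts | Format-Table Store, Subject, SelfSigned, AlsoInRoot, NotAfter -AutoSize
```

Any certificate the second function lists can sign code that Windows will then treat as coming from a trusted publisher, so each entry should be one you recognise and whose private key you control.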
 
vishalrao said:
While trying to play around with installing Hamachi, which wouldn't load on Win7, found the following links which may be useful if you want to try generating your own digital certificates and authenticode-signing any drivers yourself:

Basic steps (I failed to get Hamachi to work though :))

Ran into the same problem with Hamachi 0.9.9.9 and Win 7.

However I managed to get it to run using the tool mentioned in the original post.

Was too lazy to try your steps :P
 