Page 1 of 6
#1 [Tips+Discussion] Usage of "mod+signed" Drivers by Fernando 29.04.2015 00:23

avatar

Preliminary words:
Although I have modded a lot of drivers since 2003/2004, I didn't know for a very long time, that and how it is possible to give these modded drivers a specific digital signature, which is accepted by the latest Windows Operating Systems.
My ignorance regarding this point ended in April 2015, when our Forum member mrces2 started this thread with a complete and perfect guide about how to manually sign my modded drivers with a "Win-RAID CA" Certificate. Later on the Forum members e.v.o and Zwulf wrote scripts, which allowed me to sign the modded drivers automaticly by using a unique Win-RAID CA certificate.
Meanwhile there is no need anymore for me to read any guide about how to sign a modded driver, but the users need a guide about how to get them properly installed. That is why I have cleaned this thread, removed the dispensable signature guides and scripts and put all informations regarding the usage of the "mod+signed" drivers into the new start post.
This is the place to say "Thank you!" to mrces2, e.v.o and in particular Zwulf for their phantastic support. Without their help I wouldn't be able to offer my "mod+signed" drivers.

Advantages for the users:

  • All my "mod+signed" drivers can easily been installed even while running Win8/10 without disabling the "Driver Signature Enforcement".
  • The import of the certificate has only to be done once and not with each modded driver.

Advantage for me:
  • Due to the guides and scripts I got from mrces2, e.v.o and Zwulf it is very easy for me to offer all my modded drivers with a unique digital signature.



How to get modded drivers installed,
which are digitally signed by "Win-RAID CA"


I. Import of the Certificate to your personal system

To get full benefit from the driver's digital signature, it is necessary to import the related Certificate (here: the Win-RAID CA one) and to declare it as trustworthy.
Important: This procedure has to be done only once, but before you are trying to get the first "mod+signed" driver installed.

The import of the Certificate can be done in 3 different ways (but with the same result):
  • a) manually by using the "*.CAT" file of any driver, which has been signed by me, or
  • b) manually by using a file named "Win-RAID CA.cer" or
  • c) automaticly by using a script named "ImportCertificate.cmd" (built by Zwulf)
Note: To make it as easy as possible for you, I have added to all my "mod+signed" driverpacks a separate folder named "Win-RAID CA Certificate", where you can find the needed files for the options b) and c).

a) Here is a short guide for the .cat file method:
  • Right click onto a *.cat file of any mod+signed driver > "Properties" > "Digital Signatures" > Click onto "Win-RAID CA" > "Details" > "View Certificate" > "Install Certificate" > "Local Machine" >"Next" > "Yes" > "Place all certificates in the following store" > "Browse" > Select "Trusted Root Certification Authorities" > "Ok" > "Next" > "Finish" > "Ok"

b) The Win-RAID CA.cer file method is a little bit easier:
  • Double click onto the file named "Win-RAID CA.cer" > hit "Install Certificate..." > check "Local Computer" > "Ok" > choose "Place all certificates in the following store" > "Browse" > select "Trusted Root Certification Authorities" > "Next" > "Finish" > "Ok" > "Ok".

c) And here is the easiest way to import the Win-RAID CA certificate:
  • Thankfully our Forum member Zwulf has created for you a batch file script named ImportCertificate.cmd, which will import the Win-RAID CA certificate automaticly.
    This is the content of the CMD file (just for those, who are interested to know it):

    1
    2
    3
    4
    5
    6
    7
    8
    9
    10
    11
    12
    13
    14
    15
    16
    17
    18
    19
    20
    21
    22
    23
    24
    25
    26
    27
    28
    29
    30
    31
    32
    33
    34
    35
    36
    37
    38
    39
    40
    41
    42
    43
    44
    45
    46
    47
    48
    49
    50
    51
    52
    53
    54
    55
    56
    57
    58
    59
    60
    61
    62
    63
    64
    65
    66
    67
    68
    69
    70
    71
    72
    73
    74
    75
    76
    77
    78
    79
    80
    81
    82
    83
    84
    85
    86
    87
    88
    89
     
    echo off &TITLE Win-RAID CA.cer install script
    :WELCOME
    cls
    echo.
    echo This will install the "Win-RAID CA.cer" as Trusted Root and Trusted Publisher Certificate.
    echo.
    set /P "START=Continue? (y/n): "
     
    if '%START%' equ 'y' goto WORK
    if '%START%' equ 'n' exit /B
    goto WELCOME
     
    :WORK
    if not exist "%SYSTEMROOT%\System32\certutil.exe" goto CERTUTIL_NOT_FOUND
    set "CA=%tmp%\Win-RAID CA.cer"
    cls
    echo ***************************************************************************
    echo Creating 'Win-RAID CA.cer'
    echo ***************************************************************************
    echo.
    :: extract certificat informations into tmp file
    echo -----BEGIN CERTIFICATE----- > "%CA%.txt"
    echo MIIGhzCCBG+gAwIBAgIQ5/ExbCzfI71GlXVExEmkNDANBgkqhkiG9w0BAQsFADCB>> "%CA%.txt"
    echo lTElMCMGCSqGSIb3DQEJARYWZmVybmFuZG8udW5vQGdtYWlsLmNvbTELMAkGA1UE>> "%CA%.txt"
    echo BhMCREUxCzAJBgNVBAgTAk5JMQ4wDAYDVQQHEwVKZXZlcjEZMBcGA1UEChMQd3d3>> "%CA%.txt"
    echo Lndpbi1yYWlkLmNvbTERMA8GA1UECxMIRmVybmFuZG8xFDASBgNVBAMTC1dpbi1S>> "%CA%.txt"
    echo QUlEIENBMB4XDTE1MTAyNTE4NTMyMloXDTM5MTIzMTIzNTk1OVowgZUxJTAjBgkq>> "%CA%.txt"
    echo hkiG9w0BCQEWFmZlcm5hbmRvLnVub0BnbWFpbC5jb20xCzAJBgNVBAYTAkRFMQsw>> "%CA%.txt"
    echo CQYDVQQIEwJOSTEOMAwGA1UEBxMFSmV2ZXIxGTAXBgNVBAoTEHd3dy53aW4tcmFp>> "%CA%.txt"
    echo ZC5jb20xETAPBgNVBAsTCEZlcm5hbmRvMRQwEgYDVQQDEwtXaW4tUkFJRCBDQTCC>> "%CA%.txt"
    echo AiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBANnjNZ0a7ultPdOGQOaEcd2h>> "%CA%.txt"
    echo UImcX0685LMsVWei9gk3rpmLy2Sl7BxqeufC5EogXD9LZ1z4WE6Tw3NBUhgt0XrP>> "%CA%.txt"
    echo ZWyfCNCUSfcvcV1dVux53LI+ySyUp2AcavHY8sbdhn7/jwHdkgTd3/xE+cn+U+2a>> "%CA%.txt"
    echo 7X6Y0zQU7Sy8Up75ls7kq+rp61XfmntWIsGrtJbs09Bt3CYVo7SA57jHDJNGkuSV>> "%CA%.txt"
    echo UwDNgUycuRiZT8qnarph0D3RamCpHYyEPnX87t0nRFbdRFMjI5JhBYuD/UE+2PXi>> "%CA%.txt"
    echo 4+f2epX52VlpgqZn650kcTEmdl2sS+itxjQZpg1phRLrvYJHjShhNXYJZrq+WU1R>> "%CA%.txt"
    echo ZdGOhH0cLz3yoAzW0JKwhOy8HgAjU1EkLcRYLtG6jl46BB6mEM8GXQXdogi9b+ul>> "%CA%.txt"
    echo 6J1Pu6v7DvXY+CyJTHTX797DBdcSL/VWH9sA9cZ/ogLwu65BpD/m5ZhjpovX0AS4>> "%CA%.txt"
    echo cI74ChYV0lXUhvWQ1KX5hBI4pPFjPZY+j3X5oagg7ERk2XVYdUBkwO8YAnF9O2lI>> "%CA%.txt"
    echo s3r0KpZBTp5lvK+EdTp51VlK7LbMQQwwGMDOBGH6JHru7FR6f45a/1nKhcoNU689>> "%CA%.txt"
    echo 0EQ9U/1vnOdiU3NVJC+DqtO9b1zvpDlwQUq075a4YizUQA4yj27biJH5dOERipGM>> "%CA%.txt"
    echo s8BYrAZSh8m0Om/+/UmhAgMBAAGjgdAwgc0wgcoGA1UdAQSBwjCBv4AQ1POGTxms>> "%CA%.txt"
    echo M91sp2WJs2oeOqGBmDCBlTElMCMGCSqGSIb3DQEJARYWZmVybmFuZG8udW5vQGdt>> "%CA%.txt"
    echo YWlsLmNvbTELMAkGA1UEBhMCREUxCzAJBgNVBAgTAk5JMQ4wDAYDVQQHEwVKZXZl>> "%CA%.txt"
    echo cjEZMBcGA1UEChMQd3d3Lndpbi1yYWlkLmNvbTERMA8GA1UECxMIRmVybmFuZG8x>> "%CA%.txt"
    echo FDASBgNVBAMTC1dpbi1SQUlEIENBghDn8TFsLN8jvUaVdUTESaQ0MA0GCSqGSIb3>> "%CA%.txt"
    echo DQEBCwUAA4ICAQDHTjgYnmRoQazjtYUXvlVzMDQ+81PN+Wfxe6HYJC2gUGJMFaeJ>> "%CA%.txt"
    echo 43kkZPDgy7FAhmqxGTciUK42qRmYmE9cRtvBx/PI+VmtmNAhu3xaJHdFDZsyz6Ac>> "%CA%.txt"
    echo 3j/3+HuA63MhXjEeO+XRBplYtg0xDJh8L7jFqLtMSUpET7mRA2i5ltOOv7eOrZcJ>> "%CA%.txt"
    echo KGJHLqeGBlQOUyp2XVRO3Atg8H5E9Lr94VCAsN9eMyKkzI//iJLQm89FokjS9Qeo>> "%CA%.txt"
    echo bDivRVZKqbcXx0RVSczmU/zAiVk87GEToJQyaKjp9KtOLyGNlEyb1WBb9CZUopaU>> "%CA%.txt"
    echo H9b5qYmNJXR8lcmO2aGP61ssp1mQxWi+l9Ru8TKu32uGIazU34X3J8MUapkONLIj>> "%CA%.txt"
    echo zboPzituAXyNQ0I6EHhw+RuAWpKhHSTpCzoONS38OJckhHtQImcMB75WUuxZO6LQ>> "%CA%.txt"
    echo 1r2L6FrNAnHONSDPsOrYlowlE3qv6rCsKCgYKJEho8OlumLyUer6OYF/ujvmBnxy>> "%CA%.txt"
    echo MMIjb8E9leWSexhIa4MipFWJ6JEoF/3TSg5uvUSBmwnVtC4rpuJyLIzIAAIA7I2W>> "%CA%.txt"
    echo mkFzt1d8bScgw0aZmgFylOlfs6UG8wFByDqOxrIMMqgs0Uia06wzIWqXhU4UnaII>> "%CA%.txt"
    echo 45UIXDc15FPanGjxbrP67bV92l7vpLzsyzxccVnADB6fK/F/EGByZiUAXA== >> "%CA%.txt"
    echo -----END CERTIFICATE----- >> "%CA%.txt"
     
    :: create Win-RAID CA.cer and delete tmp file
    call %SYSTEMROOT%\System32\certutil.exe -decode "%CA%.txt" "%CA%"
    call del /F "%CA%.txt"
    echo. &echo.
     
    echo ***************************************************************************
    echo Installing 'Win-RAID CA.cer' as Trusted Root Certificate
    echo ***************************************************************************
    echo.
    call %SYSTEMROOT%\System32\certutil.exe -f -addstore "Root" "%CA%"
    echo. &echo.
     
    echo ***************************************************************************
    echo Installing 'Win-RAID CA.cer' as Trusted Publisher Certificate
    echo ***************************************************************************
    echo.
    call %SYSTEMROOT%\System32\certutil.exe -f -addstore "TrustedPublisher" "%CA%"
    echo. &echo.
    call del /f "%CA%"
    @pause
    exit /B
     
    :CERTUTIL_NOT_FOUND
    cls
    echo.
    echo Failure: Windows tool "Certutil.exe" not found.
    echo Certificate couldn't be installed.
    echo.
    @pause
    exit /B
     

    Usage: Right click onto the CMD file > "Run as Administrator" > Enter "y" (for Yes!), when prompted - That's all!
    New since Win10 v1703 ("Creators Update"): Due to Microsoft's new security features the easiest option to get the Certificate imported doesn't work anymore.
    This is the new way how to do it:
    1. Create a folder named "Certificate" within the system drive (= drive C:) and copy the 2 files of the folder "Win-RAID CA Certificate" into it.
    2. Right-click onto the start button ad choose the option "Windows PowerShell (Admin)".
    3. Write "cd C:\Certificate" and hit the "Enter" key.
    4. Write ".\ImportCertificate.cmd" (don't forget the dot and the backslash in front of the command!) and hit the "Enter" key again.
    5. Enter "y" (for "Yes!"), when prompted - thats all!


II. Installation of "pure" drivers (incl. the "mod+signed" ones)

The installation of any "pure" driverpack (containing visible *.inf, *.sys and *.cat files) can either be done
  • a) from within the Device Manager (usual method) or
  • b) from within the Command Prompt by using a special MS tool named DPInst.exe (method for advanced users).

A. Installation via Device Manager:
This is the way how to get any "mod+signed" driver properly installed (precondition: the Win-RAID CA certificate had already been successfully imported):
  1. Run the Device Manager and expand the section, where the related device is listed, whose driver you want to change/update. If you are unsure, which one of the listed devices is your candidate for a driver update, you should check the HardwareIDs.
  2. Right click onto the device, whose driver you want to install or update > "Update Driver Software..." > "Browse my Computer..."
  3. The next steps depend on the date, compatibility and digital signature of the driver you want to get installed:
    • a) "normal" driver installation (desired driver is newer, fully compatible and digitally signed by a trustworthy Certificate):
      > "Browse" > navigate to the root of the folder, which contains the needed extracted files (*.CAT, *.INF and *.SYS) of the desired driver > "OK"
      The OS Hardware Management will find the suitable driver files by its own (even from within any sub-folder).
    • b) "forced" driver installation (pre-condition: the driver is compatible with the related device):
      > "Let me pick ..." > "Have Disk" > navigate to the folder, which contains the needed files (*.CAT, *.INF and *.SYS) > double click onto the suitable *.INF file > "OK"

B. Installation via DPInst.exe:
Precondition for this method is the availability of a tool named DPInst.exe, which is part of the OS specific Microsoft application named "Windows Driver Kit" (WDK.EXE).
Example: The "Windows 10 Driver Kit" can be downloaded from >here<.
Tip: Since only the small 32/64bit tool named DPInst is required, you can store just this file somewhere for any later usage without the need to reinstall the complete WDK Set.
Our Forum member Zwulf has written a short guide, which will make the usage of the DPInst tool much easier for you:
  1. Open the "Command prompt" with Admin rights and navigate to the folder, which contains the suitable 32/64bit DPInst.exe file:

    1
     
    cd %PROGRAMFILES(X86)%\Windows Kits\10\redist\DIFx\dpinst\MultiLin\<x86|x64>
     

    Note: This is the standard path after having installed the complete "Windows Driver Kit". If you have stored the previously extracted DPInst.exe somewhere else, the path has to be customized.

  2. Install all needed driver files from your specific <DriverPath> (the exact path has to be edited) by running this command:

    1
     
    dpinst.exe /q /sa /f /path "<DriverPath>"
     

    The installation will be forced, even if a "better" driver is allready installed. The automated uninstaller creation is suppressed.

  3. Tip: The command line parameters are explained >here<.

Valid for both Driver Installation Methods:
Important; Although the driver (hopefully) has been successfully installed, it will not be used until the next (re-)boot.


III. Result

This is what you will see (using your OS language) after having successfully installed any driver, which has been "mod+signed" by me:



Credits go to:
  • mrces2 for his perfect manual guide about how to digitally sign the drivers
  • Zwulf for his phantastic scripts and his continuous help
  • e.v.o for his tests and scripts
  • zt3 for his useful tips

#2 RE:[Tips+Discussion] Use of Drivers mod+signed by Win-RAID CA by Tito 29.04.2015 18:06

@Fernando

Hi, its me again! You need to distribute the certs as well, otherwise the drivers will be considered as not digitally signed on another PCs.

#3 RE:[Tips+Discussion] Use of Drivers mod+signed by Win-RAID CA by mrces2 29.04.2015 19:21

To all fellow members, be my guests anytime.
As I was assisted, so I offered my two pence in return as well.

Let's keep overhauling!

#4 RE:[Tips+Discussion] Use of Drivers mod+signed by Win-RAID CA by Fernando 29.04.2015 20:23

avatar

Zitat von Tito im Beitrag #338
You need to distribute the certs as well, otherwise the drivers will be considered as not digitally signed on another PCs.
How can I distribute the certificates?
I have no idea.

#5 RE:[Tips+Discussion] Use of Drivers mod+signed by Win-RAID CA by mrces2 29.04.2015 23:52

Zitat
How can I distribute the certificates?
I have no idea.



You can try to export the certificate and save it in the same folder as the driver for others to install it beforehand.
I have tried to load the signed drivers during Windows installation and, since the certificate is not yet stored in the OS, it cannot be verified.
I see no problem in using M$ Standard Driver just for installing the system and then properly updating. This is "healthier", in fact.

Regarding feedback for RST 13.6.2.1001, I have installed the OS and updated the driver as mentioned above.
So far the performance is unparalleled by any other previous version.

#6 RE:[Tips+Discussion] Use of Drivers mod+signed by Win-RAID CA by Fernando 30.04.2015 01:40

avatar

Zitat von mrces2 im Beitrag #341
You can try to export the certificate and save it in the same folder as the driver for others to install it beforehand.
This is what I have done now.
All driverpacks dated 04/30/2015 contain an additional file with the signature certificate.

#7 RE:[Tips+Discussion] Use of Drivers mod+signed by Win-RAID CA by ole258 03.05.2015 16:02

Hello Dieter,

I want to use ">64bit Intel RSTe AHCI & RAID drivers v14.0.0.1095 mod & signed by Fernando<" on Win8.1.
For me the driver's doesn't work, because they are not dig. signed as provided!

Any idea?

#8 RE:[Tips+Discussion] Use of Drivers mod+signed by Win-RAID CA by Fernando 03.05.2015 20:07

avatar

Zitat von ole258 im Beitrag #349
I want to use ">64bit Intel RSTe AHCI & RAID drivers v14.0.0.1095 mod & signed by Fernando<" on Win8.1.
For me the driver's doesn't work, because they are not dig. signed as provided!
Any idea?
Not really. Have you already tried to import the digital signature certificate, which I have added to the driverpack?

#9 RE:[Tips+Discussion] Use of Drivers mod+signed by Win-RAID CA by zt3 23.08.2015 00:11

Today i was playing around with this driver because since i installed Windows 10 and switched to UEFI it showed up with an yellow mark in the device manager.
And, i finally managed to install it. What you need to do is to install the Certificate so it can recognize the signature when you load the driver from Device Manager.

To install the Certificate, do the following:
- Right click on the file Driver Signature Certificate.cer > Install Certificate > Open > Local Machine > Place all certificates in the following store > Select Trusted Root Certification Authorities > Ok > Finish

Problem solved.

#10 RE:[Tips+Discussion] Use of Drivers mod+signed by Win-RAID CA by Fernando 23.08.2015 13:21

avatar

@ zt3:
Thank you very much for your very useful guide regarding the import of the "Driver Signature Certificate.

Today I have tested it while running Win10 x64, but the update from the original Intel Smart Connect Technology Driver v1.0.8.0 WHQL to the modded and signed v1.1.0.0 failed at first try.
Although the import itself had been successful, the Win10 hardware management didn't do the desired update (not even by using the "Have Disk" option) and gave me the message, that a problem occured during the update.
After a while I tried the update again (without repeating the import of the "Driver Signature Certificate") by just using the option "Update Diver Software..." > "Browse my computer..." > "Browse" and navigating to the related INF file. Then I got a pop-up window, where I was asked, whether I trust the digital signature of "Win-RAID CA". After having checked the option "I always trust this signature" and clicked onto the "Yes" button, the modded driver has been successfully installed. Look here:

Question:
Do you know why the installation of the modded and signed driver failed at first try?

#11 RE:[Tips+Discussion] Use of Drivers mod+signed by Win-RAID CA by zt3 23.08.2015 18:06

@Fernando

Good question, i was wondering that too because it also happened to me. It went from "This driver isn't digital signed" to "This driver has a signature" but as you said when click next it gave an error anyways. I don't know for sure why this happened and since i tested other things before that i got even more confused. Even after the successful installation i reverted the driver a couple of times to test it again but now it installs everytime, probably because of that popup you also talked about, typical lan popup, asking if i wanted to install the driver and whether I wanted to trust the digital signature of "Win-RAID CA" which i just clicked next.

After this driver i tried your Intel's modded one and i just did the "install certificate". I think once you press next on that "trust popup" with the option to trust Win-RAID CA" checked you won't get any more problems because the Intel's one installed in the first try without giving that error.

#12 RE:[Tips+Discussion] Use of Drivers mod+signed by Win-RAID CA by Fernando 23.08.2015 18:24

avatar

@ zt3:
Thanks for your quick reply.
So we obviously had the same problem while trying to get the digital signature accepted by Win10.
Nevertheless I would still like to know, what exactly has to be done to prevent the failure at first try (many users will give up the installation at this point). If you should ever find it out, please let me know it.

Zitat von zt3 im Beitrag #8
After this driver i tried your Intel's modded one and i just did the "install certificate". I think once you press next on that "trust popup" with the option to trust Win-RAID CA" checked you won't get any more problems because the Intel's one installed in the first try without giving that error.
Yes, this seems to be a big advantage for users, who are going to install more often any of my modded & signed drivers: Once the digital signature from "Win-RAID CA" is accepted, all these modded and signed drivers will be installed similar to a WHQL certified driver.

#13 RE:[Tips+Discussion] Use of Drivers mod+signed by Win-RAID CA by e.v.o 23.08.2015 18:29

avatar

Which signed driver package can i try for testing the certificate? There must be a no-brainer solution. I am willing to help and try find a solution.

#14 RE:[Tips+Discussion] Use of Drivers mod+signed by Win-RAID CA by Fernando 23.08.2015 18:38

avatar

Zitat von e.v.o im Beitrag #10
Which signed driver package can i try for testing the certificate?
You can try any of my modded drivers, which I am offering as "mod and signed".
Here are some examples:
1. Intel Smart Connect Technology driver v1.1.0.0. (look into the start post)
2. several Intel USB 3.0 drivers (look >here<)
3. several Intel RST drivers (look >here<)

#15 RE:[Tips+Discussion] Use of Drivers mod+signed by Win-RAID CA by zt3 23.08.2015 19:09

@Fernando

Yep, that was strange indeed but as you said it installed right after, BUT i'd also like to know why it didn't in the first place. I can't do more tests here because i clicked install when the "trust popup" appeared with the option to always trust your certificate checked and so it now installs everytime.

Although and sorry if this is getting a bit off topic but i just tried again your Intel's modded driver on a laptop (it doesn't have Intel Smart Connect Technology and i never used it before to install these certificates) that i have here at home following the steps i mentioned above (installing the certificate) and it installed without giving any error in the first place. The problem seems to reside on this particular driver.

It fails at the frist time but for some reason after a few tries it works good, weird.

Xobor Forum Software von Xobor
Datenschutz