How to Silently Install Unsigned Drivers on Windows Vista Using Authenticode and DpInst
Microsoft Windows Vista does not permit the silent installation of unsigned drivers. This is a good thing, unless of course you've been provided with a third party device driver that hasn't been signed, and you need to silently deploy that driver to multiple computers. Fortunately it is possible to work around this issue by using Authenticode to digitally sign a driver package.
The first step is to acquire the necessary tools. You will need the following from the Windows Server 2003 SP1 Platform SDK (installed under C:\Program Files\Microsoft Platform SDK\Bin):
- makecert.exe
- cert2spc.exe
- pvk2pfx.exe
- certmgr.exe
- signtool.exe
You will also need inf2cat.exe (installed under C:\WinDDK\7600.16385.0\bin\selfsign) and dpinst.exe (installed under C:\WinDDK\7600.16385.0\redist\DIFx\dpinst\EngMui\x86) from the Windows Driver Kit.
To make life a little easier, I've zipped up all of these tools into a handy bundle which you can download.
With the tools in place, generate your own Authenticode signing certificate using the following commands (replacing all instances of company with an appropriate identifier, and all instances of password with a suitable password).
makecert.exe -r -sv company.pvk -n "CN=Company" company.cer
This command uses makecert.exe to create a self-signed certificate with a CN of Company. You will be prompted to set the password (let's set it to password) of a newly created private key store if none exists.
Next we use cert2spc.exe to create a software publisher certificate:
cert2spc.exe company.cer company.spc
Finally we use pvk2pfx.exe to copy the public and private key information from the pvk and spc files into a Personal Information Exchange (pfx) file (where ^ is used as a line continuation character):
pvk2pfx.exe -pvk company.pvk -pi password ^
    -spc company.spc -pfx company.pfx -po password
Now, let's assume that the driver package you need to install is for the Avision AV210C2 scanner, and that you've downloaded the drivers into the folder C:\Temp\AV210C2. The next step is to confirm that the CatalogFile and DriverVer properties within the driver inf file are correct. In the case of the AV210C2 scanner, the inf file is named AV210C2.inf, the CatalogFile property was set to AV220.cat (but commented out), and the DriverVer property was set to 05/10/2002. These two properties are critical to the success of the project. Firstly, we need to uncomment the CatalogFile property, and secondly, we need to adjust the DriverVer date to later than 04/01/2006 (a requirement for Windows Vista).
The next step is to generate a catalog file for the driver package. We do this by using inf2cat.exe as follows:
inf2cat.exe /driver:"C:\Temp\AV210c2" /os:Vista_X86 /verbose
Having now created the .cat file, we need to sign it using the command shown below. As stated previously, change company and password as appropriate.
signtool.exe sign /f company.pfx /p password ^
    /t http://timestamp.verisign.com/scripts/timstamp.dll ^
    /v C:\Temp\AV210C2\AV220.cat
Here http://timestamp.verisign.com/scripts/timstamp.dll is a public timestamp service URL, and AV220.cat is the name of the catalog file previously generated.
That's it. We now have a signed driver package. However, our signing certificate is private, and not yet trusted by the operating system. To trust the certificate on a single computer, use certmgr.exe as shown below:
certmgr.exe -add "company.cer" -s -r localMachine ROOT
certmgr.exe -add "company.cer" -s -r localMachine TRUSTEDPUBLISHER
If you intend to deploy the device driver across an enterprise, it would probably make more sense to distribute the certificate via group policy. Using the Group Policy Management Console, open an existing domain-wide policy, expand Computer Configuration, Windows Settings, Security Settings, Public Key Policies, Trusted Root Certification Authorities, and import the certificate named company.cer. Also import the certificate in the Trusted Publishers container. The certificate will now be pushed out to all computers across the organization.
Now all that remains is for us to silently install the newly signed driver package. For this we will use dpinst.exe as shown below:
dpinst /PATH C:\Temp\AV210c2\. /A /F /SA /S
After running the above command, a user can log onto a computer, connect, and then use an Avision AV210C2 scanner without being prompted to supply administrative credentials. Sweet.
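The two [Version] edits this procedure depends on (uncommenting CatalogFile and moving DriverVer past 04/01/2006) are easy to get wrong by hand across several packages, so here is an added Python helper that checks and applies them before inf2cat runs. It is example code, not part of the original post; the INF text is constructed to mirror the AV210C2.inf described above, and the fix_version_section name and its new_date parameter are my own.

```python
import re
from datetime import date
# Vista only honours the catalog signature if DriverVer is later than this date.
VISTA_MIN_DRIVERVER = date(2006, 4, 1)
DRIVERVER_RE = re.compile(r"(\d{2})/(\d{2})/(\d{4})(,.*)?$")

# Constructed sample modelled on the AV210C2.inf the article describes:
# CatalogFile commented out and a DriverVer older than Vista requires.
SAMPLE_INF = """[Version]
Signature="$Windows NT$"
Class=Image
;CatalogFile=AV220.cat
DriverVer=05/10/2002,1.0.0.1

[Manufacturer]
%MFG%=Avision
"""

def parse_driverver(value):
    """'mm/dd/yyyy[,version]' (US date order, as INF requires) -> (date, suffix)."""
    m = DRIVERVER_RE.match(value.strip())
    if not m:
        raise ValueError("malformed DriverVer: %r" % value)
    return date(int(m.group(3)), int(m.group(1)), int(m.group(2))), m.group(4) or ""

def fix_version_section(inf_text, new_date):
    """Return (fixed_inf, report): CatalogFile uncommented, DriverVer re-dated if too old."""
    lines = inf_text.splitlines()
    report = {"catalog": None, "uncommented": False, "redated": False}
    in_version = False
    for i, raw in enumerate(lines):
        s = raw.strip()
        if s.startswith("["):                      # section header: only [Version] matters
            in_version = s.lower() == "[version]"
            continue
        if not in_version or not s:
            continue
        key, _, value = s.lstrip(";").partition("=")
        key = key.strip().lower()
        if key == "catalogfile":                   # must be active for inf2cat to emit a .cat
            report["catalog"] = value.strip()
            if s.startswith(";"):
                lines[i] = "CatalogFile=" + value.strip()
                report["uncommented"] = True
        elif key == "driverver" and not s.startswith(";"):
            stamped, suffix = parse_driverver(value)
            if stamped <= VISTA_MIN_DRIVERVER:     # Vista rejects older packages
                lines[i] = "DriverVer=" + new_date.strftime("%m/%d/%Y") + suffix
                report["redated"] = True
    return "\n".join(lines) + "\n", report
```

Run it over each package's inf before inf2cat; a second pass on the fixed text should report nothing left to change.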
The Mob Hath Spoken
Sreekanth Ithigani:
Excellent piece of information.. kudos for sharing this!!