these are the fastest dpc deferred procedure call cpu latency windows dvd .iso's i have ever tested and have desperately tried to update them to receive sh-2 , sha-256 encryption including taking all the certs from working windows 7 7600 sp1 updated discs i find like oprekin or archiveORG stuff and winBeta collections. i have made some progress and am making a list of the order of updates which were successful that i will edit this post with later, all dotnet and stuff works fine with the use of many tricks but nothing has really worked since it seems they need sp1 and that requires a nontest windows or nonprelease i have found out so far. but the main problem is a trusted root chain termination which prevents the kb12345 updates with a certificate chain terminated in an untrusted root and trust me i have updated them. other errors are like this update does not apply to your computer, etc. i am a noob to ntlite this is my introductory post which i must say that i post videos about the tips and tweaks, now integrating into windows install discs myself 'to stop the built-in windows viruses before they start' on YT channel: indicator27
Sounds very interesting.
I can't find your YouTube channel BTW.
This is obviously a spam account now. His real channel is ummm OFF-TOPIC.
if this was a spam account i wouldnt be using a level 2 password. anways, so you think you could even assess the value of 20 different 12 hour videos at just a glance? i designed it this way so the lazy will never know the secrets of the trade, there are no scripts made for DCOM (it needs heavy regedits with helge klein's setACL.exe which is what tampers with cpu usage, and as a QUAKE player im on a quest for performance, take it seriously, and cringe when i read about the particular builds being described for their 'appearances and themes'. anway it was just a shot in the dark that someone would post in experience about these three builds and other things i am looking for are winxp ryzen usb3 drivers, for now. so you didnt know windows 8 7700 was still the 6.1 kernel? its the fastest win7 ever made... 
George King
Active Member
XP have ported Generic USB3.x drivers from Windows 8.0if this was a spam account i wouldnt be using a level 2 password. anways, so you think you could even assess the value of 20 different 12 hour videos at just a glance? i designed it this way so the lazy will never know the secrets of the trade, there are no scripts made for DCOM (it needs heavy regedits with helge klein's setACL.exe which is what tampers with cpu usage, and as a QUAKE player im on a quest for performance, take it seriously, and cringe when i read about the particular builds being described for their 'appearances and themes'. anway it was just a shot in the dark that someone would post in experience about these three builds and other things i am looking for are winxp ryzen usb3 drivers, for now. so you didnt know windows 8 7700 was still the 6.1 kernel? its the fastest win7 ever made...
As always, those crazy experts on win-raid.com are so far ahead...
[Solution] Win7/8.1 Drivers for USB 3.0/3.1 Controllers of new AMD Chipset Systems
[Solution] Win7/8.1 Drivers for USB 3.0/3.1 Controllers of new AMD Chipset Systems
how about the error for cant access file or folder on ntlite is this resolved by TAKEOWN /f c:\ntlite /r /d y
as well as on the iso's extracted folder? i have used it before , im on the new version now, with no errors, but now on the newest version as well as the last one before this, 2208160, and this 230833 have noticed this error i believe i actually opened the old one when i had the error and it worked.
garlin, and those are the drivers i use for win7 flawlessly i have not tried them on xp with my ryzen .. do they work? i didnt think to try them and kept looking at other threads and forums for the answer i have read most of the 300 page threads there completely...
ps: i also getting a %userprofile%\appdata\local\temp not enough space, as i have perfectly set my partitions 13751mb for windows 7 minimum, but my enviroment variables %TEMP% %TMP% in sysdm.cpl are set to a big drive, and im working with the iso on a big drive which makes no sense right now
i also got cannot create image when image file already exist trying to load up the wim, but it completed 100% then failed mind you on another program loaded it fine, i click erase temp out of options and reload ...
heres the fix for that if anyone run into it and has another drive which has more space... on windows 7...
rd /s %userprofile%\appdata\local\temp
mklink /j C:\Users\You\appdata\local\temp D:\Tmp
then i set also again the actual folder d:\t in my case and them wim scratch dir to d:\wim7 and i got it working just now, anways so im hitting 6.1.7700 with a lot of 6.1.7601 patches which is all u ever see people use, so there is a reason people have 5-6 ntlite logs because they cant get them all, and i want to find out more about why, how, and be able to fix it based on dismlog so far i have identified a few errors that made another app i tried skip a lot of patches and updates. some files i believe are not there which a normal windows has since this is a pre-release. i believe the key is unlocking the ability to patch it to sp1, but im working out of some silly 'image update.zip' .msu-containing folder which supposedly had most of the sha-2 specific updates if not all. on another note i once clicked my entire drive and it searched it all for every update and i believe i burned that dvd but ran into errors with my early setupcomplete.bat attempts. which it was not processing whatsoever and updates i had inserted into c:\windows\installer did not process either, tho i had been messing with editions, drivers, and features instead of components/updates, which i now know can mess up patches. so i have to find out which ones can run on the wim offline, before installing, and i have had some success in audit mode with about 2 or 3 of the 50 or so i have to use for win 7. mostly package not applicable errors. this wim in the screenshots has been edited with maybe one successful out of the 50 packages, which i do know can also prevent success as ntilite prefers a clean wim, but this is all just a test and i dont know if i even have a blank dvd but i will create a partition and try it today
things found in dismlog not trying hotpatching because root package is not hot-patch aware kb3021917, detect parent package 3021917 disposition state from detectparent: absent -- no parent found, go absent, where it refers to entities that can be found in regeit Component Based Servicing pendingupdates packagesdetect packageindex, etc as well as some stuff in CBS which the pending refers to in the windows folder, which i have copied over at one point and all that i could find and still was not able to update and even if it had the right files in the system32 folder or winsxs folder i dont know if it can even run proper with, what i hope anyone here has encountered, gimped certificates in certmgr.msc that expire the day before they are valid, surely set by the testlab devs, and i had replaced them all and tried but was only running .msu's on audit mode from the explorer desktop, not offline .wim updating. i have also tried this from multiple different windows desktops ive installed to various drives editing various .iso because i also know dism.exe works best if you are editing a .wim of the same type or kind, so there may be and error there and i also have zero experience with boot.wim, can i just take one off someone else's .iso? funnily enough this process made the iso down back to 2.8gb when it was 2.9 after running a few of my own dism's with another app. should i just keep reopening the image and trying to apply all the patches again and again? thats what i did with the other one and i cant confirm but think it took a few times before the image size changed from its original... so what do i really need to do go in audit mode, do some more updates, export a wim 'from the os im on' and take that back to ntlite? heres my imgur with 22 screenshots of my progress so far with the two ntlite and dism log in the first image descripton imgur()com/a/v4q8iFs
drive()google()com/drive/folders/1t0c6eaNVzK1vCFgIw9Eeofzq2m02Nhnr?usp=sharing
as well as on the iso's extracted folder? i have used it before , im on the new version now, with no errors, but now on the newest version as well as the last one before this, 2208160, and this 230833 have noticed this error i believe i actually opened the old one when i had the error and it worked.
garlin, and those are the drivers i use for win7 flawlessly i have not tried them on xp with my ryzen .. do they work? i didnt think to try them and kept looking at other threads and forums for the answer i have read most of the 300 page threads there completely...
ps: i also getting a %userprofile%\appdata\local\temp not enough space, as i have perfectly set my partitions 13751mb for windows 7 minimum, but my enviroment variables %TEMP% %TMP% in sysdm.cpl are set to a big drive, and im working with the iso on a big drive which makes no sense right now
i also got cannot create image when image file already exist trying to load up the wim, but it completed 100% then failed mind you on another program loaded it fine, i click erase temp out of options and reload ...
heres the fix for that if anyone run into it and has another drive which has more space... on windows 7...
rd /s %userprofile%\appdata\local\temp
mklink /j C:\Users\You\appdata\local\temp D:\Tmp
then i set also again the actual folder d:\t in my case and them wim scratch dir to d:\wim7 and i got it working just now, anways so im hitting 6.1.7700 with a lot of 6.1.7601 patches which is all u ever see people use, so there is a reason people have 5-6 ntlite logs because they cant get them all, and i want to find out more about why, how, and be able to fix it based on dismlog so far i have identified a few errors that made another app i tried skip a lot of patches and updates. some files i believe are not there which a normal windows has since this is a pre-release. i believe the key is unlocking the ability to patch it to sp1, but im working out of some silly 'image update.zip' .msu-containing folder which supposedly had most of the sha-2 specific updates if not all. on another note i once clicked my entire drive and it searched it all for every update and i believe i burned that dvd but ran into errors with my early setupcomplete.bat attempts. which it was not processing whatsoever and updates i had inserted into c:\windows\installer did not process either, tho i had been messing with editions, drivers, and features instead of components/updates, which i now know can mess up patches. so i have to find out which ones can run on the wim offline, before installing, and i have had some success in audit mode with about 2 or 3 of the 50 or so i have to use for win 7. mostly package not applicable errors. this wim in the screenshots has been edited with maybe one successful out of the 50 packages, which i do know can also prevent success as ntilite prefers a clean wim, but this is all just a test and i dont know if i even have a blank dvd but i will create a partition and try it today
things found in dismlog not trying hotpatching because root package is not hot-patch aware kb3021917, detect parent package 3021917 disposition state from detectparent: absent -- no parent found, go absent, where it refers to entities that can be found in regeit Component Based Servicing pendingupdates packagesdetect packageindex, etc as well as some stuff in CBS which the pending refers to in the windows folder, which i have copied over at one point and all that i could find and still was not able to update and even if it had the right files in the system32 folder or winsxs folder i dont know if it can even run proper with, what i hope anyone here has encountered, gimped certificates in certmgr.msc that expire the day before they are valid, surely set by the testlab devs, and i had replaced them all and tried but was only running .msu's on audit mode from the explorer desktop, not offline .wim updating. i have also tried this from multiple different windows desktops ive installed to various drives editing various .iso because i also know dism.exe works best if you are editing a .wim of the same type or kind, so there may be and error there and i also have zero experience with boot.wim, can i just take one off someone else's .iso? funnily enough this process made the iso down back to 2.8gb when it was 2.9 after running a few of my own dism's with another app. should i just keep reopening the image and trying to apply all the patches again and again? thats what i did with the other one and i cant confirm but think it took a few times before the image size changed from its original... so what do i really need to do go in audit mode, do some more updates, export a wim 'from the os im on' and take that back to ntlite? heres my imgur with 22 screenshots of my progress so far with the two ntlite and dism log in the first image descripton imgur()com/a/v4q8iFs
drive()google()com/drive/folders/1t0c6eaNVzK1vCFgIw9Eeofzq2m02Nhnr?usp=sharing
ege914 has explained in many threads, use NSudo to work around permissions with system-protected files.
SetACL/TAKEOWN is a tedious and error-prone way to grant/restore user permissions and sooner or later you will mess up. Everybody's been sharing the NSudo tip for over a decade on better-known Windows forums.
If you checked NTLite settings, you can move the scratch folders to a different volume.
SetACL/TAKEOWN is a tedious and error-prone way to grant/restore user permissions and sooner or later you will mess up. Everybody's been sharing the NSudo tip for over a decade on better-known Windows forums.
If you checked NTLite settings, you can move the scratch folders to a different volume.
To be honest even I figured out alone that Nsudo (TrustedInstaller) is much easier and less problematic way to tell Windows: Yes Im really, really, REALLY sure about rename/delete this!
yes you can and my screenshots show i have applied a few as well as gotten windows updates add remove programs > windows features to show two updates that werent on the disc i burned to a dvd and installed. it is still the 6.1 kernel and IS updatable despite beta build wikis saying it cant take updates. i play dota on it regularly as well. all the updates end in certificate terminated in untrusted root authority despite being updated through certmgr.msc and many other ways i have signed the drivers for canonkong just fine with http://woshub.com/how-to-sign-an-unsigned-driver-for-windows-7-x64/
By default, all 64-bit Windows versions, starting from Windows 7, prohibit to install devices drivers that are not signed with a valid digital signature. Unsigned drivers are blocked by the operating system. The digital signature guarantees (to some extent) that the driver has been released by a certain developer or vendor, and its code hasn’t been modified after it was signed.
In 64-bit (x64) Windows 10, 8.1 and 7 there are several ways to disable driver signature verification for the unsigned drivers: using a group policy or a test boot mode. Today we’ll show how to sign any unsigned driver for the 64-bit version of Windows 10 or Windows 7.
Suppose you have a certain unsigned device driver (without digital signature) for Windows 10 x64 or Windows 7 x64. In this example, it is the driver for quite old graphics card. The archive with drivers for your Windows version has been downloaded from the vendor’s website (I was able to find the video driver version for Windows Vista x64) and its contents has been extracted to c:\tools\drv1\. Let’s try to install the driver by adding it to Windows driver store with a standard pnputil tool:
Pnputil –a c:\tools\drv1\xg20gr.inf
Note. This command and all the next ones must be run in the command prompt as administrator.
During driver installation, Windows 7 displays a warning that the system can’t verify the digital signature of this driver:
Windows can’t verify the publisher of this driver software.
In Windows 10 this warning doesn’t appear, but a warning appears in the console:
Processing inf: xg20gr.inf
Adding the driver package failed: The third-party INF does not contain digital signature information.
If you right click on the inf driver file and select Install when installing a driver from File Explorer, you receive an error:
The third-party INF does not contain digital signature information.
Let’s try to sign this driver with a self-signed certificate.
Contents:
Open the command prompt and go to the following directory:
cd C:\Program Files (x86)\Microsoft SDKs\Windows\v7.1\bin
Create a self-signed certificate and private key, that is issued, for example, for the company WinOSHub:
makecert -r -sv C:\DriverCert\myDrivers.pvk -n CN="WinOSHub" C:\DriverCert\myDrivers.cer
During the creation of the certificate, the tool will prompt you to specify a password for the key, let it be P@ss0wrd.
Create a public key for a publisher certificate (PKSC) we have created earlier:
cert2spc C:\DriverCert\myDrivers.cer C:\DriverCert\myDrivers.spc
Combine the public key (.spc) and the private key (.pvk) in a single certificate file with format Personal Information Exchange (.pfx):
pvk2pfx -pvk C:\DriverCert\myDrivers.pvk -pi P@ss0wrd -spc C:\DriverCert\myDrivers.spc -pfx C:\DriverCert\myDrivers.pfx -po P@ss0wrd
Tip. You can create a self-signed Code Signing certificate without using third-party tools by using the PowerShell 5.0 cmdlet – New-SelfSifgnedCertificate:
$cert = New-SelfSignedCertificate -Subject "Woshub” -Type CodeSigningCert -CertStoreLocation cert:\LocalMachine\My
Then you need to export this certificate to the pfx file with the password:
$CertPassword = ConvertTo-SecureString -String “P@ss0wrd” -Force –AsPlainText
Export-PfxCertificate -Cert $cert -FilePath C:\DriverCert\myDrivers.pfx -Password $CertPassword
Note. Although the certificate has a limited validity period, the expiration of the CodeSigning certificate means that you can’t create new signatures. The validity of the driver already signed by this certificate is unlimited (or old signatures are valid during the specified timestamp).
Go to the directory:
cd C:\WinDDK\7600.16385.1\bin\selfsign
Generate a CAT file (contains information about all the files in the driver package) on the base of the INF file. On the base of an inf file using the inf2cat.exe tool (included in the Windows Driver Kit – WDK) generate a cat file for your platform (it contains information about all files in the driver package):
inf2cat.exe /driver:"C:\DriverCert\xg20" /os:7_X64 /verbose
To make sure that the procedure was correct, check if the log file contains the messages:
and
Note. In my case the command Inf2Cat.exe returned an error:
Signability test failed.
Errors:
22.9.7: DriverVer set to incorrect date (must be postdated to 4/21/2009 for newest OS) in \hdx861a.inf
To fix the error, find the line with DriverVer = in the [Version] section and replace it with:
DriverVer=05/01/2009,9.9.9.9
After the command is executed, the xg20gr.cat file should be updated in the drivers’ directory.
cd C:\Program Files (x86)\Microsoft SDKs\Windows\v7.1\Bin
Sign the set of the driver files with the certificate you have created earlier using Globalsign as a timestamp service. The following command will sign the CAT file with a digital signature using with a certificate stored in a PFX file, protected by a password:
signtool sign /f C:\DriverCert\myDrivers.pfx /p P@ss0wrd /t http://timestamp.verisign.com/scripts/timstamp.dll /v C:\DriverCert\xg20\xg20gr.cat
If the file is successfully signed, the following message should appear:
Successfully signed: C:\DriverCert\xg\xg20gr.cat
Number of files successfully Signed: 1
Tip. The digital signature of the driver is contained in the .cat file referenced in the .inf file. You can check the digital signature of the driver in the cat file using the following command:
SignTool verify /v /pa c:\DriverCert\xg\xg20gr.cat
Or in the file properties on the Digital Signatures tab:
The CAT file contains digital signatures (thumbprints) of all the files that are in the driver directory (files listed in the INF file in the CopyFiles section). If any of these files has been changed, the checksum of the files will not match the data in the CAT file, and, as a result, the installation of such a driver will fail.
certmgr.exe -add C:\DriverCert\myDrivers.cer -s -r localMachine ROOT
certmgr.exe -add C:\DriverCert\myDrivers.cer -s -r localMachine TRUSTEDPUBLISHER
Or do it with the graphical certificate import wizard (you need to place the certificate in the Trusted Publishers and Trusted Root Certification Authorities stores of the local machine). In a domain, you can distribute this certificate to client computer using Group Policy.
Note. You can check if the certificate we created is in the list of trusted certificated by opening the certificate management snap-in (certmgr.msc) and making sure that our certificate (issued for our company) is in the corresponding stores.
How to Sign an Unsigned Driver for x64 Windows 10, 8.1 or 7 with a Self-signed Certificate
By default, all 64-bit Windows versions, starting from Windows 7, prohibit to install devices drivers that are not signed with a valid digital signature. Unsigned drivers are blocked by the operating system. The digital signature guarantees (to some extent) that the driver has been released by a certain developer or vendor, and its code hasn’t been modified after it was signed.
In 64-bit (x64) Windows 10, 8.1 and 7 there are several ways to disable driver signature verification for the unsigned drivers: using a group policy or a test boot mode. Today we’ll show how to sign any unsigned driver for the 64-bit version of Windows 10 or Windows 7.
Suppose you have a certain unsigned device driver (without digital signature) for Windows 10 x64 or Windows 7 x64. In this example, it is the driver for quite old graphics card. The archive with drivers for your Windows version has been downloaded from the vendor’s website (I was able to find the video driver version for Windows Vista x64) and its contents has been extracted to c:\tools\drv1\. Let’s try to install the driver by adding it to Windows driver store with a standard pnputil tool:
Pnputil –a c:\tools\drv1\xg20gr.inf
Note. This command and all the next ones must be run in the command prompt as administrator.
During driver installation, Windows 7 displays a warning that the system can’t verify the digital signature of this driver:
Windows can’t verify the publisher of this driver software.
In Windows 10 this warning doesn’t appear, but a warning appears in the console:
Processing inf: xg20gr.inf
Adding the driver package failed: The third-party INF does not contain digital signature information.
If you right click on the inf driver file and select Install when installing a driver from File Explorer, you receive an error:
The third-party INF does not contain digital signature information.
Let’s try to sign this driver with a self-signed certificate.
Contents:
- Tools for Signing Drivers
- Create a Self-Signed Certificate and Private Key
- Creating a Catalog File (CAT) for Driver Package
- Signing the Driver Using Self-signed Certificate
- Installing the Self-Signed Certificate
- Installation of the Driver Signed with the Self-signed Certificate
Tools for Signing Drivers
To generate a signature and sign the driver, you need to download and install the following Windows application development tools (with the default settings):- Windows SDK (or Microsoft Visual Studio 2005 or later) for your version of Windows. These packages include Windows SDK Signing tools for Desktop, which includes the necessary utility – signtool.exe;
- Windows Driver Kit 7.1.0.
Create a Self-Signed Certificate and Private Key
Create a C:\DriverCert folder in the root of the system drive.Open the command prompt and go to the following directory:
cd C:\Program Files (x86)\Microsoft SDKs\Windows\v7.1\bin
Create a self-signed certificate and private key, that is issued, for example, for the company WinOSHub:
makecert -r -sv C:\DriverCert\myDrivers.pvk -n CN="WinOSHub" C:\DriverCert\myDrivers.cer
During the creation of the certificate, the tool will prompt you to specify a password for the key, let it be P@ss0wrd.
Create a public key for a publisher certificate (PKSC) we have created earlier:
cert2spc C:\DriverCert\myDrivers.cer C:\DriverCert\myDrivers.spc
Combine the public key (.spc) and the private key (.pvk) in a single certificate file with format Personal Information Exchange (.pfx):
pvk2pfx -pvk C:\DriverCert\myDrivers.pvk -pi P@ss0wrd -spc C:\DriverCert\myDrivers.spc -pfx C:\DriverCert\myDrivers.pfx -po P@ss0wrd
Tip. You can create a self-signed Code Signing certificate without using third-party tools by using the PowerShell 5.0 cmdlet – New-SelfSifgnedCertificate:
$cert = New-SelfSignedCertificate -Subject "Woshub” -Type CodeSigningCert -CertStoreLocation cert:\LocalMachine\My
Then you need to export this certificate to the pfx file with the password:
$CertPassword = ConvertTo-SecureString -String “P@ss0wrd” -Force –AsPlainText
Export-PfxCertificate -Cert $cert -FilePath C:\DriverCert\myDrivers.pfx -Password $CertPassword
Note. Although the certificate has a limited validity period, the expiration of the CodeSigning certificate means that you can’t create new signatures. The validity of the driver already signed by this certificate is unlimited (or old signatures are valid during the specified timestamp).
Creating a Catalog File (CAT) for Driver Package
Create the directory C:\DriverCert\xg20 and copy all files from the folder into which the driver from the archive has been originally extracted (c:\tools\drv1\). Make sure that there are files with the extensions .sys and .inf among these files (in our case, they are xg20grp.sys and xg20gr.inf).Go to the directory:
cd C:\WinDDK\7600.16385.1\bin\selfsign
Generate a CAT file (contains information about all the files in the driver package) on the base of the INF file. On the base of an inf file using the inf2cat.exe tool (included in the Windows Driver Kit – WDK) generate a cat file for your platform (it contains information about all files in the driver package):
inf2cat.exe /driver:"C:\DriverCert\xg20" /os:7_X64 /verbose
To make sure that the procedure was correct, check if the log file contains the messages:
| Signability test complete. |
| Catalog generation complete. |
Signability test failed.
Errors:
22.9.7: DriverVer set to incorrect date (must be postdated to 4/21/2009 for newest OS) in \hdx861a.inf
To fix the error, find the line with DriverVer = in the [Version] section and replace it with:
DriverVer=05/01/2009,9.9.9.9
After the command is executed, the xg20gr.cat file should be updated in the drivers’ directory.
Signing the Driver Using Self-signed Certificate
Go to the following folder:cd C:\Program Files (x86)\Microsoft SDKs\Windows\v7.1\Bin
Sign the set of the driver files with the certificate you have created earlier using Globalsign as a timestamp service. The following command will sign the CAT file with a digital signature using with a certificate stored in a PFX file, protected by a password:
signtool sign /f C:\DriverCert\myDrivers.pfx /p P@ss0wrd /t http://timestamp.verisign.com/scripts/timstamp.dll /v C:\DriverCert\xg20\xg20gr.cat
If the file is successfully signed, the following message should appear:
Successfully signed: C:\DriverCert\xg\xg20gr.cat
Number of files successfully Signed: 1
Tip. The digital signature of the driver is contained in the .cat file referenced in the .inf file. You can check the digital signature of the driver in the cat file using the following command:
SignTool verify /v /pa c:\DriverCert\xg\xg20gr.cat
Or in the file properties on the Digital Signatures tab:
The CAT file contains digital signatures (thumbprints) of all the files that are in the driver directory (files listed in the INF file in the CopyFiles section). If any of these files has been changed, the checksum of the files will not match the data in the CAT file, and, as a result, the installation of such a driver will fail.
Installing the Self-Signed Certificate
Since the certificate we created is self-signed, by default the system doesn’t trust it. Add your certificate to the local computer certificate store. You can do it using the following commands:certmgr.exe -add C:\DriverCert\myDrivers.cer -s -r localMachine ROOT
certmgr.exe -add C:\DriverCert\myDrivers.cer -s -r localMachine TRUSTEDPUBLISHER
Or do it with the graphical certificate import wizard (you need to place the certificate in the Trusted Publishers and Trusted Root Certification Authorities stores of the local machine). In a domain, you can distribute this certificate to client computer using Group Policy.
Note. You can check if the certificate we created is in the list of trusted certificated by opening the certificate management snap-in (certmgr.msc) and making sure that our certificate (issued for our company) is in the corresponding stores.
Tip. When you check the certificate store with the Sigcheck utility, this certificate will be displayed as untrusted, because it is not on the listed in the list of Microsoft root certificates (this list needs to be updated periodically).
Pnputil –i –a C:\DriverCert\xg20\xg20gr.inf
Now you won’t see the warning about the missing digital signature of the driver.
Successfully installed the driver on a device on the system.
Driver package added successfully.
The following warning appears in Windows 7 x64: Would you like to install this device software? In Windows 10 x64 1803, this pop-up window doesn’t appear. By clicking “Install”, you install the driver in the system.
If for some reason the driver is not installed, the detailed driver installation log is contained in the file C:\Windows\inf\setupapi.dev.log. This log file allows you to get more information about the driver installation errors. In most cases, there is a “Driver package failed signature validation” error – most likely this means that the driver certificate is not added to the trusted certificates store.
If the driver installation was successful, the setupapi.dev.log file should contain the following lines:
>>> [Device Install (DiInstallDriver) - C:\WINDOWS\System32\DriverStore\FileRepository\xg20gr.inf_amd64_c5955181214aa12b\xg20gr.inf]
>>> Section start 2018/07/22 23:32:57.015
cmd: Pnputil -i -a c:\DriverCert\xg\xg20gr.inf
ndv: Flags: 0x00000000
ndv: INF path: C:\WINDOWS\System32\DriverStore\FileRepository\xg20gr.inf_amd64_c5955181214aa12b\xg20gr.inf
inf: {SetupCopyOEMInf: C:\WINDOWS\System32\DriverStore\FileRepository\xg20gr.inf_amd64_c5955181214aa12b\xg20gr.inf} 13:23:37.046
inf: Copy style: 0x00000000
inf: Driver Store Path: C:\WINDOWS\System32\DriverStore\FileRepository\xg20gr.inf_amd64_c5955181214aa12b\xg20gr.inf
inf: Published Inf Path: C:\WINDOWS\INF\oem23.inf
inf: {SetupCopyOEMInf exit (0x00000000)} 13:23:37.077
<<< Section end 2018/07/22 13:23:37.155
<<< [Exit status: SUCCESS]
As you can see, to install the self-signed driver we did not even have to disable the digital signature verification of the drivers with the bcdedit.exe commands:
bcdedit.exe /set loadoptions DISABLE_INTEGRITY_CHECKS
bcdedit.exe /set testsigning ON
36 comments
7
Facebook Twitter Google + Pinterest
previous post
Don D. March 9, 2015 - 12:33 pm
Unless you unable testmode (bcdedit /set testsigning on) to disable kernel drivers signature verification, Windows won’t allow the driver to load. You will not have the warning when installing the self-signed driver, but it won’t load.
I’ve tested it thoroughly, and it’s confirmed here and there.
Reply
Max March 11, 2015 - 8:03 am
You must add your self signed cert to Trusted Publishers and Trusted Root Certification Authorities containers in the local certificate store
Reply
Don D. March 11, 2015 - 12:16 pm
I followed very carefully all these instructions, and i’m sorry to say that it doesn’t work: Window won’t allow the driver to run if it doen’t have a cross-signed signature.
It is confirmed here: minasi.com/newsletters/nws0903.htm
Mark Minasi: “Windows wants your cert to be cross-signed by Microsoft, which costs money, but you can tell Windows 7 (I’ve not tested Vista) to accept certs that aren’t signed by Microsoft with this command, executed from an elevated command prompt:
bcdedit /set testsigning on
This produces one side-effect: Windows shows “Test Mode” in the lower right-hand corner of the desktop.”
Here: ghisler.ch/board/viewtopic.php?t=24262&postdays=0&postorder=asc&start=15&sid=918bbb55edaeb08e6084af9d30a9ab5d
Flint: “I’ve read many discussions on programmers forums about the matter, everyone there confirmed that it was impossible to load unsigned or self-signed drivers in x64 (among those were many professionals, MVPs and driver programming experts).” (unless by enabling testmode, what is not recommanded because it is a security feature)
And here: msdn.microsoft.com/en-us/library/windows/hardware/ff544872%28v=vs.85%29.aspx
msdn.microsoft.com/en-us/library/windows/hardware/ff552299%28v=vs.85%29.aspx
I have also signed the driver itself (not only the cat file), to no avail.
I don’t know who made the test here, but this information is unaccurate: yes you won’t get a warning, the driver is installed, but it won’t be running.
Reply
ary pramudito (@_tatox_) November 17, 2015 - 7:02 am
interesting. please comment on signing windows 10. moln1.wordpress()com/2015/02/18/creating-self-signed-certificates-in-windows-10/
Reply
MarcK4096 July 22, 2016 - 8:12 pm
This worked great for me. There’s a known problem with Ricoh print drivers in which defaults set on the print server do not propagate to clients. Instead, Ricoh defaults need to be put into an RCF file included with the driver. Editing the RCF file breaks the digital signature, which causes clients to refuse to install the driver downloaded from the print server. Re-signing with a self signed certificate and distributing the certificate using group policy solved the problem.
Thanks so much for putting this article together. You made it easy for me to complete a complex process.
Reply
MarcK4096 July 22, 2016 - 8:14 pm
And I did test with Windows 10. It did work there, too.
Reply
SafetyLok November 7, 2016 - 2:20 am
Just wanted to say thanks for this.
I was able to self sign drivers for Win10 x64. One trick to remember is on the target PC to import the certificate into the “trusted root certification authorities” for “Local Computer”. Using certmgr -add did not seem to import to Local Computer, only Current User.
Thanks
Reply
Brian December 12, 2016 - 10:18 pm
Thanks for this method of self-signing a driver which won’t install due to Windows 10 signed driver installation firewall.
I had a very difficult time installing the Windows 7 SDK in Windows 10 because it kept complaining about the version of .NET Framework 4 was an incomplete version and I couldn’t install .NET Framework 4 because a newer version, 4.6.2 is installed and nothing I tried could deinstall it. What I did was expand the Windows 7 SDK and manually installed all of the modules I could then ran the installer which enabled me to fully install the Windows 7 SDK as an installation repair. As well, it is not in the “Program Files (x86)” folder, it is in the “Program Files” folder so change the instructions by removing “(x86)” from the command strings. After all that, which took a long time to figure out, the rest was a breeze. The only problem was that the date of the driver stated in the “.inf” file had to be updated to 04/21/2009 (at least) because it was too old for Windows 7 as it predated Windows 7. Now the 64bit driver for myAOpen FM56-EXV external serial voice capable modem is fully loaded in Windows 10.
Reply
Jason January 1, 2018 - 3:15 pm
I tried the steps, and it does what it says — it gets rid of the warning message when using pnputil.
It doesn’t make the driver work.
To understand why see this table in David Grayson’s excellent article:
http://www.davidegrayson()com/signing/#reqs
While you’re making the steps to “make it look good” by adding a Trusted Root Certification Authority, you’re still missing a “Microsoft Code Verification Root” because your Trusted Root is not recognized by Microsoft.
Reply
bilbo July 27, 2018 - 9:10 am
Great link, thanks!
Reply
mach Fiverr February 19, 2021 - 11:15 am
I wish the guy had just put (insert your inf file to sign) in the how to instead of confusing the hell out of me by having me create a certificate for a driver and such weird names for stuff that I’m left unsure of which things I should change or commands to use for my libusb0.inf file im wanting to sign. FYI my laptop keyboard is broken I don’t have an external one and command line turn nointegritychecks or testsigning and others via elevated not elevated via PowerShell and every other way I can find or think of doesnt work and due to no keyboard I can’t tap option 7 and I can’t use my touchscreen or pad thingy u know mouse pad thing below keyboard. I’m at burnout stage from all this and installing this app that app searching for just makecert failing then installing the wrong version of visual studio on installing visual studio reinstalling the right version etc… Etc… Its 3am so no I can’t go buy a keyboard atm
Reply
Jens April 17, 2018 - 3:32 pm
You absolutely made my day!!! – Great Article. Worked for me like a charm! Thanks a lot for your input!
Reply
bilbo July 27, 2018 - 8:57 am
Please avoid to spread false informations on the web!
All this does not work and cannot work on 64bit Windows 10 (tested on a third-party PCSC kernel driver)
Reply
ManDudeGirlLady June 3, 2021 - 10:44 am
Except all of this does work on 64bit Windows 10, so maybe reiterate on what you mean, such as “I am too illiterate and need to be held by hand” :^)
Here are some snippets of some commands I had to rewrite, just for some reference. I had renamed the .cat to ass in the .ini file of the driver I wanted to install.
pvk2pfx -pvk C:\DriverCert\mydrivers.pvk -pi password -spc C:\DriverCert\mydrivers.spc -pfx C:\DriverCert\mydrivers.pfx -po password
“C:\WinDDK\7600.16385.1\bin\selfsign\inf2cat.exe” /driver:”C:\DriverCert\Grabber” /os:10_X64 /verbose
“C:\Program Files (x86)\Windows Kits\10\bin\10.0.19041.0\x64\signtool.exe” sign /f C:\DriverCert\\mydrivers.pfx /p password /t _http://time.certum.pl/ /v C:\DriverCert\Grabber\ass.cat
The certificate was installed manually into both Trusted Root and Trusted Publishers
I haven’t bothered pasting the rest of the commands I used, but all in all, with some tweaking, everything works perfectly for me. Used it to install a MT4169 ‘Video Grabber’ driver for W10 64x
Reply
Installation of the Driver Signed with the Self-signed Certificate
Try to install the driver we have signed again using the command:Pnputil –i –a C:\DriverCert\xg20\xg20gr.inf
Now you won’t see the warning about the missing digital signature of the driver.
Successfully installed the driver on a device on the system.
Driver package added successfully.
The following warning appears in Windows 7 x64: Would you like to install this device software? In Windows 10 x64 1803, this pop-up window doesn’t appear. By clicking “Install”, you install the driver in the system.
If for some reason the driver is not installed, the detailed driver installation log is contained in the file C:\Windows\inf\setupapi.dev.log. This log file allows you to get more information about the driver installation errors. In most cases, there is a “Driver package failed signature validation” error – most likely this means that the driver certificate is not added to the trusted certificates store.
If the driver installation was successful, the setupapi.dev.log file should contain the following lines:
>>> [Device Install (DiInstallDriver) - C:\WINDOWS\System32\DriverStore\FileRepository\xg20gr.inf_amd64_c5955181214aa12b\xg20gr.inf]
>>> Section start 2018/07/22 23:32:57.015
cmd: Pnputil -i -a c:\DriverCert\xg\xg20gr.inf
ndv: Flags: 0x00000000
ndv: INF path: C:\WINDOWS\System32\DriverStore\FileRepository\xg20gr.inf_amd64_c5955181214aa12b\xg20gr.inf
inf: {SetupCopyOEMInf: C:\WINDOWS\System32\DriverStore\FileRepository\xg20gr.inf_amd64_c5955181214aa12b\xg20gr.inf} 13:23:37.046
inf: Copy style: 0x00000000
inf: Driver Store Path: C:\WINDOWS\System32\DriverStore\FileRepository\xg20gr.inf_amd64_c5955181214aa12b\xg20gr.inf
inf: Published Inf Path: C:\WINDOWS\INF\oem23.inf
inf: {SetupCopyOEMInf exit (0x00000000)} 13:23:37.077
<<< Section end 2018/07/22 13:23:37.155
<<< [Exit status: SUCCESS]
As you can see, to install the self-signed driver we did not even have to disable the digital signature verification of the drivers with the bcdedit.exe commands:
bcdedit.exe /set loadoptions DISABLE_INTEGRITY_CHECKS
bcdedit.exe /set testsigning ON
36 comments
7
Facebook Twitter Google + Pinterest
previous post
Auto-Mount a VHD/VHDX File at Startup in Windows 10, 8.1
next postHP Printer Prints Only One Copy of Document
Related Reading
Fix: Windows Stuck at “Preparing to Configure Windows”
August 23, 2021PowerShell SecretManagement Module: Securely Manage Credentials and Secrets
August 18, 2021PowerShell: Get Folder Sizes on Disk in Windows
August 17, 2021Managing Saved Passwords Using Windows Credential Manager
August 9, 2021Kill a Windows Service That Stucks on Stopping...
August 5, 202136 comments
Don D. March 9, 2015 - 12:33 pm
Unless you unable testmode (bcdedit /set testsigning on) to disable kernel drivers signature verification, Windows won’t allow the driver to load. You will not have the warning when installing the self-signed driver, but it won’t load.
I’ve tested it thoroughly, and it’s confirmed here and there.
Reply
Max March 11, 2015 - 8:03 am
You must add your self signed cert to Trusted Publishers and Trusted Root Certification Authorities containers in the local certificate store
Reply
Don D. March 11, 2015 - 12:16 pm
I followed very carefully all these instructions, and i’m sorry to say that it doesn’t work: Window won’t allow the driver to run if it doen’t have a cross-signed signature.
It is confirmed here: minasi.com/newsletters/nws0903.htm
Mark Minasi: “Windows wants your cert to be cross-signed by Microsoft, which costs money, but you can tell Windows 7 (I’ve not tested Vista) to accept certs that aren’t signed by Microsoft with this command, executed from an elevated command prompt:
bcdedit /set testsigning on
This produces one side-effect: Windows shows “Test Mode” in the lower right-hand corner of the desktop.”
Here: ghisler.ch/board/viewtopic.php?t=24262&postdays=0&postorder=asc&start=15&sid=918bbb55edaeb08e6084af9d30a9ab5d
Flint: “I’ve read many discussions on programmers forums about the matter, everyone there confirmed that it was impossible to load unsigned or self-signed drivers in x64 (among those were many professionals, MVPs and driver programming experts).” (unless by enabling testmode, what is not recommanded because it is a security feature)
And here: msdn.microsoft.com/en-us/library/windows/hardware/ff544872%28v=vs.85%29.aspx
msdn.microsoft.com/en-us/library/windows/hardware/ff552299%28v=vs.85%29.aspx
I have also signed the driver itself (not only the cat file), to no avail.
I don’t know who made the test here, but this information is unaccurate: yes you won’t get a warning, the driver is installed, but it won’t be running.
Reply
ary pramudito (@_tatox_) November 17, 2015 - 7:02 am
interesting. please comment on signing windows 10. moln1.wordpress()com/2015/02/18/creating-self-signed-certificates-in-windows-10/
Reply
MarcK4096 July 22, 2016 - 8:12 pm
This worked great for me. There’s a known problem with Ricoh print drivers in which defaults set on the print server do not propagate to clients. Instead, Ricoh defaults need to be put into an RCF file included with the driver. Editing the RCF file breaks the digital signature, which causes clients to refuse to install the driver downloaded from the print server. Re-signing with a self signed certificate and distributing the certificate using group policy solved the problem.
Thanks so much for putting this article together. You made it easy for me to complete a complex process.
Reply
MarcK4096 July 22, 2016 - 8:14 pm
And I did test with Windows 10. It did work there, too.
Reply
SafetyLok November 7, 2016 - 2:20 am
Just wanted to say thanks for this.
I was able to self sign drivers for Win10 x64. One trick to remember is on the target PC to import the certificate into the “trusted root certification authorities” for “Local Computer”. Using certmgr -add did not seem to import to Local Computer, only Current User.
Thanks
Reply
Brian December 12, 2016 - 10:18 pm
Thanks for this method of self-signing a driver which won’t install due to Windows 10 signed driver installation firewall.
I had a very difficult time installing the Windows 7 SDK in Windows 10 because it kept complaining about the version of .NET Framework 4 was an incomplete version and I couldn’t install .NET Framework 4 because a newer version, 4.6.2 is installed and nothing I tried could deinstall it. What I did was expand the Windows 7 SDK and manually installed all of the modules I could then ran the installer which enabled me to fully install the Windows 7 SDK as an installation repair. As well, it is not in the “Program Files (x86)” folder, it is in the “Program Files” folder so change the instructions by removing “(x86)” from the command strings. After all that, which took a long time to figure out, the rest was a breeze. The only problem was that the date of the driver stated in the “.inf” file had to be updated to 04/21/2009 (at least) because it was too old for Windows 7 as it predated Windows 7. Now the 64bit driver for myAOpen FM56-EXV external serial voice capable modem is fully loaded in Windows 10.
Reply
Jason January 1, 2018 - 3:15 pm
I tried the steps, and it does what it says — it gets rid of the warning message when using pnputil.
It doesn’t make the driver work.
To understand why see this table in David Grayson’s excellent article:
http://www.davidegrayson()com/signing/#reqs
While you’re making the steps to “make it look good” by adding a Trusted Root Certification Authority, you’re still missing a “Microsoft Code Verification Root” because your Trusted Root is not recognized by Microsoft.
Reply
bilbo July 27, 2018 - 9:10 am
Great link, thanks!
Reply
mach Fiverr February 19, 2021 - 11:15 am
I wish the guy had just put (insert your inf file to sign) in the how to instead of confusing the hell out of me by having me create a certificate for a driver and such weird names for stuff that I’m left unsure of which things I should change or commands to use for my libusb0.inf file im wanting to sign. FYI my laptop keyboard is broken I don’t have an external one and command line turn nointegritychecks or testsigning and others via elevated not elevated via PowerShell and every other way I can find or think of doesnt work and due to no keyboard I can’t tap option 7 and I can’t use my touchscreen or pad thingy u know mouse pad thing below keyboard. I’m at burnout stage from all this and installing this app that app searching for just makecert failing then installing the wrong version of visual studio on installing visual studio reinstalling the right version etc… Etc… Its 3am so no I can’t go buy a keyboard atm
Reply
Jens April 17, 2018 - 3:32 pm
You absolutely made my day!!! – Great Article. Worked for me like a charm! Thanks a lot for your input!
Reply
bilbo July 27, 2018 - 8:57 am
Please avoid to spread false informations on the web!
All this does not work and cannot work on 64bit Windows 10 (tested on a third-party PCSC kernel driver)
Reply
ManDudeGirlLady June 3, 2021 - 10:44 am
Except all of this does work on 64bit Windows 10, so maybe reiterate on what you mean, such as “I am too illiterate and need to be held by hand” :^)
Here are some snippets of some commands I had to rewrite, just for some reference. I had renamed the .cat to ass in the .ini file of the driver I wanted to install.
pvk2pfx -pvk C:\DriverCert\mydrivers.pvk -pi password -spc C:\DriverCert\mydrivers.spc -pfx C:\DriverCert\mydrivers.pfx -po password
“C:\WinDDK\7600.16385.1\bin\selfsign\inf2cat.exe” /driver:”C:\DriverCert\Grabber” /os:10_X64 /verbose
“C:\Program Files (x86)\Windows Kits\10\bin\10.0.19041.0\x64\signtool.exe” sign /f C:\DriverCert\\mydrivers.pfx /p password /t _http://time.certum.pl/ /v C:\DriverCert\Grabber\ass.cat
The certificate was installed manually into both Trusted Root and Trusted Publishers
I haven’t bothered pasting the rest of the commands I used, but all in all, with some tweaking, everything works perfectly for me. Used it to install a MT4169 ‘Video Grabber’ driver for W10 64x
Reply
Last edited:
ant` August 6, 2018 - 3:34 am
Worked on Windows 10 ,1803 using the enterprise SDK. Obviously, some commands need to be changed and you have to add the ROOT cert to the store or this will not be trusted!!!
Reply
Alain G. October 13, 2018 - 4:30 pm
I can use multi-partitionned SD cards in Windows 10 1803 without any additional driver. Checked on Home and Pro versions.
Reply
TPMJB August 27, 2018 - 1:55 pm
This really only works if test mode is on when adding the cert to the trusted publishers and trusted root certification authority. So basically just have test mode on all the time. It’s better than rebooting every time you want to use it and disabling driver verification.
Reply
Vladimir December 25, 2018 - 5:44 am
Good day.
Where i can find inf2cat.exe? After install all needed software, in thus folder only hrml file with information that this process now is part of build process.
Windows 10 1803
Reply
Keith April 8, 2019 - 6:06 pm
This does not seem to work on Windows 10 when SecureBoot is enabled. If SecureBoot is enabled the digital signatures details on the .cat file generated will say “A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider.” If you right click and try to install the INF file it claims there is a problem with the signature.
I was able to get it to work on a Windows 10 VMware machine where SecureBoot was not enabled. I googled the error message further and found that with SecureBoot enabled, the driver MUST be signed by Microsoft’s WHQL certification process. So in order for this to work you will have to go into your BIOS and disable Secure Boot.
Reply
admin April 15, 2019 - 11:44 am
Thanks for this info!
Reply
Marcus Ickes May 13, 2019 - 2:44 pm
This 100% absolutely Works!!! Thank you so much. Did this for an MS 2016 Server. Old plotter drivers. Thank you, Thank you, Thank you!
Reply
Chi January 21, 2020 - 1:10 am
This worked for me on windows 10 Pro 64 bit, thanks a ton!
Just a small thing, in some places “MyDriver” and “Driver” are used interchangeably, please fix that for people who don’t get things intuitively.
Reply
admin January 28, 2020 - 6:09 am
I’ve fixed this. Thanks!
Reply
WL February 16, 2020 - 10:05 pm
It works for me on Windows 10 Pro 64bit too. Thanks a lot.
Reply
hwangjin March 27, 2020 - 11:11 am
completely fake information. installing is succeeded, but never working normally. this is possible only when testsigning is on or when old driver was already signed by another legal code certificates
Reply
bloodhand April 10, 2020 - 7:43 pm
Thanks a lot for this guide. Only using your method I could install win7 on uefi class 3: the key to forcing a custom video driver at the installation of windows was to sign it with a selfmade certificate and then add the certificate to the registry of the installation. This way the video driver will be used at first boot, being able to complete the installation while you disable standard vga to ensure full compatibility with uefi.
Reply
Wil Diel May 22, 2020 - 12:18 pm
Thanks a lot for the guide. I was able to install the unsigned driver on my windows 10 without disabling the digital signature verification.
Reply
Graham Scales June 2, 2020 - 5:54 pm
After spending a Sunday trying to do it myself on Windows 10, I came across your article. Worked brilliantly, thank you!! My Windows kit was in C:\Program Files (x86)\Windows Kits\10\bin\10.0.19041.0\x64\ and as I was using Windows 10, used
Inf2Cat.exe /driver:”C:\DriverCert\xg20″ /os:10_X86,10_X64 /verbose
Reply
Chris July 6, 2020 - 1:19 am
I’ve tried three times, but it does not work. Certification process works until I do “signtool.exe verify /v /pa mydriver.cat”, then it says:
SignTool Error: A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider.
Number of files successfully Verified: 0
Number of warnings: 0
Number of errors: 1
I also installed the certificate and CertMgr does say it’s valid. Until I connect my device and install my drivers, then in Device Manager the yellow “!” shows up and says that the driver can’t be trusted.
What can I do to fix this?
Reply
Steve April 14, 2021 - 3:20 pm
Yes, ms crap ! The reason why is this necessary, vendors do not want to have additional costs and they don’t sign drivers cos MS want money, and the fact MS OS uses security policy rules (perfect for root viruses) and not root file security like in Linux ! The perfect platform for abandoning a bit older hardware that might still be performing well. This way MS controls what can windows run and what not and that might be against what user want ( i wonder how long will Win7 still be around, if even XP is still alive). So if MS is controlling hardware, why wtf they do not go to closed architecture ? I dont want to be limited if there are drivers that can run what so ever hardware and they aren’t signed cos MS is greedy piece of ass ? On the other hand they want Win on every imaginable devices ???
Reply
Sherif April 19, 2021 - 11:24 pm
I am down to a problem that seems alot of people are having and wondering if there is a fix.
following the Steps exactly using the 7.1 and another try with the newest version of 10, everything is working but the it tells me successfully signed after, note i changed the server because it was giving me timeout response and ofc the cat file name to my driver.
Signtool sign /f C:\DriverCert\myDrivers.pfx /p mypass /t _http://timestamp.comodoca.com/authenticode /v C:\DriverCert\xg20\kmdfsamples.cat
the verify line was showing root verification error line that was fixed after i imported the certificate in trusted user and it shows as in the picture “This signature is OK”.
I can now install the driver, i need to manually update a driver and i select my inf file, but device manager is telling me this does not have digital signature. so i am able to install but the driver does not work/load with the following error.
“Windows cannot verify the digital signature …… (code 52)” why when the signature told me it was OK i am not sure. so my question should the cat file name be the same name of the driver .inf and .sys files or it is fine to be different? will this help, why device manager does not recognize the signature?
Reply
Sherif April 19, 2021 - 11:58 pm
i attempted the Pnputil –i –a C:\DriverCert\xg20\firefly.inf but noticed that the cmd showed successfully imported but nothing was installed, so i opened the logs C:\Windows\inf\setupapi.dev.log and found out an error that the INF file hash is not stored in the catalog, then i looked at my catalog before signing inside C:\DriverCert\xg20 to find out that there was 4 security catalogs each file inf and sys is twice with different hashes, then after signing they became only two. i do not know why this is happened also why the catalog has 4 hashes to begin with.
Reply
Sherif April 20, 2021 - 1:54 am
latest update i realized that the code generate a cat file so i removed the old one and it worked, but it doesn’t just work still refuse to accept it, i will try more tomorrow and check the log thoroughly i am recieving root certificate error again but the verify is working perfectly, the hash error is gone
Reply
Sherif April 20, 2021 - 5:54 am
Bottom line it will not work, my driver need to run in kernal mode, the certifacate verification using signtool verify /v /kp c:\DriverCert\xg20\kmdfsamples.cat shows the next error
SignTool Error: Signing Cert does not chain to a Microsoft Root Cert.
there is no way around it to my knowledge update me if there is a way around this, i just want to install stupid mouse driver because my mouse driver is bugged. but when i go into testmode most game’s anti cheat just prevent me from even opening the game so microsoft, the games and the mouse company all on me xD and btw the mouse driver was bugged it was a stupid redragon brand the bug was caused by the mouse software and inverted the motion of the mouse in the x direction.
Reply
Akos April 22, 2021 - 1:00 pm
After signing the cat file with timestamp
(./signtool sign /f C:\DriverCert\myDrivers.pfx /p mypass /t _http://timestamp.comodoca.com/authenticode /v C:\DriverCert\x\mp59g.cat)
verification
(.\signtool.exe verify /v /pa C:\DriverCert\x\mp59g.cat)
gives me an error:
SignTool Error: A certificate chain processed, but terminated in a root
certificate which is not trusted by the trust provider.
Number of files successfully Verified: 0
Number of warnings: 0
Number of errors: 1
Any clue?
Reply
Akos April 22, 2021 - 2:24 pm
OK, the order in the article were swapped for the following commands:
./certmgr.exe -add C:\DriverCert\myDrivers.cer -s -r localMachine ROOT
./certmgr.exe -add C:\DriverCert\myDrivers.cer -s -r localMachine TRUSTEDPUBLISHER
.\signtool.exe verify /v /pa C:\DriverCert\x\mp59g.cat
Now it’s fine.
Successfully verified: C:\DriverCert\x\mp59g.cat
Number of files successfully Verified: 1
Number of warnings: 0
Number of errors: 0
Worked on Windows 10 ,1803 using the enterprise SDK. Obviously, some commands need to be changed and you have to add the ROOT cert to the store or this will not be trusted!!!
Reply
Alain G. October 13, 2018 - 4:30 pm
I can use multi-partitionned SD cards in Windows 10 1803 without any additional driver. Checked on Home and Pro versions.
Reply
TPMJB August 27, 2018 - 1:55 pm
This really only works if test mode is on when adding the cert to the trusted publishers and trusted root certification authority. So basically just have test mode on all the time. It’s better than rebooting every time you want to use it and disabling driver verification.
Reply
Vladimir December 25, 2018 - 5:44 am
Good day.
Where i can find inf2cat.exe? After install all needed software, in thus folder only hrml file with information that this process now is part of build process.
Windows 10 1803
Reply
Keith April 8, 2019 - 6:06 pm
This does not seem to work on Windows 10 when SecureBoot is enabled. If SecureBoot is enabled the digital signatures details on the .cat file generated will say “A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider.” If you right click and try to install the INF file it claims there is a problem with the signature.
I was able to get it to work on a Windows 10 VMware machine where SecureBoot was not enabled. I googled the error message further and found that with SecureBoot enabled, the driver MUST be signed by Microsoft’s WHQL certification process. So in order for this to work you will have to go into your BIOS and disable Secure Boot.
Reply
admin April 15, 2019 - 11:44 am
Thanks for this info!
Reply
Marcus Ickes May 13, 2019 - 2:44 pm
This 100% absolutely Works!!! Thank you so much. Did this for an MS 2016 Server. Old plotter drivers. Thank you, Thank you, Thank you!
Reply
Chi January 21, 2020 - 1:10 am
This worked for me on windows 10 Pro 64 bit, thanks a ton!
Just a small thing, in some places “MyDriver” and “Driver” are used interchangeably, please fix that for people who don’t get things intuitively.
Reply
admin January 28, 2020 - 6:09 am
I’ve fixed this. Thanks!
Reply
WL February 16, 2020 - 10:05 pm
It works for me on Windows 10 Pro 64bit too. Thanks a lot.
Reply
hwangjin March 27, 2020 - 11:11 am
completely fake information. installing is succeeded, but never working normally. this is possible only when testsigning is on or when old driver was already signed by another legal code certificates
Reply
bloodhand April 10, 2020 - 7:43 pm
Thanks a lot for this guide. Only using your method I could install win7 on uefi class 3: the key to forcing a custom video driver at the installation of windows was to sign it with a selfmade certificate and then add the certificate to the registry of the installation. This way the video driver will be used at first boot, being able to complete the installation while you disable standard vga to ensure full compatibility with uefi.
Reply
Wil Diel May 22, 2020 - 12:18 pm
Thanks a lot for the guide. I was able to install the unsigned driver on my windows 10 without disabling the digital signature verification.
Reply
Graham Scales June 2, 2020 - 5:54 pm
After spending a Sunday trying to do it myself on Windows 10, I came across your article. Worked brilliantly, thank you!! My Windows kit was in C:\Program Files (x86)\Windows Kits\10\bin\10.0.19041.0\x64\ and as I was using Windows 10, used
Inf2Cat.exe /driver:”C:\DriverCert\xg20″ /os:10_X86,10_X64 /verbose
Reply
Chris July 6, 2020 - 1:19 am
I’ve tried three times, but it does not work. Certification process works until I do “signtool.exe verify /v /pa mydriver.cat”, then it says:
SignTool Error: A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider.
Number of files successfully Verified: 0
Number of warnings: 0
Number of errors: 1
I also installed the certificate and CertMgr does say it’s valid. Until I connect my device and install my drivers, then in Device Manager the yellow “!” shows up and says that the driver can’t be trusted.
What can I do to fix this?
Reply
Steve April 14, 2021 - 3:20 pm
Yes, ms crap ! The reason why is this necessary, vendors do not want to have additional costs and they don’t sign drivers cos MS want money, and the fact MS OS uses security policy rules (perfect for root viruses) and not root file security like in Linux ! The perfect platform for abandoning a bit older hardware that might still be performing well. This way MS controls what can windows run and what not and that might be against what user want ( i wonder how long will Win7 still be around, if even XP is still alive). So if MS is controlling hardware, why wtf they do not go to closed architecture ? I dont want to be limited if there are drivers that can run what so ever hardware and they aren’t signed cos MS is greedy piece of ass ? On the other hand they want Win on every imaginable devices ???
Reply
Sherif April 19, 2021 - 11:24 pm
I am down to a problem that seems alot of people are having and wondering if there is a fix.
following the Steps exactly using the 7.1 and another try with the newest version of 10, everything is working but the it tells me successfully signed after, note i changed the server because it was giving me timeout response and ofc the cat file name to my driver.
Signtool sign /f C:\DriverCert\myDrivers.pfx /p mypass /t _http://timestamp.comodoca.com/authenticode /v C:\DriverCert\xg20\kmdfsamples.cat
the verify line was showing root verification error line that was fixed after i imported the certificate in trusted user and it shows as in the picture “This signature is OK”.
I can now install the driver, i need to manually update a driver and i select my inf file, but device manager is telling me this does not have digital signature. so i am able to install but the driver does not work/load with the following error.
“Windows cannot verify the digital signature …… (code 52)” why when the signature told me it was OK i am not sure. so my question should the cat file name be the same name of the driver .inf and .sys files or it is fine to be different? will this help, why device manager does not recognize the signature?
Reply
Sherif April 19, 2021 - 11:58 pm
i attempted the Pnputil –i –a C:\DriverCert\xg20\firefly.inf but noticed that the cmd showed successfully imported but nothing was installed, so i opened the logs C:\Windows\inf\setupapi.dev.log and found out an error that the INF file hash is not stored in the catalog, then i looked at my catalog before signing inside C:\DriverCert\xg20 to find out that there was 4 security catalogs each file inf and sys is twice with different hashes, then after signing they became only two. i do not know why this is happened also why the catalog has 4 hashes to begin with.
Reply
Sherif April 20, 2021 - 1:54 am
latest update i realized that the code generate a cat file so i removed the old one and it worked, but it doesn’t just work still refuse to accept it, i will try more tomorrow and check the log thoroughly i am recieving root certificate error again but the verify is working perfectly, the hash error is gone
Reply
Sherif April 20, 2021 - 5:54 am
Bottom line it will not work, my driver need to run in kernal mode, the certifacate verification using signtool verify /v /kp c:\DriverCert\xg20\kmdfsamples.cat shows the next error
SignTool Error: Signing Cert does not chain to a Microsoft Root Cert.
there is no way around it to my knowledge update me if there is a way around this, i just want to install stupid mouse driver because my mouse driver is bugged. but when i go into testmode most game’s anti cheat just prevent me from even opening the game so microsoft, the games and the mouse company all on me xD and btw the mouse driver was bugged it was a stupid redragon brand the bug was caused by the mouse software and inverted the motion of the mouse in the x direction.
Reply
Akos April 22, 2021 - 1:00 pm
After signing the cat file with timestamp
(./signtool sign /f C:\DriverCert\myDrivers.pfx /p mypass /t _http://timestamp.comodoca.com/authenticode /v C:\DriverCert\x\mp59g.cat)
verification
(.\signtool.exe verify /v /pa C:\DriverCert\x\mp59g.cat)
gives me an error:
SignTool Error: A certificate chain processed, but terminated in a root
certificate which is not trusted by the trust provider.
Number of files successfully Verified: 0
Number of warnings: 0
Number of errors: 1
Any clue?
Reply
Akos April 22, 2021 - 2:24 pm
OK, the order in the article were swapped for the following commands:
./certmgr.exe -add C:\DriverCert\myDrivers.cer -s -r localMachine ROOT
./certmgr.exe -add C:\DriverCert\myDrivers.cer -s -r localMachine TRUSTEDPUBLISHER
.\signtool.exe verify /v /pa C:\DriverCert\x\mp59g.cat
Now it’s fine.
Successfully verified: C:\DriverCert\x\mp59g.cat
Number of files successfully Verified: 1
Number of warnings: 0
Number of errors: 0
I'm not gonna scroll thru a million Imgur screen caps. First, you're mounting W7 (not W8), stop with your version 7700,7746,7850 crap.
KB3033929 has been superseded, it's been replaced since 2017 by the monthly rollup. Jan 2020 was the last non-ESU download.
You're obviously throwing in a random set of updates, and NTLite is correctly rejecting them as the wrong release or architecture. W7 & W8 have different patch lists, you can't mix/match. Drivers can generally be shared from XP-W8 because of their design. W10 introduces a new driver model, so anything rewritten for W10 isn't backwards compatible.
Everyone knows about driver resigning... old news.
There's a lot of misplaced effort because you haven't learned the basics of which updates belong to which OS. If NTLite delivers you a working system, it's more of a testament to nuhi's error checking. I'm sorry, a lot of your lists is dead wrong.
Ryzen W7/W8? Check out the many threads where someone's submitted a working preset.
KB3033929 has been superseded, it's been replaced since 2017 by the monthly rollup. Jan 2020 was the last non-ESU download.
You're obviously throwing in a random set of updates, and NTLite is correctly rejecting them as the wrong release or architecture. W7 & W8 have different patch lists, you can't mix/match. Drivers can generally be shared from XP-W8 because of their design. W10 introduces a new driver model, so anything rewritten for W10 isn't backwards compatible.
Everyone knows about driver resigning... old news.
There's a lot of misplaced effort because you haven't learned the basics of which updates belong to which OS. If NTLite delivers you a working system, it's more of a testament to nuhi's error checking. I'm sorry, a lot of your lists is dead wrong.
Ryzen W7/W8? Check out the many threads where someone's submitted a working preset.
Last edited:
now MeKLiN has updated his posts i see a few things of possible interest.
i remember ultraform saying that he may not use something of mine but it gave him ideas.
users have posted things which other users may not know about so while post no1 in its original form was too esoteric and niche for my liking as he and others expanded this thread i see a few things of interest in other areas.
i remember ultraform saying that he may not use something of mine but it gave him ideas.
users have posted things which other users may not know about so while post no1 in its original form was too esoteric and niche for my liking as he and others expanded this thread i see a few things of interest in other areas.
Last edited:
not to a beginner it isnt. we were all beginners at one time.
going off topic(non NTLite) from time to time will bring new users in.