Windows 7 NVMe signed driver madness

[The_Pissed_One]

I have bought a brand new Crucial P2 NVMe drive. I want to install Windows 7 Pro 64 to it as a separate bootable install to what I have now. I have tried, and tried and tried to slipstream the USB 3.0 and NVMe drivers to the install using tools I have found on YouTube and what have you to no joy. Finally, I tried NTLite and was then able to (somewhat) slipstream the NVMe and USB drivers and compile to ISO and write that ISO to a USB drive. It booted, but I got an error about a missing CD driver yada, yada, so perhaps the USB driver was wrong. No problem. This time I just burned the damn ISO to DVD and booted that. Now I was not only able to get further in the install process, but Windows sees the NVMe drive! Hurray! Well, the party was short lived because after waiting for the install on slow optical media which was successful, Windows did its required reboot and said the damn NVMe driver was unsigned. "BS!" I yelled, because I checked the INF files and whatnot I downloaded from Crucial's website and all are signed.

So with that, this computer tech needs help even though I know TONS about computers, websites, cybersecurity, you name it. This signed driver crap is for the birds.

A) Here's the driver I downloaded. Scroll to the bottom where it says, "NVMe SSD driver for Windows OS." I slipstreamed the legacy 64 bit version into Windows 7 Pro 64 using NTLite. I also removed the other Windows versions to slightly lighten the ISO size using NTLite. If you download the driver you can see this driver is signed by right clicking on the sys and cat files and viewing properties. The INF isn't signed however and I think that's a manefest file or something. Been a while since I learned what an INF was. And in my current Windows 7 install I installed the NVMe driver with the MSI installer with no issue once so ever. (an MSI installer)! Though, I have a very uniqe setup where I may have ripped driver signing crap right out of Windows. I don't remember. Never the less, in my current running Windows 7 computer the NVMe drive DOES shows up in "My Computer"

B) Is there a way I can just rip this driver signing facility right out of Windows 7 using NTLite or some other third party tool?


C) Why on earth am I getting a signed driver error after Windows was installed and where the driver is clearly signed?

If it helps, here's my NTLite log (password: Winblows) (alternative link/alternative site) The first part of the log referring to drive E was my first and failed attempt. Latter, I read this write upand was successful (I think). Drive G is where all the action is. You'll note I added to the Microsoft Windows Recovery Environment, Microsoft Windows PE, boot.wim and install.wim. Should I just use boot and install?

Addendum:

When I installed the driver to this current running Windows 7 install using the MSI installer, this is what I see in Device Manager. Windows? 2006?! I was expecting it to say Micron with a year of 2021.





Thanks for any help and shedding any light to this massive issue. Perhaps I won't need to get hair replacement after all...

​

​

 

[Clanger]

When I installed the driver to this current running Windows 7 install using the MSI installer, this is what I see in Device Manager. Windows? 2006?! I was expecting it to say Micron with a year of 2021.

That driver is the standard ms inbox nvme driver but there is a later driver in KB3125574.

 

[The_Pissed_One]

Since I can see the contents in my NVMe drive in this current Windows 7 install, I looked through the incomplete install of Windows on the NVMe drive and see there's a log called "setupact.log" I opened it in Notepad++ and filtered all refernces to NVMe and here's what I got. https://www.klgrth.io/paste/tkyr2

And I see somone posted as I typed this. I'll read that now.

 

[The_Pissed_One]

That driver is the standard ms inbox nvme driver but there is a later driver in KB3125574.

Is one better than the other or something? Is that why Windows install threw a signed error at me on Windows install? Has to be a reason for this.

Edit-

And let me guess, I have to use some tool to unpack the KB just to get the driver? Oh, I guess adding it to NTLite would work, wouldn't it? But is that the answer?

 

[Clanger]

What chipset, amd or intel, if intel, what is the exact chipset? Intel has working usb3 drivers that work on 8/9th gen chipsets.

 

[garlin]

When I installed the driver to this current running Windows 7 install using the MSI installer, this is what I see in Device Manager. Windows? 2006?! I was expecting it to say Micron with a year of 2021.

View attachment 8311

Under Driver Details, what is the actual driver name? Did Windows match against a different driver?

 

[Clanger]

Hang on. THat driver isnt an inbox driver, its part of the 2 nvme KB's which are linked to the driver pack on my profile page along with the intel usb3 drivers

 

[The_Pissed_One]

Okay, I got this working - sort of...

Turns out I had slipped stream the wrong USB 3.0/1 drivers. So I slipped streamed the correct USB drivers and the Micron driver that came from Micron's website, used Ventoy to install and it worked as the NVMe drive showed up for install and I was able to boot via USB. But the problem now is (and this was a real PITA to figure out) I had to press F8 and select don't check for driver signatures or something on boot. This was due to the mtinvme.sys file dated March, 2021 (SHA:41F6D22A2E9B7BE915F0DD8DC8621A210201D2D66CEC736BBED1AB711F842C9C). Yet, this is what I see in the attached image for this driver file.

Then the fun really started to happen. Windows 7 kept rebooting into recovery mode or what ever its called. Not knowing what to do, and about ten freaking installs later, I figured out how to modify bcdedit to NOT check Windows on boot up so the computer could boot and not in this everlasting cycle of boot hell. I also confirmed why Windows was doing this by reading a log who's name I forget that was in the system32 folder. It said this mtinvme.sys file was to blame. Interesting enough, it had the drive letter of D:\ and not C:\ to the path of the mtinvme.sys file shown in the log. Yet my install is certainly C drive. I made sure of that because I read that could be an issue. (D drive may have refereed to the USB drive).

So now here I am. Even though I used bcdedit to not check driver integrity and whatnot and I'm now in so-called "test mode" with the watermark on the bottom right screen, I still have to press F8 on boot up to disable driver verification.

What makes matters worse is that there are anti-cheat programs (specifically for Seven Days To Die) that are part of some Steam games that don't like you in test mode like this for obvious reasons. So now I'm in a massive catch 22^45 freaking power!

The driver that's being the problem is the Micron NVMe Storage Controller. The disk drive driver seems to be fine and signature checks out.

So, question:

Is there a way to use a third-party storage controller driver for my Crucial P2 NVMe drive? Or perhaps what ever driver Windows 10 might have? Perhaps it'll work in 7? Kinda doubt it.

I'm not willing to install 10 right now and configure with various anti-telemetry scripts and whatnot until I get OPNSense (I like the added ZeroTier functionality) installed to block all the BS telemetry ASNs. LOL! Well, it's my PC, right? Personal Computer? I saw the telemetry just pour though VMware's NIC, let me tell you. No where near Windows 7 or even XP. To the Web Dev: I forge my UA in browser...

So yeah, how on earth do I fix this issue of not having to press F8 all the time on boot up just to bypass the driver signature crap?

Thanks in advance.

 

[Clanger]

Ive got a 250GB P2 and it uses the MS nvmes driver quite happily.
Windows6.1-KB2990941-v3-x??.msu = stornvme v6.1.7601.16385
KB3125574 --------------------------- = stornvme v6.1.7601.23403

If you absolutely insist on using the micron driver i can cover that if needed.

 

[The_Pissed_One]

Thanks. I'll give KBxxx74 a try first I think.

I'm curios about this statement:

If you absolutely insist on using the micron driver i can cover that if needed.

How would that be possible?

 

[Clanger]

I'm curios about this statement:
How would that be possible?

Short version, if you install an unsigned driver(from an exe installer) and you get the "always trust software from X" and you press "Yes - always trust software from X" it goes into the registry - windows will now always trust software from that publisher, you find that location, export key, import onto mounted image, either add the bare driver files, inf sys or an installer Post Setup and the driver will install. Savvy?

It works 100% for the Lexicon Alpha(usb audio interface) unsigned driver on w7 w8.1 and w10 1809. No disable signing enforcements, no watermarks.

I will post a guide with screen grabs only if 100% necessary because it takes time and effort.

You can use Windows6.1-KB2990941-v3-x??.msu = stornvme v6.1.7601.16385 on the install wim if you are not using kb3125574. I dont think the later driver is availible as a standalone update, i dont know for certain.

 

[garlin]

Long version is W7 SP1 image is so old, most of the default root certificates are expired or superceded. This isn't a problem on a live system, with WU installing newer certs. Unless you copy the certificate store from an updated system, your signed driver (2021) can't be validated.

I should probably do a write up, when there's more time.

 

[Clanger]

and thats only on systems where WU isnt cpu blocked.

 

[The_Pissed_One]

Yeah, that's makes sense I guess, and I've seen that "trust this hardware etc" popup before installing third party drivers for all kinds of things.

The issue here is, an I want to be clear, I slipped streamed this driver (the NVMe Micron driver) and it is NOW where I have to press F8 on boot up to tell Windows to ignore the apparent unsigned driver.

Now this is odd to me because like I said here, in my current running Windows environment I used the Micron installer and I can navigate to the NVMe drive under "My Computer" perfectly fine. Windows never threw a fit about lack of a signature when I double clicked the driver installer to install. It is only with me slipstreaming this driver and upon boot I get this error on the NVMe drive where I installed a fresh copy of Windows.

So in a nutshell, I have in fact two hard drives with Windows 7 installed. The one I'm using now which is on a SSD, and another install in the NVMe where it is I'm having this signature problem on boot up. I have to press F8 and chose the option to bypass driver signature verification or what ever it's called.

Now reading about that Cert. store is an interesting one and maybe that's the issue with this new install in the NVMe. Here are a couple screenshots of this NVMe driver running in this current Windows 7 install on the SSD where there's no trouble at all. It is the storage control driver I'm having issues with in the NVMe install of Windows 7. https://devicehunt.com/view/type/pci/vendor/C0A9/device/540A

(The missing network controller is just the WiFI PCI card here I've not yet installed the driver to. Yes, I use Truecrypt. I'll be migrating to Veracrypt. I followed the TC audit...)

Q: If I use KBxxxx941, is KB3087873 necessary? I got both from the Win-RAID post.

Q2: Is there a single update to update the root Certs.?

Edit-

CPU is an i5 6600K (No OC). I had an i7 7700 installed, but I temporally pulled it to test what a possible issue was with my computer which is unrelated to this NVMe install. So no, no unique motherboard setup here and whatnot. I do recall seeing that blocked CPU patch at Github. I'll probably go AMD Zen4 in the future anyway which means Windows 10. In the interim that's not happening.

 

[garlin]

I haven't validated it, but if you want to try -- integrate this reg file into install.wim. It's the root certificates exported from W10.
More for proof of concept.

My suspicion is all those "one weird trick" where you build SP1 with a different boot device, magically substitute the real driver later are actually exploiting the fact that the live system has updated its root certificates so the driver swap works.

 

[The_Pissed_One]

I'll give that a try. Thanks.

 

[Clanger]

Q: If I use KBxxxx941, is KB3087873 necessary? I got both from the Win-RAID post.

Yes, you must use both because KB3087873 is a hotfix for KBxxxx941.

 

[Clanger]

Keeping old OS's going can be a PiTA at times.

 

[Clanger]

garlin I found this, win-raid. I dont know where or how i found it originally but somehow i got it.
It might have come from that W-R google drive driver dump or from the site.

Edit - ahh, it came from w-r forum.

Spoiler

echo off &TITLE Win-RAID CA.cer install script
:WELCOME
cls
echo.
echo This will install the "Win-RAID CA.cer" as Trusted Root and Trusted Publisher Certificate.
echo.
set /P "START=Continue? (y/n): "

if '%START%' equ 'y' goto WORK
if '%START%' equ 'n' exit /B
goto WELCOME

:WORK
if not exist "%SYSTEMROOT%\System32\certutil.exe" goto CERTUTIL_NOT_FOUND
set "CA=%tmp%\Win-RAID CA.cer"
cls
echo ***************************************************************************
echo Creating 'Win-RAID CA.cer'
echo ***************************************************************************
echo.
:: extract certificat informations into tmp file
echo -----BEGIN CERTIFICATE----- > "%CA%.txt"
echo MIIGhzCCBG+gAwIBAgIQ5/ExbCzfI71GlXVExEmkNDANBgkqhkiG9w0BAQsFADCB>> "%CA%.txt"
echo lTElMCMGCSqGSIb3DQEJARYWZmVybmFuZG8udW5vQGdtYWlsLmNvbTELMAkGA1UE>> "%CA%.txt"
echo BhMCREUxCzAJBgNVBAgTAk5JMQ4wDAYDVQQHEwVKZXZlcjEZMBcGA1UEChMQd3d3>> "%CA%.txt"
echo Lndpbi1yYWlkLmNvbTERMA8GA1UECxMIRmVybmFuZG8xFDASBgNVBAMTC1dpbi1S>> "%CA%.txt"
echo QUlEIENBMB4XDTE1MTAyNTE4NTMyMloXDTM5MTIzMTIzNTk1OVowgZUxJTAjBgkq>> "%CA%.txt"
echo hkiG9w0BCQEWFmZlcm5hbmRvLnVub0BnbWFpbC5jb20xCzAJBgNVBAYTAkRFMQsw>> "%CA%.txt"
echo CQYDVQQIEwJOSTEOMAwGA1UEBxMFSmV2ZXIxGTAXBgNVBAoTEHd3dy53aW4tcmFp>> "%CA%.txt"
echo ZC5jb20xETAPBgNVBAsTCEZlcm5hbmRvMRQwEgYDVQQDEwtXaW4tUkFJRCBDQTCC>> "%CA%.txt"
echo AiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBANnjNZ0a7ultPdOGQOaEcd2h>> "%CA%.txt"
echo UImcX0685LMsVWei9gk3rpmLy2Sl7BxqeufC5EogXD9LZ1z4WE6Tw3NBUhgt0XrP>> "%CA%.txt"
echo ZWyfCNCUSfcvcV1dVux53LI+ySyUp2AcavHY8sbdhn7/jwHdkgTd3/xE+cn+U+2a>> "%CA%.txt"
echo 7X6Y0zQU7Sy8Up75ls7kq+rp61XfmntWIsGrtJbs09Bt3CYVo7SA57jHDJNGkuSV>> "%CA%.txt"
echo UwDNgUycuRiZT8qnarph0D3RamCpHYyEPnX87t0nRFbdRFMjI5JhBYuD/UE+2PXi>> "%CA%.txt"
echo 4+f2epX52VlpgqZn650kcTEmdl2sS+itxjQZpg1phRLrvYJHjShhNXYJZrq+WU1R>> "%CA%.txt"
echo ZdGOhH0cLz3yoAzW0JKwhOy8HgAjU1EkLcRYLtG6jl46BB6mEM8GXQXdogi9b+ul>> "%CA%.txt"
echo 6J1Pu6v7DvXY+CyJTHTX797DBdcSL/VWH9sA9cZ/ogLwu65BpD/m5ZhjpovX0AS4>> "%CA%.txt"
echo cI74ChYV0lXUhvWQ1KX5hBI4pPFjPZY+j3X5oagg7ERk2XVYdUBkwO8YAnF9O2lI>> "%CA%.txt"
echo s3r0KpZBTp5lvK+EdTp51VlK7LbMQQwwGMDOBGH6JHru7FR6f45a/1nKhcoNU689>> "%CA%.txt"
echo 0EQ9U/1vnOdiU3NVJC+DqtO9b1zvpDlwQUq075a4YizUQA4yj27biJH5dOERipGM>> "%CA%.txt"
echo s8BYrAZSh8m0Om/+/UmhAgMBAAGjgdAwgc0wgcoGA1UdAQSBwjCBv4AQ1POGTxms>> "%CA%.txt"
echo M91sp2WJs2oeOqGBmDCBlTElMCMGCSqGSIb3DQEJARYWZmVybmFuZG8udW5vQGdt>> "%CA%.txt"
echo YWlsLmNvbTELMAkGA1UEBhMCREUxCzAJBgNVBAgTAk5JMQ4wDAYDVQQHEwVKZXZl>> "%CA%.txt"
echo cjEZMBcGA1UEChMQd3d3Lndpbi1yYWlkLmNvbTERMA8GA1UECxMIRmVybmFuZG8x>> "%CA%.txt"
echo FDASBgNVBAMTC1dpbi1SQUlEIENBghDn8TFsLN8jvUaVdUTESaQ0MA0GCSqGSIb3>> "%CA%.txt"
echo DQEBCwUAA4ICAQDHTjgYnmRoQazjtYUXvlVzMDQ+81PN+Wfxe6HYJC2gUGJMFaeJ>> "%CA%.txt"
echo 43kkZPDgy7FAhmqxGTciUK42qRmYmE9cRtvBx/PI+VmtmNAhu3xaJHdFDZsyz6Ac>> "%CA%.txt"
echo 3j/3+HuA63MhXjEeO+XRBplYtg0xDJh8L7jFqLtMSUpET7mRA2i5ltOOv7eOrZcJ>> "%CA%.txt"
echo KGJHLqeGBlQOUyp2XVRO3Atg8H5E9Lr94VCAsN9eMyKkzI//iJLQm89FokjS9Qeo>> "%CA%.txt"
echo bDivRVZKqbcXx0RVSczmU/zAiVk87GEToJQyaKjp9KtOLyGNlEyb1WBb9CZUopaU>> "%CA%.txt"
echo H9b5qYmNJXR8lcmO2aGP61ssp1mQxWi+l9Ru8TKu32uGIazU34X3J8MUapkONLIj>> "%CA%.txt"
echo zboPzituAXyNQ0I6EHhw+RuAWpKhHSTpCzoONS38OJckhHtQImcMB75WUuxZO6LQ>> "%CA%.txt"
echo 1r2L6FrNAnHONSDPsOrYlowlE3qv6rCsKCgYKJEho8OlumLyUer6OYF/ujvmBnxy>> "%CA%.txt"
echo MMIjb8E9leWSexhIa4MipFWJ6JEoF/3TSg5uvUSBmwnVtC4rpuJyLIzIAAIA7I2W>> "%CA%.txt"
echo mkFzt1d8bScgw0aZmgFylOlfs6UG8wFByDqOxrIMMqgs0Uia06wzIWqXhU4UnaII>> "%CA%.txt"
echo 45UIXDc15FPanGjxbrP67bV92l7vpLzsyzxccVnADB6fK/F/EGByZiUAXA== >> "%CA%.txt"
echo -----END CERTIFICATE----- >> "%CA%.txt"

:: create Win-RAID CA.cer and delete tmp file
call %SYSTEMROOT%\System32\certutil.exe -decode "%CA%.txt" "%CA%"
call del /F "%CA%.txt"
echo. &echo.

echo ***************************************************************************
echo Installing 'Win-RAID CA.cer' as Trusted Root Certificate
echo ***************************************************************************
echo.
call %SYSTEMROOT%\System32\certutil.exe -f -addstore "Root" "%CA%"
echo. &echo.

echo ***************************************************************************
echo Installing 'Win-RAID CA.cer' as Trusted Publisher Certificate
echo ***************************************************************************
echo.
call %SYSTEMROOT%\System32\certutil.exe -f -addstore "TrustedPublisher" "%CA%"
echo. &echo.
call del /f "%CA%"
@pause
exit /B

:CERTUTIL_NOT_FOUND
cls
echo.
echo Failure: Windows tool "Certutil.exe" not found.
echo Certificate couldn't be installed.
echo.
@pause
exit /B

 

[garlin]

Win-RAID's certificate imported to offline SP1 image, using reg file.