Requirements for Device Driver Signing and Staging

Applies To: Windows 7, Windows Server 2008 R2

To successfully complete the procedures in this guide, you must meet the following requirements:

  • A client computer running Windows 7 32-bit edition. This guide refers to this computer as DMI-Client1.

Important

The 64-bit versions of Windows 7 and Windows Server 2008 R2 have special signature requirements for kernel mode device drivers. If you use a 64-bit version of Windows, then you cannot create your own certificate for signing. Instead, you must use a Software Publishing Certificate that chains to an approved certification authority (CA). You can find approved CA list at Microsoft Cross-Certificates for Windows Kernel Mode Code Signing (https://go.microsoft.com/fwlink/?linkid=150525) in the Technical Library. You will also find links to more information about 64-bit signing, including a walkthrough paper about kernel mode driver signing in the “Additional Resources” section of the Conclusion topic at the end of this guide.

  • A device and its corresponding device driver package. The device driver package you use must not already be present on the computer, as either part of the in-box device driver set supplied by Microsoft with Windows, or already in the driver store on the DMI-Client1. If the device was previously installed on the computer then the driver package is likely to be in the driver store, and must be removed before starting the procedures in this guide. As long as the driver package is not one of the in-box driver packages provided with Windows, you can follow the steps in Remove driver installed in the previous procedure to remove the old copy and prepare the computer for this guide. The procedures in this guide use the sample "Toaster" device driver package which you can get as part of the Windows Driver Kit. If you choose to use some other device with its device driver package, the screens you see may differ from those described in this guide, and you may have to adapt certain steps to work with the driver package you are using.

  • Access to a protected administrator account on DMI-Client1. This guide calls this account TestAdmin. The procedures in this guide require administrator privileges for most steps. You must be logged into DMI-Client1 using this administrator account at the beginning of each procedure, unless you are directed otherwise.

Note

Windows 7 and Windows Server 2008 R2 support the concept of a protected administrator account. This account is a member of the Administrators group, but by default that security token is not directly used. Any attempt to carry out a task that requires the elevated rights of an administrator generates a dialog box asking for permission to perform that task. This dialog box is discussed in the section Responding to the User Account Control page. We recommend that you use a protected administrator account, rather than the built-in Administrator account whenever possible.

  • Access to a standard user account on DMI-Client1. This user account has no special memberships that grant any kind of elevated permissions. This guide calls this account TestUser. Do not log onto your computer with this account unless instructed to do so. With a standard user account, any attempt to carry out a task that requires the elevated rights of an administrator can generate a dialog box requesting the credentials of an account with administrator privileges. This dialog box is discussed in the section Responding to the User Account Control page.

Prerequisite procedures

Use the following procedures to configure your computer for the procedures in this guide.

  1. Responding to the User Account Control page

  2. Disable automatic searching of Windows Update for device drivers

  3. Install the Windows Driver Kit

  4. Configure the Toaster sample device driver package for use in this guide

  5. Install the Toaster Bus device driver

Responding to the User Account Control page

Membership in the Administrators group, or equivalent, is the minimum required to complete many procedures in this guide. In Windows 7 and Windows Server 2008 R2, when you attempt to perform a procedure that requires administrator rights, the following occurs:

  • The built-in administrator account is disabled by default. However, if you are logged in as the built-in Administrator account (not recommended) then the operation proceeds.

  • If you are logged on as a member of the Administrators group that is not the built-in Administrator account, then a User Account Control dialog box appears requests permission to continue. Click Continue to allow the operation to proceed.

  • If you are logged on as a standard user, then you could be prevented from performing the procedure. Depending on the procedure, a User Account Control dialog box might request the user name and password for an administrator account. If you provide valid credentials, then the operation runs in the security context of the administrator account you provided. If you cannot provide administrative credentials, then you are prevented from performing the procedure.

Important

Before providing credentials to run any administrative operation, ensure that the User Account Control page is displayed in response to an operation that you initiated. If the page appears unexpectedly, click the Details button, and then ensure that the task that is one you wish to allow.

This guide does not specify every occurrence of the User Account Control dialog box that you might encounter in performing these procedures. When special steps are required to run specific tasks as an administrator, those steps are documented in the guide.

Disable automatic searching of Windows Update for device drivers

Windows can be configured to include the driver library maintained by Microsoft on the Windows Update Web site.

Inclusion of Windows Update in the search is very useful for home users. However, many administrators need more control over which device drivers users can install. You can configure a computer policy to disable the inclusion of Windows Update in the search for device drivers. If you are using a device whose driver package is available on Windows Update for the scenarios in this guide, then you must use the following procedure for the scenarios to work as described. If you are using the sample “Toaster” driver, then you do not need to disable this search.

To disable automatic searching of Windows Update for device drivers

  1. Click Start, right-click Computer, and then click Properties.

  2. In the Tasks list, click Advanced System Settings.

  3. On the System Properties dialog box, click the Hardware tab, and then click Device Installation Settings.

  4. Select No, let me choose what to do, and then select Never install driver software from Windows Update.

  5. Click Save Changes, and then click OK twice, to close the System dialog box.

Without Windows Update, your computer searches only in the driver store (see second task in this guide) and in the folders listed in the DriverPath registry entry (see third task in this guide). Unlike previous versions of Windows, Windows 7 and Windows Server 2008 R2 do not prompt the user for media if the driver package is not found.

Note

Manual configuration of settings is useful only when managing a small number of computers. If you want to disable Windows Update search for device drivers, use Group Policy. The Specify search order for device driver source locations setting can be found in Group Policy Management Console at: Computer Configuration, Administrative Templates, System, Device Installation. To disable Windows Update, select Enabled, and then in the Select search order list select Do not search Windows Update.

Install the Windows Driver Kit

The tools used to digitally sign device driver packages -- MakeCert, Signability, and SignTool -- are part of the Windows Driver Kit (WDK). The sample device driver used for demonstration in this guide, Toaster, is also part of the WDK. If you do not already have a copy of the WDK installed, follow the steps in this procedure.

To install the WDK

  1. Log on to DMI-Client1 as DMI-Client1\TestAdmin.

  2. Browse to the local or shared network folder where you have a copy of the Windows Driver Kit version 7 for Windows 7 and Windows Server 2008 R2 installation files.

  3. Double-click Kitsetup.exe.

  4. In the Features list, click Full Development Environment, and then click OK.

  5. Specify the path to which the WDK components are to be installed, and then click OK.

  6. On the End-User License Agreement page, read the terms, select I Agree, and then click OK.

  7. When the installation is complete, click Finish to close the installer.

Configure the Toaster sample device driver package for use in this guide

If you have access to the Windows Driver Kit, you can use the following procedure to configure the Toaster sample device drivers for use with this guide.

If you do not have access to the Windows Driver Kit, then you can use any device for which the device driver is not already present in the driver store. The driver package for such a device must already be signed.

Use this procedure to compile the sample device drivers, and to copy them to a folder in a way that resembles how a third-party commercial driver package is typically provided.

To configure the Toaster sample device driver package

  1. Log onto DMI-Client1 as DMI-Client1\TestAdmin.

  2. Click Start, and then click All Programs.

  3. Click the following: Windows Driver Kits, **WDK **YourBuildNumber, Build Environments, Windows 7, and then x86 Free Build Environment.

    A command prompt window configured to build device drivers appears.

Note

You cannot use a standard Command Prompt window. The x86 Free Build Environment menu option configures the Path and other environment variables to specifically support the tools used for building device drivers.

  1. Start Notepad by typing the following at the command prompt. You must still be in the **c:\winddk\**YourBuildNumber folder.

    notepad copytoastfiles.cmd
    
  2. In the confirmation dialog box, click Yes to create a new file.

  3. Copy and paste the following text into the Notepad window:

    @REM ----------START COPY HERE----------
    @echo off
    pushd
    Set destpath=c:\toaster
    Echo Creating destination folder structure:
    Md %destpath%
    Md %destpath%\bus
    Md %destpath%\device
    Md %destpath%\device\i386
    Echo Compiling the Bus device driver:
    Cd .\src\general\toaster\wdm\bus
    Build -cZ
    Echo Compiling the Plug-in Utility:
    Cd ..\..\exe\enum
    Build -cZ
    Echo Copying the device driver files to the destination folders:
    Cd ..\..
    Copy .\wdm\bus\objfre_win7_x86\i386\busenum.sys %destpath%\bus
    Copy .\wdm\inf\i386\bus.inf %destpath%\bus
    Copy .\toastpkg\toastcd\toastpkg.inf %destpath%\device
    Copy .\toastpkg\toastcd\i386\toaster.sys %destpath%\device\i386
    Copy .\toastpkg\toastcd\i386\tostrcls.dll %destpath%\device\i386
    Copy .\exe\enum\objfre_win7_x86\i386\enum.exe %destpath%
    Echo Toaster sample device driver is ready to use in %destpath%
    popd
    dir %destpath%
    @REM ----------END COPY HERE----------
    

Note

You must have write permissions to the destination folder. The command file uses the path c:\toaster by default. If you change that path, then you must use your altered path in the procedures that follow.

  1. Save the file, and then close Notepad.

  2. In the Build Environment command window, run the .cmd file you just created.

    copytoastfiles
    

Important

The file must be run at the command prompt in the folder specified, or it fails.

Install the Toaster Bus device driver

There is no physical Toaster device that you plug in and unplug for this guide. Instead, the sample Toaster device is simulated by a device driver, and supported by the combination of a special bus driver and a tool. Like a USB bus, the Toaster Bus device driver starts the installation of a device driver when it detects the insertion of the sample Toaster device. The insertion of the Toaster device is simulated by the Enum.exe tool included with the Toaster sample package. Before you can simulate insertion and removal of the device by running Enum.exe, the Toaster Bus device driver must be installed.

To install the Toaster Bus device driver

  1. In the x86 Free Build Environment command prompt window, run the following command:

    mmc devmgmt.msc
    
  2. Right-click the top node that represents your computer, and then click Add legacy hardware.

  3. On the Welcome to the Add Hardware Wizard page, click Next.

  4. On the The wizard can help you install other hardware page, select Install the hardware that I manually select from a list (Advanced), and then click Next.

  5. In the list, scroll down and select System devices, and then click Next.

  6. On the Select the device driver you want to install for this hardware page, click Have Disk.

  7. Click Browse, and then navigate to the toaster bus driver folder created by the script you ran. This folder is c:\toaster\bus, unless you modified the script.

  8. In the file window, click the bus setup information file (.inf) file, and then click Open.

  9. Back on the Install from Disk dialog box, click OK.

  10. In the Select the device driver you want to install for this hardware dialog box, select Toaster Bus Enumerator, and then click Next.

  11. On the The wizard is ready to install your hardware page, click Next.

    The Windows Security dialog box appears, because there is not a valid digital signature for the device driver. Click Install this driver software anyway to allow installation to proceed.

  12. After installation completes, on the Completing the Add Hardware Wizard page, click Finish.

  13. In Device Manager, double-click System Devices to expand the list.

  14. Confirm that Toaster Bus Enumerator is in the list, and then close Device Manager.

  15. Close the x86 Free Build Environment command prompt window.