Steps for Staging a Device Driver Package in the Driver Store

Applies To: Windows 7, Windows Server 2008 R2

Staging a device driver package in the driver store on the client computer ensures the smoothest user experience. After the signed driver package is in the driver store, Windows considers the package trusted. As long as you do not have a device installation restriction policy in effect for a specific device, the user can simply plug in the device and Windows silently installs the device driver.

Windows includes a tool called PnPUtil that you can use to manage the driver store, including adding driver packages, removing driver packages, and listing the driver packages that are in the store.

Important

You can only run the PnPUtil tool from a command prompt that is running with administrator permissions. The tool cannot invoke the User Account Control dialog box. If you attempt to use the PnPUtil tool to add or remove packages from a command prompt that is not running as administrator, the command will fail.

Steps Outline: staging a device driver package in the driver store

Step 1: Attempt to stage an unsigned driver package

Step 2: Attempt to stage a signed, but improperly modified driver package

Step 3: Attempt to stage the properly signed driver package

Step 4: Test installation of the package

Step 1: Attempt to stage an unsigned driver package

Windows interrupts an attempt to install an improperly signed driver package.

To attempt staging of an unsigned driver package

  1. At the x86 Free Build Environment command prompt with administrator permissions, temporarily rename the .cat file to effectively remove the signature from the driver package. You must be in the folder containing your device driver files (c:\toaster\device). Type the following command:

    ren toaster.cat toaster.nosig
    
  2. Attempt to stage the unsigned package. At the command prompt running with elevated permissions, type the command:

    pnputil.exe -a toastpkg.inf
    

    The Windows Security dialog box appears because the .inf file is not signed. Windows cannot match it against the certificates that are trusted by the computer.

  3. Click Don't install this driver software.

    The PnPUtil tool indicates that the staging operation failed:

    Adding the driver package failed : A file could not be verified because it does not have an associated catalog signed via Authenticode(tm).
    Total attempted:              1
    Number successfully imported: 0
    
  4. Rename the catalog file back to its correct name. At the command prompt, type:

    ren toaster.nosig toaster.cat
    

Step 2: Attempt to stage a signed, but improperly modified driver package

Windows will also interrupt an attempt to install a driver package that has been modified after it was signed. Because the signature includes thumbprints for each file, making a change to any of the files in the package causes the validity check for the signature to fail.

To attempt staging a signed, but modified driver package

  1. Save a copy of the correct toastpkg.inf file. At the command prompt type:

    Copy toastpkg.inf toastpkg.orig
    
  2. Modify toastpkg.inf so that its thumbprint is no longer valid. Open it in Notepad:

    notepad toastpkg.inf
    
  3. With the cursor at the very beginning of the file, press Enter to add a blank line, and then save your changes and close Notepad.

  4. Attempt to stage the modified package. At the command prompt, type:

    pnputil.exe -a toastpkg.inf
    

    Because the package was modified after being signed, the Windows Security dialog box appears, warning you that Windows cannot verify the publisher, an indication that the signature is invalid. In this case it is invalid because one of the hashes included in the signature no longer matches the associated file.

  5. Click Don't install this driver software.

  6. Overwrite the modified .inf with the original. At the command prompt, type:

    Copy /y toastpkg.orig toastpkg.inf
    

Step 3: Attempt to stage the properly signed driver package

To attempt staging a properly signed package

  1. Attempt to stage the package. At the command prompt, type:

    pnputil.exe -a toastpkg.inf
    

    Because the signature attached to the package is valid, the files are unmodified, and the file thumbprints match the signature, Windows successfully stages the package, with no prompts. The output includes the published name with the OEM number that you can use to remove the driver package from the store later, if needed.

  2. Make note of the number assigned to your package.

    Microsoft PnP Utility
    
    Processing inf :            toastpkg.inf
    Driver Package added successfully.
    Published name :            oem2.inf
    
    Total attempted:              1
    Number successfully imported: 1
    

Note

The number assigned to your package might be different due to the number of driver packages that are already installed on your computer.

You can view the package in the store by running the PnPUtil tool with the -e (for 'enumerate') parameter.

To examine the package in the driver store

  1. At the command prompt, type:

    pnputil.exe -e
    
  2. Look for the package with your OEM## listed in the output. Make note of this number because you might need it later. You can also see the version number and date that you entered in the .inf file.

    Published name :            oem2.inf
    Driver package provider :   Toast´R´Us
    Class :                     Unknown driver class
    Driver version and date :   05/01/2009 9.9.9.9
    Signer name :               MyCompany - for test use only
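
The enumeration above can also serve as an audit of who signed each staged package. The following is an added example, not part of the original guide: it parses the output of pnputil.exe -e into objects and lists the packages whose signer is not on an allowlist. The allowlist contents, the function names, and the second sample entry (oem3.inf and its signer) are assumptions made for illustration.

```powershell
# Added example, written for PowerShell 2.0 (Windows 7) and later.
# Assumption: signers you accept; here only the lab certificate from this guide.
$AllowedSigners = @('MyCompany - for test use only')

# Map the field labels printed by "pnputil.exe -e" to property names.
$FieldMap = @{
    'Published name'          = 'PublishedName'
    'Driver package provider' = 'Provider'
    'Class'                   = 'Class'
    'Driver version and date' = 'VersionAndDate'
    'Signer name'             = 'Signer'
}

function ConvertFrom-PnpUtilEnum {
    param([string[]]$Lines)
    $current = @{}
    foreach ($line in $Lines) {
        if ($line -match '^\s*([^:]+?)\s*:\s*(.*)$' -and $FieldMap.ContainsKey($matches[1])) {
            $name = $FieldMap[$matches[1]]
            # Each "Published name" line starts the next package record.
            if ($name -eq 'PublishedName' -and $current.Count -gt 0) {
                New-Object PSObject -Property $current
                $current = @{}
            }
            $current[$name] = $matches[2].Trim()
        }
    }
    if ($current.Count -gt 0) { New-Object PSObject -Property $current }
}

function Get-UnexpectedDriverPackage {
    param([string[]]$Lines, [string[]]$Allowed)
    ConvertFrom-PnpUtilEnum $Lines | Where-Object { $Allowed -notcontains $_.Signer }
}

# Constructed sample: the entry shown above plus a hypothetical oem3.inf.
$sample = @'
Published name :            oem2.inf
Driver package provider :   Toast´R´Us
Class :                     Unknown driver class
Driver version and date :   05/01/2009 9.9.9.9
Signer name :               MyCompany - for test use only

Published name :            oem3.inf
Driver package provider :   Example Vendor
Signer name :               Example Vendor Test Certificate
'@ -split "`r?`n"
Get-UnexpectedDriverPackage $sample $AllowedSigners | Select-Object PublishedName, Provider, Signer
# For live data at an elevated prompt, replace $sample with (pnputil.exe -e).
```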
    

Step 4: Test installation of the package

The driver package is now in the driver store. Because it was staged by an account that has the required administrative rights, and Windows has checked the validity of the digital signature, a standard user can install the device driver simply by attaching the device.

Note

In this procedure, you run the Enum.exe tool as an administrator, even though Windows can install a device driver from the store as a standard user. The elevated permissions are required because of the simulation of the hardware in software, not because of the device driver installation process. If you follow these procedures with a real hardware device, using a vendor-provided device driver, you do not need to be logged on as an administrator when inserting the device.

To test installation of the staged package

  1. Log off, and then log on as DMI-Client1\TestUser.

  2. Open a command prompt with administrator rights. Click Start and All Programs, and then click Accessories. Right-click Command Prompt, and then click Run as administrator.

  3. On the User Account Control page, you are asked to specify an administrator account and its password. Select TestAdmin, enter its password, and then click Yes.

    The command prompt opens.

  4. Start Device Manager so you can view the installed device. At the command prompt with elevated permissions, type the following command:

    mmc devmgmt.msc
    
  5. Rearrange the windows so you can use the command prompt while still seeing the contents of Device Manager.

  6. Change to the c:\toaster folder. At the command prompt, type the following command:

    cd \toaster
    
  7. Run the Enum.exe tool, which simulates plugging in a Toaster device. At the command prompt, type:

    Enum -p 1
    

    After the device driver finishes installing, the device appears in Device Manager.

Note

Do not attempt to uninstall the device driver until instructed to do so in the following procedure.