Preliminary words:
Although I have modded a lot of drivers since 2003/2004, I didn’t know for a very long time, that and how it is possible to give these modded drivers a specific digital signature, which is accepted by the latest Windows Operating Systems.
My ignorance regarding this point ended in April 2015, when our Forum member mrces2 started this thread with a complete and perfect guide about how to manually sign my modded drivers with a “Win-RAID CA” Certificate. Later on the Forum members e.v.o and Zwulf wrote scripts, which allowed me to sign the modded drivers automaticly by using a unique Win-RAID CA certificate.
Meanwhile there is no need anymore for me to read any guide about how to sign a modded driver, but the users need a guide about how to get them properly installed. That is why I have cleaned this thread, removed the dispensable signature guides and scripts and put all informations regarding the usage of the “mod+signed” drivers into the new start post.
This is the place to say “Thank you!” to mrces2, e.v.o and in particular Zwulf for their phantastic support. Without their help I wouldn’t be able to offer my “mod+signed” drivers.
Advantages for the users:
- All my “mod+signed” drivers can easily been installed even while running Win8/10 without disabling the “Driver Signature Enforcement”.
- The import of the certificate has only to be done once and not with each modded driver.
Advantage for me:
- Due to the guides and scripts I got from mrces2, e.v.o and Zwulf it is very easy for me to offer all my modded drivers with a unique digital signature.
How to get modded drivers installed,
which are digitally signed by “Win-RAID CA”
I. Import of the Certificate to your personal system
To get full benefit from the driver’s digital signature, it is necessary to import the related Certificate (here: the Win-RAID CA one) and to declare it as trustworthy.
Important:
- This procedure has to be done only once! (before you are trying to get the first “mod+signed” driver installed)
- Mod+signed drivers cannot be used from scratch! (Reason: The Setup of modern Windows OSes demands WHQL certified third party storage drivers.)
The import of the Certificate can be done in 3 different ways (but with the same result):
- a) manually by using the “*.CAT” file of any driver, which has been signed by me, or
- b) manually by using a file named “Win-RAID CA.cer” or
- c) automaticly by using a script named “ImportCertificate.cmd” (built by Zwulf)
a) Here is a short guide for the .cat file method:
- Right click onto a *.cat file of any mod+signed driver > “Properties” > “Digital Signatures” > Click onto “Win-RAID CA” > “Details” > “View Certificate” > “Install Certificate” > “Local Machine” >“Next” > “Yes” > “Place all certificates in the following store” > “Browse” > Select “Trusted Root Certification Authorities” > “Ok” > “Next” > “Finish” > "Ok"
b) The Win-RAID CA.cer file method is a little bit easier:
- Double click onto the file named “Win-RAID CA.cer” > hit “Install Certificate…” > check “Local Computer” > “Ok” > choose “Place all certificates in the following store” > “Browse” > select “Trusted Root Certification Authorities” > “Next” > “Finish” > “Ok” > “Ok”.
c) And here is the easiest way to import the Win-RAID CA certificate:
- Thankfully our Forum member Zwulf has created for you a batch file script named ImportCertificate.cmd, which will import the Win-RAID CA certificate automaticly.
This is the content of the CMD file (just for those, who are interested to know it):1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
echo off &TITLE Win-RAID CA.cer install script
:WELCOME
cls
echo.
echo This will install the "Win-RAID CA.cer" as Trusted Root and Trusted Publisher Certificate.
echo.
set /P "START=Continue? (y/n): "
if '%START%' equ 'y' goto WORK
if '%START%' equ 'n' exit /B
goto WELCOME
:WORK
if not exist "%SYSTEMROOT%\System32\certutil.exe" goto CERTUTIL_NOT_FOUND
set "CA=%tmp%\Win-RAID CA.cer"
cls
echo ***************************************************************************
echo Creating 'Win-RAID CA.cer'
echo ***************************************************************************
echo.
:: extract certificat informations into tmp file
echo -----BEGIN CERTIFICATE----- > "%CA%.txt"
echo MIIGhzCCBG+gAwIBAgIQ5/ExbCzfI71GlXVExEmkNDANBgkqhkiG9w0BAQsFADCB>> "%CA%.txt"
echo lTElMCMGCSqGSIb3DQEJARYWZmVybmFuZG8udW5vQGdtYWlsLmNvbTELMAkGA1UE>> "%CA%.txt"
echo BhMCREUxCzAJBgNVBAgTAk5JMQ4wDAYDVQQHEwVKZXZlcjEZMBcGA1UEChMQd3d3>> "%CA%.txt"
echo Lndpbi1yYWlkLmNvbTERMA8GA1UECxMIRmVybmFuZG8xFDASBgNVBAMTC1dpbi1S>> "%CA%.txt"
echo QUlEIENBMB4XDTE1MTAyNTE4NTMyMloXDTM5MTIzMTIzNTk1OVowgZUxJTAjBgkq>> "%CA%.txt"
echo hkiG9w0BCQEWFmZlcm5hbmRvLnVub0BnbWFpbC5jb20xCzAJBgNVBAYTAkRFMQsw>> "%CA%.txt"
echo CQYDVQQIEwJOSTEOMAwGA1UEBxMFSmV2ZXIxGTAXBgNVBAoTEHd3dy53aW4tcmFp>> "%CA%.txt"
echo ZC5jb20xETAPBgNVBAsTCEZlcm5hbmRvMRQwEgYDVQQDEwtXaW4tUkFJRCBDQTCC>> "%CA%.txt"
echo AiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBANnjNZ0a7ultPdOGQOaEcd2h>> "%CA%.txt"
echo UImcX0685LMsVWei9gk3rpmLy2Sl7BxqeufC5EogXD9LZ1z4WE6Tw3NBUhgt0XrP>> "%CA%.txt"
echo ZWyfCNCUSfcvcV1dVux53LI+ySyUp2AcavHY8sbdhn7/jwHdkgTd3/xE+cn+U+2a>> "%CA%.txt"
echo 7X6Y0zQU7Sy8Up75ls7kq+rp61XfmntWIsGrtJbs09Bt3CYVo7SA57jHDJNGkuSV>> "%CA%.txt"
echo UwDNgUycuRiZT8qnarph0D3RamCpHYyEPnX87t0nRFbdRFMjI5JhBYuD/UE+2PXi>> "%CA%.txt"
echo 4+f2epX52VlpgqZn650kcTEmdl2sS+itxjQZpg1phRLrvYJHjShhNXYJZrq+WU1R>> "%CA%.txt"
echo ZdGOhH0cLz3yoAzW0JKwhOy8HgAjU1EkLcRYLtG6jl46BB6mEM8GXQXdogi9b+ul>> "%CA%.txt"
echo 6J1Pu6v7DvXY+CyJTHTX797DBdcSL/VWH9sA9cZ/ogLwu65BpD/m5ZhjpovX0AS4>> "%CA%.txt"
echo cI74ChYV0lXUhvWQ1KX5hBI4pPFjPZY+j3X5oagg7ERk2XVYdUBkwO8YAnF9O2lI>> "%CA%.txt"
echo s3r0KpZBTp5lvK+EdTp51VlK7LbMQQwwGMDOBGH6JHru7FR6f45a/1nKhcoNU689>> "%CA%.txt"
echo 0EQ9U/1vnOdiU3NVJC+DqtO9b1zvpDlwQUq075a4YizUQA4yj27biJH5dOERipGM>> "%CA%.txt"
echo s8BYrAZSh8m0Om/+/UmhAgMBAAGjgdAwgc0wgcoGA1UdAQSBwjCBv4AQ1POGTxms>> "%CA%.txt"
echo M91sp2WJs2oeOqGBmDCBlTElMCMGCSqGSIb3DQEJARYWZmVybmFuZG8udW5vQGdt>> "%CA%.txt"
echo YWlsLmNvbTELMAkGA1UEBhMCREUxCzAJBgNVBAgTAk5JMQ4wDAYDVQQHEwVKZXZl>> "%CA%.txt"
echo cjEZMBcGA1UEChMQd3d3Lndpbi1yYWlkLmNvbTERMA8GA1UECxMIRmVybmFuZG8x>> "%CA%.txt"
echo FDASBgNVBAMTC1dpbi1SQUlEIENBghDn8TFsLN8jvUaVdUTESaQ0MA0GCSqGSIb3>> "%CA%.txt"
echo DQEBCwUAA4ICAQDHTjgYnmRoQazjtYUXvlVzMDQ+81PN+Wfxe6HYJC2gUGJMFaeJ>> "%CA%.txt"
echo 43kkZPDgy7FAhmqxGTciUK42qRmYmE9cRtvBx/PI+VmtmNAhu3xaJHdFDZsyz6Ac>> "%CA%.txt"
echo 3j/3+HuA63MhXjEeO+XRBplYtg0xDJh8L7jFqLtMSUpET7mRA2i5ltOOv7eOrZcJ>> "%CA%.txt"
echo KGJHLqeGBlQOUyp2XVRO3Atg8H5E9Lr94VCAsN9eMyKkzI//iJLQm89FokjS9Qeo>> "%CA%.txt"
echo bDivRVZKqbcXx0RVSczmU/zAiVk87GEToJQyaKjp9KtOLyGNlEyb1WBb9CZUopaU>> "%CA%.txt"
echo H9b5qYmNJXR8lcmO2aGP61ssp1mQxWi+l9Ru8TKu32uGIazU34X3J8MUapkONLIj>> "%CA%.txt"
echo zboPzituAXyNQ0I6EHhw+RuAWpKhHSTpCzoONS38OJckhHtQImcMB75WUuxZO6LQ>> "%CA%.txt"
echo 1r2L6FrNAnHONSDPsOrYlowlE3qv6rCsKCgYKJEho8OlumLyUer6OYF/ujvmBnxy>> "%CA%.txt"
echo MMIjb8E9leWSexhIa4MipFWJ6JEoF/3TSg5uvUSBmwnVtC4rpuJyLIzIAAIA7I2W>> "%CA%.txt"
echo mkFzt1d8bScgw0aZmgFylOlfs6UG8wFByDqOxrIMMqgs0Uia06wzIWqXhU4UnaII>> "%CA%.txt"
echo 45UIXDc15FPanGjxbrP67bV92l7vpLzsyzxccVnADB6fK/F/EGByZiUAXA== >> "%CA%.txt"
echo -----END CERTIFICATE----- >> "%CA%.txt"
:: create Win-RAID CA.cer and delete tmp file
call %SYSTEMROOT%\System32\certutil.exe -decode "%CA%.txt" "%CA%"
call del /F "%CA%.txt"
echo. &echo.
echo ***************************************************************************
echo Installing 'Win-RAID CA.cer' as Trusted Root Certificate
echo ***************************************************************************
echo.
call %SYSTEMROOT%\System32\certutil.exe -f -addstore "Root" "%CA%"
echo. &echo.
echo ***************************************************************************
echo Installing 'Win-RAID CA.cer' as Trusted Publisher Certificate
echo ***************************************************************************
echo.
call %SYSTEMROOT%\System32\certutil.exe -f -addstore "TrustedPublisher" "%CA%"
echo. &echo.
call del /f "%CA%"
@pause
exit /B
:CERTUTIL_NOT_FOUND
cls
echo.
echo Failure: Windows tool "Certutil.exe" not found.
echo Certificate couldn't be installed.
echo.
@pause
exit /B
New since Win10 v1703 ("Creators Update"): Due to Microsoft's new security features the easiest option to get the Certificate imported doesn't work anymore.
This is the new way how to do it:- Create a folder named "Certificate" within the system drive (= drive C:) and copy the 2 files of the folder "Win-RAID CA Certificate" into it.
- Right-click onto the start button and choose the option "Windows PowerShell (Admin)".
- Write "cd C:\Certificate" and hit the "Enter" key.
- Write ".\ImportCertificate.cmd" (don't forget the dot and the backslash in front of the command!) and hit the "Enter" key again.
- Enter "y" (for "Yes!"), when prompted - thats all!
II. Installation of "pure" drivers (incl. the "mod+signed" ones)
The installation of any "pure" driverpack (containing visible *.inf, *.sys and *.cat files) can either be done
- a) from within the Device Manager (usual method) or
- b) from within the Command Prompt by using a special MS tool named DPInst.exe (method for advanced users).
A. Installation via Device Manager:
This is the way how to get any "mod+signed" driver properly installed (precondition: the Win-RAID CA certificate had already been successfully imported):
- Run the Device Manager and expand the section, where the related device is listed, whose driver you want to change/update. If you are unsure, which one of the listed devices is your candidate for a driver update, you should check the HardwareIDs.
- Right click onto the device, whose driver you want to install or update > "Update Driver Software..." > "Browse my Computer..."
- The next steps depend on the date, compatibility and digital signature of the driver you want to get installed:
-
a) "normal" driver installation (desired driver is newer, fully compatible and digitally signed by a trustworthy Certificate):
> "Browse" > navigate to the root of the folder, which contains the needed extracted files (*.CAT, *.INF and *.SYS) of the desired driver > "OK"
The OS Hardware Management will find the suitable driver files by its own (even from within any sub-folder). -
b) "forced" driver installation (pre-condition: the driver is compatible with the related device):
> "Let me pick ..." > "Have Disk" > navigate to the folder, which contains the needed files (*.CAT, *.INF and *.SYS) > double click onto the suitable *.INF file > "OK"
-
a) "normal" driver installation (desired driver is newer, fully compatible and digitally signed by a trustworthy Certificate):
B. Installation via DPInst.exe:
Precondition for this method is the availability of a tool named DPInst.exe, which is part of the OS specific Microsoft application named "Windows Driver Kit" (WDK.EXE).
Example: The "Windows 10 Driver Kit" can be downloaded from >here<.
Tip: Since only the small 32/64bit tool named DPInst is required, you can store just this file somewhere for any later usage without the need to reinstall the complete WDK Set.
Our Forum member Zwulf has written a short guide, which will make the usage of the DPInst tool much easier for you:
- Open the "Command prompt" with Admin rights and navigate to the folder, which contains the suitable 32/64bit DPInst.exe file:
Note: This is the standard path after having installed the complete "Windows Driver Kit". If you have stored the previously extracted DPInst.exe somewhere else, the path has to be customized.1
cd %PROGRAMFILES(X86)%\Windows Kits\10\redist\DIFx\dpinst\MultiLin\<x86|x64>
- Install all needed driver files from your specific <DriverPath> (the exact path has to be edited) by running this command:
The installation will be forced, even if a "better" driver is allready installed. The automated uninstaller creation is suppressed.1
dpinst.exe /q /sa /f /path "<DriverPath>"
Tip: The command line parameters are explained >here<.
Valid for both Driver Installation Methods:
Important; Although the driver (hopefully) has been successfully installed, it will not be used until the next (re-)boot.
III. Result
This is what you will see (using your OS language) after having successfully installed any driver, which has been "mod+signed" by me:
Credits go to:
- mrces2 for his perfect manual guide about how to digitally sign the drivers
- Zwulf for his phantastic scripts and his continuous help
- e.v.o for his tests and scripts
- zt3 for his useful tips