[Tips+Discussion] Usage of "mod+signed" Drivers

Preliminary words:
Although I have modded a lot of drivers since 2003/2004, I didn’t know for a very long time that (and how) it is possible to give these modded drivers a specific digital signature, which is accepted by the latest Windows Operating Systems.
My ignorance regarding this point ended in April 2015, when our Forum member mrces2 started this thread with a complete and perfect guide about how to manually sign my modded drivers with a “Win-RAID CA” Certificate. Later on the Forum members e.v.o and Zwulf wrote scripts, which allowed me to sign the modded drivers automatically by using a unique Win-RAID CA certificate.
Meanwhile there is no need anymore for me to read any guide about how to sign a modded driver, but the users need a guide about how to get them properly installed. That is why I have cleaned this thread, removed the dispensable signature guides and scripts and put all information regarding the usage of the “mod+signed” drivers into the new start post.
This is the place to say “Thank you!” to mrces2, e.v.o and in particular Zwulf for their fantastic support. Without their help I wouldn’t be able to offer my “mod+signed” drivers.

Advantages for the users:

  • All my “mod+signed” drivers can easily be installed even while running Win8/10 without disabling the “Driver Signature Enforcement”.
  • The import of the certificate has only to be done once and not with each modded driver.

Advantage for me:
  • Due to the guides and scripts I got from mrces2, e.v.o and Zwulf it is very easy for me to offer all my modded drivers with a unique digital signature.



How to get modded drivers installed,
which are digitally signed by “Win-RAID CA”


I. Import of the Certificate to your personal system

To get full benefit from the driver’s digital signature, it is necessary to import the related Certificate (here: the Win-RAID CA one) and to declare it as trustworthy.
Important:
  • This procedure has to be done only once! (before you are trying to get the first “mod+signed” driver installed)
  • Mod+signed drivers cannot be used from scratch! (Reason: The Setup of modern Windows OSes demands WHQL certified third party storage drivers.)

The import of the Certificate can be done in 3 different ways (but with the same result):
  • a) manually by using the “*.CAT” file of any driver, which has been signed by me, or
  • b) manually by using a file named “Win-RAID CA.cer” or
  • c) automatically by using a script named “ImportCertificate.cmd” (built by Zwulf)
Note: To make it as easy as possible for you, I have added to all my “mod+signed” driverpacks a separate folder named “Win-RAID CA Certificate”, where you can find the needed files for the options b) and c).

a) Here is a short guide for the .cat file method:
  • Right click onto a *.cat file of any mod+signed driver > “Properties” > “Digital Signatures” > Click onto “Win-RAID CA” > “Details” > “View Certificate” > “Install Certificate” > “Local Machine” >“Next” > “Yes” > “Place all certificates in the following store” > “Browse” > Select “Trusted Root Certification Authorities” > “Ok” > “Next” > “Finish” > "Ok"

b) The Win-RAID CA.cer file method is a little bit easier:
  • Double click onto the file named “Win-RAID CA.cer” > hit “Install Certificate…” > check “Local Computer” > “Ok” > choose “Place all certificates in the following store” > “Browse” > select “Trusted Root Certification Authorities” > “Next” > “Finish” > “Ok” > “Ok”.

c) And here is the easiest way to import the Win-RAID CA certificate:
  • Thankfully our Forum member Zwulf has created for you a batch file script named ImportCertificate.cmd, which will import the Win-RAID CA certificate automatically.
    This is the content of the CMD file (just for those, who are interested to know it):

    @echo off & TITLE Win-RAID CA.cer install script
    :WELCOME
    cls
    echo.
    echo This will install the "Win-RAID CA.cer" as Trusted Root and Trusted Publisher Certificate.
    echo.
    set /P "START=Continue? (y/n): "
     
    if '%START%' equ 'y' goto WORK
    if '%START%' equ 'n' exit /B
    goto WELCOME
     
    :WORK
    if not exist "%SYSTEMROOT%\System32\certutil.exe" goto CERTUTIL_NOT_FOUND
    set "CA=%tmp%\Win-RAID CA.cer"
    cls
    echo ***************************************************************************
    echo Creating 'Win-RAID CA.cer'
    echo ***************************************************************************
    echo.
    :: extract certificate information into tmp file
    echo -----BEGIN CERTIFICATE----- > "%CA%.txt"
    echo MIIGhzCCBG+gAwIBAgIQ5/ExbCzfI71GlXVExEmkNDANBgkqhkiG9w0BAQsFADCB>> "%CA%.txt"
    echo lTElMCMGCSqGSIb3DQEJARYWZmVybmFuZG8udW5vQGdtYWlsLmNvbTELMAkGA1UE>> "%CA%.txt"
    echo BhMCREUxCzAJBgNVBAgTAk5JMQ4wDAYDVQQHEwVKZXZlcjEZMBcGA1UEChMQd3d3>> "%CA%.txt"
    echo Lndpbi1yYWlkLmNvbTERMA8GA1UECxMIRmVybmFuZG8xFDASBgNVBAMTC1dpbi1S>> "%CA%.txt"
    echo QUlEIENBMB4XDTE1MTAyNTE4NTMyMloXDTM5MTIzMTIzNTk1OVowgZUxJTAjBgkq>> "%CA%.txt"
    echo hkiG9w0BCQEWFmZlcm5hbmRvLnVub0BnbWFpbC5jb20xCzAJBgNVBAYTAkRFMQsw>> "%CA%.txt"
    echo CQYDVQQIEwJOSTEOMAwGA1UEBxMFSmV2ZXIxGTAXBgNVBAoTEHd3dy53aW4tcmFp>> "%CA%.txt"
    echo ZC5jb20xETAPBgNVBAsTCEZlcm5hbmRvMRQwEgYDVQQDEwtXaW4tUkFJRCBDQTCC>> "%CA%.txt"
    echo AiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBANnjNZ0a7ultPdOGQOaEcd2h>> "%CA%.txt"
    echo UImcX0685LMsVWei9gk3rpmLy2Sl7BxqeufC5EogXD9LZ1z4WE6Tw3NBUhgt0XrP>> "%CA%.txt"
    echo ZWyfCNCUSfcvcV1dVux53LI+ySyUp2AcavHY8sbdhn7/jwHdkgTd3/xE+cn+U+2a>> "%CA%.txt"
    echo 7X6Y0zQU7Sy8Up75ls7kq+rp61XfmntWIsGrtJbs09Bt3CYVo7SA57jHDJNGkuSV>> "%CA%.txt"
    echo UwDNgUycuRiZT8qnarph0D3RamCpHYyEPnX87t0nRFbdRFMjI5JhBYuD/UE+2PXi>> "%CA%.txt"
    echo 4+f2epX52VlpgqZn650kcTEmdl2sS+itxjQZpg1phRLrvYJHjShhNXYJZrq+WU1R>> "%CA%.txt"
    echo ZdGOhH0cLz3yoAzW0JKwhOy8HgAjU1EkLcRYLtG6jl46BB6mEM8GXQXdogi9b+ul>> "%CA%.txt"
    echo 6J1Pu6v7DvXY+CyJTHTX797DBdcSL/VWH9sA9cZ/ogLwu65BpD/m5ZhjpovX0AS4>> "%CA%.txt"
    echo cI74ChYV0lXUhvWQ1KX5hBI4pPFjPZY+j3X5oagg7ERk2XVYdUBkwO8YAnF9O2lI>> "%CA%.txt"
    echo s3r0KpZBTp5lvK+EdTp51VlK7LbMQQwwGMDOBGH6JHru7FR6f45a/1nKhcoNU689>> "%CA%.txt"
    echo 0EQ9U/1vnOdiU3NVJC+DqtO9b1zvpDlwQUq075a4YizUQA4yj27biJH5dOERipGM>> "%CA%.txt"
    echo s8BYrAZSh8m0Om/+/UmhAgMBAAGjgdAwgc0wgcoGA1UdAQSBwjCBv4AQ1POGTxms>> "%CA%.txt"
    echo M91sp2WJs2oeOqGBmDCBlTElMCMGCSqGSIb3DQEJARYWZmVybmFuZG8udW5vQGdt>> "%CA%.txt"
    echo YWlsLmNvbTELMAkGA1UEBhMCREUxCzAJBgNVBAgTAk5JMQ4wDAYDVQQHEwVKZXZl>> "%CA%.txt"
    echo cjEZMBcGA1UEChMQd3d3Lndpbi1yYWlkLmNvbTERMA8GA1UECxMIRmVybmFuZG8x>> "%CA%.txt"
    echo FDASBgNVBAMTC1dpbi1SQUlEIENBghDn8TFsLN8jvUaVdUTESaQ0MA0GCSqGSIb3>> "%CA%.txt"
    echo DQEBCwUAA4ICAQDHTjgYnmRoQazjtYUXvlVzMDQ+81PN+Wfxe6HYJC2gUGJMFaeJ>> "%CA%.txt"
    echo 43kkZPDgy7FAhmqxGTciUK42qRmYmE9cRtvBx/PI+VmtmNAhu3xaJHdFDZsyz6Ac>> "%CA%.txt"
    echo 3j/3+HuA63MhXjEeO+XRBplYtg0xDJh8L7jFqLtMSUpET7mRA2i5ltOOv7eOrZcJ>> "%CA%.txt"
    echo KGJHLqeGBlQOUyp2XVRO3Atg8H5E9Lr94VCAsN9eMyKkzI//iJLQm89FokjS9Qeo>> "%CA%.txt"
    echo bDivRVZKqbcXx0RVSczmU/zAiVk87GEToJQyaKjp9KtOLyGNlEyb1WBb9CZUopaU>> "%CA%.txt"
    echo H9b5qYmNJXR8lcmO2aGP61ssp1mQxWi+l9Ru8TKu32uGIazU34X3J8MUapkONLIj>> "%CA%.txt"
    echo zboPzituAXyNQ0I6EHhw+RuAWpKhHSTpCzoONS38OJckhHtQImcMB75WUuxZO6LQ>> "%CA%.txt"
    echo 1r2L6FrNAnHONSDPsOrYlowlE3qv6rCsKCgYKJEho8OlumLyUer6OYF/ujvmBnxy>> "%CA%.txt"
    echo MMIjb8E9leWSexhIa4MipFWJ6JEoF/3TSg5uvUSBmwnVtC4rpuJyLIzIAAIA7I2W>> "%CA%.txt"
    echo mkFzt1d8bScgw0aZmgFylOlfs6UG8wFByDqOxrIMMqgs0Uia06wzIWqXhU4UnaII>> "%CA%.txt"
    echo 45UIXDc15FPanGjxbrP67bV92l7vpLzsyzxccVnADB6fK/F/EGByZiUAXA== >> "%CA%.txt"
    echo -----END CERTIFICATE----- >> "%CA%.txt"
     
    :: create Win-RAID CA.cer and delete tmp file
    call %SYSTEMROOT%\System32\certutil.exe -decode "%CA%.txt" "%CA%"
    call del /F "%CA%.txt"
    echo. &echo.
     
    echo ***************************************************************************
    echo Installing 'Win-RAID CA.cer' as Trusted Root Certificate
    echo ***************************************************************************
    echo.
    call %SYSTEMROOT%\System32\certutil.exe -f -addstore "Root" "%CA%"
    echo. &echo.
     
    echo ***************************************************************************
    echo Installing 'Win-RAID CA.cer' as Trusted Publisher Certificate
    echo ***************************************************************************
    echo.
    call %SYSTEMROOT%\System32\certutil.exe -f -addstore "TrustedPublisher" "%CA%"
    echo. &echo.
    call del /f "%CA%"
    @pause
    exit /B
     
    :CERTUTIL_NOT_FOUND
    cls
    echo.
    echo Failure: Windows tool "Certutil.exe" not found.
    echo Certificate couldn't be installed.
    echo.
    @pause
    exit /B
     
    Usage: Right click onto the CMD file > "Run as Administrator" > Enter "y" (for Yes!), when prompted - That's all!
    New since Win10 v1703 ("Creators Update"): Due to Microsoft's new security features the easiest option to get the Certificate imported doesn't work anymore.
    This is the new way how to do it:
    1. Create a folder named "Certificate" within the system drive (= drive C:) and copy the 2 files of the folder "Win-RAID CA Certificate" into it.
    2. Right-click onto the start button and choose the option "Windows PowerShell (Admin)".
    3. Write "cd C:\Certificate" and hit the "Enter" key.
    4. Write ".\ImportCertificate.cmd" (don't forget the dot and the backslash in front of the command!) and hit the "Enter" key again.
    5. Enter "y" (for "Yes!"), when prompted - that's all!


II. Installation of "pure" drivers (incl. the "mod+signed" ones)

The installation of any "pure" driverpack (containing visible *.inf, *.sys and *.cat files) can either be done
  • a) from within the Device Manager (usual method) or
  • b) from within the Command Prompt by using a special MS tool named DPInst.exe (method for advanced users).

A. Installation via Device Manager:
This is the way how to get any "mod+signed" driver properly installed (precondition: the Win-RAID CA certificate had already been successfully imported):
  1. Run the Device Manager and expand the section, where the related device is listed, whose driver you want to change/update. If you are unsure, which one of the listed devices is your candidate for a driver update, you should check the HardwareIDs.
  2. Right click onto the device, whose driver you want to install or update > "Update Driver Software..." > "Browse my Computer..."
  3. The next steps depend on the date, compatibility and digital signature of the driver you want to get installed:
    • a) "normal" driver installation (desired driver is newer, fully compatible and digitally signed by a trustworthy Certificate):
      > "Browse" > navigate to the root of the folder, which contains the needed extracted files (*.CAT, *.INF and *.SYS) of the desired driver > "OK"
      The OS Hardware Management will find the suitable driver files by its own (even from within any sub-folder).
    • b) "forced" driver installation (pre-condition: the driver is compatible with the related device):
      > "Let me pick ..." > "Have Disk" > navigate to the folder, which contains the needed files (*.CAT, *.INF and *.SYS) > double click onto the suitable *.INF file > "OK"

B. Installation via DPInst.exe:
Precondition for this method is the availability of a tool named DPInst.exe, which is part of the OS specific Microsoft application named "Windows Driver Kit" (WDK.EXE).
Example: The "Windows 10 Driver Kit" can be downloaded from >here<.
Tip: Since only the small 32/64bit tool named DPInst is required, you can store just this file somewhere for any later usage without the need to reinstall the complete WDK Set.
Our Forum member Zwulf has written a short guide, which will make the usage of the DPInst tool much easier for you:
  1. Open the "Command prompt" with Admin rights and navigate to the folder, which contains the suitable 32/64bit DPInst.exe file:
     
    cd %PROGRAMFILES(X86)%\Windows Kits\10\redist\DIFx\dpinst\MultiLin\<x86|x64>
     
    Note: This is the standard path after having installed the complete "Windows Driver Kit". If you have stored the previously extracted DPInst.exe somewhere else, the path has to be customized.
  2. Install all needed driver files from your specific <DriverPath> (the exact path has to be edited) by running this command:
     
    dpinst.exe /q /sa /f /path "<DriverPath>"
     
    The installation will be forced, even if a "better" driver is already installed. The automated uninstaller creation is suppressed.
  3. Tip: The command line parameters are explained >here<.

Valid for both Driver Installation Methods:
Important: Although the driver (hopefully) has been successfully installed, it will not be used until the next (re-)boot.


III. Result

This is what you will see (using your OS language) after having successfully installed any driver, which has been "mod+signed" by me:

Win-RAID CA Driver Signature Pic1.png

Win-RAID CA Driver Signature Pic2.png

Win-RAID CA Driver Signature Pic3.png

Win-RAID CA Driver Signature Pic4.png




Credits go to:

  • mrces2 for his perfect manual guide about how to digitally sign the drivers
  • Zwulf for his fantastic scripts and his continuous help
  • e.v.o for his tests and scripts
  • zt3 for his useful tips

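Added example, not part of the original post or of Zwulf's script: a read-only PowerShell check of what the import in section I leaves on the machine (the certificate lands in the two LocalMachine stores, so it applies to every user of that PC) and of how a "mod+signed" catalog validates afterwards. The function name `Get-ImportedCaStatus` and the catalog path in the usage line are assumptions.

```powershell
# Added example, not part of the original post. Read-only: nothing is installed or removed.
# Get-ImportedCaStatus and the catalog path in the usage line are assumed names.
function Get-ImportedCaStatus {
    param(
        [Parameter(Mandatory)] [string] $CerPath,   # the "Win-RAID CA.cer" shipped in the driverpack
        [string] $CatalogPath                       # optional: *.cat file of a mod+signed driver
    )

    # Parse the .cer file in memory; this does not touch any certificate store.
    $full = (Resolve-Path -LiteralPath $CerPath).ProviderPath
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $full

    $status = [ordered]@{
        Subject    = $cert.Subject
        Thumbprint = $cert.Thumbprint               # compare with a value obtained from the publisher
        SelfIssued = ($cert.Subject -eq $cert.Issuer)
        NotBefore  = $cert.NotBefore
        NotAfter   = $cert.NotAfter
    }

    # The two machine-wide stores that ImportCertificate.cmd writes to ("Root" and "TrustedPublisher").
    foreach ($name in 'Root', 'TrustedPublisher') {
        $status["In$name"] = Test-Path -Path "Cert:\LocalMachine\$name\$($cert.Thumbprint)"
    }

    if ($CatalogPath) {
        # Status is 'Valid' only when the signature verifies and its chain ends in a trusted root.
        $sig = Get-AuthenticodeSignature -FilePath $CatalogPath
        $status['CatalogStatus']        = $sig.Status
        $status['CatalogStatusMessage'] = $sig.StatusMessage
        $status['CatalogSigner']        = $sig.SignerCertificate.Subject
        $status['CatalogSignerIssuer']  = $sig.SignerCertificate.Issuer
    }

    [pscustomobject]$status
}

# Example call from an elevated PowerShell (the catalog path is a placeholder):
# Get-ImportedCaStatus -CerPath 'C:\Certificate\Win-RAID CA.cer' -CatalogPath '<DriverPath>\<driver>.cat'
```

Running it before and after the import shows `InRoot` and `InTrustedPublisher` change from False to True, and the catalog status change once the root is trusted.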

@Fernando

Hi, it's me again! You need to distribute the certs as well, otherwise the drivers will be considered as not digitally signed on other PCs.

To all fellow members, be my guests anytime.
As I was assisted, so I offered my two pence in return as well.

Let’s keep overhauling!

How can I distribute the certificates?
I have no idea.



You can try to export the certificate and save it in the same folder as the driver for others to install it beforehand.
I have tried to load the signed drivers during Windows installation and, since the certificate is not yet stored in the OS, it cannot be verified.
I see no problem in using M$ Standard Driver just for installing the system and then properly updating. This is "healthier", in fact.

Regarding feedback for RST 13.6.2.1001, I have installed the OS and updated the driver as mentioned above.
So far the performance is unparalleled by any other previous version.

This is what I have done now.
All driverpacks dated 04/30/2015 contain an additional file with the signature certificate.

Hello Dieter,

I want to use “>64bit Intel RSTe AHCI & RAID drivers v14.0.0.1095 mod & signed by Fernando<” on Win8.1.
For me the drivers don’t work, because they are not dig. signed as provided!

Any idea?

driver without signature.png

Not really. Have you already tried to import the digital signature certificate, which I have added to the driverpack?

Today I was playing around with this driver because since I installed Windows 10 and switched to UEFI it showed up with a yellow mark in the device manager.
And, I finally managed to install it. What you need to do is to install the Certificate so it can recognize the signature when you load the driver from Device Manager.

To install the Certificate, do the following:
- Right click on the file Driver Signature Certificate.cer > Install Certificate > Open > Local Machine > Place all certificates in the following store > Select Trusted Root Certification Authorities > Ok > Finish

Problem solved.

driver with signature.png

@ zt3:
Thank you very much for your very useful guide regarding the import of the "Driver Signature Certificate".

Today I have tested it while running Win10 x64, but the update from the original Intel Smart Connect Technology Driver v1.0.8.0 WHQL to the modded and signed v1.1.0.0 failed at first try.
Although the import itself had been successful, the Win10 hardware management didn’t do the desired update (not even by using the “Have Disk” option) and gave me the message, that a problem occurred during the update.
After a while I tried the update again (without repeating the import of the “Driver Signature Certificate”) by just using the option “Update Driver Software…” > “Browse my computer…” > “Browse” and navigating to the related INF file. Then I got a pop-up window, where I was asked, whether I trust the digital signature of “Win-RAID CA”. After having checked the option “I always trust this signature” and clicked onto the “Yes” button, the modded driver has been successfully installed. Look here:

Successful installation of a modded signed driver.png


Question:
Do you know why the installation of the modded and signed driver failed at first try?

@Fernando

Good question, I was wondering that too because it also happened to me. It went from “This driver isn’t digital signed” to “This driver has a signature” but as you said when click next it gave an error anyways. I don’t know for sure why this happened and since I tested other things before that I got even more confused. Even after the successful installation I reverted the driver a couple of times to test it again but now it installs every time, probably because of that popup you also talked about, typical lan popup, asking if I wanted to install the driver and whether I wanted to trust the digital signature of “Win-RAID CA” which I just clicked next.

After this driver I tried your Intel’s modded one and I just did the “install certificate”. I think once you press next on that “trust popup” with the option to trust “Win-RAID CA” checked you won’t get any more problems because the Intel’s one installed in the first try without giving that error.

@ zt3:
Thanks for your quick reply.
So we obviously had the same problem while trying to get the digital signature accepted by Win10.
Nevertheless I would still like to know, what exactly has to be done to prevent the failure at first try (many users will give up the installation at this point). If you should ever find it out, please let me know it.

Yes, this seems to be a big advantage for users, who are going to install more often any of my modded & signed drivers: Once the digital signature from "Win-RAID CA" is accepted, all these modded and signed drivers will be installed similar to a WHQL certified driver.

Which signed driver package can I try for testing the certificate? There must be a no-brainer solution. I am willing to help and try to find a solution.

You can try any of my modded drivers, which I am offering as “mod and signed”.
Here are some examples:
1. Intel Smart Connect Technology driver v1.1.0.0. (look into the start post)
2. several Intel USB 3.0 drivers (look >here<)
3. several Intel RST drivers (look >here<)

@Fernando

Yep, that was strange indeed but as you said it installed right after, BUT I’d also like to know why it didn’t in the first place. I can’t do more tests here because I clicked install when the “trust popup” appeared with the option to always trust your certificate checked and so it now installs every time.

Although and sorry if this is getting a bit off topic but I just tried again your Intel’s modded driver on a laptop (it doesn’t have Intel Smart Connect Technology and I never used it before to install these certificates) that I have here at home following the steps I mentioned above (installing the certificate) and it installed without giving any error in the first place. The problem seems to reside on this particular driver.

It fails at the first time but for some reason after a few tries it works good, weird.

Found it! Actually here’s what you need to do:

- Right click on the isctd.cat file > Properties > Digital Signatures > Click on Win-RAID CA > Details > See Certificate > Install Certificate > Local Machine > Place all certificates in the following store > Select Trusted Root Certification Authorities > Ok > Finish

Once you do this, the driver will install without any problem and as soon as you load it from the device manager it shows “This driver has a signature” the opposite if you use the certificate file which states that “this driver isn’t digital signed”. Maybe a problem with the certificate? The other drivers I tested your certificate works good but here it seems that we need to install it directly from the .cat file.

PS: If you want to test it by yourself all you have to do is to uninstall the driver (or drivers, depending if you had one before this one) checking the option to “Remove the software controller of this device” until you get that driver with a yellow mark. If you want you can also open the certificates manager of your computer > Win key + X > Run > certmgr.msc to uninstall it.

Next just do what I’ve said above about the .cat file and you’ll see that it works without any problem. You can even delete the Certificate file as it makes no difference.

@ zt3:
Thanks for having found the solution for our remaining problem!

Does that mean, that I don’t need to add the certificate file to the driver files?

@Fernando

That is correct, you can get "this driver has a signature" and a successful installation by directly installing the certificate from the .cat file's properties.

@ mrces, @ Tito, @ ole258, @ zt3, @ e.v.o:

As already previously announced, I have merged all important contributions about the topic "Digital Signature for Modded Drivers" into this freshly created thread.
This way it will be easier for you and other visitors of the Forum to get compact information about this topic.
So please post all future topic related ideas, tips, questions and answers into this new thread.

Hoping, that this is ok for you
Dieter

I can confirm that everything is working fine and wrote a little PowerShell Script to import the cert. Save the following code to the folder that holds the .cer-File as Import-CertToRootCA.ps1:

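# Load the certificate file that sits next to this script
$pfx = new-object System.Security.Cryptography.X509Certificates.X509Certificate2
$pfx.import($PSScriptRoot + "\Driver Signature Certificate.cer")

# Open the LocalMachine "Trusted Root Certification Authorities" store and add the certificate
$store = new-object System.Security.Cryptography.X509Certificates.X509Store([System.Security.Cryptography.X509Certificates.StoreName]::Root,"LocalMachine")
$store.Open("MaxAllowed")
$store.add($pfx)
$store.close()
 
# List the store entry to confirm that the certificate is present
gci cert:\LocalMachine\root | sls "Win-RAID CA"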
 


If everything went fine it should output some information about the cert. If nothing is displayed, the cert isn't installed. The script is not that nice and could be made to auto import the driver after importing the cert...

To execute the scripts fire up an admin PowerShell and "Set-ExecutionPolicy Unrestricted". I can't upload any files... ?
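
Added example, not code from the thread: the same import with the file's thumbprint checked first and a matching removal, assuming the expected thumbprint was obtained from the publisher through a channel other than the driverpack itself. `Set-PinnedCaTrust` and its parameters are hypothetical names.

```powershell
# Added example, not part of the thread. Run from an elevated PowerShell.
# To allow scripts for this PowerShell session only, instead of changing the machine-wide policy:
#   Set-ExecutionPolicy -Scope Process -ExecutionPolicy RemoteSigned
# Set-PinnedCaTrust and its parameters are assumed names.
function Set-PinnedCaTrust {
    param(
        [Parameter(Mandatory)] [string] $CerPath,
        [Parameter(Mandatory)] [string] $ExpectedThumbprint,  # from the publisher, not from the same download
        [switch] $Remove                                      # undo the import instead of performing it
    )

    # Parse the file first; no store is touched until the thumbprint has been checked.
    $full = (Resolve-Path -LiteralPath $CerPath).ProviderPath
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $full

    # Normalise input such as "ab cd:ef" (spaces, colons, stray characters copied from a
    # certificate dialog), then refuse to continue on any difference.
    $want = ($ExpectedThumbprint -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
    if ($cert.Thumbprint -ne $want) {
        throw "Thumbprint mismatch: file has $($cert.Thumbprint), expected $want. Nothing was changed."
    }

    # Root lets the signature chain verify; TrustedPublisher is the store that the
    # "always trust" prompt described in the thread writes to.
    foreach ($store in 'Cert:\LocalMachine\Root', 'Cert:\LocalMachine\TrustedPublisher') {
        $entry = "$store\$($cert.Thumbprint)"
        if ($Remove) {
            if (Test-Path -Path $entry) { Remove-Item -Path $entry }
        } elseif (-not (Test-Path -Path $entry)) {
            Import-Certificate -FilePath $full -CertStoreLocation $store | Out-Null
        }
        # One result row per store, so the caller sees the final state.
        [pscustomobject]@{ Store = $store; Present = (Test-Path -Path $entry) }
    }
}

# Import:  Set-PinnedCaTrust -CerPath '.\Win-RAID CA.cer' -ExpectedThumbprint '<thumbprint from publisher>'
# Remove:  Set-PinnedCaTrust -CerPath '.\Win-RAID CA.cer' -ExpectedThumbprint '<thumbprint from publisher>' -Remove
```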