Topic: Disable driver signing

Hello

using nlite to creat super XP disc!!!

It all works just dandy, but wanted to know if it is possible to disable driver signing in XP before booting (I am aware you can disable in XP after install) hoped this would speed install I get 600+ prompts on the funny driver pack finisher program, also does driver pack require .net? assume it does? (mine works because I slip .net 3.5)

Re: Disable driver signing

DriverPacks BASE automatically makes the appropriate entries to disable the driver-sign prompts.
So we can only assume that you did not use DriverPacks BASE to integrated the DriverPacks otherwise you'd have no problems.
Remember, Nlite first. Do not integrate/remove drivers with nlite.  Leave open.
DriverPacks BASE last.  Close DriverPacks BASE.
Build ISO with nlite.

Welcome to DriverPacks.net! smile

Read BEFORE you post.  HWID tool   DriverPacks Tutorial   DONATE!
http://driverpacks.net/userbar/admin-1.png
Not all heroes wear capes, some wear Kevlar!

Re: Disable driver signing

Hi did that and Nlite did work perfectly! (got an issue with this error

setup.exe - Unable to locate component

This application failed to start because iertutil.dll was not found. Re-installing the application may fix this problem.

But just wondered if it was possible to disable driver signing temporarily to avoid the prompts and speed the driver pack finisher.

Re: Disable driver signing

Can you read this thread and post the requested log files?
It sounds to me like your XP source is tainted somehow, unless you didn't follow instructions.
iertutil.dll is only for IE-7.  You probably integrated ie7 somewhere along the way and it went wrong.
When integrated properly with DriverPacks BASE, driver signing policy is disabled for the duration of XP install until after you reach the desktop.  If you're seeing those prompts, you didn't do something correctly.

Read BEFORE you post.  HWID tool   DriverPacks Tutorial   DONATE!
http://driverpacks.net/userbar/admin-1.png
Not all heroes wear capes, some wear Kevlar!

Re: Disable driver signing

Fixed the iertutil.dll problem (I just changed the order in which nlite slips the updates.

It is the Driverpack finisher which "clicks" on the prompts automatically so it works (and is brilliant btw) will post those files when I next see the PC (as it works it's okay!

Re: Disable driver signing

p.s none other than Scott Mueller recommended Driver packs so you must be doing something right!!

Re: Disable driver signing

we get a million downloads a week - he is not the only one recommending us wink

Thanks for the positive feedback!   It's still a joy to hear that we have helped!

Welcome and Have a great day.

DP BartPE Tutorial   DP_BASE Tutorial   HWID's Tool     Read BEFORE you post    UserBars!
http://driverpacks.net/userbar/admin-1.png
The DriverPacks, the DP_Base program, and Support Forum are FREE!.

Re: Disable driver signing

When the economy settles down and the £ is double the $ I will donate, that way my donation will be worth double.

Re: Disable driver signing

LOL - Twice as much beer for Wim!

Lord knows college students never have enough money!

PS You'll need to figure your conversion based on Euro as Wim is from Belgium wink

Last edited by OverFlow (2009-03-02 16:00:46)

DP BartPE Tutorial   DP_BASE Tutorial   HWID's Tool     Read BEFORE you post    UserBars!
http://driverpacks.net/userbar/admin-1.png
The DriverPacks, the DP_Base program, and Support Forum are FREE!.

Re: Disable driver signing

I'm suddenly having the same issue with the latest DriverPacks BASE after a year of building using NLite and DriverPacks the same way with no problems.  Thanks for the tip on iertutil.dll, I'll have to look at my integration order and see if that's my problem too.

In my case it's extra annoying right now since driver signature checking stays broken after the install, so EVERY driver you install (even ones from Microsoft) report themselves as unsigned.

Re: Disable driver signing

That is because you are using KTD. KTD uses MakePNF which is supposed to cache the INFs to speed finding drivers but instead it creates duplicate unsigned INTs that are referred to their originals... although PNFs are a MS convention PNFs don't work and is further aggravated by XP SP3
Don't use KTD it never worked well and never used the finisher (which is key to installing MANY drivers)
that is why we wrote SAD...

DP BartPE Tutorial   DP_BASE Tutorial   HWID's Tool     Read BEFORE you post    UserBars!
http://driverpacks.net/userbar/admin-1.png
The DriverPacks, the DP_Base program, and Support Forum are FREE!.

Re: Disable driver signing

Looks like I am going to have to redo my install disk too!!
I used nlite and driver packs to incorporate my drivers and I get the beep warning about unsigned drivers but it just keeps loading.
I do have one question though. I need to integrate the sata drivers for XP. Do I need to use the separate driver or can I use the driver packs? In the past if I did not include the sata drivers though F6, the install would fail by not being able to access the sata drive.
Thanks

Mark Minnich
MCTS Microsoft Windows Vista: Configuration,
MCTS Microsoft Server 2008 Network Infrastructure: Configuration
MCTS Microsoft Server 2008 Active Directory: Configuration

Re: Disable driver signing

that is because the drivers can not be properly installed with nLite...

you must use DriverPacks BASE to install the drivers... and if you select text mode then you wont need f6...

Please follow the DriverPacks BASE tutorial in my signature....
ALSO please note that IT SPECIFICALY SAYS not to install the DriverPacks with nLite in the tut...

DP BartPE Tutorial   DP_BASE Tutorial   HWID's Tool     Read BEFORE you post    UserBars!
http://driverpacks.net/userbar/admin-1.png
The DriverPacks, the DP_Base program, and Support Forum are FREE!.

Re: Disable driver signing

Disable driver signing :

Microsoft has introduced a new kernel security component for the 64-bit editions of Vista. Windows mandatory kernel mode and driver signing implies that all modules or drivers designed to run at kernel level have to feature digital signatures, to attest the software is provided by a legitimate publisher. Still, not all drivers are signed and there are many legitimate reasons for disabling driver signing in Vista.

Many of the virus, adware, security, and crash problems with Windows occu when someone installs a driver of dubious origin. The driver supposedly provides some special feature for Windows but in reality makes Windows unstable and can open doors for people of ill intent who want your system for themselves. Of course, Microsoft’s solution is to lock down Windows so that you can use only signed drivers. A signed driver is one in which the driver creator uses a special digital signature to “sign” the driver software. You can examine this signature (as can Windows) to ensure that the driver is legitimate.

Windows 2008 doesn’t load a driver that the vendor hasn’t signed. Unfortunately, you’ll find more unsigned than signed drivers on the market right now. Vendors haven’t signed their drivers, for the most part, because the process is incredibly expensive and difficult. Many vendors see the new Windows 2008 feature as Microsoft’s method of forcing them to spend money on something that they dispute as having value. Theoretically, someone can forge a signature, which means that the signing process isn’t foolproof and may not actually make Windows more secure or reliable. Of course, the market will eventually decide whether Microsoft or the vendors are correct, but for now you have to worry about having signed drivers to use with Windows.

Sometimes, not having a signed driver can cause your system to boot incorrectly or not at all. The Disable Driver Signature Enforcement option lets you override Microsoft’s decision to use only signed drivers. When you choose this option, Windows boots as it normally does. The only difference is that it doesn’t check the drivers it loads for a signature. You may even notice that Windows starts faster. Of course, you’re giving up a little extra reliability and security to use this feature — at least in theory.

You can’t permanently disable the use of signed drivers in the 64-bit version of Windows Server 2008 — at least, not using any Microsoft-recognized technique. It’s possible to disable the use of signed drivers in the 32-bit version by making a change in the global policy (more on this technique later in the section). A company named Linchpin Labs has a product called Atsiv (http://www.linchpinlabs.com/resources/a … design.htm), which lets you overcome this problem, even on 64-bit systems. Microsoft is fighting a very nasty war to prevent people from using the product. (They recently asked VeriSign to revoke the company’s digital certificate and had the product declared malware; read more about this issue at http://avantgo.computerworld.com.au/ava … 69104626.) doesn’t check the drivers it loads for a signature. You may even notice that Windows starts faster. Of course, you’re giving up a little extra reliability and security to use this feature — at least in theory.

I have several devise drivers that are not digitally signed but otherwise work happily under windows server 2008.

At present, during booting up, I need to go thorugh the loop F8 to manually disable "digital driver enforcement", but this is good for the current session only.

Is there a clever way to permanently disable digital driver enforcement, so that I do not have to use the F8 option manually every time?

Thanks.

NO SPAM LINKS!

Re: Disable driver signing

Respectfully, kanmani shanmugam, can you offer evidence of this, as the following quote from you seems at first blush to be patently false.

kanmani shanmugam wrote:

"Unfortunately, you’ll find more unsigned than signed drivers on the market right now."

At least offer up three examples of hardware that cannot work without disabling Driver Signing, and the version of Windows used.  Perhaps this would be of assistance to find properly signed drivers from official channels.  hmm

You may be correct, yet you should offer some proof, not just blanket statements which could mislead people.

Sûnnet Beskerming wrote:

"As with any other system modification and administration tool, system instability, failure or unresponsiveness may be encountered when using Atsiv - so use is at the user's own risk."
http://www.theregister.co.uk/2007/07/30 … iver_tool/

It is good that you do acknowledge this.

kanmani shanmugam wrote:

"Of course, you’re giving up a little extra reliability and security to use this feature — at least in theory."

Another note; your link to Atsiv comes up "404 Not Found" on my system AND the link to article you mentioned on "avantgo.computerworld.com.au" reveals an all-but blank page!

Edit:  I finally got through to Linchpinlabs site you linked to above.  It says that Atsiv was declared to be malware by MS & it's digital signature was revoked on August 3, 2007.

Here is some more food for thought concerning drivers, driver signing, & malware:

Quote from Cisco's Cyber Risk Report, July 19–25, 2010

"Microsoft recently collaborated with Verisign to revoke certificates issued to Realtek and JMicron, two hardware companies whose private keys for their driver-signing signatures were apparently compromised. These companies' signatures were used to sign malicious drivers distributed as part of the Stuxnet malware that has recently targeted SCADA systems via USB drives. Realtek and JMicron were issued new certificates to sign future drivers."
...
"IntelliShield Analysis: Some reports, which appear to originate with Sophos' Mike Wood, indicate that signed drivers whose certificates have been revoked will continue to function if they were signed prior to the revocation date. Only drivers signed with a revoked certificate after the revocation date will not load. If this is true, then this action by Microsoft and Verisign will apparently only prevent the malware distributors from further signing additional malware with Realtek and JMicron's compromised private keys. If Wood and others are not correct, then organizations using Realtek and JMicron hardware with signed drivers may soon notice that their hardware is not functioning as expected. "
http://www.cisco.com/web/about/security … -25.html#4

Additional info here --> http://www.securelist.com/en/blog/2236/ … _questions
   & here, all from July, 2010 --> http://blogs.cisco.com/security/stuxnet … _behavior/

Last edited by TechDud (2012-11-02 14:44:28)

Re: Disable driver signing

kanmani shanmugam wrote:

...
At present, during booting up, I need to go thorugh the loop F8 to manually disable "digital driver enforcement", but this is good for the current session only.

Is there a clever way to permanently disable digital driver enforcement, so that I do not have to use the F8 option manually every time?

Thanks.

Wow most of that post was copy and paste... A little google searching would yield the below

Errr...http://www.google.com/#hl=en&tbo=d&output=search&sclient=psy-ab&q=disable+unsigned+driver+windows+8&oq=disable+unsigned+driver+windows+8

http://laslow.net/2012/03/14/disable-dr … windows-8/
http://social.technet.microsoft.com/For … a60cd6c109

Last edited by stamandster (2012-11-05 13:49:08)

Re: Disable driver signing

one important tidbit concerning Driver Signing.  If it's just a modded .Inf that is at issue:

Laslow wrote:

"Once the driver is installed you don’t need to leave enforcement disabled."

I realized over half-way through responding to that post that i was merely responding to a bot.
Then i remembered that some readers here are on the opposite half of the computer-savvy bell-curve.
I responded for them.

PS:  I thought it was <ctrl>F8.

Re: Disable driver signing

you guys are giving a rebuttal to a spambot tongue

that is why it looks cut and pasted and why the links are dead. Also why Mr_S removed his signature...

DP BartPE Tutorial   DP_BASE Tutorial   HWID's Tool     Read BEFORE you post    UserBars!
http://driverpacks.net/userbar/admin-1.png
The DriverPacks, the DP_Base program, and Support Forum are FREE!.