How to install unsigned 64bit drivers in Windows 7 (or: How I got my HP ScanJet 5p working)

There will be people out there who won’t want me to tell you this. It somewhat goes against the point of the feature in place to prevent it. In my case though, I have a scanner and a SCSI card which would not have worked without these steps.

I wanted to share them with everyone for the next person out there who needs to do this.

Let’s start with some background. On the 64-bit editions of both Vista and Windows 7 (and also Windows Server 2008 and Windows Server 2008 R2), any driver which needs to run in your kernel must be signed (this is most drivers). If there is a .SYS file in the folder, for instance, this will be the case. Besides the warning you get in Device Manager, how can you tell whether the drivers are signed? Is there a .CAT file in the folder? (If not, they are not signed.) Right-click on the .CAT file and select Properties, then check for a “Digital Signatures” tab. If there is one, and a signature is present, then your driver is signed. Selecting the signature and clicking “Details” from there gives more information about who signed the driver. (One note at this point: if the signer is not trusted by your computer, then the driver is treated as if it isn’t signed. That is something which should and will always remain true. You can read below how to trust the signer.)
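The same check can be scripted. This is an added example, not part of the original post: it reads the signature of every .CAT file in a driver folder and reports who signed it and whether this computer trusts the signer. The function name and the folder path are placeholders.

```powershell
# Added example (not from the original post). Works on PowerShell 2.0 and later.
function Get-DriverCatalogStatus {
    param([Parameter(Mandatory=$true)][string]$DriverDir)

    $cats = @(Get-ChildItem -Path $DriverDir -Filter *.cat)
    if ($cats.Count -eq 0) {
        # Same rule as the manual check: no catalog means the package is not signed.
        Write-Warning "No .cat file in $DriverDir, so the package is not signed."
        return
    }

    foreach ($cat in $cats) {
        $sig    = Get-AuthenticodeSignature -FilePath $cat.FullName
        $signer = $sig.SignerCertificate

        New-Object PSObject -Property @{
            Catalog    = $cat.Name
            # 'Valid' means signed AND the chain ends in a root this computer trusts.
            # Any other value (NotSigned, NotTrusted, UnknownError, HashMismatch, ...)
            # means Windows treats the package as if it were unsigned.
            Status     = $sig.Status
            Trusted    = ($sig.Status -eq 'Valid')
            Signer     = $(if ($signer) { $signer.Subject } else { '(no signature)' })
            # Subject equal to issuer marks a self-signed (test) certificate.
            SelfSigned = $(if ($signer) { $signer.Subject -eq $signer.Issuer } else { $false })
        } | Select-Object Catalog, Status, Trusted, Signer, SelfSigned
    }
}

# Placeholder path: point it at the folder that holds the .inf, .sys and .cat files.
Get-DriverCatalogStatus -DriverDir 'C:\Drivers\MyDriver' | Format-List
```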

In my case, until recently, I have been using all-in-one printers as my scanner. I had an HP inkjet all-in-one followed by a Kodak inkjet all-in-one. I honestly got completely sick of inkjet printers. When my Kodak printer would not scan or print in black just because a specific color was out of ink I was furious and so purchased a laser printer the next day. Given that I didn’t really want to leave either of the all-in-ones connected to the PC still, I fished out my old HP ScanJet 5p from the garage. At that point I had forgotten how it connected to the PC. It uses SCSI to connect. Drats! Well, I also fished out my old SCSI card (Tekram DC-395U). The first time I tried it in my PC, my network card stopped working! I was pissed, but just figured that is what happens when devices which don’t properly negotiate their IRQ talk with each other. After purchasing a second SCSI card on eBay, only to find no 64-bit drivers for that one either… and also to find the same network card problem, I realized I had a problem.

Solving the first problem turned out to not be hard. For whatever reason, in my Dell PC, if I install ANY PCI card, then my Realtek LAN adapter stops working. The only workaround is to reboot in safe mode, uninstall the driver, then reboot normally and re-install the driver (followed by another reboot to “set” it).

Solving the second problem (no 64-bit drivers) turned out harder. Let me first say that I HATE all the darn predatory websites out there preying on people that need drivers. You should be ashamed. Funny thing though is that I had NO luck at all finding 64-bit drivers for the Advansys ADC-1300 card (Jaz Jet) I got off eBay, but I did randomly find UNSIGNED 64-bit drivers for my Tekram DC-395U. Crap, I thought. That’s no help. I can’t get the driver installed.

Unwilling to give up, from work, I knew that we use test-signed drivers a LOT for testing new hardware. There are some tools we have to do that which I didn’t want to use at home (or share here), but I figured I could look up how it works. Well, it turns out that MS actually does what I feel is a great job at explaining exactly how to do it. (Even if it’s not easy.)

Follow the link above for all the specific details, however, here is a general rundown of what to do:

  1. Open an elevated command prompt. Type “bcdedit /set testsigning on”. You will now need to reboot.
  2. Download the WDK and install it.
  3. Create a test certificate using MakeCert. (Note: Instead of Contoso, I just used my name: “CN=Your Name Here”)
  4. Navigate to <ddk_folder>\bin\selfsign and use inf2cat to make a NEW cat file for your driver (I tried signing an existing cat file at first, and signtool didn’t like that). (Note: You will probably need to fix up your .inf file based on the errors & warnings.)
  5. Navigate to <ddk_folder>\bin\<arch> (where <arch> is your architecture) and use signtool to sign the .CAT file you just created.
  6. Run certmgr.msc, first navigate to PrivateCertStore\Certificates then click the arrow next to “Trusted Root Certification Authorities” so that you can see “Certificates” below it. Hold down the CTRL button and drag the test cert from the PrivateCertStore to “Certificates” under “Trusted Root Certification Authorities”. (There should be a plus sign on the icon as you drag. Also you will be basically warned not to do that. Make sure you selected ONLY the test cert you created. Also Note: NEVER EVER do this with anything else unless you know what you are doing.)
  7. That’s it! Just install the driver from the location on your machine where you modified the .INF file and .CAT file.
  8. You WILL still get a warning that the driver is not signed. That is because there is no Authenticode signature in place. (You WANT this to happen, since this is what allows others to not do this automatically without showing you a warning.) As long as you enabled test signing in step 1, have an actual signed driver in step 5, and trust the signature in step 6, then the driver should work properly.
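The steps above as one script, with a signature check before the install and the commands to undo the change. This is an added example, not from the original post or from Microsoft: it assumes the WDK tools (makecert, inf2cat, signtool, certmgr.exe) are on PATH, and the folder, certificate file name and subject are placeholders.

```powershell
# Added example (not from the original post). Run from an elevated PowerShell prompt.
$DriverDir = 'C:\Drivers\MyDriver'     # placeholder: folder holding the .inf and .sys
$Subject   = 'Your Name Here'          # test certificate subject (step 3)
$CerFile   = Join-Path $DriverDir 'MyTest.cer'

function Invoke-Tool {
    # Run an external tool and stop the script if it reports failure.
    param([string]$Exe, [string[]]$ToolArgs)
    & $Exe @ToolArgs
    if ($LASTEXITCODE -ne 0) { throw "$Exe failed with exit code $LASTEXITCODE" }
}

# Step 1: test-signing mode only takes effect after a reboot.
# (Matching on "Yes" assumes English bcdedit output.)
$bcd = bcdedit /enum '{current}' | Out-String
if ($bcd -notmatch 'testsigning\s+Yes') {
    Invoke-Tool bcdedit @('/set', 'testsigning', 'on')
    Write-Warning 'Test signing enabled. Reboot, then run this script again.'
    return
}

# Step 3: self-signed test certificate, kept in the user's PrivateCertStore.
Invoke-Tool makecert @('-r', '-pe', '-ss', 'PrivateCertStore', '-n', "CN=$Subject", $CerFile)

# Step 4: build a NEW catalog from the fixed-up .inf for 64-bit Windows 7.
Invoke-Tool inf2cat @("/driver:$DriverDir", '/os:7_X64')

# Step 5: sign every catalog inf2cat produced with the test certificate.
# (Recent SDK builds of signtool also require a digest option such as /fd sha256.)
Get-ChildItem $DriverDir -Filter *.cat | ForEach-Object {
    Invoke-Tool signtool @('sign', '/v', '/s', 'PrivateCertStore', '/n', $Subject, $_.FullName)
}

# Step 6: trust ONLY this one certificate (command-line form of the certmgr.msc drag).
Invoke-Tool certmgr.exe @('/add', $CerFile, '/s', '/r', 'currentUser', 'root')

# Check before installing: each catalog must now verify against the trusted test cert.
Get-ChildItem $DriverDir -Filter *.cat | ForEach-Object {
    Invoke-Tool signtool @('verify', '/pa', '/v', $_.FullName)
}

# To undo later: remove the test root, then turn test signing off and reboot.
#   certmgr.exe /del /c /n "Your Name Here" /s /r currentUser root
#   bcdedit /set testsigning off
```

Running step 3 twice leaves two certificates with the same subject in PrivateCertStore, and signtool will then refuse to pick one; delete the older certificate before re-running.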

Earlier today, I had to repeat steps 4 and 5 for both the Tekram driver and a hacked-up HP ScanJet 5p driver that I found (thanks, random internet forum). After doing this, they both work great in Windows 7. I was able to scan some pictures today already.

At this point I would LOVE to be able to share with everyone the lovely little zip file I created which has the two signed drivers in it and make it possible for people that stumble upon this site to make easy use from my work. However unfortunately drivers are something which fall under copyright protection, so I can’t post them. That is exactly the reason I went through such an effort in explaining the exact steps you need to take above to do this yourself if you need to.

Also, please don’t shoot the messenger here; this really isn’t something all that secret or a hole in the design. As you can see above, all I did was link to existing MSDN articles. It’s more a “feature” to be able to work around the security requirement. I generally don’t recommend doing this for many things. For instance, if you do this and you start getting blue-screens because the device has not gone through logo testing, well, that’s your own darn fault. ;)

J.P.
