Is That Driver Signed?
As we noted earlier in this article, Windows 7 requires that all driver packages be trusted before they can be added to the driver store. Drivers pass an initial threshold of trust when they are digitally signed. But not all signatures are created equal. Here’s a description of how Windows handles different types of drivers:
The highest level of trust is assigned to drivers that are signed by Microsoft’s Windows Hardware Quality Lab (WHQL, often pronounced wickle by Microsoft insiders) through the Windows Logo Program. These so-called WHQL-signed drivers can be installed by any user, on any 32-bit or 64-bit version of Windows 7, without any warnings or requests for an administrator’s consent. Any driver that is listed as Compatible with Windows 7 is also compatible with Windows Server 2008 R2, and vice versa.
Drivers can also be signed by third parties using Authenticode signatures, which use a certificate that is issued by a Certificate Authority whose certificate is stored in the Trusted Root Certification Authorities store. If an administrator has added the publisher’s certificate to the Trusted Publishers store, the driver can be installed with no prompts by any user.
If a driver is signed by a publisher whose certificate is not in the Trusted Publishers store, it can be installed by an administrator only. Installation will fail silently for users who are not members of the Administrators group. An administrator can also choose to add this type of signed driver to the driver store, after which it can be installed by any user with no prompts.
Drivers that are unsigned, have a signature that is invalid or cannot be verified by a trusted Certificate Authority, or have a digital signature that has been altered can be installed by an administrator on 32-bit (x86) versions of Windows, but they cannot be installed on any 64-bit (x64) version of Windows.
To make the issue of driver signing even more confusing, there are two additional levels of digital signing to consider. For most driver packages, the only file that must be digitally signed is the catalog file, which uses a .cat extension. It lists the files included with the driver package and provides hashed digest numbers that uniquely identify each file and confirm that it has not been tampered with. For drivers that start at boot-up on x64 versions of Windows, the driver file itself must contain an embedded signature. In addition, any device that is used to play back media that uses the Protected Media Path (PMP), such as Blu-ray discs and other formats that use the Advanced Access Content System (AACS) specification, must have a driver that is signed using a PMP-PE certificate. You can verify the contents of a Security Catalog file by double-clicking it in Windows Explorer.
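As an added example (not part of the original article), this PowerShell script lists boot-start drivers and flags any whose file lacks a valid embedded signature, which is the x64 requirement described above. The helper name Resolve-DriverPath is hypothetical, and the script assumes that only newer PowerShell versions expose a SignatureType property on the signature object.

```powershell
# Added example: flag boot-start drivers that lack a valid embedded signature.
# Run from an elevated prompt so every driver file can be read.

function Resolve-DriverPath {   # hypothetical helper, not a built-in cmdlet
    param([string]$PathName)
    if (-not $PathName) { return $null }
    # Service image paths can carry NT-style prefixes; map them to a Win32 path.
    $p = $PathName.Trim('"')
    $p = $p -replace '^\\\?\?\\', ''
    $p = $p -replace '^\\SystemRoot\\', "$env:SystemRoot\"
    $p = $p -replace '^System32\\', "$env:SystemRoot\System32\"
    return $p
}

# Boot-start drivers are the ones loaded at boot-up.
$bootDrivers = Get-WmiObject -Class Win32_SystemDriver -Filter "StartMode = 'Boot'"

$report = foreach ($drv in $bootDrivers) {
    $path = Resolve-DriverPath $drv.PathName
    $status = 'FileNotFound'; $type = $null; $signer = $null
    if ($path -and (Test-Path -LiteralPath $path)) {
        $sig    = Get-AuthenticodeSignature -FilePath $path
        $status = [string]$sig.Status
        if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
        # Where present, SignatureType separates an embedded signature
        # ('Authenticode') from one that comes only from a catalog ('Catalog').
        if ($sig.PSObject.Properties['SignatureType']) {
            $type = [string]$sig.SignatureType
        }
    }
    New-Object PSObject -Property @{
        Name = $drv.Name; Path = $path; Status = $status
        SignatureType = $type; Signer = $signer
        NeedsReview = ($status -ne 'Valid') -or ($type -eq 'Catalog')
    }
}

# Show only the drivers that need a closer look.
$report | Where-Object { $_.NeedsReview } |
    Select-Object Name, Status, SignatureType, Signer, Path |
    Format-Table -AutoSize
```

The check is limited to boot-start drivers because that is the only case in which the article says the driver file itself must carry the signature; for other drivers a signed catalog file is sufficient.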
In general, you should prefer WHQL-signed drivers, which have undergone extensive compatibility testing using procedures established by Microsoft’s hardware testing labs. These procedures provide strong assurance that the driver follows installation guidelines and that you can count on it not to cause your operating system to crash or become unstable. A digital signature from another trusted source doesn’t confer the same assurance of reliability but does provide confidence that the driver hasn’t been tampered with by other installation programs or by a virus or Trojan horse program.
Don’t underestimate the negative consequences that can result from installing an unsigned driver that turns out to be faulty. Because hardware drivers access low-level functions in the operating system, a badly written driver is much more likely to cause Stop (blue screen) errors than a buggy program. Even a seemingly innocuous driver can cause sudden crashes that result in loss of data and prevent you from restarting your computer.
Sometimes you will have to make the difficult decision of whether to install an unsigned driver or give up the use of a piece of hardware. If the hardware device is essential and replacing it would be prohibitively expensive, and you’re using a 32-bit version of Windows, you might decide that the risk is worth it. In other cases, the choice is more difficult, as in the case when you have to choose between a signed driver that offers a minimal set of features and an unsigned alternative driver that allows you to take advantage of special features that are specific to your hardware.
This article was sent to us by:
Jimmy U. at
01122010