
When installing a signed driver (i.e. with a properly signed .CAB) on Windows 7 through DpInst, unless it's a WHQL-signed driver, you cannot install it silently. If you run DpInst in the non-silent mode, it'll prompt you to trust the "publisher". If you run DpInst in silent mode, it would fail with a signing-related error code (something like 0x800b0109 -- check your setupapi.app.log).

Ilya

4 Answers


While Ilya's answer is good, the solution on Windows 7 is even easier. The command below deploys the certificate to both the current user and the system trusted publisher certificate stores. It requires administrative privileges and is provided by Microsoft.

For Windows 7

certutil.exe -addstore TrustedPublisher cert.cer

I verified that this works on Windows 7 64-bit to deploy signed, but not WHQL-certified, drivers - without prompting the user.

Windows XP

WHQL Certification

It appears that on XP you still need to have the drivers WHQL-certified in order to avoid prompts on install.

Pre-Installing SPC on Windows XP

For Windows XP you'll need to download the Windows Server 2003 Admin Tools Pack from Microsoft and extract certutil.exe and certadm.dll. Then the command above will work on XP as well.

Admin Tools Pack: http://www.microsoft.com/download/en/details.aspx?DisplayLang=en&id=16770

Note that the extracted msi file can be inspected by 7-zip, so you don't need to install it to obtain the exe and dll you need.

Will Bickford
  • Actually this is quite elegant, since certutil.exe seems to come with Windows 7. (Well, I have it in my System32 so I assume it's not part of some SDK or whatnot.) – Ilya Dec 07 '11 at 19:14
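Added example (PowerShell; not part of Will Bickford's answer or of any Microsoft tool): the pre-trust step from this answer carried out end to end on a Windows 7 machine. It takes the signer certificate from the package's own signed .cat instead of a separately shipped .cer, writes it to the machine-wide TrustedPublisher store that certutil -addstore targets when run without -user, confirms by thumbprint that it actually landed, and only then runs DpInst with /S and decodes its packed return code. The package folder, the catalog file name and the presence of dpinst.exe next to the driver files are assumptions. Keep in mind what the store entry grants: any Authenticode-signed content from that publisher will from now on be trusted without a prompt on this machine, so add only the leaf certificate you verified, and only where that is acceptable under your policies.

```powershell
# Added example, not part of the answer above: trust a driver package's signer
# and run DpInst silently. Every path and file name here is an assumption;
# point them at your own package.
$PackageDir  = 'C:\DriverPackage'                    # assumed: holds the .inf/.cat/.sys and dpinst.exe
$CatalogFile = Join-Path $PackageDir 'mydriver.cat'  # assumed: the signed catalog of the package

# The machine TrustedPublisher store is writable only by administrators.
$id = [Security.Principal.WindowsIdentity]::GetCurrent()
$isAdmin = (New-Object Security.Principal.WindowsPrincipal $id).IsInRole(
    [Security.Principal.WindowsBuiltInRole]::Administrator)
if (-not $isAdmin) { throw 'Run this from an elevated PowerShell.' }

# 1. Pull the signing certificate straight out of the signed catalog and
#    refuse to continue if the Authenticode signature does not verify.
$sig = Get-AuthenticodeSignature -FilePath $CatalogFile
if ($sig.Status -ne 'Valid') {
    throw "Signature on $CatalogFile is $($sig.Status); not trusting its signer."
}
$cert = $sig.SignerCertificate
Write-Host ("Signer: {0}  thumbprint {1}" -f $cert.Subject, $cert.Thumbprint)

# 2. Add it to LocalMachine\TrustedPublisher, the store certutil -addstore
#    writes to when run without -user. The .NET X509Store API is used because
#    the PKI module's Import-Certificate cmdlet does not exist on Windows 7.
$store = New-Object Security.Cryptography.X509Certificates.X509Store('TrustedPublisher', 'LocalMachine')
$store.Open('ReadWrite')
try {
    $already = $store.Certificates.Find('FindByThumbprint', $cert.Thumbprint, $false)
    if ($already.Count -gt 0) {
        Write-Host 'Publisher certificate already trusted.'
    } else {
        $store.Add($cert)
        Write-Host 'Publisher certificate added to LocalMachine\TrustedPublisher.'
    }
} finally {
    $store.Close()
}

# 3. Re-open read-only and confirm the thumbprint is really there before
#    installing; otherwise a failed add only shows up later as a DpInst
#    prompt or a silent-mode failure in setupapi.app.log.
$check = New-Object Security.Cryptography.X509Certificates.X509Store('TrustedPublisher', 'LocalMachine')
$check.Open('ReadOnly')
$present = $check.Certificates.Find('FindByThumbprint', $cert.Thumbprint, $false).Count -gt 0
$check.Close()
if (-not $present) { throw 'Certificate did not land in TrustedPublisher.' }

# 4. Run DpInst silently (/S = no UI, /SW = suppress the wizard) and decode
#    its packed return code: bits 0-7 packages installed, bits 8-15 copied
#    to the driver store but not installed, bits 16-23 failed, bit 30 reboot
#    required, bit 31 (sign bit) set on a DpInst error such as no elevation.
$proc = Start-Process -FilePath (Join-Path $PackageDir 'dpinst.exe') `
    -ArgumentList '/S', '/SW', '/PATH', "`"$PackageDir`"" -Wait -PassThru
$code = [BitConverter]::ToUInt32([BitConverter]::GetBytes([int]$proc.ExitCode), 0)
New-Object PSObject -Property @{
    Installed      = [int]($code -band 0xFF)
    Copied         = [int](($code -band 0xFF00) / 0x100)
    Failed         = [int](($code -band 0xFF0000) / 0x10000)
    RebootRequired = (($code -band 0x40000000) -ne 0)
    Error          = ($proc.ExitCode -lt 0)
}
```

Run it from an elevated prompt; a non-zero Failed count or Error = True with the certificate confirmed present means the problem is somewhere other than publisher trust (for instance a signature that does not chain to a root the machine trusts), and setupapi.app.log is the place to look next.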

The straightforward way to do it is to add the signing certificate to the TrustedPublishers. You can do it programmatically (the implementation of win32exception is left as an exercise to the reader):

#include <windows.h>
#include <wincrypt.h>
#include <tchar.h>
#include <stdexcept>
#include "win32exception.h"

#pragma comment(lib, "crypt32.lib")

// Reads a certificate file (.cer, DER or Base64) and adds it to the current
// user's TrustedPublisher store. The user store needs no elevation; pass
// CERT_SYSTEM_STORE_LOCAL_MACHINE instead for the machine-wide store.
void InstallTrustedPublisherCertificate(LPCTSTR CertificateFilePath)
{
    DWORD dwContentType = 0;
    PCCERT_CONTEXT pCertContext = NULL;
    if (!CryptQueryObject(
            CERT_QUERY_OBJECT_FILE,
            CertificateFilePath,
            CERT_QUERY_CONTENT_FLAG_ALL,
            CERT_QUERY_FORMAT_FLAG_ALL,
            0,
            NULL,
            &dwContentType,
            NULL,
            NULL,
            NULL,
            (const void **)&pCertContext))
        throw win32exception("CryptQueryObject");

    try
    {
        // Only a bare certificate is expected here, not a PKCS#7 or PFX blob.
        if (dwContentType != CERT_QUERY_CONTENT_CERT)
            throw std::runtime_error("Incorrect content type of crypto object.");

        HCERTSTORE hCertStore = CertOpenStore(
            CERT_STORE_PROV_SYSTEM,
            0,
            0,
            CERT_STORE_OPEN_EXISTING_FLAG |
            CERT_SYSTEM_STORE_CURRENT_USER,
            _T("TrustedPublisher"));
        if (hCertStore == NULL)
            throw win32exception("CertOpenStore");

        BOOL added = CertAddCertificateContextToStore(
            hCertStore, pCertContext, CERT_STORE_ADD_NEWER, NULL);
        DWORD err = added ? ERROR_SUCCESS : GetLastError();
        CertCloseStore(hCertStore, 0);

        // CRYPT_E_EXISTS means an equal or newer copy is already in the
        // store, which is the desired end state rather than a failure.
        if (!added && err != CRYPT_E_EXISTS)
            throw win32exception("CertAddCertificateContextToStore", err);
    }
    catch (...)
    {
        CertFreeCertificateContext(pCertContext);
        throw;
    }
    CertFreeCertificateContext(pCertContext);
}
Ilya
  • The fact that this works seems like a security flaw in Windows, no? – David Grayson Mar 29 '14 at 05:58
  • It's not a security flaw. You're supposed to be able to modify your own certificate store, of course. If you run arbitrary programs, they can perform arbitrary actions on your behalf (as long as you have the permission to perform them). – Ilya Mar 31 '14 at 13:03

And the question is? If the driver is not WHQL-certified, it can't be installed silently. This is a security measure of Windows.

Eugene Mayevski 'Callback
  • Please note that DpInst allows you to make further installations of drivers by the same publisher silent. How does it do that? By installing the publisher's certificate, of course. – Ilya Dec 22 '10 at 21:07
  • @Ilya then you are probably talking about different warning than I do. The type of warning depends on driver type. – Eugene Mayevski 'Callback Dec 22 '10 at 21:11
  • @Eugene I'm talking about this warning -- "This driver is published by XYZ Corp. Do you trust XYZ Corp.? [x] Always trust XYZ Corp". It's not as severe as a warning for an unsigned driver, but it's a warning nonetheless -- and DpInst will fail silently if you run it with /silent. – Ilya Dec 27 '10 at 00:38
  • @Ilya this is the one shown for non-certified drivers that I said about. As I know, one can avoid it only by actually obtaining WHQL certification. This is the step we didn't take yet. – Eugene Mayevski 'Callback Dec 27 '10 at 08:13
  • @Eugene Since you can mark "Always trust XYZ Corp", then it should be clear WHQL is not the only way to avoid this particular warning. My answer above should show you how to avoid it. – Ilya Dec 29 '10 at 10:40
  • @Ilya Thank you for the tip, but I am not sure if silent modification of certificate stores is always allowed by policies. Yet, it's an interesting way to solve a problem. – Eugene Mayevski 'Callback Dec 29 '10 at 10:52

The drivers have to go through WHQL Certification to avoid any kind of unsigned pop-ups.

If you are looking for any third-party WHQL testing service providers, let us know; we would be happy to help you in this regard.

Bill the Lizard