none
Kernel driver signing so it works on Windows XP, Vista, 7 and 8? RRS feed

  • Question

  • I have tested my kernel (PnP) driver for an USB device with "Windows HCK 2.1 for Windows 8.1 and 7" (https://developer.microsoft.com/en-us/windows/hardware/windows-hardware-lab-kit) on Win8 (x86 and x64). The driver has an SHA-1 and SHA-2 embedded EV signature from our side. I have activated the relating checkboxes that the driver should be also works on older Windows variants during upload of the test results to get the signed sys/cat files from Microsoft.

    This driver works fine on Win8, Vista and WinXP. The driver works fine and the signature from Microsoft seems to be accepted by the OS.

    But on Win7 the device manger shows error 39 (file corrupt or doesn't exist). I am the opinion that the error is normally error 52 (signature cannot be validated).

    What is the reason of this error 39 and why dows the driver doesn't work on Win7?

    Should I also test the driver also on Win7 (x86 and x64) before I upload the test results together with the Win8 results?

    Tuesday, December 6, 2016 9:59 PM

Answers

  • On our side the problem only occurs on Win7, Vista, XP / x64 side, not on x86 side.

    I have found the reason and the solution:

    We are using KeInitializeSpinLock() in the PnP driver.

    The cause of error 39 (CM_PROB_DRIVER_FAILED_LOAD) in this context is described here: 

    • https://forums.mcci.com/making-connections/entry/building-one-driver-for-win7-win8-win8-1

    Setting #define WIN9X_COMPAT_SPINLOCK before #include "ntddk.h" / "wdm.h" solves the problem at build time.

    • Marked as answer by Alex_S71 Saturday, December 10, 2016 5:04 PM
    Saturday, December 10, 2016 5:04 PM

All replies

  • I have tested my kernel (PnP) driver for an USB device with "Windows HCK 2.1 for Windows 8.1 and 7" (https://developer.microsoft.com/en-us/windows/hardware/windows-hardware-lab-kit) on Win8 (x86 and x64). The driver has an SHA-1 and SHA-2 embedded EV signature from our side. I have activated the relating checkboxes that the driver should be also works on older Windows variants during upload of the test results to get the signed sys/cat files from Microsoft.

    This driver works fine on Win8, Vista and WinXP. The driver works fine and the signature from Microsoft seems to be accepted by the OS.

    But on Win7 the device manger shows error 39 (file corrupt or doesn't exist). I am the opinion that the error is normally error 52 (signature cannot be validated).

    What is the reason of this error 39 and why dows the driver doesn't work on Win7?

    Should I also test the driver also on Win7 (x86 and x64) before I upload the test results together with the Win8 results?


    Tuesday, December 6, 2016 9:41 PM
  • In Windows 7, if you do not have SP1 + KB3033929 installed, it seems that SHA-2 signature cat could not be recognized.

    https://technet.microsoft.com/en-us/library/security/3033929.aspx

    For Windows 7 where KB 3033929 is not installed, you should be able to install it with SHA - 1 signature cat that can be obtained by WLK authentication.

    Wednesday, December 7, 2016 6:12 AM
  • KB 3033929 is currently installed, but it doen't work. The Microsoft signature of the kernel driver is SHA-2 based. 

    Is there are some addtional updates to install? Maybe a new set of public key cerfificates, etc?

    I check if I can get an additional SHA-1 signature from WLK authentication.

    Wednesday, December 7, 2016 6:20 AM
  • Currently I am the opinion that it is no signature problem. The problem does also occur without the WHCK / WHQL.

    The driver is compiled with VC14 (and / or set compiler option DPOOL_NX_OPTIN=1). Could this the problem on Win7? The same driver works on Vista and WinXP.

     

    Wednesday, December 7, 2016 7:13 PM
  • On our side the problem only occurs on Win7, Vista, XP / x64 side, not on x86 side.

    I have found the reason and the solution:

    We are using KeInitializeSpinLock() in the PnP driver.

    The cause of error 39 (CM_PROB_DRIVER_FAILED_LOAD) in this context is described here: 

    • https://forums.mcci.com/making-connections/entry/building-one-driver-for-win7-win8-win8-1

    Setting #define WIN9X_COMPAT_SPINLOCK before #include "ntddk.h" / "wdm.h" solves the problem at build time.

    • Marked as answer by Alex_S71 Saturday, December 10, 2016 5:04 PM
    Saturday, December 10, 2016 5:04 PM