Posted

I've been thinking... (hehe yes I do think :P ) And I'm convinced it must be possible to entirely disable DriverSigningPolicy (so no more AutoIt script that automatically clicks 'continue anyway' when a WHQL violation screen pops up).

The facts:

1. Windows looks in the registry how it should react when you try to install a driver that's not WHQL signed. It looks in the HKCU and HKLM registers (also HKU\.Default?) The safest value is used.

2. Driver Signing Policy Is Automatically Elevated for Unsigned Drivers

This behavior occurs because your computer is configured to display a warning message whenever an installation program tries to install a device driver that does not have a digital signature. Windows automatically raises the driver signing policy from Ignore to Warn whenever an installation program tries to install a device driver that does not have a digital signature. This is a function of Windows File Protection to promote the overall stability of the operating system.

source

Conclusion:

So we'd have to disable WFP completely in order to install _any_driver_ without problems.

So how could we do that? Raverod provides a patched SFCOS.dll :D Here's the topic

Or just use nLite to patch it!

Now the question: am I really missing some point here or hasn't anyone noticed this option?


Posted

Do you mean it actually works or did you not test it yet ?

It would be really interesting.

For example, apply the patch during the Windows installation and then restore the original version after the drivers have been installed.

Posted
> Do you mean it actually works or did you not test it yet ?
>
> It would be really interesting.
>
> For example, apply the patch during the Windows installation and then restore the original version after the drivers have been installed.

I did not test this yet. It's pure theory. Read the blue text :P.

Do you understand me? I think I *have* to be wrong, because it 'looks' so obvious... So I think I must be missing something.

Edit: if THIS works, then I've got some other things to make this a completely new method. :P

Posted

This method is not going to work!

I have my WFP disabled and have tried installing ATI Beta drivers with one of my previous slipstreamed DVDs. It installs every other driver except the video driver since the beta drivers are not WHQL compliant.

Posted
> This method is not going to work!
>
> I have my WFP disabled and have tried installing ATI Beta drivers with one of my previous slipstreamed DVDs. It installs every other driver except the video driver since the beta drivers are not WHQL compliant.

And did you only disable WFP or did you also disable DriverSigningPolicy? You have to do both... WFP just prevents you from disabling DriverSigningPolicy in an easy way.

Posted
> Yes, Driversigning is disabled in winnt.sif and I use the hacked sfc_os.dll to disable WFP.

But you can disable the DriverSigningPolicy in another way as well, at least that's what I think. (came up with this myself, read nowhere about it, so I'm not sure, not tested yet)

Windows XP searches the setting for DriverSigningPolicy. It looks in the HKCU and HKLM registers (also HKU\.Default?) The safest value is used. So what if we would change this default value? That would be possible: editing the HIVEDEF.INF and the HIVESFT.INF files in your I386 directory.

That might make the difference IMO...

Posted
> Hmmm, that may be possible. I can test it out later this evening and see if that actually works.

Thank you very much for testing!

Here are the entries you should add/change:

change:

from

HKLM,"SOFTWARE\Microsoft\Driver Signing",,0x00000010
HKLM,"SOFTWARE\Microsoft\Non-Driver Signing",,0x00000010

to

HKLM,"SOFTWARE\Microsoft\Driver Signing",,0x00000000
HKLM,"SOFTWARE\Microsoft\Non-Driver Signing",,0x00000000

If not working, try to add these:

HKCU,"SOFTWARE\Microsoft\Driver Signing",,0x00000000
HKCU,"SOFTWARE\Microsoft\Non-Driver Signing",,0x00000000
HKU,".DEFAULT\SOFTWARE\Microsoft\Driver Signing",,0x00000000
HKU,".DEFAULT\SOFTWARE\Microsoft\Non-Driver Signing",,0x00000000
HKCU,"SOFTWARE\Policies\Microsoft\Windows NT\Driver Signing\BehaviorOnFailedVerify",,0x000000

A question to the registry experts: in the registry it's in fact this key:

HKLM,"SOFTWARE\Microsoft\Driver Signing\Policy",,0x00000010

then why is it

HKLM,"SOFTWARE\Microsoft\Driver Signing",,0x00000010

in the HIVESFT.INF?
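
The lines quoted in the post above use the INF AddReg layout (root, subkey, value name, flags, data), so the fourth field is a flags word and not the stored data; 0x00000010 is FLG_ADDREG_KEYONLY, which creates the key and writes no value. The following is an added example, not code from the thread, that decodes such lines, for instance when auditing a modified HIVESFT.INF or HIVEDEF.INF on install media. The function names and the third sample line are constructed for illustration.

```python
import csv

# AddReg flag bits as defined for Windows INF files (setupapi.h names).
FLG_ADDREG_KEYONLY = 0x00000010      # create the subkey, write no value
FLG_ADDREG_TYPE_MASK = 0xFFFF0001    # bits that select the registry value type
REG_TYPES = {
    0x00000000: "REG_SZ", 0x00000001: "REG_BINARY",
    0x00010000: "REG_MULTI_SZ", 0x00020000: "REG_EXPAND_SZ",
    0x00010001: "REG_DWORD",
}

def parse_addreg(line):
    """Split one AddReg line into root, subkey, value name, flags and data."""
    fields = next(csv.reader([line.strip()], skipinitialspace=True))
    fields += [""] * (5 - len(fields))            # pad omitted trailing fields
    root, subkey, name, flags = fields[:4]
    flags = int(flags, 0) if flags else 0         # field is hex (0x...) or empty
    key_only = bool(flags & FLG_ADDREG_KEYONLY)
    reg_type = None if key_only else REG_TYPES.get(flags & FLG_ADDREG_TYPE_MASK, "unknown")
    return {"root": root, "subkey": subkey,
            "value_name": name or None,           # None means the key's default value
            "flags": flags, "key_only": key_only, "type": reg_type,
            "data": [f for f in fields[4:] if f != ""]}

def audit(lines, needle="driver signing"):
    """Return parsed entries whose subkey mentions the driver signing keys."""
    hits = []
    for line in lines:
        if not line.strip() or line.lstrip().startswith(";"):
            continue                              # skip blanks and INF comments
        entry = parse_addreg(line)
        if needle in entry["subkey"].lower():
            hits.append(entry)
    return hits

# Sample input: the first two lines are from the thread, the third is constructed.
SAMPLE = [
    r'HKLM,"SOFTWARE\Microsoft\Driver Signing",,0x00000010',
    r'HKLM,"SOFTWARE\Microsoft\Driver Signing",,0x00000000',
    r'HKLM,"SOFTWARE\Example","Setting",0x00010001,1',
]

if __name__ == "__main__":
    for e in audit(SAMPLE):
        print(e["root"], e["subkey"], "key only" if e["key_only"] else e["type"], e["data"])
```

Run over the thread's lines, both the original and the edited entry come back with no value name and no data, which is why neither corresponds to the Policy value seen in the live registry.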

Posted

I've got another idea: Windows prefers the drivers in driver.cab over the ones we add, because sometimes the .cat file is missing, right?

Then, what if we would remove every cat file out of driver.cab? Then Windows would choose our drivers! Because Windows chooses drivers to install like this: (highest rule = first rule)

1. Driver signed

2. Driver version

Do I sound like a fool now? Or is this again something nobody has ever noticed before?

  • 4 months later...
Posted

I was wondering how the progress of this method was? Will try to experiment on this one...

Edit: tried it myself, but it still asks me about not being digitally signed.
