5

I'm trying to create a batch install file, and one of the tasks it does is install a third-party driver. This is unsigned and so pops up a warning and causes the rest of the script to fail on Windows XP Professional Service Pack 3.

I've tried the following:

 reg add "HKCU\Software\Policies\Microsoft\Driver Signing" /v BehaviorOnFailedVerify /t reg_dword /d 00000000 /f

 REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Driver Signing" /t REG_DWORD /v Policy /d 0 /f
 REG ADD "HKEY_LOCAL_MACHINE\Software\Microsoft\Driver Signing" /t REG_BINARY /v Policy /d 00 /f
 REG ADD "HKEY_LOCAL_MACHINE\Software\Microsoft\Non-Driver Signing" /t REG_BINARY /v Policy /d 00 /f
 REG ADD "HKEY_USERS\.DEFAULT\Software\Microsoft\Driver Signing" /t REG_DWORD /v Policy /d 0 /f

And none of these appear to change it. The script will have to be run on many machines so I can't do it the manual way. Does anyone know how this can be done?

MikeyB
  • If you maintain a domain CA, you can issue yourself a cert and [re-]sign the drivers. As the CA should be trusted by all your clients, you should no longer see the prompt when installing. – jscott Oct 19 '11 at 17:19
  • @jscott, thanks, we have a signing cert but it's the Windows logo validation cert that it's looking for. – probably at the beach Oct 19 '11 at 17:22

3 Answers

7

This is why you can't do that:

http://support.microsoft.com/kb/298503

It also suggests some workarounds; if your computers are in a domain, you can use a Group Policy setting to configure driver loading behaviour.

Massimo
6

If you ever find the solution to that then you can sell it to virus/trojan authors. They love to know that as well. This would mean they can distribute malware without asking the user for permission. (That's why Microsoft introduced this feature. Don't hack Microsoft.)

mailq
  • As a side note, I've found that sometimes you have to hack away at some things to get applications to work properly... :-/ – Bart Silverstrim Oct 19 '11 at 17:07
  • @mailq, thanks for your answer but this is not an attempt to undermine the security model in Windows. Merely trying to find the best way to do it gptemplate etc. – probably at the beach Oct 19 '11 at 17:19
2

For Windows 7 this can be done (ref: http://www.killertechtips.com/2009/05/05/disable-driver-signing-windows-7/) from an Administrator command window using:

 bcdedit.exe -set loadoptions DDISABLE_INTEGRITY_CHECKS
 bcdedit.exe -set TESTSIGNING ON
  • 1
    And you have to reboot afterwards. You can do the same thing temporarily by pressing F8 to get the boot menu and booting with the requirements off. Then you can reboot again to re-enable them. You likely don't want to permanently disable the signing requirements. – sinping Oct 19 '11 at 19:38
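
For the defensive side of the bcdedit answer above, here is an added example (not part of the original answer or its comments) that audits a machine for boot options left in a state that relaxes driver signature enforcement. `Test-BcdSigningOptions` is a hypothetical helper name, the sample text is constructed, and the check assumes English `bcdedit` output where enabled options print as `Yes`.

```powershell
# Flags boot-entry settings that relax driver signature enforcement.
# Test-BcdSigningOptions is a hypothetical helper, not a built-in cmdlet.
function Test-BcdSigningOptions {
    param(
        [Parameter(Mandatory = $true)]
        [AllowEmptyString()]          # bcdedit output contains blank lines
        [string[]]$BcdLines           # lines of "bcdedit /enum {current}" output
    )
    $findings = @()
    foreach ($line in $BcdLines) {
        # Element lines have the form "<name><spaces><value>"
        if ($line -match '^\s*(\S+)\s+(.+?)\s*$') {
            $name  = $Matches[1]
            $value = $Matches[2]
            switch ($name) {
                'testsigning' {
                    if ($value -match '^(yes|on)$') { $findings += "testsigning is enabled ($value)" }
                }
                'nointegritychecks' {
                    if ($value -match '^(yes|on)$') { $findings += "nointegritychecks is enabled ($value)" }
                }
                'loadoptions' {
                    # Also matches the DDISABLE_INTEGRITY_CHECKS spelling used above
                    if ($value -match 'DISABLE_INTEGRITY_CHECKS') { $findings += "loadoptions contains $value" }
                }
            }
        }
    }
    return $findings
}

# Constructed sample output (not captured from a real machine)
$sample = @'
Windows Boot Loader
-------------------
identifier              {current}
path                    \Windows\system32\winload.exe
description             Windows 7
loadoptions             DDISABLE_INTEGRITY_CHECKS
testsigning             Yes
nx                      OptIn
'@ -split "`r?`n"

Test-BcdSigningOptions -BcdLines $sample

# On a live system, from an elevated prompt:
# Test-BcdSigningOptions -BcdLines (bcdedit /enum '{current}')
```

An empty result means none of the three settings were found on the current boot entry.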