user1910600

Reputation: 33

How can I pre-install self-signed USB drivers on Windows XP?

I'm trying to get some USB drivers for medical devices pre-installed on our corporate workstations. Unfortunately, these drivers are not signed. Based on some research done here and elsewhere, I self-signed these drivers using a certificate that I created:

makecert -r -pe -n "CN=Self Root CA" -b 01/01/2006 -e 01/01/2099 -eku 1.3.6.1.5.5.7.3.3,1.3.6.1.4.1.311.10.3.6 -sv selfcert.pvk selfcert.cer

I added the certificate to the "Trusted Root CA" and "Trusted Publishers CA" stores and signed the drivers:

signtool sign /f selfcert.pfx /p password /uw /t http://timestamp.verisign.com/scripts/timstamp.dll /v C:\gendex\fusiondexis.cat

I added the '/uw' parameter because the "Windows System Component Verification" (1.3.6.1.4.1.311.10.3.6) and "Code Signing" (1.3.6.1.5.5.7.3.3) are present in the certificate, thus it seemed appropriate.

I then verified the signatures with signtool:

signtool.exe verify /pa /v /c C:\gendex\fusiondexis.cat C:\gendex\fusiondexis.inf

The driver files were copied to 'C:\gendex' and I updated the registry key 'DevicePath' to include this path when searching for driver files. However, when I plug in the device, Windows displays the Add New Hardware Wizard, which requires an admin to enter their credentials. If I don't do that, the device remains in an unrecognized state, and if I do, it works fine.

I've been banging my head trying to figure this out all day. Any help would be appreciated! Thanks.

Upvotes: 1

Views: 882
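The steps listed in the question, collected into one script so they can be repeated on each workstation. This is an added example, not the questioner's or any vendor's script. It assumes the Windows SDK/WDK tools (makecert, pvk2pfx, certmgr, signtool) are on PATH, that the driver package (fusiondexis.inf and its .cat) already sits in C:\gendex, that `password` is a placeholder, and it adds the pvk2pfx step that the question's signtool command implies but does not show. It is run from an elevated cmd prompt.

```batch
@echo off
REM Added example (not from the question or answer): the pre-install sequence
REM from the question as one script. Assumptions: SDK tools on PATH, driver
REM package already in C:\gendex, "password" is a placeholder.
setlocal
set DRVDIR=C:\gendex
set CATFILE=%DRVDIR%\fusiondexis.cat
set INFFILE=%DRVDIR%\fusiondexis.inf
set PFXPASS=password

REM 1. Create the self-signed root with the Code Signing and Windows System
REM    Component Verification EKUs, exactly as in the question. makecert
REM    prompts for the .pvk password in a dialog.
makecert -r -pe -n "CN=Self Root CA" -b 01/01/2006 -e 01/01/2099 ^
  -eku 1.3.6.1.5.5.7.3.3,1.3.6.1.4.1.311.10.3.6 -sv selfcert.pvk selfcert.cer
if errorlevel 1 goto :fail

REM 2. Bundle key and cert into the PFX that "signtool sign /f" expects
REM    (the question signs with selfcert.pfx but does not show this step).
pvk2pfx -pvk selfcert.pvk -spc selfcert.cer -pfx selfcert.pfx -po %PFXPASS%
if errorlevel 1 goto :fail

REM 3. Trust the cert in the LOCAL MACHINE stores, not the current user's.
REM    "Root" is Trusted Root Certification Authorities and "TrustedPublisher"
REM    is Trusted Publishers; the driver install consults the machine stores.
certmgr -add -c selfcert.cer -s -r localMachine Root
if errorlevel 1 goto :fail
certmgr -add -c selfcert.cer -s -r localMachine TrustedPublisher
if errorlevel 1 goto :fail

REM 4. Sign the catalog. Drop /uw if your SignTool predates that switch.
signtool sign /f selfcert.pfx /p %PFXPASS% /uw ^
  /t http://timestamp.verisign.com/scripts/timstamp.dll /v "%CATFILE%"
if errorlevel 1 goto :fail

REM 5. Verify the catalog against the default Authenticode policy and check
REM    that the INF is covered by it.
signtool verify /pa /v /c "%CATFILE%" "%INFFILE%"
if errorlevel 1 goto :fail

REM 6. Add the driver directory to DevicePath so Plug and Play searches it.
REM    DevicePath is REG_EXPAND_SZ; %SystemRoot%\inf must stay in front.
REM    This overwrites the value: if other paths are already listed there,
REM    append to them instead of using this fixed string.
reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion" /v DevicePath ^
  /t REG_EXPAND_SZ /d "%%SystemRoot%%\inf;%DRVDIR%" /f
if errorlevel 1 goto :fail

echo Driver package signed, trusted and staged in %DRVDIR%.
endlocal
exit /b 0

:fail
echo A step failed with errorlevel %errorlevel%; see the output above.
endlocal
exit /b 1
```

The `%%SystemRoot%%` doubling is deliberate: inside a batch file it writes the literal text `%SystemRoot%` into the REG_EXPAND_SZ value so that it is expanded by Windows at lookup time rather than by cmd when the script runs. Each step stops the script on failure, so a silent mistake such as the root landing in the wrong store cannot be masked by a later step that appears to succeed.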

Answers (1)

Oleg

Reputation: 222007

Be sure that you added selfcert.cer (Self Root CA) to local machine store and not to the user specific store. You can use

CertMgr.exe -add -c selfcert.cer -s -r localMachine AuthRoot

I developed the solution for one of my customers about 8 years ago and it still works. At the time I used an old version of SignTool which didn't have the /uw switch. I used just

SignTool.exe signwizard /v LXT52Xxp.cat

For troubleshooting I would recommend that you enable detailed SetupAPI logging (see here and here). It will show which drivers from which directory get picked up and whether the ranking of the driver is interpreted the same as "Microsoft signed".

Upvotes: 1
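A diagnostic script for the two checks the answer recommends: confirming that the root certificate is in the local machine stores rather than the current user's, and switching on verbose SetupAPI logging before the next plug-in attempt. This is an added example, not Oleg's or the questioner's code. It assumes certmgr.exe from the SDK is on PATH and that the certificate subject is "CN=Self Root CA" as in the question; the LogLevel registry value and the 0x2000FFFF setting are from my recollection of the SetupAPI logging documentation for XP and Server 2003, so check them against the logging pages the answer refers to before relying on them.

```batch
@echo off
REM Added diagnostic example (not from the answer). Assumptions: certmgr on
REM PATH, cert subject "CN=Self Root CA", LogLevel value as recalled from the
REM SetupAPI logging docs (verify before use).

REM certmgr without -add/-del lists a store. A hit under currentUser only
REM means the cert was added to the wrong place for a driver install.
echo === LocalMachine\Root ===
certmgr -s -r localMachine Root | findstr /c:"Self Root CA"
echo === LocalMachine\TrustedPublisher ===
certmgr -s -r localMachine TrustedPublisher | findstr /c:"Self Root CA"
echo === CurrentUser\Root ===
certmgr -s -r currentUser Root | findstr /c:"Self Root CA"

REM Verbose SetupAPI logging on XP / Server 2003: LogLevel under the Setup
REM key, 0x2000FFFF = maximum verbosity, written unbuffered (assumed value).
REM The log is written to %SystemRoot%\setupapi.log.
reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup" /v LogLevel ^
  /t REG_DWORD /d 0x2000FFFF /f
if errorlevel 1 echo Could not set LogLevel; run from an elevated prompt.

echo Plug the device in now, then read %SystemRoot%\setupapi.log: look for the
echo entries that report which INF was found, in which directory, and whether
echo its signature was accepted or the driver was treated as unsigned.
```

The store listing is the quick way to settle the point in the answer: if "Self Root CA" shows up only under currentUser, the certmgr command the answer gives (with -r localMachine) is the fix. Once the device has been plugged in with verbose logging on, the log entries for the driver search and signature verification tell you directly whether C:\gendex was searched and how the self-signed catalog was ranked.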
