Work around driver signing requirement in 64-bit Windows Vista/7/2008
Mark Minasi’s excellent newsletter #76 provides a great solution for working around the signed-driver requirement in 64-bit versions of Windows Vista/7/2008. The solution ultimately boils down to self-signing those drivers that you absolutely need to run (and trust) that aren’t already signed.
Below is a partial excerpt of the article. Read his full solution here.
From newsletter #76:
Solving 64-Bit Windows’ "I Only Want Signed Drivers!" Tantrums
I love 64-bit Windows. I love the ability to stick 8 gigs of RAM on a laptop, allowing me to run several virtual servers, each of which I can equip with 1.5 GB of RAM. (Life’s too short to wait for Server 2008 to get things done in 512 MB of RAM, y’know?) I love how much snappier Adobe Lightroom is when it’s no longer shackled to the 2 GB limits that 32-bit Windows requires. And I especially love that the main problem with 64-bit Windows — the lack of 64-bit drivers — is largely a thing of the past, save for those cases where vendors use the new architecture as a way to force you to upgrade (and yes, I am talking to you, HP printer division and Cisco VPN folks).
Once in a while, though, I run up against the thing that I most don’t like about 64-bit Windows: the iron rule of driver signing. Ever since XP and 2003, the 64-bit versions of Windows have refused to load kernel executables or device drivers unless those executables and drivers are digitally signed. Load a driver that’s not signed, and 64-bit Windows pops up some scary-looking message essentially saying, "take a walk, buddy, and take your unsigned driver with you… I mean you don’t really know where this thing’s been, do you?" You can get around it by pressing F8 every time you boot and disabling driver signing, but that’s a pain. There was once, briefly, a setting in bcdedit that would let you tell Windows to always skip driver signing, but Vista SP1 put an end to that — and besides, I don’t want Windows to ignore checking the signatures on all drivers, I just want it to allow me to run the occasional unsigned driver.
Look, I understand the whole thought process behind this totalitarian approach, which I understand runs something like this:
- Unsigned drivers cause the vast majority of Windows bluescreens.
- Unknowing users don’t know that, and so blame Microsoft for blue screens
- This really irritates people at Microsoft and in particular Dave Cutler, Windows’ Architectus Maximus
- Dave wants to make it easy to finger the culprit of any given blue screen
- Signing a driver carries with it something of a statement of personal confidence in that driver (and here, I feel, is where the whole thing falls down a bit: signing a driver says you wrote it, not that it lacks bugs), so…
- 64-bit Windows requires that all drivers and kernel executables be signed.
It all just seems a bit heavy-handed for my taste — sort of like, oh, say, scaring a large room full of people into thinking that you’ve just released a bunch of malaria-infected mosquitoes into the air to make a point about poverty. Anyway, this month I wanted to offer a workaround for those who run 64-bit systems and really need to run an unsigned driver now and then. The workaround? Create your own driver signing certificate and sign the driver or application yourself! Here are the steps.
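The flip side of the workaround described above is auditing for it. The following PowerShell script is an added example and is not part of Minasi’s newsletter or his steps: it inventories the driver files under System32\drivers, reports their Authenticode status, flags drivers whose signing certificate is self-signed (issuer equals subject, which is what a home-made driver-signing certificate looks like), and checks the current boot entry for the bcdedit options that relax signature enforcement. It assumes an elevated PowerShell session on 64-bit Windows; the `$driverDir` path and the output column names are my own choices.

```powershell
# Added example (not from the newsletter): audit driver signatures and
# boot-time enforcement settings. Run from an elevated PowerShell prompt.
$driverDir = Join-Path $env:SystemRoot 'System32\drivers'

$results = Get-ChildItem -Path $driverDir -Filter *.sys -File |
    ForEach-Object {
        $sig  = Get-AuthenticodeSignature -FilePath $_.FullName
        $cert = $sig.SignerCertificate
        [pscustomobject]@{
            Driver     = $_.Name
            Status     = $sig.Status            # Valid, NotSigned, HashMismatch, ...
            Signer     = if ($cert) { $cert.Subject } else { '(none)' }
            # A self-signed signer is a sign that someone applied the
            # "make your own certificate" workaround on this machine.
            SelfSigned = [bool]($cert -and $cert.Subject -eq $cert.Issuer)
        }
    }

Write-Host '== Drivers without a valid signature =='
$results | Where-Object { $_.Status -ne 'Valid' } | Format-Table -AutoSize

Write-Host '== Drivers signed with a self-signed certificate =='
$results | Where-Object { $_.SelfSigned } | Format-Table -AutoSize

# Boot options that weaken enforcement: 'testsigning' accepts test-signed
# drivers and shows the Test Mode watermark; 'nointegritychecks' skips
# signature checks entirely. Neither should be 'Yes' on a production host.
Write-Host '== Boot configuration (current entry) =='
bcdedit /enum '{current}' | Select-String -Pattern '^(testsigning|nointegritychecks)\s'
```

Two caveats when reading the output. Many in-box drivers carry no embedded signature and are signed through a Windows catalog instead, so a `NotSigned` status from `Get-AuthenticodeSignature` on a Microsoft-shipped file may only mean "no embedded signature"; older PowerShell builds do not consult catalogs, so confirm those entries with `signtool verify /a /v` or `sigcheck` before treating them as unsigned. Second, a self-signed certificate that has been added to the Trusted Root store will show `Status = Valid`, which is exactly why the script looks at the subject/issuer pair rather than trusting the status alone.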