Only Signed Drivers To Run on Vista X64

In the latest shocker to hit the driver development community, it seems that Microsoft has decided that only signed drivers will be loadable on 64-bit Windows Vista systems.

In a paper released today (19 January) on the WHDC website, Microsoft indicated that for Windows Vista "unsigned kernel-mode software will not load and will not run on x64-based systems." This is in addition to the fact that users without administrator privilege, on any Vista system (32-bit or 64-bit), will not be able to load unsigned drivers.

These announcements, which took most of the driver development community by surprise, follow closely last month's announcement that KMDF would not run on Windows 2000 systems.  While the KMDF decision is being "reconsidered" according to Microsoft sources, we can't imagine the same happening for Vista driver signing.

Note that Microsoft's statements do not mean that drivers must pass WHQL testing to be loaded. While getting the Design For Windows logo by passing the WHQL tests is one option, developers can obtain a Publisher Identity Certificate (PIC) from Microsoft and use that to sign their code. Prerequisite to obtaining a PIC is an organization having a Class 3 Commercial Software Publisher Certificate issued by Verisign. What? Your org doesn't use Verisign for their PKI infrastructure? Apparently that's just too bad. The necessary certification is only $500 (valid for a year), which shouldn't present a burden for most companies.

With bombshells like this one being dropped only months before Vista's release, we can't wait to see what the next few months will bring.

Related Articles
Getting DbgPrint Output To Appear In Vista and Later
Feb CTP (5308) Symbols Now Available on Symbol Server
USB 2.0 Debugging
Disabling User Account Control on Vista
No More x86 Only Submissions to WHQL
Power Play - Power Management Changes in Vista
Take Two - x64 Driver Signing
Just Sign Everything - What to Sign and How to Sign It for Vista
What is Coming with Vista - Limited User Access
Write No Code...Get a GUI - Vista Power Plan Integration

User Comments

"It's not all that bad..."
Let's be honest. The number of people that will really *need* to install unsigned 64-bit drivers is minuscule in comparison with the number of uneducated users who don't understand that double-clicking that "way cool attachment" they got via email will install rootkits on their system. If professionals can't afford $400 per year, I think they need to reconsider their business model. And for the students and hobbyists out there who don't have a budget -- just plug in the kernel debugger or hit F8 before boot.

Re: Ouch

I think you were on the wrong page. Code signing certificates are only $499/year. Take a look here:

http://www.verisign.com/products-services/security-services/code-signing/digital-ids-code-signing/index.html

I think Microsoft leverages Verisign's "due diligence" process to make sure some bozon virus writer won't end up with a PIC. Or at least, if they do, there will be an evidence trail leading directly to the culprit.

Re: Chilling

If you have a driver for a piece of old hardware that needs to be signed, you can buy one certificate and timestamp the file(s) you're signing, so the signature is good even after the certificate expires.

01-Mar-06, Dan Germann


"Chilling"
I'm surprised there seems to be so much acceptance of this.

I can understand having an option to reject unsigned kernel mode code that administrators can choose to employ, but for MS to tell me what I can and can't run on my own PC...That's not right.

I've written a driver for a piece of hardware whose manufacturer is long gone. Now MS is telling me that if I want to run this driver on my PC in Vista x64, I have to pay hundreds of dollars to Verisign each year?

Be careful. The road we're on likely ends with future versions of Windows requiring _all_ code to be signed. That'll have chilling effects on open source, independent and shareware developers.

25-Feb-06, Marc Klenotic


"Only Signed Drivers To Run on Vista X64"
It sucks. Another reason MS will go into oblivion. I hate to say this but Linux is the way to go.

22-Feb-06, John Chiu


"Signing filter driver"
That's great but what about the non-AV file system filters? We don't have a program.

10-Feb-06, Jerry Kelley


"Ouch"
What's with the insistence on verisign?

Their certificates are far from cheap... Clicking on 'buy' presents you with a nice bill for $1,295. I pay $100 a year for our non-verisign ones that work perfectly.

btw. the only place I can find 'Class 3 Commercial Software Publisher Certificate' is in their insurance plan.. they don't appear to sell them under that name on their website.

08-Feb-06, Tony Hoyle


"Test Test Test"
Let's hope that the quality of the software tests from Microsoft that we need to pass increases too! What about making some of the tests open source so that we as Developers can develop better tests and then supply the changed code to Microsoft?

03-Feb-06, William Jones


"One more result of viral attacks on the OS"
This shouldn't really be unexpected (although the timing sucks); it's just one more way that the big M is responding to criticism about the security of the OS.

It's interesting to speculate that what we'll see is an increased push by MSFT to move everyone to 64-bit hardware, whether they need it or not. They have a lot more headroom to support things like prohibiting hooking and requiring signing (and supporting the memory necessary for the new Vista UI) with 64-bit hardware.

24-Jan-06, David Beaver


"Only Signed Drivers To Run on Vista X64"
I'm actually OK with this one. Just as long as they don't change their minds about WHQL testing.

20-Jan-06, Mike Yoke

