How to Release-Sign File System Drivers
Updated: April 23, 2008
Kernel-mode driver binaries for 64-bit versions of Windows Server 2008 and Windows Vista must be signed, or Windows will not load the binary. This requirement applies to file system drivers, including minifilters, legacy filters, and redirectors. Some drivers can meet this requirement by including a signed catalog file for the driver package. However, all boot-start and system-start driver binaries must be embedded signed to improve system boot performance.
Because non-Plug and Play drivers such as file system drivers do not require a signed catalog file, the most generic approach to signing is to embedded-sign the driver binaries. This driver tip provides basic information on signing for file system drivers, including a detailed walkthrough of the embedded-release signing process.
The walkthrough is based on the Windows Driver Kit (WDK) Minispy sample, which is located in the WDK's minispy directory. For example, for the Windows Server 2008 version of the WDK, the sample is typically located at C:\WinDDK\6001\src\filesys\miniFilter\minispy.
For general background information regarding file system driver signing, see the IFS "
File System Driver Signing" presentation.
Before You Start
To prepare your system:
The walkthrough uses the following terms:
|mySPCfile.spc||Your public key certificate file.|
|myPVKfile.pvk||Your private key certificate file.|
|myPVKpassword||The password for the private key certificate file.|
|myCrossCert.cer||The correct cross-certificate file for your SPC.|
|CN Value||The CN value of the SPC (in the Personal certificate store).|
Tip: Do not copy and paste command syntax from this content. This can result in incorrect characters in your command line.
The following procedures use the WDK's Minispy sample to demonstrate the process.
Sign the Minispy Driver
The signing operation has three basic phases:
Prepare the driver and certificates.
Sign the driver.
Verify that the driver installs correctly.
To prepare the Minispy driver sample and the signing certificates
Open a WDK build environment window with elevated privileges.
Note: Because signing tools and signatures do not depend on the particular Windows version, you can use any WDK build environment window to sign your drivers.
Use the WDK build utility to build the Minispy driver sample. For details, see "Minispy Minifilter Sample" in a local installation of the WDK documentation.
Create a folder named C:\MinispyPkg and copy the driver package files—minispy.exe, minispy.sys, and minispy.inf—from the project’s target folders to MinispyPkg.
Create a folder named C:\MyCerts and copy mySPCfile.spc and myPVKfile.pvk to that folder.
Navigate to C:\myCerts and run the following command to convert the .pvk and .spc files to a system-usable .pfx file—myPFXfile.pfx:
pvk2pfx -pvk myPVKfile.pvk -pi myPVKpassword -spc mySPCfile.spc -pfx myPFXfile.pfx -f
Use Certutil to install myPFXfile.pfx into the current user's Personal certificate store by running the following command :
certutil -user -p myPVKpassword -importPFX IfsSPC.pfx
Be sure to record the CN value returned by Certutil. You can also accomplish the preceding task by double-clicking the .pfx file to run the Certificate Wizard and using the wizard’s default values.
Note: Certutil is included with Windows Vista and most Windows server operating systems, including Windows Server 2008. Certutil is not included with Windows XP, but you can copy the tool from another computer or install the Windows Server 2003 SP1 Administration Tools Pack. For more information on the Tools pack, see "
Windows Server 2003 Administration Tools Pack."
To embedded-sign the Minispy driver’s binary file
Navigate to c:\minispyPkg and run the following Inf2Cat command to validate the driver package’s INF file for the target Windows version:
inf2cat /driver:C:\minispyPkg /os:Vista_X6
From c:\minispyPkg, run the following SignTool command to sign the driver binary file—minispy.sys:
signtool sign /v /ac c:\minispyPkg\myCrossCert.cer /s my /n "CN Value" /t http://timestamp.verisign.com/scripts/timestamp.dll minispy.sys
Note: If you do not have the SPC’s CN value, you can obtain it from the Microsoft Management Console (MMC) Certificates plug-in. To open the plug-in, run the following command:
Validate the signature by running the following SignTool command:
Signtool verify /v /kp minispy.sys
This command displays the certificate chain. The following example shows the certificate chain for a VeriSign code-signing certificate and the Microsoft/VeriSign cross-certificate:
Note that in this example, the top certificate is the one with the least indentation.
Important: If the Microsoft Code Verification Root is not the top certificate, you have not successfully signed your binary with a cross-certificate.
To verify that the signed Minispy driver installs correctly
Install the driver on a 64-bit Windows Server 2008 or Windows Vista system by right-clicking minispy.inf in Windows Explorer and then clicking Install.
Load the signed driver by running the following fltmc command:
Note that the name used to load the driver ("minispy" for this example) is the ServiceName value from the driver’s INF file. You can also load the driver by running the '
net start minispy' or '
sc start minispy' commands.
Verify that the signed driver has successfully loaded by running fltmc without arguments, to display the list of loaded filters:
Unload and uninstall the signed driver by running the following command:
rundll32 setupapi,InstallHinfSection DefaultUninstall 132 C:\minispyPkg\minispy.inf
Note: To verify that the driver was successfully unloaded and uninstalled, run fltmc again.
How to Sign by Using a Hardware Security Module
Private keys are a valuable asset and should be carefully secured against compromise. A recommended practice is to keep private keys in a hardware security module (HSM). This reduces the risk of a private key becoming compromised, even if the computer on which the HSM is used becomes compromised. For details on how to manage public and private keys, see "
Code-Signing Best Practices."
To sign minispy.sys when myPVKfile.pvk is stored in an HSM, run the following SignTool command:
signtool sign /v /ac c:\minispyPkg\myCrossCert.cer /s my /n "CN Value"
/csp "Cryptographic Service Provider Name" /kc "KeyContainerName"
/t http://timestamp.verisign.com/scripts/timestamp.dll minispy.sys
Important: Any names that contain spaces must be in double quotes.
Note: The procedures for importing the private key to the HSM are vendor specific, as are the cryptographic service provider name and the key container name.
For more information:
Code-Signing Best Practices
How to Get the Windows Driver Kit and the Windows Logo Kit
Windows Server 2003 Administration Tools Pack
Microsoft Cross-Certificates for Windows Vista Kernel Mode Code Signing
For a video presentation of the above material (recorded January 2008 at IFS Plugfest 18), see
"File System Driver Signing" (Discussion begins at time index 09:34). The slides from the presentation can be downloaded
For a general discussion of driver signing, see
"Kernel-Mode Code Signing Walkthrough."