Microsoft Windows Driver Signing Requirements

Last Revision Date: 6/21/2016

This article describes the driver signing requirements for various Microsoft operating systems.       

Much of the information in this article was drawn from the Summary of Windows Kernel-mode Driver Signing Requirements article that can be found on the Microsoft web site at:

http://msdn.microsoft.com/en-us/library/windows/hardware/dn653563(v=vs.85).aspx

The WHQL (Windows Hardware Quality Labs) driver signing process involves a driver qualification process followed by a submission to Microsoft. In addition to allowing the user to ensure the validity of the driver source, this process is aimed at guaranteeing a positive experience with the driver. The qualification process involves a rigorous series of steps that test the driver’s interaction with a variety of standard operating system events. The goal of this process is to make sure that the driver behaves correctly when integrated with the rest of the operating system.

The signing process differs amongst the various operating systems. Therefore, users can expect to find a variety of different versions of the signed driver included with software distributions. Each of these drivers will consist of 3 components:

    • The driver (.sys) file
    • The driver information (.inf) file
    • The security catalog (.cat) file

Driver signing requirements depend on the version of the operating system in question. Older versions of Windows made it possible to effectively work around these requirements. Although there are still configurations under which it is possible to get unsigned drivers to work with the latest generation of Windows, WHQL signing has effectively become a requirement.

The following table outlines the driver signing requirements:

The columns correspond to the four signing levels:

    • Unsigned: No signing process performed. Priority 0 (lowest)
    • Self-signed: Signed with a manually generated certificate. Priority 1
    • Authenticode-signed: Signed with a certificate that was purchased from a known entity such as Verisign. Priority 2
    • WHQL-signed: Signed by Microsoft. Priority 3 (highest)

| Windows Operating System | Unsigned | Self-signed | Authenticode-signed | WHQL-signed |
|---|---|---|---|---|
| 2000 | All Users: Warning issued before installing | All Users: Warning issued before installing | All Users: Warning issued before installing | All Users: Clean install |
| XP x86 | All Users: Warning issued before installing | All Users: Warning issued before installing | All Users: Warning issued before installing | All Users: Clean install |
| XP x64 and Server 2003 | All Users: Warning issued before installing | All Users: Warning issued before installing | All Users: Will install based on trust level and administrative settings | All Users: Clean install |
| Vista x86 to Windows 10 x86 | Normal Users: Cannot install; Administrator: Warning issued before installing | Normal Users: Cannot install; Administrator: Warning issued before installing | All Users: Will install based on trust level and administrative settings | All Users: Clean install |
| Vista x64 to Windows 10 x64 | All Users: Will only load on designated test machines | All Users: Will only load on designated test machines | All Users: Will install based on trust level and administrative settings | All Users: Clean install |

Which driver will be installed?

The table above does not show how the operating system chooses between two drivers that are both compatible with the same device. That decision process can be summarized as follows:

    • Select the driver that meets the highest priority class.
    • If the priority classes are the same, select a driver which explicitly names the device in the driver information file over one which uses a generic hardware identifier.

The details of this process are important to note because the installation of the wrong driver can result in a non-functional system.
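
The two selection rules above, modelled in Python as an added example (not code from the original article or from Microsoft). It follows only the article's summary rather than the operating system's full ranking logic; the INF parsing is simplified, and the device identifiers and package names are constructed.

```python
from dataclasses import dataclass

# Priority classes as given in the signing table (higher wins).
PRIORITY = {"unsigned": 0, "self-signed": 1, "authenticode": 2, "whql": 3}

@dataclass
class DriverPackage:
    name: str       # constructed label
    signing: str    # a key of PRIORITY
    inf_text: str   # contents of the package's .inf file

def inf_hardware_ids(inf_text):
    """Return the identifiers on 'desc = install-section, id[, id...]' lines.

    Simplified: assumes the INF text holds only a models section.
    """
    ids = []
    for raw in inf_text.splitlines():
        line = raw.split(";", 1)[0].strip()          # strip INF comments
        if line.startswith("[") or "=" not in line:
            continue
        fields = [f.strip() for f in line.split("=", 1)[1].split(",")]
        ids.extend(f.upper() for f in fields[1:] if f)  # fields[0] = install section
    return ids

def select_driver(packages, device_id, generic_ids):
    """Rule 1: highest priority class. Rule 2: explicit device match wins ties."""
    generic = {g.upper() for g in generic_ids}
    ranked = []
    for pkg in packages:
        ids = inf_hardware_ids(pkg.inf_text)
        explicit = device_id.upper() in ids
        if explicit or generic.intersection(ids):    # skip INFs that do not cover the device
            ranked.append((PRIORITY[pkg.signing], explicit, pkg))
    if not ranked:
        return None
    return max(ranked, key=lambda r: (r[0], r[1]))[2]

# Constructed sample data: identifiers and package names are made up.
DEVICE, GENERIC = r"USB\VID_1234&PID_5678", [r"USB\Class_FF"]
SAMPLE = [
    DriverPackage("specific, self-signed", "self-signed",
                  "[Models]\n" r"%Dev% = Install, USB\VID_1234&PID_5678 ; names the device"),
    DriverPackage("generic, WHQL", "whql", "[Models]\n" r"%Dev% = Install, USB\Class_FF"),
    DriverPackage("specific, WHQL", "whql",
                  "[Models]\n" r"%Dev% = Install, USB\VID_1234&PID_5678, USB\Class_FF"),
]

if __name__ == "__main__":
    print(select_driver(SAMPLE[:2], DEVICE, GENERIC).name)  # rule 1 decides
    print(select_driver(SAMPLE, DEVICE, GENERIC).name)      # rule 2 breaks the tie
```

With only the first two packages, the generic WHQL-signed driver is chosen over the self-signed one that names the device, which is the case where a generic driver can displace the vendor's intended one.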