Windows 7 prevents installation of system drivers
Background of the problem - SHA1 and SHA2 support
In recent years, several changes have been made to how Windows verifies drivers during installation. The long-used SHA1 certificates are no longer trusted and have been replaced by SHA256 certificates. Moreover, with Windows 10, the requirements have been tightened further and drivers must be signed with an EV certificate (Extended Validation Certificate).
The certificate requirements for each version of Windows are described in the table below.
For clarification: all TEDIA drivers have been dual-signed with SHA1 + SHA256 since 2015, and since October 2017 they are also available with an EV certificate.
Issue description
During 2017, a number of Windows 7 users contacted TEDIA technical support about a problem installing new device drivers; Windows rejected the drivers as unsigned with the alert message shown in the picture below.
In the 32-bit version of Windows 7, the warning could be ignored and the driver installed, but the 64-bit version does not allow installation at all.
However, this is not a driver issue; the problem is caused by missing system updates.
As can be seen in the table below, Windows 7 stopped supporting SHA1 certificates on January 1, 2017 and no longer trusts any SHA1-signed driver. On an updated Windows 7, SHA256 support has been installed, and the system chooses the SHA256 certificate (see the paragraph about SHA1 + SHA256 dual signing above).
If Windows 7 has not been updated, it does not trust SHA1 certificates and cannot process SHA256 certificates.
So the solution is to update the system, or at least to install SHA256 support (see the table below).
Support for certificates with different versions of Windows
Operating System | SHA256 Support | Up through Dec. 31, 2015 | Jan. 1 - Dec. 31, 2016 | Jan. 1, 2017 + |
---|---|---|---|---|
Windows Vista | Limited Microsoft 2763674 | User Mode: SHA1, limited SHA256 download/install support with patch. Kernel Mode: SHA1 ONLY | User Mode: SHA1, limited SHA256 download/install support with patch. Kernel Mode: SHA1 ONLY | User Mode: SHA1, limited SHA256 download/install support with patch. Kernel Mode: SHA1 ONLY |
Windows Server 2008 | Limited Microsoft 2763674 | User Mode: SHA1, limited SHA256 download/install support with patch. Kernel Mode: SHA1 ONLY | User Mode: SHA1, limited SHA256 download/install support with patch. Kernel Mode: SHA1 ONLY | User Mode: SHA1, limited SHA256 download/install support with patch. Kernel Mode: SHA1 ONLY |
Windows Server 2008 R2 | With update Microsoft 2949927 | User & Kernel Mode: SHA1, SHA256 with hotfix | User & Kernel Mode: SHA256 with hotfix. Windows continues to verify SHA1 signed code which has been timestamped prior to Jan. 1, 2016. | User & Kernel Mode: SHA256 only (with hotfix). Windows no longer trusts any SHA1 signed code. |
Windows 7 | With update Microsoft 2949927 | User & Kernel Mode: SHA1, SHA256 with hotfix | User & Kernel Mode: SHA256 with hotfix. Windows continues to verify SHA1 signed code which has been timestamped prior to Jan. 1, 2016. | User & Kernel Mode: SHA256 only (with hotfix). Windows no longer trusts any SHA1 signed code. |
Windows Server 2012 | Yes | User & Kernel Mode: SHA1, SHA256 with hotfix | User & Kernel Mode: SHA256. Windows continues to verify SHA1 signed code which has been timestamped prior to Jan. 1, 2016. | User & Kernel Mode: SHA256 only. Windows no longer trusts any SHA1 signed code. |
Windows 8 | Yes | User & Kernel Mode: SHA1, SHA256 | User & Kernel Mode: SHA256. Windows continues to verify SHA1 signed code which has been timestamped prior to Jan. 1, 2016. | User & Kernel Mode: SHA256 only. Windows no longer trusts any SHA1 signed code. |
Windows 10 | Yes | User Mode: SHA1, SHA256. Kernel Mode: EV Code Signing cert + Microsoft Submission | User Mode: SHA256. Windows continues to verify SHA1 signed code which has been timestamped prior to Jan. 1, 2016. Kernel Mode: EV Code Signing cert + Microsoft Submission | User Mode: SHA256 only. Windows no longer trusts any SHA1 signed code. Kernel Mode: EV Code Signing cert + Microsoft Submission |

The content of this table has been taken from symantec.com.
How to verify which certificates the driver is signed with?
Information about the certificates, that is, the publisher's signatures, can be found in the file properties: right-click the driver file (SYS or DLL) and choose Properties => Digital Signatures. The picture below shows the file properties with two TEDIA signatures and one Microsoft signature.
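The same diagnosis from a PowerShell prompt, as an added example that is not part of the original article or TEDIA's own tooling: it reports whether the SHA256 support update listed for Windows 7 in the table (2949927) is installed and shows how Windows evaluates a driver file's signature. The driver path is a hypothetical placeholder; Get-AuthenticodeSignature reports only the primary signature, so for a dual-signed file the Digital Signatures tab remains the place to see all of them.

```powershell
# Added example. Works with the PowerShell 2.0 shipped in Windows 7.
param(
    # Hypothetical placeholder path; pass the real SYS/DLL files of the driver package.
    [string[]]$DriverFiles = @('C:\Drivers\example\driver.sys'),
    # Update named in the table above for Windows 7 / Server 2008 R2.
    [string]$Sha256UpdateId = 'KB2949927'
)

# Step 1: OS version, bitness, and presence of the SHA256 support update.
$os = Get-WmiObject -Class Win32_OperatingSystem
"{0} ({1}), version {2}" -f $os.Caption, $os.OSArchitecture, $os.Version

$hotfix = Get-HotFix -Id $Sha256UpdateId -ErrorAction SilentlyContinue
if ($hotfix) {
    "$Sha256UpdateId is installed (installed on: $($hotfix.InstalledOn))"
} else {
    # Get-HotFix lists individual updates only; a later rollup may provide
    # the same support under a different ID, so treat this as a hint.
    "$Sha256UpdateId is not listed; SHA256-signed drivers may be rejected as unsigned"
}

# Step 2: how this system evaluates each driver file's (primary) signature.
foreach ($file in $DriverFiles) {
    if (-not (Test-Path -LiteralPath $file)) {
        Write-Warning "File not found: $file"
        continue
    }
    $sig = Get-AuthenticodeSignature -FilePath $file
    New-Object PSObject -Property @{
        File          = $file
        Status        = $sig.Status          # Valid, NotSigned, NotTrusted, ...
        StatusMessage = $sig.StatusMessage
        Signer        = $sig.SignerCertificate.Subject
        # Algorithm used to sign the signer's certificate (e.g. sha1RSA, sha256RSA)
        CertAlgorithm = $sig.SignerCertificate.SignatureAlgorithm.FriendlyName
        Timestamped   = [bool]$sig.TimeStamperCertificate
    } | Select-Object File, Status, Signer, CertAlgorithm, Timestamped, StatusMessage
}
```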