How to distribute a windows kmdf driver to clients privately - windows

I'm very new to windows driver development.
I've written a KMDF windows driver and I'm able to test deploy it to my target machine using VS deploy. It worked fine and now I'd like to ship this driver with the application that uses this driver.
Here the problem comes... I couldn't find anything on Google that telling us how to distribute a KMDF driver(like making an installer). This driver is an upper class filter driver and it is only needed for my application so it should not be published to windows update.
My question is how to make something like an installer to distribute this driver? Thanks for any suggestion or tutorial.
EDIT 1
It is a fake device driver(meaning there is no physical device to drive)

Usually, device drivers for software won't be pushed out through Windows Update. There's exceptions for vendors like Intel, AMD, NVIDIA, but that is because of what those companies are and how popular/well-used they are (they will be working with Microsoft for such). You can't just have your driver pushed out via Windows Update.
You're going to need a digital signature to sign your kernel-mode software with as long as you're going to be distributing it onto machines using modern versions of Windows x64 (for the record, even Windows Vista x64 will enforce this requirement). This requirement will not be present on x86 versions of Windows as-of right now, but in all truth, it would be unethical to not sign your kernel-mode software anyway.
Starting on Windows 10 on a specific patch which was released really early-on, the requirement changed from having a normal digital signature which could work for signing kernel-mode binaries to it having to be an EV digital signature; to get your hands on an EV digital signature for kernel-mode software signing, you will undoubtedly need to be legally registered as a company (and likely require a company bank account as well).
See the following for more information about this.
https://blogs.msdn.microsoft.com/windows_hardware_certification/2015/04/01/driver-signing-changes-in-windows-10/
Here's the twist though... For systems which are using Secure Boot (new modern systems tend to have it enabled by default now, it is a security feature), you will need to have your kernel-mode software co-signed by Microsoft themselves. This will require you to share your kernel-mode software with Microsoft by uploading it via an online portal, but you'll still need your EV digital signature before you can move to that stage.
See the following for more information regarding the Microsoft co-signing requirement (depending on the environment):
https://www.osr.com/blog/2017/07/06/attestation-signing-mystery/
Note: Please do not try to come up with ideas to circumvent this (e.g. enabling Test Mode on a clients system and then using a Test certificate for your driver, or disabling Secure Boot on a system which relies on it... such work-arounds come with a huge price of reducing the security on the system, and should never be applied as a solution to this problem in the real-world).
For actually installing the device driver, you could programmatically use the .INF file with the Win32 API and then use the StartService routine to start the service post-installation with the .INF. Also see: https://msdn.microsoft.com/en-us/library/aa376957%28v=vs.85%29.aspx
Alternatively, you can register the service yourself with the CreateService routine and then start it with the StartService routine (or reboot and have it load on start-up depending on the flags for the service creation).
Bear in mind, sometimes using the Service Manager, you'll miss important things in registration for some driver types (e.g. Filesystem Minifilter), and you'd need to handle this manually otherwise it won't work. Check the .INF and make sure anything that needs to be done as an requirement is done when you use the Service Manager for installation (if you decide not to rely on the .INF).
Hope this helps you get to where you need to be.

Related

Monitor process resources on Windows CE 5.0

I'm developing a WinCE 5.0 application that uses two commercial libraries. When the application starts calling the second library it gets slowlier and then after some use, it hangs and the whole OS freezes. It has to be rebooted to work again. The thing is that I'm developing this without a physical device (a testing person installs each release and runs the tests) and without an emulator (the device provider is not facilitating an OS image).
My intuition tells me that the second library is using all the available resources (basically, handles and memory) for a WinCE 5.0 process. I have to prove this to the library vendor. So I wish to add to my logs some general process and system information. Could you recommend me which APIs to call to get this information in CE?
I would really appreciate any hint
Thanks in advance!
Windows CE provides a very robust set of APIs for a subsystem called CeLog. CeLog is what Kernel Tracker uses to collect and display it's information. You can get all the way down to scheduler calls and thread migrations if you want. The real danger with using CeLog is in collecting too much data so that making sense of it is difficult, but if you filter the collections to just your process, that should help. You could collect the data to a log file, then use Kernel Tracker to open and view that data.
Here are some good starting points for info:
Introduction to Remote Kernel Tracker
More on Remote Kernel Tracker
CeLogFlush.exe (particularly the section 'Collecting Data on a Standalone Device with CeLogFlush')
Implementing a Custom Event Tracking Library
Embedded Visual C++ 4 contained "Remote Performance Monitor" that could do just that. Microsoft retracted EVC4 as free download some time ago, but it can still be downloaded from MSDN or found on the internet.
With service pack 4 it should work for WinCE 5.0. It does not appear to work with Windows Embedded 6.0 and newer though.

Is it possible to install USB serial converter in Windows without administrator privileges?

I have got a piece of hardware which communicates with my program using an FT2232C USB serial converter. All works fine if the device has already been attached to a computer before and the drivers were installed using an administrator account. But that is not the usual case.
These devices will be attached and removed at will and it will also not always be the same device that will be attached to a particular computer. Also, most of the users will not have administrator privileges and the computers are not connected to a LAN.
It is possible to automatically push files to these computers and add registry entries.
Does anybody have got any pointers on how to make Windows believe the devices driver has already been installed? I am currently thinking along the lines of tracking all changes that the driver installer does to the Windows installation and making these changes without any user interaction. But maybe there is an easier way?
We are currently talking Windows XP but in the not so far future there will be more and more Windows 7 (64 bit) computers as well.
While you could "pre-install" the driver by doing all the changes to the registry yourself (under a SYSTEM account, not regular Administrator -- you can use SysInternals PsExec to do this), this wouldn't help you unless you'd preinstall it for all possible ports. (Only USB devices which have an embedded serial number can be installed just once. Others are installed per-port.)
Another option is to sign the driver. A signed driver installs silently without the need for administrative credentials.
Does the vendor driver come with a .cat file? (And is the .cat file WHQL-signed?) If yes, you don't have a problem. Just install the driver with the standard tools (e.g. DPInst).
If not, you can always generate your own WHQL certificate (you cannot BUY a WHQL certificate), push this to all computers (since you're an administrator, you can do this) and then use the regular Windows tools (e.g. DPInst) to place the driver in the machines' driver stores. To generate the certificate, use CertUtil.exe and make sure you specify the "Windows System Component Verification" EKU. To sign the driver, use MakeCat.exe and SignTool.exe.
The best method with XP for the timebeing is to get hold of the administrator password, I used the following method a few months back and it has been brilliant, there is free software and instructions available here:
http://www.loginrecovery.com/

What do you need on a Windows PC if you use a library that uses OpenGL?

I am looking at adding 3D functionality into my application. For this I will probably use the QtOpenGl library, but it's not entirely clear if this requires anything special on my customers' PC's.
Will my customers need an OpenGL video card?
Will my customers need an OpenGL driver?
Is a minimum Windows release required?
Or does it require something else to be installed on the customers' PC's (besides Qt itself)
Or will it run out of the box?
Thanks
Will my customers need an OpenGL video card?
Not neccessarily, there's always the software rasterizer fallback.
Will my customers need an OpenGL driver?
Preferrably. But there's always the software rasterizer fallback.
Is a minimum Windows release required?
Yes, Windows NT 4 or Windows 95B
Or does it require something else to be installed on the customers' PC's (besides Qt itself)
Ideally the customer has installed the drivers for his graphics card, as they are distributed by the graphics card maker. Until Windows Vista this was the case anyway. Since Windows Vista, Windows ships with stripped graphics drivers: Microsoft has that policy to remove the OpenGL-ICD from the bundled drivers. So customers have to install the original drivers from the vendor directly. Without vendor OpenGL-ICDs you'll only have the OpenGL-1.4 emulation shipping with Windows Vista/7. For anything beyond, the customer must install the original drivers.
Or will it run out of the box?
Most likely, but the performance may not be the best, if the vendor drivers have not been installed. My recommendation: Do it like the games: Upon programm start detect which graphics card is present and if the right drivers are installed, and if not, inform the user about it and offer to go to the vendors website to download and install the right driver for his box (that's how I do it).
All modern computers support OpenGL, according to their web site. From personal experience, it will run out of the box with no additional setup required, but you will have to distribute an additional DLL file (QtOpenGL.dll) with your program.

Kernel driver signing

I have done a great deal of looking around, and I can't seem to get a straightforward answer to this issue.
I am hobbyist programmer, I have done a great deal of work with windows drivers, and wrote my own personal 'antivirus' driver for windows XP. So don't get me wrong here, I don't work for any software development firm or anything of the like.
My question is: as far as windows 7 x64 is concerned, is there any possible legit and legal method I can use to release sign my driver that would only be for my own personal use?
Yes I am well aware I can test sign my driver and run it in a virtual machine under windows test mode, which I do quite frequently. However if you have used windows in test mode you know there are some major drawbacks.
So to to sum this all up, is it possible for me ( a hobbyist ) to release sign a driver for my own personal use and not have to deal with windows test mode?
Thanks.
If it's a boot time required driver, I don't think there is a way you can get it to use it without signing it with a certificate from a Microsoft sanctioned provider (Verisign only I think for drivers?).
If this is a normal device driver that isn't required at boot you can create your own certificates and use those instead. I did it myself for Vista x64 to get an HP ScanJet driver to work from XP x64 by signing the .sys and the .inf files.
I used Active Directory Certificate Services on my domain to issue a Code Signing certificate for my use and had my machine trust the ADCS CA certificate. These two actions will cause Windows to trust your signed driver.
I believe you could use OpenSSL to create a CA certificate and issue code signing certificates with that, but I've had no practice with it.
Again, to reiterate, if this driver is required at boot then this method will not work, if it's used for a device which can be attached at anytime, it should work.
You can have the ReactOS Foundation do it for you.
Please refer to my answer to this post: Windows 7 kernel driver signing.
So to to sum this all up, is it possible for me ( a hobbyist ) to release sign a driver for my own personal use and not have to deal with windows test mode?
Yes.
For boot time drivers: Go to VeriSign, buy the (only?) code signing certificate ($500), and sign your driver.
For non-boot drivers: You can self-sign, with appropriate warnings.

Rescan device tree for hardware changes during Driver installation

I'm using InstallShield to install my application, a driver and a service.
I need to install the plug-N-play driver only if it's hardware ID was found in the device manager. The driver installation is done using DPInst.exe.
My problem, is that a user can sometimes manually uninstall the driver (After it was installed or even uninstall the "Unknown driver" under "Other devices") and then I can't find the hardware ID in the device tree, although the device is plugged.
If I rescan the device tree during installation using CM_Reenumerate_DevNode_Ex (The code equivalent of "Scan for new hardware"), I can find the hardware ID but this brings up the "Found new hardware wizard".
Is there anyway to rescan the device tree but suppress the "Found new hardware wizard" or to avoid rescanning but still making sure my device hardware ID is present in the system?
I'm writing a new answer since we already have too many comments on my older one, and its content was based on a small misunderstanding of the situation.
The actual problem, as I understand it now, is the "Add new hardware" wizard that pops-up when rescanning for devices, before installing your driver. Unfortunately, this wizard pops-up whenever no suitable driver is found to handle a new device in the system, so in order to overcome it, the only option is to make sure that such a driver exists in the system. This leads to two possible solutions that I can see:
Go for a software first installation, and make sure that your driver is suitable for the device (the inf is well formed, and you have WHQL signing). As far I understand, this is not an option, because you do not want to install the driver on machines that don't have the device connected (I would love to hear why).
Make sure that some other driver in the system is suitable to handle it. In that case you need to choose one of the built-in drivers (one that wouldn't wreak havoc if it were to act as a function driver for your device), and give your device a matching compatible ID - one that would cause the built-in driver to be found suitable. This way you will not have to wait for the user after re-scanning for devices, but depending on your device, finding a fitting built-in driver might be impossible.
It sounds like you're going about it the wrong way. If you have an MSI based installation, why not use DIFxApp instead of DPInst?
As for the "Found new hardware" wizard, you'll need two things here:
Make sure that your inf file is correct (so that your driver is associated with the hardware id)
Get a WHQL signature from MS. This step is needed for XP, as untrusted drivers will not be automatically assigned to devices. With Vista and 7 you can digitally sign the driver yourself, but you'll get a warning during installation, asking the user whether he/she wishes to trust this publisher (you).

Resources