Before you start
Objectives: learn how to check that drivers are compatible with XP, and how to use available tools to check that drivers are signed (sigverif, driverquery, sfc).
Prerequisites: you have to know what drivers are.
Key terms: driver, system, signed, check, tool, verification, signature
Quality of Drivers
Driver quality is a real concern, because drivers can cause system instability or can contain viruses. Because of that, Microsoft came up with a way to help us ensure the quality and compatibility of the device drivers on our system. This feature is known as Driver Signing. Driver signing is intended to ensure that the device software is compatible with Windows XP and that nobody has tampered with the drivers (that nobody has inserted malicious code).
Since not all hardware manufacturers are on board with Driver Signing, it is important that we can allow or deny the installation of unsigned drivers on the system. In XP, Microsoft provided us with three levels of control for installation of unsigned drivers. These levels are Block, Warn and Ignore. To manage these settings, go to the Start Menu, right-click My Computer, select Properties, go to the Hardware tab and then click on Driver Signing.
Image 207.1 – Driver Signing Options
The Block level will block the installation of any unsigned driver on the system. This will ensure that drivers are always compatible with the system, and that our drivers don’t have any viruses. The negative side of this is that many manufacturers are not on board with driver signing, so if we want to use the latest drivers, they may not be available. The Warn level will give us a warning when we try to install an unsigned driver. The criterion here is whether we trust the source where we got our driver from. The Ignore level will simply install all the drivers without prompting us for our approval. Of course, we would recommend that at least the Warn level is enabled.
We can make any of these levels the default setting throughout our system. To do that, simply check the ‘Make this action the system default’ option. Another way to enforce driver signing is through GPOs. We can do this either at the local level or at the domain level, which makes it easy to manage driver signing throughout our organization. Group membership also gives us a little bit of control over driver signing. Remember, only members of the Power User group (and up) have the ability to install software. As a result, only Power Users and Administrators can install drivers.
Driver Verification Tools
Microsoft also provided useful tools to check if the drivers are signed. The first of these tools is Sigverif.exe, which is used to check whether files are signed or not. Another utility that we can use is Driverquery.exe, which enables us to check existing drivers on the system (it is a command-line tool, so use the ‘/si’ switch to check driver signing). Another utility that we can use is Msinfo32.exe, which can show us information for all our drivers (like dates, manufacturers, and also whether they are signed or not). Another command-line utility that we can use is Sfc.exe. Normally, Sfc.exe allows us to check the system files and verify their integrity. The thing is, sometimes drivers can overwrite key system files. We can use the Sfc.exe /scannow command to see if our system files have been overwritten or become corrupted when we installed new drivers, especially when we installed unsigned drivers.
File Signature Verification Tool (sigverif)
The first tool is the File Signature Verification tool. Let’s go to the Run command, type in ‘sigverif‘, and click the OK button to run the File Signature Verification tool. By default, this tool checks all system files in the Windows directory. To limit this search a little bit, click on Advanced, browse to System32, and select the ‘drivers‘ folder. This will limit the search to the drivers folder and its sub-folders (if we check the ‘Include sub-folders’ option). Click ‘Start’ to start the file signature verification process.
Image 207.2 – File Verification
In our case, all our files are verified as digitally signed. Otherwise, this tool would show us a list of unsigned files.
Another way we can verify digital signatures for driver files is through the Driver Query program. To run this program, we need to go to the Run command and open the Command Prompt. To do that, type in ‘cmd‘ in the Run menu and click the OK button. Next, we need to type in ‘driverquery‘, and then provide the ‘/si‘ switch. The ‘/si’ switch reports back the signature status.
Image 207.3 – Driverquery Result
As you can see, we have a column named ‘IsSigned‘. If we look down the list, in our case all our drivers are signed. This column shows us exactly which device does not have a signed driver.
Another tool that we can use to find the same information is ‘msinfo32‘. Again, we will go to the Run command, type in ‘msinfo32’, and click the OK button. Now, we need to browse to Software Environment, and then to the Signed Drivers section.
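On a system with many drivers it is easier to filter the ‘IsSigned’ column with a script than to read it by eye. The following is an added example, not part of the original lesson: it parses the CSV form of the report (produced with ‘driverquery /si /fo csv’) and separates signed, unsigned and unclear entries. The sample rows are constructed, and every column name other than ‘IsSigned’ is an assumption about the report layout.

```python
import csv
import io

# Constructed sample in the shape of `driverquery /si /fo csv` output
# (not captured from a real system; device and vendor names are made up).
SAMPLE_OUTPUT = '''"DeviceName","InfName","IsSigned","Manufacturer"
"ACPI Uniprocessor PC","hal.inf","TRUE","(Standard computers)"
"Example USB Capture Device","oem12.inf","FALSE","Example Vendor, Inc."
"Example Network Adapter","oem3.inf","TRUE","Example Networks"
"Example Virtual Audio Cable","oem15.inf","N/A","Example Audio Ltd"
'''

# Assumed column names; only IsSigned is named in the lesson itself.
REQUIRED_COLUMNS = {"DeviceName", "InfName", "IsSigned", "Manufacturer"}


def parse_driverquery(text):
    """Parse the CSV report into a list of dicts, one per driver."""
    reader = csv.DictReader(io.StringIO(text.strip()))
    if not REQUIRED_COLUMNS.issubset(reader.fieldnames or []):
        raise ValueError("unexpected columns: %r" % (reader.fieldnames,))
    return list(reader)


def classify(rows):
    """Group drivers by signature status.

    Anything that is not clearly TRUE or FALSE goes to 'unknown' so that
    it is reviewed by hand instead of being silently counted as signed.
    """
    groups = {"signed": [], "unsigned": [], "unknown": []}
    for row in rows:
        value = (row["IsSigned"] or "").strip().upper()
        if value == "TRUE":
            groups["signed"].append(row)
        elif value == "FALSE":
            groups["unsigned"].append(row)
        else:
            groups["unknown"].append(row)
    return groups


if __name__ == "__main__":
    report = classify(parse_driverquery(SAMPLE_OUTPUT))
    for status in ("unsigned", "unknown"):
        for drv in report[status]:
            print("%-8s %-12s %s (%s)" % (status, drv["InfName"],
                                          drv["DeviceName"], drv["Manufacturer"]))
```

To check a real machine, save the output of ‘driverquery /si /fo csv’ to a file and pass its contents to parse_driverquery instead of the sample.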
Image 207.4 – Signed Drivers in System Information
In this window we can sort drivers by the Signed column, so that we can see unsigned drivers first.
Driver signing is intended to ensure that the device software is compatible with Windows XP and to ensure that nobody has tampered with the drivers. In XP, Microsoft provided us with three levels of control for installation of unsigned drivers. These levels are Block, Warn and Ignore. To verify drivers we can use these tools: sigverif, driverquery (in CLI), msinfo32 and sfc (CLI).