Just been messing around with Microsoft Windows Driver Install Frameworks (Difx) to install device drivers onto Win XP boxes and found some annoying bugs (features?) on an otherwise great utility.

I'm trying to quietly install drivers which are not signed by MS WHQL. To get them to install at all I've used Authenticode to create a root certificate and a publisher's certificate. I've signed the drivers with the trusted publisher certificate and now they will install fine with DPinst.exe and DifxApp (.msi).

The problem is quiet installs with DifxApp. It fails completely on a /qn and on a /qb software first install it is not quiet and prompts for the user to plug in the device.

However on a hardware first install the /qb switch works fine, without prompts. (Besides standard OS prompts for the hardware of course.)

The DifxApp documentation says quiet installs work fine, without caveat:

"DIFxApp supports the silent installation of an MSI installation package. A silent installation does not display dialog boxes or messages to the user."

The readme.txt however says authenticode signed drivers will fail always on Windows 2000 and WinXP because of the OS having to prompt:

"An authenticode-signed, Plug and Play driver cannot be installed silently on Windows XP and Windows 2000. This is due to the fact that both Windows XP and Windows 2000 do not recognize authenticode-signed drivers, as a result of which they will always attempt to display the unsigned driver dialog. But in silent mode, since they are not allowed to display any UI, the install will fail silently."

Now I've seen it work silently with /qb so the failure isn't because of the OS and I'm a little concerned that MS have not seen that and actually moved this out of beta.

I've gotten around the prompt using an AutoIt script so I can have installs without interaction.

Another gripe is that it automatically puts another entry in the ARP list. Nice feature but some companies might not want it. (It may also cause problems with Managesoft which takes over the Add/Remove list). An option to turn this on or off would be better. Fortunately there is an option to implement this with the Flags column.

Otherwise I have found this to be a great utility to get WHQL signed drivers out there onto the users' PCs.

Cheers,

Jeff Endres
Answers

Well I don't have my notes in front of me as I am on course in Toronto right now but the DIFx app will not be silent with an in house signed cat file unless you are running Windows Server 2003 or Longhorn. This is the response I got from MS in the newsgroups around June. It would be nice if they could change the behaviour in XP but as far as I know this is not going to happen.
Answered 10/13/2004 by: kkaminsk
Ninth Degree Black Belt

Otherwise I have found this to be a great utility to get WHQL signed drivers out there onto the users PCs.

It's possible to patch DPInst.exe/DIFXAppA.dll to bypass WHQL signature check and deploy non-signed drivers. Removing "Plug new hardware now" prompt from DIFXApp.dll was even easier. However, license issues after changes like these are another thing..
Answered 11/12/2004 by: johu
Senior Yellow Belt

I think that it is pretty much not going to happen... But I found this on some other post on the board a couple weeks ago for trying to deploy those unsigned drivers.

https://adelie.ucs.ed.ac.uk/dstwiki/index.php/device%20drivers'

Unfortunately it is not a complete walkthrough but it's better than nothing.
Answered 11/15/2004 by: kkaminsk
Ninth Degree Black Belt

I meant that patched DPInst/DIFXApp that deploys non-WHQL drivers is possible and patched binaries do exist. Just open DPInst.exe in W32Dasm, find call to WinTrust and change couple jne's to jmp after that so it always thinks certificate is ok. Then it will install signed and non-signed drivers. I've done it and it does work.

I assume you mean that Microsoft will not release such version and I agree. I think they eventually want everything to be signed by them - including all binaries.
Answered 11/16/2004 by: johu
Senior Yellow Belt

That's really cool because Microsoft led me to believe that the limitation was in the OS and not the tool. They gave me a rant about how I'll have to wait until Longhorn before I can sign unsigned drivers for corporate deployments.
Answered 11/16/2004 by: kkaminsk
Ninth Degree Black Belt

Thanks John,
I thought it looked a bit suspicious and wasn't an OS issue. I'll look into the "patched" dll option. It sounds promising; not having to Authenticode the drivers would be great.

kkaminsk, I think MS is just trying to sell their WHQL service. Don't believe everything you hear from them. [;)]
Answered 11/17/2004 by: jendres
Senior Yellow Belt

Gentlemen,

I am glad to hear that you are using, or at least attempting to use, our DIFx tools for your driver deployment needs. The 2.0 version of the DIFx tools includes a legacy mode switch which disables the signature check within the tools. To be perfectly clear, this only disables the DIFx tools signature checking and leaves the signature policy of the OS intact. As stated above, Windows Server 2003 supports Authenticode signatures for non-WHQL class drivers. Windows Longhorn current plan of record will allow Authenticode signatures for all device classes. There are currently no plans for the tools to modify the signature policies of downlevel OSes. We are listening to the feedback of our partners and maintaining an aggressive schedule to keep up with partner feature requests for the tools.

You can download DIFx version 2.0 from:

http://www.microsoft.com/whdc/driver/install/DIFxtls.mspx

Altiris has just shipped support for the 2.0 version of the tools in:

Wise for Windows Installer 6.1
Wise Package Studio® 5.6

Please send us feedback at DIFxBeta@Microsoft.com. If you have the bandwidth, we would love to have you join our beta program so we can align our roadmap to your needs.

Best regards,

Joe Marusak
Partner Development Program Manager
Microsoft Corporation
Answered 04/29/2005 by: jmarusak
Yellow Belt

Hi all intelligent people,

Although I have gone through a lot of forum posts, I am still not able to find the best way to package unsigned drivers.

So that I can avoid turning Win XP security settings for unsigned drivers OFF through GPO.

If somebody can spare some time and can post an elaborate procedure that will be of great help to me.

Cheers,
V
Answered 05/02/2005 by: viv_bhatt1
Senior Purple Belt

I used DIFx for a few drivers at a previous client's site and I can say that it works great when the product's limitations do not get in the way. Currently the method that MSIMaker documented seems to be the method of choice by the community on this board:

http://www.appdeploy.com/messageboards/m.asp?m=4596


I cannot comment on it because I have not had a chance to try it but I'm sure someone can comment on how it compares to DIFx.
Answered 05/02/2005 by: kkaminsk
Ninth Degree Black Belt

Hi Viv,

See the post above yours from Joe Marusak from Microsoft - it appears the new version of DIFx tools supports installing unsigned drivers. Happy days. Not having used it yet, I'd have a look at their website, but you should be able to just include it as a custom action in your package. Once I need to use it I can draft up a step by step guide, but I'm sure with a bit of care and reading documentation it should go OK.

Hope that's helped

Paul
Answered 05/02/2005 by: plangton
Second Degree Blue Belt

Hi Guys,
Finally made some progress with DiFxApp tools.

But I am still not able to install my driver: I am getting the following error in my installation log files: DIFXAPP: ERROR more than one driver package found in C:\WINDOWS\inf\

Has anyone experienced this error before?

I followed the following steps:

1) Created the driver Installer database (InstallShield Repackager as the original driver set up is not MSI)
2) Applied DiFxApp.msm to the Installer Database
3) Added the Component (which contains the INF file) to the component table
4) Added Flag value in the component table to 8 for Legacy install (unsigned driver)
5) Saved the new merged MSI
6) Installed the driver Package with msiexec options for verbose logging

As I am trying this for the first time, I might be having a completely wrong understanding.

Kindly suggest.

Cheers,
V
Answered 05/04/2005 by: viv_bhatt1
Senior Purple Belt

ORIGINAL: viv_bhatt1

Hi Guys,
Finally made some progress with DiFxApp tools.

But I am still not able to install my driver: I am getting the following error in my installation log files: DIFXAPP: ERROR more than one driver package found in C:\WINDOWS\inf\

Has anyone experienced this error before?

I followed the following steps:

1) Created the driver Installer database (InstallShield Repackager as the original driver set up is not MSI)
2) Applied DiFxApp.msm to the Installer Database
3) Added the Component (which contains the INF file) to the component table
4) Added Flag value in the component table to 8 for Legacy install (unsigned driver)
5) Saved the new merged MSI
6) Installed the driver Package with msiexec options for verbose logging

As I am trying this for the first time, I might be having a completely wrong understanding.

Kindly suggest.

Cheers,
V




Where are you delivering your source driver files to that you have set to install via DIFxAPP?

I used DIFxAPP 2 to successfully deploy an unsigned driver (using the flag value 8 - even though Wise PS5.6 saw this as a table error).
Answered 06/03/2005 by: GB1
Orange Belt

I'm assuming you've set your MSI to copy your inf file to c:\windows\inf.

The DifXApp documentation states that each 'driver package' needs to have its own unique folder (MS recommend c:\program files\company\title\driver package), hence the 'more than one driver package found' message. I think I remember mention of unpredictable results if Difxapp finds more than one inf in the source folder.

Difxapp will copy the inf file to c:\windows\inf when it doesn't find it there, and will also deal with installation of the drivers.

hth
Answered 06/27/2005 by: meastaugh1
Senior Purple Belt

I have an InstallShield admin studio and a WPS 5.6.. my question is how do you add the flag value using WPS?

thanks
rick
Answered 06/28/2005 by: rikx2
Purple Belt

Edit the MsiDriverPackages table in the MSI. You will have to do this with the table editor.

View -> Setup Editor
Click Tables tab

Edit away...
Answered 06/28/2005 by: kkaminsk
Ninth Degree Black Belt

Thanks kkaminsk =)
I did get a fatal error "installation ended prematurely bla bla.." but I'm pretty sure this is on my package or inf... I'll try another one

Also.. I'm pretty fairly new (sic =) with this difxapp to the point I'm not sure I'm using the right msm.. I just downloaded it and just selected the one in the difxapp\localized\mergemodules\x86 directory.. is that the correct one? =)

regards
Answered 06/28/2005 by: rikx2
Purple Belt

Try to use DPInst.exe to ensure that DIFx will work with the inf file you are trying to use.

Also make sure you are using 2.0 because there are very significant improvements in the usability of the product.

http://www.microsoft.com/whdc/driver/install/DIFxtlsdwn.mspx?
Answered 06/28/2005 by: kkaminsk
Ninth Degree Black Belt

Just a follow up regarding DifX v2.0.

Nice to see some of the features I had gripes with being resolved with the new version. However the core issue has not been addressed. That is silent installs of unsigned drivers in an enterprise environment.

I have tried Difx to install a driver signed by a trusted authority (me) and with the bit16 flag set. The driver will install on /qb and /qn but with a prompt. (/q is supposed to be quiet!) This also causes the machine to hang if installed via Group Policy.

MS has put this down to an OS issue that will be resolved with Longhorn, (twiddle my thumbs while I wait for that?) but it is possible to install silently with a modified version of DifxApp. This shows that the WHQL check is built into the DifxApp.

I can understand the concern of allowing installation of unsigned drivers in general, but if a driver has been signed by an appropriate authority (Root or Trusted Publisher) it should not be a requirement for the user to click a button to have the application installed.

Well this particular driver has been pushed back to the manufacturer and we will see how we go.

--
Regards,

Jeff
Answered 07/11/2005 by: jendres
Senior Yellow Belt

Be patient and obey the M$ rule. The product is not useable until the third revision. Well at least we can hope that by V3 they support silent unsigned driver installs on XP.
Answered 07/12/2005 by: kkaminsk
Ninth Degree Black Belt

I am still using the method that I posted in the stickies but I have added something to the process. I am now using an AutoIT script to detect the Authenticode Yes/No screen and hit the Yes button. It's not pretty but it works.

I have used this for the Nero ImageDrive drivers and it works OK.

I'm interested to see this "doctored" DIFXApp.dll because if you are deploying with GPO it might save a few headaches.
Answered 07/13/2005 by: MSIMaker
Second Degree Black Belt

ORIGINAL: jmarusak

Gentlemen,

I am glad to hear that you are using, or at least attempting to use, our DIFx tools for your driver deployment needs. The 2.0 version of the DIFx tools includes a legacy mode switch which disables the signature check within the tools. To be perfectly clear, this only disables the DIFx tools signature checking and leaves the signature policy of the OS intact. As stated above, Windows Server 2003 supports Authenticode signatures for non-WHQL class drivers. Windows Longhorn current plan of record will allow Authenticode signatures for all device classes. There are currently no plans for the tools to modify the signature policies of downlevel OSes. We are listening to the feedback of our partners and maintaining an aggressive schedule to keep up with partner feature requests for the tools.

You can download DIFx version 2.0 from:

http://www.microsoft.com/whdc/driver/install/DIFxtls.mspx

Altiris has just shipped support for the 2.0 version of the tools in:

Wise for Windows Installer 6.1
Wise Package Studio® 5.6

Please send us feedback at DIFxBeta@Microsoft.com. If you have the bandwidth, we would love to have you join our beta program so we can align our roadmap to your needs.

Best regards,

Joe Marusak
Partner Development Program Manager
Microsoft Corporation


Welcome Joe,

I currently am seeing a lot of new apps coming through to take advantage of the base technology (WindowsXP) that we have in place now with executives wanting all of their mobile devices and "knick knacks" attached to their laptops and we really need a way to manage these installs effectively and with the least amount of pain to the users.

Thanks for the information and I urge anyone with some time available to join the beta testing group and help to bring focus to the needs we have concerning device driver installations.
Answered 07/13/2005 by: MSIMaker
Second Degree Black Belt

Hi
We are having the unsigned driver hell here also.
Anyone got any tips?
I am at my wits end. We would not mind allowing unsigned drivers using group policy but it does not seem to override the windows setting on the clients.
I need to be able to deploy them with AD.
Anyone know about the rules for the GP and drivers?

Cheers
Answered 10/18/2005 by: ZeroHour
Senior Yellow Belt

ORIGINAL: MSIMaker
I'm interested to see this "doctored" DIFXApp.dll because if you are deploying with GPO it might save a few headaches.


I don't suppose anyone could send me a copy of a patched copy of this DLL?

I tried modifying it in a disassembler but frankly my coding ability is limited to VBScript, and it is doing my head in. [&o]
Answered 03/13/2006 by: John McDermott
Senior Yellow Belt

I am trying to include DIFXApp.msm into the package and getting MSIdriverpackages as a new table, but when I try to install it gives an error saying that the package needs a DLL to complete the installation. Is there any DLL I have to include also, or just the merge module in my package?
Answered 08/24/2006 by: karan_gupta
Orange Belt

The DIFx dll should have everything you need. If you are having issues with DIFx app you can test the driver installation with DPInst.exe. Some people don't even bother with DIFxApp and use DPInst exclusively.
Answered 08/24/2006 by: kkaminsk
Ninth Degree Black Belt

I have found many versions of DIFx.msm and DIfx.dll and am unable to decide which version to use. Can you tell me which version to use? I want to register legacy drivers for Windows 2000.

I am using the following method to add legacy drivers to my installation MSI, which I got from this site itself:

1) Locate the .INF file which the legacy installation uses to install the drivers. Inspect this file in notepad and work out all the files that the driver requires to be installed. This could be as little as a .SYS file, a .CAT file (assuming the driver is signed) and of course the .INF file itself. There may, however be more files (such as DLLs) that are mentioned in the .INF - the key thing here is to get a full list of the files the driver needs.

2) In the MSI package you are developing, create a separate folder named (say) DriverFilesFolder and locate this as a subfolder of the main application folder (e.g. C:\Program Files\Dymo\DriverFilesFolder).

3) Next create a new component named (say) DriverFiles. Move all the files that you listed from step 1) above into this component and set one of them as the keypath for the component - I usually mark the .SYS file as the keypath. The destination of this component should be the folder you created at step 2)

4) Next include the DIFx 2.0 Merge Module into your MSI package - it's named DIFxApp.msm

5) Incorporating this merge module will, among other things, have introduced a new table into your package, named MsiDriverPackages, you will need to edit this table directly (e.g. use Direct Editor in InstallShield, or use ORCA). In the Component column, you need to enter the name of the component you created in step 3) above. If the drivers are signed (i.e. you have a .CAT file) then you can set the Flags column to 0, otherwise you could use 8 for "legacy mode", more of which later. The Sequence column can be left blank - it's only used if you are installing several separate drivers and want to control the order they are installed in.

6) That should be all that is needed for DIFx to "do its thing". You should now go through the rest of your snapshot package removing anything else that is driver-related; this would include:

(i) any other instances of the .INF file, typically being deployed to the INF folder
(ii) any other instances of the .SYS file, typically being deployed to the System32\Drivers folder.
(iii) any other instances of files you listed in step 1) other than those you have put into your new component.
(iv) any .PNF files that your capture picked up
(v) anything in the registry under HKLM\SYSTEM\CurrentControlSet\Enum\Root or HKLM\SYSTEM\CurrentControlSet\Enum\USB

A final word on legacy mode for DIFx 2.0. I think if your drivers are unsigned, then when a non-admin user plugs the device in for the first time, you will still get a prompt for administrator credentials - but the rest of the installation should require no further interaction if you have managed to get all the above working. With signed drivers, this isn't an issue.
Answered 08/24/2006 by: karan_gupta
Orange Belt
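
Added example (not part of the thread or of the DIFx tools): a Python pre-flight check for a driver staging folder that applies three rules from the posts above: one INF per driver package folder, every file the INF lists present in that folder, and Flags 0 only when a catalog is present, otherwise 8 (legacy mode). The sample INF, the file names and the `audit_package_dir` helper are constructed for illustration, and the INF parsing is simplified (no quoted semicolons, no subdirectories).

```python
import re
import tempfile
from pathlib import Path

LEGACY_MODE = 8  # Flags value the thread uses for unsigned ("legacy mode") packages
# Constructed sample INF for a hypothetical device; not taken from the thread.
SAMPLE_INF = """[Version]
Signature = "$Windows NT$"
CatalogFile = sample.cat   ; catalog the package claims to ship
[SourceDisksFiles]
sample.sys = 1
"""

def parse_inf(text):
    """Return {section: [(key, value), ...]}; ';' is treated as a comment start."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            current = sections.setdefault(header.group(1).strip().lower(), [])
        elif line and current is not None:
            key, _, value = (part.strip().strip('"').lower() for part in line.partition("="))
            current.append((key, value))
    return sections

def audit_package_dir(folder):
    """Audit one staging folder: single INF, listed files present, catalog present."""
    files = {p.name.lower(): p for p in Path(folder).iterdir() if p.is_file()}
    present = set(files)
    infs = sorted(name for name in present if name.endswith(".inf"))
    report = {"infs": infs, "problems": [], "flags": None}
    if len(infs) != 1:
        report["problems"].append(f"expected exactly one INF, found {len(infs)}")
        return report
    data = files[infs[0]].read_bytes()
    utf16 = data[:2] in (b"\xff\xfe", b"\xfe\xff")  # INF files are often UTF-16 with a BOM
    inf = parse_inf(data.decode("utf-16" if utf16 else "cp1252", errors="replace"))
    # Step 1 of the procedure: every file the INF lists must be in this folder.
    wanted = {k for sec, rows in inf.items() if sec.startswith("sourcedisksfiles") for k, _ in rows}
    catalogs = {v for k, v in inf.get("version", []) if k.startswith("catalogfile") and v}
    report["problems"] += [f"not in folder: {name}" for name in sorted((wanted | catalogs) - present)]
    # Step 5 rule of thumb: catalog present -> Flags 0, otherwise legacy mode (8).
    # A .cat on disk is only a presence check; it does not verify the signature.
    signed = bool(catalogs) and catalogs <= present
    report["flags"] = 0 if signed else LEGACY_MODE
    return report

def demo():
    """Audit three constructed staging folders built in a temporary directory."""
    layouts = {"complete": ["sample.sys", "sample.cat"],
               "no_catalog": ["sample.sys"],
               "two_infs": ["sample.sys", "sample.cat", "other.inf"]}
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        for name, extra in layouts.items():
            folder = Path(tmp, name)
            folder.mkdir()
            (folder / "Sample.INF").write_text(SAMPLE_INF)
            for filename in extra:
                (folder / filename).write_text("")
            results[name] = audit_package_dir(folder)
    return results
```

Call `demo()` to see the three reports, or `audit_package_dir` on a real staging folder. Packages that come back with Flags 8 are the ones that depend on the DIFx tool's signature check being disabled, so they are worth listing for review before deployment.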

You should be using 2.01 and that can be found here.

http://www.microsoft.com/whdc/driver/install/DIFxtls.mspx


As for #3 I thought you would want to set the .inf as the key path. (it has been a while since I've done this)

If your driver has multiple inf files that must be installed in order you might have to make multiple components in multiple directories so that you can sequence the driver installations. Maybe they fixed this but the last time I tried that only DPINST would install multiple drivers.
Answered 08/25/2006 by: kkaminsk
Ninth Degree Black Belt

ORIGINAL: karan_gupta

I am trying to include DIFXApp.msm into the package and getting MSIdriverpackages as a new table, but when I try to install it gives an error saying that the package needs a DLL to complete the installation. Is there any DLL I have to include also, or just the merge module in my package?


Hello,

It does sound like you may have overlooked one of the DLL files that the driver itself needs. Have you checked through the .INF file(s) using an editor to see if any DLL files are referenced in there which you may have not (yet) included in the component used for the .SYS and .INF files?


Regards,

Spartacus
Answered 08/29/2006 by: spartacus
Black Belt
