Configuring Windows 7 (Training Kit) - Part 25 pot

Lesson 1: Managing Device Drivers and Devices CHAPTER 4 213

FIGURE 4-16 MSinfo32 displays general system information.

FIGURE 4-17 MSinfo32 displays conflicts/sharing information.

214 CHAPTER 4 Managing Devices and Disks

You can access information about specific devices (CD-ROM, sound device, display, and so on) by expanding Components. Arguably the most useful of the selections available as far as diagnosis is concerned is Problem Devices, which lists devices that cannot start, have no drivers installed, or have other problems. When you expand Software Environment, you can click System Drivers. This displays a list of kernel drivers, and you can determine whether a driver has started. You can use the Find What: box to find a driver by its file name or description.

Testing Drivers with Driver Verifier Monitor

Not all driver problems are due to conflicts. Sometimes devices do not work properly or STOP errors occur, but no conflict information is shown and disabling other drivers does not resolve the problems. As with any software installation, you can use Reliability Monitor to determine when the installation occurred and whether reliability was affected adversely, but this tool does not diagnose device driver problems specifically.

Windows 7 provides the Driver Verifier Monitor command-line tool, which lets you monitor device drivers to detect illegal function calls or actions that might corrupt the system. It can subject the drivers to various stresses and tests to find incorrect behavior. Figure 4-18 shows the Driver Verifier Monitor tool and the verifier command. The /volatile flag lets you start verification of any driver without rebooting, even if Driver Verifier Monitor is not already running, and you can start the verification of a driver that is already loaded. These improvements, introduced in Windows Vista, significantly reduce the number of reboots required.
This saves time and lets you use Driver Verifier Monitor to monitor a driver while you attach and remove devices.

FIGURE 4-18 The Driver Verifier Monitor tool

You can query settings and add and remove drivers, but the main functionality is provided by the /faults flag, which lets you inject stress tests of configurable severity to determine whether the driver is working properly in all situations. You can, for example, simulate a low-resources situation or a wait situation that returns an unexpected result. You can monitor resource usage (pool allocation) and keep a record of the number of faults injected into a system. Driver Verifier Monitor is primarily a stress tool that, for example, informs you that a device driver will fail if disk or memory usage is above a certain limit. You can use more general tools, such as Performance Monitor and Task Manager, to monitor resource usage and diagnose low-resource situations.

More Info DRIVER VERIFIER MONITOR
For more information about Driver Verifier Monitor, download the white paper “Driver Verifier in Windows Vista,” at http://www.microsoft.com/whdc/devtools/tools/vistaverifier.mspx. This document describes the use of the tool in Windows Vista, but the information is also relevant to Windows 7.

Driver Signing and Digital Certificates

Digital signatures allow administrators and users who are installing Windows-based software to know whether a legitimate publisher has provided the software package. Administrator privilege is required to install unsigned kernel-mode features such as device drivers. Drivers must be signed by certificates that Windows 7 trusts. Certificates that identify trusted signatories are stored in the Trusted Publishers certificate store. As an administrator, you can authorize the installation of a driver that is unsigned or is not in the Trusted Publishers store.
Provided you are installing the driver on a test computer to evaluate it rather than distributing it to a large number of client computers, this is a valid thing to do. Many drivers come from reputable sources (for example, the device manufacturer) but have not yet gone through the validation process that results in a digital signature. Even some Microsoft drivers are unsigned. When you or other administrators are installing drivers, authorization is not typically a problem. However, you might have a driver that you want ordinary users to install. Even if you stage the driver, users cannot install it because only administrators can approve installation of a driver that does not have a valid signature.

You can obtain a self-signed certificate that is valid within your organization only from a certificate authority (CA) server running Windows Server and Certificate Services. The certificate is not trusted by other organizations where no trust relationship exists. Even within your organization, Microsoft recommends that you use this procedure only on a test network and that only drivers with valid signatures are installed in the production environment. If you want to sign a device driver so that it can be used by other organizations, you need a certificate issued by a trusted external CA such as VeriSign. This is much more difficult to obtain.

To enable non-administrators to install a driver that does not have a trusted signature, you need to sign the device driver package with a digital certificate, and then place that certificate on client computers so that users do not have to determine whether a device driver or its publisher is “trusted.” You then need to stage the device driver package in the protected driver store of a client computer (as described previously in this lesson) so that a standard user can install the package without requiring administrator rights.
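The sign-then-stage workflow just described, scripted end to end with the Windows SDK/WDK tools. This is an added example, not code from the Training Kit; it assumes makecert, certutil, inf2cat, signtool and pnputil are on the PATH of an elevated PowerShell session, and the certificate subject, export path and driver folder are placeholders you replace.

```powershell
# Added example (not from the Training Kit). Scripts the four signing steps plus
# staging. Assumptions: SDK/WDK tools on the PATH, elevated shell, and a driver
# package with a prepared .inf at the placeholder folder below.
$subject   = 'Contoso Test Driver Signing'        # placeholder certificate subject
$certFile  = 'C:\Signing\ContosoTestSign.cer'     # placeholder export path for the public cert
$driverDir = 'C:\Drivers\MyDevice'                # placeholder driver package folder
$catalog   = Join-Path $driverDir 'mydevice.cat'  # name must match CatalogFile= in the .inf

# Step 1: create a self-signed test certificate. The private key stays in the
# PrivateCertStore store on the signing computer; only the public .cer is distributed.
makecert -r -pe -ss PrivateCertStore -n "CN=$subject" $certFile

# Step 2: trust the certificate as a root on the signing computer and on each client
# (in a domain, Group Policy would push the same .cer).
certutil -addstore -f Root $certFile

# Step 3: add it to Trusted Publishers so the driver-installation prompt does not appear.
certutil -addstore -f TrustedPublisher $certFile

# Step 4: build the catalog for the package and sign it. The /os list must match the
# platforms the .inf declares. Quoted so PowerShell does not split on the comma.
inf2cat "/driver:$driverDir" "/os:7_X86,7_X64"
signtool sign /v /s PrivateCertStore /n $subject $catalog

# Verify before distributing. /pa applies the default Authenticode policy; without it
# signtool applies the Windows driver policy, which a private test root cannot satisfy.
signtool verify /pa /v $catalog
if ($LASTEXITCODE -ne 0) { throw "Catalog signature did not verify; do not stage this package." }

# Stage the signed package in the protected driver store so a standard user can
# complete the device installation later without administrator rights.
pnputil -a (Join-Path $driverDir 'mydevice.inf')
```

On 64-bit Windows 7 a kernel-mode driver signed with a private test root still loads only in test-signing mode or with the F8 Disable Driver Signature Enforcement option, because the x64 kernel-mode code-signing check requires a certificate chain to a Microsoft-cross-certified root.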
Typically, you would use Group Policy to deploy the certificate to client computers. Group Policy allows you to have the certificate automatically installed to all managed computers in a domain, organizational unit, or site. A digital signature guarantees that a package came from its claimed source (authenticity) and is 100 percent intact and unmodified (integrity). A digital certificate identifies an organization, and it is trustworthy because it can be checked electronically by a CA.

The high-level procedure to sign a device driver is as follows:

1. Create a digital certificate for signing. You do this on the Certificates console on the Certificate Server (CA). You can also use the MakeCert utility.
2. Add the certificate to the Trusted Root Certification Authorities store. This is a copy-and-paste operation that you perform in the Certificates console, from which you can access the Trusted Root Certification Authorities store.
3. Add the certificate to the Trusted Publishers store. You can also do this in the Certificates snap-in.
4. Sign the device driver package with the certificate. To do this, you prepare the driver package .inf file, create a catalog file for the driver package, and sign the catalog file by using the Signtool utility.

Exam Tip
The procedure to sign a device driver digitally has been deliberately given as a high-level procedure. You typically would do this in a domain, organizational unit, or site. The examination is most unlikely to test this procedure in any detail. It is sufficient to know that it is possible and to know why you would do it.

Note DISABLE DRIVER SIGNATURE ENFORCEMENT
If you want to test new drivers that are being developed by your organization but do not want to sign these drivers every time they are revised, you can restart your computer, press F8 during reboot, and select Disable Driver Signature Enforcement. This permits you to run unsigned drivers until the computer is again rebooted.
This workaround is particularly useful in 64-bit versions of Windows 7, where unsigned drivers cannot by default be installed even if you supply administrator credentials.

More Info DISABLE DRIVER SIGNATURE ENFORCEMENT
For more information about the Disable Driver Signature Enforcement function, see http://msdn.microsoft.com/en-us/library/aa906338.aspx.

Checking Digital Signatures with the DirectX Diagnostic Tool

You can use the DirectX Diagnostic (DXdiag) tool to troubleshoot DirectX-related issues. One of these issues is whether a device driver for a DirectX device (for example, your video driver) has passed Microsoft’s Windows Hardware Quality Labs (WHQL) testing regimen and has been digitally signed. You start the DXdiag tool by entering dxdiag in the Start search box, the Run command box, or the command prompt. You do not need to open an elevated command prompt to run DXdiag.

When DXdiag starts, it displays the System tab. This provides system information and specifies the version of DirectX that is installed on your computer. The first time you use the tool, select the Check For WHQL Digital Signatures check box, as shown in Figure 4-19. This option remains selected if you close and reopen the tool, so the tool will check for digital signatures each time you run it.

FIGURE 4-19 Enabling the DXdiag tool to check for WHQL digital signatures

The Display tab provides details about your display hardware and driver. It also lists available memory for your video hardware and tells you whether your video driver has passed the WHQL testing regime. As shown in Figure 4-20, you can check whether WHQL Logo’d is set to Yes or No.

FIGURE 4-20 The DXdiag Display tab

Note YOUR HARDWARE MIGHT HAVE MORE AVAILABLE MEMORY THAN IS INDICATED
The DXdiag tool cannot report memory that is in use at the time that it starts.
Therefore, you might see less memory reported than your video card actually has.

If DXdiag detects a problem with your display settings, a warning message appears in the Notes box. Otherwise, the box displays No Problems Found.

The Sound tab displays details about your sound hardware and device driver and reports any problems in the Notes box. It also tells you whether WHQL Logo’d is set to Yes or No for that driver. If you have more than one sound card installed, you have more than one Sound tab. Default Device on each tab indicates whether the device described on the tab is the default.

The Input tab lists the input devices connected to your computer and related devices classified as USB devices and PS/2 devices. It reports any problems it finds with these devices but does not list the device drivers or say whether they are signed. You can obtain this information by accessing the devices in Device Manager.

Checking Digital Signatures with the File Signature Verification Tool

The DXdiag tool identifies problems with DirectX hardware and tells you whether that hardware has passed the WHQL testing regimen and has been signed digitally. However, it does not test the device drivers that are not associated with DirectX devices. To scan your computer and identify any unsigned drivers, you should use the File Signature Verification (Sigverif) tool. You start the Sigverif tool by entering sigverif in the Start search box, the Run command box, or the command prompt. You do not need to open an elevated command prompt to run Sigverif. The Sigverif tool is shown in Figure 4-21.

FIGURE 4-21 The Sigverif tool

You start the scan by clicking Start. Clicking Advanced lets you configure logging before a scan and view the log file when a scan is complete. Figure 4-22 shows the Sigverif log. Even if no unsigned device drivers are detected, Sigverif provides a useful method for listing every device driver on your computer.
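A scripted counterpart to the Sigverif sweep, as an added example that is not part of the Training Kit: it enumerates every kernel driver through WMI, resolves the file path, checks the Authenticode status and writes a dated CSV you can keep next to the Sigverif log. It assumes only a Windows host and read access to the drivers folder; the function names are my own.

```powershell
# Added example (not from the Training Kit): a Sigverif-style sweep of the registered
# kernel drivers using Win32_SystemDriver and Get-AuthenticodeSignature.
function Resolve-DriverPath {
    param([string]$RawPath)
    # Win32_SystemDriver.PathName comes back in several shapes; normalise to a file path.
    $p = $RawPath.Trim('"')
    $p = $p -replace '^\\\?\?\\', ''                          # \??\C:\... prefix
    $p = $p -replace '^\\SystemRoot\\', "$env:SystemRoot\"     # \SystemRoot\system32\...
    if ($p -notmatch '^[A-Za-z]:\\') { $p = Join-Path $env:SystemRoot $p }  # system32\drivers\x.sys
    return $p
}

function Get-DriverSignatureReport {
    foreach ($d in (Get-WmiObject -Class Win32_SystemDriver)) {
        if (-not $d.PathName) { continue }                   # some entries have no backing file
        $path = Resolve-DriverPath $d.PathName
        if (-not (Test-Path -LiteralPath $path)) {
            $status = 'FileMissing'; $signer = ''
        } else {
            $sig    = Get-AuthenticodeSignature -FilePath $path
            $status = [string]$sig.Status                    # Valid, NotSigned, HashMismatch, ...
            $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
        }
        New-Object PSObject -Property @{
            Name = $d.Name; State = $d.State; Path = $path; Status = $status; Signer = $signer
        }
    }
}

# Triage view: anything whose signature is not Valid deserves a look.
Get-DriverSignatureReport |
    Where-Object { $_.Status -ne 'Valid' } |
    Sort-Object Status, Name |
    Format-Table Name, State, Status, Signer -AutoSize

# Keep a record alongside the Sigverif log so later scans can be compared.
$stamp = Get-Date -Format 'yyyyMMdd-HHmm'
Get-DriverSignatureReport | Export-Csv -NoTypeInformation -Path "$env:TEMP\driver-signatures-$stamp.csv"
```

On the PowerShell 2.0 that ships with Windows 7, Get-AuthenticodeSignature checks only embedded signatures, so in-box drivers that are signed through a catalog file show as NotSigned; treat the list as a starting point and confirm with Sigverif, which does consult catalogs.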
FIGURE 4-22 The Sigverif log

Practice: Configuring Computer Policy and Driver Search

By default, only local administrators can install devices on a computer unless these devices are authorized and their drivers are in the driver store. You can configure computer policy on a computer running Windows 7 to permit ordinary users to install devices from specific device setup classes. You can also permit these users to stage drivers on the computer. These procedures would be suitable if you had a small number of client computers in a workgroup. In an enterprise environment, you would perform the configurations in Group Policy Editor on a domain controller and apply them to client computers. However, the procedure would be similar to that described here. You also configure a computer running Windows 7 to search other directories for drivers that are not in the driver store.

Exercise 1: Configuring Computer Policy to Allow Non-Administrators to Install Specific Device Setup Classes

This exercise permits a non-administrative user to install any imaging device (such as a webcam) that has a signed driver on the Canberra computer. You first determine the GUID of the Imaging Devices setup class and then configure computer policy to permit non-administrators to install this class of device. The exercise requires that at least one device of that setup class is installed on your computer. If not, use another setup class. You need to know the procedure; the actual device setup class you choose is not important. To permit non-administrators to install a specific type of hardware device, perform the following procedure:

1. Log on to the Canberra computer with the Kim_Akers account.
2. If the Don Hall non-administrator (ordinary user) account does not already exist, create it.
3. Open Device Manager.
4. Expand Imaging Devices in the Device Manager tree. Select a device (such as a webcam).
5. Right-click the device and choose Properties.
6. On the Details tab, in the Property list, click Device Class Guid, as shown in Figure 4-23.
7. The GUID is displayed, as shown in Figure 4-24. Right-click the GUID and choose Copy. Paste the GUID into Microsoft Notepad so you do not lose it.
8. Click Start. Enter mmc gpedit.msc in the Start Search box and press Enter. This starts Local Group Policy Object Editor.
9. In Local Group Policy Object Editor, under Local Computer Policy, double-click Computer Configuration, double-click Administrative Templates, double-click System, and select Driver Installation.

FIGURE 4-23 Determining a device class GUID

FIGURE 4-24 Monitor device type GUID

10. In the details pane, double-click Allow Non-Administrators To Install Drivers For These Device Setup Classes, as shown in Figure 4-25.

FIGURE 4-25 Accessing the Allow Non-Administrators To Install Drivers For These Device Setup Classes policy

11. In the Allow Non-Administrators To Install Drivers For These Device Setup Classes dialog box, shown in Figure 4-26, select Enabled.

FIGURE 4-26 Enabling the Allow Non-Administrators To Install Drivers For These Device Setup Classes policy
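The same lookup that steps 3 through 7 perform by clicking through Device Manager, done from PowerShell, plus a read-back of the class list the policy in steps 10 and 11 maintains. This is an added example, not part of the exercise; it assumes the Imaging Devices setup class is registered with Class = Image (as on a standard install), and the registry path under Policies is my assumption of where the policy stores its list, to be checked against gpedit on your build.

```powershell
# Added example (not from the Training Kit). Resolves a setup-class GUID from the
# registry, lists installed devices of that class, and reads back the policy list.
function Get-DeviceSetupClass {
    param([string]$Class = 'Image')   # 'Image' is the Imaging Devices setup class
    $root = 'HKLM:\SYSTEM\CurrentControlSet\Control\Class'
    foreach ($key in Get-ChildItem -Path $root) {
        $p = Get-ItemProperty -Path $key.PSPath
        if ($p.Class -eq $Class) {
            New-Object PSObject -Property @{
                Guid = $key.PSChildName; Class = $p.Class; FriendlyName = $p.'(default)'
            }
        }
    }
}

function Get-DevicesInClass {
    param([string]$Guid)   # braced form, as shown on the Details tab in Device Manager
    Get-WmiObject -Class Win32_PnPEntity -Filter "ClassGuid='$Guid'" |
        Select-Object Name, Manufacturer, ConfigManagerErrorCode   # 0 = device OK
}

function Get-AllowedUserDeviceClasses {
    # ASSUMED location written by "Allow Non-Administrators To Install Drivers For
    # These Device Setup Classes": values named 1, 2, ... each hold one class GUID.
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DriverInstall\Restrictions\AllowUserDeviceClasses'
    if (-not (Test-Path -Path $key)) { return @() }
    (Get-ItemProperty -Path $key).PSObject.Properties |
        Where-Object { $_.Name -match '^\d+$' } |
        ForEach-Object { $_.Value }
}

$imaging = Get-DeviceSetupClass -Class 'Image'
$imaging | Format-Table Guid, FriendlyName -AutoSize
if ($imaging) { Get-DevicesInClass -Guid $imaging.Guid | Format-Table -AutoSize }
"Classes non-administrators may install: $((Get-AllowedUserDeviceClasses) -join ', ')"
```

If the exercise has not yet been completed, the last line prints an empty list; after step 11 the imaging class GUID should appear there, which is a quick way to confirm the policy took effect on the client.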

Posted: 02/07/2014, 10:21
