Getting your minifilter signed from Microsoft

Illustration by @Megha. Edited by @Freya Fannie.

This document outlines the steps to get a minifilter signed by Microsoft, including registering for the Windows Hardware Dev Center program, purchasing an EV code signing certificate, and using the Windows Hardware Certification Kit (HCK) or Windows Hardware Lab kit (HLK) to run tests and submit a test report.

Starting with Windows 10, version 1607, Microsoft requires all new kernel-mode drivers to be cross-signed. To get your minifilter signed, you’ll need to go through a few steps. Here’s a summary of what you need to do:

  1. Register for the Windows Hardware Dev Center program. You’ll need an EV code signing certificate to register. You can purchase an EV code signing certificate from one of the recommended vendors. You can use the same certificate to sign your driver’s package.
  2. Put your minifilter through a suite of tests designed by Microsoft. You will have to submit the test report to a portal managed by Microsoft.

We know getting a code signing certificate isn’t as simple as getting an SSL certificate😑, but it is *necessary*.

VHLK | Windows Virtual Hardware Lab Kit

The Windows Hardware Certification Kit (HCK) is a test framework to run a suite of standard tests against the minifilter. To qualify for a Windows certification, your product must pass all the tests.

There are two test suits from Microsoft. Use Windows Hardware Certification Kit (HCK) for Windows 8.1 and older versions. If you are creating hardware or drivers for Windows 10, we require the new Windows Hardware Lab kit (HLK). We mostly work with Windows HLK. It is a test framework for hardware devices and drivers for Windows 11, Windows 10, and Windows servers starting from Windows 2016.

The Virtual HLK (VHLK) is the entire Hardware Lab Kit pre-installed and pre-configured on a VHDX, ready to boot as a virtual machine. Use the VHLK to save setup time, quickly set up a  controller, and run Windows Hardware Certification from a Virtual Machine.

  1. After booting the VHLK, do not change the auto-generated computer name (i.e. WIN-xxxx).
  2. Generation 2 VMs are not supported by the VHLK.
  3. The default login credentials are HLKAdminUser with password Testpassword,1

💡 Download the correct VHLK version for the devices you wish to test from here. Install HLK-Controller and HLK-Client only on Virtual Machines.

Requirements

Physical (Host) Machine Specification

Recommended:

  • 8-core, 64-bit processor with SLAT
  • 8 GB RAM
  • Virtualization support turned on in BIOS/UEFI
  • 120Gb HDD free space

Virtual Machine Settings

Recommended :

  • Memory : 4096 MB
  • Processor : 2 Virtual processors

Installation

Enable Hyper-V

  1. From Programs and Features go to ‘Turn Windows Feature on or off’
  2. Select ‘Hyper-V’ and click ‘OK’

Create a virtual switch

  1. Open ‘Hyper-V manager’, and select the Hyper-V host computer name.
  2. Select ‘Virtual Switch Manager’ under ‘Action’


c. Select ‘Create Virtual Switch’.

d. Select ‘External Network’, and choose the network adapter that you want to use.

e. Click ‘OK’.

f. Click ‘Yes’.

Create a new virtual machine in Hyper-V

  • Name virtual machine
    • Go on to select ‘Next’
    • Select ‘Generation 1′ and select ‘Next’
    • Use 4096MB or more of startup memory and select ‘Next’
    • Select a network adapter and select ‘Next’ (This is generally the virtual switch created above)
    • Select "Use an existing virtual hard disk" and browse for the local HLK VHDX
    • Click on ‘Finish
  • Edit Virtual Machine settings
    • Change the processor to use at least 2 virtual processors
    • Modify other settings as needed
  • Start the machine
  • Windows will boot up and automatically create an Administrator user named HLKAdminUser with password ‘Testpassword,1’.
  • Log in

💡 When starting with Windows HLK for Windows Server 2022 and higher, users will be prompted on the first boot to change the HLKAdminUser password. The catch is that the previous password is blank (not established), so if you enter the password mentioned (‘Previous password’), a message about the previous password being incorrect will be displayed. Clearing out the ‘Previous Password’ box and setting the new password should get you going.

  • The virtual machine will then run an HLK setup on its first boot
  • Please wait for all cmd windows to finish before using the HLK

💡 Occasionally the screen will be all black before this. The virtual machine is still running, it sometimes takes time for the desktop to load if the virtual machine is not using the recommended settings.

Warning: Do not rename the VM. If you change the computer name, you will not be able to connect to the HLK Controller.

  • Once all the cmd windows are finished, you can change the date/time settings as you wish.

    • By default, the server is set to "(UTC) Coordinated Universal Time", with "Set time zone automatically" and "Adjust for daylight savings time automatically" turned OFF. This may cause confusion when trying to align time stamps of various client / controller logs. To change it :

      1. Click on the ‘Date/Time’ section of the taskbar.
      2. Select ‘Date and Time Settings’ from the bottom of the flyout
      3. Specify the time zone you are in from the dropdown.
      4. Turn on "Adjust for daylight savings time automatically" (if you wish)

      The time will now be synchronized with the various client devices and host machines.

  • The VHLK is now ready to use.

Network Configuration Settings for VHLK

  • Make sure that you choose the ‘External Switch’ you created for the network connections.
  • Turn on ‘Network Discovery’ and ‘File Sharing’.

💡 After Setting up the VHLK Virtual machine. This VHLK machine should be visible on network sharing. The VHLK machine should be accessible. If VHLK machine is not visible on network sharing. Check for the network adapter settings.

Windows HLK Client setup

Installing the VM

  • Download the Windows ISO image.
  • From Microsoft’s site, you will get a setup file
  • Run the file, and it will create an ISO image.
  • Create a new virtual machine in Oracle VM
  • Start the VM
  • Select the Windows version.
  • If it is not working without license upgrade, select custom installation.
  • Agree to the terms and conditions. Windows will install and restart it in a couple of minutes.
  • Create a Microsoft account to login.
  • Turn on ‘Network Sharing’.

Install the driver

  • Install the driver you want to test.

    • To install the test driver, the PC should be in test-signing mode.
    • To enable the test-signing mode run the following command in PowerShell with administrator mode.
    # Enable test signing mode 
    bcdedit.exe -set testsingning on
    • Reboot the PC. You will see the Test Mode On watermark on the down right corner of the desktop.

  • Run the following command to install the driver

    # install driver 
    rundll32.exe setupapi.dll, InstallHinfSection DefaultInstall 132 \path\to\inf_file.inf
    # load driver
    fltmc load driver_name
    # Run flt command 
    fltmc
  • After executing the above command, you will see your driver name in the list of filters.

  • Install your driver. Ours is named SubconsciousShield.

  • Turn off ‘Windows firewall’

Installing HLK Client

  • Install the HLK client from the HLK controller through the network shared folder. Make sure the VHLK virtual machine is running, and it is accessible through the network sharing.

  • Double-click on the VHLK-vm and provide the credentials if required.

  • Run the file HLKInstall\Client\Setup.cmd
  • Create the partitions required for the testing: Create partitions on the test / client system.
  • Open the HLK controller PC
    • Run HLK studio
    • Go to **the ‘Configuration’** tab
    • In the default pool, check if the ‘Test Client’ is visible.
    • Move the Test Client from the default pool to the New pool (drag to new pool)
    • Right-click on the ‘Test Client’ and change status to ‘Ready’.
  • The VM is now ready to test with HLK studio

Create disk partitions

  • Run ‘Create and format hard disk partition’

  • Right click on C drive and choose the option to shrink volume.

  • Shrink a volume of 15000 MB from the C: drive

  • Create partitions for NTFS, CNTFS, FAT and FAT32.

  • For ExFAT create an NTFS partition and then run the following command in the command prompt with admin rights and provide the volume label name when it is prompted.

    format M: /fs:ExFAT 
  • Similarly, for UDF format make an NTFS partition and run the following command

    format N: /fs:UDF

    Here are some references

Testing and creating package

  • To ensure the HLK controller and HLK clients are installed and that they are communicating with each other.
  • In the HLK Studio, click on the Configuration tab

  • Select the client machine and change the machine status to ‘Ready’

For testing, you need to

  • Open the HLK studio on the controller machine
  • Create a project :
    • Click on ‘Project’ and select ‘Create Project’
    • Then enter a proper name for the project

  • Select the ‘System’ to test from the pool you have created.

Testing SubconsciousShield driver

  • Click on the ‘Selection’ tab
    • Go to software devices. From there, chose your software device (SUBCONSCIOUSSHIELD.SYS DEVICE\HARDDISK\VOLUME2)

  • From the ‘Test’ tab go to ‘Select all the tests’ and ‘Run’ all selected

Test report HLKx package

  • Click on ‘Package’

  • Here, choose ‘Do Not Sign’ so that we can sign the package with a singing tool using ‘Safenet’ token. If creating a package failed:

  • Remove the added drivers folder
  • Create another package
  • Add the application (Eg. “SubconsciousShield-0.2.2-AMD64.exe”) as file location, select your logo as symbol and select English as Locale.
  • Check the signing results

  • The error here is INF file not found.
  • So install the application (Eg. SubconsciousShield) and provide the installation path.
  • The package is now successfully created🥳

Signing the package

💡The criteria for signing a driver is different from signing a package.

  • Signing a package for an official submission must be done on the .hlkx package or verify the owner of the package.
  • The criteria for signing a driver checks whether the driver content added to the package is acceptable for submission.
  • Install HLK studio on your local computer. You can learn more about it on this portal.
  • Run the HLK studio.
  • Browse for the HLKx package.
  • Select the “package” tab and click on ‘create package’.
  • Select the certificate from the certificate store.
  • Select ‘OK’.
  • Provide the token ****password, when it is prompted.
  • You will get a message as Successfully packaged

Submit the package to Microsoft for signing

Test signing

  • Perform ‘Test signing’ from the Microsoft dashboard
  • Select Windows server 2008 and Windows server 2008 x64
  • Click on ‘Submit’

It will normally take a couple of hours for the signing to be completed. Wait it out

Attestation signing

  • Submit the same package for Attestation signing by not clicking the check mark.

  • Signing is now complete.
  • You have now installed the drives in the Windows 10 virtual machine without enabling the machine in Test Sign mode.

Verify Signature and Certificate

  • Download the signed file
  • Extract the files
  • Right click on the ‘System files’ and view ‘Properties’

Certification report

You can download your certificate from the Dashboard of the Microsoft partner center. Congrats!!!.

References

  1. https://learn.microsoft.com/en-us/windows-hardware/drivers/develop/signing-a-driver-for-public-release

Leave a Reply

Scroll to Top
%d bloggers like this: