FAQ

How to sign the driver for using it on 64-bit Windows Vista and later?

The drivers must be signed using two certificates:

- A code signing certificate from one of the supported authorities:
https://docs.microsoft.com/en-us/windows-hardware/drivers/install/cross-certificates-for-kernel-mode-code-signing

- A cross-certificate from Microsoft, which can be downloaded from the same page.

Sign the driver with the signtool.exe utility, using the /ac option to specify the appropriate cross-certificate. The utility is included in the Windows SDK and WDK.

The latest version of Windows 10 requires signing with an EV certificate using the Microsoft Dev Portal:
https://blogs.msdn.microsoft.com/windows_hardware_certification/2016/07/26/driver-signing-changes-in-windows-10-version-1607/

To make the WFP driver work on a clean installation of Windows 10 build 1607 and later, it is necessary to get an EV code signing certificate, register on the Dev Portal, prepare a .cab archive with the driver and an inf file, and sign the driver on the portal.

For previous versions of Windows it is possible to use the old approach, signing the driver with signtool and a cross-certificate. It is easier, because the binaries signed via the Dev Portal work only on Windows 10, and don't work on Windows 7/8 without an HLK test.

Note that Certificate Authorities currently sell certificates signed with the SHA-2 algorithm. Old versions of Windows 7, including SP1 without updates, support only SHA-1. So it is necessary to require installation of all Windows updates on Windows 7, or at least the required update:
https://docs.microsoft.com/en-us/security-updates/securityadvisories/2015/3033929
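
The signtool and cross-certificate approach described above, followed by a verification step, as an added PowerShell example (not part of the NetFilter SDK). The file paths, the certificate subject name and the optional timestamp URL are placeholders, and signtool.exe is assumed to be on PATH.

```powershell
# Added example: cross-sign a kernel-mode driver and check the result.
# Every default below is a placeholder (assumption), not a value from the SDK.
param(
    [string]$Driver       = '.\mydriver.sys',           # driver binary to sign
    [string]$CrossCert    = '.\cross-certificate.cer',  # Microsoft cross-certificate for your CA
    [string]$Subject      = 'Example Company Ltd',      # subject name of your code signing certificate
    [string]$TimestampUrl = '',                         # optional: your CA's RFC 3161 timestamp server
    [string]$SignTool     = 'signtool.exe'              # from the Windows SDK or WDK, assumed on PATH
)
$ErrorActionPreference = 'Stop'

foreach ($path in $Driver, $CrossCert) {
    if (-not (Test-Path -LiteralPath $path)) { throw "File not found: $path" }
}

# /ac embeds the cross-certificate, /n picks the signing certificate by
# subject name, /fd sets the file digest algorithm.
$signArgs = @('sign', '/v', '/ac', $CrossCert, '/n', $Subject, '/fd', 'sha256')
if ($TimestampUrl) { $signArgs += @('/tr', $TimestampUrl, '/td', 'sha256') }
& $SignTool @signArgs $Driver
if ($LASTEXITCODE -ne 0) { throw "signtool sign failed (exit code $LASTEXITCODE)" }

# /kp verifies against the kernel-mode driver signing policy, so a signature
# made without the cross-certificate fails here instead of at driver load.
& $SignTool verify /v /kp $Driver
if ($LASTEXITCODE -ne 0) { throw "signtool verify /kp failed (exit code $LASTEXITCODE)" }

# Report who signed the file and which algorithm the certificate itself uses
# (relevant to the SHA-2 note above for Windows 7).
$sig = Get-AuthenticodeSignature -LiteralPath $Driver
if ($sig.Status -ne 'Valid') { throw "Authenticode status: $($sig.Status)" }
[pscustomobject]@{
    Signer            = $sig.SignerCertificate.Subject
    Thumbprint        = $sig.SignerCertificate.Thumbprint
    CertSignatureAlgo = $sig.SignerCertificate.SignatureAlgorithm.FriendlyName
    Timestamped       = [bool]$sig.TimeStamperCertificate
}
```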

To prepare the cab files required for signing via Microsoft Dev Portal it is possible to use this set of scripts:
http://netfiltersdk.com/download/dist_sign.zip

Unable to link with the static build of nfapi.lib, the linker shows "unresolved external symbol" errors.

Define the symbol _NFAPI_STATIC_LIB in the project configuration, or insert the following line before including nfapi.h:
#define _NFAPI_STATIC_LIB 1

Unable to programmatically install the driver from a 32-bit process on 64-bit Windows. The driver is always saved to windows\SysWOW64\drivers instead of windows\system32\drivers and can't start.

This is a feature of 64-bit Windows called virtualization. It is applied to 32-bit applications. Windows redirects file system and registry calls to different locations, used as an alternate view of the standard folders and registry keys:
http://msdn.microsoft.com/en-us/library/aa384249%28VS.85%29.aspx

The following ways can be used to install the driver properly on x64:

- Call the API function Wow64DisableWow64FsRedirection from the 32-bit installer before saving the driver to windows\system32\drivers:
http://msdn.microsoft.com/en-us/library/aa365743(VS.85).aspx
It is possible to do this using the System plug-in in NSIS, and using a direct API call in other installers.

- Use a 64-bit installer on x64. For example, Windows Installer (MSI) makes it possible to avoid all compatibility problems.

I found a bug in drivers.

The drivers support generating debug logs. Please use the following steps:

- Install a suitable version of the driver from bin\driver\tdi\wpp, bin\driver\wfp\windows8\wpp, bin\driver\wfp\windows7\wpp. The folder also contains scripts and a tracing utility tracelog.exe.

- Reboot the system.

- Stop your filtering application.

- Execute tracelog_start.bat

- Start your filtering application and reproduce the issue.

- Execute tracelog_stop.bat

The driver log will be saved to LogFile.Etl in the same folder as the scripts. Send it with a description of the issue to support@netfiltersdk.com. Also include your builds of the driver sys and pdb files if you build the driver from sources.