How to sign the driver for using it on 64-bit Windows Vista and later?

The drivers must be signed using Microsoft Dev Portal. The old approach with cross-certificates doesn't work anymore.

To sign a driver:

- Get a EV code signing certificate.

- Register on Dev Portal:

- Prepare .cab archive with the driver and some inf file.

- Upload and sign the cab on the portal using attestation signing.

To prepare the cab files required for signing via Microsoft Dev Portal it is possible to use this set of scripts:

Note that Certificate Authorities currently sell certificates signed with SHA-2 algorithm. Old versions of Windows 7, including SP1 without updates, support only SHA-1. So it is necessary to require installation of all Windows updates on Windows 7, or at least the required update:

Unable to link with the static build of nfapi.lib, the linker shows "unresolved external symbol" errors.

Define a symbol _NFAPI_STATIC_LIB in project configuration or insert the following string before including nfapi.h:

Unable to programmatically install the driver from 32-bit process on 64-bit Windows. The driver is always saved to windows\SysWOW64\drivers instead of windows\system32\drivers and can't start.

This is a feature of 64-bit Windows called virtualization. It is applied to 32-bit applications. Windows redirects file system and registry calls to different locations, used as an alternate view of the standard folders and registry keys:

The following ways can be used to install the driver properly on x64:

- Call API function Wow64DisableWow64FsRedirection from 32-bit installer before saving the driver to windows\system32\drivers:
It is possible to do this using System plug-in in NSIS, and using direct API call in other installers.

- Use 64-bit installer on x64. For example Windows Installer (MSI) allows to avoid all compatibility problems.