• Welcome to TechPowerUp Forums, Guest! Please check out our forum guidelines for info related to our community.

[Test Build] Improved Driver Signing Options

W1zzard

Administrator
Staff member
Joined
May 14, 2004
Messages
26,937 (3.72/day)
Processor Ryzen 7 5700X
Memory 48 GB
Video Card(s) RTX 4080
Storage 2x HDD RAID 1, 3x M.2 NVMe
Display(s) 30" 2560x1600 + 19" 1280x1024
Software Windows 10 64-bit
This build adds an option to use an EAC-compatible signing method. Please test and feedback

 

Attachments

  • NVCleanstall.exe
    3.3 MB · Views: 1,115
Joined
Aug 20, 2007
Messages
20,674 (3.41/day)
System Name Pioneer
Processor Ryzen R9 7950X
Motherboard GIGABYTE Aorus Elite X670 AX
Cooling Noctua NH-D15 + A whole lotta Sunon and Corsair Maglev blower fans...
Memory 64GB (4x 16GB) G.Skill Flare X5 @ DDR5-6000 CL30
Video Card(s) XFX RX 7900 XTX Speedster Merc 310
Storage 2x Crucial P5 Plus 2TB PCIe 4.0 NVMe SSDs
Display(s) 55" LG 55" B9 OLED 4K Display
Case Thermaltake Core X31
Audio Device(s) TOSLINK->Schiit Modi MB->Asgard 2 DAC Amp->AKG Pro K712 Headphones or HDMI->B9 OLED
Power Supply FSP Hydro Ti Pro 850W
Mouse Logitech G305 Lightspeed Wireless
Keyboard WASD Code v3 with Cherry Green keyswitches
Software Windows 11 Enterprise (legit), Gentoo Linux x64
Works perfect here.
 
Joined
Aug 22, 2010
Messages
745 (0.15/day)
Location
Germany
System Name Acer Nitro 5 (AN515-45-R715)
Processor AMD Ryzen 9 5900HX
Motherboard AMD Promontory / Bixby FCH
Cooling Acer Nitro Sense
Memory 32 GB
Video Card(s) AMD Radeon Graphics (Cezanne) / NVIDIA RTX 3080 Laptop GPU
Storage WDC PC SN530 SDBPNPZ
Display(s) BOE CQ NE156QHM-NY3
Software Windows 11 beta channel
Tested random DELL driver on ASUS with EAC compatible method.
GPU-Z flags signature as unknown.

 

W1zzard

Administrator
Staff member
Joined
May 14, 2004
Messages
26,937 (3.72/day)
Processor Ryzen 7 5700X
Memory 48 GB
Video Card(s) RTX 4080
Storage 2x HDD RAID 1, 3x M.2 NVMe
Display(s) 30" 2560x1600 + 19" 1280x1024
Software Windows 10 64-bit
Last edited:
Joined
Aug 22, 2010
Messages
745 (0.15/day)
Location
Germany
System Name Acer Nitro 5 (AN515-45-R715)
Processor AMD Ryzen 9 5900HX
Motherboard AMD Promontory / Bixby FCH
Cooling Acer Nitro Sense
Memory 32 GB
Video Card(s) AMD Radeon Graphics (Cezanne) / NVIDIA RTX 3080 Laptop GPU
Storage WDC PC SN530 SDBPNPZ
Display(s) BOE CQ NE156QHM-NY3
Software Windows 11 beta channel
Another tidbit. For whatever reasons some users prefer antiquated Windows 10 builds or are not even aware of it.

You can force installation of new drivers by removing the build check:

[Manufacturer]
%NVIDIA_A% = NVIDIA_Devices,NTamd64.10.0...17098

[NVIDIA_Devices.NTamd64.10.0...17098]
 

W1zzard

Administrator
Staff member
Joined
May 14, 2004
Messages
26,937 (3.72/day)
Processor Ryzen 7 5700X
Memory 48 GB
Video Card(s) RTX 4080
Storage 2x HDD RAID 1, 3x M.2 NVMe
Display(s) 30" 2560x1600 + 19" 1280x1024
Software Windows 10 64-bit
Joined
Aug 22, 2010
Messages
745 (0.15/day)
Location
Germany
System Name Acer Nitro 5 (AN515-45-R715)
Processor AMD Ryzen 9 5900HX
Motherboard AMD Promontory / Bixby FCH
Cooling Acer Nitro Sense
Memory 32 GB
Video Card(s) AMD Radeon Graphics (Cezanne) / NVIDIA RTX 3080 Laptop GPU
Storage WDC PC SN530 SDBPNPZ
Display(s) BOE CQ NE156QHM-NY3
Software Windows 11 beta channel
any idea why they added this limitation? have you tested it on older windows builds?
They cannot advertise RTX features under old Windows 10 versions.

Under Windows 7-8.1 there is some inconsistency:
INF contains RTX desktop GPUs, but most mobile RTX are missing (i guess they overlooked the few remaining ones in the OEM INFs)

I did not test with old versions, guinea pigs are welcome...
Actually i came up with the idea after i had to help some guy who assembled a new rig with RTX, installed Windows from a 2016 DVD and then went nuts trying to install the GeForce driver.
 
Joined
Mar 1, 2017
Messages
1,157 (0.45/day)
Location
Rio de Janeiro, Brazil
System Name NEW AAF OPTIMUS RIG
Processor AMD Ryzen 5 5600X (6C/12T)
Motherboard ASUS TUF Gaming B550M-Plus
Cooling DEEPCOOL Gammax L120T
Memory CRUCIAL Pro Gaming 32GB DDR4-3200 (@3733) (2x16GB)
Video Card(s) NVIDIA GeForce RTX 3060 12GB MSI Ventus 2X OC LHR
Storage ADATA Legend 700 PCIe Gen3 x4 256GB; ADATA Legend 800 PCIe Gen4 x4 2TB; GoldenFir SSD 1TB
Display(s) AOC VIPER 27" 165Hz 1ms (27G2SE)
Case DarkFlash DK100-BK
Audio Device(s) REALTEK S1200A (ALC1200) with AAF DCH Optimus Audio
Power Supply REDRAGON RGPS 600W 80 PLUS Bronze Full Modular
Mouse CLAHM CL-MM386 7200DPI
Software Windows 11 Pro x64 23H2
Another tidbit. For whatever reasons some users prefer antiquated Windows 10 builds or are not even aware of it.

You can force installation of new drivers by removing the build check:

[Manufacturer]
%NVIDIA_A% = NVIDIA_Devices,NTamd64.10.0...17098

[NVIDIA_Devices.NTamd64.10.0...17098]
Exactly!
 
Joined
Aug 22, 2010
Messages
745 (0.15/day)
Location
Germany
System Name Acer Nitro 5 (AN515-45-R715)
Processor AMD Ryzen 9 5900HX
Motherboard AMD Promontory / Bixby FCH
Cooling Acer Nitro Sense
Memory 32 GB
Video Card(s) AMD Radeon Graphics (Cezanne) / NVIDIA RTX 3080 Laptop GPU
Storage WDC PC SN530 SDBPNPZ
Display(s) BOE CQ NE156QHM-NY3
Software Windows 11 beta channel

So, do you (or anyone else) have an older Windows installation handy?
If so, edit INF manually.
Then in NVCleanstall tick expert tweaks and disable driver telemetry to trigger rebuilding the signature.
 

JackCY

New Member
Joined
May 30, 2021
Messages
3 (0.00/day)
The compatible method works, tried it before last weekend. But one has to uninstall the Nvidia driver first otherwise it's not being reinstalled :( That also means my monitor settings got wiped and that is always a giant pain to setup again because Nvidia's adaptive sync code is a joke and black screens all connected monitors whether they are adaptive sync capable or not be it on DP or HDMI.

And yes the file that EAC complained about is indeed 2 years expired certificate signed. Someone tell Nvidia it's now 2021 not 2019 and that certificates don't last forever. But that would be a dream come true if they had quality control or fixed issues reported via their own system (when it could still be found) wouldn't it.
 

W1zzard

Administrator
Staff member
Joined
May 14, 2004
Messages
26,937 (3.72/day)
Processor Ryzen 7 5700X
Memory 48 GB
Video Card(s) RTX 4080
Storage 2x HDD RAID 1, 3x M.2 NVMe
Display(s) 30" 2560x1600 + 19" 1280x1024
Software Windows 10 64-bit
But one has to uninstall the Nvidia driver first otherwise it's not being reinstalled
First time I hear this, anyone else?

Someone tell Nvidia it's now 2021 not 2019 and that certificates don't last forever.
I did, their response "The listed files are embed PE signed binaries. Unfortunately, the OS can't recognize these certificates and this is expected behavior. Engineering has reported the issue to Microsoft."
I wrote back explaining that their answer is bs (with nicer words) and haven't heard from them since.

Try opening your own ticket, maybe you'll have more luck

expired certificate signed
What's also interesting is that they're getting this timestamped with an expired certificate, and get a MS sig on top of that
 

JackCY

New Member
Joined
May 30, 2021
Messages
3 (0.00/day)
First time I hear this, anyone else?

Try opening your own ticket, maybe you'll have more luck

What's also interesting is that they're getting this timestamped with an expired certificate, and get a MS sig on top of that
Well I don't remember the exact setup menu listing details anymore after installation, if it said driver not installed there or nothing, one of those. The fact that EAC kept on complaining after system restart the same way as it did before the reinstall, my conclusion was that the driver itself was not changed. I also don't remember loosing monitor settings either, I use CRU to clean up the entries and raise refresh.

After uninstalling driver via regular modern Win10 add/remove program "control panel" and installing v1.9.2 modified driver, system restart, the CRU changes were lost and driver was now reinstalled with EAC stopping to complain.

I have been installing 466.47-desktop-win10-64bit-international-dch-whql.exe modified with v1.9.2 over 466.47-desktop-win10-64bit-international-dch-whql.exe (same driver) modified with v1.9.0. In both I disable the telemetry, including any experimental and enable MSI.

I bet it detected no driver version upgrade and refused to reinstall/overwrite the files. Which I find understandable in modern applications as being more common though a bit annoying when the setup is launched by user to perform an action and then the setup itself decides it knows better than the user and does not perform what it was made for as if someone launched it by mistake. This is probably normal behavior of the NV setup and I don't expect it to be caused by NVCleanstall.

I tried to find the Nvidia bug/issue report page again but could not, anyone got a link? I know it existed because years ago I did report adaptive sync problems there. Nowadays all I found was that people should go to their forum and no link to the actual reporting page.

There is definitely some problem in the chain of trust when expired (invalid) certificates continue to be used. Normally I would expect the regular unmodified NV driver installer to fail when Windows tells it: no, go away, your certificate is invalid. But neither Windows nor MS's own driver certification seems to catch it.
When I search this, all I find is Virtualbox added hardening and does catch these Nvidia certificate shenanigans. One such report that also says that MS signed over the expired NV cert. And the sign over should somehow make it OK? I don't think so. #19743 (Hardening rejects DLL because of expired certificate nvldumdx.dll) – Oracle VM VirtualBox
The expired certificate problem definitely seems to be going a long while now. For the driver itself, one doesn't even have to use NVCleanstall to run into problems.
 

W1zzard

Administrator
Staff member
Joined
May 14, 2004
Messages
26,937 (3.72/day)
Processor Ryzen 7 5700X
Memory 48 GB
Video Card(s) RTX 4080
Storage 2x HDD RAID 1, 3x M.2 NVMe
Display(s) 30" 2560x1600 + 19" 1280x1024
Software Windows 10 64-bit
I have been installing 466.47-desktop-win10-64bit-international-dch-whql.exe modified with v1.9.2 over 466.47-desktop-win10-64bit-international-dch-whql.exe (same driver) modified with v1.9.0. In both I disable the telemetry, including any experimental and enable MSI.
That's pretty much what I've been using for testing dozens of times, just with non-DCH

I tried to find the Nvidia bug/issue report page again but could not, anyone got a link?
Include msinfo32's .nfo file in the initial submit, this will save you one round-trip with their 1st level support

Virtualbox
Nice find, I wasn't aware anyone else encountered this problem before. Unfortunately no solution and doesn't look like NVIDIA is planning to fix this. And I agree, this is probably human error
 

phaolo

New Member
Joined
Jun 24, 2021
Messages
18 (0.02/day)
Oh nice, but will I need to reinstall the driver from scratch then?
Will I be able to just select the graphic driver and avoid touching the HD audio part? (because this resets its setting every time)
 

phaolo

New Member
Joined
Jun 24, 2021
Messages
18 (0.02/day)
Doesn't anyone know this? I'd like to install the new version, but I'd like to avoid having to config everything again :\
Or maybe someone knows where the settings are stored?
 

W1zzard

Administrator
Staff member
Joined
May 14, 2004
Messages
26,937 (3.72/day)
Processor Ryzen 7 5700X
Memory 48 GB
Video Card(s) RTX 4080
Storage 2x HDD RAID 1, 3x M.2 NVMe
Display(s) 30" 2560x1600 + 19" 1280x1024
Software Windows 10 64-bit

W1zzard

Administrator
Staff member
Joined
May 14, 2004
Messages
26,937 (3.72/day)
Processor Ryzen 7 5700X
Memory 48 GB
Video Card(s) RTX 4080
Storage 2x HDD RAID 1, 3x M.2 NVMe
Display(s) 30" 2560x1600 + 19" 1280x1024
Software Windows 10 64-bit
I was talking about my post above, I meant the HD audio settings. They always get resetted in the normal installation.
Where do you change those settings? I didn't even know there was something to be configured :)
 

phaolo

New Member
Joined
Jun 24, 2021
Messages
18 (0.02/day)
Where do you change those settings? I didn't even know there was something to be configured :)
In Control Panel->Sound or right-clik on the sound icon in the taskbar.
Each capable device (mobo, GPU, soundcard, headphones, mic, etc) has its playback & recording input\outputs here.
The settings are in both Configure & Properties.

(I actually forgot to write down my previous config before the new installation, so I may have lost something :shadedshu:)
 

W1zzard

Administrator
Staff member
Joined
May 14, 2004
Messages
26,937 (3.72/day)
Processor Ryzen 7 5700X
Memory 48 GB
Video Card(s) RTX 4080
Storage 2x HDD RAID 1, 3x M.2 NVMe
Display(s) 30" 2560x1600 + 19" 1280x1024
Software Windows 10 64-bit
and when you install a new driver version (install over, no ddu), these options get reset?
 

phaolo

New Member
Joined
Jun 24, 2021
Messages
18 (0.02/day)
and when you install a new driver version (install over, no ddu), these options get reset?
They got reset with the HD audio, I don't know if I can leave the current one alone.

Btw I wonder if avoiding a clean install would even work, since, when testing NVCleanstall, the setup reported that the same graphic driver version was already installed..
 
Last edited:
Joined
Mar 11, 2019
Messages
282 (0.15/day)
any idea why they added this limitation? have you tested it on older windows builds?

1803 is the minimum version where a driver vendor can sideload an appx package included within the driver package where the system is set to not permit it otherwise.

In the case below, a user cannot sideload an appx package themselves, however the driver is capable of doing so after 1803.


1654432206535.png


I did, their response "The listed files are embed PE signed binaries. Unfortunately, the OS can't recognize these certificates and this is expected behavior. Engineering has reported the issue to Microsoft."

Explorer.exe cannot validate these signatures as the trusted authority does not exist within the user visible security store provided by the MMC snapin, these root authorities are embedded in Kernel DLL's (CI.dll to be exact)

The full chain is double time stamped by having both the vendor cert and the whck cert, so nvidia can continue using their expired certificate without any concerns, applications that need a valid trust chain should take all signatures on the file into account, it is fundamentally impossible to validate nvidia's own certificate chain at the user level even if it was within its validity period thanks to the chain breaking at "Microsoft Digital Media Authority 2005" which is embedded in CI.dll.
 
Last edited:
Joined
Aug 3, 2022
Messages
30 (0.05/day)
Location
ur dads house
System Name Oh wow it's actually good now
Processor AMD Ryzen 9 5950X
Motherboard MSI Prestige X570 Creation
Cooling Scythe Fuma 2
Memory Patriot Viper Steel 64GB @ 3800MHz
Video Card(s) EVGA GeForce RTX 2080 Ti Black
Storage 2TB Kingsman KP800, 2TB WD Black SN750, 2TB WD Blue SATA SSD
Display(s) Viotek GNV27DB, Acer CB271HU, Acer G247HL
Case Fractal Design Pop Air
Audio Device(s) Integrated ALC1220 (temporarily)
Power Supply EVGA SuperNOVA 850 G6
Mouse Logitech G700
Keyboard EVGA Z20 (Linear)
Software Windows 8.1
What does NVCleanstall resign? Is it the main driver .sys file? Is it just the inf? is it something else?
 
Top