• Welcome to TechPowerUp Forums, Guest! Please check out our forum guidelines for info related to our community.

[Test Build] Improved Driver Signing Options

W1zzard

Administrator
Staff member
Joined
May 14, 2004
Messages
24,201 (3.65/day)
Processor Core i7-8700K
Memory 32 GB
Video Card(s) RTX 3080
Display(s) 30" 2560x1600 + 19" 1280x1024
Software Windows 10 64-bit
This build adds an option to use an EAC-compatible signing method. Please test and feedback

 

Attachments

  • NVCleanstall.exe
    3.3 MB · Views: 766
Joined
Aug 20, 2007
Messages
17,876 (3.29/day)
System Name Pioneer
Processor Ryzen R9 5950X
Motherboard GIGABYTE X570 Aorus Elite
Cooling Noctua NH-D15 + A whole lotta Sunon and Corsair Maglev blower fans...
Memory Crucial Ballistix 64GB (4 x 16GB) @ DDR4-3600 (Micron E-Die, dual rank sticks)
Video Card(s) EVGA GeForce RTX 3090 Ti FTW3
Storage 2x Crucial P5 Plus 2TB PCIe 4.0 NVMe SSDs
Display(s) 55" LG 55" B9 OLED 4K Display
Case Thermaltake Core X31
Audio Device(s) TOSLINK->Schiit Modi MB->Asgard 2 DAC Amp->AKG Pro K712 Headphones or HDMI->B9 OLED
Power Supply EVGA SuperNova T2 Titanium 850W
Mouse Razer Deathadder v2
Keyboard WASD CODE Mechanical KB w/ Cherry MX Green switches
Software Windows 11 Enterprise (yes, it's legit)
Works perfect here.
 
Joined
Aug 22, 2010
Messages
607 (0.14/day)
Location
Germany
System Name Acer Nitro 5 (AN515-45-R715)
Processor AMD Ryzen 9 5900HX
Motherboard AMD Promontory / Bixby FCH
Cooling Acer Nitro Sense
Memory 32 GB
Video Card(s) AMD Radeon Graphics (Cezanne) / NVIDIA RTX 3080 Laptop GPU
Storage WDC PC SN530 SDBPNPZ
Display(s) BOE CQ NE156QHM-NY3
Software Windows 11 beta channel
Tested random DELL driver on ASUS with EAC compatible method.
GPU-Z flags signature as unknown.

 

W1zzard

Administrator
Staff member
Joined
May 14, 2004
Messages
24,201 (3.65/day)
Processor Core i7-8700K
Memory 32 GB
Video Card(s) RTX 3080
Display(s) 30" 2560x1600 + 19" 1280x1024
Software Windows 10 64-bit
Last edited:
Joined
Aug 22, 2010
Messages
607 (0.14/day)
Location
Germany
System Name Acer Nitro 5 (AN515-45-R715)
Processor AMD Ryzen 9 5900HX
Motherboard AMD Promontory / Bixby FCH
Cooling Acer Nitro Sense
Memory 32 GB
Video Card(s) AMD Radeon Graphics (Cezanne) / NVIDIA RTX 3080 Laptop GPU
Storage WDC PC SN530 SDBPNPZ
Display(s) BOE CQ NE156QHM-NY3
Software Windows 11 beta channel
Another tidbit. For whatever reasons some users prefer antiquated Windows 10 builds or are not even aware of it.

You can force installation of new drivers by removing the build check:

[Manufacturer]
%NVIDIA_A% = NVIDIA_Devices,NTamd64.10.0...17098

[NVIDIA_Devices.NTamd64.10.0...17098]
 

W1zzard

Administrator
Staff member
Joined
May 14, 2004
Messages
24,201 (3.65/day)
Processor Core i7-8700K
Memory 32 GB
Video Card(s) RTX 3080
Display(s) 30" 2560x1600 + 19" 1280x1024
Software Windows 10 64-bit
Joined
Aug 22, 2010
Messages
607 (0.14/day)
Location
Germany
System Name Acer Nitro 5 (AN515-45-R715)
Processor AMD Ryzen 9 5900HX
Motherboard AMD Promontory / Bixby FCH
Cooling Acer Nitro Sense
Memory 32 GB
Video Card(s) AMD Radeon Graphics (Cezanne) / NVIDIA RTX 3080 Laptop GPU
Storage WDC PC SN530 SDBPNPZ
Display(s) BOE CQ NE156QHM-NY3
Software Windows 11 beta channel
any idea why they added this limitation? have you tested it on older windows builds?
They cannot advertise RTX features under old Windows 10 versions.

Under Windows 7-8.1 there is some inconsistency:
INF contains RTX desktop GPUs, but most mobile RTX are missing (i guess they overlooked the few remaining ones in the OEM INFs)

I did not test with old versions, guinea pigs are welcome...
Actually i came up with the idea after i had to help some guy who assembled a new rig with RTX, installed Windows from a 2016 DVD and then went nuts trying to install the GeForce driver.
 
Joined
Mar 1, 2017
Messages
1,040 (0.53/day)
Location
Rio de Janeiro, Brazil
System Name Home PC/Work PC/Lenovo IdeaPad S145-15API
Processor AMD Phenom II X4 960T (Quad-Core)/AMD Athlon II X2 220 (Dual-Core)/AMD Ryzen 5 3500U (4C/8T)
Motherboard Gigabyte GA-880GM-UD2H (Rev 1.3)/HP Motherboard/Lenovo Motherboard
Cooling DeepCool Gammaxx L120T/Stock/Stock
Memory 8GB/7GB/8GB
Video Card(s) GT 730 1GB/ATI Radeon HD 4200 (Onboard)/AMD Radeon RX Vega 8 (Onboard)
Audio Device(s) Realtek Audio Chips with AAF DCH Optimus Sound - Generic
Benchmark Scores Mikrotik RB760iGS with 1Gb/s Up/Down
Another tidbit. For whatever reasons some users prefer antiquated Windows 10 builds or are not even aware of it.

You can force installation of new drivers by removing the build check:

[Manufacturer]
%NVIDIA_A% = NVIDIA_Devices,NTamd64.10.0...17098

[NVIDIA_Devices.NTamd64.10.0...17098]
Exactly!
 
Joined
Aug 22, 2010
Messages
607 (0.14/day)
Location
Germany
System Name Acer Nitro 5 (AN515-45-R715)
Processor AMD Ryzen 9 5900HX
Motherboard AMD Promontory / Bixby FCH
Cooling Acer Nitro Sense
Memory 32 GB
Video Card(s) AMD Radeon Graphics (Cezanne) / NVIDIA RTX 3080 Laptop GPU
Storage WDC PC SN530 SDBPNPZ
Display(s) BOE CQ NE156QHM-NY3
Software Windows 11 beta channel

So, do you (or anyone else) have an older Windows installation handy?
If so, edit INF manually.
Then in NVCleanstall tick expert tweaks and disable driver telemetry to trigger rebuilding the signature.
 

JackCY

New Member
Joined
May 30, 2021
Messages
3 (0.01/day)
The compatible method works, tried it before last weekend. But one has to uninstall the Nvidia driver first otherwise it's not being reinstalled :( That also means my monitor settings got wiped and that is always a giant pain to setup again because Nvidia's adaptive sync code is a joke and black screens all connected monitors whether they are adaptive sync capable or not be it on DP or HDMI.

And yes the file that EAC complained about is indeed 2 years expired certificate signed. Someone tell Nvidia it's now 2021 not 2019 and that certificates don't last forever. But that would be a dream come true if they had quality control or fixed issues reported via their own system (when it could still be found) wouldn't it.
 

W1zzard

Administrator
Staff member
Joined
May 14, 2004
Messages
24,201 (3.65/day)
Processor Core i7-8700K
Memory 32 GB
Video Card(s) RTX 3080
Display(s) 30" 2560x1600 + 19" 1280x1024
Software Windows 10 64-bit
But one has to uninstall the Nvidia driver first otherwise it's not being reinstalled
First time I hear this, anyone else?

Someone tell Nvidia it's now 2021 not 2019 and that certificates don't last forever.
I did, their response "The listed files are embed PE signed binaries. Unfortunately, the OS can't recognize these certificates and this is expected behavior. Engineering has reported the issue to Microsoft."
I wrote back explaining that their answer is bs (with nicer words) and haven't heard from them since.

Try opening your own ticket, maybe you'll have more luck

expired certificate signed
What's also interesting is that they're getting this timestamped with an expired certificate, and get a MS sig on top of that
 

JackCY

New Member
Joined
May 30, 2021
Messages
3 (0.01/day)
First time I hear this, anyone else?

Try opening your own ticket, maybe you'll have more luck

What's also interesting is that they're getting this timestamped with an expired certificate, and get a MS sig on top of that
Well I don't remember the exact setup menu listing details anymore after installation, if it said driver not installed there or nothing, one of those. The fact that EAC kept on complaining after system restart the same way as it did before the reinstall, my conclusion was that the driver itself was not changed. I also don't remember loosing monitor settings either, I use CRU to clean up the entries and raise refresh.

After uninstalling driver via regular modern Win10 add/remove program "control panel" and installing v1.9.2 modified driver, system restart, the CRU changes were lost and driver was now reinstalled with EAC stopping to complain.

I have been installing 466.47-desktop-win10-64bit-international-dch-whql.exe modified with v1.9.2 over 466.47-desktop-win10-64bit-international-dch-whql.exe (same driver) modified with v1.9.0. In both I disable the telemetry, including any experimental and enable MSI.

I bet it detected no driver version upgrade and refused to reinstall/overwrite the files. Which I find understandable in modern applications as being more common though a bit annoying when the setup is launched by user to perform an action and then the setup itself decides it knows better than the user and does not perform what it was made for as if someone launched it by mistake. This is probably normal behavior of the NV setup and I don't expect it to be caused by NVCleanstall.

I tried to find the Nvidia bug/issue report page again but could not, anyone got a link? I know it existed because years ago I did report adaptive sync problems there. Nowadays all I found was that people should go to their forum and no link to the actual reporting page.

There is definitely some problem in the chain of trust when expired (invalid) certificates continue to be used. Normally I would expect the regular unmodified NV driver installer to fail when Windows tells it: no, go away, your certificate is invalid. But neither Windows nor MS's own driver certification seems to catch it.
When I search this, all I find is Virtualbox added hardening and does catch these Nvidia certificate shenanigans. One such report that also says that MS signed over the expired NV cert. And the sign over should somehow make it OK? I don't think so. #19743 (Hardening rejects DLL because of expired certificate nvldumdx.dll) – Oracle VM VirtualBox
The expired certificate problem definitely seems to be going a long while now. For the driver itself, one doesn't even have to use NVCleanstall to run into problems.
 

W1zzard

Administrator
Staff member
Joined
May 14, 2004
Messages
24,201 (3.65/day)
Processor Core i7-8700K
Memory 32 GB
Video Card(s) RTX 3080
Display(s) 30" 2560x1600 + 19" 1280x1024
Software Windows 10 64-bit
I have been installing 466.47-desktop-win10-64bit-international-dch-whql.exe modified with v1.9.2 over 466.47-desktop-win10-64bit-international-dch-whql.exe (same driver) modified with v1.9.0. In both I disable the telemetry, including any experimental and enable MSI.
That's pretty much what I've been using for testing dozens of times, just with non-DCH

I tried to find the Nvidia bug/issue report page again but could not, anyone got a link?
Include msinfo32's .nfo file in the initial submit, this will save you one round-trip with their 1st level support

Virtualbox
Nice find, I wasn't aware anyone else encountered this problem before. Unfortunately no solution and doesn't look like NVIDIA is planning to fix this. And I agree, this is probably human error
 

phaolo

New Member
Joined
Jun 24, 2021
Messages
18 (0.05/day)
Oh nice, but will I need to reinstall the driver from scratch then?
Will I be able to just select the graphic driver and avoid touching the HD audio part? (because this resets its setting every time)
 

phaolo

New Member
Joined
Jun 24, 2021
Messages
18 (0.05/day)
Doesn't anyone know this? I'd like to install the new version, but I'd like to avoid having to config everything again :\
Or maybe someone knows where the settings are stored?
 

W1zzard

Administrator
Staff member
Joined
May 14, 2004
Messages
24,201 (3.65/day)
Processor Core i7-8700K
Memory 32 GB
Video Card(s) RTX 3080
Display(s) 30" 2560x1600 + 19" 1280x1024
Software Windows 10 64-bit
I was talking about my post above, I meant the HD audio settings. They always get resetted in the normal installation.
Where do you change those settings? I didn't even know there was something to be configured :)
 

phaolo

New Member
Joined
Jun 24, 2021
Messages
18 (0.05/day)
Where do you change those settings? I didn't even know there was something to be configured :)
In Control Panel->Sound or right-clik on the sound icon in the taskbar.
Each capable device (mobo, GPU, soundcard, headphones, mic, etc) has its playback & recording input\outputs here.
The settings are in both Configure & Properties.

(I actually forgot to write down my previous config before the new installation, so I may have lost something :shadedshu:)
 

W1zzard

Administrator
Staff member
Joined
May 14, 2004
Messages
24,201 (3.65/day)
Processor Core i7-8700K
Memory 32 GB
Video Card(s) RTX 3080
Display(s) 30" 2560x1600 + 19" 1280x1024
Software Windows 10 64-bit
and when you install a new driver version (install over, no ddu), these options get reset?
 

phaolo

New Member
Joined
Jun 24, 2021
Messages
18 (0.05/day)
and when you install a new driver version (install over, no ddu), these options get reset?
They got reset with the HD audio, I don't know if I can leave the current one alone.

Btw I wonder if avoiding a clean install would even work, since, when testing NVCleanstall, the setup reported that the same graphic driver version was already installed..
 
Last edited:
Joined
Mar 11, 2019
Messages
119 (0.10/day)
any idea why they added this limitation? have you tested it on older windows builds?

1803 is the minimum version where a driver vendor can sideload an appx package included within the driver package where the system is set to not permit it otherwise.

In the case below, a user cannot sideload an appx package themselves, however the driver is capable of doing so after 1803.


1654432206535.png


I did, their response "The listed files are embed PE signed binaries. Unfortunately, the OS can't recognize these certificates and this is expected behavior. Engineering has reported the issue to Microsoft."

Explorer.exe cannot validate these signatures as the trusted authority does not exist within the user visible security store provided by the MMC snapin, these root authorities are embedded in Kernel DLL's (CI.dll to be exact)

The full chain is double time stamped by having both the vendor cert and the whck cert, so nvidia can continue using their expired certificate without any concerns, applications that need a valid trust chain should take all signatures on the file into account, it is fundamentally impossible to validate nvidia's own certificate chain at the user level even if it was within its validity period thanks to the chain breaking at "Microsoft Digital Media Authority 2005" which is embedded in CI.dll.
 
Last edited:
Top