Vault 7: Projects
This publication series is about specific projects related to the Vault 7 main publication.
Any modifications to a driver package once the signature has been applied, including adding or deleting a single character of
whitespace in the driver .inf file, will invalidate a full driver package signature. A driver package can however have two
simultaneous signatures, one covering the full driver package, and one embedded inside the driver binary file(s). Modifications
to the .inf file do not invalidate an embedded digital signature inside of a driver binary file.
Once a signature has been invalidated, Windows will no longer trust the driver package as much, and will place restrictions
on its installation (or outright prevent its installation on some OSes). The driver package can however be re-signed, to
restore the trustworthiness of the driver to Windows.
1.7.5.2 Minimum Driver Signature Requirements
Full driver package WHQL signatures are the best and most trusted by all versions of Windows. Windows allows the
installation of properly WHQL signed drivers, without producing a prompt warning the user about the driver’s trustworthiness.
However, current Windows versions do not require WHQL signatures to allow installation. Lesser signatures (or no
signatures in some cases) are allowed, but will generate user dialogs/warnings during the installation process.
Operating System        Minimum Signature to Allow Installation
Windows 2000            None
Windows XP 32-bit       None
Windows XP 64-bit       None
Windows Vista 32-bit    None
Windows Vista 64-bit    Embedded
Windows 7 32-bit        Embedded
Windows 7 64-bit        Embedded
Windows 8 32-bit        Embedded
Windows 8 64-bit        Embedded + Full package authenticode
Windows RT (ARM)        Third party drivers and driver packages are not currently allowed. All USB devices for this OS must use Microsoft supplied drivers.
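The following is an added example, not part of the original help file: a simplified Python model of the two signature scopes described above, showing that a one-character .inf edit breaks the full package signature but not the embedded one, and what that means against the table. It assumes a catalog is just one SHA-256 digest per file and the embedded signature is a digest of the .sys (real .cat files and Authenticode are signed PKCS#7 structures); all file names and contents are constructed.

```python
import hashlib

# Minimum signature per OS, transcribed from the table above. Windows RT is
# left out because third party driver packages are not allowed there at all.
# "embedded" = signature inside the .sys; "full" = .cat covering the whole package.
MINIMUM = {
    "Windows 2000": set(),
    "Windows XP 32-bit": set(),
    "Windows XP 64-bit": set(),
    "Windows Vista 32-bit": set(),
    "Windows Vista 64-bit": {"embedded"},
    "Windows 7 32-bit": {"embedded"},
    "Windows 7 64-bit": {"embedded"},
    "Windows 8 32-bit": {"embedded"},
    "Windows 8 64-bit": {"embedded", "full"},
}

def digest(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def make_catalog(package: dict) -> dict:
    """Model of a .cat: one digest per package file (the signing step is omitted)."""
    return {name: digest(data) for name, data in package.items()}

def valid_signatures(package, catalog, embedded_digest, sys_name):
    """Return the set of signature kinds that still verify for this package."""
    valid = set()
    if digest(package[sys_name]) == embedded_digest:
        valid.add("embedded")   # covers only the driver binary
    if catalog == make_catalog(package):
        valid.add("full")       # covers every file, including the .inf
    return valid

def installable_on(valid):
    """Operating systems whose minimum requirement is met by the valid signatures."""
    return [os_name for os_name, need in MINIMUM.items() if need <= valid]

# Constructed sample package (hypothetical names and contents).
SIGNED = {"example.inf": b"[Version]\nSignature=\"$Windows NT$\"\n",
          "example.sys": b"MZ-constructed-driver-bytes"}
CATALOG = make_catalog(SIGNED)
EMBEDDED = digest(SIGNED["example.sys"])
# The same package with one space appended to the .inf after signing.
EDITED = dict(SIGNED, **{"example.inf": SIGNED["example.inf"] + b" "})

if __name__ == "__main__":
    for label, pkg in (("as signed", SIGNED), ("inf edited", EDITED)):
        valid = valid_signatures(pkg, CATALOG, EMBEDDED, "example.sys")
        print(label, sorted(valid), installable_on(valid))
```

Re-running `make_catalog` on the edited package corresponds to re-signing: the new catalog matches the edited files again.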
1.7.5.3 Using Older Drivers with Windows 8
In general, USB driver packages that are designed for Windows 7 and prior OS versions will also work in Windows 8, but
there is one important exception to this.
Starting with Windows 8 64-bit, all drivers must contain a proper “full driver package” digital signature (prior OSes only
required an embedded signature in the .sys file, rather than the entire driver package including the .inf file). The driver
package signature exists as a .cat file that comes with the driver package, and needs to be correctly referenced from within
Protego_Release_01_05-Related-OEM-Documentation-MLA_v2013_12_20-help_mla_usb.pdf