Kernel Driver Signing

Previous Next


Kernel mode drivers and Windows 7, the short version

With a recent policy change, Microsoft requires software developers to purchase new code signing certificates. Those certificates are needed to digitally sign kernel mode drivers (otherwise a driver won't run) and are now only available with a hash algorithm called SHA-2 (instead of the perviously used and cryptographically weaker SHA-1).

Sadly, older operating systems like Windows 7 had no support for SHA-2 and will report SHA-2 signed kernel mode drivers like the one Argus Monitor now uses as 'not digitally signed', even tough they are. In turn, the operating system will refuse to load the driver.

Because software developers are now forced to use the new certificates, the only way on Windows 7 to keep software relying on those drivers working is to add support for SHA-2 based certificates by installing the so called "Security Update for Windows 7 for x64-based Systems (KB3033929)". For the download links, please see the bottom of this page.


Some more in-depth background information

Since the release of Windows 7 / 64-Bit, all kernel drivers must be digitally signed with a trusted certificate, otherwise the kernel driver will just not load and run. For this, software developers like us have to purchase a certificate from a Microsoft trusted Certificate Authority (CA). Those certificates are only valid for a limited amount of time before they have to be renewed. We have been doing this since 2009, the certificate signature being of type SHA-1.

Because of security concerns, Microsoft announced in 2015 the end of SHA-1 effective from January 1, 2016. This means that any Certificate Authorities (CA) that participate in Microsoft's Authenticode code signing program will be required to issue SHA-2 certificates exclusively. Starting in 2016, certificates using the old SHA-1 hash algorithm are no longer available, because all new certificates will now have to use SHA-2 as the hash algorithm. Because our own code signing certificate expired and is no longer valid to be used to sign our software we had to purchase a new certificate in April 2016, which also has to use the SHA-2 hash algorithm.

This is no problem at all for users of Windows 8/10 as these operating systems support SHA-2 out of the box.

Things are different in Windows 7. This OS does not support SHA-2 by default. To get the SHA-2 support there, the user has to install the security update KB3033929. Because of the new SHA-2 certificate, all versions of Argus Monitor released since April 2016 require this Microsoft security update on Windows 7 to run.


Download

Please download the update in the language of your operating system. Run the installation file by a double-click and install the update.

The download site on the Microsoft server may place a Windows 10 advertisement at the top of the page. Nevertheless, this is the right update for Windows 7. Below the Windows 10 advertisement, it says

"Security Update for Windows 7 for x64-based Systems (KB3033929)"


Download link for Windows 7 64-Bit


Download link for Windows 7 32-Bit