Figure 4-16 MSinfo32 displays general system information
Figure 4-17 MSinfo32 displays conflicts/sharing information
You can access information about specific devices (CD-ROM, sound device, display, and so on) by expanding Components. Arguably the most useful of the selections available as far as diagnosis is concerned is Problem Devices, which lists devices that cannot start, have no drivers installed, or have other problems.
When you expand Software Environment, you can click System Drivers. This displays a list of kernel drivers, and you can determine whether a driver has started. You can use the Find What: box to find a driver by its file name or description.
Testing Drivers with Driver Verifier Monitor
Not all driver problems are due to conflicts. Sometimes devices do not work properly or STOP errors occur, but no conflict information is shown and disabling other drivers does not resolve the problems. As with any software installation, you can use Reliability Monitor to determine when the installation occurred and whether reliability was affected adversely, but this tool does not diagnose device driver problems specifically.
Windows 7 provides the Driver Verifier Monitor command-line tool, which lets you monitor device drivers to detect illegal function calls or actions that might corrupt the system. It can subject the drivers to various stresses and tests to find incorrect behavior.
Figure 4-18 shows the Driver Verifier Monitor tool and the verifier command. The /volatile flag lets you start verification of any driver without rebooting, even if Driver Verifier Monitor is not already running, and you can start the verification of a driver that is already loaded. These improvements, introduced in Windows Vista, significantly reduce the number of reboots required. This saves time and lets you use Driver Verifier Monitor to monitor a driver while you attach and remove devices.
You can query settings and add and remove drivers, but the main functionality is provided by the /faults flag that lets you inject stress tests of configurable severity to determine whether the driver is working properly in all situations. You can, for example, simulate a low-resources situation or a wait situation that returns an unexpected result. You can monitor resource usage (pool allocation) and keep a record of the number of faults injected into a system.
Driver Verifier Monitor is primarily a stress tool that, for example, informs you that a device driver will fail if disk or memory usage is above a certain limit. You can use more general tools, such as Performance Monitor and Task Manager, to monitor resource usage and diagnose low-resource situations.
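
The following PowerShell session is an added example, not part of the original text. It verifies an already-loaded driver without a reboot, turns on low resources simulation, and uses the verifier exit code to confirm the change was applied live. The driver name sampledrv.sys is a hypothetical placeholder, and the script assumes an elevated prompt on a test computer.

```powershell
# Added example: live (volatile) verification of one driver on a test computer.
$driver = 'sampledrv.sys'   # hypothetical driver under test

function Invoke-Verifier {
    param([string[]]$Arguments)
    $out = & verifier.exe @Arguments 2>&1
    # verifier.exe return codes: 0 = success, 1 = error, 2 = reboot needed
    switch ($LASTEXITCODE) {
        0       { return $out }
        2       { throw "verifier $Arguments needs a reboot; nothing was applied live" }
        default { throw "verifier $Arguments failed: $out" }
    }
}

# Start verifying the driver now, even though it is already loaded.
Invoke-Verifier '/volatile', '/adddriver', $driver

# Enable low resources simulation (flag 0x4) without rebooting. The /faults
# flag configures this same feature (probability, pool tags, applications).
Invoke-Verifier '/volatile', '/flags', '0x4'

# Exercise the device here (attach and remove it, run a normal workload),
# then record the counters, including pool allocations and injected faults.
Invoke-Verifier '/query' | Out-File (Join-Path $env:TEMP 'verifier-query.txt')

# Show which drivers and flags are currently configured.
Invoke-Verifier '/querysettings'

# Stop verifying the driver. Volatile settings are discarded at the next reboot.
Invoke-Verifier '/volatile', '/removedriver', $driver
```
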
More Info: Driver Verifier Monitor
For more information about Driver Verifier Monitor, download the white paper “Driver Verifier in Windows Vista,” at http://www.microsoft.com/whdc/devtools/tools/vistaverifier.mspx. This document describes the use of the tool in Windows Vista, but the information also is relevant to Windows 7.
Driver Signing and Digital Certificates
Digital signatures allow administrators and users who are installing Windows-based software to know whether a legitimate publisher has provided the software package. Administrator privilege is required to install unsigned kernel-mode features such as device drivers. Drivers must be signed by certificates that Windows 7 trusts. Certificates that identify trusted signatories are stored in the Trusted Publishers certificate store.
As an administrator, you can authorize the installation of a driver that is unsigned or is not in the Trusted Publishers store. Provided you are installing the driver on a test computer to evaluate it rather than distributing it to a large number of client computers, this is a valid thing to do. Many drivers come from reputable sources (for example, the device manufacturer) but have not yet gone through the validation process that results in a digital signature. Even some Microsoft drivers are unsigned.
When you or other administrators are installing drivers, authorization is not typically a problem. However, you might have a driver that you want ordinary users to install. Even if you stage the driver, users cannot install it because only administrators can approve installation of a driver that does not have a valid signature.
You can obtain a self-signed certificate, valid only within your organization, from a certificate authority (CA) server running Windows Server and Certificate Services. The certificate is not trusted by other organizations where no trust relationship exists. Even within your organization, Microsoft recommends that you use this procedure only on a test network and that only drivers with valid signatures are installed in the production environment.
If you want to sign a device driver so that it can be used by other organizations, you need a certificate issued by a trusted external CA such as VeriSign. This is much more difficult to obtain.
To enable non-administrators to install a driver that does not have a trusted signature, you need to sign the device driver package with a digital certificate, and then place that certificate on client computers so that users do not have to determine whether a device driver or its publisher is “trusted.”
You then need to stage the device driver package in the protected driver store of a client computer (as described previously in this lesson) so that a standard user can install the package without requiring administrator rights.
Typically, you would use Group Policy to deploy the certificate to client computers. Group Policy allows you to have the certificate automatically installed to all managed computers in a domain, organizational unit, or site.
A digital signature guarantees that a package came from its claimed source (authenticity) and that it is 100 percent intact and unmodified (integrity). A digital certificate identifies an organization, and it is trustworthy because it can be checked electronically by a CA.
The high-level procedure to sign a device driver is as follows:
1. Create a digital certificate for signing. You do this on the Certificates console on the Certificate Server (CA). You can also use the MakeCert utility.
2. Add the certificate to the Trusted Root CA Certification Authorities store. This is a copy-and-paste operation that you perform in the Certificates Console, from which you can access the Trusted Root CA Certification Authorities store.
3. Add the certificate to the Trusted Publishers store. You can do this also in the Certificates snap-in.
4. Sign the device driver package with the certificate. To do this, you prepare the driver package .inf file, create a catalog file for the driver package, and sign the catalog file by using the Signtool utility.
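
The four steps above can also be scripted. The PowerShell sketch below is an added example, not part of the original text; it uses MakeCert, the CertMgr command-line tool (in place of the Certificates console), Inf2Cat, and SignTool, which it assumes are on the PATH of an elevated prompt on a test computer. The certificate name, folder, and catalog name are hypothetical placeholders.

```powershell
# Added example: test-sign a driver package on an isolated test computer.
$ErrorActionPreference = 'Stop'
$pkgDir   = 'C:\Drivers\Toaster'               # hypothetical package folder
$catFile  = Join-Path $pkgDir 'toaster.cat'    # must match CatalogFile= in the .inf
$certName = 'Contoso.com(Test)'                # hypothetical subject name
$cerFile  = 'C:\Drivers\ContosoTest.cer'
$store    = 'PrivateCertStore'                 # store that holds the private key

function Invoke-Tool {
    param([string]$Exe, [string[]]$Arguments)
    & $Exe @Arguments
    if ($LASTEXITCODE -ne 0) { throw "$Exe failed with exit code $LASTEXITCODE" }
}

# Step 1: create a self-signed certificate with an exportable private key.
Invoke-Tool 'makecert.exe' @('-r', '-pe', '-ss', $store, '-n', "CN=$certName", $cerFile)

# Steps 2 and 3: trust the certificate as a root and as a publisher.
Invoke-Tool 'certmgr.exe' @('/add', $cerFile, '/s', '/r', 'localMachine', 'root')
Invoke-Tool 'certmgr.exe' @('/add', $cerFile, '/s', '/r', 'localMachine', 'trustedpublisher')

# Step 4: build the catalog from the .inf file, sign it, and verify the result.
Invoke-Tool 'inf2cat.exe'  @("/driver:$pkgDir", '/os:7_X86,7_X64')
Invoke-Tool 'signtool.exe' @('sign', '/v', '/s', $store, '/n', $certName, $catFile)
Invoke-Tool 'signtool.exe' @('verify', '/pa', '/v', $catFile)

# Record where the test certificate is now trusted so that it can be audited
# and removed when the evaluation is finished.
Get-ChildItem Cert:\LocalMachine\Root, Cert:\LocalMachine\TrustedPublisher |
    Where-Object { $_.Subject -eq "CN=$certName" } |
    Select-Object PSParentPath, Thumbprint, NotAfter
```
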
Exam Tip
The procedure to sign a device driver digitally has been deliberately given as a high-level procedure. You typically would do this in a domain, organizational unit, or site. The examination is most unlikely to test this procedure in any detail. It is sufficient to know that it is possible and to know why you would do it.
Note: Disable Driver Signature Enforcement
If you want to test new drivers that are being developed by your organization but do not want to sign these drivers every time they are revised, you can restart your computer, press F8 during reboot, and select Disable Driver Signature Enforcement. This permits you to run unsigned drivers until the computer is again rebooted. This workaround is particularly useful in 64-bit versions of Windows 7, where unsigned drivers cannot by default be installed even if you supply administrator credentials.
More Info: Disable Driver Signature Enforcement
For more information about the Disable Driver Signature Enforcement function, see http://msdn.microsoft.com/en-us/library/aa906338.aspx
Checking Digital Signatures with the DirectX Diagnostic Tool
You can use the DirectX Diagnostic (DXdiag) tool to troubleshoot DirectX-related issues. One of these issues is whether a device driver for a DirectX device (for example, your video driver) has passed Microsoft’s Windows Hardware Quality Labs (WHQL) testing regimen and has been digitally signed. You start the DXdiag tool by entering dxdiag in the Start search box, the Run command box, or the command prompt. You do not need to open an elevated command prompt to run DXdiag.
When DXdiag starts, it displays the System tab. This provides system information and specifies the version of DirectX that is installed on your computer. The first time you use the tool, select the Check For WHQL Digital Signatures check box, as shown in Figure 4-19. This option remains selected if you close and reopen the tool, so the tool will check for digital signatures each time you run it.
Figure 4-19 Enabling the DXdiag tool to check for WHQL digital signatures
The Display tab provides details about your display hardware and driver. It also lists available memory for your video hardware and tells you if your video driver has passed the WHQL testing regime. As shown in Figure 4-20, you can check whether WHQL Logo’d is set to Yes or No.
Figure 4-20 The DXdiag Display tab
Note: Your Hardware Might Have More Available Memory Than Is Indicated
The DXdiag tool cannot report memory that is in use at the time that it starts. Therefore, you might see less memory reported than your video card actually has.
If DXdiag detects a problem with your display settings, a warning message appears in the Notes box. Otherwise, the box displays No Problems Found.
The Sound tab displays details about your sound hardware and device driver and reports any problems in the Notes box. It also tells you whether WHQL Logo’d is set to Yes or No for that driver. If you have more than one sound card installed, you have more than one Sound tab. Default Device on each tab indicates whether the device described on the tab is the default.
The Input tab lists the input devices connected to your computer and related devices classified as USB devices and PS/2 devices. It reports any problems it finds with these devices but does not list the device drivers or say whether they are signed. You can obtain this information by accessing the devices in Device Manager.
Checking Digital Signatures with the File Signature Verification Tool
The DXdiag tool identifies problems with DirectX hardware and tells you whether that hardware has passed the WHQL testing regimen and has been signed digitally. However, it does not test the device drivers that are not associated with DirectX devices. To scan your computer and identify any unsigned drivers, you should use the File Signature Verification (Sigverif) tool.
You start the Sigverif tool by entering sigverif in the Start search box, the Run command box, or the command prompt. You do not need to open an elevated command prompt to run Sigverif. The Sigverif tool is shown in Figure 4-21.
Figure 4-21 The Sigverif tool
You start the scan by clicking Start. Clicking Advanced lets you configure logging before a scan and view the log file when a scan is complete. Figure 4-22 shows the Sigverif log. Even if no unsigned device drivers are detected, Sigverif provides a useful method for listing every device driver on your computer.
Figure 4-22 The Sigverif log
Practice: Configuring Computer Policy and Driver Search
By default, only local administrators can install devices on a computer unless these devices are authorized and their drivers are in the driver store. You can configure computer policy on a computer running Windows 7 to permit ordinary users to install devices from specific device setup classes. You can also permit these users to stage drivers on the computer.
These procedures would be suitable if you had a small number of client computers in a workgroup. In an enterprise environment, you would perform the configurations in Group Policy Editor on a domain controller and apply them to client computers. However, the procedure would be similar to that described here.
You also configure a computer running Windows 7 to search other directories for drivers that are not in the driver store.
Exercise 1: Configuring Computer Policy to Allow Non-Administrators to Install Specific Device Setup Classes
This exercise permits a non-administrative user to install any imaging device (such as a webcam) that has a signed driver on the Canberra computer. You first determine the GUID of the Imaging Devices setup class and then configure computer policy to permit non-administrators to install this class of device. The exercise requires that at least one device of that setup class is installed on your computer. If not, use another setup class. You need to know the procedure; the actual device setup class you choose is not important. To permit non-administrators to install a specific type of hardware device, perform the following procedure:
1. Log on to the Canberra computer with the Kim_Akers account.
2. If the Don Hall non-administrator (ordinary user) account does not already exist, create it.
3. Open Device Manager.
4. Expand Imaging Devices in the Device Manager tree. Select a device (such as a webcam).
5. Right-click the device and choose Properties.
6. On the Details tab, in the Property list, click Device Class Guid, as shown in Figure 4-23.
7. The GUID is displayed, as shown in Figure 4-24. Right-click the GUID and choose Copy. Paste the GUID into Microsoft Notepad so you do not lose it.
8. Click Start. Enter mmc gpedit.msc in the Start Search box and press Enter. This starts Local Group Policy Object Editor.
9. In Local Group Policy Object Editor, under Local Computer Policy, double-click Computer Configuration, double-click Administrative Templates, double-click System, and select Driver Installation.
Figure 4-23 Determining a device class GUID
Figure 4-24 Monitor device type GUID
10. In the details pane, double-click Allow Non-Administrators To Install Drivers For These Device Setup Classes, as shown in Figure 4-25.
Figure 4-25 Accessing the Allow Non-Administrators To Install Drivers For These Device Setup Classes policy
11. In the Allow Non-Administrators To Install Drivers For These Device Setup Classes dialog box, shown in Figure 4-26, select Enabled.
Figure 4-26 Enabling the Allow Non-Administrators To Install Drivers For These Device Setup Classes policy