In a recent discussion about moving Windows Vista’s graphics
subsystem out of the operating system kernel and into its own area, called the
Windows Presentation Foundation, the Windows Vista infrastructure architects revealed
that in the new operating system most drivers, including graphics, will run in
user mode rather than in kernel mode. According to Microsoft, the main reason for
the move to user mode is that when a driver runs at the kernel level, it can
basically do anything it wants–including overwriting memory that doesn’t
belong to it. The result of such an action is more often than not a system
crash. In fact, it was revealed that about 90 percent of all system crashes in
Windows XP are caused by problems with drivers–namely unsigned drivers.

As such, when you’re troubleshooting strange behavior with a
Windows XP system, the first things you should put under the microscope are the
drivers currently installed on the system. To do so, you can use the File Signature
Verification Utility and configure it to search for and identify any unsigned drivers
currently installed in the operating system.

In this article, I’ll show you how to use the File Signature
Verification Utility as a troubleshooting aid. As I do, I’ll go into more detail
on the significance of signed versus unsigned drivers in Windows XP.

Signed drivers

As you know, all of the system files and device driver files
provided on the Windows XP CD and added to the system by Windows Update have an
official Microsoft digital signature attached to them. This digital signature indicates
that the files are original, unaltered system and driver files from Microsoft or
that they are third-party driver files that have been approved by Microsoft for
use with Windows XP.

You probably also know that software and drivers for
hardware products that carry the Designed for Microsoft Windows XP logo, shown
in Figure A, have a digital signature from Microsoft, indicating that the
product was tested for compatibility with the Windows XP operating system using
official testing procedures provided by Microsoft.

Figure A

This logo ensures that the software and drivers for hardware products are digitally signed by Microsoft.

The logo also indicates that if the driver is ever updated,
the hardware manufacturer should have the updated driver tested, signed, and
made readily available either on the manufacturer’s Web site or on the Windows
Update Web site.

Unsigned drivers

While the goals of the Designed for Microsoft Windows XP logo
program and signed drivers are to improve overall system
stability, not all hardware manufacturers choose to participate in the program. On
the other hand, some hardware may have been manufactured and shipped before
Windows XP was released and the manufacturers have not gone back and created
signed drivers for what they consider their legacy devices.

Regardless of the situation, chances are good that at one
time or another you’ve been installing a piece of hardware and encountered the
Hardware Installation dialog box shown in Figure B. In the case of new
hardware, chances are that the accompanying installation guide instructed you to
click the Continue Anyway button with the assurance that the functionality of
the driver is sound and that the warning can safely be ignored.

Figure B

By default, Windows XP will warn you before allowing the installation of
unsigned drivers.

Because you need or really want to use the hardware, you go
ahead and click the button. In many cases, an unsigned driver seems to work
fine, so you go about your business and eventually forget all about the fact
that the driver was unsigned.

But what happens to the functionality of an unsigned driver
over time as you add other hardware and drivers to the system or update the
operating system? Will an unsigned driver continue to play nice or will it be
the instigator of strange problems or crashes?

Investigating Windows XP’s Drivers settings

When it comes to device drivers, Windows XP has two built-in
settings that are designed to ensure signed drivers are used in the system.
First, when you begin a driver installation procedure, Windows XP will by
default check to see if the driver has been signed. Second, when you connect a
new device to your system without first installing the drivers, Windows XP is
configured to prompt you to allow the operating system to check the Windows
Update site for a signed driver.

You can alter or investigate these settings on the Hardware
tab of the System Properties dialog box. To do so, press [Windows]+Break to
display the System Properties dialog box and then select the Hardware tab. As
you can see in Figure C, the Drivers panel on the Hardware tab contains two
buttons titled Driver Signing and Windows Update.

Figure C

On the Hardware tab, the Drivers panel contains buttons titled Driver
Signing and Windows Update.

When you click the Driver Signing button, you’ll see the Driver
Signing Options dialog box, which provides you with three levels of digital
signature verification, as shown in Figure D. As you can see, the default
setting is to warn you when an unsigned driver is detected. This is the setting
that will generate the Hardware Installation dialog box shown earlier in Figure
B.

Figure D

By default, Windows XP is configured to warn you when an unsigned driver is
detected.

As you can see, you can either lower or raise the digital
signature verification level. For example, if you don’t ever want to install
unsigned drivers on your Windows XP system, you’d select the Block-Never
Install Unsigned Driver Software option. You should also verify that the Make
This Action The System Default check box is selected. When you do so, rather
than a dialog box like the one shown in Figure B, you’ll see a Hardware
Installation dialog box like the one shown in Figure E, anytime you attempt to
install a device with an unsigned driver.

Figure E

If you block unsigned drivers, you won’t be able to install any hardware
unless it has a signed driver.

Returning to the Drivers panel on the Hardware tab, if you
click the Windows Update button you’ll see the Connect to Windows Update dialog
box, as shown in Figure F. As you can see, the available settings allow you to
select one of three levels of control over how the operating system is to
access the Windows Update site when looking for signed drivers.

Figure F

There are three levels when it comes to searching the Windows Update site
for signed drivers.

The default setting is to prompt you to search the Windows
Update site for a signed driver. However, if you really want to enforce the
policy, you can select the first option in order to make Windows XP immediately
go to the Windows Update site.

The File Signature Verification Utility

Now that you have a good idea of how Windows XP’s driver
signing features work and how they can be configured, let’s take a look at how
you can use the File Signature Verification Utility, as shown in Figure G, to
troubleshoot driver problems. The official access point for the File Signature
Verification Utility is on the Tools menu in System Information. However, you
can launch the utility much more quickly from the Run command. To do so, press
[Windows]+R, type Sigverif.exe in the Open text box, and click OK.

Figure G

The File Signature Verification Utility provides a very straightforward
interface.

In order to configure the Signature Verification Utility to
track down unsigned drivers, click the Advanced button. When the Advanced File
Signature Verification Settings dialog box appears, you’ll notice that the
default setting is to scan for unsigned system files. In order to scan for
unsigned drivers, you need to select the Look For Other Files That Are Not
Digitally Signed option, as shown in Figure H. You can click the Browse button
adjacent to the Look In This Folder text box to drill down to the C:\Windows\System32\Drivers
folder.

Figure H

In order to track down unsigned drivers, you need to choose the other files
option.

To continue with the configuration operation, select the
Logging tab and make sure that the Save The File Signature Verification Results
To A Log File check box is selected, as shown in Figure I. You can leave the
default Logging options set to Overwrite Existing Log File and the Log File
Name set to Sigverif.txt. To complete the configuration operation, click OK.

Figure I

You’ll want to make sure that the File Signature Verification Utility is
configured to save the results to a log file.

When you return to the File Signature Verification window, click
Start. As soon as you do, the File Signature Verification window will begin
building a file list and then start scanning all the files in the Drivers
folder for unsigned drivers, as shown in Figure J.

Figure J

The File Signature Verification Utility uses a progress bar to keep you
apprised of its scan operation.

When the utility finishes its scan operation, you’ll see the
Signature Verification Results window, as shown in Figure K. As you can see,
the window lists all of the unsigned drivers that the utility found installed
on the system. In addition, there is a mini report in the status area that
provides a total and breakdown of all the files scanned.

Figure K

The File Signature Verification Utility provides detailed information about all
of the unsigned drivers installed on the system.

While looking over the preliminary information provided in
this window is helpful, the working copy of the report is in the Sigverif.txt log
file, which can be found in the Windows folder and viewed in Notepad, as shown
in Figure L. Don’t be alarmed that the report identifies the operating system
as Windows 2000–this utility is a carryover from the previous operating system,
and through an oversight Windows 2000 is still listed in the log file header.

Figure L

The Sigverif.txt log file lists all of the driver files, both signed and
unsigned, and is sorted alphabetically.

While the report is comprehensive, it lists all of the
driver files and is sorted alphabetically rather than by status. As such, it
can be a bit unwieldy for use as a map for a troubleshooting expedition.
However, with a bit of manipulation via Excel’s Text Import Wizard, the
report can be imported into a spreadsheet, where you can easily sort the
data by the status, as shown in Figure M. As you can see, in the Sigverif
log file, drivers that are unsigned are displayed as Not Signed.

Figure M

Using Excel’s Text Import Wizard, the report can be imported into a
spreadsheet and sorted by status.
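
The same sort-by-status step can be scripted instead of done in Excel. The following Python sketch is an added example, not part of the original article: the sample log and its driver names are constructed, and the column layout (columns separated by two or more spaces, a bracketed folder line) is an assumption to adjust against a real Sigverif.txt.

```python
import re
from collections import Counter

# Constructed sample in the general shape of a Sigverif.txt report. The exact
# column layout is an assumption; adjust the parser if a real log differs.
SAMPLE_LOG = r"""
Microsoft Signature Verification

Log file generated on 1/1/2006 at 9:00 AM
OS Platform:  Windows 2000 (x86), Version: 5.1, Build: 2600

File              Modified     Version          Status        Catalog    Signed By
----------------  -----------  ---------------  ------------  ---------  ---------
[c:\windows\system32\drivers]
acpi.sys          8/4/2004     5.1.2600.2180    Signed        NT5.CAT    Microsoft Windows Component Publisher
exampleusb.sys    3/2/2001     1.0.0.4          Not Signed    N/A
kbdclass.sys      8/4/2004     5.1.2600.2180    Signed        NT5.CAT    Microsoft Windows Component Publisher
oldscan.sys       11/9/1999    None             Not Signed    N/A
"""

COLUMN_GAP = re.compile(r"\s{2,}")   # columns are separated by runs of spaces
STATUSES = {"Signed", "Not Signed"}  # "Not Signed" itself contains one space

def parse_sigverif(text):
    """Return one dict per driver row: folder, file, modified, version, status."""
    rows, folder = [], None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            folder = line[1:-1]      # section line naming the scanned folder
            continue
        fields = COLUMN_GAP.split(line)
        # Data rows carry a known status in the fourth column; this skips the
        # banner, the column headings and the dashed ruler.
        if len(fields) >= 4 and fields[3] in STATUSES:
            rows.append({"folder": folder, "file": fields[0],
                         "modified": fields[1], "version": fields[2],
                         "status": fields[3]})
    return rows

def unsigned_first(rows):
    """Sort by status so Not Signed entries lead, then by file name."""
    return sorted(rows, key=lambda r: (r["status"] != "Not Signed", r["file"].lower()))

def status_counts(rows):
    """Totals per status, comparable to the mini report in the results window."""
    return dict(Counter(r["status"] for r in rows))

if __name__ == "__main__":
    rows = parse_sigverif(SAMPLE_LOG)
    print(status_counts(rows))
    for r in unsigned_first(rows):
        print(f'{r["status"]:<12}{r["file"]:<18}{r["modified"]:<12}{r["version"]}')
```
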

Disabling unsigned drivers

Once you’ve identified the unsigned drivers on the system,
you can use the report as a map for your troubleshooting expedition. Basically,
what you’ll want to do is disable the unsigned drivers one by one to see if one
of the unsigned drivers is the cause of the problem.

There are several ways that you can disable an unsigned
driver. Probably the easiest way to do so is to launch Windows Explorer,
access the Windows\System32\Drivers folder, locate the driver file, and rename
it. If you can recognize the hardware via the driver file name, you can launch
Device Manager from the Hardware tab of the System Properties dialog box, access
the device’s properties dialog box, and disable the device.

After you disable a device, use the system as you normally
would and see if the problem persists. If it does, re-enable the device, and
then disable the next driver in your list.

If, after disabling a driver, the problem appears to be
resolved, you can be fairly certain that you’ve isolated the problem driver. At
this point, you’ll want to contact the manufacturer and see if you can download an
updated version of the driver that is designed to run with Windows XP.