Lesson 4: Configuring, Monitoring, and Troubleshooting Driver Signing

The source of many system problems can be traced to inappropriate drivers being installed. To reduce the occurrence of such problems, Windows 2000 drivers and operating system files have been digitally signed by Microsoft to ensure their quality. In Device Manager, you can look at the Driver tab to verify that the digital signer of the installed driver is correct. Some applications overwrite existing operating files as part of their installation process. These files can cause system errors that are difficult to troubleshoot. Microsoft has greatly simplified the tracking and troubleshooting of altered files by signing the original operating system files and allowing you to easily verify these signatures.


After this lesson, you will be able to

  • Configure driver signing
  • Describe the System File Checker (SFC) utility and how to use it to verify and troubleshoot driver signing
  • Use the Windows Signature Verification utility (sigverif) to monitor and troubleshoot driver signing

Estimated lesson time: 20 minutes


Configuring Driver Signing

You can configure how the system responds to unsigned files by opening System in Control Panel and clicking the Hardware tab. On the Hardware tab, in the Device Manager box, click Driver Signing to display the Driver Signing Options dialog box (see Figure 6.9).

Figure 6.9 Configuring driver signing

The following three settings are available to configure driver signing:

  • Ignore. This option allows any files to be installed regardless of their digital signature or the lack thereof.
  • Warn. This option displays a warning message before allowing the installation of an unsigned file. This is the default option.
  • Block. This option prevents the installation of unsigned files.

If you are logged on as Administrator or as a member of the Administrators group, you can select Apply Setting As System Default to apply the driver signing configuration you set up to all users who log on to this computer.

Monitoring and Troubleshooting Driver Signing

You can use Device Manager to track the digital signature of files. Windows 2000 also provides System File Checker (SFC), a command-line utility you can use to check the digital signature of files. The syntax of the SFC utility is as follows:

 Sfc [/scannow] [/scanonce] [/scanboot] [/cancel] [/quiet]  [/enable] [/purgecache] [/cachesize=x] 

Table 6.6 describes System File Checker's optional parameters.

Table 6.6 SFC's Parameters

ParameterDescription
/scannowCauses the SFC utility to scan all protected system files immediately
/scanonceCauses the SFC utility to scan all protected system files at the next system restart
/scanbootCauses the SFC utility to scan all protected system files every time the system restarts
/cancelCancels all pending scans of protected system files
/quietReplaces all incorrect system file versions without prompting the user
/enableReturns Windows File Protection to default operation, prompting the user to restore protected system files when files with incorrect versions are detected
/purgecachePurges the file cache and scans all protected system files immediately
/cachesize=xSets the file cache size

Using the File Signature Verification Utility

Windows 2000 also provides a File Signature Verification utility. To use this utility, click Start, point to Run, type sigverif and press Enter. Once the File Signature Verification utility starts, you can click the Advanced button to configure it. The File Signature Verification utility allows you to view the file's name, its location, its modification date, its type, and its version number.

Practice: Using the Windows Signature Verification Utility

In this practice, you use the File Signature Verification utility (sigverif) to monitor and troubleshoot driver signing on your system.

Exercise 1: Using the Signature Verification Utility

  1. Click Start, point to Run, type sigverif and then press Enter.

    The File Signature Verification dialog box appears.

  2. Click Advanced.

    The Advanced File Signature Verification Settings dialog box appears with the Search tab active. Notice that, by default, you are notified if any system files are not signed. Notice also that you can select Look For Other Files That Are Not Digitally Signed. This setting has the File Signature Verification utility verify nonsystem files to see whether they are digitally signed. If you select this option, you can specify the search parameters for the files you want checked.

  3. Leave the default setting Notify Me If Any System Files Are Not Signed selected, and then click the Logging tab.

    Notice that, by default, the File Signature Verification utility saves the file signature verification to a log file, named Sigverif.txt.

  4. Leave the default settings and click OK to close the Advanced File Signature Verification Settings dialog box.
  5. Click Start.

    When the File Signature Verification utility completes its check, a Signature Verification Results window appears if there are files that are not signed. Otherwise you see a message box telling you that your files have been scanned and verified as being digitally signed.

  6. If you get a Signature Verification Results window, review the results and then click Close to close the Signature Verification Results window. Otherwise, click OK to close the message box.
  7. Click Close to exit the File Signature Verification utility.

Lesson Summary

In this lesson, you learned about the two utilities that verify the digital signatures of system files. One is a command-line utility, System File Checker (SFC). It has a number of optional parameters that let you control how and when it will run. The second utility is a Windows utility, File Signature Verification (sigverif). You practiced monitoring and troubleshooting digital signatures using the sigverif utility.



MCSE Training Kit(c) Microsoft Windows 2000 Accelerated 2000
MCSE Training Kit(c) Microsoft Windows 2000 Accelerated 2000
ISBN: N/A
EAN: N/A
Year: 2004
Pages: 244

flylib.com © 2008-2017.
If you may any questions please contact us: flylib@qtcs.net