Getting your unprivileged drivers and services to work

Currently, you need a privileged cerificate to get your driver or service to load at boot-time, even on Pocket PC 2005 or on a one-tier Smartphone.

The reason for this inconsistency is that at early boot time, the device hasn't yet finished processing the configuration information. The security policies might still be queued to change, so the device must assume it is in the most secure configuration. So we assume we're in two-tier mode, meaning your driver will load as unprivileged if it's unsigned or signed with an unprivileged cert. Since device.exe and services.exe are privileged, they won't be able to load your binary.

But there is a workaround!

If you can delay the loading of your driver or service until the device has booted, then the security model will be totally initialized. This means your code will run as trusted, so it will load fine. One way to do that would be to put a program in the startup folder that loads your service/driver.

This workaround is only applicable on devices where your code will be able to run fully trusted. (typical Pocket PC devices, or Smartphones configured as one-tier) To distribute a driver or service for a typical two-tier Smartphone, you will still need a real privileged development certificate.

Comments (12)

  1. William Gunaratne says:

    So by using the priviledged test certificate included with the CE5 SDK, our application can be configured to replace the WM shell?

  2. Rob says:

    What is the method of loading for the workaround (loadlibrary or RegisterDevice)?

    I have an i-mate jasjar (ppc?) which exhibits two-tier behavior but I think it’s a PPC so it should be a one-tier.

    A couple of other devices I have exhibit no-tier behavior because my unsigned device driver is loaded at boot time. One of these, I can call RegisterDevice without rebooting the device.

    Do you have an example of the workaround?

  3. scyost says:

    To load a after the boot process you’d just call ActivateDevice() or ActivateService().

    The "no-tier" behavior you describe should only happen on PPC 2003 – I can’t think of a way you could see that behavior on the 2005 OS.

  4. Ajay Agrawal says:

    I could not load my NDIS driver the way you mentioned neither on WM5.0 emulator nor on HP Pocket PC device.

    I think it is as simple as calling ActivateDevice() to load the driver, but it does not work.


  5. ramond says:

    In my experience ActivateDevice fails with a 2 (FILE_NOT_FOUND) if there isnt enough memory available to device.exe to load the driver. Since we cant load the driver at boot each I think we are now stuck.

  6. So you have a DLL that you’ve written for services.exe and it’s not loading?  The list below deal…

  7. So you have a DLL that you’ve written for services.exe and it’s not loading? The list below deal with

  8. Kenny Goers says:

    I’ve seen a number of issues where the Notification API fails to run a program at start up and generates an error, especially for unsigned applications or even signed apps with a certificate installed.  

    Could this be related?

  9. KRushna says:

    Hi scott,

    Your blog is informative. I am too facing the same problem and stuck up in between. I have created service dll by implementing XXX_init and XXX_IOCTL functions. I am registering in in setup.dll install_Exit function.

    when I try to install the cab it is showing messagebox that is placed in install_Exit function but not showing the message boxes that is placed in XXX_init function of service.dll

    I think service.exe is not loading the dll? after reading your article i came to know that my service dll has to has trusted dll. How to make my service dll  as trusted dll? can you please help me in that?



  10. tommyclee says:

    I am trying to load my NDIS51 IM Driver on VerizonWireless XV6700 PDA at Boot Time. I have not succeeded in this loading work yet. I build my driver using the VS2006/WM5SDKPPC IDE. Following are my driver project configuration and the XV6700 Registry settings:

    Project Configuration



    Debugging->Remote Executable – %CSIDL_PROGRAM_FILES%cttunimcttunim.dll

    Deployment->Deployment Device – Windows Mobile 5.0 Pocket PC Device

    Deployment->Remote Directory – Windows


    Build Events – all three events are empty now


    Authenticode Signature – Yes

    Certificate – SHA-1 Hash=1049B790EDA3C369E9C206B44AF16B2657CC1555

    Provision Device – No

    XV6700 Registry Settings















    00001001=1 ; changed from 2




    I successfully installed my with only SDKSamplePrivDeveloper.pfx in it. The "RapiConfig /p CertStoreQuery.xml" can confirm the installation success.

    I hope you would tell me why my loading process still has problem.

    I will be very much grateful to have your comment on my work.


  11. Irepitan says:


    I am trying to make my service to run even if the device is at sleep mode, (as a matter of fact that is one of the reasons i maded it as a service) but one it goes to sleep mode the timer won’t work, when i get back from idle then the service will work again, is there any Registry value i need to set?, os something i need to program on my service DLL?

  12. Roger says:

    Problem related ActivateService() on WM6.1

    Hi, All.

    I want to activate my unprivileged service when system start up. So I writed a small startup progrom to load coredll.dll, get ActivateService() address, then use this function.  And I put the shortchut to windowswindowsstartup.

    This method works fine on WM5 devices andd most of wm6.1 devices. But on HTC Diamond(WM6.1), it may cause services.exe crash.  The reason may be function ActivateServices() is used by sytem when I try to use it.

    After search in internet,  I got another method that use services.exe command line to activate service. I tried but nothing happend.

    if the services registry info is :








    how to activate by using services.exe command line?

Skip to main content