Driver Signing changes between Windows XP and Vista...

  • Article

In XP the driver rankings were determined in the following way as discussed in the "Windows Vista Resource Kit":

  1. In-box drivers are given first preference.
  2. Windows Hardware Quality Labs (WHQL) signed drivers next.
  3. Unsigned drivers are given lowest preference.

In Vista this algorithm was extended to include eight levels of digital signing:

  1. Microsoft signed WHQL Certified Drivers.
  2. Microsoft signed in-box drivers (NT Build Lab Certified).
  3. Microsoft signed Windows Sustained Engineering Certified drivers.
  4. Drivers that have been signed using Authenticode (Enterprise CA).
  5. Drivers that have been signed using Authenticode (Class 3 CA Certified).
  6. Drivers that have been signed using Authenticode (MAKECERT.EXE Certified).
  7. Microsoft signed WHQL Certified drivers for a down level Windows Operating system.
  8. Unsigned Drivers.

This behavior is illustrated in setupapi.dev.log when determining which driver to install for a device. Further considerations for which version of a driver should be installed for a particular device is:

  • How closely the PNPID of the device matches the PNPID of the driver.
  • How recent the driver is compared to other suitable drivers.
  • The driver version.
  • According to this link, we also use driver feature to help rank a driver for best match.

(Note: Date and Version are only considered if every other aspect of the driver rank is equal. Setup assigns the best signature score (lowest signature score value) to drivers that have a Microsoft signature for Windows Vista. All Microsoft signatures are assigned this best signature score. All else being equal in a driver rank, Setup will select the driver that is the best match from among those that have a Microsoft signature for Windows Vista.)

Knowing these algorithms can help you troubleshoot device driver issues regardless of how the driver was installed (i.e. in-box, third party). The best source of data for which driver was chosen as the "best match" is by reading the setupapi.dev.log file.

A good article on troubleshooting using the setupapi.dev.log can be found here:
https://download.microsoft.com/download/e/b/a/eba1050f-a31d-436b-9281-92cdfeae4b45/SetupAPILog.doc

Best Regards,
Chris Taylor