Install/update driver from Windows service


Question

To install a driver, you typically send the command:

DefaultInstall 128 {inf path}

to the InstallHinfSection via direct call or RunDLL.

This works wonderfully. I can install my driver anywhere (including 64-bit Win 2008 R2, which means I've got all the code signing right too).

HOWEVER, the above fails when launched from a Windows service. I've read about service vs client installs, and hoped I had met all the requirements for a silent service install (built a .CAT file, it is signed along with the driver, etc).

But no dice - it just fails. Comparing the errors in SetupAPI.log between an interactive install and the install from the service doesn't show any differences (other than the interactive takes the steps of copying the driver file and succeeds, where the other doesn't).

The driver itself is not in use (my service is the only one that uses it). Is there ANY way for a service to silently update a driver without requiring user interaction?
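
The SetupAPI log comparison mentioned in the question can be scripted. The following is an added example, not code from the original post: it assumes the Vista-and-later SetupAPI text-log layout (section headers starting with ">>>", warnings and errors prefixed "!" and "!!!"), and the sample log lines, paths and the exit-status placeholder are constructed.

```python
import re

# Constructed sample logs (not from the original post). Assumption: the
# Vista-and-later SetupAPI text-log layout; paths and messages are made up.
INTERACTIVE = r"""
>>>  [InstallHinfSection - DefaultInstall]
>>>  Section start 2010/03/01 10:15:02.117
     inf: Opened INF: 'C:\drv\sample.inf'
!    sig: Catalog 'sample.cat' checked
     flq: Copying 'C:\drv\sample.sys' to 'C:\Windows\System32\drivers\sample.sys'
<<<  Section end 2010/03/01 10:15:03.482
<<<  [Exit status: SUCCESS]
"""
FROM_SERVICE = r"""
>>>  [InstallHinfSection - DefaultInstall]
>>>  Section start 2010/03/01 11:40:27.903
     inf: Opened INF: 'C:\drv\sample.inf'
!    sig: Catalog 'sample.cat' checked
<<<  Section end 2010/03/01 11:40:27.950
<<<  [Exit status: FAILURE(0xNNNNNNNN)]
"""

HEADER = re.compile(r"^>>>\s+\[(.*)\]\s*$")
STATUS = re.compile(r"^<<<\s+\[Exit status:\s*([^\]]+)\]")
ENTRY = re.compile(r"^(!!!|!)?\s+(\w+):\s*(.*)$")

def parse_sections(text):
    """Split a log into sections; entries are (severity, category, shape),
    where shape is the message with quoted paths and numbers masked."""
    sections, cur = [], None
    for line in text.splitlines():
        if m := HEADER.match(line):
            cur = {"title": m[1], "status": None, "entries": []}
            sections.append(cur)
        elif cur and (m := STATUS.match(line)):
            cur["status"] = m[1].strip()
        elif cur and (m := ENTRY.match(line)):
            shape = re.sub(r"'[^']*'|\d+", "*", m[3])
            cur["entries"].append((m[1] or "", m[2], shape))
    return sections

def compare_runs(good_text, bad_text):
    """Report how the last section of each run differs."""
    good, bad = parse_sections(good_text)[-1], parse_sections(bad_text)[-1]
    return {
        "status": (good["status"], bad["status"]),
        "only_in_good": [e for e in good["entries"] if e not in bad["entries"]],
        "only_in_bad": [e for e in bad["entries"] if e not in good["entries"]],
        "flagged_in_bad": [e for e in bad["entries"] if e[0]],
    }
```

Calling compare_runs(INTERACTIVE, FROM_SERVICE) on the constructed logs lists the file-copy step as the only entry missing from the service run, which is the pattern the question describes.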

Recommended answer

I called Microsoft and discussed this with a support engineer.

Turns out that using DefaultInstall with InstallHinfSection is somewhat obsolete, but still works. And it just happens to work without prompting the user if the driver is signed by a certificate that they recognize because DefaultInstall is 'dumb'. Yet the driver itself is still allowed to launch because it's cross-signed with the Microsoft cert. A nice little loop-hole I guess. The trick is it has to be installed by a service that is set to Interact with Desktop (a requirement). Using something like PsExec or RemCom is a way to do this if your service isn't currently running in that way.

In the future, this might not continue to work. At that point, get the driver's .cat file into the Windows\System32\Catroot{F7... folder but it can't just be copied directly in -- there is an API.

If the .cat was put in first, then the driver theoretically shouldn't need to prompt to ask if the certificate for the driver is acceptable to the user, because catroot is the 'acceptable to the user' list of certs and drivers.

Also, having the catalog file installed before attempting the driver install might help since the catalog contains the security certificate that the driver will present (though not necessarily in this case -- but it might help in the future, and possibly with Win 2003).

Basically the support engineer was surprised this worked at all and we went around and around on how it might be working... Hopefully this helps someone else.
