Fully unattended win7 x64 install with integrated (not injected) unsigned drivers...

...i have a tested and working solution for RTM, but need help with SP1, skip to second post for disabling driver signing checking, and third for my question

First we integrate drivers so that they can be still used manually or with dpinst tool directly from dvd, in 3 different ways (preferably second):

METHOD 1 (vista/2008 without sp1 or sp2)

dism boot critical drivers (chipset, storage and lan) into boot.wim (2nd index), they are passed along to windows too

injected drivers are automaticaly expanded within image, and duplicates are made if there are more than one .inf files per folder (or .inf contains multiple entries), so if you add too many of them the image may not fit back on a dvd/usb or you can actualy run out of ram when booting from it

mount image (must be writable first):
Dism /Mount-Wim /WimFile:C:\boot.wim /Index:2 /MountDir:C:\offline

remove old drivers (skip if first time):
Dism /Image:C:\offline /Remove-Driver /Driver:OEM1.inf /Driver:OEM2.inf ... /Driver:OEM99.inf
(how ever many there are third party drivers in C:\offline\Windows\Inf folder, you cant uninstall default ones)

inject all the drivers, including subfolders and unsigned ones:
Dism /Image:C:\offline /Add-Driver /Driver:C:\D /Recurse /ForceUnsigned

dismount image (and then replace boot.wim in sources folder):
Dism /Unmount-Wim /MountDir:C:\offline /Commit

create $OEM$\$$\Inf\D folder INSIDE sources folder and add all drivers there (dvd:\sources\$OEM$\$$\Inf\D), they get automaticaly copied to C:\Windows\Inf\D folder after install.wim expands, but before windows first boots (and it searches for drivers in inf folder on its own, including subfolders) - only needed ones get copied to windows driverstore, so you can safely delete D folder in dvd:\sources\$OEM$\$$\setup\scripts\setupcomplete.cmd batch



METHOD 2 (vista/2008 with integrated service pack, or 7 and 2008 R2):

winpe automaticaly searches all available drives for $WinPEDriver$ folder (not $WinPEDriverS$) in their roots, so copy boot critical drivers there (dvd:\$WinPEDriver$), they can be in subfolders too and are passed on to windows

you can still run out of memory, cause winpe keeps driverstore on ramdisk

if a driver fails to inject into boot.wim (as in first method) the setup will abort if you put it in $WinPEDriver$ folder, so i suggest that you test all of them with dism first (check C:\Windows\Logs\DISM\dism.log) and move the bad ones with the rest of non-boot critical to dvd:\sources\$OEM$\$$\Inf\D folder

winpe supports MSZIP/LZX cabbed drivers, but if one fails expand it first and then try again, and make sure you didnt remove any "unnesecary" files from it



METHOD 3 (takes too much time/space):

in the answer file for install.wim image, under Microsoft-Windows-Setup in WinPE pass just change UseConfigurationSet to true - now you have a system variable %configsetroot% which always points to the drive containing autounattend.xml in its root (doesnt necesseraly need to be the install drive)

add the %configsetroot%\your_drivers_path to Microsoft-Windows-PnpCustomizationWinPE as a device driver path, but mind the ram as always

ALL the files from %configsetroot% drive WILL be automaticaly copied to C:\Windows\configsetroot folder, but which can safely be deleted afterwards



batch file to makecab (with best compression) all the usual driver files (just not *.exe, for manuall install) left uncompressed in ALL subfolders under it - it deletes originals and writes a log file too (but use wordpad not notepad)

there must be NO spaces in folder names (files are ok), its a bug in makecab

Code:

echo %date% %time% > MakeCab.log

FOR /R %%i IN (*.bin;*.cpl;*.dat;*.dll;*.sys;*.vxd) DO MakeCab.exe /D CompressionType=LZX /D CompressionMemory=21 /L %%~dpi "%%i" >> MakeCab.log& DEL "%%i" /F /Q

batch file to expand all cabbed files in ALL subfolders under it, name them back to their original names and delete temp archives, writes log too

Code:

echo %date% %time% > Expand.log

FOR /R %%i IN (*.??_) DO Expand.exe -r "%%i" >> Expand.log& DEL "%%i" /F /Q

dpinst.ex_ file in some nvidia drivers is NOT cabbed but actualy just renamed, and expand just renames it too but not to its original name (so check the logs)

 

here is a fix for unsigned drivers in win7 x64 RTM ONLY (doesnt work in sp1 rc1, didnt test rc0 and beta), so you dont have to use f8 on every startup anymore AND you dont get test mode message on desktop (without even patching user32.dll or its mui)

Code:

fyyre.ivory-tower.de/projects/disable_pg_ds.rar

all credits go to fyyre, just follow his instructions, or use one of my alternative methods below:

1.) dont run 1.bat but manualy copy ntoskrnl.exe and winload.exe from windows\system32 to patch_temp folder (create it where you extracted the files), run 2.exe and 3.bat as normal and then this batch below (you skip the new f8 option this way)

Code:

SC.exe stop peauth
SC.exe config peauth start= demand

BCDEdit.exe /set {default} path \Windows\System32\osload.exe
BCDEdit.exe /set {default} kernel ntkrnlmp.exe
BCDEdit.exe /set {default} TESTSIGNING ON
BCDEdit.exe /set {default} NOINTEGRITYCHECKS ON
BCDEdit.exe /set {default} loadoptions DDISABLE_INTEGRITY_CHECKS

2.) do everything from above BUT dont run 3.bat and rename patched files to their original names, and run this batch instead:

Code:

SC.exe stop peauth
SC.exe config peauth start= demand

BCDEdit.exe /set {default} TESTSIGNING ON
BCDEdit.exe /set {default} NOINTEGRITYCHECKS ON
BCDEdit.exe /set {default} loadoptions DDISABLE_INTEGRITY_CHECKS

now overwrite original files with patched ones from dual boot, recovery console, livecd, usb boot... (when they are not in use)



UNATTENDED INSTALL:

add patched files from second alternative to dvd:\sources\$OEM$\$$\System32 folder (yes, they overwrite the originals)

boot store is automatically created during setup from windows\system32\config\bcd-template (no extension, its a registry hive) file inside install.wim (extract it with 7zip), and since {default} entry doesnt exist there yet - you just edit its {globalsettings} so that all new entries (guids, so cant guess) will inherit from that, and add it to dvd:\sources\$OEM$\$$\system32\config folder

BCDEdit /store C:\BCD-template /set {globalsettings} TestSigning On
BCDEdit /store C:\BCD-template /set {globalsettings} NoIntegrityChecks On
BCDEdit /store C:\BCD-template /set {globalsettings} loadoptions DDisable_Integrity_Checks
(i know the last command is not needed at all, and doesnt even work at that, its just nostalgia)

boot record must be changed prior to first restart or windows throws an unsigned security error for patched winload.exe so you cant even access f8 anymore, but in winpe pass it doesnt exist yet and offlineservicing pass doesnt support adding commands,
so this is the only method and we are going to do the same to SYSTEM (no extension, its a registry hive too) file in same folder, cause PEAUTH service needs to be stoped before first reboot also - or you get a BSOD and setup hangs and CANT be continued

extract it too, mount/open it as a "registry hive" (important) in any registry viewer/editor, go to CurentControlSet001/services/peauth and change "start" from 2 to 3 (hex or dec, nvm), do the same in CurentControlSet002 and now its on manuall (no need to disable it with 4), save SYSTEM back as "registry hive" (important) and put it together with BCD-Template in same folder

P.S. you can also add a edited bcd file from already installed windows to dvd:\sources\$OEM$\$1\Boot folder, just delete "Windows 7", "Windows Resume Application", "Windows Recovery Environment", "Ramdisk Options" to avoid duplicate entries



TIP: if you dont want to end up with a 100MB bitlocker partition (boot store is then in c:\boot), first create all the partitions you need in windows setup, then delete the one you wish to be C: and just EXPAND the hidden partition and install windows on it

i made a tutorial too on how to manually slipstream with dism (not reverse integrate) win7 sp1 rc1:

Code:

forums.mydigitallife.net/threads/22807-DVD-with-SP1-integrated-into-Windows-7?p=337159#post337159

 

now, i dont want to spam fyyre for a new patch (he's on twitter if somebody else doesnt have a problem with that ;-), but on his site is a very detailed step by step explanation on how he did it (which is beyond my scope), so maybe somebody more knowledgable and experienced here can expand on it?

but that is not my real question of course, i used microsofts test certificate kit, and made a batch to sign all usual driver files in ALL subdirectories under it (new signature is just added, not replaced, so already signed drivers with .cat files still pass verification - signtool.exe /c file.cat file.sys), with log file too

all you need then is just the first bcdedit command from batches in previous post to put windows in test signing mode, and a created .cer file for other computers (use ImportCert.bat from my attachement, or right click -> install certificate, but select "Trusted Root Certification Authorities" as store for it)

for unattended install just do the same with BCD-Template from last post (only first bcdedit command), and sysprep a image with the test certificate installed

P.S. now you have a working, and most importantly, completely legit workaround for driver signing enforcement - plus, test certificate lasts 30 years, and payed ones are valid for only 1 year ?! (old drivers ARE unsigned)

what i really want to know is this - how ELSE can you import a .cer file into windows before first reboot during setup? Can you export it as a .reg file? Or in any other way inject it in offline image, and does winpe pass on its certs?

(MakeCert.bat only once, ImportCert.bat once for that and every other computer, SignTool.bat to sign already EXPANDED usual driver files in all subdirectories under it - edit: removed .bin and .dat extensons from signing)

 

i already implied that in the title AND also the conclusion of the method, and using other drive than the install one is suggested too, so i really do not see the point of your reply - maybe i wasnt concise enough? anyway, here is something i DID forgot the mention about it:

in %configsetroot%\your_drivers_path keep only boot critical drivers, and in %configsetroot%\your_OTHER_drivers_path all the rest

now add the %configsetroot%\your_OTHER_drivers_path to Microsoft-Windows-PnpCustomizationNonWinPE as a device driver path, pay attention that Microsoft-Windows-PnpCustomizationWinPE goes in WinPE pass and Microsoft-Windows-PnpCustomizationNonWinPE in offlineServicing pass - also all drivers added to winpe get reflected automatically to windows too so no need for duplicates...

 

sorry, was little irritated that nobody still posted nothing helpful to me, that method is mentioned mostly for completenes sake anyway...

 

so... no one knows how to import a certificate into offline image? at least a reason why it cant be done? anything at all?

 

are you the same guy from driverpacks forum? if so, first check if the ghost image contains your drivers at all in windows\system32\driverstore folder - there is a setting in unattend.xml which deletes all device drivers after generalize pass (cant recall its name)

btw, do post your unattend.xml if you expect anyone to be able to see it (and be more specific/less vague if you want anyone to invest their time in helping you)...

 

only drivers for found hardver during setup are added to driverstore, so yes, you should have used pnp utility afterwards - but if you didnt delete windows\configsetroot folder then use ghost explorer and just move it to windows\inf folder inside image, thats it... (or simply add it the same way if you did delete it)