I classified this as Windows 7 since Chris from this week’s 6292 class was asking about its use, so here it goes. It can also be used on any OS from Vista / Server 2008 and up!
The contents below have been taken from a few sources, most notably this TechNet document.
Device installation
A device is a piece of hardware with which Windows interacts to perform some function. Windows can communicate with a device only by using a piece of software called a device driver. Device and device driver installation in Windows Vista and Windows Server 2008 operate as shown in the following diagram. "PnP" in the diagram refers to the Plug and Play service running in Windows. If any of the described security checks fail, or if Windows cannot find an appropriate device driver package, then the process stops.
Now, how can we use PnPUtil to add drivers in that step #3?
Steps for staging a device driver package in the driver store
Staging a device driver package in the driver store on the client computer ensures the smoothest user experience. After the signed driver package is in the driver store, Windows considers the package trusted. As long as you do not have a device installation restriction policy in effect for a specific device, the user can simply plug in the device and Windows silently installs the device driver.
Windows includes a tool called PnPUtil that you can use to manage the driver store, including adding driver packages, removing driver packages, and listing the driver packages that are in the store.
Important
You can only run the PnPUtil tool from a command prompt that is running with elevated permissions. The tool cannot invoke the User Account Control dialog box. If you attempt to use the PnPUtil tool to add or remove packages from a command prompt that is not running as administrator, the command will fail.
Steps Outline: staging a device driver package in the driver store
Step 1: Attempt to stage an unsigned driver package
Step 2: Attempt to stage a signed, but improperly modified driver package
Step 3: Attempt to stage the properly signed driver package.
Step 4: Test installation of the staged driver package.
Step 1: Attempt to stage an unsigned driver package
Windows interrupts an attempt to install an improperly signed driver package.
To attempt staging of an unsigned driver package
- At the Build Environment command prompt with elevated permissions, temporarily rename the .cat file to effectively remove the signature from the driver package. Type the following command:
    ren toaster.cat toaster.nosig
- Attempt to stage the unsigned package. At the command prompt running with elevated permissions, type the command:
    pnputil.exe -a toastpkg.inf
  The Windows Security dialog box appears because the .inf file is not signed. Windows cannot match it against the certificates that are trusted by the computer.
- Click Don’t Install.
  The PnPUtil tool indicates that the staging operation failed:
    Adding the driver package failed : A file could not be verified because it does not have an associated catalog signed via Authenticode(tm).
    Adding at least one driver package failed!
- Rename the catalog file back to its correct name. At the command prompt, type:
    ren toaster.nosig toaster.cat
Step 2: Attempt to stage a signed, but improperly modified driver package
Windows will also interrupt an attempt to install a driver package that has been modified after it was signed. Because the signature includes thumbprints for each file, making a change to any of the files in the package causes the validity check for the signature to fail.
To attempt staging a signed, but modified driver package
- Save a copy of the correct toastpkg.inf file. At the command prompt, type:
    copy toastpkg.inf toastpkg.orig
- Modify toastpkg.inf so that its thumbprint is no longer valid. Open it in Notepad:
    notepad toastpkg.inf
- With the cursor at the very beginning of the file, press Enter to add a blank line, and then save your changes and close Notepad.
- Attempt to stage the modified package. At the command prompt, type:
    pnputil.exe -a toastpkg.inf
  Because the package was modified after being signed, the Windows Security dialog box appears, warning you that the signature is invalid.
- Click Don’t Install.
- Overwrite the modified .inf with the original. At the command prompt, type:
    copy /y toastpkg.orig toastpkg.inf
Step 3: Attempt to stage the properly signed driver package
To attempt staging a properly signed package
- Attempt to stage the package. At the command prompt, type:
    pnputil.exe -a toastpkg.inf
  Because the signature attached to the package is valid, the files are unmodified, and the file thumbprints match the signature, Windows successfully stages the package, with no prompts. The output includes the published name with the OEM number that you can use to remove the driver package from the store later, if needed.
- Make note of the number assigned to your package.
    Processing inf : toastpkg.inf
    Driver Package added successfully.
    Published name : oem4.inf
Note
The number assigned to your package might be different due to the number of driver packages that are already installed on your computer.
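Steps 1 to 3 can be wrapped in one script that refuses to stage a package whose catalog is missing or not validly signed, and that captures the published name on success. This is an added example, not part of the TechNet walkthrough; the function names are made up here, and it assumes English pnputil output and the toaster sample file names used above.

```powershell
# Added example: pre-check the catalog, stage the package, capture the published name.
# Run from an elevated prompt; default file names are the toaster sample used on this page.
param(
    [string]$InfPath = '.\toastpkg.inf',
    [string]$CatPath = '.\toaster.cat'
)

function Test-CatalogSignature {
    param([string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) {
        # Step 1 case: the .cat is missing or renamed, so the package is unsigned.
        return 'CatalogMissing'
    }
    # Validates the Authenticode signature on the catalog file itself.
    # It does not compare the package files with the thumbprints in the catalog
    # (the Step 2 case); Windows still performs that check during staging.
    return (Get-AuthenticodeSignature -FilePath $Path).Status.ToString()
}

function Get-PublishedName {
    param([string[]]$PnpUtilOutput)
    # Assumes English output in the "Published name : oemN.inf" form shown on this page.
    foreach ($line in $PnpUtilOutput) {
        if ($line -match 'Published name\s*:\s*(oem\d+\.inf)') { return $Matches[1] }
    }
    return $null
}

$status = Test-CatalogSignature -Path $CatPath
if ($status -ne 'Valid') {
    Write-Error "Catalog status is '$status'; not staging $InfPath."
    exit 1
}

$output = & pnputil.exe -a $InfPath 2>&1 | ForEach-Object { "$_" }
$published = Get-PublishedName -PnpUtilOutput $output
if (-not $published) {
    Write-Error ("Staging failed:`n" + ($output -join "`n"))
    exit 1
}
Write-Output "Staged $InfPath as $published (remove later with: pnputil.exe -d $published)"
```

A catalog signed with a test certificate reports Valid only on machines where that certificate is already trusted.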
You can view the package in the store by running the PnPUtil tool with the -e (for ‘enumerate’) parameter.
To examine the package in the driver store
- At the command prompt, type:
    pnputil.exe -e
- Look for the package with your OEM## listed in the output. Make note of this number because you might need it later. You can also see the version number and date that you entered in the .inf file.
    Published name : oem4.inf
    Driver package provider : Toast´R´Us
    Class : Unknown driver class
    Driver version and date : 04/01/2006 9.9.9.9
    Signer name : MyCompany - for test use only
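The enumeration output is easier to audit as objects than as text. The following added example (not from the TechNet document) parses records in the format shown above and lists packages whose signer is not on an allow-list; the allow-list, the function name and the oem0.inf record are constructed for illustration.

```powershell
# Added example: turn "pnputil.exe -e" text into objects and flag unexpected signers.
function ConvertFrom-PnpUtilEnum {
    param([string[]]$Lines)
    $records = @()
    $current = $null
    foreach ($line in $Lines) {
        # Each field is "Key : Value"; banner and blank lines have no colon.
        if ($line -notmatch '^\s*([^:]+?)\s*:\s*(.*?)\s*$') { continue }
        $key, $value = $Matches[1], $Matches[2]
        if ($key -eq 'Published name') {
            # A "Published name" line starts the next package record.
            if ($null -ne $current) { $records += New-Object psobject -Property $current }
            $current = @{}
        }
        if ($null -ne $current) { $current[$key] = $value }
    }
    if ($null -ne $current) { $records += New-Object psobject -Property $current }
    return $records
}

# Hypothetical allow-list; replace with the signers your organization expects.
$allowedSigners = @('Microsoft Windows Hardware Compatibility Publisher')

# Constructed sample: the record from this page plus one made-up package.
# On a real machine use: $lines = & pnputil.exe -e
$lines = @'
Microsoft PnP Utility

Published name : oem0.inf
Driver package provider : Contoso
Class : Printers
Driver version and date : 01/15/2009 1.0.0.0
Signer name : Microsoft Windows Hardware Compatibility Publisher

Published name : oem4.inf
Driver package provider : Toast´R´Us
Class : Unknown driver class
Driver version and date : 04/01/2006 9.9.9.9
Signer name : MyCompany - for test use only
'@ -split "`r?`n"

ConvertFrom-PnpUtilEnum -Lines $lines |
    Where-Object { $allowedSigners -notcontains $_.'Signer name' } |
    Select-Object 'Published name', 'Driver package provider', 'Signer name'
```

With the sample input, only the test-signed oem4.inf package is listed.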