How do i manually deploy or register a Windows filter driver?
Warning: There's a lot of "proof of research effort" ahead. You don't have to read any more if you don't want to. I just point out, in detail, that i've tried what you're supposed to, i've tried what MSDN says, and i've tried everything anyone anywhere on the Internet has ever suggested.
tl;dr: What's the intended way?
Background
I'm testing deploying a 64-bit driver developed in Visual Studio 2013 to a 64-bit Windows machine. I want to register the driver service with Windows, and start it.
What have you tried
Visual Studio 2013 Driver Deployment feature
Ideally you would use the Visual Studio's capability to automatically deploy to a remote machine. Unfortunately it just doesn't work ("An extended error has occurred")
Using the Add New Hardware Wizard
Ideally you would use the Windows Add New Hardware Wizard (see the MSDN page Using the Add Hardware Wizard to Install a Driver Package). Fortunately, starting with Windows 7, Microsoft removed the Add New Hardware Wizard from the Control Panel; requiring you to manually run Hdwwiz.exe from an elevated command prompt. Unfortunately you cannot use the Add New Hardware Wizard to install a driver package, because the Add New Hardware Wizard only works with hardware (i.e. it doesn't work for filter drivers):
The wizard knows this, so doesn't offer to let you install any driver services.
SC Command line utility
Ideally you would register the driver service manually with the Service Control Manager with the sc.exe tool from an elevated command prompt:
>sc create MyDriver binPath="C:\Drop\Driver\MyDriver.sys" type=kernel
>[SC] CreateService SUCCESS
Unfortunately, even with a valid digital signature on the driver file:
Windows will refuse to install the driver:
OSR's Driver Loader Utility
Ideally one would use OSR's Driver Loader utility. But even with a validly digitally signed driver file, the driver will not install:
.INF setup file
Ideally you would deploy the Driver Package and install it by installing from the .inf. Then i could just right-click the INF, select Install. But it just doesn't work - it doesn't register any new driver service.
.INF setup with DefaultInstall section
Ideally you would just use a .INF file with a DefaultInstall section. Windows would just execute the DefaultInstall section. Unfortunately, MSDN warns that you're not allowed to use that for drivers:
Note: The INF file of a driver package must not contain an INF DefaultInstall section
The reason you can't do it is because DefaultInstall has no AddService directive. Even if we ignore the warning and try anyway it just doesn't work - it doesn't register any new driver service.
.INF setup with DefaultInstall.Services section
While MSDN warns you against using DefaultInstall to register driver services, we can ignore them and use the [DefaultInstall.Services] section. Fortunately, it actually tries to install the driver service:
but Windows then claims the driver is unsigned:
no driver service is actually registered.
SetupAPI InstallHinfSection function
Ideally i could use the SetupAPI to run the command line equivalent of the above:
>RUNDLL32.EXE SETUPAPI.DLL,InstallHinfSection DefaultInstall 132 C:\Drop\Driver\ipfw.inf
Except the driver doesn't install. The function returns successfully; but Windows thinks the driver is unsigned:
Use BCDEDIT to enable TESTSIGNING
Ideally i would follow the instructions from The TESTSIGNING Boot Configuration Option, which says to run from an elevated command prompt:
>Bcdedit.exe -set TESTSIGNING ON
Except that fails with the error:
>Bcdedit.exe -set TESTSIGNING ON
An error has occurred setting the element data.
The value is protected by Secure Boot policy and cannot be modified or deleted.
Use BCDEDIT to turn DEBUG on
Ideally i would follow the instructions on Installing an Unsigned Driver during Development and Test, which says to run from an elevated command prompt:
>bcdedit -debug on
Except that fails with an error:
>bcdedit -debug on
An error occurred while attempting to modify the debugger settings.
The value is protected by Secure Boot policy and cannot be modified or deleted.
Use advanced recovery options to disable driver signing enforcement
Ideally i would use the advanced recovery options to disable driver signature enforcement:
Except after Windows starts driver signing is still enabled:
Disable SecureBoot in the BIOS
Ideally in this virtual Hyper-V computer i would disable SecureBoot in its virtual BIOS:
and then try disabling the driver signing policy.
And oh my god three days on this. I'd like someone from Microsoft to explain:
- not only the correct way to test drivers during development
- but to explain, in detail, why each of the above attempts failed
What's the proper way
Rather than me trying random things, over, and over (and over, and over. And over), what is the right way to install a filter driver service?
Bonus Question
Why does Microsoft refuse to make life easier for developers?
Bonus Chatter
The driver file is signed with a valid, trusted, certificate.
The certificate that signs the .sys driver file is also located in the Local Machine Trusted Root Certificates store:
That is why the driver file's signature is valid and trusted.
A throwaway comment on a random page on MSDN says that test certificates must be added to two locations in the local machine store:
The test certificates that are used to embed signatures in driver files and to sign a driver package's catalog file must be added to
Which explains why i added the certificate to another store:
Windows 10 Technical Preview, 64-bit
Bonus Reading
- Using the Add Hardware Wizard to Install a Driver Package
- Using an INF File to Install a File System Filter Driver
- Using an INF File to Uninstall a File System Filter Driver
- Writing a Device Installation Application
- INF DefaultInstall Section
- Installing Test Certificates
- Installing a Test Certificate on a Test Computer
- Using CertMgr to Install Test Certificates on a Test Computer
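
A read-only pre-flight report of the state the attempts above depend on (Secure Boot, the TESTSIGNING and DEBUG boot options, the driver file's signature, and whether the driver service is registered). This is an added PowerShell example, not part of the original post; the default path and service name are the ones from the post's sc.exe command, and the function names are made up for illustration.

```powershell
# Added example: run from an elevated PowerShell prompt. It changes nothing.
param(
    [string]$DriverPath  = 'C:\Drop\Driver\MyDriver.sys',  # path from the post
    [string]$ServiceName = 'MyDriver'                      # name from the post
)

function Get-SecureBootState {
    # Confirm-SecureBootUEFI returns $true/$false on UEFI machines and throws
    # on legacy-BIOS machines or when the prompt is not elevated.
    try {
        if (Confirm-SecureBootUEFI) { 'Enabled' } else { 'Disabled' }
    } catch {
        "Unknown ($($_.Exception.Message))"
    }
}

function Get-BcdFlag {
    param([string[]]$BcdText, [string]$Name)
    # bcdedit prints "name    value"; an element that was never set is absent.
    foreach ($line in $BcdText) {
        if ($line -match "^\s*$Name\s+(\S+)") { return $Matches[1] }
    }
    'not set'
}

# Boot options of the running OS entry, as text lines.
$bcd = & bcdedit.exe /enum '{current}' 2>&1 | ForEach-Object { "$_" }

# Authenticode verdict for the driver file, if it exists.
$sig = if (Test-Path -LiteralPath $DriverPath) {
    Get-AuthenticodeSignature -FilePath $DriverPath
} else { $null }

# Kernel driver services are exposed through Win32_SystemDriver.
$svc = Get-CimInstance Win32_SystemDriver -Filter "Name='$ServiceName'" `
           -ErrorAction SilentlyContinue

[pscustomobject]@{
    SecureBoot      = Get-SecureBootState
    TestSigning     = Get-BcdFlag -BcdText $bcd -Name 'testsigning'
    KernelDebug     = Get-BcdFlag -BcdText $bcd -Name 'debug'
    SignatureStatus = if ($sig) { "$($sig.Status)" } else { 'file not found' }
    Signer          = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
    ServiceState    = if ($svc) { "$($svc.State) / $($svc.StartMode)" } else { 'not registered' }
} | Format-List
```

The SignatureStatus value is the user-mode Authenticode verdict from Get-AuthenticodeSignature; the kernel's load-time signature check is a separate policy, so a Valid status here does not by itself show that the driver will load.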