Microsoft does provide a way to enable SECDRV
on 64-bit Windows.
Install a game that brings (a recent version of) SECDRV.sys
.
Start the game. It should prompt for elevation. Elevate. It won't work, but you have to do it once.
If there is an error about insufficient permissions, launch the game explicitly as Administrator, either by right-clicking the shortcut and selecting Run as Administrator or by launching the game by typing the executables path and name from an elevated command prompt.
Dismiss all errors about things not working and quit the game. Also ignore and do not accept any changes suggested by Windows to run the game in compatibility mode or as Administrator or anything else. That might still be required for the game itself, it is not required for SECDRV to work besides running it elevated just once.
Install the Windows 10 SDK from Get the standalone Windows 10 SDK.
Just install all components.
Start PowerShell as an administrator.
Make sure you are on 64-bit Windows. Going through this guide on 32-bit Windows is pretty pointless - games should work without. SECDRV
just works on 32-bit Windows.
Find makecat.exe
, makecert.exe
and signtool.exe
and add the path to your PATH in System Properties, Environment Variables.
The ones in a x86 subfolder are always OK on all Intel architecture chips. No need to match the hardware or the OS bitness.
$SdkToolsPath = dir -Path "${env:ProgramFiles(x86)}\Windows Kits\10" -Recurse -Directory | where { $n = $_.FullName; $_.BaseName -eq "x86" -and [System.IO.File]::Exists("$n\makecert.exe") -and [System.IO.File]::Exists("$n\makecat.exe") -and [System.IO.File]::Exists("$n\signtool.exe") } | sort CreationTime | select -Last 1
$env:Path = "$env:Path;$($SdkToolsPath.FullName)"
Create a new folder in your Downloads folder
$WorkingDirectory = "$env:UserProfile\Downloads\SECDRV"
if (-not (Test-Path $WorkingDirectory)) { mkdir $WorkingDirectory | Out-Null }
Run all further commands in a PowerShell prompt as Administrator in the folder you created.
cd $WorkingDirectory
Copy SECDRV.sys
in it. Match your operating system bitness.
If it's an old version, replace it with this one downloadable here. Its from September 2006.
# Using curl (Windows 10 has it inbox)
curl.exe -OL https://github.com/ericwj/PsSecDrv/raw/master/tools/SECDRV/SECDRV.sys
# Using PowerShell or PowerShell Core
iwr -Uri https://github.com/ericwj/PsSecDrv/raw/master/tools/SECDRV/SECDRV.sys -OutFile SECDRV.sys
That one is 64-bit.
Check that you have the correct bitness:
$bytes = [System.IO.File]::ReadAllBytes("$PWD\SECDRV.sys")
[int]$pe = [System.Text.Encoding]::ASCII.GetString($bytes, 0, 1KB).IndexOf("PE`0`0")
$mc = [System.BitConverter]::ToUInt16($bytes, $pe + 4)
switch ($mc) { 0x8664 { "64-bit" } 0x014c { "32-bit" } default { "Unknown" } }
This is a very opportunistic way of reading the machine type in about as few lines as possible by simply finding the first occurrence of
PE\0\0
in the file. So use with caution.
The even more opportunistic way is to simply do type SECDRV.sys | more
, make sure the first two letters are MZ
and look for PE
usually all by itself on a line about a screen down of This program cannot be run in DOS mode.
and see if you can find L
or d
two lines down from it.
L
then the PE file is probably 32-bit (L
is 0x4c
in ASCII).d
then the PE file is probably 64-bit (d
is 0x64
in ASCII).
Enable test signing boot mode.
bcdedit /set "{current}" testsigning on
Pick a subject - any subject, but include the text "SECDRV" in it
$Subject = "SECDRV.sys Published by \\$env:ComputerName\$env:UserName on $("{0:yyyy-MM-dd HH:mm}" -f [datetimeoffset]::Now)"
Create a root certificate.
# try this
makecert -r -sr LocalMachine -ss My -n $Subject
# if it doesn't work, use this
makecert -r -sr LocalMachine -ss My -n "CN=$Subject"
Open Local Machine Certificates.
certlm.msc
Go to Personal, Certificates and select the certificate created, there usually is only one, or match the subject, right click Copy.
Go to Trusted Root Certification Authorities, Certificates. Paste.
Go to Trusted Publishers, Certificates. Paste.
Make a text file called SECDRV.cdf
in the folder and put the text between @" and "@ in it.
Set-Content -Path SECDRV.cdf -Value @"
[CatalogHeader]
Name=SECDRV.cat
PublicVersion=0x1
EncodingType=0x00010001
CATATTR1=0x10010001:OSAttr:2:6.0
[CatalogFiles]
<hash>SECDRV=SECDRV.sys
"@
Make a driver catalog file in the folder.
makecat -o SECDRV.txt -r SECDRV.cdf
Get the thumbprint of the certificate you created. The thumbprint is shown in certlm
for the certificate created, just double click it and look around, without spaces. Or get it in PowerShell with dir:
$Publishers = dir Cert:\LocalMachine\TrustedPublisher | where HasPrivateKey | sort NotAfter
$Publishers | select Thumbprint, NotBefore, NotAfter, Subject
$Publisher = $Publishers | select -Last 1
Sign the driver.
signtool sign /sm /s TrustedPublisher /sha1 "$($Publisher.Thumbprint)" /t http://timestamp.digicert.com secdrv.cat
If you get SignTool Error: No file digest algorithm specified. (...) use the /fd certHash option.
, run this instead
signtool sign /sm /s TrustedPublisher /sha1 "$($Publisher.Thumbprint)" /fd SHA256 /t http://timestamp.digicert.com secdrv.cat
Install the driver. This adds it to the driver catalog on your system, but does not copy files or create driver services.
signtool catdb /u secdrv.cat
Just to be sure, overwrite the SECDRV.sys
referred to by the kernel driver service with the exact version that you signed and installed.
sc.exe qc secdrv
If the output has something like \??\C:\Windows\system32\drivers\SECDRV.sys
, copy that path excluding \??\
and use it in the next command:
copy .\SECDRV.sys "C:\Windows\system32\drivers\SECDRV.sys"
Reboot.
Test if it works.
sc.exe start secdrv
If it doesn't work, check these reasons.
SECDRV.sys
is too old. Then the driver doesn't start. Right click it, hit Properties, go to Details and check Product version. It contains a date as a string. If you downloaded it from the link above, the version is "SECURITY Driver 4.03.086 2006/09/13".SECDRV.sys
is 32-bit and your Windows is 64-bit. Download SECDRV.sys
from the link given.SECDRV.sys
is 64-bit and your Windows is 32-bit. Then don't download the driver from the link given, but use whichever version came with the game you installed. Also you shouldn't have started following this guide in the first place.SECDRV
as Administrator. The driver might not be installed and the driver services might not be present until you have tried this.bcdedit
again after disabling it.Now play games.