Smartcards and smartcard-aware applications using application-level commands (APDUs) are older than Windows and worked very well in the past, until Microsoft suddenly decided that a smartcard shouldn’t be handled directly by the applications anymore, and introduced the concept of smartcard driver software (ICC Service Provider within the PC/SC framework). This issue sometimes occurs with our products in the SpringCard CSB6 family (CSB6, Prox’N’Roll PC/SC, EasyFinger and CrazyWriter) and our NFC readers/encoders (H512, NFC’Roll).
With Windows Seven, Microsoft goes one step further and mandates that every smartcard has its own driver (a ‘minidriver’ actually, i.e. a DLL running in user mode and not a SYS binary running in kernel mode). Every time you put a smartcard on a contactless reader, or in a contact reader, the system tries to locate the appropriate driver, and this generally ends up with a red mark in the tray bar and this annoying message: “Device driver software was not successfully installed. Click here for details.” Luckily, smartcard-aware applications keep on working as usual on top of the PC/SC API, thanks to the classical SCardConnect / SCardTransmit function calls.
According to Microsoft, smartcard issuers should provide a minidriver for their cards. The point is, the ICC Service Provider architecture is meaningful to let security-sensitive applications access security features (digital signature, secure login) in an interoperable and high-level way, but it appears useless in other cases, when one single piece of software has to communicate with a single smartcard. And this is the case in 99% of the systems using contactless smartcards or contactless memory cards.
A technical article has been published in the Microsoft Knowledge Base (http://support.microsoft.com/kb/976832/en-us) giving different solutions to prevent the system from looking for a driver and issuing the warning message. In this article we detail two solutions:
- The 1st solution is to disable the Smart Card PnP feature through a Group Policy. The side effect is that there’s no choice but to disable this feature for every card, not only for the ones that do not have a minidriver.
- The 2nd solution is to write in the system registry the list of cards that will not have a minidriver. In this article we do this through a small utility that makes it easier than entering the required lines in the registry one after the other.
Using a Group Policy to disable the smartcard PnP feature
Just follow these five steps:
- Run MMC.exe (Microsoft Management Console)
- Add Group Policy snap-in to the console
- Open Local Computer
- Browse to Policy\Computer Configuration\Windows Settings\Administrative Templates\Windows Components\Smart Card
- Disable Turn On Smart Card Plug And Play Services.
Command-line utility to selectively disable some smartcard minidrivers
The principle is to register in the system registry the ATRs of every smartcard we don’t want to go through the PnP feature, and to associate them with a dummy minidriver.
Here’s the technical part (details are to be found in MS’ reference article, http://support.microsoft.com/kb/976832/en-us):
- Create a branch under HKLM\Software\Microsoft\Cryptography\Calais\Smartcards, and name the branch with any clever name that describes the related smartcard
- In this branch create a REG_BINARY entry named ATR in which you put the smartcard’s ATR
- Create a REG_SZ entry named Crypto Provider and put the value $DisableSCPnP$ in it.
You may also add a REG_BINARY entry named ATRMask to associate this entry with more than one ATR. In the ATRMask, bits set to 1 mean that the corresponding bits in the ATR are relevant, and bits set to 0 act as wildcards.
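As an added example (neither the SpringCard utility nor Microsoft’s KB sample), the following Python script writes a regedit-importable .reg file for one such entry and implements the ATRMask wildcard rule so you can check which ATRs an entry covers before importing it. The ATR and mask are constructed sample values, and the rule that card ATR, entry ATR and mask must have the same length is an assumption of this example.

```python
# Added example (not SpringCard's utility nor Microsoft's KB sample): builds a
# .reg file for one "no minidriver" entry and checks the ATRMask wildcard rule.
from typing import Optional

CALAIS = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Calais\SmartCards"

def parse_hex(text: str) -> bytes:
    """Accept '3B 8F 80 01', '3b8f8001' or '3b:8f:80:01'."""
    digits = "".join(ch for ch in text if ch not in " :-")
    if len(digits) % 2:
        raise ValueError("odd number of hex digits in ATR")
    return bytes.fromhex(digits)

def atr_matches(card_atr: bytes, entry_atr: bytes,
                entry_mask: Optional[bytes] = None) -> bool:
    """ATRMask rule from the KB article: a 1 bit means the ATR bit must match,
    a 0 bit is a wildcard. No mask behaves like an all-ones mask. Equal lengths
    are required (assumption made by this example)."""
    if entry_mask is None:
        entry_mask = b"\xff" * len(entry_atr)
    if len(card_atr) != len(entry_atr) or len(entry_mask) != len(entry_atr):
        return False
    return all((c & m) == (e & m)
               for c, e, m in zip(card_atr, entry_atr, entry_mask))

def reg_file(name: str, atr: bytes, mask: Optional[bytes] = None) -> str:
    """Text of a .reg file creating the branch, the ATR, the optional ATRMask
    and Crypto Provider=$DisableSCPnP$, as the article describes."""
    hexlist = lambda b: ",".join(f"{x:02x}" for x in b)
    lines = ["Windows Registry Editor Version 5.00", "",
             f"[{CALAIS}\\{name}]",
             f'"ATR"=hex:{hexlist(atr)}']
    if mask is not None:
        lines.append(f'"ATRMask"=hex:{hexlist(mask)}')
    lines.append('"Crypto Provider"="$DisableSCPnP$"')
    lines.append("")
    return "\r\n".join(lines)

# Constructed sample: a 20-byte PC/SC v2 style storage-card ATR. The mask keeps
# every byte except the two card-name bytes (indexes 13-14) and the trailing
# checksum byte, so one entry covers a whole family of such cards.
SAMPLE_ATR = parse_hex("3B 8F 80 01 80 4F 0C A0 00 00 03 06 03 00 01 00 00 00 00 6A")
SAMPLE_MASK = b"\xff" * 13 + b"\x00\x00" + b"\xff" * 4 + b"\x00"

if __name__ == "__main__":
    print(reg_file("Constructed_Storage_Card_NoPnP", SAMPLE_ATR, SAMPLE_MASK))
```

Redirect the output to a .reg file and import it with regedit or reg.exe from an administrator prompt; deleting the named branch later restores PnP for those cards.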
A sample source code to do so is provided by MS with the article. We’ve implemented this source code in a small command line tool, and added a lot of modifications to ease its use and to make it possible to disable smartcard PnP for any arbitrarily entered smartcard ATR, and not only for the smartcards physically inserted in the readers at the time of execution.
There are two binaries: pcsc_no_minidriver32.exe for 32-bit systems, and pcsc_no_minidriver64.exe for 64-bit systems. Invoke either with the -h parameter to get help. With the -m parameter, the software starts monitoring all the PC/SC readers and disables plug and play for every card inserted. Alternatively, the -a parameter lets you specify the ATR (hexadecimal string); you may optionally use the -n parameter to specify a name for your smartcard (this is convenient if you want to remove it from the registry later on!).
Note: you must run this program as an administrator.
We supply the software with two command line scripts (.CMD):
- pcsc_no_minidriver_memory.cmd disables every memory card (ATR constructed according to the PC/SC v2 specification for memory cards)
- pcsc_no_minidriver_well_known.cmd disables some well-known contactless cards that do not have a minidriver (NXP DESFire, NXP MIFARE Plus, various Calypso cards, …).
Of course, use this software and the related scripts with care and make sure you really understand what it does, as it may prevent your system from working correctly with your $20 cryptographic card that does need its minidriver to work with CryptoAPI.
Here’s the link to the package: http://www.springcard.com/download/pub/pcsc_no_minidriver.zip. It comes with complete source code. Just unzip it in a local folder and enjoy.