Hi Peng DENG,
How are you? Has your issue been resolved yet? If it has, please consider accepting the answer so that others sharing the same problem would benefit too. If not, please get me updated. Thanks
VP
Windows 11 25h2 install non-WHQL WIFI driver report code 39 error
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(96, 43%, 19%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EPD%3C/text%3E%3C/svg%3E)
Peng DENG
0
Reputation points
We are encountering an Error Code 39 when attempting to install an unsigned (non-WHQL) Wi-Fi driver for a Senscomm SCM2625 Wi-Fi6 Network Adapter on a Windows 11 25H2 debug machine.
Key Background
- This is a brand-new, clean OS installation with no additional software or third-party tools installed, eliminating interference from other applications.
-This is a dedicated debug environment, so we intentionally need to use an unsigned driver for testing purposes.
- We have already disabled Secure Boot and enabled Test Signing Mode via
bcdedit /set testsigning on, which allows us to load unsigned drivers. - The driver installation process appears to complete, but the device manager reports: "Windows cannot load the device driver for this hardware. The driver may be corrupted or missing."
Troubleshooting Steps Already Attempted
- Driver Cleanup: Uninstalled the driver completely (including deleting driver software) and cleared
UpperFilters/LowerFiltersin the registry. - System File Repair: Ran
sfc /scannowandDISM /Online /Cleanup-Image /RestoreHealthto fix any corrupted system files. - Force Installation: Tried installing the driver via
.inffile,devcon, and in Safe Mode. - PnP Reset: Reset the Plug and Play service and removed all hidden network devices.
- Kernel Isolation: Disabled "Memory Integrity" in Windows Security to rule out kernel-level blocking.
We need help identifying why the driver is failing to load despite all signature bypass measures on a clean OS, and how to resolve this error on our debug machine
Windows for business | Windows Client for IT Pros | Devices and deployment | Set up, install, or upgrade
5 answers
Sort by: Most helpful
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(275.2, 16%, 36%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EV%3C/text%3E%3C/svg%3E)
VPHAN 25,000 Reputation points Independent Advisor2026-02-26T16:47:20.9+00:00 -
Peng DENG 0 Reputation points
2026-02-27T01:44:44.9633333+00:00 Hi VPHAN:
I have followed all the steps below , but Code 39 still appears.
- Regenerate a Compliant Certificate
- Embed the Signature
- Verify Against Kernel Policy
- Clear Previous State
Now I found one workaround, when installed clean OS and don't install windows update, open OS test mode then install non-WHQL driver, it's successfully.
Thank you!
Sign in to comment -
-
VPHAN 25,000 Reputation points Independent Advisor
2026-02-08T10:49:21.7633333+00:00 Hi Peng DENG,
The
0x800b0109error in your logs (CERT_E_UNTRUSTEDROOT) is the smoking gun. It indicates that while the certificate is physically present in the store, the kernel does not trust it for code signing purposes. This commonly happens when a self-signed certificate is generated with "All" purposes in the UI, but lacks the specific Code Signing OID (1.3.6.1.5.5.7.3.3) in the certificate's internal "Enhanced Key Usage" (EKU) field. The Kernel loader ignores certificates that do not explicitly declare this capability.Please perform these precise steps:
1. Regenerate a Compliant Certificate: Do not rely on the previous certificate. Generate a new one that explicitly flags itself for Code Signing.
- PowerShell Command:
New-SelfSignedCertificate -Type CodeSigningCert -Subject "CN=SCM_Debug_Cert" -CertStoreLocation Cert:\LocalMachine\My - Export this new certificate (with public key) and import it into both the Trusted Root Certification Authorities and Trusted Publishers stores on the Local Computer.
2. Embed the Signature: While PnP installs use the catalog file (
.cat), the Kernel Loader (which throws Code 39) often fails if the.sysfile itself is not embedded-signed in test scenarios.Command: Use SignTool to sign both the catalog and the driver binary (.sys).
signtool sign /v /s MY /n "SCM_Debug_Cert" /fd sha256 /t http://timestamp.digicert.com "C:\Path\To\scmwlan.sys"signtool sign /v /s MY /n "SCM_Debug_Cert" /fd sha256 /t http://timestamp.digicert.com "C:\Path\To\scmwlan.cat"3. Verify Against Kernel Policy: Before attempting installation, you must verify if the driver passes the Kernel Policy check. Running this command will tell you exactly why the loader is failing:
Command:
signtool verify /v /kp /c "C:\Path\To\scmwlan.cat" "C:\Path\To\scmwlan.sys"- If this returns any error other than "Success," the driver will trigger Code 39. The
/kpflag simulates the kernel's strict verification.
4. Clear Previous State
- Run
pnputil /delete-driver oem#.inf /uninstall /forceto remove the old driver package. - Reboot the machine to flush the kernel's certificate cache.
- Install the newly signed driver.
VP
-
Peng DENG 0 Reputation points
2026-02-24T08:14:32.8833333+00:00 Hello VPHAN:
I have generated a new one sign file. But when Verify Against Kernel Policy, it returns below error.
SignTool Error: Signing Cert does not chain to a Microsoft Root Cert.
Follow below steps:
Step1: New-SelfSignedCertificate -Type CodeSigningCert -Subject "CN=SCM_Debug_Cert" -CertStoreLocation Cert:\LocalMachine\My
Step2:
signtool sign /v /s /sm MY /n "SCM_Debug_Cert" /fd sha256 /t http://timestamp.digicert.com "C:\Path\To\scmwlan.sys"signtool sign /v /s MY /n "SCM_Debug_Cert" /fd sha256 /t http://timestamp.digicert.com "C:\Path\To\scmwlan.cat"Step3: signtool verify /v /kp /c "C:\Path\To\scmwlan.sys". Return error.
What additional steps can I take to make the non-WHQL driver load stably on this machine?
-
VPHAN 25,000 Reputation points Independent Advisor
2026-02-24T08:28:46.4333333+00:00 Hi Peng DENG,
From your screenshots we can isolate the root cause of the Error Code 39 to missing page hashes within the driver binary.
You must re-sign the driver binary and force the inclusion of page hashes while omitting the public timestamping server. Begin with a clean, unsigned copy of your driver binary and catalog file. Execute the signing command targeting the driver binary using the syntax
signtool sign /v /s MY /n "SCM_Debug_Cert" /fd sha256 /ph "C:\Path\To\scmwlan.sys". The/phswitch is the critical component here, generating and embedding the page hashes required by the Windows 11 memory manager. Then, sign the catalog file usingsigntool sign /v /s MY /n "SCM_Debug_Cert" /fd sha256 "C:\Path\To\scmwlan.cat". The catalog file does not require the page hash flag, as it is only applicable to executable binaries.After applying the signatures, bypass the kernel policy verification entirely. Instead, use the Default Authenticode Verification Policy flag by running
signtool verify /v /pa "C:\Path\To\scmwlan.sys"to confirm the signature is structurally intact and trusted locally without erroneously enforcing the Microsoft Root chain. Finally, completely purge the existing driver package from the system usingpnputil /delete-driver oem#.inf /uninstall /force(identifying the correct published name viapnputil /enum-drivers), reboot the debug machine to clear the Code Integrity cache, and install your newly signed package.Hope you found something useful in the answer.
VP
-
Peng DENG 0 Reputation points
2026-02-24T11:10:51.3+00:00 I have signed driver with clean ,unsigned your driver binary and catalog file. And verify kernel policy verification, it's passed. But when install no-WHQL driver, it still report code39 error.
The test steps as below:
Step1: check driver
Step2: sign driver
Step3: verify kernel policy verification
Step4: install WIFI driver
check the setupapi.dev, there is no any usefully info
What additional steps can I take to make the non-WHQL driver load stably on this machine?
-
VPHAN 25,000 Reputation points Independent Advisor
2026-02-24T13:30:11.0733333+00:00 Code 39 error means the kernel rejected the image at load time, and the fact that signtool verify /pa succeeds does not guarantee load acceptance—/pa only checks that the file’s signature chains to a trusted root in the system’s certificate stores, whereas the kernel’s CI policy under testsigning requires the signing certificate to be explicitly trusted in the local machine stores and to contain the proper Enhanced Key Usage (Code Signing). Your self-signed certificate “SCM_Debug_Cert” likely lacks either the correct EKU or the necessary cross‑certificate linkage to the Microsoft Test Root Authority, causing the kernel to treat it as untrusted despite the presence of a valid chain.
you must add your test certificate to the Local Machine stores, not just the current user’s, using the following commands from an elevated command prompt:
certutil -addstore Root "path\to\SCM_Debug_Cert.cer"
certutil -addstore TrustedPublisher "path\to\SCM_Debug_Cert.cer"
Then verify that your .inf file contains a CatalogFile=scmwlan.cat directive so Windows uses the signed catalog during installation. After rebooting, attempt the driver update again.
If the error persists, open the complete setupapi.dev.log (located in %SystemRoot%\INF) and search for your device’s hardware ID PCI\VEN_1EB9&DEV_2020. Immediately above the line “Device not started: Device has problem: 0x27” you will find a specific Win32 or NTSTATUS code, such as 0xc0000428 (signature verification failed) or 0xc0000045 (invalid image hash). This code pinpoints the exact reason for the load failure. A status of 0xc0000428 confirms a trust issue, while 0xc0000045 often indicates a missing dependency or corrupted binary.
Another common cause of Code 39 in network adapters is a corrupted UpperFilters or LowerFilters registry value under the network class GUID {4d36e972-e325-11ce-bfc1-08002be10318}. Inspect each subkey under that path for any filter that points to a non‑existent or mismatched driver, and if found, delete the offending filter entry and reboot.
Since this is a debug machine, the most definitive method is to attach a kernel debugger (WinDbg) and set a breakpoint on the driver’s load path. This will immediately reveal whether the failure is cryptographic or occurs inside the driver’s DriverEntry routine. If you prefer not to use a debugger, recreate your test certificate using the Windows Driver Kit tools, for example, using PowerShell’s New-SelfSignedCertificate with the -Type CodeSigningCert and -KeyUsage DigitalSignature parameters, and install that certificate into the Local Machine stores. This ensures the certificate meets all the attributes required by the testsigning policy.
Finally, confirm that the firmware file scm2020.bin is being copied to the correct system directory (usually C:\Windows\System32\drivers) as specified in the .inf's CopyFiles section; a missing firmware file can cause the driver to fail during start, also manifesting as Code 39.
Hope this answer brought you some useful information...
VP
Sign in to comment - PowerShell Command:
-
Peng DENG 0 Reputation points
2026-02-07T08:37:19.4466667+00:00 Hello VPHAN:
Thanks a lot for your answer.
According your guide, i have tried below method. There are all don't work
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\CI\Config
VulnerableDriverBlocklistEnableDWORD to0 - (gpedit.msc) and navigate to Computer Configuration > Administrative Templates > System > Device Guard. Locate the "Turn on Virtualization Based Security" policy and set it to "Disabled."
-
bcdedit /set loadoptions DISABLE_INTEGRITY_CHECKSand reboot
Check the setupapi.dev.log:
I have added test certificate to the machine's Trusted Root store
The log returns Error 0x800b0109 and Error 0xe0000241.
But Advanced Boot Options (F8) to "Disable Driver Signature Enforcement", it worked.
What additional steps can I take to make the non-WHQL driver load stably on this machine?
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\CI\Config
-
VPHAN 25,000 Reputation points Independent Advisor
2026-02-07T06:28:03.06+00:00 Hello again Peng DENG,
Just following up. Refining the previous troubleshooting path regarding the Vulnerable Driver Blocklist and VBS, it is crucial to address the architectural distinction between "test-signing mode" and using a completely unsigned driver. While your BCD configuration (
testsiging on) tells the Windows kernel to trust non-production certificates, it does not disable Kernel Mode Code Signing (KMCS) entirely on 64-bit builds of Windows 11. The operating system still mandates that the driver binary contains a valid signature blob and page hash, even if that signature chains to a self-generated test root. Error Code 39 in this context indicates that the kernel loader is rejecting theSenscommbinary because it is either malformed or, more likely, lacks the digital signature structure required to verify its integrity against the memory manager’s requirements. If you are attempting to install a "naked" driver with absolutely no catalog file or embedded signature,testsigningwill not resolve this; that command is specifically designed to validate test-signed binaries, not unsigned ones.To provide the most accurate resolution for your debug environment, I need to evaluate the precise state of the driver package. Please confirm if you have generated a catalog file (
.cat) and signed it with a self-created certificate usingSignTool, or if you are relying solely on the boot configuration to bypass checks. If the goal is to permanently load a driver without any signature, this is not supported by the standard BCD stack on Windows 11 25H2; you would temporarily need to use the Advanced Boot Options (F8) to "Disable Driver Signature Enforcement" for that specific session. However, the Microsoft recommended best practice for a stable debug environment is to useInf2Catto generate the catalog and then sign it with a local test certificate added to the machine's Trusted Root store. Please also review%windir%\inf\setupapi.dev.logfor error0xE000024Bor0xC0000428to confirm if the rejection is purely signature-based or related to a deeper NDIS compatibility issue with the 25H2 kernel.If the issue has been successfully resolved, please consider accepting the answer as it helps other people sharing the same question benefit too. Thank you!
VP
-
VPHAN 25,000 Reputation points Independent Advisor
2026-02-06T11:27:22.5566667+00:00 Hello Peng DENG,
To resolve this on a dedicated debug machine, you must ensure that the Microsoft Vulnerable Driver Blocklist is explicitly disabled, as it can override test-signing parameters if the driver's hash matches known vulnerable patterns. You can do this by navigating to the registry key
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\CI\Configand setting theVulnerableDriverBlocklistEnableDWORD to0. If the key does not exist, creating it and setting it to zero will ensure the kernel doesn't block the SCM2625 driver based on its blocklist telemetry.Additionally, ensure that you have fully disabled Virtualization-Based Security (VBS), which can remain active even if "Memory Integrity" is toggled off in the UI. Open the Group Policy Editor (gpedit.msc) and navigate to Computer Configuration > Administrative Templates > System > Device Guard. Locate the "Turn on Virtualization Based Security" policy and set it to "Disabled." After applying this, run
bcdedit /set loadoptions DISABLE_INTEGRITY_CHECKSand reboot. This ensures the kernel loader bypasses the integrity check of the driver's import table, which is a common failure point for unsigned Wi-Fi 6 adapters that rely on specific NDIS wrapper versions.If the error persists, check the
C:\Windows\inf\setupapi.dev.logfile. Look specifically for thedvi:andcpy:entries during the driver installation timestamp. If you see a "Signature verification failed" or "Class installer denied" message despite your current bcdedit settings, it indicates the driver's.sysfile might be missing a requiredNTheader entry for the architecture of your 25H2 build, or theCatalogFileentry in your.infis pointing to a non-existent or malformed.catfile. In a test-signing environment, creating a self-signed certificate and manually signing the.catfile usinginf2catandsigntoolis often more reliable than attempting to load a completely "naked" unsigned driver.I hope you've found something useful here. If it helps you get more insight into the issue, it's appreciated to accept the answer. Should you have more questions, feel free to leave a message. Have a nice day!
VP