Windows 11 25h2 install non-WHQL WIFI driver report code 39 error

Question

Windows 11 25h2 install non-WHQL WIFI driver report code 39 error

Peng DENG 0

We are encountering an Error Code 39 when attempting to install an unsigned (non-WHQL) Wi-Fi driver for a Senscomm SCM2625 Wi-Fi6 Network Adapter on a Windows 11 25H2 debug machine.

User's image

Key Background

This is a brand-new, clean OS installation with no additional software or third-party tools installed, eliminating interference from other applications.

-This is a dedicated debug environment, so we intentionally need to use an unsigned driver for testing purposes.

We have already disabled Secure Boot and enabled Test Signing Mode via bcdedit /set testsigning on, which allows us to load unsigned drivers.
The driver installation process appears to complete, but the device manager reports: "Windows cannot load the device driver for this hardware. The driver may be corrupted or missing."

Troubleshooting Steps Already Attempted

Driver Cleanup: Uninstalled the driver completely (including deleting driver software) and cleared UpperFilters/LowerFilters in the registry.
System File Repair: Ran sfc /scannow and DISM /Online /Cleanup-Image /RestoreHealth to fix any corrupted system files.
Force Installation: Tried installing the driver via .inf file, devcon, and in Safe Mode.
PnP Reset: Reset the Plug and Play service and removed all hidden network devices.
Kernel Isolation: Disabled "Memory Integrity" in Windows Security to rule out kernel-level blocking.

We need help identifying why the driver is failing to load despite all signature bypass measures on a clean OS, and how to resolve this error on our debug machine

0 comments

5 answers

Your answer

Answer 1

Hello VPHAN:

Thanks a lot for your answer.

According your guide, i have tried below method. There are all don't work

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\CI\Config VulnerableDriverBlocklistEnable DWORD to 0
(gpedit.msc) and navigate to Computer Configuration > Administrative Templates > System > Device Guard. Locate the "Turn on Virtualization Based Security" policy and set it to "Disabled."
bcdedit /set loadoptions DISABLE_INTEGRITY_CHECKS and reboot

Check the setupapi.dev.log:

setupapi.dev.log

I have added test certificate to the machine's Trusted Root store

User's image

The log returns Error 0x800b0109 and Error 0xe0000241.

User's image

But Advanced Boot Options (F8) to "Disable Driver Signature Enforcement", it worked.

What additional steps can I take to make the non-WHQL driver load stably on this machine?

Answer 2

VPHAN 34,230 Independent Advisor

Hi Peng DENG,

How are you? Has your issue been resolved yet? If it has, please consider accepting the answer so that others sharing the same problem would benefit too. If not, please get me updated. Thanks

VP

Peng DENG 0 Reputation points

2026-02-27T01:44:44.9633333+00:00
Hi VPHAN:

I have followed all the steps below , but Code 39 still appears.

Regenerate a Compliant Certificate

Embed the Signature

Verify Against Kernel Policy

Clear Previous State

Now I found one workaround, when installed clean OS and don't install windows update, open OS test mode then install non-WHQL driver, it's successfully.

Thank you!

Answer 3

VPHAN 34,230 Independent Advisor

Hi Peng DENG,

The 0x800b0109 error in your logs (CERT_E_UNTRUSTEDROOT) is the smoking gun. It indicates that while the certificate is physically present in the store, the kernel does not trust it for code signing purposes. This commonly happens when a self-signed certificate is generated with "All" purposes in the UI, but lacks the specific Code Signing OID (1.3.6.1.5.5.7.3.3) in the certificate's internal "Enhanced Key Usage" (EKU) field. The Kernel loader ignores certificates that do not explicitly declare this capability.

Please perform these precise steps:

1. Regenerate a Compliant Certificate: Do not rely on the previous certificate. Generate a new one that explicitly flags itself for Code Signing.

PowerShell Command: New-SelfSignedCertificate -Type CodeSigningCert -Subject "CN=SCM_Debug_Cert" -CertStoreLocation Cert:\LocalMachine\My
Export this new certificate (with public key) and import it into both the Trusted Root Certification Authorities and Trusted Publishers stores on the Local Computer.

2. Embed the Signature: While PnP installs use the catalog file (.cat), the Kernel Loader (which throws Code 39) often fails if the .sys file itself is not embedded-signed in test scenarios.

Command: Use SignTool to sign both the catalog and the driver binary (.sys). signtool sign /v /s MY /n "SCM_Debug_Cert" /fd sha256 /t http://timestamp.digicert.com "C:\Path\To\scmwlan.sys" signtool sign /v /s MY /n "SCM_Debug_Cert" /fd sha256 /t http://timestamp.digicert.com "C:\Path\To\scmwlan.cat"

3. Verify Against Kernel Policy: Before attempting installation, you must verify if the driver passes the Kernel Policy check. Running this command will tell you exactly why the loader is failing:

Command: signtool verify /v /kp /c "C:\Path\To\scmwlan.cat" "C:\Path\To\scmwlan.sys"

If this returns any error other than "Success," the driver will trigger Code 39. The /kp flag simulates the kernel's strict verification.

4. Clear Previous State

Run pnputil /delete-driver oem#.inf /uninstall /force to remove the old driver package.
Reboot the machine to flush the kernel's certificate cache.
Install the newly signed driver.

VP

Peng DENG 0 Reputation points

2026-02-24T08:14:32.8833333+00:00

Hello VPHAN:

I have generated a new one sign file. But when Verify Against Kernel Policy, it returns below error.

SignTool Error: Signing Cert does not chain to a Microsoft Root Cert.

Follow below steps:

Step1: New-SelfSignedCertificate -Type CodeSigningCert -Subject "CN=SCM_Debug_Cert" -CertStoreLocation Cert:\LocalMachine\My

Step2: signtool sign /v /s /sm MY /n "SCM_Debug_Cert" /fd sha256 /t http://timestamp.digicert.com "C:\Path\To\scmwlan.sys" signtool sign /v /s MY /n "SCM_Debug_Cert" /fd sha256 /t http://timestamp.digicert.com "C:\Path\To\scmwlan.cat"

Step3: signtool verify /v /kp /c "C:\Path\To\scmwlan.sys". Return error.

What additional steps can I take to make the non-WHQL driver load stably on this machine?
VPHAN 34,230 Reputation points Independent Advisor

2026-02-24T08:28:46.4333333+00:00

Hi Peng DENG,

From your screenshots we can isolate the root cause of the Error Code 39 to missing page hashes within the driver binary.

You must re-sign the driver binary and force the inclusion of page hashes while omitting the public timestamping server. Begin with a clean, unsigned copy of your driver binary and catalog file. Execute the signing command targeting the driver binary using the syntax signtool sign /v /s MY /n "SCM_Debug_Cert" /fd sha256 /ph "C:\Path\To\scmwlan.sys". The /ph switch is the critical component here, generating and embedding the page hashes required by the Windows 11 memory manager. Then, sign the catalog file using signtool sign /v /s MY /n "SCM_Debug_Cert" /fd sha256 "C:\Path\To\scmwlan.cat". The catalog file does not require the page hash flag, as it is only applicable to executable binaries.

After applying the signatures, bypass the kernel policy verification entirely. Instead, use the Default Authenticode Verification Policy flag by running signtool verify /v /pa "C:\Path\To\scmwlan.sys" to confirm the signature is structurally intact and trusted locally without erroneously enforcing the Microsoft Root chain. Finally, completely purge the existing driver package from the system using pnputil /delete-driver oem#.inf /uninstall /force (identifying the correct published name via pnputil /enum-drivers), reboot the debug machine to clear the Code Integrity cache, and install your newly signed package.

Hope you found something useful in the answer.

VP
Peng DENG 0 Reputation points

2026-02-24T11:10:51.3+00:00

I have signed driver with clean ,unsigned your driver binary and catalog file. And verify kernel policy verification, it's passed. But when install no-WHQL driver, it still report code39 error.

The test steps as below:

Step1: check driver

Step2: sign driver

Step3: verify kernel policy verification

Step4: install WIFI driver

check the setupapi.dev, there is no any usefully info

What additional steps can I take to make the non-WHQL driver load stably on this machine?
VPHAN 34,230 Reputation points Independent Advisor

2026-02-24T13:30:11.0733333+00:00

Code 39 error means the kernel rejected the image at load time, and the fact that signtool verify /pa succeeds does not guarantee load acceptance—/pa only checks that the file’s signature chains to a trusted root in the system’s certificate stores, whereas the kernel’s CI policy under testsigning requires the signing certificate to be explicitly trusted in the local machine stores and to contain the proper Enhanced Key Usage (Code Signing). Your self-signed certificate “SCM_Debug_Cert” likely lacks either the correct EKU or the necessary cross‑certificate linkage to the Microsoft Test Root Authority, causing the kernel to treat it as untrusted despite the presence of a valid chain.

you must add your test certificate to the Local Machine stores, not just the current user’s, using the following commands from an elevated command prompt:

certutil -addstore Root "path\to\SCM_Debug_Cert.cer"

certutil -addstore TrustedPublisher "path\to\SCM_Debug_Cert.cer"

Then verify that your .inf file contains a CatalogFile=scmwlan.cat directive so Windows uses the signed catalog during installation. After rebooting, attempt the driver update again.

If the error persists, open the complete setupapi.dev.log (located in %SystemRoot%\INF) and search for your device’s hardware ID PCI\VEN_1EB9&DEV_2020. Immediately above the line “Device not started: Device has problem: 0x27” you will find a specific Win32 or NTSTATUS code, such as 0xc0000428 (signature verification failed) or 0xc0000045 (invalid image hash). This code pinpoints the exact reason for the load failure. A status of 0xc0000428 confirms a trust issue, while 0xc0000045 often indicates a missing dependency or corrupted binary.

Another common cause of Code 39 in network adapters is a corrupted UpperFilters or LowerFilters registry value under the network class GUID {4d36e972-e325-11ce-bfc1-08002be10318}. Inspect each subkey under that path for any filter that points to a non‑existent or mismatched driver, and if found, delete the offending filter entry and reboot.

Since this is a debug machine, the most definitive method is to attach a kernel debugger (WinDbg) and set a breakpoint on the driver’s load path. This will immediately reveal whether the failure is cryptographic or occurs inside the driver’s DriverEntry routine. If you prefer not to use a debugger, recreate your test certificate using the Windows Driver Kit tools, for example, using PowerShell’s New-SelfSignedCertificate with the -Type CodeSigningCert and -KeyUsage DigitalSignature parameters, and install that certificate into the Local Machine stores. This ensures the certificate meets all the attributes required by the testsigning policy.

Finally, confirm that the firmware file scm2020.bin is being copied to the correct system directory (usually C:\Windows\System32\drivers) as specified in the .inf's CopyFiles section; a missing firmware file can cause the driver to fail during start, also manifesting as Code 39.

Hope this answer brought you some useful information...

VP

Answer 4

Hello again Peng DENG,

Just following up. Refining the previous troubleshooting path regarding the Vulnerable Driver Blocklist and VBS, it is crucial to address the architectural distinction between "test-signing mode" and using a completely unsigned driver. While your BCD configuration (testsiging on) tells the Windows kernel to trust non-production certificates, it does not disable Kernel Mode Code Signing (KMCS) entirely on 64-bit builds of Windows 11. The operating system still mandates that the driver binary contains a valid signature blob and page hash, even if that signature chains to a self-generated test root. Error Code 39 in this context indicates that the kernel loader is rejecting the Senscomm binary because it is either malformed or, more likely, lacks the digital signature structure required to verify its integrity against the memory manager’s requirements. If you are attempting to install a "naked" driver with absolutely no catalog file or embedded signature, testsigning will not resolve this; that command is specifically designed to validate test-signed binaries, not unsigned ones.

To provide the most accurate resolution for your debug environment, I need to evaluate the precise state of the driver package. Please confirm if you have generated a catalog file (.cat) and signed it with a self-created certificate using SignTool, or if you are relying solely on the boot configuration to bypass checks. If the goal is to permanently load a driver without any signature, this is not supported by the standard BCD stack on Windows 11 25H2; you would temporarily need to use the Advanced Boot Options (F8) to "Disable Driver Signature Enforcement" for that specific session. However, the Microsoft recommended best practice for a stable debug environment is to use Inf2Cat to generate the catalog and then sign it with a local test certificate added to the machine's Trusted Root store. Please also review %windir%\inf\setupapi.dev.log for error 0xE000024B or 0xC0000428 to confirm if the rejection is purely signature-based or related to a deeper NDIS compatibility issue with the 25H2 kernel.

If the issue has been successfully resolved, please consider accepting the answer as it helps other people sharing the same question benefit too. Thank you!

VP

Answer 5

Hello Peng DENG,

To resolve this on a dedicated debug machine, you must ensure that the Microsoft Vulnerable Driver Blocklist is explicitly disabled, as it can override test-signing parameters if the driver's hash matches known vulnerable patterns. You can do this by navigating to the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\CI\Config and setting the VulnerableDriverBlocklistEnable DWORD to 0. If the key does not exist, creating it and setting it to zero will ensure the kernel doesn't block the SCM2625 driver based on its blocklist telemetry.

Additionally, ensure that you have fully disabled Virtualization-Based Security (VBS), which can remain active even if "Memory Integrity" is toggled off in the UI. Open the Group Policy Editor (gpedit.msc) and navigate to Computer Configuration > Administrative Templates > System > Device Guard. Locate the "Turn on Virtualization Based Security" policy and set it to "Disabled." After applying this, run bcdedit /set loadoptions DISABLE_INTEGRITY_CHECKS and reboot. This ensures the kernel loader bypasses the integrity check of the driver's import table, which is a common failure point for unsigned Wi-Fi 6 adapters that rely on specific NDIS wrapper versions.

If the error persists, check the C:\Windows\inf\setupapi.dev.log file. Look specifically for the dvi: and cpy: entries during the driver installation timestamp. If you see a "Signature verification failed" or "Class installer denied" message despite your current bcdedit settings, it indicates the driver's .sys file might be missing a required NT header entry for the architecture of your 25H2 build, or the CatalogFile entry in your .inf is pointing to a non-existent or malformed .cat file. In a test-signing environment, creating a self-signed certificate and manually signing the .cat file using inf2cat and signtool is often more reliable than attempting to load a completely "naked" unsigned driver.

I hope you've found something useful here. If it helps you get more insight into the issue, it's appreciated to accept the answer. Should you have more questions, feel free to leave a message. Have a nice day!

VP

Share via

Windows 11 25h2 install non-WHQL WIFI driver report code 39 error

Key Background

Troubleshooting Steps Already Attempted

5 answers

Your answer