{
	"id": "bfb50505-a425-4542-94cd-2a66b660b715",
	"created_at": "2026-04-06T00:17:29.415317Z",
	"updated_at": "2026-04-10T03:30:33.42625Z",
	"deleted_at": null,
	"sha1_hash": "411e5faf0701880e2a2331705e10b1c877bd0a7a",
	"title": "Catalog Files and Digital Signatures - Windows drivers",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 45492,
	"plain_text": "Catalog Files and Digital Signatures - Windows drivers\r\nBy EliotSeattle\r\nArchived: 2026-04-05 22:25:40 UTC\r\nA digitally signed catalog file (.cat) can be used as a digital signature for an arbitrary collection of files. A catalog\r\nfile contains a collection of cryptographic hashes, or thumbprints. Each thumbprint corresponds to a file that is\r\nincluded in the collection.\r\nPlug and Play (PnP) device installation recognizes the signed catalog file of a driver package as the digital\r\nsignature for the driver package. Each thumbprint in the catalog file corresponds to a file that the driver package\r\ninstalls. Regardless of the intended operating system, cryptographic technology is used to digitally sign the catalog\r\nfile.\r\nPnP device installation considers the digital signature of a driver package to be invalid if any file in the driver\r\npackage is altered after the driver package was signed. Such files include the INF file, the catalog file, and all files\r\nthat are copied by INF CopyFiles directives. For example, even a single-byte change to correct a misspelling\r\ninvalidates the digital signature. If the digital signature is invalid, you must either resubmit the driver package to\r\nthe Windows Hardware Dev Center for a new signature, or generate a new Authenticode signature for the driver\r\npackage.\r\nSimilarly, changes to a device's hardware or firmware require a revised device ID value so that the system can\r\ndetect the updated device and install the correct driver. Because the revised device ID value must appear in the\r\nINF file, you must either resubmit the package to the Windows Hardware Dev Center for a new signature or\r\ngenerate a new Authenticode signature for the driver package. You must get a new device ID even if the driver\r\nbinaries don't change.\r\nThe CatalogFile directive in the INF Version section of the driver's INF file specifies the name of the catalog file\r\nfor the driver package. During driver installation, the operating system uses the CatalogFile directive to identify\r\nand validate the catalog file. The system installs the catalog file to the CatRoot directory under the system\r\ndirectory returned by GetSystemDirectory, for example, %SystemRoot%\\System32\\CatRoot. Catalog files\r\nshouldn't be added to or removed from that directory manually. For driver packages, the catalog file is\r\nautomatically installed to the CatRoot when the driver package is staged to the Driver Store. The catalog file is\r\nautomatically uninstalled from the CatRoot when the driver package is removed from the Driver Store. If you\r\nneed to install a catalog file to the CatRoot for reasons outside of a driver package, see Installing a Catalog File by\r\nusing SignTool and Installing a Catalog File by using CryptCATAdminAddCatalog.\r\nStarting with Windows 2000, if the driver package installs the same binaries on all versions of Windows, the INF\r\nfile can contain a single, undecorated CatalogFile directive. However, if the package installs different binaries for\r\ndifferent versions of Windows, the INF file should contain decorated CatalogFile directives. For more\r\ninformation about the CatalogFile directive, see INF Version Section.\r\nhttps://docs.microsoft.com/windows-hardware/drivers/install/catalog-files\r\nPage 1 of 2\n\nIf you have more than one driver package, you should create a separate catalog file for each driver package and\r\ngive each catalog file a unique file name. Two unrelated driver packages can't share a single catalog file. However,\r\na single driver package that serves multiple devices requires only one catalog file.\r\nSource: https://docs.microsoft.com/windows-hardware/drivers/install/catalog-files\r\nhttps://docs.microsoft.com/windows-hardware/drivers/install/catalog-files\r\nPage 2 of 2",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://docs.microsoft.com/windows-hardware/drivers/install/catalog-files"
	],
	"report_names": [
		"catalog-files"
	],
	"threat_actors": [
		{
			"id": "75108fc1-7f6a-450e-b024-10284f3f62bb",
			"created_at": "2024-11-01T02:00:52.756877Z",
			"updated_at": "2026-04-10T02:00:05.273746Z",
			"deleted_at": null,
			"main_name": "Play",
			"aliases": null,
			"source_name": "MITRE:Play",
			"tools": [
				"Nltest",
				"AdFind",
				"PsExec",
				"Wevtutil",
				"Cobalt Strike",
				"Playcrypt",
				"Mimikatz"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434649,
	"ts_updated_at": 1775791833,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/411e5faf0701880e2a2331705e10b1c877bd0a7a.pdf",
		"text": "https://archive.orkl.eu/411e5faf0701880e2a2331705e10b1c877bd0a7a.txt",
		"img": "https://archive.orkl.eu/411e5faf0701880e2a2331705e10b1c877bd0a7a.jpg"
	}
}