Most USB drivers operate in what is known as "Kernel mode" on Windows-based personal computers (PC). Kernel mode drivers have low-level access to the PC and its resources. This low-level access to the PC is normally necessary to implement the kind of functionality that the driver is intended to provide to top-level applications. 

Malicious software developers would want their software to operate, since it provides the greatest control and access to the PC. Therefore, in the interest of protecting Windows security, Windows operating systems place restrictions on what code is allowed to be operated in Kernel mode. 

Windows "trusts" drivers and executable programs that have been signed, more so than software that is unsigned. Signing a driver package is analogous to placing an embossed wax seal on an envelope. The signature/wax seal does not effect or alter the contents of the package, but it provides proof that the contents have not been modified or tampered with, since the time that the signature/wax seal was first applied. 

There are three types of USB driver signatures:

• Embedded digital signatures
• Full driver package (digital signature - Microsoft Authenticode)
• Full driver package (digital signature - WHQL

This type of signature resides inside of driver .sys files (Kernel mode driver binary files). No additional/external files are associated with this type of signature. These types of signatures only protect against tampering with the .sys file itself, and do not include other files that may be a part of the driver package (i.e., .inf and .dll files). All driver .sys files provided by Microsoft operating systems, as well as most third-party Kernel mode drivers will contain at least this level of signature.

This type of signature can be thought of as a "wrapper" over the entire driver package content files. A driver package can be as simple as a single .inf file (a plain text installation instruction file that Windows uses when installing new drivers), or may encompass additional files (such as .dll and/or .sys files). The full driver package signature comes in the form of a properly created security catalog file (.cat), which will be part of the driver package distribution. A driver package signed with an Authenticode signature is relatively easy to create; however, it less trustworthy to that of a WHQL digital signature.

This type of signature is the most trusted by Windows, and is very similar to the full driver package Microsoft Authenticode signature, but is more expensive and harder to obtain. To obtain a Windows Hardware Quality Labs (WHQL) signature, a driver package must undergo extensive testing, and passing log files and submission fees must be supplied to Microsoft. If a driver package has already previously been tested and WHQL-certified, but has since been modified, in some cases it is possible to get the driver recertified through a simpler and less expensive "Driver Update Acceptable" process with Microsoft. 

Any modifications to a driver package once the signature has been applied, including adding or deleting a single character of whitespace in the driver .inf file, will invalidate a full driver package signature. However, a driver package can have two simultaneous signatures, one covering the full driver package, and one embedded inside the driver binary file(s). Modifications to a .inf file do not invalidate an embedded digital signature inside of a driver binary file. 

Once a signature has been invalidated, Windows will no longer trust the driver package as much, and will place restrictions on its installation (or outright prevent its installation on some operating systems). The driver package can however be resigned, to restore the trustworthiness of the driver to Windows.