OSR Online Lists > ntdev
  Message 1 of 10  
22 May 18 08:46
Jhon Doe
xxxxxx@gmail.com
Join Date: 22 May 2018
Posts To This List: 4
Signature enforcement in windows 10

Hi all,

I've installed a driver, signed with a new certificate (issued a month ago), on a fresh Windows 10 machine (version 1803). Since this is a non-PnP driver, by installing I mean copying files to the machine and registering under the Services key in the registry. I've enabled Secure Boot on the machine (and checked with PowerShell that it is indeed enabled).

It was my expectation that the driver would not load, due to the new restrictions on Windows 10 regarding signatures. But it loads just fine. What am I missing? (I've also looked through the event log to see if there was a registered event about the driver not being properly signed or something like that, but didn't see that either.)

Am I missing something? Are there any more specific cases I need to satisfy in order for the driver not to load? I'm basing my data on this: https://docs.microsoft.com/en-us/windows-hardware/drivers/install/kernel-mode-code-signing-policy--windows-vista-and-later-

Thanks
  Message 2 of 10  
22 May 18 10:10
Doron Holan
xxxxxx@microsoft.com
Join Date: 08 Sep 2005
Posts To This List: 10209
Signature enforcement in windows 10

Did you embed sign the driver?

Sent from my phone
  Message 3 of 10  
22 May 18 12:57
Tim Roberts
xxxxxx@probo.com
Join Date: 28 Jan 2005
Posts To This List: 11955
Signature enforcement in windows 10

xxxxx@gmail.com wrote:

> I've installed a driver, signed with a new certificate (issued a month ago), on a fresh windows 10 machine (version 1803). Since this is a non-pnp driver, by installing I mean copying files to machine and registering under Services key in registry.
> I've enabled secureboot in the machine (and checked with powershell that it is indeed enabled).
> It was my expectation that the driver will not load, due to new restrictions on windows 10 regarding signature. But it load just fine. What am I missing ?

That would also be my expectation.

> (I've also looked through the eventlog to see if there was a registered event about the driver not being properly signed or something like that, but didn't see that either).

I'm not sure what log to ask for. A service driver doesn't post to \windows\inf\setupapi.dev.log. Can anyone else confirm this? Anyone with a driver service or a PnP filter ought to be able to test this. My test systems do not yet have Secure Boot.

> I'm basing my data on this :
> https://docs.microsoft.com/en-us/windows-hardware/drivers/install/kernel-mode-code-signing-policy--windows-vista-and-later-

Yes, I just helped them rework that page to fix up the known issues. I thought it was all correct now. Your scenario here is disturbing.

--
Tim Roberts, xxxxx@probo.com
Providenza & Boekelheide, Inc.
  Message 4 of 10  
23 May 18 07:04
Gabe Jones
xxxxxx@ni.com
Join Date: 19 Mar 2012
Posts To This List: 47
Signature enforcement in windows 10

Is it a boot start driver? Currently, enforcement doesn't occur for a boot start driver. Check Event Viewer->Applications and Services Logs->Microsoft->Windows->CodeIntegrity->Operational.
  Message 5 of 10  
23 May 18 12:18
Peter Viscarola
xxxxxx@osr.com
Join Date:
Posts To This List: 6183
List Moderator
Signature enforcement in windows 10

> Is it a boot start driver? Currently, enforcement doesn't occur for a boot start driver.

Good idea. To be clear: "enforcement" here means "the requirement that the executable be signed by Microsoft and not just embedded signed". If it's not embedded signed, a driver will not load at boot start (without boot debugging enabled).

Peter
OSR
@OSRDrivers
  Message 6 of 10  
23 May 18 20:19
Thanos Titan
xxxxxx@gmail.com
Join Date: 04 May 2018
Posts To This List: 7
Signature enforcement in windows 10

Hi guys,

In order to install my unsigned driver on my host machine I had issues with the Windows 10 enforcement mechanism. I found a workaround to disable it at boot time through BCDEDIT:

    bcdedit /set {GUID} nointegritychecks on
    bcdedit /set {GUID} testsigning on

After which I was able to load my driver at boot time without any issues. I hope this helps.

Regards
Valar Morghulis!
  Message 7 of 10  
24 May 18 03:30
Jhon Doe
xxxxxx@gmail.com
Join Date: 22 May 2018
Posts To This List: 4
Signature enforcement in windows 10

Hi all,

A few answers:

1. Yes, the driver is embedded signed with the SHA2 signature.

2. The driver is of start type = SERVICE_SYSTEM_START (and not BOOT_START). Also, I stopped and restarted the service (through sc stop/sc start), and it still works. I even tried to change the type to SERVICE_DEMAND_START, restarted the machine and started the driver. It still loaded properly.

3. I am attaching here the output from PowerShell (as if, to show that Secure Boot is on):

    Windows PowerShell
    Copyright (C) Microsoft Corporation. All rights reserved.

    PS C:\Windows\system32> Confirm-SecureBootUEFI
    True
    PS C:\Windows\system32> Get-CimInstance -ClassName Win32_DeviceGuard -Namespace root\Microsoft\Windows\DeviceGuard

    AvailableSecurityProperties                  : {1, 2, 3}
    CodeIntegrityPolicyEnforcementStatus         : 1
    InstanceIdentifier                           : 4ff40742-2649-41b8-bdd1-e80fad1cce80
    RequiredSecurityProperties                   : {1, 2}
    SecurityServicesConfigured                   : {1, 2}
    SecurityServicesRunning                      : {1, 2}
    UsermodeCodeIntegrityPolicyEnforcementStatus : 1
    Version                                      : 1.0
    VirtualizationBasedSecurityStatus            : 2
    PSComputerName                               :

4. @Thanos Titan, I am having the opposite problem. I *want* the driver not to load :-)

5. I've looked through the suggested logs, but there's no mention of a problem loading the driver. I do see a bunch of problems mentioned about loading DLLs. I'm posting an example:

    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
      <System>
        <Provider Name="Microsoft-Windows-CodeIntegrity" Guid="{4EE76BD8-3CF4-44A0-A0AC-3937643E37A3}" />
        <EventID>3076</EventID>
        <Version>2</Version>
        <Level>4</Level>
        <Task>18</Task>
        <Opcode>118</Opcode>
        <Keywords>0x8000000000000000</Keywords>
        <TimeCreated SystemTime="2018-05-24T07:08:35.805164700Z" />
        <EventRecordID>39463</EventRecordID>
        <Correlation ActivityID="{D4C6ECA0-F0F6-0001-DC9A-C7D4F6F0D301}" />
        <Execution ProcessID="9804" ThreadID="1616" />
        <Channel>Microsoft-Windows-CodeIntegrity/Operational</Channel>
        <Computer>DESKTOP-SKRBIFU</Computer>
        <Security UserID="S-1-5-18" />
      </System>
      <EventData>
        <Data Name="FileNameLength">51</Data>
        <Data Name="File Name">\Device\HarddiskVolume4\Windows\SysWOW64\rpcnet.dll</Data>
        <Data Name="ProcessNameLength">52</Data>
        <Data Name="Process Name">\Device\HarddiskVolume4\Windows\SysWOW64\svchost.exe</Data>
        <Data Name="Requested Signing Level">2</Data>
        <Data Name="Validated Signing Level">4</Data>
        <Data Name="Status">3236495362</Data>
        <Data Name="SHA1 Hash Size">20</Data>
        <Data Name="SHA1 Hash">D032BA8EB8F0E62AD53F7412ACD5DC9BB41E21D2</Data>
        <Data Name="SHA256 Hash Size">32</Data>
        <Data Name="SHA256 Hash">EA0BD8041C904A54514CD9483EB0E7AFFF53883F74550D27A8BA06AB99F6DD22</Data>
        <Data Name="USN">744392416</Data>
        <Data Name="SI Signing Scenario">1</Data>
        <Data Name="PolicyNameLength">7</Data>
        <Data Name="PolicyName">Default</Data>
        <Data Name="PolicyIDLength">7</Data>
        <Data Name="PolicyID">Default</Data>
        <Data Name="PolicyHashSize">64</Data>
        <Data Name="PolicyHash">5CAF2E26ABD726B293937F0092883B3B04C0DB80EF854454297C3DC686FC8CD10000000000000000000000000000000000000000000000000000000000000000</Data>
      </EventData>
    </Event>

    Code Integrity determined that a process (\Device\HarddiskVolume4\Windows\SysWOW64\svchost.exe) attempted to load \Device\HarddiskVolume4\Windows\SysWOW64\rpcnet.dll that did not meet the Enterprise signing level requirements or violated code integrity policy. However, due to code integrity auditing policy, the image was allowed to load.

6. Thanks to everyone who tried helping. Does anyone have any other suggestions?
  Message 8 of 10  
24 May 18 03:31
Jhon Doe
xxxxxx@gmail.com
Join Date: 22 May 2018
Posts To This List: 4
Signature enforcement in windows 10

Also, forgot to mention, that my driver doesn't specify a load order group, if that matters.
  Message 9 of 10  
24 May 18 17:37
Alan Adams
xxxxxx@novell.com
Join Date: 20 Dec 2010
Posts To This List: 31
Signature enforcement in windows 10

If I embed-sign a SERVICE_SYSTEM_START non-PnP SERVICE_KERNEL_DRIVER using just my post-July 2015-issued SHA256 certificate (no Microsoft embedded signature), indeed that driver will not load on a Windows 10 Pro 1803 x64 clean (non-upgrade) installation where Secure Boot is enabled. As expected, and seemingly the opposite of what you're seeing.

There are no details in the regular System event log when this happens; just a generic non-Error "Information" from Service Control Manager saying that "The following boot-start or system-start driver(s) did not load". I do also happen to have additional non-PnP drivers with DependOnService configurations against this driver, and Service Control Manager reports Event 7001 errors for being unable to resolve those dependencies, but the details are simply "A device on the system is not functioning."

The CodeIntegrity event log that Gabe Jones pointed to was more helpful, and has an Event 3004 error citing "Windows is unable to verify the image integrity of the file <path> because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source."

Your original assertion was "on a fresh windows 10 machine (version 1803)." Is it clear that the Microsoft documentation you linked to is saying that "upgrade" installations are exempt from this enforcement, and that by "fresh" you mean a bare-metal installation of 1803? Meaning it might subjectively be a "clean" installation of Windows, but if you upgraded to 1803 from any pre-1607 version of Windows 10, or upgraded to 1803 on a post-1607 version of Windows which itself originally had been upgraded from a pre-1607 version of Windows, Microsoft is intentionally allowing the Secure Boot requirement to remain un-enforced on that machine.

Alan Adams
Client for Open Enterprise Server
Micro Focus
xxxxx@microfocus.com
  Message 10 of 10  
24 May 18 17:46
Alan Adams
xxxxxx@novell.com
Join Date: 20 Dec 2010
Posts To This List: 31
Signature enforcement in windows 10

> Microsoft is intentionally allowing the Secure Boot requirement to
> remain un-enforced on that machine.

I do mean "the driver signature requirement related to having Secure Boot enabled", of course.

I should have also mentioned that on this Windows 10 Pro 1803 x64 non-upgrade installation, the CodeIntegrity log starts with an informational Event 3084, "Code Integrity will enable WHQL driver enforcement for this boot session. Settings 0x0. Exemption 1."

Alan Adams
Client for Open Enterprise Server
Micro Focus
xxxxx@microfocus.com
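The checks this thread walks through (Secure Boot state, Win32_DeviceGuard, the driver's start type, the CodeIntegrity 3004/3076/3084 events and the Service Control Manager 7001 errors), gathered into one script so the "why did this driver load?" question can be answered from the machine itself. This is an added example, not code from the thread; the service name is a placeholder, and SCM event 7026 (the "boot-start or system-start driver(s) did not load" entry Alan quotes) is the one event ID assumed here rather than quoted by number above.

```powershell
# Added example: summarise the signals discussed in this thread for one kernel driver service.
# Assumes Windows 10 1607 or later and an elevated prompt. Save as Check-DriverCI.ps1.
param([string]$DriverName = 'mydriver')   # placeholder: service name under HKLM\SYSTEM\CurrentControlSet\Services

$startTypes = @{ 0 = 'BOOT_START'; 1 = 'SYSTEM_START'; 2 = 'AUTO_START'; 3 = 'DEMAND_START'; 4 = 'DISABLED' }

# 1. Firmware and VBS state, as the original poster pasted them. Confirm-SecureBootUEFI throws on legacy BIOS.
$secureBoot = $null
try { $secureBoot = Confirm-SecureBootUEFI } catch { }
$dg = Get-CimInstance -ClassName Win32_DeviceGuard -Namespace root\Microsoft\Windows\DeviceGuard

# 2. How the driver is registered. Start type matters because boot-start drivers are not enforced (message 4/5).
$svc = Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\$DriverName" -ErrorAction SilentlyContinue

# 3. Only events from the current boot session, so a stale 3084 from an earlier boot is not misread.
$boot = (Get-CimInstance Win32_OperatingSystem).LastBootUpTime
$ci = Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-CodeIntegrity/Operational'; Id = 3004, 3076, 3084; StartTime = $boot
} -ErrorAction SilentlyContinue
$scm = Get-WinEvent -FilterHashtable @{
    LogName = 'System'; ProviderName = 'Service Control Manager'; Id = 7001, 7026; StartTime = $boot
} -ErrorAction SilentlyContinue

# 3084 states whether WHQL enforcement is on for this session; an "Exemption" value explains why an
# embed-signed-only driver still loads (upgrade lineage from pre-1607, as message 9 describes).
$whql    = $ci | Where-Object Id -eq 3084 | Select-Object -First 1 -ExpandProperty Message
$blocked = $ci | Where-Object { $_.Id -eq 3004 -and $_.Message -like "*$DriverName*" }   # real refusals
$audited = $ci | Where-Object Id -eq 3076                                              # audit-mode "allowed anyway"

[pscustomobject]@{
    SecureBootEnabled          = $secureBoot
    VbsStatus                  = $dg.VirtualizationBasedSecurityStatus    # 2 = running
    CodeIntegrityEnforcement   = $dg.CodeIntegrityPolicyEnforcementStatus # 1 = audit only, 2 = enforced
    DriverStartType            = if ($svc) { $startTypes[[int]$svc.Start] } else { 'service key not found' }
    DriverImagePath            = $svc.ImagePath
    WhqlEnforcementThisSession = $whql
    HashNotFound3004ForDriver  = $blocked.Count
    AuditOnly3076Count         = $audited.Count
    ScmDriverLoadFailures      = ($scm | Where-Object Message -like "*$DriverName*").Count
}
```

An audit-only CodeIntegrityPolicyEnforcement value of 1, as in the original poster's output, together with 3076 entries and no 3004 for the driver, is consistent with the "allowed to load" wording in the event he quoted.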