Windows System Software -- Consulting, Training, Development -- Unique Expertise, Guaranteed Results

Home NTDEV
Before Posting...
Please check out the Community Guidelines in the Announcements and Administration Category.

More Info on Driver Writing and Debugging


The free OSR Learning Library has more than 50 articles on a wide variety of topics about writing and debugging device drivers and Minifilters. From introductory level to advanced. All the articles have been recently reviewed and updated, and are written using the clear and definitive style you've come to expect from OSR over the years.


Check out The OSR Learning Library at: https://www.osr.com/osr-learning-library/


Problems with Win7 Signing

SystemSystem Member Posts: 3
This discussion was created from comments split from: Microsoft: No More Updates Allowed for Drivers on Win 7, Win 8, Win 8.1.

Comments

  • Gabe_JonesGabe_Jones Member Posts: 83

    @Tim_Roberts said:
    Well, attestation-signed driver BINARIES will load just fine, as long as they don't need an INF. Filter drivers and "legacy" service-based drivers are good. If you need an INF, then you're screwed, because you can't INSTALL the driver -- the CAT file that attestation signing creates lists only Windows 10. The installation will fail with "this driver was not designed for this version of Windows".

    This was always my understanding, but I wanted to go back to confirm it for the INF case. (I didn't bother testing the legacy case, as I see no reason why it wouldn't work. It's just a standard WHQL signature with the one additional EKU.) On Windows 8.1, it is entirely the case that a driver with an INF completely fails installation. The relevant snippets from setupapi.dev.log:

    !    sig:                Verifying file against specific (valid) catalog failed! (0xe0000244)
    !    sig:                Error 0xe0000244: The software was tested for compliance with Windows Logo requirements on a different version of Windows, and may not be compatible with this version.
         sig:           {_VERIFY_FILE_SIGNATURE exit(0xe0000244)} 11:42:56.102
         sig:           {_VERIFY_FILE_SIGNATURE} 11:42:56.102
         sig:                Key      = mydriver.inf
         sig:                FilePath = C:\Windows\System32\DriverStore\Temp\{6a9b5cc6-b1dd-f340-835d-c46d4af6a0be}\mydriver.inf
         sig:                Catalog  = C:\Windows\System32\DriverStore\Temp\{6a9b5cc6-b1dd-f340-835d-c46d4af6a0be}\mydriver.cat
    !    sig:                Verifying file against specific (valid) catalog failed! (0xe0000244)
    !    sig:                Error 0xe0000244: The software was tested for compliance with Windows Logo requirements on a different version of Windows, and may not be compatible with this version.
         sig:           {_VERIFY_FILE_SIGNATURE exit(0xe0000244)} 11:42:56.102
    !!!  sig:           An unexpected error occurred while validating driver package. Catalog = mydriver.cat, Error = 0xE0000244
    !!!  sig:           Driver package is considered unsigned, and Code Integrity is enforced.
    !!!  sig:           Driver package failed signature validation. Error = 0xE0000244
         sto:      {DRIVERSTORE IMPORT VALIDATE: exit(0xe0000244)} 11:42:56.112
    !!!  sig:      Driver package failed signature verification. Error = 0xE0000244
    !!!  sto:      Failed to import driver package into Driver Store. Error = 0xE0000244
    


    On Windows 7, though, you get the wonderful red dialog box which allows you to proceed if you wish.





    Proceeding seems to work. The driver loads. The "Digital Signer" field in the Driver pane of the device properties shows "Not digitally signed." It's exceedingly ugly, but it looks like an attested signed driver may work on Win7 in a pinch.

    !    sig:                Verifying file against specific (valid) catalog failed! (0xe0000244)
    !    sig:                Error 0xe0000244: The software was tested for compliance with Windows Logo requirements on a different version of Windows, and may not be compatible with this version.
         sig:           {_VERIFY_FILE_SIGNATURE exit(0xe0000244)} 09:11:18.836
         sig:           {_VERIFY_FILE_SIGNATURE} 09:11:18.836
         sig:                Key      = mydriver.inf
         sig:                FilePath = C:\Windows\System32\DriverStore\Temp\{30dd0941-8794-34a7-1271-ed27f9fe4059}\mydriver.inf
         sig:                Catalog  = C:\Windows\System32\DriverStore\Temp\{30dd0941-8794-34a7-1271-ed27f9fe4059}\mydriver.cat
    !    sig:                Verifying file against specific (valid) catalog failed! (0xe0000244)
    !    sig:                Error 0xe0000244: The software was tested for compliance with Windows Logo requirements on a different version of Windows, and may not be compatible with this version.
         sig:           {_VERIFY_FILE_SIGNATURE exit(0xe0000244)} 09:11:18.836
    !!!  sto:           An unexpected error occurred while validating driver package. Assuming that driver package is unsigned. Catalog = mydriver.cat, Error = 0xE0000244
    !    sto:           Driver package is considered unsigned, but user wants to install driver package anyway.
    
  • DavidXanatosDavidXanatos Member Posts: 16

    I'm running into this problem right now as well...

    I ran the HCK and HLK tests on my driver and got a signed file back from MSFT but the file does not load on windows 7.
    I don't need an inf file my tool sets up the service entry and voila, but windows still refuses to load the signed driver.
    I tried booth 64 and 32 bit versions of my driver.

    Any help would be greatly appriciated.

    Also are you saying that a attestation signed w10 driver binary would be loaded on w7?
    In that case I should try just attestation signing and no tests...

  • Gabe_JonesGabe_Jones Member Posts: 83

    @DavidXanatos said:
    I ran the HCK and HLK tests on my driver and got a signed file back from MSFT but the file does not load on windows 7.
    I don't need an inf file my tool sets up the service entry and voila, but windows still refuses to load the signed driver.
    I tried booth 64 and 32 bit versions of my driver.

    Also are you saying that a attestation signed w10 driver binary would be loaded on w7?
    In that case I should try just attestation signing and no tests...

    I think you'd be better served figuring out why the Microsoft-signed driver that passed the HCK does not load on Windows 7. Does the same driver work on Win8.1 or Win10? When you say it refuses to load it, what happens? Yellow bang in device manager? Anything interesting in setupapi.dev.log or Event Viewer?


    Have you installed all Windows Updates? In particular, is KB3033929 installed?

  • DavidXanatosDavidXanatos Member Posts: 16

    Yes KB3033929 was installed, I haven't try windows 8
    when i try to start it i just get an error:
    net start sbiedrv
    Systemfehler 577 aufgetreten.
    and a text in german as my os is german that the signature of the driver is not correct.

    Its a software only driver no hardware attached and it hence does not appear in device manager.

  • Gabe_JonesGabe_Jones Member Posts: 83

    Anything in the Windows Application or System event logs? The CodeIntegrity log?

    Just to make sure: No INF or CAT file, correct? If you look at the Digital Signatures under properties for the .sys file, is there anything interesting? Does this sys file have any other dependencies that may not have been signed properly?

  • DavidXanatosDavidXanatos Member Posts: 16

    The system log just says that it failed to load a driver with the error 577
    the app log does nto show anything
    the code integrity log says event 3002 integrity couldn't be verifyed
    yes no cat no inf

    Digital Signatures under properties for the .sys file

    There is the msft signature and it says valid,
    strangely there is still also the test signing signature as well.

    the driver does nto have any dependencies other than ntdll.dll

  • Mark_RoddyMark_Roddy Member - All Emails Posts: 4,393
    via Email
    Win7 has to have the updates installed to support sha-2, you did that,
    right?

    Mark Roddy
  • DavidXanatosDavidXanatos Member Posts: 16

    @Mark_Roddy said:
    Win7 has to have the updates installed to support sha-2, you did that,
    right?

    Mark Roddy

    Yes and I double checked that its on, and i can see the sha246 cert in the file properties, IIRC without that update it wouldn't show them only the sha1 once

  • Gabe_JonesGabe_Jones Member Posts: 83

    @DavidXanatos said:
    There is the msft signature and it says valid,
    strangely there is still also the test signing signature as well.

    Is the test signature listed first? I suspect that Win7 is finding the test signature first in the list, trying it, and failing because you aren't in test signing mode. Try signing it with a production signature (or, better, no signature at all) and resubmitting for the Microsoft signature.

  • DavidXanatosDavidXanatos Member Posts: 16
    edited December 2020

    @Gabe_Jones said:

    @DavidXanatos said:
    There is the msft signature and it says valid,
    strangely there is still also the test signing signature as well.

    Is the test signature listed first? I suspect that Win7 is finding the test signature first in the list, trying it, and failing because you aren't in test signing mode. Try signing it with a production signature (or, better, no signature at all) and resubmitting for the Microsoft signature.

    Yes that may in deed be a problem although on 10 it it wasn't one, can I remove the test signature or will that than break the MSFT one?

    Can I remove the signature from the original sys and submit it without running all the tests?
    Do I need to rerun all the tests to submit the driver without the test sig? I mean I cant run tests it without a test sig so it should be possible to get the test signed driver after testing strip the test sig ans submit it right?

  • DavidXanatosDavidXanatos Member Posts: 16

    Where do I find the attestation signign option? There is a checkbox called so when I normally upload the hlk results but i thought attestation is without any testing so there should be an option to just upload the sys?

  • DavidXanatosDavidXanatos Member Posts: 16

    I have released the driver for windows 10 only: https://github.com/sandboxie-plus/Sandboxie/releases/tag/v0.5.0
    but no solution for windows 7,
    does anyone here actually managed to get a windows 7 driver using the WHQL route instead of crisscrossing?

  • Peter_Viscarola_(OSR)Peter_Viscarola_(OSR) Administrator Posts: 8,253

    I think what Mr. Jones said earlier is right:

    I think you'd be better served figuring out why the Microsoft-signed driver that passed the HCK does not load on Windows 7.

    This can’t just “not work.” Drivers passed WHQL and were signed and loaded properly... even after the release of Win7.

    If you passed the HCK for Win7, and the driver is signed by WHQL for Win 7, and the driver does not load on Win 7... that’s the problem for you to figure out. At the very least you coild open a case with WDK support.

    Peter

    Peter Viscarola
    OSR
    @OSRDrivers

  • DavidXanatosDavidXanatos Member Posts: 16

    At the very least you coild open a case with WDK support.

    Peter

    And how do I do that?
    I tried emailing [email protected] but that email seams not longer valid.
    Do I need to open a busyness support ticket? Ist that free of charge?

  • DavidXanatosDavidXanatos Member Posts: 16

    That page sends me to a page that sends me no were where I could reach a human being at MSFT.
    What options should I select to get my issue seen by a real person at MSFT?

  • Peter_Viscarola_(OSR)Peter_Viscarola_(OSR) Administrator Posts: 8,253

    It sends me to "Support for Business" which will eventually get you to the WDK Support Group... which is who you need to deal with.

    I mean... what are you expecting? You want somebody you can call on the phone who'll listen to you and walk you through possible solutions? I'm thinkiin' that's not likely... unless your company has Premier Support, in which case you can call your TAM who's basically paid to listen to your problems, empathize, and perhaps even route an email to the appropriate support team.

    Peter

    Peter Viscarola
    OSR
    @OSRDrivers

  • DavidXanatosDavidXanatos Member Posts: 16

    @Peter_Viscarola_(OSR) said:
    I mean... what are you expecting?

    Peter

    An email address or contact form that is read directly by the WDK Support Group would be appropriate.

    I don't even know what to select in this "Support for Business" form,
    developer tools don't sem right,
    Windows when I select windows 7 tels me no support without an ESU,
    And when I select partner center I don't get anything that even remotely looks likeit may lead to the WDK Support.

  • Dan_TowerDan_Tower Member Posts: 17

    I'm having the same issue on Win7. My driver passed all the hck tests, then merged into the hlk package and submitted to whql. Passed and it installs on 8.1 and 10. On 7 it initially says the driver is signed when I select it via dev manager but get the same driver not signed error.
    I opened a support ticket through the hlk support portal. It's been almost a month now with no real status update.
    When QA first reported it asking them to make sure all updates were applied was the first thing I tried.

  • Peter_Viscarola_(OSR)Peter_Viscarola_(OSR) Administrator Posts: 8,253

    Interesting. Keep us posted, please.

    Peter

    Peter Viscarola
    OSR
    @OSRDrivers

  • david_mk85david_mk85 Member Posts: 8

    https://community.osr.com/discussion/292466/microsoft-no-more-updates-allowed-for-drivers-on-win-7-win-8-win-8-1/

    Is there any update on this? is the decision final? if so, Is Microsoft actively trying to push companies towards Linux or ..?

  • Peter_Viscarola_(OSR)Peter_Viscarola_(OSR) Administrator Posts: 8,253

    The battle continues...

    Peter

    Peter Viscarola
    OSR
    @OSRDrivers

Sign In or Register to comment.

Howdy, Stranger!

It looks like you're new here. If you want to get involved, click one of these buttons!

Upcoming OSR Seminars
OSR has suspended in-person seminars due to the Covid-19 outbreak. But, don't miss your training! Attend via the internet instead!
Writing WDF Drivers 7 Dec 2020 LIVE ONLINE
Internals & Software Drivers 25 Jan 2021 LIVE ONLINE
Developing Minifilters 8 March 2021 LIVE ONLINE