I have the latest Windows 10 with March 2021 updates. Microsoft Windows [Version 10.0.19042.867]
Edition doesn't matter, it happens on Home, Pro N. Bitness doesn't matter either, x86 or x64.
It's a stock Windows installed from official ISO, no other programs installed.
I have a simple exe-file; it basically does nothing and is just an empty stub. It's signed with a GlobalSign EV SHA-256 code signature.
When I try to start the file the aforementioned Windows shows "Your organization used Windows Defender Application Control to block this app" screen.
In Event Viewer->Windows Logs->Security I can see a message "Code integrity determined that the image hash of a file is not valid. The file could be corrupt due to unauthorized modification or the invalid hash could indicate a potential disk device error."
signtool verify /v /pa states that everything is OK. Signature in file properties is also OK.
It's a simple file, user-mode, console, does nothing. Old versions like Windows 7, 8, the first 10 - they all start the file OK. But this new Windows 10 refuses to run it.
Disabling Windows Defender or Secure Boot doesn't help. Signing with /ph option doesn't help either. The only thing that helps is disabling /INTEGRITYCHECK linker option. But some files in my product require this option. Besides I couldn't find anywhere that having this flag set enforces some extra/more strict checks than just a mandatory standard signature check.
Debugging the kernel didn't show much, CiEvaluatePolicyInfo is the one failing and failing quite early. I suspect that this INTEGRITYCHECK enforces not a standard signature check, but a heavy one like for drivers that require DevPortal MS signature. But I couldn't find this behavior documented anywhere. Maybe it's some kind of WDAC policy, but everything is default and I couldn't find any default policy that could explain this.
Has anyone faced a similar issue?
I can upload the signed file, just not sure that doesn't break any rules.
Thank you for your time and help.
P.S. I do realize it's not exactly a driver question, but the code signing questions discussed here are among the best on the Internet. So I silently hope this one will slide.