How to force Authenticode Verification when loading a User Mode .EXE

Hi,

New here, and have a question about Authenticode verification for signed user-mode code. I know this community is all about kernel driver development, but given that you pretty much have to code sign all your drivers, I thought I would ask my question here as I am hoping that someone here has seen a similar issue when signing their code - even though I am only dealing with a user-mode application.

I must be missing something. I have a trivial hello world Windows C++ user-mode console app (.EXE) that has been compiled for Release mode with the linker /integritycheck switch. This sets the IMAGE_DLLCHARACTERISTICS_FORCE_INTEGRITY flag in the PE header. It is my understanding that this is supposed to force the Windows loader to verify the .EXE before execution.

If I attempt to run the application from the command line I get The system cannot execute the specified program as expected - since (I presume) the loader is attempting to verify an .EXE that has not been Authenticode code signed.

So I then sign the code using signtool.exe with a valid CA-acquired code signing certificate (that I paid good money for) using a command line similar to:

signtool.exe sign /f "MyCodeSignCert.pfx" /p password /t http://timestamp.digicert.com/authenticode /v /ph /fd sha256 helloworld.exe

I verify the code is properly signed with:

signtool.exe verify /pa helloworld.exe

and I am able to see the Digital Signatures tab on the signed helloworld.exe when I right-click it in Windows Explorer and view the signature details and view the certificate.

However, any attempt to run the helloworld.exe from the command line continues to result in:

The system cannot execute the specified program.

If I double-click the .EXE from Windows Explorer I get a bit more information:

Windows cannot verify the digital signature for this file. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be a malicious software from an unknown source.

If I recompile and relink the .EXE without the /integritycheck linker switch, the .EXE loads and runs correctly as expected, regardless of whether it is signed or not.

FYI, I built (using Microsoft Visual Studio) and tested the .EXE on 2 separate machines - Windows 8.1 and Windows Server 2016. In both of these environments Windows Defender is not running. In case it mattered (I don’t see why it should) I even installed the code signing certificate on both machines and tried rerunning the .EXE, with no difference in outcome.

Finally, I copied the helloworld.exe to a Windows 10 machine on which Windows Defender is running, and double-clicked it from Windows Explorer and received the following pop-up message:

Your organization used Windows Defender Application Control to block this App…Contact your support person for more info.

All I am trying to do is mark an .EXE in such a way as to force Windows to always verify its digital signature whenever it is loaded for execution. Any thoughts on what I might be doing wrong or how to achieve this?

Thanks,
Rod
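The two things the post is juggling are both visible in the PE headers: the IMAGE_DLLCHARACTERISTICS_FORCE_INTEGRITY bit that /integritycheck sets in the optional header's DllCharacteristics field, and the Security data directory (index 4) that signtool fills in when it embeds an Authenticode signature. The following script, added here as an illustration and not part of the original post or of any Microsoft tool, reads both fields directly from the file so you can confirm what state a binary is in before wondering why the loader rejects it. It builds a header-only PE image in memory as constructed test input; the offsets and flag values are from the published PE format, while the helper names (inspect_pe, build_minimal_pe, loader_expectation) are my own. Note the caveat the script itself spells out: the presence of a certificate table only tells you a signature is embedded, not that the loader will accept the chain it carries.

```python
import struct

# Constants from the PE/COFF specification.
IMAGE_DLLCHARACTERISTICS_FORCE_INTEGRITY = 0x0080   # set by link.exe /integritycheck
IMAGE_DIRECTORY_ENTRY_SECURITY = 4                  # Authenticode certificate table
PE32_MAGIC = 0x10B
PE32PLUS_MAGIC = 0x20B


def inspect_pe(data: bytes) -> dict:
    """Parse the PE headers of an image and report the FORCE_INTEGRITY flag
    and whether an embedded Authenticode certificate table is present."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                       # IMAGE_FILE_HEADER starts here
    size_of_optional = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20                           # IMAGE_OPTIONAL_HEADER starts here
    if opt + size_of_optional > len(data):
        raise ValueError("optional header runs past end of file")
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == PE32_MAGIC:
        dd_base = opt + 96                    # first data directory (PE32)
    elif magic == PE32PLUS_MAGIC:
        dd_base = opt + 112                   # first data directory (PE32+)
    else:
        raise ValueError(f"unknown optional header magic {magic:#x}")
    # DllCharacteristics sits at offset 70 in both PE32 and PE32+ optional headers.
    dll_chars = struct.unpack_from("<H", data, opt + 70)[0]
    num_dirs = struct.unpack_from("<I", data, dd_base - 4)[0]   # NumberOfRvaAndSizes
    cert_off = cert_size = 0
    if num_dirs > IMAGE_DIRECTORY_ENTRY_SECURITY:
        # For the Security directory the first field is a raw file offset, not an RVA.
        cert_off, cert_size = struct.unpack_from(
            "<II", data, dd_base + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY)
    has_cert = cert_off != 0 and cert_size != 0 and cert_off + cert_size <= len(data)
    return {
        "pe32plus": magic == PE32PLUS_MAGIC,
        "force_integrity": bool(dll_chars & IMAGE_DLLCHARACTERISTICS_FORCE_INTEGRITY),
        "has_cert_table": has_cert,
        "cert_offset": cert_off,
        "cert_size": cert_size,
    }


def loader_expectation(info: dict) -> str:
    """Summarise what the header state implies, matching the behaviour the post
    observed: the flag alone does nothing; flag without signature is refused;
    flag with signature still means the loader validates the chain."""
    if not info["force_integrity"]:
        return "no FORCE_INTEGRITY flag: loader does not require a signature"
    if not info["has_cert_table"]:
        return "FORCE_INTEGRITY set but no embedded signature: loader refuses to start it"
    return "FORCE_INTEGRITY set and signature embedded: loader still validates the chain"


def build_minimal_pe(dll_chars: int, with_cert: bool, pe32plus: bool = False) -> bytes:
    """Constructed sample: a header-only PE image (no code, not runnable) that
    exercises the parser. A real binary would come from open(path, 'rb').read()."""
    opt_size = 240 if pe32plus else 224       # optional header sizes incl. 16 data dirs
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, PE32PLUS_MAGIC if pe32plus else PE32_MAGIC)
    struct.pack_into("<H", opt, 70, dll_chars)
    dd_base = 112 if pe32plus else 96
    struct.pack_into("<I", opt, dd_base - 4, 16)                # NumberOfRvaAndSizes
    header_len = 0x40 + 4 + 20 + opt_size
    cert = b""
    if with_cert:
        cert = b"\0" * 8                                        # placeholder WIN_CERTIFICATE blob
        struct.pack_into("<II", opt, dd_base + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY,
                         header_len, len(cert))
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                     # e_lfanew
    coff = bytearray(20)
    struct.pack_into("<H", coff, 16, opt_size)                  # SizeOfOptionalHeader
    return bytes(dos) + b"PE\0\0" + bytes(coff) + bytes(opt) + cert


if __name__ == "__main__":
    for label, image in [
        ("plain build", build_minimal_pe(0x8140, with_cert=False)),
        ("/integritycheck, unsigned", build_minimal_pe(0x81C0, with_cert=False)),
        ("/integritycheck, signed (x64)", build_minimal_pe(0x81C0, with_cert=True, pe32plus=True)),
    ]:
        info = inspect_pe(image)
        print(f"{label}: {info} -> {loader_expectation(info)}")
```

To check a real file, replace the constructed images with `inspect_pe(open("helloworld.exe", "rb").read())`; a result of force_integrity True and has_cert_table False is exactly the unsigned case that produced "The system cannot execute the specified program" above, while True/True only confirms that a signature blob is embedded and leaves chain validation to the loader.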