APO Signing and Installation

Hi Everyone,

First of all, I would like to thank this great community which helped me learn driver development and had answers to many question I couldn’t figure out. Unfortunately I’m struggling with a new problem and I couldn’t find any answers to it after searching thoroughly and hence my first question submission.

For our new project, we are designing an APO to be installed with our software. Equalizer APO helped me a lot in designing and coding our APO: https://sourceforge.net/projects/equalizerapo/
So our APO is quite similar to that.

I wanted to make our APO work in Vista and later operating systems so the APO will run as LFX/GFX APO since SFX/MFX/EFX isn’t avaiable earliear than 8.1. Everything works fine during development by using DisableProtectedAudioDG = 0 flag in registry. Only problem left now is the installation where I started to get problems. Let me summarize my installation+signing steps:

1. Build APO dll for x86 and x64 OS.
2. Sign DLLs with our company’s EV certificate, build a cab file, get the microsoft do the attestation signing. (To be honest I have no idea how that should be done, for our filter drivers these are the steps I follow, so I assumed it would be similar).
3. Now the DLL is signed, for the installation I simply copy the DLL to our program’s folder. Use regsvr32 to register the DLL.
4. In the settings of our applications, users can choose the devices they want to use the APO with. This updates MMDevice registry settings to put our APO as GFX to chosen device.

Now if I have DisableProtectedAudioDG = 0 , it works without any issues. But once I remove this flag and restart, audio engine can’t load our DLL. No sound comes for a couple of seconds and then I think it ignores APO from there on. I’ve tried to trace the problem. In the event viewer security logs, I saw an error message (6281):

Code Integrity determined that the page hashes of an image file are not valid. The file could be improperly signed without page hashes or corrupt due to unauthorized modification.

I think the issue might be with the signatures or how the dll is installed. INF file of the DLL:

[Version]
Class=MEDIA
ClassGUID={4d36e96c-e325-11ce-bfc1-08002be10318}
signature="$Windows NT$"
Provider = %Provider%
DriverVer=04/29/2019,1.0.0

CatalogFile=myapo32.cat

[SourceDisksNames]
1 = %DiskId1%,,,""

[SourceDisksFiles]
myapo32.dll = 1,,

[SignatureAttributes]
myapo32.dll=SignatureAttributes.PETrust
myapo32.dll=SignatureAttributes.DRM
[SignatureAttributes.DRM]
DRMLevel=1300
[SignatureAttributes.PETrust]
PETrust=true

[DestinationDirs]
DefaultDestDir = 11

[Manufacturer]
%MfgName%=testing.section

[testing.section]

[Strings]
Provider = "Testing"
MfgName="Testing"
DiskId1 = "" 

As you can see, INF file is quite simple. I only used INF file to create a submission for attestation signing. Maybe I should use it to install the DLL, but I’m not sure how. For our other kernel mode drivers, we have DDInstall etc. in the INF file which we use through SetupAPI to install. But I’m not sure how to install from Manufacturer (testing.section) by using SetupAPI functions, as the right click and choosing “Install” from INF file isn’t supported without DDInstall section or something along these lines I guess?

Any help, suggestion is much appreciated, thank you for all your time and reading my post.

Regards,
Yusuf Tas

Does your DLL have an embedded manifest? Having an embedded manifest triggers certain calls that aren’t allowed in the protected Audio Engine. You may have to adjust the project properties to disable the manifest.

Ordinarily, I would route you to the [wdmaudiodev] mailing list, which is where the cool audio guys hang out, but what you are doing is in direct contradiction to the Microsoft guidelines for APOs. You are not allowed to have “general purpose” APOs; each APO must be associated with a specific audio device, and installed with the driver package for that device.

Hi Tim,

Thank you for your response. Yes I disabled manifest embedding as it is described in Microsoft documentation.

I decided to use Setup API to install it as a driver package. After a bit testing and modification, I managed to install it with Setup API. I actually finally managed to make it work in W10. It was installed without a problem and Audio Engine didn’t complain, so it is fixed now for W10.

But once I got back to testing it in W7, it still failed to install and load. I checked setup api logs and found an error message:

Error 0xe0000244: The software was tested for compliance with Windows Logo requirements on a different version of Windows, and may not be compatible with this version.

And after the error, it assumed the driver doesn’t contain a signature. So it seems, W7 failed to recognize/read the signatures. We might be doing something wrong with Windows signing part. But we have a couple of other WDM filter drivers and we followed the same signing procedures as far as I know. These signatures worked in W7,8,10 without any problems. Only noticeable difference between signatures of these filter drivers and this APO dll is we added these signature attributes to INF:

[SignatureAttributes]
myapo32.dll=SignatureAttributes.PETrust
myapo32.dll=SignatureAttributes.DRM
[SignatureAttributes.DRM]
DRMLevel=1300
[SignatureAttributes.PETrust]
PETrust=true

I followed WDK’s sysvad sample to add these attributes. I don’t think these would cause a problem in W7, as far as I know DRM was introduced with Vista. Please let me know if you know anything related to this signature problem.

And regarding your second point, we were initially unsure about it but couldn’t really find any other way to implement this. For example, if someone doesn’t like the Equalizer that comes with Microsoft, is there any way to implement a new equalizer without using a generalized APO or a filter driver to intercept audio packets and modify them. And even the filter driver won’t work for HDAudio devices I think. Please let me know if there is any official way to implement this, I would happily follow it as I really don’t want to implement an unofficial/unsupported way.

Best regards,
Yusuf Tas