Created a storage adapter for the Windows Biometric Framework but unable to install and load it.

I have created a storage adapter for the Windows Biometric Framework. I added the related keys and parameters in the registry at Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USB\VID_1162&PID_2200\5&376aba2d&0&9\Device Parameters\WinBio\Configurations and Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WbioSrvc\Databases. I copied the DLL of my storage adapter into the C:\WINDOWS\SYSTEM32\WINBIOPLUGINS directory. I tried to load the storage adapter in the biometric session using winbio.dll’s WinBioOpenSession method. I am getting the following errors:

  1. In the biometric event log: “The Windows Biometric Service failed to load an adapter binary: C:\WINDOWS\SYSTEM32\WINBIOPLUGINS\STORAGEADAPTER.DLL.The module was not properly signed”.

  2. In the CodeIntegrity event log: “Windows is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\System32\WinBioPlugIns\StorageAdapter.dll because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.”

I searched for information on the internet about the above errors and found that the DLL must be signed to install and load. So I tried both test-signing and release-signing (with GoDaddy’s driver signing certificate), but I am still getting the same errors. The only thing I failed to do is to sign my DLL with a cross certificate, and that is because I am unable to find the appropriate cross certificate for my driver signing certificate.

Query: Is it necessary to sign the DLL with both a cross certificate and a driver signing certificate, or is signing with only a driver signing certificate sufficient to install it on Windows?

Note: Please let me know if I have missed something here or am not following the correct process to load a custom storage adapter in the biometric session.

If your computer has “secure boot” set in the BIOS, then you cannot sign your own kernel drivers. You must submit them to Microsoft for their signature, either through the WHQL/HCK/HLK process or through the simpler “attestation signing” process.

If this is your own computer for testing, then you can turn off “secure boot”. Once you do that, drivers signed and cross-signed the traditional way will work.

2 Likes
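A diagnostic sketch for the situation discussed above, added here as an example and not part of any post in the thread: it reports the Secure Boot state, the Authenticode status and certificate chain of the adapter DLL, and recent events that mention it. The DLL path is the one quoted in the question; the two event log channel names are assumptions based on the logs the question refers to.

```powershell
# Added diagnostic example; run from an elevated PowerShell prompt.
# Path taken from the event log message quoted in the question.
$dll = 'C:\Windows\System32\WinBioPlugIns\StorageAdapter.dll'

# 1. Secure Boot state. Confirm-SecureBootUEFI throws on legacy BIOS systems
#    and when the session is not elevated, so handle those cases separately.
try {
    $secureBoot = [string](Confirm-SecureBootUEFI -ErrorAction Stop)
} catch [System.PlatformNotSupportedException] {
    $secureBoot = 'False (not a UEFI system)'
} catch {
    $secureBoot = "unknown ($($_.Exception.Message))"
}
"Secure Boot enabled : $secureBoot"

# 2. Authenticode status of the adapter and the chain Windows builds for it.
$sig = Get-AuthenticodeSignature -FilePath $dll
"Signature status    : $($sig.Status) - $($sig.StatusMessage)"
if ($sig.SignerCertificate) {
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'   # keep the check offline
    [void]$chain.Build($sig.SignerCertificate)
    # Leaf first, root last: shows which issuer the signature chains up to.
    $chain.ChainElements | ForEach-Object {
        '  {0}  (expires {1:yyyy-MM-dd})' -f $_.Certificate.Subject, $_.Certificate.NotAfter
    }
    $chain.ChainStatus | ForEach-Object { "  chain status: $($_.Status)" }
}

# 3. Recent events mentioning the DLL. Channel names are assumed to be the
#    operational logs behind the two messages quoted in the question.
$logs = 'Microsoft-Windows-CodeIntegrity/Operational',
        'Microsoft-Windows-Biometrics/Operational'
foreach ($log in $logs) {
    Get-WinEvent -LogName $log -MaxEvents 200 -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -like '*StorageAdapter.dll*' } |
        Select-Object -First 5 TimeCreated, Id, LogName, Message |
        Format-List
}
```

A `Valid` status from `Get-AuthenticodeSignature` reflects user-mode Authenticode trust only; the Code Integrity log entries are the record of what the loader actually decided for the file.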

@Tim_Roberts Thank you for the quick reply. I will definitely try these options.