WDM driver can't be installed in Windows Server 2019 with error 0x80070002

Our product has had a WDM driver for several years, and it works well on all previous Windows versions. Recently we needed to upgrade to Windows 2019, which already has test mode turned on, but the setup API always fails with the error message “A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider.”

We mainly used the commands below to sign the driver:
makecert.exe -a sha256 -r -pe -n CN=$(DDKCertName) -sv $(DDKTestCertPath).pvk $(DDKTestCertPath).cer
inf2cat.exe /driver:$(DDKOutputDir) /os:ServerRS5_$(DDKInf2CatArch) /USELOCALTIME
SignTool.exe sign /f $(DDKTestCertPath) /p $(DDKOutputDir)$(Name).$(Ext)

We installed the generated cert to the root cert store and the trusted publisher store, and then called the setup API to install the driver to Windows.
We found it eventually copied the inf file to the C:\Windows\System32\DriverStore folder and the driver binary to the C:\Windows\System32\drivers folder after calling SetupCopyOEMInf(), but when calling the INetCfgClassSetup->install method, the driver service was not created; it just returned 0x80070002. However, we can create the service manually with sc create binPath=“C:\Windows\System32\drivers.sys” type=kernel, and it starts fine.

We also have two other NDIS filter drivers which are signed the same way, but they didn’t hit this issue.
Our environment is Windows Server 2019, build 17763, running on a VM.
Not sure why this happened; no log or event trace could be seen. Do you have any idea?

(A post by Mr. Roddy in reply to this topic was accidentally deleted when the question got snagged by the spam filters. I apologize to Mr. Roddy for the error.)

IIRC, the gist of Mr. Roddy’s post was that error 0x80070002 is STATUS_WAIT_2 and thus your problem is unlikely related to signing.

I’d add that you should check setupapi.dev.log — also that 0x80070002 can have many different meanings, depending on the facility returning the error. It can, for example, also mean “file not found.”

Peter

At the risk of correcting Mr Roddy, STATUS_WAIT_2 is just 0x00000002. According to the venerable and ancient “err” tool, 80070002 is always some form of “object not found”.

(well, to be clear: That was MY report of what I recalled of Mr. Roddy’s post… which very well may be in error.)

Nah my old eyes probably read an 8 where only a 0 existed.

@“Peter_Viscarola_(OSR)” said:
(A post by Mr. Roddy in reply to this topic was accidentally deleted when the question got snagged by the spam filters. I apologize to Mr. Roddy for the error.)

IIRC, the gist of Mr. Roddy’s post was that error 0x80070002 is STATUS_WAIT_2 and thus your problem is unlikely related to signing.

I’d add that you should check setupapi.dev.log — also that 0x80070002 can have many different meanings, depending on the facility returning the error. It can, for example, also mean “file not found.”

Peter

I watched the setupapi.dev.log, here is the error message:
dvi: Selected driver:
dvi: INF path C:\Windows\INF\oem4.inf
dvi: INF section Install
dvi: INF version 16.1.56.921
sig: {_VERIFY_FILE_SIGNATURE} 03:12:36.262
sig: Key = dserverdriver.sys
sig: FilePath = C:\Windows\system32\DRIVERS\dserverdriver.sys
sig: Catalog = C:\Windows\System32\DriverStore\FileRepository\iodriver.inf_amd64_63835d84e79a19cb\iodriver.cat
! sig: Verifying file against catalog ‘iodriver.cat’ failed.
! sig: Error 2: The system cannot find the file specified.
sig: {_VERIFY_FILE_SIGNATURE exit(0x00000002)} 03:12:36.262

It said it can’t find the file, but I checked that both the .sys and .cat files were in place, so I wonder why it prompts this message?

Do you have any experience with it?
Thanks
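
Added example (not part of any poster's message and not OSR or Microsoft code): a Python script that pulls the failing `_VERIFY_FILE_SIGNATURE` sections out of setupapi.dev.log text and shows how the Win32 error 2 in the log maps to the HRESULT 0x80070002 discussed earlier in the thread. The sample log is constructed from the excerpt above plus one made-up passing entry, and the function names are hypothetical.

```python
import re

# Constructed sample: the failing entry follows the excerpt quoted in the thread;
# the second, passing entry (example.sys) is made up for contrast.
SAMPLE_LOG = r"""
     sig: {_VERIFY_FILE_SIGNATURE} 03:12:36.262
     sig:      Key      = dserverdriver.sys
     sig:      FilePath = C:\Windows\system32\DRIVERS\dserverdriver.sys
     sig:      Catalog  = C:\Windows\System32\DriverStore\FileRepository\iodriver.inf_amd64_63835d84e79a19cb\iodriver.cat
!    sig:      Error 2: The system cannot find the file specified.
     sig: {_VERIFY_FILE_SIGNATURE exit(0x00000002)} 03:12:36.262
     sig: {_VERIFY_FILE_SIGNATURE} 03:12:36.300
     sig:      Key      = example.sys
     sig: {_VERIFY_FILE_SIGNATURE exit(0x00000000)} 03:12:36.301
"""

START = re.compile(r"sig:\s*\{_VERIFY_FILE_SIGNATURE\}")
FIELD = re.compile(r"sig:\s*(Key|FilePath|Catalog)\s*=\s*(.+?)\s*$")
EXIT = re.compile(r"sig:\s*\{_VERIFY_FILE_SIGNATURE exit\((0x[0-9a-fA-F]+)\)\}")

def hresult_from_win32(code):
    """Same mapping as the HRESULT_FROM_WIN32 macro: failure bit, facility 7."""
    return 0 if code == 0 else 0x80000000 | (7 << 16) | (code & 0xFFFF)

def decode_hresult(hr):
    """Split a 32-bit HRESULT into failure bit, 11-bit facility, 16-bit code."""
    return {"failure": bool(hr >> 31), "facility": (hr >> 16) & 0x7FF, "code": hr & 0xFFFF}

def failed_signature_checks(log_text):
    """Return one dict per _VERIFY_FILE_SIGNATURE section that exited non-zero."""
    failures, current = [], None
    for line in log_text.splitlines():
        if START.search(line):
            current = {}
        elif current is not None and (m := FIELD.search(line)):
            current[m.group(1)] = m.group(2)
        elif current is not None and (m := EXIT.search(line)):
            code = int(m.group(1), 16)
            if code:
                current.update(win32=code, hresult=hresult_from_win32(code))
                failures.append(current)
            current = None
    return failures

if __name__ == "__main__":
    for f in failed_signature_checks(SAMPLE_LOG):
        print(f["Key"], f.get("Catalog"), hex(f["hresult"]), decode_hresult(f["hresult"]))
```
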

It’s looking for a file with a .c file extension?? Not a .sys file?

Peter

The ‘at’ part of the cat file is wrapping over to the next line.

I’d start looking inside the cat file. It seems to not be cataloging the right stuff.

If the cat file exists at the exact path in the log, then the “cannot find the file” message means one of the files mentioned in the cat was not pre-installed in the driver store. Are you mentioning any DLLs or other files in your INF?

@Tim_Roberts said:
If the cat file exists at the exact path in the log, then the “cannot find the file” message means one of the files mentioned in the cat was not pre-installed in the driver store. Are you mentioning any DLLs or other files in your INF?

Our inf file only includes the .sys file, and the cat file only mentions two files: the .sys and .inf. I could see the .sys, inf and cat files were located in C:\Windows\System32\DriverStore\FileRepository\iodriver.inf_amd64_63835d84e79a19cb.
So I am still confused about what file is missing.

And you didn’t change the .SYS file or the .INF after creating the CAT? Are you willing to put the driver package somewhere we could look at it?

@Tim_Roberts said:
And you didn’t change the .SYS file or the .INF after creating the CAT? Are you willing to put the driver package somewhere we could look at it?

They were all generated by one build batch with no manual changes at all. I’d like to share the package with you, but there seems to be no attachment option in the forum. Could you give me an email address for sending it to you?
Thanks in advance.

@Tim_Roberts @Mark_Roddy @Peter_Viscarola_(OSR)
Dear experts, I referred to the ndisprot630.inf in \Windows-driver-samples\network\ndis\ndisprot\6x\sys\630; it was because the Ndi installation section lacked these two lines:
HKR,Ndi\Interfaces, UpperRange,, noupper
HKR,"Ndi\Interfaces","LowerRange",,"ndis5,ndis4,ndis5_prot"

When I added them to my inf, the install and uninstall work well.
Not sure why this is necessary but it works :)

Thanks for your idea.

could you give me an email address for sending it to you?

I see you have solved your problem, but I do need to turn on sarcastic mode, because it’s clear you aren’t reading the messages here. My email address is in every post I make here. Every single one.

@Tim_Roberts said:

could you give me an email address for sending it to you?

I see you have solved your problem, but I do need to turn on sarcastic mode, because it’s clear you aren’t reading the messages here. My email address is in every post I make here. Every single one.

I am reading your reply :stuck_out_tongue: and will ask more questions some day :smiley: