Everything I read says that I don't need a signature on a file system driver to run in Vista+ 32bit. It's only a requirement for 64bit or boot_start drivers.
I tried my driver as system_start and auto_start, and no luck. Any thoughts on why this may be? Have things changed in win7 and I just haven't come across it?
When I try to start manually after the install, I get this error.
[SC] StartService FAILED 577:
Windows cannot verify the digital signature for this file. A recent hardware or
software change might have installed a file that is signed incorrectly or damaged,
or that might be malicious software from an unknown source.
I have been self signing, adding the cert I used to the trusted root, turned on bcdedit test signing, and then all works fine. But I would like to pass this to a few other users for testing and don't want to require them to do that. Eventually I will use a real cert before release, but don't have it yet.
Am I overlooking something simple here?
Thanks -
Chris
Does your driver use PsSetCreateProcessNotifyRoutineEx? Are you setting the
INTEGRITYCHECK linker flag?
Bill Wandel
-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of
xxxxx@gmail.com
Sent: Thursday, August 25, 2011 1:40 PM
To: Windows File Systems Devs Interest List
Subject: [ntfsd] 32bit Win7 - FileSys Driver - Signing requirements
NTFSD is sponsored by OSR
For our schedule of debugging and file system seminars visit:
To unsubscribe, visit the List Server section of OSR Online at
> Does your driver use PsSetCreateProcessNotifyRoutineEx?
Yes.
> Are you setting the INTEGRITYCHECK linker flag?
No.
Are these problems? The second one should be easy enough to remedy, the first one would be trickier.
If you are using the Ex function and have not set the linker flag you should
be getting an ACCESS_DENIED when you call the function. When you use this
function the driver must be signed, even 32 bit drivers.
Bill Wandel
-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of
xxxxx@gmail.com
Sent: Thursday, August 25, 2011 2:06 PM
To: Windows File Systems Devs Interest List
Subject: RE:[ntfsd] 32bit Win7 - FileSys Driver - Signing requirements
Ahh, I am using that flag. I didn’t think to look in the sources file right away.
And now see what it does. So, sounds like there is no easy workaround here, either official signing with cross cert, or the test signing that I have been doing.
Out of curiosity, is this true for any function that ends in Ex? Or just PsSetCreateProcessNotifyRoutineEx and other select functions?
Thanks -
Chris
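An added example, not part of the original thread: the /INTEGRITYCHECK linker option discussed above sets the IMAGE_DLLCHARACTERISTICS_FORCE_INTEGRITY bit (0x0080) in the image's PE optional header, and this Python check reads that bit and reports whether a certificate table is embedded (its presence only, not its validity). The function names and the header-only sample images are constructed for illustration.

```python
import struct

FORCE_INTEGRITY = 0x0080            # IMAGE_DLLCHARACTERISTICS_FORCE_INTEGRITY (/INTEGRITYCHECK)
DATA_DIRS = {0x10B: 96, 0x20B: 112}  # optional-header magic (PE32, PE32+) -> data directory offset


def inspect_image(image: bytes) -> dict:
    """Report the force-integrity bit and whether a certificate table is present."""
    if len(image) < 0x40 or image[:2] != b"MZ":
        raise ValueError("not an MZ image")
    (pe,) = struct.unpack_from("<I", image, 0x3C)            # e_lfanew
    if image[pe:pe + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    opt = pe + 24                                             # signature (4) + COFF header (20)
    (opt_size,) = struct.unpack_from("<H", image, pe + 20)    # SizeOfOptionalHeader
    if opt_size < 72 or len(image) < opt + opt_size:
        raise ValueError("truncated optional header")
    (magic,) = struct.unpack_from("<H", image, opt)
    if magic not in DATA_DIRS:
        raise ValueError("unknown optional header magic")
    # DllCharacteristics is at offset 70 in both PE32 and PE32+ optional headers.
    (flags,) = struct.unpack_from("<H", image, opt + 70)
    dirs, cert_size = DATA_DIRS[magic], 0
    if opt_size >= dirs + 5 * 8:
        (ndirs,) = struct.unpack_from("<I", image, opt + dirs - 4)  # NumberOfRvaAndSizes
        if ndirs > 4:  # directory 4 is IMAGE_DIRECTORY_ENTRY_SECURITY
            _, cert_size = struct.unpack_from("<II", image, opt + dirs + 4 * 8)
    return {"force_integrity": bool(flags & FORCE_INTEGRITY), "embedded_signature": cert_size > 0}


def sample_image(flags: int, cert_size: int = 0) -> bytes:
    """Constructed PE32 headers only (no sections), for demonstration."""
    dos = b"MZ" + bytes(0x3A) + struct.pack("<I", 0x40)       # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x014C, 0, 0, 0, 0, 224, 0x0102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                     # PE32 magic
    struct.pack_into("<H", opt, 70, flags)                    # DllCharacteristics
    struct.pack_into("<I", opt, 92, 16)                       # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 96 + 4 * 8, 0x400 if cert_size else 0, cert_size)
    return dos + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    for name, img in [("no flag", sample_image(0)), ("/INTEGRITYCHECK, unsigned", sample_image(FORCE_INTEGRITY))]:
        print(name, inspect_image(img))
```

On a real driver, pass the bytes of the .sys file to `inspect_image`; a result with `force_integrity` true and `embedded_signature` false matches the situation described in this thread.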
Just a couple of new Ex functions. The only one that I have used is the
PsSetCreateProcessNotifyRoutineEx.
Bill
-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of
xxxxx@gmail.com
Sent: Thursday, August 25, 2011 2:20 PM
To: Windows File Systems Devs Interest List
Subject: RE:[ntfsd] 32bit Win7 - FileSys Driver - Signing requirements
AFAIK currently only PsSetCreateProcessNotifyRoutineEx and
ObRegisterCallbacks require that your image be signed on 32bit.
-scott
--
Scott Noone
Consulting Associate and Chief System Problem Analyst
OSR Open Systems Resources, Inc.
http://www.osronline.com
Can I assume that PsSetCreateProcessNotifyRoutineEx and PsSetCreateProcessNotifyRoutine (no Ex at end) both require the integrity check which forces the signing? Or is there something special about the Ex version of the call?
Thanks -
c
Just the Ex version has the integrity check requirement.
-----Original Message-----
From: xxxxx@gmail.com
Sent: Friday, August 26, 2011 13:49
To: Windows File Systems Devs Interest List
Subject: RE:[ntfsd] 32bit Win7 - FileSys Driver - Signing requirements
Something is special not about Ex, but about these functions in general, since they are the great anchor points for malware.
--
Maxim S. Shatskih
Windows DDK MVP
xxxxx@storagecraft.com
http://www.storagecraft.com