Error 0x80096002 when installing driver?

I made a cer file myself and installed it to the Trusted Root Certification Authorities. I also turned on test signing mode and restarted Windows 7. The driver installation looks OK, and it can work with the device; however, in the installation logs, I saw a few abnormal things:

  1. It says: Verifying file against specific (valid) catalog failed! (0x80096002)
    Error 0x80096002: a certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider.

  2. In the log, it says policy is set to make all digital signatures equal. Do I have to turn it off?

I guess I must have done something incorrectly when creating and installing the cer file, though I couldn't find any clue. I also heard Windows Kernel Driver would not be able to let you install your own cer file, and you must have it signed by Microsoft first before the 0x80096002 would be resolved?

Thanks,

J

Have you installed into both trusted root and trusted publishers?

See https://msdn.microsoft.com/en-us/library/windows/hardware/ff553563(v=vs.85).aspx

-p

-----Original Message-----
From: xxxxx@lists.osr.com [mailto:xxxxx@lists.osr.com] On Behalf Of xxxxx@gmail.com
Sent: Wednesday, February 18, 2015 12:41 PM
To: Windows System Software Devs Interest List
Subject: [ntdev] Error 0x80096002 when installing driver?

I made a cer file myself and installed it to the Trusted Root Certification Authorities. I also turned on test signing mode and restarted Windows 7. The driver installation looks OK, and it can work with the device; however, in the installation logs, I saw a few abnormal things:

  1. It says: Verifying file against specific (valid) catalog failed! (0x80096002) Error 0x80096002: a certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider.

  2. In the log, it says policy is set to make all digital signatures equal. Do I have to turn it off?

I guess I must have done something incorrectly when creating and installing the cer file, though I couldn't find any clue. I also heard Windows Kernel Driver would not be able to let you install your own cer file, and you must have it signed by Microsoft first before the 0x80096002 would be resolved?

Thanks,

J


NTDEV is sponsored by OSR

Visit the list at: http://www.osronline.com/showlists.cfm?list=ntdev

OSR is HIRING!! See http://www.osr.com/careers

For our schedule of WDF, WDM, debugging and other seminars visit:
http://www.osr.com/seminars

To unsubscribe, visit the List Server section of OSR Online at http://www.osronline.com/page.cfm?name=ListServer

Peter,

>Have you installed into both trusted root and trusted publishers?

YES, I did.

For your information, when I ran: signtool verify MyDriver.sys , it returns an Error: A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider.

Any idea? I am at a loss… Thanks.

J

My understanding is when you enable test signing all that is checked is if there is ANY signature. I could easily imagine if using a self-signed certificate the log still shows a verification error, but the install code ignores the error. To make things work with test signing turned off, you will need a certificate from an approved certificate authority. There have been discussions in the list in the past of the pros and cons of different CAs. You will need to install the certificate from the approved CA in the proper certificate stores if you don’t want the UI to prompt the user to store the certificate when first seen, which generally means you need a setup program. You will need a signature from Microsoft (WHQL) if you want a driver to install without preinstalling a cert in the certificate store, which gives the best UI experience (like someone plugs in your hardware and the OS just finds the correct driver by automatically searching the online Windows Update driver repository).

Windows does not support production self-signed certificates for drivers.

Jan

Thanks, Jan.
My only problem is the driver rank is higher than the inbox one, and that would cause the device to always be recognized by the inbox driver since it has a lower score, and my self-signed driver has a higher score, which would be outbid. Microsoft has a series of articles talking about driver rank, but none of them talks about how you can make your driver rank lower than the inbox one's and let the OS pick up the 3rd-party driver first. Any help from others?

J

There used to be an API that can be used by an application to force a specific driver to a specific device instance. I assume this API is still there.

The root doc page on driver ranking at https://msdn.microsoft.com/en-us/library/ff686700(v=vs.85).aspx points to lots of info. I see stuff on those doc pages I never knew about, like the FeatureScore directive you can put in an INF. It offhand looks like if you need to outrank an inbox driver you will need a WHQL signature on your driver.

Jan

-----Original Message-----
From: xxxxx@lists.osr.com [mailto:xxxxx@lists.osr.com] On Behalf Of xxxxx@gmail.com
Sent: Wednesday, February 18, 2015 3:55 PM
To: Windows System Software Devs Interest List
Subject: RE:[ntdev] Error 0x80096002 when installing driver?

Thanks, Jan.
My only problem is the driver rank is higher than the inbox one, and that would cause the device to always be recognized by the inbox driver since it has a lower score, and my self-signed driver has a higher score, which would be outbid. Microsoft has a series of articles talking about driver rank, but none of them talks about how you can make your driver rank lower than the inbox one's and let the OS pick up the 3rd-party driver first. Any help from others?

J


Thanks, Jan. What Microsoft said on their page is not what I see now. The key is the signature score. If I do not have a WHQL-signed driver, my rank is higher than the inbox one. I thought if I set allsignedequal to true and signed the driver with my own cer file, I would at least get the same signature score that inbox has? Now, it’s not the case…

>I made a cer file myself and installed it to the Trusted Root certification Authorities,

Ensure it is installed to Local Machine’s Trusted Root certification Authorities.

And not to Current User’s one.


Maxim S. Shatskih
Microsoft MVP on File System And Storage
xxxxx@storagecraft.com
http://www.storagecraft.com
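
Added example, not part of the thread or of any poster's code: a PowerShell check for the two store questions raised above (both Trusted Root and Trusted Publishers, and Local Machine rather than Current User). The file name MyDriver.sys is taken from the thread; the helper Test-InStore is a hypothetical name, and the script assumes the file carries an embedded signature.

```powershell
# Added example. $SignedFile uses the file name from the thread; adjust the path.
$SignedFile = '.\MyDriver.sys'

$sig = Get-AuthenticodeSignature -FilePath $SignedFile
if (-not $sig.SignerCertificate) {
    Write-Error "No embedded signer certificate in $SignedFile"
    return
}
$signer = $sig.SignerCertificate

# Build the chain in machine context only, so a root that exists solely in a
# Current User store does not count as trusted.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain -ArgumentList $true
$chain.ChainPolicy.RevocationMode = 'NoCheck'   # test certificates publish no CRL
$built = $chain.Build($signer)
$root  = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate

# Hypothetical helper: is this thumbprint present in the given Cert: store path?
function Test-InStore([string]$Store, [string]$Thumbprint) {
    @(Get-ChildItem "Cert:\$Store" |
        Where-Object { $_.Thumbprint -eq $Thumbprint }).Count -gt 0
}

# Store path, certificate to look for, and what that placement means.
$checks = @(
    @('LocalMachine\Root',             $root,   'root, machine-wide'),
    @('LocalMachine\TrustedPublisher', $signer, 'signer, machine-wide'),
    @('CurrentUser\Root',              $root,   'root, this user only'),
    @('CurrentUser\TrustedPublisher',  $signer, 'signer, this user only')
)
$rows = foreach ($c in $checks) {
    New-Object PSObject -Property @{
        Store   = $c[0]
        Role    = $c[2]
        Present = Test-InStore $c[0] $c[1].Thumbprint
    }
}

"Signer      : $($signer.Subject)"
"Chain root  : $($root.Subject)"
"Chain built in machine context: $built"
$chain.ChainStatus | ForEach-Object { "  chain status: $($_.Status)" }
$rows | Select-Object Store, Role, Present | Format-Table -AutoSize
```

A certificate that shows Present = True only in the CurrentUser rows is the situation the last reply warns about.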