I can’t load my file system mini-filter drivers in Windows Test Mode.
The driver is signed correctly with an EV Code Signing Certificate.
Test Mode is set correctly and Secure Boot is disabled.
I can load a test-signed driver and an MS-signed driver.
Only the EV code-signed driver is a problem.
I’ve got the 0x80070241 error.
This error means:
"Windows cannot verify the digital signature for this file. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source."
Yeah, we can also see this error in normal Windows mode when there is a signing problem.
But this is Test Mode. As I see it, the driver should load however it is signed.
Please let me know if there is some driver signing policy in Windows Test Mode that I don’t know about.
To sum up, in Windows Test Mode:
EV code-signed driver - failed to load
Test-signed driver - loaded successfully
MS-signed driver - loaded successfully
One question that sounds relevant is “What does the Digital Signatures tab in the file Properties show regarding signature validity?” on the same machine where the driver is failing to load, since the Windows machine simply not trusting the issuing certificate authority of your EV certificate is something that could align with the results being described. In that case the Digital Signatures tab should also show that the signature could not be verified.
Unfortunately I haven’t signed drivers using literally our EV certificate, and do not have any direct comparison. It’s been either a “test signed” (in Test Mode) or a “Microsoft signed” situation for us. Given that an EV-signed driver can no longer be shipped to customers since Microsoft cross-signing support has been deprecated, we just haven’t bothered to sign the drivers that way.
AFAIK, an EV code certificate is not guaranteed to sign a driver that can pass signtool /kp verification by itself; it depends on the certificate vendor. You may still need to go for attestation signing to get loadable drivers.
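The two checks suggested in the replies above, as an added PowerShell example that is not part of the original thread: it reports the Authenticode status and the certificate chain this machine builds for the driver (the same user-mode view the Digital Signatures tab gives), then runs `signtool verify /kp` if signtool is on the PATH. The driver path and the function name `Get-DriverSignatureReport` are assumptions.

```powershell
param(
    # Hypothetical path: pass the .sys file that fails to load.
    [string]$DriverPath = 'C:\Drivers\MyFilter.sys'
)

function Get-DriverSignatureReport {
    param([Parameter(Mandatory)][string]$Path)

    # User-mode Authenticode verdict (Valid, NotTrusted, UnknownError, NotSigned, ...).
    $sig = Get-AuthenticodeSignature -FilePath $Path
    $report = [ordered]@{
        File          = $Path
        Status        = $sig.Status
        StatusMessage = $sig.StatusMessage
        Signer        = $null
        Chain         = @()
        ChainErrors   = @()
    }
    if ($null -eq $sig.SignerCertificate) {
        return [pscustomobject]$report   # unsigned or unreadable signature
    }
    $report.Signer = $sig.SignerCertificate.Subject

    # Build the chain with this machine's trust stores to see where it breaks.
    $chain = [System.Security.Cryptography.X509Certificates.X509Chain]::new()
    # Assumption: the test machine may be offline, so skip revocation lookups.
    $chain.ChainPolicy.RevocationMode =
        [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    [void]$chain.Build($sig.SignerCertificate)

    # Leaf first, root last; an untrusted issuer shows up in ChainErrors.
    $report.Chain = @($chain.ChainElements | ForEach-Object { $_.Certificate.Subject })
    $report.ChainErrors = @($chain.ChainStatus |
        ForEach-Object { "$($_.Status): $($_.StatusInformation.Trim())" })
    return [pscustomobject]$report
}

Get-DriverSignatureReport -Path $DriverPath | Format-List

# Kernel-mode signing policy check mentioned in the thread (needs the Windows SDK/WDK).
$signtool = Get-Command signtool.exe -ErrorAction SilentlyContinue
if ($signtool) {
    & $signtool.Source verify /v /kp $DriverPath
} else {
    Write-Warning 'signtool.exe not found on PATH; skipping the /kp check.'
}
```

A `Valid` status here only reflects user-mode Authenticode trust on this machine; the `/kp` result is the one that applies the kernel-mode driver signing policy.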
The kernel driver has to be code signed by Microsoft. You need to create an account with them, for which you will need your EV certificate, and then upload your signed drivers to them for the attestation. And if your driver passes it, then they will send you a code-signed copy of it that will load into Windows without the test mode being on. Here’s a longer form for you.