I am dynamically loading a virtual driver (no substance device) on Vista64. I have a question: running StartService fails with Error 0x241: ERROR_INVALID_IMAGE_HASH (Windows cannot verify the digital signature for this file. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.) But I had signed this driver. Who can help me to solve this problem?
Thanks
On x64, a driver MUST be signed. End of subject. No workaround. Forget it. Don’t ask again. (Sure you will, though…).
On the other hand, if you have an Authenticode SPC from an MS-acceptable authority you can self-sign your x64 driver and that should allow it to run. You must use the signing tools provided in the WDK to do the signing.
For debugging there are some BCDEDIT options that provide a one-boot override to this policy, but I have never used them.
Good luck,
Thomas F. Divine
-----Original Message-----
From: xxxxx@lists.osr.com [mailto:bounce-319706-
xxxxx@lists.osr.com] On Behalf Of xxxxx@yahoo.com.tw
Sent: Wednesday, April 02, 2008 10:31 PM
To: Windows System Software Devs Interest List
Subject: [ntdev] StartService fail on Vista64
NTDEV is sponsored by OSR
For our schedule of WDF, WDM, debugging and other seminars visit:
http://www.osr.com/seminars
To unsubscribe, visit the List Server section of OSR Online at
http://www.osronline.com/page.cfm?name=ListServer
Maybe you have signed the driver incorrectly?
–
Maxim Shatskih, Windows DDK MVP
StorageCraft Corporation
xxxxx@storagecraft.com
http://www.storagecraft.com
I have signed the driver correctly, and I got the digital signature by the following method.
signtool.exe sign /v /f xxxxxxx.pfx /p xxxxxxx /t http://timestamp.verisign.com/scripts/timestamp.dll xxxxxx.sys
Who can tell me what I can do?
Thanks
The binary needs to be signed and cross-signed with the cross-certificates
available at the URL below, otherwise the driver won’t load on Vista 64. You
need to add parameter /ac <crosscert.cer> to signtool.exe
http://www.microsoft.com/whdc/winlogo/drvsign/crosscert.mspx
Hope it helps
GV
—
Gianluca Varenni, Windows DDK MVP
CACE Technologies
http://www.cacetech.com
----- Original Message -----
From:
To: “Windows System Software Devs Interest List”
Sent: Wednesday, April 09, 2008 6:29 PM
Subject: RE:[ntdev] StartService fail on Vista64
Dear GV:
Could you tell me directly the detailed command for signtool?
Thanks
Brian
Brian:
You might wish to take a look at this document from MSFT:
http://www.microsoft.com/whdc/winlogo/drvsign/kmcs_walkthrough.mspx
It doesn’t contain everything you might need, but it covers the common
cases, and most importantly is only about fifty pages.
I don’t recall exactly what it is you are after here, but if you’re just
looking to get something that you are developing running on x64 Vista
for development purposes, then I would definitely check out the part
about test signing, because it’s pretty simple, and you should be up and
running in about ten minutes.
I know nothing about Driver Signing beyond the test signing case, and I
desperately hope that always remains the case, so this is about all I
can offer on the subject.
Good luck,
mm
I have the command line for signtool in the office; tomorrow morning I’ll be
able to send you the exact string that I use. In any case it’s something
like
signtool.exe sign /v /ac <crosscert.cer> /s my /n "name of the cert" /t http://timestamp.verisign.com/scripts/timestamp.dll binary.sys
As Martin suggested, I would have a look at the document available at
http://www.microsoft.com/whdc/winlogo/drvsign/kmcs_walkthrough.mspx
Hope it helps
GV
–
Gianluca Varenni, Windows DDK MVP
CACE Technologies
http://www.cacetech.com
----- Original Message -----
From:
To: “Windows System Software Devs Interest List”
Sent: Wednesday, April 09, 2008 8:35 PM
Subject: RE:[ntdev] StartService fail on Vista64
Listen to what people have suggested, and READ THE KERNEL MODE SIGNING WALKTHROUGH. It will tell you what you need to know.
See:
http://www.microsoft.com/whdc/winlogo/drvsign/kmcs_walkthrough.mspx
It’s wordy, it’s boring, it’s too detailed, it’s kinda dumb. But it’s the only place that actually explains this stuff. You need to be sure you have a proper class-3 code signing cert, and you need a cross-signing cert. Read the walkthrough.
The command lines are as follows:
Embedded sign:
signtool sign /v /ac d:\signing\mscv-vsclass3.cer /s my /n your-cert-name-here /t http://timestamp.verisign.com/scripts/timestamp.dll amd64\xxxxx.sys
CAT Sign:
signtool sign /v /ac d:\signing\mscv-vsclass3.cer /s my /n your-cert-name-here /t http://timestamp.verisign.com/scripts/timestamp.dll xxxxx.cat
Obviously, the name of and path to the cross signing cert (d:\signing\mscv-vsclass3.cer in the above command lines) will be specific to your system and certificate. But, of course, what you really want to do is read the walkthrough.
Peter
OSR
(answering questions like this because it’s almost 70 degrees F outside for the first time this year, and I don’t feel like working today)
xxxxx@osr.com wrote:
> Listen to what people have suggested, and READ THE KERNEL MODE SIGNING WALKTHROUGH. It will tell you what you need to know.
> See:
> http://www.microsoft.com/whdc/winlogo/drvsign/kmcs_walkthrough.mspx
> It’s wordy, it’s boring, it’s too detailed, it’s kinda dumb. But it’s the only place that actually explains this stuff. You need to be sure you have a proper class-3 code signing cert, and you need a cross-signing cert. Read the walkthrough.
As someone who once was an unbeliever, I can verify that following those
instructions really does work. After I got the code signing
certificate, it all went like clockwork.
> (answering questions like this because it’s almost 70 degrees F outside for the first time this year, and I don’t feel like working today)
Lucky you. We here in Portland, OR, are supposed to hit 70F on
Saturday. It has literally been six months since we broke 70. This has
truly been a cold, wet, miserable winter.
–
Tim Roberts, xxxxx@probo.com
Providenza & Boekelheide, Inc.
I can also confirm it. After the initial frustrating experience with bad
procedures and tools which didn’t work, the mentioned paper and current WDK
tools solved the problems.
However, selecting the certificate using /n may not be quite safe. We use
-sha1 instead, because it is the only method which can’t accidentally
select a different certificate.
Best regards,
Michal Vodicka
UPEK, Inc.
[xxxxx@upek.com, http://www.upek.com]
-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of
xxxxx@osr.com
Sent: Thursday, April 10, 2008 6:10 PM
To: Windows System Software Devs Interest List
Subject: RE:[ntdev] StartService fail on Vista64
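Added example, not part of any post in this thread: a PowerShell wrapper around the signing commands discussed above that refuses to sign when the subject name matches more than one certificate, signs by SHA-1 thumbprint with the cross-certificate, and then checks the result against the kernel-mode signing policy before the driver is loaded. The parameter names and paths are placeholders; the timestamp URL is the one quoted in the thread.

```powershell
# Added example (not from the thread). All paths and names are placeholders.
param(
    [Parameter(Mandatory)] [string] $SubjectName,  # text expected in the cert subject
    [Parameter(Mandatory)] [string] $CrossCert,    # path to the cross-certificate (.cer)
    [Parameter(Mandatory)] [string] $Target,       # the .sys or .cat file to sign
    # Timestamp server as quoted in the thread; substitute your CA's current one.
    [string] $TimestampUrl = 'http://timestamp.verisign.com/scripts/timestamp.dll'
)

# signtool's /n does a substring match on the subject, so list every
# code-signing cert in the CurrentUser "My" store that it could pick.
$candidates = @(Get-ChildItem Cert:\CurrentUser\My -CodeSigningCert |
    Where-Object {
        $_.Subject -like "*$SubjectName*" -and
        $_.HasPrivateKey -and
        $_.NotAfter -gt (Get-Date)
    })

# Refuse to guess: zero or several matches means /n would be unsafe.
if ($candidates.Count -ne 1) {
    $candidates | Format-Table Subject, Thumbprint, NotAfter -AutoSize |
        Out-String | Write-Host
    throw "Expected exactly one usable certificate, found $($candidates.Count)."
}
$thumbprint = $candidates[0].Thumbprint

# Sign by thumbprint (/sha1) and include the cross-certificate (/ac).
& signtool.exe sign /v /ac $CrossCert /s my /sha1 $thumbprint /t $TimestampUrl $Target
if ($LASTEXITCODE -ne 0) { throw "signtool sign failed with exit code $LASTEXITCODE" }

# /kp verifies against the x64 kernel-mode driver signing policy, which is
# the check that fails with ERROR_INVALID_IMAGE_HASH at StartService time
# when the cross-certificate is missing from the chain.
& signtool.exe verify /v /kp $Target
if ($LASTEXITCODE -ne 0) { throw "signtool verify /kp failed with exit code $LASTEXITCODE" }

Write-Host "Signed and verified $Target with certificate $thumbprint"
```

Run it from a WDK build environment so that signtool.exe is on the path.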