How to circumvent Driver Signing Policy elevation?


67 replies to this topic

#1 thunn

thunn

    Silver Member

  • .script developer
  • 531 posts
  • Location:Brooklyn, New York
  • Interests: computers, mechanics, distortion
  •  
    United States

Posted 20 September 2007 - 03:04 AM

That annoying popup you never want to handle manually, the Driver Signing Policy reminder.

Driver Signing Policy has been tackled by a handful of savvy programmers. When the issue has presented itself, I tried timed registry modifications on startup, and have even hacked at a few files, but the system detects attempts to tamper with the value post boot. The question I have is..
Do we need an external program to handle the problem, or, can it be solved with stock and/or oem tools from MS?

Some of my projects do handle unsigned drivers fine, but they either contain a tool from Sherpya or Holger. I would really like insight into how either of these tools handles this issue. :loleverybody:

Any thoughts on the subject are most welcome.
thanks, -t

--edit--

This problem was solved. Huge thanks to Psc for honing in on the answer.
Please read on to gather some details, or, if you would rather skip that..
A script to suppress driver signing prompts for all wb projects ( during the build ) may be found here. Enjoy.

#2 MedEvil

MedEvil

    Platinum Member

  • .script developer
  • 7,754 posts

Posted 20 September 2007 - 11:04 AM

thunn have a look here

:loleverybody:

#3 paraglider

paraglider

    Gold Member

  • .script developer
  • 1,615 posts
  • Location:NC,USA
  •  
    United States

Posted 21 September 2007 - 03:13 AM

hwpnp disables the driver signing popup. I am however not allowed to say how.

#4 pscEx

pscEx

    Platinum Member

  • Team Reboot
  • 12,309 posts
  • Location:Korschenbroich, Germany
  • Interests:What somebody else cannot do.
  •  
    European Union

Posted 21 September 2007 - 08:38 AM

That annoying popup you never want to handle manually, the Driver Signing Policy reminder.

Driver Signing Policy has been tackled by a handful of savvy programmers. When the issue has presented itself, I tried timed registry modifications on startup, and have even hacked at a few files, but the system detects attempts to tamper with the value post boot. The question I have is..
Do we need an external program to handle the problem, or, can it be solved with stock and/or oem tools from MS?

Some of my projects do handle unsigned drivers fine, but they either contain a tool from Sherpya or Holger. I would really like insight into how either of these tools handles this issue. :loleverybody:

Any thoughts on the subject are most welcome.
thanks, -t

I think, this is the way to solve it.

Peter

#5 Nuno Brito

Nuno Brito

    Platinum Member

  • Team Reboot
  • 10,122 posts
  • Location:boot.wim
  • Interests:I'm just a quiet simple person with a very quiet simple life living one day at a time..
  •  
    European Union

Posted 21 September 2007 - 09:02 AM

Interesting reading, thanks for the link Peter - the page you've mentioned also contains a few handy tools to check in a near future.. :loleverybody:

#6 pscEx

pscEx

    Platinum Member

  • Team Reboot
  • 12,309 posts
  • Location:Korschenbroich, Germany
  • Interests:What somebody else cannot do.
  •  
    European Union

Posted 21 September 2007 - 09:46 AM

Using the above link's knowledge about the 'seed' it was easy to write a script preventing the 'Unsigned Driver' warning during build time.

You can find driverSigning.Script on the nativeEx server.

The direct link is this.

I need it tested by many users. Maybe the hashes are valid on my system only.

Peter

#7 pscEx

pscEx

    Platinum Member

  • Team Reboot
  • 12,309 posts
  • Location:Korschenbroich, Germany
  • Interests:What somebody else cannot do.
  •  
    European Union

Posted 21 September 2007 - 10:29 AM

There is a small typo in the script which prevents that any test brings the warning, independent from the check marks:

If,%pCheckBox1%,Equal,True,Run,%ScriptFile%,no-warn
If,%pCheckBox1%,Equal,True,CopyOrExpand,%source_win%\RSAENH.DLL,%target_sys%

The first #1 has to have #2.

I've fixed this.

Those who already did a download: Please redo.

Peter

#8 Nuno Brito

Nuno Brito

    Platinum Member

  • Team Reboot
  • 10,122 posts
  • Location:boot.wim
  • Interests:I'm just a quiet simple person with a very quiet simple life living one day at a time..
  •  
    European Union

Posted 21 September 2007 - 11:23 AM

blazing fast solution! :w00t:

Will test it with smartFTP script.. :loleverybody:

#9 MedEvil

MedEvil

    Platinum Member

  • .script developer
  • 7,754 posts

Posted 21 September 2007 - 12:06 PM

blazing fast solution! :w00t:

Will test it with smartFTP script.. :loleverybody:

But you will need an old version of the script. The latest one is already fixed to not cause the popup dialog, even without Peter's fix.

:w00t:

#10 paraglider

paraglider

    Gold Member

  • .script developer
  • 1,615 posts
  • Location:NC,USA
  •  
    United States

Posted 21 September 2007 - 12:25 PM

There is also an undocumented function in setupapi that achieves the same effect.

#11 pscEx

pscEx

    Platinum Member

  • Team Reboot
  • 12,309 posts
  • Location:Korschenbroich, Germany
  • Interests:What somebody else cannot do.
  •  
    European Union

Posted 21 September 2007 - 01:42 PM

There is also an undocumented function in setupapi that achieves the same effect.

What about a link?

Peter :loleverybody:

#12 thunn

thunn

    Silver Member

  • .script developer
  • 531 posts
  • Location:Brooklyn, New York
  • Interests: computers, mechanics, distortion
  •  
    United States

Posted 21 September 2007 - 03:50 PM

I had looked into rsaenh.dll, but adding the entries without the file is a good idea (thanks Medevil!). I'll pull the entries from my system for testing, hopefully it will fix my new TrueImage retail for pe reduction.
Also, big thx. to Peter and Paraglider for their suggestions.

thanks to all!
.
I've been reading on the subject this evening after not much success..
Now some oems are using autoit type stunts to bypass the dialogues, ridiculous.

Tuesday, August 16, 2005 10:28 AM by Dejan Jelovic
Even worse, my new Dell laptop came with an unsigned bluetooth driver whose setup automatically clicks on the Continue button of the dialogs while installing the driver.

:loleverybody:

The quality control issue is very real, drivers running in memory must not crash or else we get bsods. But there should be an undocumented function that switches it OFF. :w00t:
This is an investigation that's taken me to some far out corners of the net.

Thankfully wb can replace a string of data when a universal solution or patch is found. After I changed DriverSigningPolicy to DriverSigningPolice in setupapi.dll, I couldn't find the string again, it's only found once in the file.
I could try something like adding a new reg data value using Police instead of Policy and then set it to reg bin 00 at hklm and dword 0 at hkcu.
Hacking setupapi.dll most likely won't work though, it's time to locate the other files containing the strings DriverSigning or Driver Signing to point us towards better solutions. G'night all.. :w00t:



#13 paraglider

paraglider

    Gold Member

  • .script developer
  • 1,615 posts
  • Location:NC,USA
  •  
    United States

Posted 22 September 2007 - 12:09 PM

Unfortunately I promised B... that I would not reveal details. But information is out there about the function on some of the russian forums.

#14 thunn

thunn

    Silver Member

  • .script developer
  • 531 posts
  • Location:Brooklyn, New York
  • Interests: computers, mechanics, distortion
  •  
    United States

Posted 22 September 2007 - 01:19 PM

Unfortunately I promised B... that I would not reveal details. But information is out there about the function on some of the russian forums.

I assume you speak of the ru shell designer. (explorer mock-up aka b's explorer)
ok, I'll do 'setupapi' searches later. Your HWPnP.exe utility did not fix this issue either, however. :loleverybody:

#15 pscEx

pscEx

    Platinum Member

  • Team Reboot
  • 12,309 posts
  • Location:Korschenbroich, Germany
  • Interests:What somebody else cannot do.
  •  
    European Union

Posted 22 September 2007 - 04:39 PM

Here's the revised driversigning script :loleverybody: ..
http://nativeex.boot...rSigning.Script

I changed the driverSigning.Script (link see above).
Now you have the choice to either write to registry at build time or to execute a small prog at boot time.

Here the code:
program DriverSigning;
{$APPTYPE CONSOLE}
uses
  SysUtils,
  Windows,
  Wcrypt2;

const
  cPNP = 'System\WPA\PnP';
  cPolicy = 'Policy';
  cPrivate = 'PrivateHash';
  cSeed = 'seed';
  cSetup = 'Software\Microsoft\Windows\CurrentVersion\Setup';
  cSigning = 'Software\Microsoft\Driver Signing';

// MD5 over four zero bytes followed by the four bytes of Input
function hashIt(const Input: DWORD; var res: array of Byte): boolean;
var
  cryptProvider: HCRYPTPROV;
  handleHash: HCRYPTHASH;
  dataHash: array[0..15] of Byte;
  lenHash: DWORD;
  nulls: DWORD;
  i: Integer;
begin
  Result := false;
  lenHash := 16;
  nulls := 0;
  if CryptAcquireContext(@cryptProvider, nil, nil, PROV_RSA_FULL, CRYPT_VERIFYCONTEXT or CRYPT_MACHINE_KEYSET) then
  begin
    if CryptCreateHash(cryptProvider, CALG_MD5, 0, 0, @handleHash) then
    begin
      if CryptHashData(handleHash, @nulls, sizeof(nulls), 0) then
      begin
        if CryptHashData(handleHash, @input, sizeof(input), 0) then
        begin
          if CryptGetHashParam(handleHash, HP_HASHVAL, @dataHash[0], @lenHash, 0) then
          begin
            for i := 0 to lenHash - 1 do
            begin
              res[i] := dataHash[i];
            end;
            Result := true;
          end;
        end;
      end;
      CryptDestroyHash(handleHash);
    end;
    CryptReleaseContext(cryptProvider, 0);
  end;
end;

var
  len: DWORD;
  seed: DWORD;
  regKey: HKEY;
  res: integer;
  hash: array[0..15] of Byte;
  nulls: Byte;
begin
  nulls := 0;
  seed := 0;
  res := RegOpenKeyEx(HKEY_LOCAL_MACHINE, cPNP, 0, KEY_READ, regKey);
  if res = ERROR_SUCCESS then
  begin
    // RegQueryValueEx expects the buffer size in len on input
    len := sizeof(seed);
    res := RegQueryValueEx(regKey, cSeed, nil, nil, @seed, @len);
    RegCloseKey(regKey);
    // build hash
    if hashIt(seed, hash) = true then
    begin
      // write 'privateHash'
      res := RegOpenKeyEx(HKEY_LOCAL_MACHINE, cSetup, 0, KEY_WRITE, regKey);
      if res = ERROR_SUCCESS then
      begin
        res := RegSetValueEx(regKey, cPrivate, 0, REG_BINARY, @hash[0], sizeof(hash));
        RegCloseKey(regKey);
        // write policy
        res := RegOpenKeyEx(HKEY_LOCAL_MACHINE, cSigning, 0, KEY_WRITE, regKey);
        if res = ERROR_SUCCESS then
        begin
          res := RegSetValueEx(regKey, cPolicy, 0, REG_BINARY, @nulls, sizeof(nulls));
          RegCloseKey(regKey);
        end;
      end;
    end;
  end;
end.
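
For anyone auditing a system rather than building one, the order of writes in the program above (PrivateHash first, then Policy set to 00) is something registry-write audit data can be checked for. The following is an added example, not part of the original post or of any project mentioned in the thread: the record format, process paths and sample lines are constructed assumptions, and only the two value names come from the posted code.

```python
# Added example: flags registry writes that set the driver signing policy to "ignore".
POLICY = r"hklm\software\microsoft\driver signing\policy"
PRIVATE_HASH = r"hklm\software\microsoft\windows\currentversion\setup\privatehash"

# Constructed sample records: time|process|registry value|data written (hex).
SAMPLE_LOG = r"""
10:00:01|C:\WINDOWS\system32\svchost.exe|HKLM\Software\Microsoft\Driver Signing\Policy|01
10:02:13|X:\Programs\DriverSigning.exe|HKLM\Software\Microsoft\Windows\CurrentVersion\Setup\PrivateHash|00112233445566778899aabbccddeeff
10:02:13|X:\Programs\DriverSigning.exe|HKLM\Software\Microsoft\Driver Signing\Policy|00
10:05:40|C:\Tools\regtool.exe|HKLM\Software\Microsoft\Driver Signing\Policy|00
this line is malformed and is skipped
"""


def parse(line):
    """Split one record into lower-cased fields; None if malformed."""
    parts = line.strip().split("|")
    if len(parts) != 4:
        return None
    ts, proc, target, data = parts
    return ts, proc.lower(), target.lower(), data.lower()


def find_policy_overrides(log_text):
    """Return (time, process, severity) for each write of Policy = 00.

    Policy byte: 00 = ignore, 01 = warn, 02 = block. Severity is "high" when
    the same process rewrote PrivateHash earlier in the log, which is the
    order of writes in the posted program; otherwise "medium".
    """
    hash_writers = set()
    findings = []
    for line in log_text.splitlines():
        rec = parse(line)
        if rec is None:
            continue
        ts, proc, target, data = rec
        if target == PRIVATE_HASH:
            hash_writers.add(proc)
        elif target == POLICY:
            try:
                level = int(data[:2], 16)
            except ValueError:
                continue  # unreadable data field
            if level == 0:
                severity = "high" if proc in hash_writers else "medium"
                findings.append((ts, proc, severity))
    return findings


if __name__ == "__main__":
    for ts, proc, severity in find_policy_overrides(SAMPLE_LOG):
        print(f"{ts} {severity:6} {proc} set driver signing policy to ignore")
```
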


#16 thunn

thunn

    Silver Member

  • .script developer
  • 531 posts
  • Location:Brooklyn, New York
  • Interests: computers, mechanics, distortion
  •  
    United States

Posted 23 September 2007 - 04:15 AM

& Just for kicks, I've compiled the C code for the original driver signing program that Peter pointed us to. The concept is quite sound, but..
So far, no dice, nothing has worked to suppress the problem 100% The little prog. needs a dll to run and still has an issue or two.

I seem to remember a program, 'Click that freakin button' .. :loleverybody::thumbup:




#17 pscEx

pscEx

    Platinum Member

  • Team Reboot
  • 12,309 posts
  • Location:Korschenbroich, Germany
  • Interests:What somebody else cannot do.
  •  
    European Union

Posted 23 September 2007 - 07:41 AM

& Just for kicks, I've compiled the C code for the original driver signing program that Peter pointed us to. The concept is quite sound, but..
So far, no dice, nothing has worked to suppress the problem 100% The little prog. needs a dll to run and still has an issue or two.

I seem to remember a program, 'Click that freakin button' .. :loleverybody: :w00t:

On my system both methods are working.
We have to find out what's different at yours.
I need a couple of tests.
Should we do it here or by e-mail (since the tests maybe boring for a couple of users)?

Peter

#18 Nuno Brito

Nuno Brito

    Platinum Member

  • Team Reboot
  • 10,122 posts
  • Location:boot.wim
  • Interests:I'm just a quiet simple person with a very quiet simple life living one day at a time..
  •  
    European Union

Posted 23 September 2007 - 12:10 PM

Please open a new topic - I would really like to keep reading your progress on this matter.. :loleverybody:

#19 thunn

thunn

    Silver Member

  • .script developer
  • 531 posts
  • Location:Brooklyn, New York
  • Interests: computers, mechanics, distortion
  •  
    United States

Posted 23 September 2007 - 10:27 PM

@Nuno, please suggest a new topic title if you like, I could start a new thread later this evening.
(Do you want to keep these threads short?)

Peter,
With regards to some tests ..
1st things 1st, if you really want to help, I suggest you re-create the environment I'm testing under.
Please try this..

* dl NativePE from wb,
It's using a 'longhand' version of your base scripts, no api.script, we could inspect this for any issue, but I do not want to use the api.script, in the ultimate interest of portability.

* Email me and I'll send you my networking script, I don't want to post it until I solve this, but that's a big part of the picture, I want to be able to use Opk tools for networking in hopes of someday soon finalizing an Opk based project for wb. :cheers:

* If you want to do a preliminary test, see if you can suppress the driver signing prompt when using my TrueImage91 Lite script, the ti drivers are doing something and in VMWare, the networking driver is flagged. Get the scripts, Acronis-TrueImageServer91-Lite.sript and Acronis-TrueImageServer91-Lite-Bin.script (sfx) from bartPEcore,

EDIT by psc: removed one line of text here.

In the mean time, I'll test your latest nativeEx.
--edit--
this is odd,
nativeEX and Main servers DOWN @ 6:45 PM EST

#20 Nuno Brito

Nuno Brito

    Platinum Member

  • Team Reboot
  • 10,122 posts
  • Location:boot.wim
  • Interests:I'm just a quiet simple person with a very quiet simple life living one day at a time..
  •  
    European Union

Posted 23 September 2007 - 11:47 PM

How about "Testing ways to disable driver signing Policy Elevation"? :cheers:

Having separate topics helps to keep a thread focused on a single matter (better than browsing from memory to find a needed piece of information lost amongst pages and pages..)

This thread has already taught me a lot, keep it up! :cheers:

#21 thunn

thunn

    Silver Member

  • .script developer
  • 531 posts
  • Location:Brooklyn, New York
  • Interests: computers, mechanics, distortion
  •  
    United States

Posted 24 September 2007 - 01:36 AM

How about this ..

I just solved the problem.

Ultimately what worked was the C code that Peter found. Other files and reg entries just needed fine tuning with respect to what was loaded when on startup.

Peter, thx. so much for your work on this, and furthermore, encouraging me to continue testing ideas for implementing a solution. Knowing someone else had some success kept me going on this.
Also, Upxing your exe was not the issue, it works fine packed.
I should point out that your script did not work as currently configured, I'd like to help you with the startup entry in your script so that the driversigning exe does its job a little earlier.
here is your startup entry:
RegWrite,"HKLM",0x1,"WB-Software\Microsoft\Windows\CurrentVersion\RunOnceEx\800","999","DriverSigning.exe"
Please use this..
RegWrite,HKLM,0x1,"WB-Software\Microsoft\Windows\CurrentVersion\RunOnceEx\100","DriverSigning","hiderun /w DriverSigning.exe"
It will work much better like that. :cheers:
~~
** except use 000 not 100 ( The editor won't let me put it, it winds up looking like this: \RunOnceEx00 )

~~~~~~~~~~
I want to run another series of tests, then I'll be back with some scripts including one for networking that uses the new penetcfg. :cheers: -t

#22 pscEx

pscEx

    Platinum Member

  • Team Reboot
  • 12,309 posts
  • Location:Korschenbroich, Germany
  • Interests:What somebody else cannot do.
  •  
    European Union

Posted 24 September 2007 - 09:06 AM

RegWrite,"HKLM",0x1,"WB-Software\Microsoft\Windows\CurrentVersion\RunOnceEx\800","999","DriverSigning.exe"
Please use this..
RegWrite,HKLM,0x1,"WB-Software\Microsoft\Windows\CurrentVersion\RunOnceEx\100","DriverSigning","hiderun /w DriverSigning.exe"

Does that mean that DriverSigning.exe with your proposed config surely works?
In this case I could create a third option (which after successful tests should be the only option)
"Run this program to change registry, just before building the ISO".

(When I'm back from vacation)

Peter

#23 MedEvil

MedEvil

    Platinum Member

  • .script developer
  • 7,754 posts

Posted 24 September 2007 - 10:34 AM

Could one of you explain to me why we need an exe which fixes this at boot time?
Can't we create the registry settings at build time?

:cheers:

#24 pscEx

pscEx

    Platinum Member

  • Team Reboot
  • 12,309 posts
  • Location:Korschenbroich, Germany
  • Interests:What somebody else cannot do.
  •  
    European Union

Posted 24 September 2007 - 10:38 AM

Could one of you explain to me why we need an exe which fixes this at boot time?
Can't we create the registry settings at build time?

:cheers:

My current knowledge:

Changes at build time are overwritten (by rsaenh.dll) during very early boot.
The exe fixes that at early boot.

I'm working on 'Build Time', but until now w/o success.

Peter

#25 pscEx

pscEx

    Platinum Member

  • Team Reboot
  • 12,309 posts
  • Location:Korschenbroich, Germany
  • Interests:What somebody else cannot do.
  •  
    European Union

Posted 24 September 2007 - 11:07 AM

There is version 005 of driverSigning.Script on the nativeEx server.

It has the new option to set necessary registry values during build time by the program 'DriverSigning.exe'.

Peter



