67 replies to this topic

[thunn]

That annoying popup you never want to handle manually, the Driver Signing Policy reminder.

Driver Signing Policy has been tackled by a handfull of savy programers. When the issue has presented itself, I tried timed registry modifications on startup, and have even hacked at a few files, but the system detects attempts to tamper with the value post boot. The question I have is..
Do we need an external program to handle the problem, or, can it be solved with stock and/or oem tools from MS?

Some of my projects do handle unsigned drivers fine, but they either contain a tool from Sherpya or Holger. I would really like insite into how either of these tools handles this issue.

Any thoughts on the subject are most welcome.
thanks, -t

--edit--

This problem was solved. Huge thanks to Psc for honing in on the answer.
Please read on to gather some details, or, if you would rather skip that..
A script to suppress driver signing prompts for all wb projects ( during the build ) may be found here. Enjoy.

[MedEvil]

thunn have a look here

[paraglider]

hwpnp disables the driver signing popup. I am however not allowed to say how.

[pscEx]

That annoying popup you never want to handle manually, the Driver Signing Policy reminder.

Driver Signing Policy has been tackled by a handfull of savy programers. When the issue has presented itself, I tried timed registry modifications on startup, and have even hacked at a few files, but the system detects attempts to tamper with the value post boot. The question I have is..
Do we need an external program to handle the problem, or, can it be solved with stock and/or oem tools from MS?

Some of my projects do handle unsigned drivers fine, but they either contain a tool from Sherpya or Holger. I would really like insite into how either of these tools handles this issue.

Any thoughts on the subject are most welcome.
thanks, -t

I think, this is the way to solve it.

Peter

[Brito]

Interesting reading, thanks for the link Peter - the page you've mentioned also contains a few handy tools to check in a near future..

[pscEx]

Using the above link's knowledge about the 'seed' it was easy to write a script preventing the 'Unsigned Driver' warning during build time.

You can find driverSigning.Script on the nativeEx server.

The direkt link is this.

I need it tested by many users. Maybe the hashes are valid on my system only.

Peter

[pscEx]

There is a small typo in the script which prevents that any test brings the warning, independent from the check marks:

If,%pCheckBox1%,Equal,True,Run,%ScriptFile%,no-warn
If,%pCheckBox1%,Equal,True,CopyOrExpand,%source_win%\RSAENH.DLL,%target_sys%

The first #1 has to have #2.

I've fixed this.

Those who already did a download: Please redo.

Peter

[Brito]

blazing fast solution!

Will test it with smartFTP script..

[MedEvil]

blazing fast solution!

Will test it with smartFTP script..

But you will need an old version of the script. The latest one is already fixed to not cause the popup dialog, even without Peters fix.

[paraglider]

There is also an undocumented function in setupapi that achieves the same effect.

[pscEx]

There is also an undocumented function in setupapi that achieves the same effect.

What about a link?

Peter

[thunn]

I had looked into rsaenh.dll, but adding the entries without the file is a good idea (thanks Medevil!). I'll pull the entries from my system for testing, hopfully it will fix my new TrueImage retail for pe reduction.
Also, big thx. to Peter and Paraglider for their suggestions.

thanks to all!
.
I've been reading on the subject this evening after not much success..
Now some oems are using autoit type stunts to bypass the dialogues, rediculous.

Tuesday, August 16, 2005 10:28 AM by Dejan Jelovic
Even worse, my new Dell laptop came with an usigned bluetooth driver whose setup automatically clicks on the Continue button of the dialogs while installing the driver.

The quality control issue is very real, drivers running in memory must not crash or else we get bsods. But there should be an undocumented function that switches it OFF.
This is an investigation that's taken me to some far out corners of the net.

Thankfully wb can replace a string of data when a universal solution or patch is found. After I changed DriverSigningPolicy to DriverSigningPolice in setupapi.dll, I couldn't find the string again, it's only found once in the file.
I could try something like adding a new reg data value using Police instead of Policy and then set it to reg bin 00 at hklm and dword 0 at hkcu.
Hacking setupapi.dll most likely won't work though, it's time to locate the other files containing the strings DriverSigning or Driver Signing to point us towards better sollutions. G'night all..

Attached Thumbnails

• 

[paraglider]

Unfortunately I promised B... that I would not reveal details. But information is out there about the function on some of the russian forums.

[thunn]

Unfortunately I promised B... that I would not reveal details. But information is out there about the function on some of the russian forums.

I assume you speak of the ru shell designer. (explorer mock-up aka b's explorer)
ok, I'll do 'setupapi' searches later. Your HWPnP.exe utility did not fix this issue either, however.

[pscEx]

Here's the revised driversigning script ..
http://nativeex.boot...rSigning.Script

I changed the driverSigning.Script (link see above).
Now you have the choice to either write to registry at build time or to execute a small prog at boot time.

Here the code:

program DriverSigning;{$APPTYPE CONSOLE}uses  SysUtils,  Windows,  Wcrypt2;const  cPNP = 'System\WPA\PnP';  cPolicy = 'Policy';  cPrivate = 'PrivateHash';  cSeed = 'seed';  cSetup = 'Software\Microsoft\Windows\CurrentVersion\Setup';  cSigning = 'Software\Microsoft\Driver Signing';function hashIt(const Input: DWORD; var res: array of Byte): boolean;var  cryptProvider: HCRYPTPROV;  handleHash: HCRYPTHASH;  dataHash: array[0..15] of Byte;  lenHash: DWORD;  nulls: DWORD;  i: Integer;begin  Result := false;  lenHash := 16;  nulls := 0;  if CryptAcquireContext(@cryptProvider, nil, nil, PROV_RSA_FULL, CRYPT_VERIFYCONTEXT or CRYPT_MACHINE_KEYSET) then  begin    if CryptCreateHash(cryptProvider, CALG_MD5, 0, 0, @handleHash) then    begin      if CryptHashData(handleHash, @nulls, sizeof(nulls), 0) then      begin        if CryptHashData(handleHash, @input, sizeof(input), 0) then        begin          if CryptGetHashParam(handleHash, HP_HASHVAL, @dataHash[0], @lenHash, 0) then          begin            for i := 0 to lenHash - 1 do            begin              res[i] := dataHash[i];            end;            Result := true;          end;        end;      end;      CryptDestroyHash(handleHash);    end;    CryptReleaseContext(cryptProvider, 0);  end;end;var  len: DWORD;  seed: DWORD;  regKey: HKEY;  res: integer;  hash: array[0..15] of Byte;  nulls: Byte;begin  nulls := 0;  seed := 0;  res := RegOpenKeyEx(HKEY_LOCAL_MACHINE, cPNP, 0, KEY_READ, regKey);  if res = ERROR_SUCCESS then  begin    res := RegQueryValueEx(regKey, cSeed, nil, nil, @seed, @len);    RegCloseKey(regKey);// build hash    if hashIt(seed, hash) = true then    begin// write 'privateHash'      res := RegOpenKeyEx(HKEY_LOCAL_MACHINE, cSetup, 0, KEY_WRITE, regKey);      if res = ERROR_SUCCESS then      begin        res := RegSetValueEx(regKey, cPrivate, 0, REG_BINARY, @hash[0], sizeof(hash));        RegCloseKey(regKey);// write policy        res := RegOpenKeyEx(HKEY_LOCAL_MACHINE, cSigning, 0, KEY_WRITE, regKey);        if res = ERROR_SUCCESS then        begin          res := RegSetValueEx(regKey, cPolicy, 0, REG_BINARY, @nulls, sizeof(nulls));          RegCloseKey(regKey);        end;      end;    end;  end;end.

[thunn]

& Just for kicks, I've compiled the C code for the original driver signing program that Peter pointed us to. The concept is quite sound, but..
So far, no dice, nothing has worked to suppress the problem 100% The little prog. needs a dll to run and still has an issue or two.

I seem to remember a program, 'Click that freakin button' ..

Attached Files

•  drvsignsup.rar   20.86KB   183 downloads

[pscEx]

& Just for kicks, I've compiled the C code for the original driver signing program that Peter pointed us to. The concept is quite sound, but..
So far, no dice, nothing has worked to suppress the problem 100% The little prog. needs a dll to run and still has an issue or two.

I seem to remember a program, 'Click that freakin button' ..

On my system both methods are working.
We have to find out what's different at yours.
I need a couple of tests.
Should we do it here or by e-mail (since the tests maybe boring for a couple of users)?

Peter

[Brito]

Please open a new topic - I would really like to keep reading your progress on this matter..

[thunn]

@Nuno, please suggest a new topic title if you like, I'll could start a new thread later this evening.
(Do you want to keep these threads short?)

Peter,
With regards to some tests ..
1st things 1st, if you really want to help, I suggest you re-create the environment I'm testing under.
Please try this..

* dl NativePE from wb,
It's using a 'longhand' version of your base scripts, no api.scrpt, we could inspect this for any issue, but I do not want to use the api.script, in the ultimate interest of portability.

* Email me and I'll send you my networking script, I don't want to post it until I solve this, but that's a big part of the picture, I want to be able to use Opk tools for networking in hopes of someday soon finalizing an Opk based project for wb.

* If you want to do a preliminary test, see if you can suppress the driver signing prompt when using my TrueImage91 Lite script, the ti drivers are doing something and in VMWare, the networking driver is flagged. Get the scripts, Acronis-TrueImageServer91-Lite.sript and Acronis-TrueImageServer91-Lite-Bin.script (sfx) from bartPEcore,

EDIT by psc: removed one line of text here.

In the mean time, I'll test your latest nativeEx.
--edit--
this is odd,
nativeEX and Main servers DOWN @ 6:45 PM EST

[Brito]

How about "Testing ways to disable driver signing Policy Elevation"?

Having separate topics helps to keep a thread focused on a single matter (better than browsing from memory to find a needed piece of information lost amongst pages and pages..)

This thread has already taught me a lot, keep it up!

[thunn]

How about this ..

I just solved the problem.

Utimatelty what worked was the C code that Peter found. Other files and reg entries just needed fine tuning with respect to what was loaded when on startup.

Peter, thx. so much for your work on this, and furthermore, encouraging me to continue testing ideas for implementing a solution. Knowing someone else had some success kept me going on this.
Also, Upxing your exe was not the issue, it works fine packed.
I should point out that your script did not work as currently configured, I'd like to help you with the startup entry in your script so that the driversigning exe does it's job a little earlier.
here is your startup entry:

RegWrite,"HKLM",0x1,"WB-Software\Microsoft\Windows\CurrentVersion\RunOnceEx\800","999",

"DriverSigning.exe"

Please use this..

RegWrite,HKLM,0x1,"WB-Software\Microsoft\Windows\CurrentVersion\RunOnceEx\100",

"DriverSigning","hiderun /w DriverSigning.exe"

It will work much better like that.
~~
** except use 000 not 100 ( The editor won't let me put it, it winds up looking like this: \RunOnceEx00 )

~~~~~~~~~~
I want to run another series of tests, then I'll be back with some scripts including one for networking that uses the new penetcfg. -t

[pscEx]

RegWrite,"HKLM",0x1,"WB-Software\Microsoft\Windows\CurrentVersion\RunOnceEx\800","999",

"DriverSigning.exe"

Please use this..

RegWrite,HKLM,0x1,"WB-Software\Microsoft\Windows\CurrentVersion\RunOnceEx\100",

"DriverSigning","hiderun /w DriverSigning.exe"

Does that mean that DriverSigning.exe with your proposed config surely works?
In this case I could create a third option (which after successful tests shold be the only option)
"Run this program to change registry, just before building the ISO".

(When I'm back from vacation)

Peter

[MedEvil]

Could one of you explain to me why we need a exe which fixes this at boot time?
Can't we create the registry settings at build time?

[pscEx]

Could one of you explain to me why we need a exe which fixes this at boot time?
Can't we create the registry settings at build time?

My current knowledge:

Changes at build time are overwritten (by rsaenh.dll) during very early boot.
The exe fixes that at early boot.

I'm working on 'Build Time', but until now w/o sussecc.

Peter

[pscEx]

There is version 005 of driverSigning.Script on the nativeEx server.

It has the new option to set necessary registry values during build time by the program 'DriverSigning.exe'.

Peter