How to circumvent Driver Signing Policy elevation?
#1
Posted 20 September 2007 - 03:04 AM
Driver Signing Policy has been tackled by a handfull of savy programers. When the issue has presented itself, I tried timed registry modifications on startup, and have even hacked at a few files, but the system detects attempts to tamper with the value post boot. The question I have is..
Do we need an external program to handle the problem, or, can it be solved with stock and/or oem tools from MS?
Some of my projects do handle unsigned drivers fine, but they either contain a tool from Sherpya or Holger. I would really like insite into how either of these tools handles this issue.
Any thoughts on the subject are most welcome.
thanks, -t
--edit--
This problem was solved. Huge thanks to Psc for honing in on the answer.
Please read on to gather some details, or, if you would rather skip that..
A script to suppress driver signing prompts for all wb projects ( during the build ) may be found here. Enjoy.
#3
Posted 21 September 2007 - 03:13 AM
#4
Posted 21 September 2007 - 08:38 AM
I think, this is the way to solve it.That annoying popup you never want to handle manually, the Driver Signing Policy reminder.
Driver Signing Policy has been tackled by a handfull of savy programers. When the issue has presented itself, I tried timed registry modifications on startup, and have even hacked at a few files, but the system detects attempts to tamper with the value post boot. The question I have is..
Do we need an external program to handle the problem, or, can it be solved with stock and/or oem tools from MS?
Some of my projects do handle unsigned drivers fine, but they either contain a tool from Sherpya or Holger. I would really like insite into how either of these tools handles this issue.
Any thoughts on the subject are most welcome.
thanks, -t
Peter
#5
Posted 21 September 2007 - 09:02 AM
#6
Posted 21 September 2007 - 09:46 AM
You can find driverSigning.Script on the nativeEx server.
The direkt link is this.
I need it tested by many users. Maybe the hashes are valid on my system only.
Peter
#7
Posted 21 September 2007 - 10:29 AM
The first #1 has to have #2.If,%pCheckBox1%,Equal,True,Run,%ScriptFile%,no-warn
If,%pCheckBox1%,Equal,True,CopyOrExpand,%source_win%\RSAENH.DLL,%target_sys%
I've fixed this.
Those who already did a download: Please redo.
Peter
#8
Posted 21 September 2007 - 11:23 AM
Will test it with smartFTP script..
#9
Posted 21 September 2007 - 12:06 PM
But you will need an old version of the script. The latest one is already fixed to not cause the popup dialog, even without Peters fix.blazing fast solution!
Will test it with smartFTP script..
#10
Posted 21 September 2007 - 12:25 PM
#11
Posted 21 September 2007 - 01:42 PM
What about a link?There is also an undocumented function in setupapi that achieves the same effect.
Peter
#12
Posted 21 September 2007 - 03:50 PM
Also, big thx. to Peter and Paraglider for their suggestions.
thanks to all!
.
I've been reading on the subject this evening after not much success..
Now some oems are using autoit type stunts to bypass the dialogues, rediculous.
Tuesday, August 16, 2005 10:28 AM by Dejan Jelovic
Even worse, my new Dell laptop came with an usigned bluetooth driver whose setup automatically clicks on the Continue button of the dialogs while installing the driver.
The quality control issue is very real, drivers running in memory must not crash or else we get bsods. But there should be an undocumented function that switches it OFF.
This is an investigation that's taken me to some far out corners of the net.
Thankfully wb can replace a string of data when a universal solution or patch is found. After I changed DriverSigningPolicy to DriverSigningPolice in setupapi.dll, I couldn't find the string again, it's only found once in the file.
I could try something like adding a new reg data value using Police instead of Policy and then set it to reg bin 00 at hklm and dword 0 at hkcu.
Hacking setupapi.dll most likely won't work though, it's time to locate the other files containing the strings DriverSigning or Driver Signing to point us towards better sollutions. G'night all..
#13
Posted 22 September 2007 - 12:09 PM
#14
Posted 22 September 2007 - 01:19 PM
I assume you speak of the ru shell designer. (explorer mock-up aka b's explorer)Unfortunately I promised B... that I would not reveal details. But information is out there about the function on some of the russian forums.
ok, I'll do 'setupapi' searches later. Your HWPnP.exe utility did not fix this issue either, however.
#15
Posted 22 September 2007 - 04:39 PM
http://nativeex.boot...rSigning.Script
I changed the driverSigning.Script (link see above).
Now you have the choice to either write to registry at build time or to execute a small prog at boot time.
Here the code:
program DriverSigning;{$APPTYPE CONSOLE}uses SysUtils, Windows, Wcrypt2;const cPNP = 'System\WPA\PnP'; cPolicy = 'Policy'; cPrivate = 'PrivateHash'; cSeed = 'seed'; cSetup = 'Software\Microsoft\Windows\CurrentVersion\Setup'; cSigning = 'Software\Microsoft\Driver Signing';function hashIt(const Input: DWORD; var res: array of Byte): boolean;var cryptProvider: HCRYPTPROV; handleHash: HCRYPTHASH; dataHash: array[0..15] of Byte; lenHash: DWORD; nulls: DWORD; i: Integer;begin Result := false; lenHash := 16; nulls := 0; if CryptAcquireContext(@cryptProvider, nil, nil, PROV_RSA_FULL, CRYPT_VERIFYCONTEXT or CRYPT_MACHINE_KEYSET) then begin if CryptCreateHash(cryptProvider, CALG_MD5, 0, 0, @handleHash) then begin if CryptHashData(handleHash, @nulls, sizeof(nulls), 0) then begin if CryptHashData(handleHash, @input, sizeof(input), 0) then begin if CryptGetHashParam(handleHash, HP_HASHVAL, @dataHash[0], @lenHash, 0) then begin for i := 0 to lenHash - 1 do begin res[i] := dataHash[i]; end; Result := true; end; end; end; CryptDestroyHash(handleHash); end; CryptReleaseContext(cryptProvider, 0); end;end;var len: DWORD; seed: DWORD; regKey: HKEY; res: integer; hash: array[0..15] of Byte; nulls: Byte;begin nulls := 0; seed := 0; res := RegOpenKeyEx(HKEY_LOCAL_MACHINE, cPNP, 0, KEY_READ, regKey); if res = ERROR_SUCCESS then begin res := RegQueryValueEx(regKey, cSeed, nil, nil, @seed, @len); RegCloseKey(regKey);// build hash if hashIt(seed, hash) = true then begin// write 'privateHash' res := RegOpenKeyEx(HKEY_LOCAL_MACHINE, cSetup, 0, KEY_WRITE, regKey); if res = ERROR_SUCCESS then begin res := RegSetValueEx(regKey, cPrivate, 0, REG_BINARY, @hash[0], sizeof(hash)); RegCloseKey(regKey);// write policy res := RegOpenKeyEx(HKEY_LOCAL_MACHINE, cSigning, 0, KEY_WRITE, regKey); if res = ERROR_SUCCESS then begin res := RegSetValueEx(regKey, cPolicy, 0, REG_BINARY, @nulls, sizeof(nulls)); RegCloseKey(regKey); end; end; end; end;end.
#16
Posted 23 September 2007 - 04:15 AM
So far, no dice, nothing has worked to suppress the problem 100% The little prog. needs a dll to run and still has an issue or two.
I seem to remember a program, 'Click that freakin button' ..
Attached Files
#17
Posted 23 September 2007 - 07:41 AM
On my system both methods are working.& Just for kicks, I've compiled the C code for the original driver signing program that Peter pointed us to. The concept is quite sound, but..
So far, no dice, nothing has worked to suppress the problem 100% The little prog. needs a dll to run and still has an issue or two.
I seem to remember a program, 'Click that freakin button' ..
We have to find out what's different at yours.
I need a couple of tests.
Should we do it here or by e-mail (since the tests maybe boring for a couple of users)?
Peter
#18
Posted 23 September 2007 - 12:10 PM
#19
Posted 23 September 2007 - 10:27 PM
(Do you want to keep these threads short?)
Peter,
With regards to some tests ..
1st things 1st, if you really want to help, I suggest you re-create the environment I'm testing under.
Please try this..
* dl NativePE from wb,
It's using a 'longhand' version of your base scripts, no api.scrpt, we could inspect this for any issue, but I do not want to use the api.script, in the ultimate interest of portability.
* Email me and I'll send you my networking script, I don't want to post it until I solve this, but that's a big part of the picture, I want to be able to use Opk tools for networking in hopes of someday soon finalizing an Opk based project for wb.
* If you want to do a preliminary test, see if you can suppress the driver signing prompt when using my TrueImage91 Lite script, the ti drivers are doing something and in VMWare, the networking driver is flagged. Get the scripts, Acronis-TrueImageServer91-Lite.sript and Acronis-TrueImageServer91-Lite-Bin.script (sfx) from bartPEcore,
EDIT by psc: removed one line of text here.
In the mean time, I'll test your latest nativeEx.
--edit--
this is odd,
nativeEX and Main servers DOWN @ 6:45 PM EST
#20
Posted 23 September 2007 - 11:47 PM
Having separate topics helps to keep a thread focused on a single matter (better than browsing from memory to find a needed piece of information lost amongst pages and pages..)
This thread has already taught me a lot, keep it up!
#21
Posted 24 September 2007 - 01:36 AM
I just solved the problem.
Utimatelty what worked was the C code that Peter found. Other files and reg entries just needed fine tuning with respect to what was loaded when on startup.
Peter, thx. so much for your work on this, and furthermore, encouraging me to continue testing ideas for implementing a solution. Knowing someone else had some success kept me going on this.
Also, Upxing your exe was not the issue, it works fine packed.
I should point out that your script did not work as currently configured, I'd like to help you with the startup entry in your script so that the driversigning exe does it's job a little earlier.
here is your startup entry:
RegWrite,"HKLM",0x1,"WB-Software\Microsoft\Windows\CurrentVersion\RunOnceEx\800","999", "DriverSigning.exe"Please use this..
RegWrite,HKLM,0x1,"WB-Software\Microsoft\Windows\CurrentVersion\RunOnceEx\100", "DriverSigning","hiderun /w DriverSigning.exe"It will work much better like that.
~~
** except use 000 not 100 ( The editor won't let me put it, it winds up looking like this: \RunOnceEx00 )
~~~~~~~~~~
I want to run another series of tests, then I'll be back with some scripts including one for networking that uses the new penetcfg. -t
#22
Posted 24 September 2007 - 09:06 AM
Does that mean that DriverSigning.exe with your proposed config surely works?RegWrite,"HKLM",0x1,"WB-Software\Microsoft\Windows\CurrentVersion\RunOnceEx\800","999", "DriverSigning.exe"Please use this..RegWrite,HKLM,0x1,"WB-Software\Microsoft\Windows\CurrentVersion\RunOnceEx\100", "DriverSigning","hiderun /w DriverSigning.exe"
In this case I could create a third option (which after successful tests shold be the only option)
"Run this program to change registry, just before building the ISO".
(When I'm back from vacation)
Peter
#23
Posted 24 September 2007 - 10:34 AM
Can't we create the registry settings at build time?
#24
Posted 24 September 2007 - 10:38 AM
My current knowledge:Could one of you explain to me why we need a exe which fixes this at boot time?
Can't we create the registry settings at build time?
Changes at build time are overwritten (by rsaenh.dll) during very early boot.
The exe fixes that at early boot.
I'm working on 'Build Time', but until now w/o sussecc.
Peter
#25
Posted 24 September 2007 - 11:07 AM
It has the new option to set necessary registry values during build time by the program 'DriverSigning.exe'.
Peter
0 user(s) are reading this topic
0 members, 0 guests, 0 anonymous users