1

Topic: Windows 10 signature enforcement - what do they want?

Greetings, all! We have a kernel module that is not tied to any hardware. It is signed with an EV certificate that we received recently together with a USB key. Then we sent this certificate to Microsoft, signing their file with our key; this is a new requirement for signing drivers. The driver installation is simple: Inno Setup puts the .sys file in \Windows\System32\driver and registers it with sc create. And still, on Windows 10, the CreateFile call returns [2] The system cannot find the file specified. If Windows 10 is booted with driver signature enforcement disabled, it works. But only that way. Otherwise there is still a message that an unsigned driver is installed. What else can they want for it to work? Thanks.

2

Re: Windows 10 signature enforcement - what do they want?

Hello, NiJazz, you wrote:

NJ> The driver installation is simple: Inno Setup puts the .sys file in \Windows\System32\driver and registers it with sc create.
NJ> And still, on Windows 10, the CreateFile call returns [2] The system cannot find the file specified.
NJ> If Windows 10 is booted with driver signature enforcement disabled, it works. But only that way. Otherwise there is still a message that an unsigned driver is installed.
NJ> What else can they want for it to work?

I have not looked at this for a very long time, but perhaps the CAT is not signed? Also, it is not entirely clear what CreateFile has to do with it. Do you mean opening the virtual device created by the driver, or what? To begin with, it would not hurt to run sc query on this driver and see what its status is, and to look in the Event Viewer for what it says on the subject.

3

Re: Windows 10 signature enforcement - what do they want?

Hello, NiJazz, you wrote:

NJ> The driver installation is simple: Inno Setup puts the .sys file in \Windows\System32\driver and registers it with sc create.
NJ> And still, on Windows 10, the CreateFile call returns [2] The system cannot find the file specified.

It is not about the signature. Most likely Inno Setup, being a 32-bit program, puts the driver in :\Windows\SysWOW64\drivers, where Windows will not find it because it does not look there. It is necessary to enable 64-bit mode in , more details here.

4

Re: Windows 10 signature enforcement - what do they want?

Hello, NiJazz, you wrote:

NJ> If Windows 10 is booted with driver signature enforcement disabled, it works. But only that way. Otherwise there is still a message that an unsigned driver is installed.
NJ> What else can they want for it to work?

Also, if Secure Boot is enabled, even an EV-signed driver will not load. You did not make it clear whether you got the driver signed by MS or not. The process is called attestation signing and is described here.

5

Re: Windows 10 signature enforcement - what do they want?

Hello, the Black Lord, you wrote:

> The process is called attestation signing and is described here.

For what it's worth, an attestation signature is not enough for Virtualization-based Security to work; a WHQL signature is required.

6

Re: Windows 10 signature enforcement - what do they want?

Hello, NiJazz, you wrote:

NJ> Then we sent this certificate to Microsoft, signing their file with our key; this is a new requirement for signing drivers.

Make sure that you have completed all the steps required for signing the driver. Sending MS their file signed with your certificate is a one-time procedure required for registering a Developer's Account. After that, each build of the driver has to be submitted for signing. Also, this procedure is tailored to PnP drivers: that is, the submitted CAB package must contain an INF file, for which MS generates and signs a CAT file. They also sign the SYS files. Your driver does not actually have to be PnP, but you need to make a syntactically correct INF file (it is not mandatory to use it afterwards). How to make such a legacy INF file is written somewhere in the articles on the MS site.

NJ> If Windows 10 is booted with driver signature enforcement disabled, it works. But only that way. Otherwise there is still a message that an unsigned driver is installed.

If everything works normally with signature checking disabled, then Inno Setup puts the driver in the correct directory (but make sure everything works on 64-bit systems too). And it is better to check driver loading directly, through sc query or debug messages from the driver, since an IRP_CREATE request may fail to reach even a working driver, and you would be looking for the problem in the wrong place.
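The checks suggested across this thread (file location under WOW64 redirection, service state via the same data sc query shows, signature, Secure Boot, Code Integrity events) gathered into one PowerShell script. This is an added example, not code from any poster; `MyDriver` and `mydriver.sys` are placeholder names for the service and file.

```powershell
param(
    [string]$ServiceName = 'MyDriver',      # placeholder: the name given to "sc create"
    [string]$SysFile     = 'mydriver.sys'   # placeholder: the driver file name
)

# 1. Where did the installer actually put the file?
#    A 32-bit process writing to System32 is redirected to SysWOW64.
#    From a 32-bit shell, the Sysnative alias reaches the real System32.
$wow64    = [Environment]::Is64BitOperatingSystem -and -not [Environment]::Is64BitProcess
$sysDir   = if ($wow64) { 'Sysnative' } else { 'System32' }
$realPath = Join-Path $env:windir "$sysDir\drivers\$SysFile"
$wowPath  = Join-Path $env:windir "SysWOW64\drivers\$SysFile"
"In System32\drivers (real directory):        $(Test-Path -LiteralPath $realPath)"
"In SysWOW64\drivers (redirected 32-bit write): $(Test-Path -LiteralPath $wowPath)"

# 2. Service registration, state and the image path the SCM will load.
$svc = Get-CimInstance Win32_SystemDriver -Filter "Name='$ServiceName'"
if ($svc) { $svc | Format-List Name, State, StartMode, PathName, ExitCode }
else      { "Service '$ServiceName' is not registered." }

# 3. Signature on the file. This is the user-mode trust check only;
#    a 'Valid' status does not prove the kernel's signing policy accepts it.
if (Test-Path -LiteralPath $realPath) {
    Get-AuthenticodeSignature -LiteralPath $realPath |
        Format-List Status, StatusMessage,
            @{ n = 'Signer'; e = { $_.SignerCertificate.Subject } },
            @{ n = 'Issuer'; e = { $_.SignerCertificate.Issuer } }
}

# 4. Secure Boot state (needs an elevated shell; fails on legacy BIOS).
try   { "Secure Boot enabled: $(Confirm-SecureBootUEFI -ErrorAction Stop)" }
catch { "Secure Boot state unavailable: $($_.Exception.Message)" }

# 5. Recent Code Integrity events that mention the driver file.
Get-WinEvent -LogName 'Microsoft-Windows-CodeIntegrity/Operational' `
             -MaxEvents 200 -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -like "*$SysFile*" } |
    Select-Object TimeCreated, Id, Message |
    Format-List
```

Run it from an elevated prompt on the affected Windows 10 machine, for example `.\Check-Driver.ps1 -ServiceName <name> -SysFile <file>.sys` (the script file name is also a placeholder).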

7

Re: Windows 10 signature enforcement - what do they want?

Hello, the Black Lord, you wrote:

> It is necessary to enable 64-bit mode in , more details here.

That is in order; it puts the file where it should, everything is enabled.

8

Re: Windows 10 signature enforcement - what do they want?

Hello, Evgenie Muzychenko, you wrote:

EM> Make sure that you have completed all the steps required for signing the driver. Sending MS their file signed with your certificate is a one-time procedure required for registering a Developer's Account. After that, each build of the driver has to be submitted for signing. Also, this procedure is tailored to PnP drivers: that is, the submitted CAB package must contain an INF file, for which MS generates and signs a CAT file. They also sign the SYS files.

To tell the truth, I (not without simplification) delegated this registration to a manager, but I too understood it as him submitting each build for an additional signature, but he assured me that it is not necessary. So the circus continues.

EM> Your driver does not actually have to be PnP, but you need to make a syntactically correct INF file (it is not mandatory to use it afterwards). How to make such a legacy INF file is written somewhere in the articles on the MS site.

But isn't the minimal INF file taken from the WDK samples sufficient? It is not used during registration through Inno Setup, but it is used manually in testing.

EM> If everything works normally with signature checking disabled, then Inno Setup puts the driver in the correct directory (but make sure everything works on 64-bit systems too). And it is better to check driver loading directly, through sc query or debug messages from the driver, since an IRP_CREATE request may fail to reach even a working driver, and you would be looking for the problem in the wrong place.

With the folders everything is definitely , the problem arose only in Windows 10; before that both amd64 and x86 worked perfectly. Thanks!