How to permanently disable Driver Signing during Windows setup


#1
tomasz86

I've found a very simple way to completely disable Driver Signing during Windows setup without using hacked DLLs or any other 3rd party tools. It still has to be polished and made more automated as at the moment you need to have another working Windows to apply the required settings.

This guide is written for Windows 2000 but you should be able to do the same in XP/2003:

  • Open I386\hivesft.inf, scroll it to the bottom and add:

    [AddReg]
    HKLM,"SOFTWARE\Microsoft\Driver Signing","Policy",0x00000001,00
  • Prepare your boot media (CD, HDD, USB flash disk, etc.) and start the installation.
  • After the first part of partitioning and file copying has finished don't continue with the GUI part but rather boot to another working Windows installation or move the media to another computer.
  • Go to X:\WINNT\system32\config (X being the letter of the partition / drive where you've just started the installation), open a commandline window and type:

    reg load hku\custom software
    The M$ tool REG.EXE is required to do this step. It's available by default in XP/2003 and it's located in SUPPORT.CAB on the Windows 2000 CD (it's also possible to use the XP version in 2K but not the one from 2003).
  • Open REGEDT32.EXE, go to HKU\custom\Microsoft, select "Driver Signing", open Security -> Permissions and deny Full Control for both Administrators and SYSTEM (not sure yet whether both of them are absolutely necessary; maybe only one of them would be enough).
  • Once again go to X:\WINNT\system32\config and type in commandline:

    reg unload hku\custom
  • Reboot / move the media back and continue with the Windows installation. You won't see any prompts concerning unsigned drivers any more :) If you check the setuperr.log you will see something like this:

    Warning:

    Setup was unable to configure the policy for verification of drivers during system installation. The error code is 5.

    ***

    but you can safely ignore it.
At the moment I'm working on setting the permissions automatically so that everything would be done inside Windows setup without the need to boot to another Windows in order to configure them.

Edited by tomasz86, 21 September 2012 - 10:24 PM.

Unofficial Service Pack 5.2 for MS Windows 2000 <- use this topic if you need help with UURollup, Update Rollup 2 and other unofficial packages



#2
jaclaz

I am not sure I understand.
Why can't one use the UNattended setting:
http://technet.micro...y/cc977156.aspx
and later fix the permission issue? :unsure:
In case you need to do it "before install", the usual approach to reset/set permissions is changing setupreg.hiv, similar to this:
http://www.911cd.net...pic=15138&st=29

jaclaz

#3
tomasz86

I need to use a universal method because I'm going to add new drivers to driver.cab in USP5.2 and in order to do so it's necessary to modify their INF files. Doing so will break the signatures. Therefore using [Unattended] is out of the question here :whistle: and I'd like to avoid disabling SFC if possible.

Isn't SETUPREG.HIV only for HKLM\SYSTEM entries? I need to change the ones under HKLM\SOFTWARE. I've already tried to use the NT4.0 approach and prepare a pre-compiled "%SystemRoot%\system32\config\software" file (NT4.0 doesn't use hive*.inf files) with the permissions defined but unfortunately all registry files are automatically reset at the end of the text setup just before the hive files are applied.

I know how to set the permissions from commandline using SubInACL (even though it's an MSI file you can just unpack it using 7-Zip and use subinacl.exe):

subinacl.exe /subkeyreg "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Driver Signing" /deny=Administrator
subinacl.exe /subkeyreg "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Driver Signing" /deny=SYSTEM
Now the problem is how to run these two commands either at the very end of the text setup or in the very beginning of the GUI setup. It has to be done before the GUI setup replaces the modified Driver Signing Policy value with its default one.

Edited by tomasz86, 22 September 2012 - 04:16 AM.


#4
jaclaz


Isn't SETUPREG.HIV only for HKLM\SYSTEM entries? I need to change the ones under HKLM\SOFTWARE.

Yes, my bad, overlooked that. :(

Usual semi-random idea :w00t:
Mixing *somehow* runonce-ex:
http://gosh.msfn.org...g_runonceex.htm
with setup security.inf?
http://www.microsoft...s.mspx?mfr=true

jaclaz

#5
tomasz86

I've already tried:

RunOnce
RunOnce\setup
RunOnceEx
but the problem is that all of them are executed too late (at the famous T-13 stage) so they can't be used in this particular case. I don't know too much about security.inf but it's stated that those settings are for NTFS only (FAT's not supported).

I've found one interesting thing and I'm looking at it at the moment. Several services are started during the GUI setup and I'm going to try adding a batch script with the lines mentioned above (#3) as service. I'm talking about the list under HKLM\SYSTEM\Setup\AllowStart which looks like this in Win2k:

AFD
EventLog
PlugPlay
ProtectedStorage
Rpcss
SamSs
Seclogon
WS2IFSL

Edit: http://support.micro....com/kb/q243486 & http://support.microsoft.com/kb/137890

Edited by tomasz86, 22 September 2012 - 09:58 AM.


#6
cdob


Now the problem is how to run these two commands either at the very end of the text setup or in the very beginning of the GUI setup.

The classic approach uses a third party fake setup.exe
http://www.msfn.org/...rivers-from-cd/
WatchDriverSigningPolicy.exe has to run at PNP part always.

Post #837 http://www.msfn.org/...i/page__st__825
describes an example to fix driver signing state.
Run dsigning.exe first and continue.


By contrast, XP bth.inf lists a registry security example [BthPort.NT.Setup.AddReg.Security]
Can security settings be added to hivesft.inf?

INF AddReg Directive

An add-registry-section can have any number of entries, each on a separate line. An INF can also contain one or more optional add-registry-section.security sections, each specifying a security descriptor that is applied to all registry values described within a named add-registry-section.



#7
tomasz86

I want to do this without using any 3rd party tools ;) and I've almost managed to do it by running subinacl.exe as a service... but this AddReg security thing looks very promising. I knew that secedit.exe can be used to modify permissions but didn't know that you can do it directly from INF. I wonder whether it's supported in Win2k too. I'll give it a try and report the results.

#8
tomasz86

This is getting way more difficult than I initially thought it would be...


  • By contrast, XP bth.inf lists a registry security example [BthPort.NT.Setup.AddReg.Security]
    Can security settings be added to hivesft.inf?

    I've tried adding this to TXTSETUP.SIF:

    [HiveInfs.Fresh]
    AddReg = hivesft.inf,AddReg.DrvSign
    and this to HIVESFT.INF:

    [AddReg.DrvSign]
    HKLM,"SOFTWARE\Microsoft\Driver Signing",,0x00000010
    HKLM,"SOFTWARE\Microsoft\Driver Signing","Policy",0x00000001,00
    
    [AddReg.DrvSign.Security]
    "D:P(A;CI;GA;;;BA)(A;CI;GA;;;SY)"
    Frankly speaking, I'm completely confused about the security settings here. The above example is taken from http://msdn.microsof...y/aa377450.aspx and is supposed to do this:

    the meaning of the string is that administrators have full control, system has full control, and access is inheritable to all subkeys

    I just took it as an example. By default there are no permissions defined for the registry key (empty boxes next to Administrators and SYSTEM). Unfortunately there is no effect of such settings. I don't know if it's me doing it wrongly or maybe these settings can't be applied from TXTSETUP.SIF. I'd be very thankful for more information about this from someone more knowledgeable than myself.
  • I've been trying to run "subinacl.exe" as a service but it doesn't work either. I've tried to run it directly by using SHIFT+F10 to open a CMD window at the beginning of the GUI setup but typing "subinacl.exe" doesn't produce any output. Maybe it's too early to support this kind of tool or there are some unfixed dependencies (the system used for testing is a clean Win2k SP4 with no other updates integrated).

    This is how I added the service using HIVESYS.INF:

    [AddReg]
    
    HKLM,"SYSTEM\CurrentControlSet\Services\subinacl","Type",0x00010001,10,00,00,00
    HKLM,"SYSTEM\CurrentControlSet\Services\subinacl","Start",0x00010001,02,00,00,00
    HKLM,"SYSTEM\CurrentControlSet\Services\subinacl","ErrorControl",0x00010001,01,00,00,00
    HKLM,"SYSTEM\CurrentControlSet\Services\subinacl","ImagePath",0x00020000,"%SystemRoot%\system32\srvany.exe"
    HKLM,"SYSTEM\CurrentControlSet\Services\subinacl","DisplayName",0x00000000,"subinacl"
    HKLM,"SYSTEM\CurrentControlSet\Services\subinacl","ObjectName",0x00000000,"LocalSystem"
    HKLM,"SYSTEM\CurrentControlSet\Services\subinacl\Parameters","Application",0x000000000,"subinacl.exe /keyreg ""HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Driver Signing"" /deny=Administrators"
    
    HKLM,"SYSTEM\Setup\AllowStart\subinacl",,0x00000010
    This does work in a running system.
At the moment I still need to do more tests related to the service because I don't know whether it runs but fails or rather doesn't run at all. This is a "standard" list of services which are started at the beginning of the GUI setup:

Spoiler

I've also found out that (most of?) system files are not registered yet at this stage so it's necessary to always use full paths, ex. "%systemroot%\regedit" instead of just "regedit".

Edited by tomasz86, 23 September 2012 - 05:23 AM.


#9
dencorso


Try to set Start = 1 (system) or even 0 (boot), instead of 2 (automatic). It's a longshot, but may work.

#10
tomasz86

The service does start. I've just checked it once again. The problem is that "subinacl.exe" doesn't want to work at this stage of the Windows setup :} I'm now going to try setting the permissions through an INF file launched from commandline run as a service.

I've finally managed to find this:


http://msdn.microsof...e/gg487483.aspx

This is the REG file:

[version]
Signature="$Windows NT$"

[DefaultInstall]
AddReg=AddReg.DrvSign

[AddReg.DrvSign]
HKLM,"SOFTWARE\Microsoft\Driver Signing",,0x00000010
HKLM,"SOFTWARE\Microsoft\Driver Signing","Policy",0x00000001,00

[AddReg.DrvSign.Security]
"D:P(D;;GA;;;SY)"

Would running

rundll32 setupapi,InstallHinfSection DefaultInstall 132 drvsign.inf
be enough? I've just tried to run it but it hasn't affected the permissions...

Edited by tomasz86, 23 September 2012 - 06:18 AM.


#11
jaclaz

Unless I am mistaken, subinacl.exe is anyway a "third-party" tool in the sense that it is in the Resource Kit.

Just for the record:
http://sourceforge.n...ource=directory
http://sourceforge.n.../aclutil/files/

http://www.windowsne...ommandLine.html
http://helgeklein.com/setacl/examples/
http://web.archive.o...~micro/regperm/
http://www.softpedia...egSecEdit.shtml

Maybe some of these can run "earlier" :unsure:

Also, maybe useful, maybe not :unsure: :
http://www.msfn.org/...rack-passwords/


jaclaz

Edited by jaclaz, 23 September 2012 - 07:54 AM.


#12
tomasz86

By "3rd party" tools I meant the ones not coming from M$ ;) but of course I'll try them if there's no other way to get it done.

"Regini.exe" is kind of interesting. I've already seen it mentioned before but (like listed here) I thought that it was only able to add new permissions but not "deny" any access. Now I'm seeing this:

When you use Regini in this way, it actually replaces all permissions with those specified in the script, so to change "Everyone-Read" to "Everyone-Full Control," the new permission (number 7) must be applied, along with the other existing permissions

so it seems that setting "Administrators" to read-only may actually work. I need to try using it during the GUI setup. Regini.exe itself is kind of primitive when compared to subinacl.exe so there's probably higher probability that it will work.

Now I'm really curious why the security settings added through INF don't work (see #10). For testing purposes I've even tried applying the already mentioned BTH.INF from XP (after removing all other unrelated entries) and still the permissions didn't change after doing it :unsure: I'm talking about a running system, not only the GUI setup.

Edited by tomasz86, 23 September 2012 - 10:33 AM.


#13
cdob


I want to do this without using any 3rd party tools ;) and I've almost managed to do it by running subinacl.exe

Well, subinacl is not a default application. Created by OS manufacturer.
Is this referred to as a 1st, 2nd or 3rd party tool?


this AddReg security thing looks very promising.


Try at XP first:
txtsetup.sif
[SourceDisksFiles]
dSigning.inf = 1,,,,,,_x,,3,3

[HiveInfs.Fresh]
AddReg = dSigning.inf,DriverSigning.AddReg

[HiveInfs.Upgrade]
AddReg = dSigning.inf,DriverSigning.AddReg

dosnet.inf
[Files]
D1,dSigning.inf

dSigning.inf
[Version]
Signature="$CHICAGO$"

[DefaultInstall]
DelReg=DriverSigning.DelReg
AddReg=DriverSigning.AddReg

[DriverSigning.DelReg]
HKLM,"SOFTWARE\Microsoft\Driver Signing"
HKLM,"SOFTWARE\Microsoft\Driver Signing debug"

[DriverSigning.AddReg]
HKLM,"SOFTWARE\Microsoft\Driver Signing","Policy",0x1,00
HKLM,"SOFTWARE\Microsoft\Driver Signing debug","Policy",0x1,00

[DriverSigning.AddReg.Security]
"D:P(A;;GR;;;SY)(A;;GR;;;WD)"
Example inf file Un-grpconv.inf
http://technet.micro...lletin/ms04-037

Driver Signing policy is set to 00 at end of textmode.
And is available at full installed XP still.

No idea about 2000.


Added:
Driver Signing policy is set to 00. However driver has to be signed still.

Added2:
Driver Signing policy is at strange state:
An edited usbstor.inf added
GUI mode PNP does install USB storage device without a message.
Full installed XP asks for drivers, if a new USB device attached.
Seems to be nice work around as for GUI mode PNP.

Correction:
I apologize: winnt.sif DriverSigningPolicy=Ignore was set in addition.
That's nonsense of course.

dSigning.inf is added at end of textmode, security settings are set.
However system is owner still.
System PNP part does reset the Driver Signing setting.
Driver Signing is required at PNP part.

Edited by cdob, 23 September 2012 - 10:56 PM.
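The three `.Security` strings tried in the posts above, decoded: this is an added example, not code from any participant in the thread. It parses only the DACL (`D:`) part of an SDDL string, reduces rights to coarse read/write, and the two token sets are assumptions about typical group membership.

```python
import re

# SID aliases and rights codes from the SDDL grammar; only those relevant to
# registry-key DACLs such as the ones quoted in this thread.
SIDS = {"BA": "BUILTIN\\Administrators", "SY": "NT AUTHORITY\\SYSTEM",
        "WD": "Everyone", "AU": "Authenticated Users", "BU": "BUILTIN\\Users"}
# Coarse operations each rights code covers on a registry key.
RIGHTS = {"GA": {"read", "write"}, "KA": {"read", "write"},
          "GR": {"read"}, "KR": {"read"}, "GX": {"read"}, "KX": {"read"},
          "GW": {"write"}, "KW": {"write"}}
ACE_FLAGS = {"CI", "OI", "NP", "IO", "ID"}
DACL_RE = re.compile(r"D:(?P<flags>(?:P|AR|AI)*)(?P<aces>(?:\([^()]*\))+)")

# Alias sets standing in for access tokens (assumption: typical group
# membership of the LocalSystem account and of a local administrator).
SYSTEM_TOKEN = {"SY", "BA", "WD", "AU"}
ADMIN_TOKEN = {"BA", "BU", "WD", "AU"}


def _codes(text, allowed, what):
    """Split a run of two-letter codes such as 'CIIO' and validate each one."""
    codes = [text[i:i + 2] for i in range(0, len(text), 2)]
    for code in codes:
        if code not in allowed:  # hex access masks are not decoded here
            raise ValueError(f"unsupported {what} code {code!r}")
    return codes


def parse_dacl(sddl):
    """Parse the D: component of an SDDL string (surrounding quotes allowed)."""
    match = DACL_RE.search(sddl.strip().strip('"'))
    if not match:
        raise ValueError("no DACL (D:) component found")
    aces = []
    for body in re.findall(r"\(([^()]*)\)", match.group("aces")):
        fields = body.split(";")
        if len(fields) != 6:
            raise ValueError(f"an ACE has six fields, got ({body})")
        ace_type, flags, rights, _guid, _inherit_guid, sid = fields
        if ace_type not in ("A", "D"):
            raise ValueError(f"unsupported ACE type {ace_type!r}")
        covered = set()
        for code in _codes(rights, RIGHTS, "rights"):
            covered |= RIGHTS[code]
        aces.append({"type": "allow" if ace_type == "A" else "deny",
                     "flags": _codes(flags, ACE_FLAGS, "ACE flag"),
                     "rights": covered, "sid": sid})
    # 'P' (protected) stops ACEs from being inherited from the parent key.
    return {"protected": "P" in match.group("flags"), "aces": aces}


def check_access(dacl, token, operation):
    """Walk the ACEs in order; the first one that names a SID in the token
    and covers the operation decides. No match means access is refused."""
    for ace in dacl["aces"]:
        if "IO" in ace["flags"]:  # inherit-only: applies to subkeys only
            continue
        if ace["sid"] in token and operation in ace["rights"]:
            return ace["type"]
    return "implicit-deny"


def describe(sddl):
    """Return one readable line per ACE."""
    lines = []
    for ace in parse_dacl(sddl)["aces"]:
        rights = ", ".join(sorted(ace["rights"])) or "none"
        flags = f" [{'+'.join(ace['flags'])}]" if ace["flags"] else ""
        name = SIDS.get(ace["sid"], ace["sid"])
        lines.append(f"{ace['type']} {name}: {rights}{flags}")
    return lines


if __name__ == "__main__":
    for sddl in ('"D:P(A;CI;GA;;;BA)(A;CI;GA;;;SY)"',   # MSDN sample, reply #8
                 '"D:P(D;;GA;;;SY)"',                   # reply #10
                 '"D:P(A;;GR;;;SY)(A;;GR;;;WD)"'):      # reply #13
        print(sddl)
        for line in describe(sddl):
            print("   ", line)
        verdict = check_access(parse_dacl(sddl), SYSTEM_TOKEN, "write")
        print("    SYSTEM write:", verdict)
```

`check_access` looks at ACEs only: the owner of a key is implicitly allowed to rewrite its DACL whatever the ACEs say, so a read-only or deny entry for an account that still owns the key does not stop that account from resetting the permissions.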


#14
tomasz86

@cdob

It seems that setting DriverSigningPolicy=Ignore in WINNT.SIF changes the registry value to 00. That's why the signing policy had been first disabled during the GUI setup but available later after the system was started for the first time. I've found out that there are two checks for the policy during the GUI setup - one at the very beginning and another one near the end. This would explain how the policy is turned off (due to the WINNT.SIF settings) and then turned on after the setup has finished.

I've done some testing with XP but I couldn't manage to make the AddReg Security settings through TXTSETUP.SIF work. On the other hand, REGINI.EXE does work and it's possible to adjust the permission settings when it's run as a service. I set "Administrators" to read only and the system was unable to change it :) It remained switched off from the beginning till the end. Now I only need to prepare a script which would add all the necessary settings automatically - add/change lines in TXTSETUP.SIF, HIVESYS.INF and DOSNET.INF. Actually, the only required tool which is not available in Windows by default is SRVANY.EXE because REGINI.EXE is actually present in all Windows 2000/XP/2003. The only problem is that it's not copied to the Windows folder by default (it's just available on the CD) so it's necessary to change the line in TXTSETUP.SIF so that it will be copied to %SystemRoot%\system32.

In order to use REGINI.EXE it's necessary to create a text file (regini.txt here) with the following info:

"\registry\machine\software\microsoft\driver signing" [2]
and then run:

regini regini.txt
Later after I've finished testing and preparing the scripts I'll post a detailed guide about what's got to be done in details.

#15
jaclaz

Humble :w00t: suggestion (replacements for SRVANY):
http://nssm.cc/
http://www.softpedia...BC-SrvAny.shtml
More:
http://www.msfn.org/...m-as-a-service/
(cannot say if any will do in your setup)

I still see a Reskit only tool as "third party" as "anything else", but additionally NOT redistributable :ph34r: .

jaclaz

#16
tomasz86

Well, if possible I'd still prefer to use M$ tools in this case. Anyone can download Windows Server 2003 Resource Kit Tools and extract SRVANY.EXE from there.

By the way, REGINI.EXE itself is quite interesting. This works:

  • regini.txt

    \registry\machine\software\microsoft\driver signing[2]
    Policy=REG_BINARY 0x00000001 00
    No quotes are required, some spaces can be omitted and it still works properly. The above configuration sets the Policy value to 00 and sets permissions for "Administrators" to read only.
  • regini regini.txt

At the moment I'm testing something like this as service:

cmd.exe /c "CD/D %SystemRoot%\system32& (ECHO \registry\machine\software\microsoft\driver signing[2]& ECHO Policy=REG_BINARY 0x00000001 00)>dsigning.txt& REGINI.EXE dsigning.txt& NET.EXE STOP dsigning& REG.EXE DELETE HKLM\SYSTEM\CurrentControlSet\Services\dsigning /F& DEL dsigning.txt"
so that the TXT file will be created on the fly and later the service will be automatically stopped and removed.

HIVESYS.INF settings:

[AddReg]
HKLM,"SYSTEM\CurrentControlSet\Services\dsigning","Type",0x00010001,10,00,00,00
HKLM,"SYSTEM\CurrentControlSet\Services\dsigning","Start",0x00010001,02,00,00,00
HKLM,"SYSTEM\CurrentControlSet\Services\dsigning","ErrorControl",0x00010001,01,00,00,00
HKLM,"SYSTEM\CurrentControlSet\Services\dsigning","ImagePath",0x00020000,"%SystemRoot%\system32\srvany.exe"
HKLM,"SYSTEM\CurrentControlSet\Services\dsigning","DisplayName",0x00000000,"dsigning"
HKLM,"SYSTEM\CurrentControlSet\Services\dsigning","ObjectName",0x00000000,"LocalSystem"
HKLM,"SYSTEM\CurrentControlSet\Services\dsigning\Parameters","Application",0x00000000,"cmd.exe /c ""CD/D %SystemRoot%\system32& (ECHO \registry\machine\software\microsoft\driver signing[2]& ECHO Policy=REG_BINARY 0x00000001 00)>dsigning.txt& REGINI.EXE dsigning.txt& NET.EXE STOP dsigning& REG.EXE DELETE HKLM\SYSTEM\CurrentControlSet\Services\dsigning /F& DEL dsigning.txt"""
HKLM,"SYSTEM\Setup\AllowStart\dsigning",,0x00000010


#17
jaclaz


Well, if possible I'd still prefer to use M$ tools in this case. Anyone can download Windows Server 2003 Resource Kit Tools and extract SRVANY.EXE from there.

Until the good MS guys decide to remove it..... :whistle: :ph34r:
If possible it is always better (iMHO) to use freely redistributable tools.

jaclaz

#18
tomasz86


Until the good MS guys decide to remove it..... :whistle: :ph34r:
If possible it is always better (iMHO) to use freely redistributable tools.

In this particular case I'm going to use this method in the future USP5.2 and even though it's an unofficial SP I still think that sticking to M$ tools is preferable. Of course everyone can use different applications to run the script as service if you wish ;) I'm not going to provide any files in this topic as it's just informative. If someone's interested then he can do everything himself basing on the instructions.

After testing I can confirm that this script can be launched as a service:

cmd.exe /c ""(ECHO \registry\machine\software\microsoft\driver signing[2]& ECHO Policy=REG_BINARY 0x00000001 00)>%SystemRoot%\system32\dsigning.txt& REGINI.EXE %SystemRoot%\system32\dsigning.txt& DEL %SystemRoot%\system32\dsigning.txt""

It's not possible to stop & remove the service from the same commandline when it's launched as the same service so I'm going to stop & remove it using RunOnce or maybe svcpack.inf.

#19
cdob


I've done some testing with XP but I couldn't manage to make the AddReg Security settings through TXTSETUP.SIF work.

Yes, I've no success too after testing. Setup seems not to set AddReg security at textmode.

REGINI.EXE does work and it's possible to adjust the permission settings

That's nice.

At XP: Running CMD.EXE as Local System http://blogs.msdn.co.../27/271063.aspx

Running cmd as system and driver signing set:
[SourceDisksFiles]
regini.exe   = 1,,,,,,,2,0,0
[DriverSigning.AddReg]
HKLM,"SYSTEM\Setup\AllowStart\SystemCmd",,0x10
HKLM,"SYSTEM\CurrentControlSet\Services\SystemCmd","Type",0x10001,0x110
HKLM,"SYSTEM\CurrentControlSet\Services\SystemCmd","Start",0x10001,0x2
HKLM,"SYSTEM\CurrentControlSet\Services\SystemCmd","ErrorControl",0x10001,0x1
;HKLM,"SYSTEM\CurrentControlSet\Services\SystemCmd","ImagePath",0x20000,"cmd.exe /k start cmd.exe"
;debug: &pause
HKLM,"SYSTEM\CurrentControlSet\Services\SystemCmd","ImagePath",0x20000,"cmd.exe /c start cmd.exe /c ""(ECHO \registry\machine\software\microsoft\driver signing[2]& ECHO Policy=REG_BINARY 0x00000001 00)>\dsigning.txt& REGINI.EXE \dsigning.txt& pause& DEL \dsigning.txt"""
HKLM,"SYSTEM\CurrentControlSet\Services\SystemCmd","ObjectName",0x0,"LocalSystem"

HKLM,"SYSTEM\CurrentControlSet\Services\SystemCmd\Enum","0",0x0,"Root\LEGACY_SYSTEMCMD\0000"
HKLM,"SYSTEM\CurrentControlSet\Services\SystemCmd\Enum","Count",0x10001,0x1
HKLM,"SYSTEM\CurrentControlSet\Services\SystemCmd\Enum","NextInstance",0x10001,0x1

HKLM,"SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SYSTEMCMD","NextInstance",0x10001,0x1
HKLM,"SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SYSTEMCMD\0000","Service",0x0,"SystemCmd"
HKLM,"SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SYSTEMCMD\0000","Legacy",0x10001,0x1
HKLM,"SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SYSTEMCMD\0000","ConfigFlags",0x10001,0x0
HKLM,"SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SYSTEMCMD\0000","Class",0x0,"LegacyDriver"
HKLM,"SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SYSTEMCMD\0000","ClassGUID",0x0,"{8ECC055D-047F-11D1-A537-0000F8753ED1}"
HKLM,"SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SYSTEMCMD\0000","DeviceDesc",0x0,"SystemCmd"
HKLM,"SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SYSTEMCMD\0000\Control","*NewlyCreated*",0x10001,0x1
A cleaning "sc.exe delete SystemCmd" would be nice in addition.

Driver Signing is set to 0. And disabled at GUI mode setup.
No question at PNP unsigned *.inf files.

However driver Signing is required at full installed XP, despite Driver Signing state 0x0 still.

#20
tomasz86

This is very interesting. It shall be possible to avoid using SRVANY.EXE at all :)

I'd like not to rely on SC.EXE because it's not available in 2K. That's why I'm trying to remove the service from the registry using REG.EXE which is available by default in XP/2003 and also in 2K's SUPPORT.CAB.

This may be necessary to suppress driver signing in the running system:

hivedef.inf
[AddReg]
HKCU,"SOFTWARE\Policies\Microsoft\Windows NT\Driver Signing","BehaviorOnFailedVerify",0x00010001,0

Edit: Actually NET STOP works too:

cmd.exe /c ""(ECHO \registry\machine\software\microsoft\driver signing[2]& ECHO Policy=REG_BINARY 0x00000001 00)>\dsigning.txt& REGINI.EXE \dsigning.txt& DEL \dsigning.txt& NET STOP dsigning""
so it is possible to stop the service but not possible to remove it at once.

Edit 2: But it seems that there's no need to use NET STOP in case of a cmd.exe service because it's always terminated automatically.

Edited by tomasz86, 26 September 2012 - 05:17 AM.


#21
cdob


It shall be possible to avoid using SRVANY.EXE at all :)

Yes, that's the idea.
Does system cmd work at Windows 2000 too?

That's why I'm trying to remove the service from the registry using REG.EXE which is available by default in XP/2003 and also in 2K's SUPPORT.CAB.

HKLM,"SYSTEM\CurrentControlSet\Services\SystemCmd","ImagePath",0x20000,"cmd.exe /c start cmd.exe /c ""(ECHO \registry\machine\software\microsoft\driver signing[2]& ECHO Policy=REG_BINARY 0x00000001 00)>\dsigning.txt& REGINI.EXE \dsigning.txt& DEL \dsigning.txt& reg.exe delete HKLM\System\CurrentControlSet\Services\SystemCMD /f"""
The service is deleted itself.
However there are Enum traces still. I feel free to ignore Enum parts.

This may be necessary to suppress driver signing in the running system:

No luck with BehaviorOnFailedVerify.
Can be XP SP3. If I remember correctly, there had been some changes.

In addition:
Some driver signing hints from 2005: http://blogmal.42.or...riversign.story
Works at gui mode setup. And doesn't work at installed XP SP3 anymore.
It's the same pattern, I've no explanation.

#22
tomasz86

Thank you very much for help. Actually this is everything what's required:

hivesft.inf
[AddReg]
HKLM,"SYSTEM\CurrentControlSet\Services\dsigning","Type",0x10001,0x10
HKLM,"SYSTEM\CurrentControlSet\Services\dsigning","Start",0x10001,0x2
HKLM,"SYSTEM\CurrentControlSet\Services\dsigning","ErrorControl",0x10001,0x1
HKLM,"SYSTEM\CurrentControlSet\Services\dsigning","ImagePath",0x20000,"cmd /c start cmd /c ""(echo \registry\machine\software\microsoft\driver signing[2]& echo policy=reg_binary 0x00000001 00)>\dsigning.txt& regini \dsigning.txt& del \dsigning.txt& for %%i in (HKLM\SYSTEM\CurrentControlSet\Services\dsigning HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_DSIGNING HKLM\SYSTEM\Setup\AllowStart\dsigning) do reg delete %%i /f"""
HKLM,"SYSTEM\CurrentControlSet\Services\dsigning","ObjectName",,"LocalSystem"
HKLM,"SYSTEM\Setup\AllowStart\dsigning",,0x10
The other entries (Enum, etc.) are unnecessary. I've just tested it in 2K & XP.

I'll try to check what the problem with driver signing in a running system is about.

Edit: Fixed the script. The Enum entries are automatically created when the service is started so even though it's unnecessary to create them manually, they still have to be deleted later. The HKLM\SYSTEM\Setup\AllowStart\dsigning key also can be removed.

Edited by tomasz86, 26 September 2012 - 07:27 AM.


#23
jaclaz


In addition:
Some driver signing hints from 2005: http://blogmal.42.or...riversign.story
Works at gui mode setup. And doesn't work at installed XP SP3 anymore.
It's the same pattern, I've no explanation.

Which brings us "back" to:
http://reboot.pro/3095/
but it can't be made in scripting (without the third party program posted on reboot.pro) without a MD5 hash calculator (a third party in itself) :unsure:

jaclaz

#24
tomasz86

I've found the culprit.

The permissions are reset as soon as the drivers installation begins. Even though the service sets them to read only they're still somehow reset later. This doesn't happen when you deny access to them manually.

I'm talking about this moment:

Spoiler

What's important is that the Policy settings are still "00"! The problem is that they are changed to 01 again later because the read only permissions are no longer valid.

I did a test and didn't remove the "dsigning" service so it ran twice - in the beginning of the GUI setup and during the first system start up too. It set the permissions again and I was able to install an unsigned driver without warnings. Now there's an issue with the service because it always stops with an error and, while it was invisible during the GUI setup, the error window pops up during the first system booting :}

#25
tomasz86

Changing "ErrorControl" to "0" fixed the problem. This is the current version:

[AddReg]
HKLM,"SYSTEM\CurrentControlSet\Services\dsigning","Type",0x10001,0x10
HKLM,"SYSTEM\CurrentControlSet\Services\dsigning","Start",0x10001,0x2
HKLM,"SYSTEM\CurrentControlSet\Services\dsigning","ErrorControl",0x10001,0x0
HKLM,"SYSTEM\CurrentControlSet\Services\dsigning","ImagePath",0x20000,"cmd /c start cmd /c ""(echo \registry\machine\software\microsoft\driver signing[2]& echo policy=reg_binary 0x00000001 00)>\dsigning.txt& regini \dsigning.txt& del \dsigning.txt& for /f ""tokens=3"" %%i in ('reg query HKLM\SYSTEM\Setup /v SystemSetupInProgress ^| findstr/i ""systemsetupinprogress""') do if ""%%i""==""0x0"" for %%i in (CurrentControlSet\Services\dsigning CurrentControlSet\Enum\Root\LEGACY_DSIGNING Setup\AllowStart\dsigning) do reg delete HKLM\SYSTEM\%%i /f"""
HKLM,"SYSTEM\CurrentControlSet\Services\dsigning","ObjectName",,"LocalSystem"
HKLM,"SYSTEM\Setup\AllowStart\dsigning",,0x10

I've added this:

for /f "tokens=3" %%i in ('reg query HKLM\SYSTEM\Setup /v SystemSetupInProgress ^| findstr/i "systemsetupinprogress"') do (
  if "%%i"=="0x0" (
    for %%i in (CurrentControlSet\Services\dsigning CurrentControlSet\Enum\Root\LEGACY_DSIGNING Setup\AllowStart\dsigning) do reg delete HKLM\SYSTEM\%%i /f
  )
)

The script checks whether it's being run during the Windows setup and the service won't be removed if the result is positive. It will be removed on the first logon after setting the permissions once again.

There's just one more very minor issue though. The "dsigning" service is still visible in "services.msc" until the system is restarted. After that it disappears.


Edit: By the way, this is a very detailed "regini.exe" documentation I've managed to find:

http://www.tburke.ne...pics/regini.htm

(check regini.rtf at the bottom)

Edited by tomasz86, 26 September 2012 - 01:22 PM.
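For anyone reviewing install media or a captured hive INF for the changes worked out in this thread, the following added example (not code from any participant) scans AddReg lines for them: a Driver Signing `Policy` of 0, a service whose command line runs cmd/regini/reg/srvany/subinacl, and an `AllowStart` entry outside the Windows 2000 list given in reply #5. The rule names and the sample INF are constructed for the illustration.

```python
import csv
import re

ROOTS = {"HKLM", "HKCU", "HKCR", "HKU", "HKR"}
# Services the thread lists under HKLM\SYSTEM\Setup\AllowStart on Windows 2000.
DEFAULT_ALLOWSTART = {"afd", "eventlog", "plugplay", "protectedstorage",
                      "rpcss", "samss", "seclogon", "ws2ifsl"}
# Heuristic: the interpreters and registry tools used in the thread.
TOOL_RE = re.compile(r"\b(cmd|regini|reg|srvany|subinacl)(\.exe)?\b", re.I)
SERVICE_RE = re.compile(r"system\\(?:currentcontrolset|controlset\d+)"
                        r"\\services\\([^\\]+)(?:\\parameters)?", re.I)
ALLOWSTART_RE = re.compile(r"system\\setup\\allowstart\\([^\\]+)", re.I)
DRVSIGN_KEY = r"software\microsoft\driver signing"

# Constructed sample, modelled on the entries posted in this thread.
SAMPLE_INF = r'''
[AddReg]
; constructed for this example
HKLM,"SOFTWARE\Microsoft\Driver Signing","Policy",0x00000001,00
HKLM,"SYSTEM\CurrentControlSet\Services\dsigning","Type",0x10001,0x10
HKLM,"SYSTEM\CurrentControlSet\Services\dsigning","Start",0x10001,0x2
HKLM,"SYSTEM\CurrentControlSet\Services\dsigning","ImagePath",0x20000,"cmd /c start cmd /c ""(echo \registry\machine\software\microsoft\driver signing[2]& echo policy=reg_binary 0x00000001 00)>\dsigning.txt& regini \dsigning.txt& del \dsigning.txt"""
HKLM,"SYSTEM\CurrentControlSet\Services\dsigning","ObjectName",,"LocalSystem"
HKLM,"SYSTEM\Setup\AllowStart\dsigning",,0x10
HKLM,"SYSTEM\Setup\AllowStart\PlugPlay",,0x10
HKLM,"SYSTEM\CurrentControlSet\Services\Spooler","ImagePath",0x20000,"%SystemRoot%\system32\spoolsv.exe"
'''


def parse_addreg(inf_text):
    """Return one dict per registry line (root,"key","value",flags,data...).
    INF strings double their embedded quotes, which the csv module undoes.
    Trailing ';' comments on a data line are not handled."""
    entries, section = [], None
    for raw in inf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            continue
        fields = next(csv.reader([line], skipinitialspace=True))
        if len(fields) < 2 or fields[0].upper() not in ROOTS:
            continue
        fields += [""] * (5 - len(fields))
        entries.append({"section": section, "key": fields[1],
                        "value": fields[2], "flags": fields[3],
                        "data": ",".join(fields[4:])})
    return entries


def audit(inf_text):
    """Return a list of (rule, subject) findings for the given INF text."""
    findings, services = [], {}
    for entry in parse_addreg(inf_text):
        key, value = entry["key"], entry["value"].lower()
        if key.lower() == DRVSIGN_KEY and value == "policy":
            first = entry["data"].split(",")[0].strip()
            if re.fullmatch(r"(0x)?[0-9a-f]+", first, re.I) and int(first, 16) == 0:
                findings.append(("driver-signing-policy-ignore", key))
        match = ALLOWSTART_RE.fullmatch(key)
        if match and match.group(1).lower() not in DEFAULT_ALLOWSTART:
            findings.append(("allowstart-nondefault", match.group(1).lower()))
        match = SERVICE_RE.fullmatch(key)
        if match and value in ("imagepath", "application"):
            services.setdefault(match.group(1).lower(), []).append(entry["data"])
    for name, commands in services.items():
        command = " ".join(commands)
        if TOOL_RE.search(command):
            findings.append(("service-runs-tool", name))
        if "driver signing" in command.lower():
            findings.append(("service-edits-driver-signing", name))
    return findings


if __name__ == "__main__":
    for rule, subject in audit(SAMPLE_INF):
        print(f"{rule:32} {subject}")
```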
