tomasz86

How to permanently disable Driver Signing during Windows setup

26 posts in this topic

Well, if possible I'd still prefer to use M$ tools in this case. Anyone can download Windows Server 2003 Resource Kit Tools and extract SRVANY.EXE from there.

By the way, REGINI.EXE itself is quite interesting. This works:

  1. regini.txt
    \registry\machine\software\microsoft\driver signing[2]
    Policy=REG_BINARY 0x00000001 00


    No quotes are required, some spaces can be omitted and it still works properly. The above configuration sets the Policy value to 00 and sets permissions for "Administrators" to read only.

  2. regini regini.txt

At the moment I'm testing something like this as service:

cmd.exe /c "CD/D %SystemRoot%\system32& (ECHO \registry\machine\software\microsoft\driver signing[2]& ECHO Policy=REG_BINARY 0x00000001 00)>dsigning.txt& REGINI.EXE dsigning.txt& NET.EXE STOP dsigning& REG.EXE DELETE HKLM\SYSTEM\CurrentControlSet\Services\dsigning /F& DEL dsigning.txt"

so that the TXT file will be created on the fly and later the service will be automatically stopped and removed.

HIVESYS.INF settings:

[AddReg]
HKLM,"SYSTEM\CurrentControlSet\Services\dsigning","Type",0x00010001,10,00,00,00
HKLM,"SYSTEM\CurrentControlSet\Services\dsigning","Start",0x00010001,02,00,00,00
HKLM,"SYSTEM\CurrentControlSet\Services\dsigning","ErrorControl",0x00010001,01,00,00,00
HKLM,"SYSTEM\CurrentControlSet\Services\dsigning","ImagePath",0x00020000,"%SystemRoot%\system32\srvany.exe"
HKLM,"SYSTEM\CurrentControlSet\Services\dsigning","DisplayName",0x00000000,"dsigning"
HKLM,"SYSTEM\CurrentControlSet\Services\dsigning","ObjectName",0x00000000,"LocalSystem"
HKLM,"SYSTEM\CurrentControlSet\Services\dsigning\Parameters","Application",0x000000000,"cmd.exe /c "CD/D %SystemRoot%\system32& (ECHO \registry\machine\software\microsoft\driver signing[2]& ECHO Policy=REG_BINARY 0x00000001 00)>dsigning.txt& REGINI.EXE dsigning.txt& NET.EXE STOP dsigning& REG.EXE DELETE HKLM\SYSTEM\CurrentControlSet\Services\dsigning /F& DEL dsigning.txt""
HKLM,"SYSTEM\Setup\AllowStart\dsigning",,0x00000010

0

Share this post


Link to post
Share on other sites

Well, if possible I'd still prefer to use M$ tools in this case. Anyone can download Windows Server 2003 Resource Kit Tools and extract SRVANY.EXE from there.

Until the good MS guys decide to remove it..... :whistle::ph34r:

If possible it is always better (iMHO) to use freely redistributable tools.

jaclaz

0

Share this post


Link to post
Share on other sites
Until the good MS guys decide to remove it..... :whistle::ph34r:

If possible it is always better (iMHO) to use freely redistributable tools.

In this particular case I'm going to use this method in the future USP5.2 and even though it's an unofficial SP I still think that sticking to M$ tools is preferable. Of course everyone can use different applications to run the script as service if you wish ;) I'm not going to provide any files in this topic as it's just informative. If someone's interested then he can do everything himself basing on the instructions.

After testing I can confirm that this script can be launched as a service:

cmd.exe /c ""(ECHO \registry\machine\software\microsoft\driver signing[2]& ECHO Policy=REG_BINARY 0x00000001 00)>%SystemRoot%\system32\dsigning.txt& REGINI.EXE %SystemRoot%\system32\dsigning.txt& DEL %SystemRoot%\system32\dsigning.txt""

It's not possible to stop & remove the service from the same commandline when it's launched as the same service so I'm going to stop & remove it using RunOnce or maybe svcpack.inf.

0

Share this post


Link to post
Share on other sites
I've done some testing with XP but I couldn't manage to make the AddReg Security settings through TXTSETUP.SIF work.

Yes, I've no success too after testing. Setup seems not to set AddReg security at textmode.

]REGINI.EXE does work and it's possible to adjust the permission settings
That's nice.

At XP: Running CMD.EXE as Local System http://blogs.msdn.com/b/adioltean/archive/2004/11/27/271063.aspx

Running cmd as system and driver signing set:

[SourceDisksFiles]
regini.exe = 1,,,,,,,2,0,0

[DriverSigning.AddReg]
HKLM,"SYSTEM\Setup\AllowStart\SystemCmd",,0x10
HKLM,"SYSTEM\CurrentControlSet\Services\SystemCmd","Type",0x10001,0x110
HKLM,"SYSTEM\CurrentControlSet\Services\SystemCmd","Start",0x10001,0x2
HKLM,"SYSTEM\CurrentControlSet\Services\SystemCmd","ErrorControl",0x10001,0x1
;HKLM,"SYSTEM\CurrentControlSet\Services\SystemCmd","ImagePath",0x20000,"cmd.exe /k start cmd.exe"
;debug: &pause
HKLM,"SYSTEM\CurrentControlSet\Services\SystemCmd","ImagePath",0x20000,"cmd.exe /c start cmd.exe /c ""(ECHO \registry\machine\software\microsoft\driver signing[2]& ECHO Policy=REG_BINARY 0x00000001 00)>\dsigning.txt& REGINI.EXE \dsigning.txt& pause& DEL \dsigning.txt"""
HKLM,"SYSTEM\CurrentControlSet\Services\SystemCmd","ObjectName",0x0,"LocalSystem"

HKLM,"SYSTEM\CurrentControlSet\Services\SystemCmd\Enum","0",0x0,"Root\LEGACY_SYSTEMCMD\0000"
HKLM,"SYSTEM\CurrentControlSet\Services\SystemCmd\Enum","Count",0x10001,0x1
HKLM,"SYSTEM\CurrentControlSet\Services\SystemCmd\Enum","NextInstance",0x10001,0x1

HKLM,"SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SYSTEMCMD","NextInstance",0x10001,0x1
HKLM,"SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SYSTEMCMD\0000","Service",0x0,"SystemCmd"
HKLM,"SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SYSTEMCMD\0000","Legacy",0x10001,0x1
HKLM,"SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SYSTEMCMD\0000","ConfigFlags",0x10001,0x0
HKLM,"SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SYSTEMCMD\0000","Class",0x0,"LegacyDriver"
HKLM,"SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SYSTEMCMD\0000","ClassGUID",0x0,"{8ECC055D-047F-11D1-A537-0000F8753ED1}"
HKLM,"SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SYSTEMCMD\0000","DeviceDesc",0x0,"SystemCmd"
HKLM,"SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SYSTEMCMD\0000\Control","*NewlyCreated*",0x10001,0x1

A cleaning "sc.exe delete SystemCmd" would be nice in addition.

Driver Signing is set to 0. And disabled at GUI mode setup.

No question at PNP unsigned *.inf files.

However driver Signing is required at full installed XP, despide Driver Signing state 0x0 still.

0

Share this post


Link to post
Share on other sites

This is very interesting. It shall be possible to avoid using SRVANY.EXE at all :)

I'd like not to rely on SC.EXE because it's not available in 2K. That's why I'm trying to remove the service from the registry using REG.EXE which is available by default in XP/2003 and also in 2K's SUPPORT.CAB.

This may be necessary to suppress driver signing in the running system:

hivedef.inf

[AddReg]
HKCU,"SOFTWARE\Policies\Microsoft\Windows NT\Driver Signing","BehaviorOnFailedVerify",0x00010001,0

Edit: Actually NET STOP works too:

cmd.exe /c ""(ECHO \registry\machine\software\microsoft\driver signing[2]& ECHO Policy=REG_BINARY 0x00000001 00)>\dsigning.txt& REGINI.EXE \dsigning.txt& DEL \dsigning.txt& NET STOP dsigning""

so it is possible to stop the service but not possible to remove it at once.

Edit 2: But it seems that there's no need to use NET STOP in case of a cmd.exe service because it's always terminated automatically.

Edited by tomasz86
0

Share this post


Link to post
Share on other sites
It shall be possible to avoid using SRVANY.EXE at all :)

Yes, that's the idea.

Does system cmd works at Windows 2000 too?

That's why I'm trying to remove the service from the registry using REG.EXE which is available by default in XP/2003 and also in 2K's SUPPORT.CAB.

HKLM,"SYSTEM\CurrentControlSet\Services\SystemCmd","ImagePath",0x20000,"cmd.exe /c start cmd.exe /c ""(ECHO \registry\machine\software\microsoft\driver signing[2]& ECHO Policy=REG_BINARY 0x00000001 00)>\dsigning.txt& REGINI.EXE \dsigning.txt& DEL \dsigning.txt& reg.exe delete HKLM\System\CurrentControlSet\Services\SystemCMD /f"""

The service is deleted itself.

However there are Enum traces still. I feel free to ignore Enum parts.

This may be necessary to suppress driver signing in the running system:

No luck with BehaviorOnFailedVerify.

Can be XP SP3. If I remember correctly, there had been some changes.

In addition:

Some driver signing hints from 2005: http://blogmal.42.org/rev-eng/driversign.story

Works at gui mode setup. And dosn't work at installed XP SP3 anymore.

It's the same patters, I've no explanation.

0

Share this post


Link to post
Share on other sites

Thank you very much for help. Actually this is everything what's required:

hivesft.inf

[AddReg]
HKLM,"SYSTEM\CurrentControlSet\Services\dsigning","Type",0x10001,0x10
HKLM,"SYSTEM\CurrentControlSet\Services\dsigning","Start",0x10001,0x2
HKLM,"SYSTEM\CurrentControlSet\Services\dsigning","ErrorControl",0x10001,0x1
HKLM,"SYSTEM\CurrentControlSet\Services\dsigning","ImagePath",0x20000,"cmd /c start cmd /c ""(echo \registry\machine\software\microsoft\driver signing[2]& echo policy=reg_binary 0x00000001 00)>\dsigning.txt& regini \dsigning.txt& del \dsigning.txt& for %%i in (HKLM\SYSTEM\CurrentControlSet\Services\dsigning HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_DSIGNING HKLM\SYSTEM\Setup\AllowStart\dsigning) do reg delete %%i /f"""
HKLM,"SYSTEM\CurrentControlSet\Services\dsigning","ObjectName",,"LocalSystem"
HKLM,"SYSTEM\Setup\AllowStart\dsigning",,0x10

The other entries (Enum, etc.) are unnecessary. I've just tested it in 2K & XP.

I'll try to check what the problem with driver signing in a running system is about.

Edit: Fixed the script. The Enum entries are automatically created when the service is started so even though it's unnecessary to create them manually, they still have to be deleted later. The HKLM\SYSTEM\Setup\AllowStart\dsigning key also can be removed.

Edited by tomasz86
0

Share this post


Link to post
Share on other sites

In addition:

Some driver signing hints from 2005: http://blogmal.42.org/rev-eng/driversign.story

Works at gui mode setup. And dosn't work at installed XP SP3 anymore.

It's the same patters, I've no explanation.

Which brings us "back" to:

http://reboot.pro/3095/

but it can't be made in scripting (withour the third party program posted on reboot.pro) without a MD5 hash calculator (a third party in itself) :unsure:

jaclaz

0

Share this post


Link to post
Share on other sites

I've found the culprit.

The permissions are reset as soon as the drivers installation begin. Even though the service sets them to read only they're still somehow reset later. This doesn't happen when you deny access to them manually.

I'm talking about this moment:

KhkVI.jpg

What's important is that the Policy settings are still "00"! The problem is that they are changed again to 01 again later because the read only permissions are no longer valid.

I did a test and didn't remove the "dsigning" service so it ran twice - in the beginning of the GUI setup and during the first system start up too. It set the permissions again and I was able to install an unsigned driver without warnings. Now there's an issue with the service because it always stops with an error and, while it was invisible during the GUI setup, the error window pops up during the first system booting :}

0

Share this post


Link to post
Share on other sites

Changing "ErrorControl" to "0" fixed the problem. This is the current version:

[AddReg]
HKLM,"SYSTEM\CurrentControlSet\Services\dsigning","Type",0x10001,0x10
HKLM,"SYSTEM\CurrentControlSet\Services\dsigning","Start",0x10001,0x2
HKLM,"SYSTEM\CurrentControlSet\Services\dsigning","ErrorControl",0x10001,0x0
HKLM,"SYSTEM\CurrentControlSet\Services\dsigning","ImagePath",0x20000,"cmd /c start cmd /c ""(echo \registry\machine\software\microsoft\driver signing[2]& echo policy=reg_binary 0x00000001 00)>\dsigning.txt& regini \dsigning.txt& del \dsigning.txt& for /f ""tokens=3"" %%i in ('reg query HKLM\SYSTEM\Setup /v SystemSetupInProgress ^| findstr/i ""systemsetupinprogress""') do if ""%%i""==""0x0"" for %%i in (CurrentControlSet\Services\dsigning CurrentControlSet\Enum\Root\LEGACY_DSIGNING Setup\AllowStart\dsigning) do reg delete HKLM\SYSTEM\%%i /f"""
HKLM,"SYSTEM\CurrentControlSet\Services\dsigning","ObjectName",,"LocalSystem"
HKLM,"SYSTEM\Setup\AllowStart\dsigning",,0x10

I've added this:

for /f "tokens=3" %%i in ('reg query HKLM\SYSTEM\Setup /v SystemSetupInProgress ^| findstr/i "systemsetupinprogress"') do (
if "%%i"=="0x0" (
for %%i in (CurrentControlSet\Services\dsigning CurrentControlSet\Enum\Root\LEGACY_DSIGNING Setup\AllowStart\dsigning) do reg delete HKLM\SYSTEM\%%i /f
)
)

The script checks whether it's being run during the Windows setup and the service won't be removed if the result is positive. It will be removed on the first logon after setting the permissions once again.

There's just one more very minor issue though. The "dsigning" service is still visible in "services.msc" until the system is restarted. After that it disappears.

Edit: By the way, this is a very detailed "regini.exe" documentation I've managed to find:

http://www.tburke.net/info/reskittools/topics/regini.htm

(check regini.rtf at the bottom)

Edited by tomasz86
0

Share this post


Link to post
Share on other sites

This should be added to TXTSETUP.SIF:

[FileFlags]
regini.exe=16

It won't change anything if the setup is run from a CD but it makes a huge difference when installing it from HDD.

Adding to TXTSETUP.SIF:

[SourceDisksFiles]
regini.exe = 1,,,,,,,2,0,0

will make regini.exe copied to %systemroot%\system32. In case of an HDD based installation the file is actually removed from the source at this point. The problem is that some system INF files will actually look for it in the source in the later part of GUI setup. Adding the line under [FileFlags] will prevent the file from being removed from source.

I'm going to update the first post in the next few days in order to summarise everything. I'm still unsure about the Driver Signing settings and driver installation in a running system. Sometimes it doesn't show any warning and sometimes it still does, and I don't know the reason yet.

Edited by tomasz86
0

Share this post


Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!


Register a new account

Sign in

Already have an account? Sign in here.


Sign In Now

  • Recently Browsing   0 members

    No registered users viewing this page.