tomasz86

How to permanently disable Driver Signing during Windows setup

26 posts in this topic

I've found a very simple way to completely disable Driver Signing during Windows setup without using hacked DLLs or any other 3rd party tools. It still has to be polished and made more automated as at the moment you need to have another working Windows to apply the required settings.

This guide is written for Windows 2000 but you should be able to do the same in XP/2003:

  1. Open I386\hivesft.inf, scroll it to the bottom and add:
    [AddReg]
    HKLM,"SOFTWARE\Microsoft\Driver Signing","Policy",0x00000001,00


  2. Prepare your boot media (CD, HDD, USB flash disk, etc.) and start the installation.
  3. After the first part of partitioning and file copying has finished don't continue with the GUI part but rather boot to another working Windows installation or move the media to another computer.
  4. Go to X:\WINNT\system32\config (X being the letter of the partition / drive where you've just started the installation), open a commandline window and type:
    reg load hku\custom software


    The M$ tool REG.EXE is required to do this step. It's available by default in XP/2003 and it's located in SUPPORT.CAB on the Windows 2000 CD (it's also possible to use the XP version in 2K but not the one from 2003).

  5. Open REGEDT32.EXE, go to HKU\custom\Microsoft, select "Driver Signing", open Security -> Permissions and deny Full Control for both Administrators and SYSTEM (not sure yet whether both of them are absolutely necessary; maybe only one of them would be enough).
  6. Once again go to X:\WINNT\system32\config and type in commandline:
    reg unload hku\custom


  7. Reboot / move the media back and continue with the Windows installation. You won't see any prompts concerning unsigned drivers any more :) If you check the setuperr.log you will see something like this:
    Warning:
    Setup was unable to configure the policy for verification of drivers during system installation. The error code is 5.
    ***
    but you can safely ignore it.

At the moment I'm working on setting the permissions automatically so that everything would be done inside Windows setup without the need to boot to another Windows in order to configure them.

Edited by tomasz86

I am not sure I understand.

Why can't one use the UNattended setting:

http://technet.microsoft.com/en-us/library/cc977156.aspx

and later fix the permission issue? :unsure:

In case you need to do it "before install", the usual approach to reset/set permissions is changing setupreg.hiv, similar to this:

http://www.911cd.net/forums//index.php?showtopic=15138&st=29

jaclaz


I need to use a universal method because I'm going to add new drivers to driver.cab in USP5.2 and in order to do so it's necessary to modify their INF files. Doing so will break the signatures. Therefore using [unattended] is out of the question here :whistle: and I'd like to avoid disabling SFC if possible.

Isn't SETUPREG.HIV only for HKLM\SYSTEM entries? I need to change the ones under HKLM\SOFTWARE. I've already tried to use the NT4.0 approach and prepare a pre-compiled "%SystemRoot%\system32\config\software" file (NT4.0 doesn't use hive*.inf files) with the permissions defined, but unfortunately all registry files are automatically reset at the end of the text setup, just before the hive files are applied.

I know how to set the permissions from the command line using SubInACL (even though it's an MSI file you can just unpack it using 7-Zip and use subinacls.exe):

subinacls.exe /subkeyreg "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Driver Signing" /deny=Administrator
subinacls.exe /subkeyreg "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Driver Signing" /deny=SYSTEM

Now the problem is how to run these two commands either at the very end of the text setup or in the very beginning of the GUI setup. It has to be done before the GUI setup replaces the modified Driver Signing Policy value with its default one.

Edited by tomasz86

Isn't SETUPREG.HIV only for HKLM\SYSTEM entries? I need to change the ones under HKLM\SOFTWARE.

Yes, my bad, overlooked that. :(

Usual semi-random idea :w00t:

Mixing *somehow* runonce-ex:

http://gosh.msfn.org/using_runonceex.htm

with setup security.inf?

http://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/sag_scedefaultpols.mspx?mfr=true

jaclaz


I've already tried:

RunOnce
RunOnce\setup
RunOnceEx

but the problem is that all of them are executed too late (at the famous T-13 stage) so they can't be used in this particular case. I don't know too much about security.inf but it's stated that those settings are for NTFS only (FAT's not supported).

I've found one interesting thing and I'm looking at it at the moment. Several services are started during the GUI setup and I'm going to try adding a batch script with the lines mentioned above (#3) as a service. I'm talking about the list under HKLM\SYSTEM\Setup\AllowStart, which looks like this in Win2k:

AFD
EventLog
PlugPlay
ProtectedStorage
Rpcss
SamSs
Seclogon
WS2IFSL

Edit: http://support.microsoft.com/kb/q243486 & http://support.microsoft.com/kb/137890

Edited by tomasz86

Now the problem is how to run these two commands either at the very end of the text setup or in the very beginning of the GUI setup.

The classic approach uses a third party fake setup.exe

WatchDriverSigningPolicy.exe has to run at PNP part always.

Post #837

describes an example of how to fix the driver signing state.

Run dsigning.exe first and continue.

In contrast, XP's bth.inf lists a registry security example [bthPort.NT.Setup.AddReg.Security]

Can security settings be added to hivesft.inf?

INF AddReg Directive

An add-registry-section can have any number of entries, each on a separate line. An INF can also contain one or more optional add-registry-section.security sections, each specifying a security descriptor that is applied to all registry values described within a named add-registry-section.

I want to do this without using any 3rd party tools ;) and I've almost managed to do it by running subinacls.exe as a service... but this AddReg security thing looks very promising. I knew that secedit.exe can be used to modify permissions but didn't know that you can do it directly from INF. I wonder whether it's supported in Win2k too. I'll give it a try and report the results.


This is getting way more difficult than I initially thought it would be...

  1. In contrast, XP's bth.inf lists a registry security example [bthPort.NT.Setup.AddReg.Security]
    Can security settings be added to hivesft.inf?
    I've tried adding this to TXTSETUP.SIF:
    [HiveInfs.Fresh]
    AddReg = hivesft.inf,AddReg.DrvSign


    and this to HIVESFT.INF:

    [AddReg.DrvSign]
    HKLM,"SOFTWARE\Microsoft\Driver Signing",,0x00000010
    HKLM,"SOFTWARE\Microsoft\Driver Signing","Policy",0x00000001,00

    [AddReg.DrvSign.Security]
    "D:P(A;CI;GA;;;BA)(A;CI;GA;;;SY)"


    Frankly speaking, I'm completely confused about the security settings here. The above example is taken from http://msdn.microsoft.com/en-gb/library/aa377450.aspx and is supposed to do this:

    the meaning of the string is that administrators have full control, system has full control, and access is inheritable to all subkeys
    I just took it as an example. By default there are no permissions defined for the registry key (empty boxes next to Administrators and SYSTEM). Unfortunately there is no effect of such settings. I don't know if it's me doing it wrongly or maybe these settings can't be applied from TXTSETUP.SIF. I'd be very thankful for more information about this from someone more knowledgeable than myself.
  2. I've been trying to run "subinacl.exe" as a service but it doesn't work either. I've tried to run it directly by using SHIFT+F10 to open a CMD window at the beginning of the GUI setup but typing "subinacl.exe" doesn't produce any output. Maybe it's too early to support this kind of tool or there are some unfixed dependencies (the system used for testing is a clean Win2k SP4 with no other updates integrated).
    This is how I added the service using HIVESYS.INF:
    [AddReg]

    HKLM,"SYSTEM\CurrentControlSet\Services\subinacl","Type",0x00010001,10,00,00,00
    HKLM,"SYSTEM\CurrentControlSet\Services\subinacl","Start",0x00010001,02,00,00,00
    HKLM,"SYSTEM\CurrentControlSet\Services\subinacl","ErrorControl",0x00010001,01,00,00,00
    HKLM,"SYSTEM\CurrentControlSet\Services\subinacl","ImagePath",0x00020000,"%SystemRoot%\system32\srvany.exe"
    HKLM,"SYSTEM\CurrentControlSet\Services\subinacl","DisplayName",0x00000000,"subinacl"
    HKLM,"SYSTEM\CurrentControlSet\Services\subinacl","ObjectName",0x00000000,"LocalSystem"
    HKLM,"SYSTEM\CurrentControlSet\Services\subinacl\Parameters","Application",0x000000000,"subinacl.exe /keyreg ""HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Driver Signing"" /deny=Administrators"

    HKLM,"SYSTEM\Setup\AllowStart\subinacl",,0x00000010


    This does work in a running system.

At the moment I still need to do more tests related to the service because I don't know whether it runs but fails or rather doesn't run at all. This is a "standard" list of services which are started at the beginning of the GUI setup:

[image T4Crn.png: screenshot of the list of services]

I've also found out that (most of?) system files are not registered yet at this stage so it's necessary to always use full paths, ex. "%systemroot%\regedit" instead of just "regedit".

Edited by tomasz86
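
To check INF AddReg lines like the ones above without booting a test system, here is an added Python example (not code from this thread, nor from Microsoft) that splits each line into root, subkey, value name, flags and data, names the value type encoded in the flags field (0x00000001 = REG_BINARY, 0x00010001 = REG_DWORD, 0x00020000 = REG_EXPAND_SZ, 0x00000010 = key only), decodes the little-endian DWORD bytes of the service's Type and Start values into their SERVICE_* names, and reports a flags field wider than 32 bits, which is what the Application line in the HIVESYS.INF fragment above has (0x000000000, nine digits). The sample lines are copied from the posts; the thread does not establish whether setupapi rejects the nine-digit field, so the check only reports it for review.

```python
# Added example (not code from this thread): decode INF [AddReg] lines into root, subkey,
# value name, flags and data. Flag meanings follow the documented FLG_ADDREG_* values.
from typing import List, NamedTuple, Optional, Union

TYPE_MASK = 0xFFFF0001  # bits of the flags field that select the value type
REG_TYPES = {0x00000000: "REG_SZ", 0x00000001: "REG_BINARY", 0x00010000: "REG_MULTI_SZ",
             0x00010001: "REG_DWORD", 0x00020000: "REG_EXPAND_SZ", 0x00020001: "REG_NONE"}
BEHAVIOUR_FLAGS = {0x02: "FLG_ADDREG_NOCLOBBER", 0x04: "FLG_ADDREG_DELVAL", 0x08: "FLG_ADDREG_APPEND",
                   0x10: "FLG_ADDREG_KEYONLY", 0x20: "FLG_ADDREG_OVERWRITEONLY"}
SERVICE_START = {0: "SERVICE_BOOT_START", 1: "SERVICE_SYSTEM_START", 2: "SERVICE_AUTO_START",
                 3: "SERVICE_DEMAND_START", 4: "SERVICE_DISABLED"}
SERVICE_TYPE = {0x01: "SERVICE_KERNEL_DRIVER", 0x02: "SERVICE_FILE_SYSTEM_DRIVER",
                0x10: "SERVICE_WIN32_OWN_PROCESS", 0x20: "SERVICE_WIN32_SHARE_PROCESS"}

# Constructed sample: the AddReg lines quoted in the posts above.
SAMPLE_LINES = [
    r'HKLM,"SOFTWARE\Microsoft\Driver Signing",,0x00000010',
    r'HKLM,"SOFTWARE\Microsoft\Driver Signing","Policy",0x00000001,00',
    r'HKLM,"SYSTEM\CurrentControlSet\Services\subinacl","Type",0x00010001,10,00,00,00',
    r'HKLM,"SYSTEM\CurrentControlSet\Services\subinacl","Start",0x00010001,02,00,00,00',
    r'HKLM,"SYSTEM\CurrentControlSet\Services\subinacl","ImagePath",0x00020000,"%SystemRoot%\system32\srvany.exe"',
    r'HKLM,"SYSTEM\CurrentControlSet\Services\subinacl\Parameters","Application",0x000000000,'
    r'"subinacl.exe /keyreg ""HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Driver Signing"" /deny=Administrators"',
]


class AddRegEntry(NamedTuple):
    root: str
    subkey: str
    value_name: str                 # "" = the default value, or no value when key-only
    flags: int
    reg_type: str
    behaviour: List[str]
    data: Union[str, int, bytes, List[str], None]
    warnings: List[str]


def split_inf_fields(line: str) -> List[str]:
    """Split on commas outside quotes; inside "..." a doubled quote is a literal quote."""
    fields, cur, in_str, i = [], "", False, 0
    while i < len(line):
        c = line[i]
        if in_str and c == '"' and line[i + 1:i + 2] == '"':
            cur, i = cur + '"', i + 1
        elif c == '"':
            in_str = not in_str
        elif c == "," and not in_str:
            fields, cur = fields + [cur.strip()], ""
        else:
            cur += c
        i += 1
    return fields + [cur.strip()]


def parse_flags(text: str, warnings: List[str]) -> int:
    """Empty flags mean 0 (REG_SZ); a hex field wider than 32 bits is reported, not rejected."""
    if not text:
        return 0
    if text.lower().startswith("0x"):
        if len(text) > 10:
            warnings.append(f"flags field {text} has more than 8 hex digits; check for a typo")
        return int(text[2:], 16)
    return int(text)


def parse_addreg_line(line: str) -> AddRegEntry:
    fields = split_inf_fields(line.strip()) + [""] * 4
    root, subkey, value_name, flags_text = fields[:4]
    data_fields = [f for f in fields[4:] if f]
    warnings: List[str] = []
    flags = parse_flags(flags_text, warnings)
    behaviour = [name for bit, name in BEHAVIOUR_FLAGS.items() if flags & bit]
    reg_type = REG_TYPES.get(flags & TYPE_MASK, f"unknown type 0x{flags & TYPE_MASK:08x}")
    if "FLG_ADDREG_KEYONLY" in behaviour:
        reg_type, data = "key only", None
    elif reg_type == "REG_DWORD":  # the posts write DWORDs as four little-endian bytes
        if len(data_fields) != 4:
            warnings.append("REG_DWORD expected as four little-endian bytes")
        data = int.from_bytes(bytes(int(b, 16) for b in data_fields[:4]), "little")
    elif reg_type == "REG_BINARY":
        data = bytes(int(b, 16) for b in data_fields)
    elif reg_type == "REG_MULTI_SZ":
        data = data_fields
    else:
        data = data_fields[0] if data_fields else ""
    return AddRegEntry(root, subkey, value_name, flags, reg_type, behaviour, data, warnings)


def describe_service_value(entry: AddRegEntry) -> Optional[str]:
    """Name the Type/Start constant for a DWORD under a Services\\<name> key."""
    if "\\services\\" not in entry.subkey.lower() or not isinstance(entry.data, int):
        return None
    if entry.value_name.lower() == "start":
        return SERVICE_START.get(entry.data, f"unknown Start {entry.data}")
    if entry.value_name.lower() == "type":
        base = SERVICE_TYPE.get(entry.data & 0xFF, f"unknown Type 0x{entry.data:x}")
        return base + (" | SERVICE_INTERACTIVE_PROCESS" if entry.data & 0x100 else "")
    return None


if __name__ == "__main__":
    for entry in map(parse_addreg_line, SAMPLE_LINES):
        extra = describe_service_value(entry)
        print(f"{entry.reg_type:<13} {entry.value_name or '(default)':<12} {entry.data!r}"
              + (f"  -> {extra}" if extra else "")
              + "".join(f"\n  warning: {w}" for w in entry.warnings))
```

Run as a script it lists every value with its decoded type and data, shows the service's Type as SERVICE_WIN32_OWN_PROCESS and Start as SERVICE_AUTO_START (so cdob's suggestion below would be Start = 1 or 0 in the bytes field), and prints the warning for the nine-digit flags field.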

Try to set Start = 1 (system) or even 0 (boot), instead of 2 (automatic). It's a longshot, but may work.


The service does start. I've just checked it once again. The problem is that "subinacl.exe" doesn't want to work at this stage of the Windows setup :} I'm now going to try setting the permissions through an INF file launched from the command line run as a service.

I've finally managed to find this:

[image IC454033.gif]

http://msdn.microsoft.com/en-us/library/windows/hardware/gg487483.aspx

This is the REG file:

[version]
Signature="$Windows NT$"

[DefaultInstall]
AddReg=AddReg.DrvSign

[AddReg.DrvSign]
HKLM,"SOFTWARE\Microsoft\Driver Signing",,0x00000010
HKLM,"SOFTWARE\Microsoft\Driver Signing","Policy",0x00000001,00

[AddReg.DrvSign.Security]
"D:P(D;;GA;;;SY)"

Would running

rundll32 setupapi,InstallHinfSection DefaultInstall 132 drvsign.inf

be enough? I've just tried to run it but it hasn't affected the permissions...

Edited by tomasz86

By "3rd party" tools I meant the ones not coming from M$ ;) but of course I'll try them if there's no other way to get it done.

"Regini.exe" is kind of interesting. I've already seen it mentioned before but (like listed here) I thought that it was only able to add new permissions but not "deny" any access. Now I'm seeing this:

When you use Regini in this way, it actually replaces all permissions with those specified in the script, so to change "Everyone-Read" to "Everyone-Full Control," the new permission (number 7) must be applied, along with the other existing permissions

so it seems that setting "Administrators" to read-only may actually work. I need to try using it during the GUI setup. Regini.exe itself is kind of primitive when compared to subinacl.exe so there's probably a higher probability that it will work.

Now I'm really curious why the security settings added through INF don't work (see #10). For testing purposes I've even tried applying the already mentioned BTH.INF from XP (after removing all other unrelated entries) and still the permissions didn't change after doing it :unsure: I'm talking about a running system, not only the GUI setup.

Edited by tomasz86

I want to do this without using any 3rd party tools ;) and I've almost managed to do it by running subinacls.exe

Well, subinacls is not a default application. It's created by the OS manufacturer.

Does this count as a 1st, 2nd or 3rd party tool?

this AddReg security thing looks very promising.

Try at XP first:

txtsetup.sif

[SourceDisksFiles]
dSigning.inf = 1,,,,,,_x,,3,3

[HiveInfs.Fresh]
AddReg = dSigning.inf,DriverSigning.AddReg

[HiveInfs.Upgrade]
AddReg = dSigning.inf,DriverSigning.AddReg

dosnet.inf

[Files]
D1,dSigning.inf

dSigning.inf

[Version]
Signature="$CHICAGO$"

[DefaultInstall]
DelReg=DriverSigning.DelReg
AddReg=DriverSigning.AddReg

[DriverSigning.DelReg]
HKLM,"SOFTWARE\Microsoft\Driver Signing"
HKLM,"SOFTWARE\Microsoft\Driver Signing debug"

[DriverSigning.AddReg]
HKLM,"SOFTWARE\Microsoft\Driver Signing","Policy",0x1,00
HKLM,"SOFTWARE\Microsoft\Driver Signing debug","Policy",0x1,00

[DriverSigning.AddReg.Security]
"D:P(A;;GR;;;SY)(A;;GR;;;WD)"

Example inf file Un-grpconv.inf

http://technet.microsoft.com/en-gb/security/bulletin/ms04-037

Driver Signing policy is set to 00 at end of textmode.

And is available at full installed XP still.

No idea about 2000.

Added:

Driver Signing policy is set to 00. However driver has to be signed still.

Added2:

Driver Signing policy is in a strange state:

An edited usbstor.inf added

GUI mode PNP does install USB storage device without a message.

Full installed XP ask for drivers, if a new USB device attached.

Seems to be nice work around as for GUI mode PNP.

Correction:

I apologize: winnt.sif DriverSigningPolicy=Ignore was set in addition.

That's nonsense of course.

dSigning.inf is added at end of textmode, security settings are set.

However, system is still the owner.

System PNP part does reset the Driver Signing setting.

Driver Signing is required at PNP part.

Edited by cdob
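
The security strings in cdob's post and in the earlier TXTSETUP.SIF attempt (D:P(A;CI;GA;;;BA)(A;CI;GA;;;SY)) are what the whole permission trick hinges on, so here is an added Python example (not code from this thread) that decodes the D: part of an SDDL string into its ACEs and works out which access each trustee is left with. Assumptions made here: ACEs are evaluated in canonical order (deny before allow), generic rights are reduced to the key-specific access classes they map to, and the is_owner flag models the implicit READ_CONTROL and WRITE_DAC that an object's owner always has regardless of the DACL; that implicit right is why a read-only DACL does not bind SYSTEM while SYSTEM remains the owner, which is what cdob observed above.

```python
# Added example (not code from this thread): decode the D: (DACL) part of the SDDL strings used
# in INF AddReg.Security sections and work out what each trustee is left with.
import re
from typing import List, NamedTuple, Set, Tuple

ACE_TYPES = {"A": "ACCESS_ALLOWED", "D": "ACCESS_DENIED", "AU": "SYSTEM_AUDIT"}
CONTROL = {"P": "PROTECTED", "AI": "AUTO_INHERITED", "AR": "AUTO_INHERIT_REQ"}
TRUSTEES = {"BA": "Builtin Administrators", "SY": "Local System", "WD": "Everyone",
            "AU": "Authenticated Users", "BU": "Builtin Users", "PU": "Power Users",
            "CO": "Creator Owner", "IU": "Interactive Users"}
# Simplification: rights aliases reduced to the access classes that matter for a registry key,
# with generic rights shown as the key-specific rights they map to.
ALL = {"read", "write", "delete", "read_control", "write_dac", "write_owner"}
RIGHTS = {"GA": ALL, "KA": ALL, "GW": {"write", "read_control"}, "KW": {"write", "read_control"},
          "GR": {"read", "read_control"}, "KR": {"read", "read_control"},
          "GX": {"read", "read_control"}, "KX": {"read", "read_control"},
          "RC": {"read_control"}, "SD": {"delete"}, "WD": {"write_dac"}, "WO": {"write_owner"}}
# Constructed sample: the three security strings quoted in this thread.
SAMPLES = {"msdn example": "D:P(A;CI;GA;;;BA)(A;CI;GA;;;SY)",
           "deny SYSTEM": "D:P(D;;GA;;;SY)",
           "read-only": "D:P(A;;GR;;;SY)(A;;GR;;;WD)"}


class Ace(NamedTuple):
    ace_type: str
    flags: List[str]     # two-letter ACE flags such as CI (container inherit)
    rights: List[str]    # two-letter rights aliases, or a single 0x... mask
    trustee: str         # two-letter SID alias (or a literal S-1-... SID)


def _pairs(s: str) -> List[str]:
    return [s] if s.startswith("0x") else [s[i:i + 2] for i in range(0, len(s), 2)]


def parse_dacl(sddl: str) -> Tuple[List[str], List[Ace]]:
    """Return (DACL control flags, ACEs) from the D: section of an SDDL string."""
    m = re.search(r"D:([A-Z]*)((?:\([^)]*\))*)", sddl)
    if not m:
        raise ValueError("no DACL (D:) section in " + sddl)
    ctrl, control = m.group(1), []
    while ctrl:  # "P" is a single letter, the other control flags are two
        take = 1 if ctrl[0] == "P" else 2
        control.append(CONTROL.get(ctrl[:take], ctrl[:take]))
        ctrl = ctrl[take:]
    aces = []
    for body in re.findall(r"\(([^)]*)\)", m.group(2)):
        parts = body.split(";")
        if len(parts) != 6:
            raise ValueError(f"malformed ACE ({body}): expected 6 ';'-separated fields")
        ace_type, flags, rights, _obj_guid, _inherit_guid, sid = parts
        aces.append(Ace(ACE_TYPES.get(ace_type, ace_type), _pairs(flags), _pairs(rights), sid))
    return control, aces


def effective_rights(sddl: str, trustee: str, is_owner: bool = False) -> Set[str]:
    """Access classes the trustee ends up with, assuming canonical order (deny ACEs first).

    The owner of an object holds READ_CONTROL and WRITE_DAC implicitly, so no DACL can stop
    the owner from rewriting the DACL and then the value; is_owner adds those two rights.
    """
    allowed: Set[str] = set()
    denied: Set[str] = set()
    for ace in parse_dacl(sddl)[1]:
        if ace.trustee != trustee:
            continue
        bits = set().union(*[RIGHTS.get(r, set()) for r in ace.rights])
        if ace.ace_type == "ACCESS_DENIED":
            denied |= bits
        elif ace.ace_type == "ACCESS_ALLOWED":
            allowed |= bits
    result = allowed - denied
    return result | {"read_control", "write_dac"} if is_owner else result


def describe(sddl: str) -> List[str]:
    """Human-readable listing: control flags, then one line per ACE."""
    control, aces = parse_dacl(sddl)
    lines = ["DACL control: " + (", ".join(control) or "none")]
    for ace in aces:
        lines.append(f"  {ace.ace_type:<14} {TRUSTEES.get(ace.trustee, ace.trustee):<22} "
                     f"rights={'+'.join(ace.rights)} flags={','.join(ace.flags) or '-'}")
    return lines


if __name__ == "__main__":
    for name, sddl in SAMPLES.items():
        print(f"{name}: {sddl}", *describe(sddl), sep="\n")
        for who in ("BA", "SY", "WD"):
            print(f"  {TRUSTEES[who]}: {sorted(effective_rights(sddl, who)) or 'nothing'}")
        print(f"  Local System as owner: {sorted(effective_rights(sddl, 'SY', is_owner=True))}")
```

Running it shows that the MSDN string grants full control rather than removing it, that D:P(D;;GA;;;SY) leaves every trustee with nothing (a DACL with no allow ACE grants no access at all, not only to SYSTEM), and that the read-only string still leaves SYSTEM able to rewrite the DACL for as long as it owns the key.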

@cdob

It seems that setting DriverSigningPolicy=Ignore in WINNT.SIF changes the registry value to 00. That's why the signing policy had been first disabled during the GUI setup but available later after the system was started for the first time. I've found out that there are two checks for the policy during the GUI setup - one at the very beginning and another one near the end. This would explain how the policy is turned off (due to the WINNT.SIF settings) and then turned on after the setup has finished.

I've done some testing with XP but I couldn't manage to make the AddReg Security settings through TXTSETUP.SIF work. On the other hand, REGINI.EXE does work and it's possible to adjust the permission settings when it's run as a service. I set "Administrators" to read only and the system was unable to change it :) It remained switched off from the beginning till the end. Now I only need to prepare a script which would add all the necessary settings automatically - add/change lines in TXTSETUP.SIF, HIVESYS.INF and DOSNET.INF. Actually, the only required tool which is not available in Windows by default is SRVANY.EXE because REGINI.EXE is actually present in all Windows 2000/XP/2003. The only problem is that it's not copied to the Windows folder by default (it's just available on the CD) so it's necessary to change the line in TXTSETUP.SIF so that it will be copied to %SystemRoot%\system32.

In order to use REGINI.EXE it's necessary to create a text file (regini.txt here) with the following info:

"\registry\machine\software\microsoft\driver signing" [2]

and then run:

regini regini.txt

Later, after I've finished testing and preparing the scripts, I'll post a detailed guide about what's got to be done in detail.
