How to permanently disable Driver Signing during Windows setup

#21 cdob

Friend of MSFN

Group: Members
Posts: 876
Joined: 29-September 05

Posted 26 September 2012 - 06:08 AM

tomasz86, on 26 September 2012 - 05:03 AM, said:

It shall be possible to avoid using SRVANY.EXE at all

Yes, that's the idea.
Does system cmd works at Windows 2000 too?

Quote

That's why I'm trying to remove the service from the registry using REG.EXE which is available by default in XP/2003 and also in 2K's SUPPORT.CAB.

HKLM,"SYSTEM\CurrentControlSet\Services\SystemCmd","ImagePath",0x20000,"cmd.exe /c start cmd.exe /c ""(ECHO \registry\machine\software\microsoft\driver signing[2]& ECHO Policy=REG_BINARY 0x00000001 00)>\dsigning.txt& REGINI.EXE \dsigning.txt& DEL \dsigning.txt& reg.exe delete HKLM\System\CurrentControlSet\Services\SystemCMD /f"""

The service is deleted itself.
However there are Enum traces still. I feel free to ignore Enum parts.

Quote

This may be necessary to suppress driver signing in the running system:

No luck with BehaviorOnFailedVerify.
Can be XP SP3. If I remember correctly, there had been some changes.

In addition:
Some driver signing hints from 2005: http://blogmal.42.or...riversign.story
Works at gui mode setup. And dosn't work at installed XP SP3 anymore.
It's the same patters, I've no explanation.

#22 tomasz86

http://www.windows2000.tk

Group: Members
Posts: 2,220
Joined: 27-November 10
OS:Windows 2000 Professional
Country:

Posted 26 September 2012 - 06:42 AM

Thank you very much for help. Actually this is everything what's required:

hivesft.inf

[AddReg]
HKLM,"SYSTEM\CurrentControlSet\Services\dsigning","Type",0x10001,0x10
HKLM,"SYSTEM\CurrentControlSet\Services\dsigning","Start",0x10001,0x2
HKLM,"SYSTEM\CurrentControlSet\Services\dsigning","ErrorControl",0x10001,0x1
HKLM,"SYSTEM\CurrentControlSet\Services\dsigning","ImagePath",0x20000,"cmd /c start cmd /c ""(echo \registry\machine\software\microsoft\driver signing[2]& echo policy=reg_binary 0x00000001 00)>\dsigning.txt& regini \dsigning.txt& del \dsigning.txt& for %%i in (HKLM\SYSTEM\CurrentControlSet\Services\dsigning HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_DSIGNING HKLM\SYSTEM\Setup\AllowStart\dsigning) do reg delete %%i /f"""
HKLM,"SYSTEM\CurrentControlSet\Services\dsigning","ObjectName",,"LocalSystem"
HKLM,"SYSTEM\Setup\AllowStart\dsigning",,0x10

The other entries (Enum, etc.) are unnecessary. I've just tested it in 2K & XP.

I'll try to check what the problem with driver signing in a running system is about.

Edit: Fixed the script. The Enum entries are automatically created when the service is started so even though it's unnecessary to create them manually, they still have to be deleted later. The HKLM\SYSTEM\Setup\AllowStart\dsigning key also can be removed.

This post has been edited by tomasz86: 26 September 2012 - 07:27 AM

#23 jaclaz

The Finder

Group: Developers
Posts: 11,457
Joined: 23-July 04
OS:none specified
Country:

Posted 26 September 2012 - 07:11 AM

cdob, on 26 September 2012 - 06:08 AM, said:

In addition:
Some driver signing hints from 2005: http://blogmal.42.or...riversign.story
Works at gui mode setup. And dosn't work at installed XP SP3 anymore.
It's the same patters, I've no explanation.

Which brings us "back" to:
http://reboot.pro/3095/
but it can't be made in scripting (withour the third party program posted on reboot.pro) without a MD5 hash calculator (a third party in itself) :unsure:

jaclaz

#24 tomasz86

http://www.windows2000.tk

Group: Members
Posts: 2,220
Joined: 27-November 10
OS:Windows 2000 Professional
Country:

Posted 26 September 2012 - 10:01 AM

I've found the culprit.

The permissions are reset as soon as the drivers installation begin. Even though the service sets them to read only they're still somehow reset later. This doesn't happen when you deny access to them manually.

I'm talking about this moment:

Spoiler

What's important is that the Policy settings are still "00"! The problem is that they are changed again to 01 again later because the read only permissions are no longer valid.

I did a test and didn't remove the "dsigning" service so it ran twice - in the beginning of the GUI setup and during the first system start up too. It set the permissions again and I was able to install an unsigned driver without warnings. Now there's an issue with the service because it always stops with an error and, while it was invisible during the GUI setup, the error window pops up during the first system booting

#25 tomasz86

http://www.windows2000.tk

Group: Members
Posts: 2,220
Joined: 27-November 10
OS:Windows 2000 Professional
Country:

Posted 26 September 2012 - 01:11 PM

Changing "ErrorControl" to "0" fixed the problem. This is the current version:

[AddReg]
HKLM,"SYSTEM\CurrentControlSet\Services\dsigning","Type",0x10001,0x10
HKLM,"SYSTEM\CurrentControlSet\Services\dsigning","Start",0x10001,0x2
HKLM,"SYSTEM\CurrentControlSet\Services\dsigning","ErrorControl",0x10001,0x0
HKLM,"SYSTEM\CurrentControlSet\Services\dsigning","ImagePath",0x20000,"cmd /c start cmd /c ""(echo \registry\machine\software\microsoft\driver signing[2]& echo policy=reg_binary 0x00000001 00)>\dsigning.txt& regini \dsigning.txt& del \dsigning.txt& for /f ""tokens=3"" %%i in ('reg query HKLM\SYSTEM\Setup /v SystemSetupInProgress ^| findstr/i ""systemsetupinprogress""') do if ""%%i""==""0x0"" for %%i in (CurrentControlSet\Services\dsigning CurrentControlSet\Enum\Root\LEGACY_DSIGNING Setup\AllowStart\dsigning) do reg delete HKLM\SYSTEM\%%i /f"""
HKLM,"SYSTEM\CurrentControlSet\Services\dsigning","ObjectName",,"LocalSystem"
HKLM,"SYSTEM\Setup\AllowStart\dsigning",,0x10

I've added this:

for /f "tokens=3" %%i in ('reg query HKLM\SYSTEM\Setup /v SystemSetupInProgress ^| findstr/i "systemsetupinprogress"') do (
  if "%%i"=="0x0" (
    for %%i in (CurrentControlSet\Services\dsigning CurrentControlSet\Enum\Root\LEGACY_DSIGNING Setup\AllowStart\dsigning) do reg delete HKLM\SYSTEM\%%i /f
  )
)

The script checks whether it's being run during the Windows setup and the service won't be removed if the result is positive. It will be removed on the first logon after setting the permissions once again.

There's just one more very minor issue though. The "dsigning" service is still visible in "services.msc" until the system is restarted. After that it disappears.

Edit: By the way, this is a very detailed "regini.exe" documentation I've managed to find:

http://www.tburke.ne...pics/regini.htm

(check regini.rtf at the bottom)

This post has been edited by tomasz86: 26 September 2012 - 01:22 PM

#26 tomasz86

http://www.windows2000.tk

Group: Members
Posts: 2,220
Joined: 27-November 10
OS:Windows 2000 Professional
Country:

Posted 05 October 2012 - 01:44 PM

This should be added to TXTSETUP.SIF:

[FileFlags]
regini.exe=16

It won't change anything if the setup is run from a CD but it makes a huge difference when installing it from HDD.

Adding to TXTSETUP.SIF:

[SourceDisksFiles]
regini.exe   = 1,,,,,,,2,0,0

will make regini.exe copied to %systemroot%\system32. In case of an HDD based installation the file is actually removed from the source at this point. The problem is that some system INF files will actually look for it in the source in the later part of GUI setup. Adding the line under [FileFlags] will prevent the file from being removed from source.

I'm going to update the first post in the next few days in order to summarise everything. I'm still unsure about the Driver Signing settings and driver installation in a running system. Sometimes it doesn't show any warning and sometimes it still does, and I don't know the reason yet.

This post has been edited by tomasz86: 05 October 2012 - 01:46 PM

MSFN Forum: How to permanently disable Driver Signing during Windows setup - MSFN Forum