
Technical Log of Tux&Cía., Santa Cruz de la Sierra, BO
May the source be with you!

Wednesday, December 10, 2008

Vista Forced Driver Signature Signing

In 64-bit Windows Vista (x64 edition), Microsoft requires kernel-mode software such as device drivers, filter drivers and services to carry a Kernel Mode Code Signing (KMCS) signature before it can be loaded. This applies especially to driver binaries that load at boot time (“boot start drivers”), which must contain an embedded signature. If the requirement is not met, the user will encounter error messages such as the following:

  • This driver has been blocked from loading.
  • Can not connect to low level driver. Please reinstall The Driver under Local system administrator account or try to start driver manually using “Low Level Driver Installation” shortcut.
  • Can not load low level device driver. Please restart application.
  • Windows cannot verify the digital signature for this file. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.
  • Windows failed to start. A recent hardware or software change might be the cause.
  • Error code 0xc0000428.

[Image: Windows failed to start and cannot verify the digital signature]

Worse still, the original command for permanently disabling the driver signature integrity check from the Windows command prompt, “bcdedit -set loadoptions DDISABLE_INTEGRITY_CHECKS”, has been disabled in Windows Vista SP1 (on systems prior to SP1 it has also been removed via various hotfixes). It now returns the error message “an error occurred while attempting to reference the specified entry. The system cannot find the file specified” instead. Thus, most modified system files, such as a tcpip.sys patched to increase the concurrent half-open TCP/IP connection limit, cannot be applied and used.

One workaround for the requirement that code be signed with a digital signature or certificate that Microsoft trusts is to press F8 during the initial boot of the Windows Vista system and then select Disable Driver Signature Enforcement in the “Advanced Boot Options” menu. However, the selection is only good for that session, and the user has to do the same thing (pressing F8 to disable signed driver enforcement) again on every system reboot. If the user forgets to disable or turn off the forced driver signing ‘feature’, the system will probably crash, or simply be unusable.

To make it easier to turn off the mandatory requirement for digitally signed drivers in 32-bit and 64-bit Windows Vista (yes, 32-bit Windows Vista has such security enforcement too, although it is less strict than in the 64-bit version), Mr. Orange Sunshine has created ReadyDriver Plus, which allows the user to automate booting Windows Vista without driver signing enforcement. ReadyDriver Plus is based on the ReadyDriver boot image by Uhlik, which has to be booted from a CD, floppy drive or USB drive. ReadyDriver Plus improves on the original ReadyDriver by allowing installation on the local hard disk, eliminating the need to boot from another device.

ReadyDriver Plus installs itself as a boot.bin file and then modifies the Windows Vista Boot Configuration Data (BCD), which is read by Windows Boot Manager (the bootloader for Vista) to load ReadyDriver. When the Windows Vista boot loader reads the BCD, it loads ReadyDriver, which then makes the appropriate selection to disable driver signature enforcement, based on what the user chose at installation. So in a way, ReadyDriver Plus manages to permanently disable driver signing enforcement in Windows Vista, both 32-bit and 64-bit, by automatically selecting the “Disable Driver Signature Enforcement” option in the “Advanced Boot Options” menu on system startup.
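From a defender's point of view, both the `loadoptions` command quoted earlier and the extra boot entry described above leave traces in the BCD. The following is an added example, not part of the original post or of ReadyDriver Plus: it parses captured `bcdedit /enum all` output and flags those traces, and it goes slightly beyond the post by also checking the `nointegritychecks` and `testsigning` BCD elements. The sample output is constructed, English-locale output is assumed, and the "Real-mode Boot Sector" entry type for the added item is an assumption.

```python
import re
# Constructed sample of `bcdedit /enum all` output (English locale); all values are made up.
SAMPLE = r"""
Windows Boot Manager
--------------------
identifier              {bootmgr}

Windows Boot Loader
-------------------
identifier              {current}
path                    \Windows\system32\winload.exe
loadoptions             DDISABLE_INTEGRITY_CHECKS

Real-mode Boot Sector
---------------------
identifier              {00000000-0000-0000-0000-000000000001}
path                    \BOOT\boot.bin
description             Constructed extra boot entry
"""

def parse_bcd(text):
    """Return one dict per BCD entry: its type heading plus element -> value."""
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = block.splitlines()
        if len(lines) < 2 or set(lines[1].strip()) != {"-"}:
            continue  # not a "heading / dashed underline" entry block
        entry = {"type": lines[0].strip()}
        for line in lines[2:]:
            parts = line.split(None, 1)
            if len(parts) == 2:  # skips continuation lines of multi-value elements
                entry[parts[0].lower()] = parts[1].strip()
        entries.append(entry)
    return entries

def audit(entries):
    """Return (identifier, reason) pairs for settings that weaken driver signature checks."""
    findings = []
    for e in entries:
        ident = e.get("identifier", "?")
        if "DISABLE_INTEGRITY_CHECKS" in e.get("loadoptions", "").upper():
            findings.append((ident, "loadoptions requests disabled integrity checks"))
        for element in ("nointegritychecks", "testsigning"):
            if e.get(element, "").lower() == "yes":
                findings.append((ident, element + " is enabled"))
        if e["type"].lower() == "real-mode boot sector":  # assumed type of the extra entry
            findings.append((ident, "boot-sector entry runs " + e.get("path", "?")))
    return findings

if __name__ == "__main__":
    print(*audit(parse_bcd(SAMPLE)), sep="\n")
```

A boot-sector entry is not proof of tampering on its own, since legitimate multi-boot setups use them too; treat that finding as a prompt to inspect the referenced file.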

Download ReadyDriver Plus 1.1.

[Image: ReadyDriver Plus]

There are a few options that the user can select during installation of ReadyDriver Plus. However, it’s recommended to leave all options as they are (especially the /BOOT path, although it must use the correct drive letter on which Vista is installed), otherwise it defeats the purpose of installing ReadyDriver Plus. On a dual-boot or multi-boot system, change the keystroke setting accordingly (ReadyDriver Plus will be installed as an additional ‘OS’ item under Windows Vista, so 1 up keystroke is required to reach the Windows Vista OS. If you’re dual-booting, depending on the location of Windows Vista in the operating system selection menu, the automatic process may need 2 keystrokes to reach the item). Most users should be able to complete the setup by simply clicking “Next”.

ReadyDriver Plus supports both 32-bit and 64-bit (x86 and x64) versions of Windows Vista, including Windows Vista SP1 (Service Pack 1). ReadyDriver Plus can be uninstalled from Programs and Features in Control Panel.
