About Virtualization, VDI, SBC, Application Compatibility and anything else I feel like
11 Nov
Today I tested my unattended Citrix installation (XenApp 5 on Windows 2003) and I noticed that the install was taking longer than expected.
This was because of a popup:
I am not sure if this popup is shown because I ran MsiExec with /Qb- (I usually do that when testing), but if the popup is not shown it means that at least the installation of this driver (probably the Citrix Universal Print driver) fails.
So this means I needed to script turning off Driver Signature Warnings. A quick search led me to KB article KB298503, which is titled “Driver signing registry values cannot be modified directly in Windows“. As you may guess, that title drew my attention. So I modified the value with Regedit, expecting an error message (I assumed there was simply a Deny permission), but it succeeded. But after a little while the value was reset back to the original value.
When making the change in the GUI and observing this with Process Monitor it’s clear that the REG_BINARY Value PrivateHash under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup is also changed.
I played around in the GUI with the possible values and noticed that the PrivateHash key is always the same when setting the same value.
I searched which component(s) refer to PrivateHash in Windows\System32 and the only result I got was setupapi.dll. When I opened it with IDA, it clearly showed that an MD5 hash is calculated based on a seed and the value of the Policy key.
The seed comes from a REG_DWORD called seed in HKLM\SYSTEM\WPA\PnP.
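For monitoring this on XP/2003 hosts, the following added example (not from the original post or the DriverSignPolicy source) scans a Process Monitor CSV export for successful writes to PrivateHash and notes whether the same process read the seed value first. The sample rows, process names and the `expected` allowlist are constructed assumptions.

```python
import csv
import io

# Registry values named in the post (Windows XP / Server 2003).
# Registry paths are case-insensitive, so compare in lower case.
HASH_VALUE = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\PrivateHash".lower()
SEED_VALUE = r"HKLM\SYSTEM\WPA\PnP\seed".lower()

# Constructed sample in Process Monitor's CSV export layout.
# Process names, PIDs and times are made up for the example.
SAMPLE_CSV = r'''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:01:02.100","gui-host.exe","1200","RegQueryValue","HKLM\SYSTEM\WPA\PnP\seed","SUCCESS","Type: REG_DWORD, Length: 4"
"10:01:02.140","gui-host.exe","1200","RegSetValue","HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\PrivateHash","SUCCESS","Type: REG_BINARY, Length: 16"
"10:05:11.020","DriverSignPolicy.exe","2316","RegQueryValue","HKLM\SYSTEM\WPA\PnP\seed","SUCCESS","Type: REG_DWORD, Length: 4"
"10:05:11.050","DriverSignPolicy.exe","2316","RegSetValue","HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\PrivateHash","SUCCESS","Type: REG_BINARY, Length: 16"
"10:07:40.300","unknown.exe","3004","RegSetValue","HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\PrivateHash","ACCESS DENIED",""
"10:09:00.700","other.exe","3100","RegSetValue","hklm\software\microsoft\windows\currentversion\setup\privatehash","SUCCESS","Type: REG_BINARY, Length: 16"
"10:09:01.000","other.exe","3100","RegQueryValue","HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\LogLevel","NAME NOT FOUND",""
'''


def private_hash_writers(csv_text, expected=("gui-host.exe",)):
    """Return (process, pid, read_seed_first) for each successful PrivateHash
    write by a process outside the expected (hypothetical) allowlist."""
    allowed = {name.lower() for name in expected}
    seed_readers = set()   # (process, pid) pairs that have read the seed so far
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["Result"] != "SUCCESS":
            continue       # failed attempts changed nothing
        who = (row["Process Name"], row["PID"])
        path = row["Path"].lower()
        if row["Operation"] == "RegQueryValue" and path == SEED_VALUE:
            seed_readers.add(who)
        elif row["Operation"] == "RegSetValue" and path == HASH_VALUE:
            if who[0].lower() not in allowed:
                findings.append((who[0], int(who[1]), who in seed_readers))
    return findings


if __name__ == "__main__":
    for name, pid, seeded in private_hash_writers(SAMPLE_CSV):
        note = "read the seed first" if seeded else "no seed read seen"
        print(f"{name} (PID {pid}) wrote PrivateHash; {note}")
```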
I wrote a small commandline tool that changes the Driver Signing Policy:
DriverSignPolicy.exe
DriverSignPolicy (c) 2010 Remko Weijnen (www.remkoweijnen.nl)
Sets the Driver Signing Option for Server 2003 by commandline
the following paramater values can be used:
0 (Ignore)
1 (Warn)
2 (Block)
Downloads are below (executable and source).
As usual, have fun and please leave a comment if you think it’s useful.
Usage Example:
DriverSignPolicySource.zip
5 Responses for "Programmatically Changing the Driver Signing options"
Thankxxx for this tool, very nice one 🙂
Actually it’s somewhat more complicated. If you install a driver the good old way, i.e. by copying it into the proper folder and pointing to it from a Services subkey, it should not complain. However, when you go through the Setup API you will get this pop-up.
Oh, … and the Setup API is the underlying mechanism of DIFx.
In Vista SP1 and later (specifically on x64), things get more complicated because they introduced the Kernel Signing Policy.
And this code (DriverSignPolicySource) won’t work under Vista/7.
@AlexD: Yes, this is only applicable to Windows 2003/XP
Nice tool, but under WinXP SP3 I get an error message:
die ntvdm-cpu hat einen ungültigen befehl entdeckt.
CS0745 IP:0120 OP:63 65 6e 73 65.
Can you help me?