Driver Signing Policy

[MadBoy]

Hej, I'm not sure if it will be the best forum to ask for this, but a lot of ppl probably have experience in this issue. Driver signing. I used RegMon to monitor what registry changes happens when you Turn it On or Off thru My Computer -> Properties -> Hardware - > Driver Signing.

Everywhere i looked those 3 keys are always mentioned as supposed to work for Driver Signing OFF.

Func DriverSigningOff(); Sets Driver Singning to OFF.
    If @ProcessorArch = "X86" Then $HKLM = "HKEY_LOCAL_MACHINE"
    If @ProcessorArch = "X64" Then $HKLM = "HKEY_LOCAL_MACHINE64"
    RegWrite($HKLM & "\SOFTWARE\Microsoft\Driver Signing", "Policy", "REG_BINARY", "00")
    RegWrite("HKEY_CURRENT_USER\Software\Microsoft\Driver Signing", "Policy", "REG_DWORD", "0")
    RegWrite("HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows NT\Driver Signing", "BehaviorOnFailedVerify", "REG_DWORD", "00000000")
EndFunc

Problem is.. they don't. I noticed that besides those 2 first keys.. (3rd key doesn't get set at all) when i set: Driver Signing to OFF private Hash changed to:

HKLM\Software\Microsoft\Windows\CurrentVersion\Setup\PrivateHash 01 32 A3 68 55 C2 D2 00 ...

Driver Signing to ON private Hash changed to:

HKLM\Software\Microsoft\Windows\CurrentVersion\Setup\PrivateHash 15 CA EF C3 34 E8 C8 78 ...

Of course on each computer Private Hash is diffrent. Question is how that private hash is generated. Some ppl said on diffrent forums it's Windows version dependant but I have 2 Windows XP Sp2 PL version and those keys are diffrent. Any help would be appreciated

[big_daddy]

This is what Microsoft has to say about it.

http://support.microsoft.com/?kbid=298503

Also if you don't actually need to turn it off, but just have it ignore when the driver isn't signed try this.

http://www.winguides.com/registry/display.php/1298/

Edited April 3, 2006 by big_daddy

[CyberSlug]

Might work--unless your computers are on a domain:

$title = "System Properties"

Run("control.exe sysdm.cpl")
WinWait($title)

ControlCommand($title, "", "SysTabControl321", "TabRight", "")
ControlCommand($title, "", "SysTabControl321", "TabRight", "")
ControlClick($title, "", "Driver &Signing")

ControlClick("Driver Signing Options", "", "&Ignore - Install the software anyway and don't ask for my approval")
ControlClick("Driver Signing Options", "", "OK")

ControlClick($title, "", "OK")

[MadBoy]

Tnx, seems bad news for me. It can be done manually in Windows thought it can be done by registry but like they said in one of the articles it can be used by malware i guess. Maybe it can be done by some DllCall? I haven't yet played with that at all besides seeing ppl using it sometimes? Can that be solution in that case.. for fastest way to change that policy settings. I wouldn't like user or anyone that will use the script to see the process of AutoIT clicking My Computer waiting for next GUI to open and doing all the things on by one?

[MadBoy]

@cyberslug - problem in case of your script is that it's language related, domain related I'm trying to prepare multi language, driver installing program for all administrators out there and it's preety much needed to be totally unattended + language independant.

[MadBoy]

This is what Microsoft has to say about it.

http://support.microsoft.com/?kbid=298503

Also if you don't actually need to turn it off, but just have it ignore when the driver isn't signed try this.

http://www.winguides.com/registry/display.php/1298/

As you might have noticed in my script i have added:

RegWrite("HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows NT\Driver Signing", "BehaviorOnFailedVerify", "REG_DWORD", "00000000")

which is exactly what they suggest in that post :/ But it doesn't seems to work, at least not in case using SetupCopyOemInf. Haven't had problem with DevicePath registry entries.. but maybe just drivers i used were signed.