Windows 7 claims driver is not digitally signed, but it is

digital-signaturedriverswindows 7

On this system the WLAN AutoConfig service will not start:

In error log/system:

"The WLAN AutoConfig service depends on the NativeWiFi Filter service
which failed to start because of the following error:
Windows cannot verify the digital signature for this file. A recent
hardware or software change might have installed a file that is signed
incorrectly or damaged, or that might be malicious software from an
unknown source."

In error/log security:

"Code integrity determined that the image hash of a file is not
valid. The file could be corrupt due to unauthorized modification or
the invalid hash could indicate a potential disk device error.
C:\Windows\system32\drivers\nwifi.sys"

I ran sfc /scannow and it found no errors.

I ran sigverif and it says that this file, along with vwififlt.sys are not signed.

Next I uploaded nwifi.sys and vwififlt.sys to virustotal, which says they are signed and Ok.

Finally I directly compared these files with the same files on another Windows 7 machine. They have identical sha256 and md5 sums, and the other machine thinks that they are signed.

What is happening?

Best Answer

Windows drivers often do not contain the digital signature within the actual file. Instead, all the signatures for a group of drivers are bundled into a single file called a catalog. If this file becomes damaged, all the files which it authenticates will be marked as unsigned. Windows will not tell you that it is really the catalog that is damaged, you just have to guess. It also won't tell you which catalog is damaged. The catalogs are stored in c:\windows\system32\catroot\.

You have to go to a working machine and run sigverif and then look at the log. You'll see a line like this for the file:

nwifi.sys 14/07/2009 2:5.1,2:5.2,2:6.0,2:Signed Microsoft-Windows-ClMicrosoft Windows

Microsoft-Windows-Cl is part of the name of the catalog containing this file's signature. Windows doesn't bother to tell us the whole file name and there are 11 catalog files which begin with this string. In order to find which one it really is you must install the Windows SDK to get the program signtool.exe. In the catroot folder, under a long CLSID, you will find a bunch of files which begin with this string. In order to figure out which one is damaged, use signtool to try to verify nwifi.sys. Eventually you'll find it:

signtool verify /a /c c:\windows\system32\catroot\{F...}\Windows-Client-Features-Package~31bf3856ad364e35~amd64~~6.1.7601.17514.cat c:\windows\system32\drivers\nwifi.sys

This command will succeed on a normal Windows 7 machine (with wifi). On the problem machine it fails. After comparing the catalog files I found they were different, and indeed Windows would refuse to open the damaged one if I double clicked it directly. Of course it would offer no clue at all what the problem was until I already figured it out.

So at this point to fix the machine you simply copy the catalog from the working machine to the broken one.

Related Solutions

Windows – Use an unsigned driver in Windows 7 x64

This forum topic has multiple solutions, although the only one that has been confirmed to work by at least one person and has upvotes is this:

Open a command prompt as an admin and type

bcdedit -set loadoptions DDISABLE_INTEGRITY_CHECKS
bcdedit -set TESTSIGNING ON

See security risk warning.

If it doesn't work for whatever reason you can just remove loadoptions with bcedit and switch testsigning off.

bcdedit /deletevalue loadoptions
bcdedit -set TESTSIGNING OFF

If this breaks something for whatever reason sorry, good-luck.

EDIT: Other sources seem to also provide this as a solution, such as this (albeit for Windows Vista) and this

How to digitally sign a 64-bit kernel mode driver

Yes, you need to purchase a certificate from a Trusted Certificate Authority. If anyone could make a certificate, there'd be countless certificates claiming to be "Microsoft Corporation" and it would be virus heaven.

That document you mention is what I used to learn how to sign drivers. I highly recommend you set aside a few days and run through it start to finish. I spent a good part of the week going through it.

All I can offer on top of that is the following batch file which I execute from VS2010 in post-build. It uses a certificate from the computer's certificate store, not a file. The reason it's so complex is I use it in many different circcumstances for many different projects.

Sign.bat

::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: Signs the project output.

::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: Usage
:: 
:: Post-build event command line:
:: Call "$(ProjectDir)..\..\Sign.bat" "$(ConfigurationName)" "$(TargetPath)"
:: 
:: Run the post-build event:
:: When the build updates the project output

::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: Input Parameters
:: 
:: %~1   $(ConfigurationName)    The file's configuration.  This function will
::                               use a different certificate for "Debug"
::                               configurations.
:: %~2   $(TargetPath)           The full path of the first file to sign.
:: %~3+  FileName                The names of the remaining files to sign.
::                               These files must reside in the same directory
::                               as %2.

::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: Validate the parameters.
If "%~1"=="Debug" Exit /B 0
If "%~1"=="" Goto Error
If "%~2"=="" Goto Error
Goto Valid

:Error
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: Report that the syntax is incorrect.
Echo One or more parameters are missing.
Echo.
Echo %~nx0 configuration filename1 [filename2 ...]
Echo.
Echo configuration      The project configuration.  Usually "Debug" or "Release".
Echo filename1          The full path of the first file to sign.
Echo filename2          The names of addition files to sign.  These files must
Echo                    reside in the same folder as "filename1".
Echo.
Exit /B 1

:Valid
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: Change to the assembly's folder.
%~d2
CD %~dp2

::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: Prepare the list of files to sign.
Set FileList=
:CreateFileList
Set FileList=%FileList% %~snx2
Shift /2
If Not "%~2"=="" Goto CreateFileList

::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: Sign the assembly files.
Set Store=my
Set Certificate=type the name of your certificate here
Set TimeStampUrl=http://timestamp.verisign.com/scripts/timestamp.dll
C:\WinDDK\7600.16385.1\bin\x86\SignTool.exe Sign /s "%Store%" /n "%Certificate%" /t "%TimeStampUrl%" %FileList%
If %ErrorLevel%==1 Exit /B 1

::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: Verify the digital signature is valid.
C:\WinDDK\7600.16385.1\bin\x86\SignTool.exe Verify /pa %FileList%

Best Answer

Related Solutions

Windows – Use an unsigned driver in Windows 7 x64

How to digitally sign a 64-bit kernel mode driver

Related Question