Secret driver cross sign registry key?? 1607-Anniversary update

Discussion in 'Windows 10' started by ST33LDI9ITAL, Sep 2, 2016.

  1. ST33LDI9ITAL

    ST33LDI9ITAL MDL Novice

    Dec 22, 2013
    3
    2
    0
    Hey guys,

    So, I'm late to the party and have been putting off Win10 as long as I can. However, I'm gonna be making the jump next week and am curious about this kernel signing issue myself. I run Bitlocker with TPM and Secureboot on my system but still have need for unsigned/cross-signed kernel drivers. I caught this post elsewhere but it's relevant:

    So... what's the deal? Any info would be appreciated.
     
  2. 100

    100 MDL Expert

    May 17, 2011
    1,346
    1,540
    60
    Wow, WTF. Guess we'll have to ask the disassembler then.
     
  3. EFA11

    EFA11 Avatar Guru

    Oct 7, 2010
    8,796
    6,750
    270
    #3 EFA11, Sep 2, 2016
    Last edited by a moderator: Apr 20, 2017
    I wouldn't suppose it's this old setting lol

    Code:
    User Key: [HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows NT\Driver Signing]
    Value Name: BehaviorOnFailedVerify
    Data Type: REG_DWORD (DWORD Value)
    Value Data: (0 = Ignore, 1 = Warn, 2 = Block)
     
  4. yomoma2

    yomoma2 MDL Member

    Feb 27, 2010
    207
    46
    10
    There's no "BehaviorOnFailedVerify" key on an upgraded W10, so that might not be it.
     
  5. EFA11

    EFA11 Avatar Guru

    Oct 7, 2010
    8,796
    6,750
    270
    #5 EFA11, Sep 3, 2016
    Last edited: Sep 3, 2016
    If it's secret, I would assume it's a nulled key. These keys cannot be made, seen, deleted or changed by the normal Windows API, so they are not accessible by regedit or most registry editors.

    Just running a search on vanilla 14393.105 Pro returns no hidden keys.
     
  6. Carlos Detweiller

    Carlos Detweiller MDL Spinning Tortoise

    Dec 21, 2012
    2,273
    1,859
    90
    Is there any tool available with which one could scan for potential hidden/nulled keys? The subject sounds interesting...
     
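As an added example (not code posted by anyone in this thread), here is a small C scanner for the "nulled key" case EFA11 describes and Carlos asks about: the Win32 registry API treats key names as NUL-terminated strings, so a name with an embedded U+0000 is invisible to regedit and RegEnumKeyEx, while the native NT API reports an explicit byte length and can enumerate it. The core check is portable; the enumeration part is Windows-only, resolves NtOpenKey/NtEnumerateKey from ntdll at run time, and the sample names are constructed.

```c
#include <stdio.h>
#include <stddef.h>
#include <stdint.h>

/* Portable core check: a UTF-16 key name of name_len_bytes (the NT
 * KEY_BASIC_INFORMATION.NameLength) that contains U+0000 before its end
 * cannot be opened or listed through the NUL-terminated Win32 API. */
int name_has_embedded_null(const uint16_t *name, size_t name_len_bytes) {
    size_t units = name_len_bytes / sizeof(uint16_t);
    for (size_t i = 0; i < units; i++)
        if (name[i] == 0) return 1;
    return 0;
}

/* Constructed sample names (not from any real hive). */
static const uint16_t SAMPLE_PLAIN[]  = {'D','r','i','v','e','r','s'};
static const uint16_t SAMPLE_HIDDEN[] = {'D','r','i','v','e','r','s',0,'X'};

#ifdef _WIN32
#include <windows.h>
#include <winternl.h>
typedef struct { LARGE_INTEGER LastWriteTime; ULONG TitleIndex;
                 ULONG NameLength; WCHAR Name[1]; } KBI;
typedef NTSTATUS (NTAPI *NtOpenKey_t)(PHANDLE, ACCESS_MASK, POBJECT_ATTRIBUTES);
typedef NTSTATUS (NTAPI *NtEnumerateKey_t)(HANDLE, ULONG, int, PVOID, ULONG, PULONG);

/* Count subkeys with embedded NULs under an NT-style path such as
 * L"\\Registry\\Machine\\SOFTWARE\\Policies". Returns -1 if the key
 * cannot be opened. */
int scan_hidden_subkeys(const wchar_t *nt_path) {
    HMODULE nt = GetModuleHandleW(L"ntdll.dll");
    NtOpenKey_t open_key = (NtOpenKey_t)GetProcAddress(nt, "NtOpenKey");
    NtEnumerateKey_t enum_key = (NtEnumerateKey_t)GetProcAddress(nt, "NtEnumerateKey");
    UNICODE_STRING us; OBJECT_ATTRIBUTES oa; HANDLE h;
    us.Buffer = (PWSTR)nt_path;
    us.Length = (USHORT)(wcslen(nt_path) * sizeof(WCHAR));
    us.MaximumLength = us.Length + sizeof(WCHAR);
    InitializeObjectAttributes(&oa, &us, OBJ_CASE_INSENSITIVE, NULL, NULL);
    if (open_key(&h, KEY_ENUMERATE_SUB_KEYS, &oa) < 0) return -1;
    int hidden = 0; BYTE buf[1024]; /* max key name is 255 UTF-16 units */
    for (ULONG i = 0;; i++) {
        ULONG len;
        NTSTATUS st = enum_key(h, i, 0 /* KeyBasicInformation */, buf, sizeof buf, &len);
        if (st == (NTSTATUS)0x8000001A /* STATUS_NO_MORE_ENTRIES */) break;
        if (st < 0) continue;
        KBI *k = (KBI *)buf;
        if (name_has_embedded_null((const uint16_t *)k->Name, k->NameLength)) {
            hidden++;
            printf("hidden subkey at index %lu (%lu name bytes)\n", i, k->NameLength);
        }
    }
    CloseHandle(h);
    return hidden;
}
#endif
```

On Windows the scan needs to be pointed at each hive path of interest; a hive diff as ST33LDI9ITAL proposes complements it, since an offline dump is not subject to the Win32 name truncation at all.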
  7. ST33LDI9ITAL

    ST33LDI9ITAL MDL Novice

    Dec 22, 2013
    3
    2
    0
    #7 ST33LDI9ITAL, Sep 3, 2016
    Last edited: Sep 3, 2016
    (OP)
    Ok, well I'm not too familiar with "nulled key" but any hidden keys will still be part of the hive and could be analyzed with an external dump. What we do know is that it is a "hidden registry key" supposedly, and that it causes a fresh 1607 install to mimic an upgrade install.

    I'm going to spend some time diffing hives from fresh install and upgrade to see if I can find anything. I think it's at least worth a bit of research... hoping others will continue to look into this as well as there is a lot to cover.

    As for my install... I'll just be sticking with an upgrade to 1607 as that seems to be the easiest solution for now. Although I'm curious about forging certs to different dates or other workarounds. If anyone has any info or advice I'd love to hear it.
     
  8. EFA11

    EFA11 Avatar Guru

    Oct 7, 2010
    8,796
    6,750
    270
    #9 EFA11, Sep 3, 2016
    Last edited by a moderator: Apr 20, 2017
  9. 100

    100 MDL Expert

    May 17, 2011
    1,346
    1,540
    60