Unable to start service (Windows 10 x64)

[halmartin]

I am trying to use procfilter v1.0.0-beta.5 on Windows 10 1903 x64 (OS Build 18362.30).

Windows 10 was installed in a VM from Microsoft provided media, the version used was "Windows 10 May 2019 Update"

The procfilter service installed successfully from the binary ProcFilter.x64.Release.exe, but I am unable to start the service.

The following output is found in the log file (C:\Program Files\ProcFilter\fatal):

umdriver.cpp(174): Unable to start driver service 577: Error verifying driver signature. Unpatched Windows 7 require the hotfix at Microsoft Security Advisory 3033929 in order to load SHA-2 signed drivers. It can be downloaded from https://technet.microsoft.com/en-us/library/security/3033929.

According to Microsoft KB4472027, Windows 10 supports SHA-2 driver signing without further action:

Windows 10 updates signatures changed from dual signed (SHA-1/SHA-2) to SHA-2 only. No customer action required.

It is possible to start the procfilter service by enabling test-signing and rebooting:

bcdedit /set TESTSIGNING ON

This is not ideal, as it means that procfilter cannot be used in certain scenarios (e.g. when Secure Boot is enabled, as test-signing mode is prohibited in Secure Boot environments).

---

Questions:

1. Is Windows 10 compatibility a known issue? error while attempting to start service #1 is the same problem, but on Windows 7 not Windows 10.
2. Can the driver signing be fixed to allow loading on Windows 10 without enabling test-signing mode?

---

Is this just an issue of the certificate having expired in January 2019?

[ewil]

Thanks for the detailed info and nice bug report. You are correct, the message in the fatal log is now inaccurate. When it was written the only driver load failures we encountered were due to the missing hotfix that enables Windows 7 to validate SHA256 signatures. But now, Windows 10 with Secure Boot enabled will also prevent a driver from loading, even if signed with an EV certificate using SHA256.

Windows 10 with Secure Boot enabled requires that loaded drivers are signed directly by Microsoft and an Extended Validation driver signing certificate as part of their Attestation Signing process.

https://www.osr.com/blog/2017/07/06/attestation-signing-mystery/

Getting that done is, unfortunately, not as straightforward as that article describes.

This will be done in a subsequent update, but I can't give a timeline for it. Right now the driver that comes with the current ProcFilter build is only signed with an EV cert but did not go through the Attestation Signing process. It's still validly signed and you can load it anywhere, except Windows 10 when Secure Boot is enabled.

The workarounds to get ProcFilter to run for Windows 10 are to 1) disable secure boot or 2) enable test signing or 3) build and sign the driver yourself if you have an EV certificate and can do the attestation signing.

In the coming months there will be a ProcFilter update that adds some features and includes a driver signed through the attestation process, but I can't be more specific than that due to time constraints & availability. I will see about prioritizing it since it seems others such as yourself have encountered this issue.

Thanks again for the nice bug report.

[halmartin]

This will be done in a subsequent update, but I can't give a timeline for it.

I know asking for updates is taboo, but it's been a while and I was curious if you have any more information on this.