Drivers marked as unsigned in Windows 7 - windows-7

I have a problem with my Windows 7 Professional 64-bit laptop. I rebooted a few days ago and the system would not start. I received this BSOD:
c000021a The session manager failed to create protected prefixes
System process terminated unexpectedly with a status of 0xc000003a
I could not boot into any Safe Mode or Command Prompt. But when I selected Disable Driver Signature Enforcement, I could boot into Windows.
Once in Windows, I opened a command prompt and ran SIGVERIF. This listed 39 driver files that it thought were not signed. I am not sure about this, because I performed a binary file compare (FC /B) on a couple of the files against a fresh install of Windows 7. Specifically, drivers BATT.DLL and MMCICO.DLL were identical.
This is what I have tried:
ran a full Sophos anti-virus scan with latest virus catalog (no issues detected)
uninstalled any Windows Updates that were applied between the last successful boot (5/10/2018) and the failed boot (15/11/2018). These were KB4457144, KB2952664, KB4457038.
uninstalled any software that was installed between the last successful boot and the failed boot.
applied KB4467107 and rebooted.
applied KB4457918 and rebooted.
But the system still gets the BSOD and will only boot when I select the Disable Driver Signing Verification boot option.
Is this a fault with whatever Windows uses to determine whether a driver is signed or not? Or is this a problem with the driver files themselves becoming corrupted?
Any assistance and suggestions welcome.
The 39 driver files that SIGVERIF flags as unsigned are:
batt.dll
mmcico.dll
agilevpn.sys
asyncmac.sys
blbdrive.sys
cmbatt.sys
compositebus.sys
discache.sys
hdaudbus.sys
i8042prt.sys
lltdio.sys
monitor.sys
mskssrv.sys
mspclock.sys
mspqm.sys
mstee.sys
ndisuio.sys
ndiswan.sys
rasl2tp.sys
raspppoe.sys
raspptp.sys
rassstp.sys
rdpbus.sys
rdpcdd.sys
rdpencdd.sys
rdprefmp.sys
rspndr.sys
serenum.sys
serial.sys
sermouse.sys
tap0901.sys
tpm.sys
tunnel.sys
umbus.sys
vga.sys
vwifibus.sys
vwififlt.sys
vwifimp.sys
wfplwf.sys

Related

Delphi 10.4.2 unable to run debugging

If I try to run a program in debugging mode I get "Cannot create process: cannot find the specified file", while it works without problems in release mode. I found the same problem discussed here several years ago. I carefully followed all the suggestions from that old case, but without any good result. Of course I checked all the security stuff and compatibilities. I run Delphi 10.4.2 on a Dell 9510 with Windows 11 and Microsoft Defender only. I also checked the firewall and open ports.
Can someone give me a hint? Thank you.
In addition to what I wrote before, I have reinstalled Delphi and run the Dell diagnostics as far as the laptop OS and HW are concerned.
The program, in the present and actual version works without problem but I need to modify it and I cannot do that if I cannot get debugging info and step by step running.

Windows 10 Service Start Error 2 (The system cannot find the path specified)

I am developing a kernel mode driver for Windows 10 and I am stuck on the service start; it always gives me this error:
"0x2 The system cannot find the path specified"
To install it I have tried the following ways:
Using "sc create svname binpath="pathtodriver" type=kernel".
Creating a service from my C++ app with the CreateService API and the Kernel Mode flag.
Both return the same error for me, but here's the strangest thing: I have a desktop (from which I am writing this and where I develop my apps, study, etc.), and on this desktop I can install the driver without any problem using both ways. Now on my laptop, which I use to test some of my software, it installed the first time and after that I couldn't start the driver service anymore. The path is correct;
I have checked it a lot of times and tried almost everything.
Also, I have another kernel mode driver which loads on both computers anytime without any problem. It's really strange; I have been trying everything...
What I have tried to solve this problem:
Deleting the service from sc using "sc delete svname".
Deleting the service directly from registry.
Restoring registry.
Repairing windows.
Installing almost every Visual C++ Runtimes.
Install the driver with another service name, file name and different path.
Nothing of the list solves my problem.
(I am on Test Signing to test my driver without DSE)
EDIT: Solved. It was my DriverEntry; it was returning 0x2 because it was not compatible with all optical devices.

Disable signature enforcement

I know that this problem has been stated multiple times, but I cannot seem to find any solution. The issue is that I compiled the KMDF hello world example from Microsoft's website in release mode, but I am not able to run it. The reason is that when I try to launch the service, I get the following error: "The driver has been blocked from loading". I obviously get this error because I have not signed the driver, but even though I have disabled signature enforcement on my updated Windows 10 machine (as stated here), I still cannot launch the driver, and I get exactly the same message. So basically the option for temporarily deactivating signature enforcement seems to serve a completely decorative purpose. So, is there any other way to launch my unsigned driver on my Windows 10 virtual machine, or do I need to pay $100 to run my code on my own computer?
The tutorial that you're using mentions that you need to provision your target machine for driver deployment, and leads to the "Provision a computer for driver deployment and testing" page which (among other things) has the following instructions:
On the target computer, run the WDK Test Target Setup MSI that matches
the platform of the target computer. You can find the MSI in the
Windows Driver Kit (WDK) installation directory under Remote.
Example: C:\Program Files (x86)\Windows Kits\10\Remote\x64\WDK Test
Target Setup x64-x64_en-us.msi
If you want to deploy your driver manually (for example, if you're testing your driver on your development machine or in a VM), instead of running the aforementioned MSI you can manually enable test signing mode by running bcdedit -set TESTSIGNING ON from the elevated command prompt. You would need to reboot the machine for the changes to take effect.
See "The TESTSIGNING Boot Configuration Option" on MSDN for additional details.

netfilter2.sys driver automatically unregistered during reboot in WinVista/Win10

During install of our software package (NSIS as Admin), I write netfilter2.sys (which has been digitally signed) to c:\Windows\system32\drivers and register it for analyzing http packets. It then returns when executing "driverquery" from cmd with all other registered drivers. All functionality works fine, and seems to be all good.
However, after a reboot in WinVista(x86) and Win10 (x64), sporadically it will be unregistered, and no functionality will work. It will still be present in c:\Windows\system32\drivers, but will no longer be returned when executing "driverquery".
After a reboot where it is unregistered, in Event Viewer, Windows Logs\System, we see a reference to netfilter2.sys, saying that "Windows Defender Real-Time Protection agent has taken action to protect this machine from spyware or other potentially unwanted software."
I then look at Windows Defender History log, and see that it was "permitted", but do not see it under either allowed programs or quarantined programs.
Any idea why this driver is being unregistered, and how to prevent it from being unregistered in the future?
The issue stemmed from unregistering (-u tag) the driver and registering it directly after in the same batch file.
Apparently, when you unregister a driver like that it marks it for deletion.
Try a clean reinstall of Windows 10 to fix this issue we.

Unable to start applications from network "0xc0000006"

I can't start applications from a network share or drive. An error appears saying that the application was unable to start: 0xc0000006. If I copy the .exe to my desktop it works fine.
I tried to start Windows in safe mode and it works too.
My machine is an HP Core i5 laptop with Windows 7 SP1.
Any idea?
EDIT:
I found my problem: It's a bug that happens sometimes with Kaspersky Endpoint Security v.10. I just uninstalled this version and installed an older version (v.8). I hate Kaspersky...
Hope it will help someone!
0xc0000006 is an NTSTATUS code. Specifically it is STATUS_IN_PAGE_ERROR.
It is not uncommon to see these errors when you attempt to run an executable from a network volume. For whatever reason, if there is any even intermittent problem accessing the network volume, then you may see this error. When a module is loaded, the code is not physically loaded until it is needed. A memory mapped file is created, and when a particular page is needed, it is brought into physical memory on demand. If your network fails to meet this demand, your application stops with STATUS_IN_PAGE_ERROR.
The common ways to deal with this include:
Getting a more robust connection to your network volumes.
Copying the executable file to a local drive and running it from there.
Adding the IMAGE_FILE_NET_RUN_FROM_SWAP flag to your PE file options.
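To make the last option in the answer above concrete, here is an added example (not code from the original posts) that locates the Characteristics field of the PE file header and checks or sets IMAGE_FILE_NET_RUN_FROM_SWAP (0x0800 in winnt.h). The function names and the sample header bytes are constructed for illustration.

```python
import struct

IMAGE_FILE_NET_RUN_FROM_SWAP = 0x0800  # value from winnt.h


def _characteristics_offset(image: bytes) -> int:
    """Return the file offset of IMAGE_FILE_HEADER.Characteristics."""
    if len(image) < 0x40 or image[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    (e_lfanew,) = struct.unpack_from("<I", image, 0x3C)
    if e_lfanew + 24 > len(image) or image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    # 4-byte "PE\0\0" signature, then the 20-byte IMAGE_FILE_HEADER;
    # Characteristics is its last field, 18 bytes in.
    return e_lfanew + 4 + 18


def has_net_run_from_swap(image: bytes) -> bool:
    """True if the loader is told to copy a network image to swap first."""
    (flags,) = struct.unpack_from("<H", image, _characteristics_offset(image))
    return bool(flags & IMAGE_FILE_NET_RUN_FROM_SWAP)


def set_net_run_from_swap(image: bytes) -> bytes:
    """Return a copy of the image with the flag set; other bits are kept."""
    off = _characteristics_offset(image)
    (flags,) = struct.unpack_from("<H", image, off)
    patched = bytearray(image)
    struct.pack_into("<H", patched, off, flags | IMAGE_FILE_NET_RUN_FROM_SWAP)
    return bytes(patched)


def build_sample_header(characteristics: int = 0x0022) -> bytes:
    """Constructed MZ/PE header for the demo (headers only, not loadable)."""
    dos = bytearray(0x80)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x80)  # e_lfanew -> PE signature
    # Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    file_header = struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, 0, characteristics)
    return bytes(dos) + b"PE\0\0" + file_header


if __name__ == "__main__":
    sample = build_sample_header()
    print("before:", has_net_run_from_swap(sample))
    print("after: ", has_net_run_from_swap(set_net_run_from_swap(sample)))
```

Patching this field changes bytes covered by an Authenticode hash, so on a signed binary the signature no longer verifies; set the flag at link time (MSVC `/SWAPRUN:NET`) or before signing instead.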
Thank you for your replies.
I solved the problem by uninstalling Kaspersky Endpoint 10.
My colleagues have version 10 of Kaspersky and it works, but not for me.
I will install an older version while waiting for Kaspersky v 11.
