none
Problem with installation of test-signed minifilter driver on Windows 1803 with SecureBoot, SYSTEM account changes registry data after installation RRS feed

  • Question

  • Hi! I have a problem with installation of my own minifilter driver on Windows 10 1803 with Secure Boot.

    I have an application. In the process of its installation it installs in the system some drivers: file system minifilter driver, driver for disk devices, driver for other devices and some other drivers. All drivers are tested with HLK studio and test-signed through the Dashboard. Digital signatures "Microsoft Windows Hardware Compatibility Publisher" are visible in the properties of all .sys and .cat files.
    The process of installation is performed by the installator application and uses "CreateService" command for basic parameters setting and "RegSetValueEx" for additional parameters:
    DWORD tag = 4;
    wchar_t startGroup[] =  L"FSFilter Security Enhancer";
    wchar_t dependencies[] = L"FltMgr\0\0\0\0";
    hServ = CreateService(hSCM, L"DlFlt", L"DlFlt", GENERIC_EXECUTE, SERVICE_FILE_SYSTEM_DRIVER, SERVICE_BOOT_START, SERVICE_ERROR_NORMAL, L"system32\\drivers\\dlflt.sys", startGroup, &tag, dependencies, 0, 0);
    After the "CreateService" command are executed all things are going well for 10-15 seconds. After this time I see that "Start" parameter for my driver in registry are changed from 0 (SERVICE_BOOT_START) to 4 (DISABLED).

    With registry audit enabled this event looks like a special logon of SYSTEM account which changes only "Start" parameter for my driver:

    1. An account was successfully logged on.
    Subject: Security ID: SYSTEM   Account Domain: WORKGROUP   Logon ID: 0x3E7
    Logon Information: Logon Type: 5   Restricted Admin Mode: -   Virtual Account: No   Elevated Token: Yes   Impersonation Level: Impersonation
    New Logon: Security ID: SYSTEM   Account Name: SYSTEM   Account Domain: NT AUTHORITY   Logon ID: 0x3E7   Linked Logon ID: 0x0   Network Account Name: -   Network Account Domain: -   Logon GUID: {00000000-0000-0000-0000-000000000000}
    Process Information: Process ID: 0x25c   Process Name: C:\Windows\System32\services.exe
    Detailed Authentication Information: Logon Process: Advapi   Authentication Package: Negotiate   Transited Services: -   Package Name (NTLM only): -   Key Length: 0

    2. Special privileges assigned to new logon.
    Subject: Security ID: SYSTEM   Account Name: SYSTEM   Account Domain: NT AUTHORITY   Logon ID: 0x3E7
    Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege

    3. A registry value was modified.
    Subject: Security ID: SYSTEM   Account Domain: WORKGROUP   Logon ID: 0x3E7
    Object: Object Name: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Dlflt   Object Value Name: Start   Handle ID: 0x9c4   Operation Type: Existing registry value modified
    Process Information: Process ID: 0x350   Process Name: C:\Windows\System32\svchost.exe
    Change Information: Old Value Type: REG_DWORD   Old Value: 0   New Value Type: REG_DWORD   New Value: 4

    There are some conditions for all these events to happen. If we change at least one option from the list then "Start" parameter in registry will stay the same. The list is:
    1. SecureBoot must be enabled
    2. Start type for the driver must be SERVICE_BOOT_START (nothing happens with SERVICE_SYSTEM_START, for example, but this start type is inappropriate for my application).
    3. Driver group must be something from "FSFilter" group or "Filter". I want to use "FSFilter Security Enhancer" value.
    4. Driver file must be copied from installer folder to Windows/System32/drivers folder. Without copying nothing happens too.
    5. Registry key "System/Services/DlFlt" must not exist. If it exists at the start of installation then nothing happens too.

    If I install the driver from .inf file I get the same behavior: "Start" parameter changes to 4 after 10 seconds. If I change "Start" parameter back to 0 after any kind of installation then all is going well. Nobody tries to change it to 4 neither instantly, nor after some reboots. If I install my driver with some changed parameters (for example, driver group), then I wait for 10 seconds and change this parameter back to the initial value, then all is going well too. All my other drivers are installed correctly, they all use SERVICE_BOOT_START start type (though they are not SERVICE_FILE_SYSTEM_DRIVER).

    Can anybody help me with this strange behavior? What is going on after installation and how can I install my driver correctly without these issues with registry?

    Thanks,
    Dmitriy

    Tuesday, December 11, 2018 2:52 PM