Windows Embedded Standard 7 - Windows Boot Manager: File winload.exe Status: 0xc0000428 Windows cannot verify the digital signature for this file.


  • Here is the situation:

    I have a machine running Windows Embedded Standard 7. To create an image from that system I did the following steps:

    Run Sysprep on the machine;

    After reboot I capture the image using imageX /capture d: <usb drive>\wes7.wim "Windows 7 Install"  /compress fast /verify 

    I unplugged the HD and plugged a brand new one, in the same machine, where I intend to deploy the captured image;

    Restarted the machine, booting from USB (WindowsPE);

    Used DISKPART to prepare the new HD;

    list disk

    select disk 0


    create partition primary

    select partition 1


    format fs=ntfs quick

    assign letter c


    Then I used imageX /apply <usb drive>:\wes7.wim 1 c:\ to apply the image to the new HD

    bcdboot c:\windows /s c:

    wpeutil shutdown

    Next step was to unplug the USBs and start the machine booting from the new HD.

    That's when the problem occurs.

    The screen that opens for me is:

    Windows Boot Manager

    A recent hardware or software change might have installed a file that is signed incorrectly (...) temporarily disable driver signature enforcement.

    File: \windows\system32\winload.exe

    Status: 0xc0000428

    Info: Windows cannot verify the digital signature for this file.

    I tried to use the following commands:

    bcdedit -set loadoptions DDISABLE_INTEGRITY_CHECKS

    bcdedit -set TESTSIGNING ON

    But the WES7 doesn't recognize those.

    I edited the Registry, found one entry for Driver Signing = 00 and another Non-driver Signing changed to = 00

    Tried to run gpedit from command prompt, no success.

    Any lead or idea, please?!

    • Edited by OsMachadao Thursday, June 14, 2012 5:12 PM
    Thursday, June 07, 2012 11:00 PM

All replies

  • Try imagex again without  /compress fast /verify options.

    -Sean / /, Book Author - Pro Guide to WES 7, XP Embedded Advanced, Pro Guide to POS for .NET

    Friday, June 08, 2012 1:43 AM
  • I used imageX without /compress fast /verify options, but now I have another error message, attached.

    Trying to fix that I used:

    x:\windows\system32\bcdedit /set {default} device partition=c:

    x:\windows\system32\bcdedit /set {default} osdevice partition=c:

    x:\windows\system32\bcdedit /set {bootmgr} device partition=c:

    But it didn't work after all, any clue, please?!

    Wednesday, June 13, 2012 9:16 PM
  • Are you sure you sysprep'd the image before running imagex? The error is what I would expect if sysprep was not run.

    -Sean / /, Book Author - Pro Guide to WES 7, XP Embedded Advanced, Pro Guide to POS for .NET

    Wednesday, June 13, 2012 11:27 PM
  • Yes, I did!!

    Followed all the steps, including sysprep!!

    That's one of the reasons that took me forever to try all the steps again.

    I had to reinstall the system from scratch, be sure that the machine was up and running 100% again, and then run sysprep, reboot, imagex /capture, turned off, changed the HD for a new one, did all the steps and now this message.

    Wednesday, June 13, 2012 11:39 PM
  • Hm... it looks all ok for me. Some other thread about c000000e says something about diskpart but there is nothing new you haven't done.

    When does the error appear? instantly or does windows load a few seconds?

    You could try offline building from some other machine. // Format the disk with diskmgmt.msc and than apply the image with DISM or IMAGEX. I don't thinkt this will change anything but it's an alternative methode which should be tested if nothing goes forward.

    I had some weird behavior on some kind of machines/UFD because of some bootsector / format issues.

    Windows Embedded Developer and Scripting Guy //Germany (Preparing a blog about Windows Embedded Standard)

    Thursday, June 14, 2012 1:29 PM
  • At BCDEDIT and testsigning

    you might did forget to use the actual store?

    bcdedit.exe /store (TargetVolume)\boot\bcd /set nointegritychecks ON

    you also could change it from defined C: to boot like:

    bcdedit /store (TargetVolume)\boot\bcd /set {default} osdevice boot

    bcdedit /store (TargetVolume)\boot\bcd /set {default} device boot

    and just for testing and using different hardware: 

    bcdedit /store (TargetVolume)\boot\bcd /set detecthal 1

    Windows Embedded Developer and Scripting Guy //Germany (Preparing a blog about Windows Embedded Standard)

    • Edited by KNARZ Thursday, June 14, 2012 1:35 PM
    Thursday, June 14, 2012 1:33 PM
  • Hello!

    Thanks a lot for your attention.

    No, unfortunately the system presents the black screen right away, it doesn't take seconds to load the Windows.

    One thing that I found "interesting" is the presence of 2 Windows Boot Loaders, as attached.

    I run C:\Windows\System32\bcdedit /store C:\Boot\BCD /enum and I have the attached screen. I'm not able to fix the unknown on the second Windows Boot Loader.

    Althought when I reboot the machine it shows me the 2 Windows Embedded options to choose. When I choose the first one the error is 0xc0000428, if I choose the second one the error is 0xc0000000e.

    I did tried the bdcedit /store options that you shared, but the first one it doesn't work (NoIntegrityChecks ON), I was not able to run that one, the others work fine, but no success yet.

    Thursday, June 14, 2012 4:38 PM
  • i'm wondering about a few things.

    please delete your c:\boot\BCD store and create a new one with bcdboot. (i'm bot completly aware with no extra parameter and/or "/s C:" parameter)

    my win7 bcd just for compare:

    Bezeichner              {bootmgr}
    device                  partition=\Device\HarddiskVolume1 // but 'boot' should work. i edited once in a while without problems.
    description             Windows Boot Manager
    locale                  de-DE
    inherit                 {globalsettings}
    default                 {current} // you have {default} - it's not documentend from MS to use this as a identifier (afaik).
    resumeobject            {aced3fc3-2f7e-11e0-b1d2-f550db133adc}
    displayorder            {current}
    toolsdisplayorder       {memdiag}
    timeout                 10

    Bezeichner              {current}
    device                  partition=C:
    path                    \Windows\system32\winload.exe
    description             Windows 7
    locale                  de-DE
    inherit                 {bootloadersettings}
    osdevice                partition=C:
    systemroot              \Windows
    resumeobject            {aced3fc3-2f7e-11e0-b1d2-f550db133adc}
    nx                      OptIn
    detecthal               Yes

    And "bcdedit /set nointegritychecks ON" works for me.

    forget the second (6f73....) it's worthless - unknown device and unknown osdevice. - you could edit it to boot or the parameters i posted in my reference. but this would more or less copy the first one (without the bootux flag).

    Anyway i searched for the c0000428 and found some thread with this link.

    its pretty much the same i could now write over but fortunatly someone else did. :)

    Windows Embedded Developer and Scripting Guy //Germany (Preparing a blog about Windows Embedded Standard)

    Thursday, June 14, 2012 5:19 PM