Application failed to register in Windows Security Center (Windows 7)

Question

  • Hi, guys!

    I need to register an antivirus app in Windows Security Center. For this purpose I am using an application (SCPI.EXE) that implements the WSC API IWscAVStatus interface. For some reason, when the application is started from the command line, I get the following error:

    The system cannot execute the specified program.

    Inspecting the Windows event log, I found an error (event ID 3002) from CodeIntegrity:

    Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume1\Program Files (x86)\Shield Antivirus\scpi.exe because the set of per-page image hashes could not be found on the system.

    I am using Windows 7 Ultimate with Service Pack 1 (x64).

    SCPI.EXE is signed with a valid certificate with both SHA1 and SHA256 digests; everything validates fine with signtool and it works fine on Win8 & Win10.

    Can you give me some hint about what's going on? Is this some special Win7 issue? I see that many others had the same trouble, but with system drivers and DLLs; however, this is a completely user-made application and has nothing to do with the system, so any system cleanup/repair is out of the question.

    Thank you!


    Friday, February 3, 2017 1:41 PM

Answers

  • We have found the reason for this behavior. The reason is the same as described in this post:

    https://social.msdn.microsoft.com/Forums/windowsdesktop/en-US/113895b8-f60b-4890-bdb8-6e4646e17d06/driver-signed-properly-but-still-getting-driver-code-integrity-determined-that-the-hash-image-of-a?forum=wdk

    A SHA2 cert works perfectly for applications on Windows 7 and 8 and also for drivers on Windows 8, but a driver signed with a SHA2 cert does not work on Windows 7, because the signature is rejected. Unfortunately, the Symantec/VeriSign request form proposed using SHA2 because it is better.

    We used a SHA256 certificate for signing, and the machine was not updated. After all updates were installed and applied, everything worked. Microsoft fixed this with this KB:

    https://technet.microsoft.com/en-us/library/security/3033929?f=255&MSPPError=-2147217396

    So the problem was that Windows was not updated.


    • Marked as answer by lordstanius Tuesday, February 14, 2017 7:37 AM
    • Edited by lordstanius Tuesday, February 14, 2017 7:38 AM
    Tuesday, February 14, 2017 7:37 AM
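The question and the accepted answer together give a defender a concrete triage routine: read the CodeIntegrity 3002 events, see whether the image's signer chain is SHA-2, and check whether KB3033929 is present on a Windows 7 / 2008 R2 host. The PowerShell below is an added example for that routine, not code from the thread or from the poster's product; the default file path is taken from the event text in the question, PowerShell 3 or later is assumed, and the Get-HotFix check is only a hint because later rollups can supersede the KB.

```powershell
# Added example: triage a CodeIntegrity 3002 ("per-page image hashes could not be found")
# event on Windows 7. Assumes PowerShell 3+; the default path comes from the question.
param(
    [string[]]$Path = @('C:\Program Files (x86)\Shield Antivirus\scpi.exe')
)

# 1. Recent 3002 events from the Code Integrity operational log, with the NT device path
#    of the rejected image pulled out of the message text.
$events = Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-CodeIntegrity/Operational'; Id = 3002
} -MaxEvents 20 -ErrorAction SilentlyContinue
foreach ($e in $events) {
    # Message form: "... image integrity of the file \Device\HarddiskVolume1\... because ..."
    if ($e.Message -match 'of the file (\\Device\\.+?) because') {
        '{0:u}  {1}' -f $e.TimeCreated, $Matches[1]
    }
}

# 2. Windows 7 / Server 2008 R2 (NT 6.1) needs KB3033929 to verify SHA-2 Authenticode
#    signatures; Windows 8 and later ship that support. Absence of the KB in Get-HotFix
#    is a hint, not proof, because a later rollup may have superseded it.
$os     = [Environment]::OSVersion.Version
$isWin7 = ($os.Major -eq 6 -and $os.Minor -eq 1)
$kb     = Get-HotFix -Id KB3033929 -ErrorAction SilentlyContinue
if ($isWin7 -and -not $kb) {
    Write-Warning 'KB3033929 not listed: SHA-2 signed images may fail Code Integrity checks.'
}

# 3. For each image, report signature status, signer and the certificate's signature
#    algorithm. sha256RSA on an unpatched NT 6.1 host reproduces the 3002 failure.
foreach ($p in $Path) {
    $sig  = Get-AuthenticodeSignature -FilePath $p
    $cert = $sig.SignerCertificate
    $algo = if ($cert) { $cert.SignatureAlgorithm.FriendlyName } else { 'n/a' }
    [pscustomobject]@{
        File       = $p
        Status     = $sig.Status
        Signer     = if ($cert) { $cert.Subject } else { 'n/a' }
        CertAlgo   = $algo
        RiskOnWin7 = [bool]($isWin7 -and -not $kb -and $algo -like 'sha256*')
    }
}
```

Run it elevated on the affected host; a row with RiskOnWin7 set to True is the situation the accepted answer describes, and installing the KB (or current rollups) is the fix rather than re-signing.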

All replies

  • Here you can find the document that describes the implementation of the Windows Security Center API: http://149.210.169.43/WscApi_VistaSP1.doc
    Friday, February 3, 2017 2:52 PM
  • Hi lordstanius,

    The validation compares the page hashes stored in the system security catalog files to the page hashes of the user-mode files themselves. If the page hashes in the system security catalog files do not match the page hashes from the system file, the system file is not loaded by the operating system.

    Please refer to the link below about event ID 3002.

    https://technet.microsoft.com/en-us/library/cc734001%28v=ws.10%29.aspx?f=255&MSPPError=-2147217396

    Third party anti-virus, anti-malware use an API call to register with the Windows Management Instrumentation (WMI) service. Action center receives notifications from WMI. Please make sure all the messages are turned on in Action Center settings. If the Action Center cannot detect your anti-virus program, you may need to do something that makes the anti-virus program register with WMI.

    Windows Security Center does not detect the antivirus application that is installed on a Windows Vista-based computer.

    https://support.microsoft.com/en-us/help/952923/windows-security-center-does-not-detect-the-antivirus-application-that-is-installed-on-a-windows-vista-based-computer

    Hope it will be helpful to you.


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Monday, February 6, 2017 7:03 AM
  • Hi, Carl!

    Thank you for your answer. Still, it doesn't help solve the issue. We are aware that (for some reason) the page hashes stored in the system catalog don't match the page hashes in our application. But still, we cannot figure out the reason why, or what's wrong with the code. The problem is not that Windows Security Center doesn't register the application; the application itself fails to load. It didn't have a chance to run in order to perform the registration.

    I thought it might be an issue with signing, so I have studied deeply the following article:

    https://social.technet.microsoft.com/wiki/contents/articles/255.forced-integrity-signing-of-portable-executable-pe-files.aspx

    I have checked every single line from this article and couldn't find the problem with the signing. I have also checked this one:

    https://social.technet.microsoft.com/wiki/contents/articles/251.how-to-fix-signature-verification-failures-caused-by-invalid-pointertorawdata-field-values.aspx

    And I have run signtool to verify whether it satisfies the kernel driver policy, and it goes without trouble. Here is the output:

    -------------------------------------------------

    Verifying: D:\Projects\AvSolution\WinAPI\Release\scpi.exe
    Signature Index: 0 (Primary Signature)
    Hash of file (sha1): 7422D773851ECAA776C3133189A93BACE129C82A
    Signing Certificate Chain:
        Issued to: VeriSign Class 3 Public Primary Certification Authority - G5
        Issued by: VeriSign Class 3 Public Primary Certification Authority - G5
        Expires:   Thu Jul 17 00:59:59 2036
        SHA1 hash: 4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5
            Issued to: Symantec Class 3 SHA256 Code Signing CA
            Issued by: VeriSign Class 3 Public Primary Certification Authority - G5
            Expires:   Sun Dec 10 00:59:59 2023
            SHA1 hash: 007790F6561DAD89B0BCD85585762495E358F8A5
                Issued to: Shieldapps
                Issued by: Symantec Class 3 SHA256 Code Signing CA
                Expires:   Thu Sep 07 00:59:59 2017
                SHA1 hash: 3FE7C1C3ADCF58D5F4DEBC64EE500ED031D80E6D

    The signature is timestamped: Wed Feb 08 08:37:57 2017
    Timestamp Verified by:
        Issued to: Thawte Timestamping CA
        Issued by: Thawte Timestamping CA
        Expires:   Fri Jan 01 00:59:59 2021
        SHA1 hash: BE36A4562FB2EE05DBB3D32323ADF445084ED656
            Issued to: Symantec Time Stamping Services CA - G2
            Issued by: Thawte Timestamping CA
            Expires:   Thu Dec 31 00:59:59 2020
            SHA1 hash: 6C07453FFDDA08B83707C09B82FB3D15F35336B1
                Issued to: Symantec Time Stamping Services Signer - G4
                Issued by: Symantec Time Stamping Services CA - G2
                Expires:   Wed Dec 30 00:59:59 2020
                SHA1 hash: 65439929B67973EB192D6FF243E6767ADF0834E4

    Cross Certificate Chain:
        Issued to: Microsoft Code Verification Root
        Issued by: Microsoft Code Verification Root
        Expires:   Sat Nov 01 14:54:03 2025
        SHA1 hash: 8FBE4D070EF8AB1BCCAF2A9D5CCAE7282A2C66B3
            Issued to: VeriSign Class 3 Public Primary Certification Authority - G5
            Issued by: Microsoft Code Verification Root
            Expires:   Mon Feb 22 20:35:17 2021
            SHA1 hash: 57534CCC33914C41F70E2CBB2103A1DB18817D8B
                Issued to: Symantec Class 3 SHA256 Code Signing CA
                Issued by: VeriSign Class 3 Public Primary Certification Authority - G5
                Expires:   Sun Dec 10 00:59:59 2023
                SHA1 hash: 007790F6561DAD89B0BCD85585762495E358F8A5
                    Issued to: Shieldapps
                    Issued by: Symantec Class 3 SHA256 Code Signing CA
                    Expires:   Thu Sep 07 00:59:59 2017
                    SHA1 hash: 3FE7C1C3ADCF58D5F4DEBC64EE500ED031D80E6D

    File has page hashes.
    Successfully verified: D:\Projects\AvSolution\WinAPI\Release\scpi.exe
    Number of files successfully Verified: 1
    Number of warnings: 0
    Number of errors: 0

    -----------------------------------------------

    I have used the WinDDK 7 version of signtool to sign with the primary certificate, but with any other version it goes fine too and still doesn't work on Win7. As you can see from the output, page hashes are generated.

    Nothing I can find on the net or in the many forums solves the issue. It might be that the cause is something small and trivial, maybe some missing switch or whatever, but I am unable to hunt it down.

    I will appreciate any other hint you might have. Thanks.

    Wednesday, February 8, 2017 8:00 AM
  • Hi lordstanius,

    I would like to apologize for the late reply.

    As you found, Windows 8, Windows 8.1 and Windows Server 2012 do not require this update because SHA-2 signing and verification functionality is already included in these operating systems. The update adds SHA-2 signing and verification functionality for Windows 7 and Windows Server 2008 R2.

    Glad to hear that you have found a solution, and thank you for sharing it here; it will be helpful to other community members who have the same question.


    Thursday, February 16, 2017 1:50 AM