1. Case Identification
1.1. Summary
During NEXThink Collector installation, I get an error message stating that NETSERVICE did not pass the Windows Logo testing certification.
1.2. More Information
When installing the Collector by double-clicking its MSI, the following warning is raised:
Note: a message announcing that the installation has been blocked may also appear.
1.3. Applies To
The case documented in the present article affects:
- NEXThink Collector 3.0.0 and higher;
- Windows 2000, XP, Vista.
2. Analysis and Resolution
2.1. Summary
This problem has been identified as a bug in the Windows signature verification process. It can be bypassed by modifying a registry key that does not affect the overall security of your system.
2.2. Analysis
This problem is very surprising because our driver should not be subject to the Windows signature verification feature: under Windows XP, only the signatures of PnP drivers (i.e. so-called device drivers) are checked. Signatures of non-PnP drivers are simply ignored.
2.2.1. Cause
This problem is caused by a Windows bug:
Under Windows 2000, it was possible to configure a machine to verify the signatures of non-PnP drivers through the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Non-Driver Signing\Policy registry entry. If the value of this entry is not 0, a signature verification is performed.
Since Windows 2003, this feature is no longer supported, and the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Non-Driver Signing\Policy registry entry can no longer be modified from the Windows graphical interface. Any value other than 0 is considered to have unpredictable results, but it still has consequences, as our test case shows.
This registry entry can be set to a value other than 0 by a GPO (inherited from a Windows 2000 GPO), for example.
2.2.2. Confirmation of the Case
This theory can be validated by installing any non-PnP unsigned driver on the machine where the problem occurs. For example, the installation of the KB892130 Windows patch (Windows Genuine Advantage) raises the same problem:
2.3. Resolution
The non-PnP driver signing policy can be deactivated by modifying the registry:
- Set the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Non-Driver Signing\Policy registry entry to 0.
- After rebooting, confirm that the change is still in place: Windows registry protection may have restored the initial value.
As this policy is no longer supported by Microsoft, this change has no implications for the overall security level of the target system.
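The check and reset described in this section, as an added PowerShell example (not Nexthink's own code). The key path and value name are the article's; the function names are hypothetical, PowerShell is assumed to be installed on the affected machine, and because the article does not state the registry type of the value, both binary and numeric data are handled.

```powershell
# Added example, not Nexthink code. Key path and value name are the article's;
# function names are hypothetical. The value's registry type is not stated in
# the article, so binary and numeric data are both handled (assumption).
$KeyPath   = 'HKLM:\SOFTWARE\Microsoft\Non-Driver Signing'
$ValueName = 'Policy'

function Get-NonDriverSigningPolicy {
    $state = @{ Present = $false; Kind = $null; Raw = $null; NonZero = $false }
    $key = Get-Item -Path $KeyPath -ErrorAction SilentlyContinue
    if ($null -ne $key) {
        $raw = $key.GetValue($ValueName, $null)
        if ($null -ne $raw) {
            $state.Present = $true
            $state.Kind    = $key.GetValueKind($ValueName)
            $state.Raw     = $raw
            if ($raw -is [byte[]]) {
                # Binary data counts as non-zero when any byte is non-zero.
                $state.NonZero = @($raw | Where-Object { $_ -ne 0 }).Count -gt 0
            } else {
                $state.NonZero = ("$raw" -ne '0')
            }
        }
    }
    New-Object PSObject -Property $state
}

function Reset-NonDriverSigningPolicy {
    # Writes 0 using the value's existing type; needs an elevated session.
    $state = Get-NonDriverSigningPolicy
    if (-not $state.NonZero) { return $state }   # absent or already 0
    if ($state.Raw -is [byte[]]) {
        $zero = New-Object byte[] ($state.Raw.Length)   # same length, all zero bytes
    } else {
        $zero = 0
    }
    Set-ItemProperty -Path $KeyPath -Name $ValueName -Value $zero -Type $state.Kind
    Get-NonDriverSigningPolicy
}

# Run once before the change and again after the reboot: a GPO or registry
# protection may have restored the previous value.
Get-NonDriverSigningPolicy | Format-List Present, Kind, Raw, NonZero
```

If `NonZero` is `True` again after the reboot, look for the GPO that sets the value before resetting it a second time.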
3. Supporting Material
3.1. Additional Documentation
External documentation:
[MSDN] Unsigned non-driver installation behavior (Windows 2000 policy): http://msdn.microsoft.com/en-us/library/ms814360.aspx
[MSDN] Release Signing Driver Packages: http://msdn.microsoft.com/en-us/library/aa906270.aspx
[Microsoft Knowledge Base] You cannot install some updates or programs: http://support.microsoft.com/kb/822798/
[Microsoft Knowledge Base] "Digital Signature Not Found" Error Message When You Install a Driver or Update: http://support.microsoft.com/kb/269651/
3.2. Contact Information
If you require further assistance regarding the present case or if you want to contribute to the accuracy of published information, please open a case using http://support.nexthink.com.
