WinVerifyTrust returned ERROR_NOT_ENOUGH_MEMORY under impersonate account S-1-5-82-*

Edward Jiang 1 Reputation point
2022-09-23T05:35:41.587+00:00

Hi Experts,

I am running WinVerifyTrust to verify the signatures of binaries, but it returned ERROR_NOT_ENOUGH_MEMORY under the impersonated account S-1-5-82-3006700770-424185619-1745488364-794895919-4004696415, while WinVerifyTrust returned success under a normal user. This issue occurs in an ASP.NET web service project that is managed by IIS. The C# code invokes a native DLL implemented in C++. The DLL creates a process. At the beginning of the new process, it verifies the binaries' signatures via WinVerifyTrust. The usage of WinVerifyTrust is attached below. Can you give some advice for solving this issue?

```cpp
#include <windows.h>
#include <softpub.h>
#include <wintrust.h>
#include <string>

#pragma comment(lib, "wintrust")

// The post shows only the function body; the name and signature here are assumed.
bool VerifyEmbeddedSignature(const std::wstring& filename)
{
    LONG lStatus = ERROR_SUCCESS;
    wchar_t errorMsg[1000];
    ZeroMemory(errorMsg, sizeof(WCHAR) * 1000);

    const LPCWSTR wfilename = filename.c_str();

    // Initialize the WINTRUST_FILE_INFO structure.
    WINTRUST_FILE_INFO fileData;
    ZeroMemory(&fileData, sizeof fileData);
    fileData.cbStruct = sizeof(WINTRUST_FILE_INFO);
    fileData.pcwszFilePath = wfilename;
    fileData.hFile = NULL;
    fileData.pgKnownSubject = NULL;

    /*
    WVTPolicyGUID specifies the policy to apply on the file
    WINTRUST_ACTION_GENERIC_VERIFY_V2 policy checks:
    1) The certificate used to sign the file chains up to a root
    certificate located in the trusted root certificate store. This
    implies that the identity of the publisher has been verified by
    a certification authority.
    2) In cases where user interface is displayed (which this example
    does not do), WinVerifyTrust will check for whether the
    end entity certificate is stored in the trusted publisher store,
    implying that the user trusts content from this publisher.
    3) The end entity certificate has sufficient permission to sign
    code, as indicated by the presence of a code signing EKU or no
    EKU.
    */

    GUID wvtPolicyGUID = WINTRUST_ACTION_GENERIC_VERIFY_V2;
    WINTRUST_DATA winTrustData;

    // Initialize the WinVerifyTrust input data structure.

    // Default all fields to 0.
    ZeroMemory(&winTrustData, sizeof(winTrustData));

    winTrustData.cbStruct = sizeof(winTrustData);

    // Use default code signing EKU.
    winTrustData.pPolicyCallbackData = NULL;

    // No data to pass to SIP.
    winTrustData.pSIPClientData = NULL;

    // Disable WVT UI.
    winTrustData.dwUIChoice = WTD_UI_NONE;

    // No revocation checking.
    winTrustData.fdwRevocationChecks = WTD_REVOKE_NONE;

    // Verify an embedded signature on a file.
    winTrustData.dwUnionChoice = WTD_CHOICE_FILE;

    // Verify action.
    winTrustData.dwStateAction = WTD_STATEACTION_VERIFY;

    // Verification sets this value.
    winTrustData.hWVTStateData = NULL;

    // Not used.
    winTrustData.pwszURLReference = NULL;

    // This is not applicable if there is no UI because it changes
    // the UI to accommodate running applications instead of
    // installing applications.
    winTrustData.dwUIContext = 0;

    // Set pFile.
    winTrustData.pFile = &fileData;

    // WinVerifyTrust verifies signatures as specified by the GUID
    // and Wintrust_Data.
    lStatus = WinVerifyTrust(NULL, &wvtPolicyGUID, &winTrustData);

    // Any hWVTStateData must be released by a call with close.
    winTrustData.dwStateAction = WTD_STATEACTION_CLOSE;
    WinVerifyTrust(NULL, &wvtPolicyGUID, &winTrustData);

    return lStatus == ERROR_SUCCESS;
}
```
Internet Information Services
Windows API - Win32

1 answer

  1. Xiaopo Yang - MSFT 11,336 Reputation points Microsoft Vendor
    2022-09-23T08:43:25.037+00:00

    There is a limitation in your IIS setting which causes the process to be unable to get enough memory resources. For example: Adjust memory quotas for a process
    [Image: 244098-image.png] The picture is from the Internet.

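One way to check the user right the answer mentions, as an added example (not code from the question or the answer): the script parses a `secedit /export` policy file and reports whether the app pool SID from the question is directly assigned `SeIncreaseQuotaPrivilege`, the constant for "Adjust memory quotas for a process". The function name `Get-RightHolders`, the script parameters and the embedded sample export are assumptions constructed for illustration.

```powershell
param(
    [string]$Sid   = 'S-1-5-82-3006700770-424185619-1745488364-794895919-4004696415',
    [string]$Right = 'SeIncreaseQuotaPrivilege',   # "Adjust memory quotas for a process"
    [string]$ExportPath                             # optional: path to a real secedit export
)

# Constructed sample of a secedit export (not taken from a real host).
$SampleExport = @'
[Unicode]
Unicode=yes
[Privilege Rights]
SeIncreaseQuotaPrivilege = *S-1-5-19,*S-1-5-20,*S-1-5-32-544
SeAssignPrimaryTokenPrivilege = *S-1-5-19,*S-1-5-20
[Version]
signature="$CHICAGO$"
'@

# Hypothetical helper: returns the accounts listed for one right in [Privilege Rights].
function Get-RightHolders {
    param([string[]]$Lines, [string]$Right)
    $inSection = $false
    foreach ($line in $Lines) {
        $t = $line.Trim()
        if ($t -match '^\[(.+)\]$') {
            $inSection = ($Matches[1] -eq 'Privilege Rights')
            continue
        }
        if ($inSection -and $t -match '^(\w+)\s*=\s*(.*)$' -and $Matches[1] -eq $Right) {
            # Entries are comma separated; SIDs carry a leading '*'.
            return @($Matches[2].Split(',') | ForEach-Object { $_.Trim().TrimStart('*') } | Where-Object { $_ })
        }
    }
    return @()   # right absent from the export: assigned to nobody
}

if ($ExportPath) {
    # Create the file on the server from an elevated prompt:
    #   secedit /export /areas USER_RIGHTS /cfg C:\Temp\rights.inf
    $lines = Get-Content -LiteralPath $ExportPath
} else {
    $lines = $SampleExport -split "`r?`n"
}
$holders = @(Get-RightHolders -Lines $lines -Right $Right)
"{0} is assigned to: {1}" -f $Right, ($holders -join ', ')
if ($holders -contains $Sid) {
    "$Sid holds $Right directly."
} else {
    "$Sid is not listed directly; it may still receive $Right through a group SID above."
}
```

The check covers direct assignment only; running `whoami /priv` inside the worker process shows the privileges the token actually carries, including those granted through groups.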