RoddaSilva-3079 asked XiaopoYang-MSFT answered

How to force Windows to Authenticate a signed .EXE?


I have a question about Authenticode verification for signed user-mode code. Basically I want to Authenticode sign a VS C++ Console app, and then force Windows to authenticate it whenever it is loaded.

I have a trivial hello world Windows C++ user-mode console app (.EXE) that has been compiled for Release mode with the linker /integritycheck switch. This sets the IMAGE_DLLCHARACTERISTICS_FORCE_INTEGRITY flag in the PE header. It is my understanding that this is supposed to force the Windows loader to verify the .EXE before execution.

If I attempt to run the application from the command line I get The system cannot execute the specified program as expected - since (I presume) the loader is attempting to verify an .EXE that has not been Authenticode code signed.

So I then sign the code using signtool.exe with a valid CA-acquired code signing certificate (that I paid good money for) using a command line similar to:

signtool.exe sign /f "MyCodeSignCert.pfx" /p password /t /v /ph /fd sha256 helloworld.exe

I verify the code is properly signed with:

signtool.exe verify /pa helloworld.exe

and I am able to see the Digital Signatures tab of the signed helloworld.exe when I right click it in Windows Explorer and view the signature details and view the certificate.

However, any attempt to run the helloworld.exe from the command line continues to result in:

The system cannot execute the specified program.

If I double-click the .EXE from Windows Explorer I get a bit more information:

Windows cannot verify the digital signature for this file. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.

If I recompile and relink the .EXE without the /integritycheck linker switch, the .EXE loads and runs correctly as expected, regardless of whether it is signed or not.

FYI, I built (using Microsoft Visual Studio) and tested the .EXE on 2 separate machines - Windows 8.1 and Windows Server 2016. In both of these environments Windows Defender is not running. In case it mattered (I don't see why it should) I even installed the code signing certificate on both machines and tried rerunning the .EXE, with no difference in outcome.

Finally, I copied the helloworld.exe to a Windows 10 machine on which Windows Defender is running, and double-clicked it from Windows Explorer and received the following pop-up message:

Your organization used Windows Defender Application Control to block this App...Contact your support person for more info.

All I am trying to do is mark an .EXE in such a way as to force Windows to always verify its digital signature whenever it is loaded for execution. Any thoughts on what I might be doing wrong or how to achieve this?



1 Answer

XiaopoYang-MSFT answered

According to Signing /INTEGRITYCHECK files, perhaps it is kernel-mode relevant. And the question provides a compromise solution.


Thanks very much!
