Cannot load driver in safe mode

leochou0729
Posts: 7
Joined: Tue Nov 02, 2021 2:46 pm

Cannot load driver in safe mode

Post by leochou0729 »

Hi,
I notice that I cannot load the madcodehook driver in safe mode, even though the proper registry keys are created under Minimal and Network.
Using sc command also doesn't help. I have one mini filter and one network filtering driver in my software, which both can be auto started successfully in safe mode. I have no idea what could be the reason. Maybe some registry values are missing?
These are the registry screenshots for all the three drivers.
The madcodehook driver seems to have very few info in the registry.
Please help!

Leo
Attachments: Snipaste_2023-08-10_20-29-10.png, Snipaste_2023-08-10_20-28-43.png, Snipaste_2023-08-10_20-28-29.png
iconic
Site Admin
Posts: 1068
Joined: Wed Jun 08, 2005 5:08 am

Re: Cannot load driver in safe mode

Post by iconic »

Hello,

Safe Mode's purpose is to load only required system drivers in hopes of keeping 3rd party drivers from loading unless you're a filter driver or other driver tied into the system at a lower layer. This increases the chances of the system properly booting in case of some other buggy driver that is preventing it from doing so. For standard plain vanilla drivers, like MCH's driver, ZwLoadDriver() will always return STATUS_NOT_SAFE_MODE_DRIVER. You can add your driver name (e.g: Driver64.sys) as a new registry key with the (default) value as "Driver" under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot. The driver should be placed in a system accessible area (System32\Drivers, System32, Windows etc.) and then should be loadable.

--Iconic
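The post above describes what Windows expects before it will load a third-party driver in Safe Mode: a service entry with an image path and type, the image in a system location, and an allow-list entry under SafeBoot. The following read-only PowerShell diagnostic is an added example, not code from this thread or from madCodeHook; it assumes you know the driver's service key name under HKLM\SYSTEM\CurrentControlSet\Services and prints the pieces a loader checks, so the thread's later questions (is the SafeBoot entry present, is the file where the registry says, what is the primary signature) can be answered from one elevated prompt.

```powershell
<#
  Added diagnostic script (not from the thread or from madCodeHook).
  Reports whether a kernel driver service is configured in a way Windows
  will accept in Safe Mode: the service entry, the SafeBoot\Minimal and
  SafeBoot\Network allow-list entries, the resolved image file, and the
  primary Authenticode signature. Read-only; run from an elevated prompt.
  Assumption: $ServiceName is the driver's service key name.
#>
param(
    [Parameter(Mandatory = $true)]
    [string]$ServiceName
)

$services = 'HKLM:\SYSTEM\CurrentControlSet\Services'
$safeBoot = 'HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot'

$svcKey = Join-Path $services $ServiceName
if (-not (Test-Path $svcKey)) {
    Write-Error "No service key found at $svcKey"
    exit 1
}
$svc = Get-ItemProperty -Path $svcKey

# Type: 1 = kernel driver, 2 = file system driver. Start: 0 boot, 1 system,
# 2 auto, 3 demand, 4 disabled. Only Type and ImagePath are strictly needed.
"Service  : $ServiceName"
"Type     : $($svc.Type)"
"Start    : $($svc.Start)"
"ImagePath: $($svc.ImagePath)"

# Resolve the image path the way the loader does: '\??\' is stripped, and
# '\SystemRoot\...' or a bare 'System32\...' is relative to %SystemRoot%.
$image = $svc.ImagePath -replace '^\\\?\?\\', ''
if ($image -match '^\\SystemRoot\\(.*)$') {
    $image = Join-Path $env:SystemRoot $Matches[1]
} elseif (-not [System.IO.Path]::IsPathRooted($image)) {
    $image = Join-Path $env:SystemRoot $image
}
"Resolved : $image  (exists: $(Test-Path $image))"
$imageFile = [System.IO.Path]::GetFileName($image)

# Safe Mode allow-list: a subkey named after the service (or after the
# driver file, e.g. Driver64.sys) whose (default) value is "Driver", under
# Minimal (plain Safe Mode) and Network (Safe Mode with Networking).
foreach ($profile in 'Minimal', 'Network') {
    $profileKey = Join-Path $safeBoot $profile
    $found = $false
    foreach ($name in @($ServiceName, $imageFile) | Select-Object -Unique) {
        $entry = Join-Path $profileKey $name
        if (Test-Path $entry) {
            $found = $true
            $default = (Get-ItemProperty -Path $entry).'(default)'
            $state = if ($default -eq 'Driver') { 'OK' } else { "unexpected value '$default'" }
            "SafeBoot\$profile : '$name' present, (default) = $state"
        }
    }
    if (-not $found) {
        "SafeBoot\$profile : MISSING -> loading in this profile returns STATUS_NOT_SAFE_MODE_DRIVER (0xC000035F)"
    }
}

# Primary Authenticode signature only; nested (dual SHA-1/SHA-256) signatures
# are not surfaced here. 'signtool verify /v /all <file>' lists all of them.
if (Test-Path $image) {
    $sig = Get-AuthenticodeSignature -FilePath $image
    "Signature: $($sig.Status)"
    if ($sig.SignerCertificate) {
        "Signer   : $($sig.SignerCertificate.Subject)"
        "Cert alg : $($sig.SignerCertificate.SignatureAlgorithm.FriendlyName)"
    }
}
```

Usage: `.\Check-SafeBootDriver.ps1 -ServiceName <driver service name>`. A MISSING line explains the 0xC000035F status directly; if both profiles report OK and the file exists, the remaining variable is signing policy, which is where the thread ends up.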
leochou0729
Posts: 7
Joined: Tue Nov 02, 2021 2:46 pm

Re: Cannot load driver in safe mode

Post by leochou0729 »

Hi Iconic,
I have already added the madcodehook driver's name under these two registry keys.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network
The sys file is also in the system32\drivers folder.
I don't know what's going wrong here. The other two drivers can be loaded in safe mode without any problem.
iconic
Site Admin
Posts: 1068
Joined: Wed Jun 08, 2005 5:08 am

Re: Cannot load driver in safe mode

Post by iconic »

Hello,

This is definitely a Windows Safe Mode issue with your driver. I know this because I booted up Windows 7 Pro x64 and was able to load MCH's driver without issue *only* after adding the entry to the SafeBoot Registry area. I could load and unload perfectly fine. If you try loading the MCH driver with NtLoadDriver() you can see the NTSTATUS code for the reason of failure; the tool I used is one I wrote many years ago, but it still works fine. Let me know if you'd like me to upload a useful Driver Loader/Unloader (pre-built and uses NtLoadDriver) - it worked for me on Win7 when I tested with MCH's driver. The return code is visible and will tell you why it failed.

--Iconic
leochou0729
Posts: 7
Joined: Tue Nov 02, 2021 2:46 pm

Re: Cannot load driver in safe mode

Post by leochou0729 »

Hello Iconic,
The NtLoadDriver also failed with this error.
0xC000035F
STATUS_NOT_SAFE_MODE_DRIVER

I also found this statement on msdn.
If the system is running in safe mode, and the driver fails to load because it is not on the safe mode list, ZwLoadDriver returns STATUS_SUCCESS.

So I think the failure is unrelated to the safeboot registry settings.
BTW, I'm using MCH 4.2.1.

Leo
Attachments: Snipaste_2023-08-11_08-32-03.png
iconic
Site Admin
Posts: 1068
Joined: Wed Jun 08, 2005 5:08 am

Re: Cannot load driver in safe mode

Post by iconic »

Hello,

If you look at my original post I mention the error code STATUS_NOT_SAFE_MODE_DRIVER specifically. But, NtLoadDriver() still works fine here on Windows 7 Pro x64 in Safe Mode/Safe Boot. If MCH's driver is loading fine for you in "normal" boot it must definitely be an issue with Safe Mode? I confirmed the MCH driver was actually loaded with Process Hacker. See the screenshot please. Do you happen to have the actual NTSTATUS code for failure of your driver? Hmmmm. The returned status code you shared is the same I originally posted so it seems that your SafeBoot entry might be incorrect? Can you snap a screenshot please of your registry entry in SafeBoot for MCH? You might also clear out any settings that are not needed such as start type, Windows only needs the "imagepath" and driver "type", which is not the same as start type. Unless there was a dramatic change in newer OSes affecting that registry area (known for allowing legacy drivers) I don't see why this would fail for you. You might also try Windows 7 if you have a virtual machine snapshot available.
If the system is running in safe mode, and the driver fails to load because it is not on the safe mode list, ZwLoadDriver returns STATUS_SUCCESS.
That should only be applicable to boot drivers that can not fail, otherwise the system would fail as the driver may have several dependencies. My test driver is actually loaded, it's not a fake return of STATUS_SUCCESS(0).


*See attachment image*

--Iconic
Attachments: SafeMode_Win7X64_MCH_Load.png
leochou0729
Posts: 7
Joined: Tue Nov 02, 2021 2:46 pm

Re: Cannot load driver in safe mode

Post by leochou0729 »

Hello,
I modified this code to load MCH driver and printed the error code.
https://github.com/GitMirar/DriverLoade ... Loader.cpp

I also tried Process Hacker, which produced a similar error.
Error 1084: This service cannot be started in Safe Mode.

Please take a look at all the screenshots. Thanks!

Leo
Attachments: Snipaste_2023-08-11_09-37-50.png, Snipaste_2023-08-11_09-36-58.png, Snipaste_2023-08-11_09-31-42.png
iconic
Site Admin
Posts: 1068
Joined: Wed Jun 08, 2005 5:08 am

Re: Cannot load driver in safe mode

Post by iconic »

Your entries in the Registry seem ok to me after looking at them. It may be worth deleting the "Start Type" still present in your entry. If this is a newer Windows "Safe Boot" issue then clearly other 3rd-party drivers are also affected. On Windows 7 all works fine which usually translates to higher security in newer OS versions, Microsoft doesn't even want people allowing a random driver from Safe Mode, otherwise it would ruin the meaning behind the name. Have you tried also loading a random driver that is 3rd-party? If they can load then there must be a better explanation as to why for you.

--Iconic
iconic
Site Admin
Posts: 1068
Joined: Wed Jun 08, 2005 5:08 am

Re: Cannot load driver in safe mode

Post by iconic »

Quick update, I've just run a couple of tests on Windows 10 Pro 22H2 x64 and a couple of standard drivers (not function or filter drivers, just basic) loaded fine for me in SafeMode even with SecureBoot enabled. I also checked if the driver was *truly* loaded and it was; the product worked as expected as well. Other drivers with the same company signature as well as Microsoft Hardware Compatibility Publisher failed for some odd reason. Both signatures (company and MS co-signature) are SHA-256. Now we know it *IS* possible with the information we have discussed even on newer OS versions such as Win10, but the question is why do some load while others fail? That unfortunately is only an answer Microsoft can give us unless another user knowledgeable in Safe Boot driver loading happens to see this thread. I know they have a tech site for Q&A online here https://learn.microsoft.com/en-us/answers/questions/

I've attached my screen shot of a standard driver loading just fine, strange!

--Iconic
Attachments: SafeBoot_Driver_Load.png
iconic
Site Admin
Posts: 1068
Joined: Wed Jun 08, 2005 5:08 am

Re: Cannot load driver in safe mode

Post by iconic »

I've tested the print monitor driver that comes with the demo and is pre-signed by Madshi in Safe Mode. I was only able to load the driver in Safe Mode after adding the proper entries to the SafeBoot key and disabling SecureBoot. When SecureBoot was enabled and test signing was off it failed unfortunately. His driver is dual-signed with SHA-1 and SHA-256. The only differences I've noticed from drivers that do load and are standard drivers are that they no longer have SHA-1 signatures, have an EV SHA-256 signature and are Microsoft co-signed (achieved through HLK testing and submission to Microsoft's dev portal or the attestation route, but the latter is limited, best to go the HLK route).

So, if your MCH driver is signed by an EV SHA-256 cert, co-signed by MS and does not have a SHA-1 signature attached you're more likely to be able to load it. These are just differences I have noticed from what works vs. what did not. Hope this helps :D

TL;DR

Try signing with an EV SHA-256 cert and also get Microsoft's co-signature on the driver. I'm not sure if SHA-1 would cause failure, but in my tests the files that loaded had no SHA-1 signatures, so I'm not sure if it would be denied; probably best to only stick to SHA-256 on Windows 8+ and follow the above differences I've observed for successful driver loading in Safe Mode.


--Iconic