Security warning

[crus]

I've got a new SP2 image, everything is working but during start-up appear
some
-Security Warning Dialog boxes - saying that:
"The publisher could not be verified. ......"
Then I press the run button for all messages and than I have the full system
OK.
This should means that files are not digitally signed.
After that I can install applications, even old ones, but this warning
doesn't appears any more, until next startup.
Files that are indicated as digitally unsigned get executed at start up and
are listed in the registry key
HKLM\Microsoft\Windows\CurrentVersion\Run
they are tray applications loaded by driver components as
hwincal.exe, (touch) igfxtray.exe,( intel video driver) hkcmd.exe,
igfxpers.exe

To check this behavior I started the GroupPolicy Editor ( gpedit.msc) where
I find everything undefined, and set the Attachment Manager "inclusion list
for low files types" to disable warning for ALL .exe files. With this
setting the warning box is not shown, but this is not the way to understand
what is wrong.

I looked in FBA log and found RegSetKeySecurity Failed Error: 0x6
that seems someway related.
I hope that someone can give help to understand what's happening.
Raffaele

 

[KM]

Raffaele,

I'd say that you fixed that the right way on an embedded system where you control what Exe's are to be launched.
You could also fix it by modifying the following reg.entries directly:
[HKCU\Software\Policies\Microsoft\Internet Explorer\Download],"RunInvalidSignatures"
[HKCU\Software\Policies\Microsoft\Internet Explorer\Download],"CheckExeSignatures"

If you want to know why you're seeing the warning you probably want first to debug what file [exe] is the "wrong" one. (just remove
all the agent apps from the Run key and launch them at run time manually to see which one shows the warning)

 

[crus]

Hi Konstantin
thank you for your reply, I don't find reg entries in your message even in
XP Pro.
I find this path
HKCU\Software\Microsoft\InternetExplorer\Download\, "checkExeSignatures" set
to YES, I changed to NO, and I added a key "RunInvalidSignatures" set to
yes.
The Security Warning still appears.
I'm starting a new project, so I'll do a new image from scratch using same
drivers. If this warning is still there I'll open a new question.
Thanks Raffaele

Raffaele,

I'd say that you fixed that the right way on an embedded system where you
control what Exe's are to be launched.
You could also fix it by modifying the following reg.entries directly:
[HKCU\Software\Policies\Microsoft\Internet
Explorer\Download],"RunInvalidSignatures"
[HKCU\Software\Policies\Microsoft\Internet
Explorer\Download],"CheckExeSignatures"

If you want to know why you're seeing the warning you probably want first
to debug what file [exe] is the "wrong" one. (just remove all the agent
apps from the Run key and launch them at run time manually to see which
one shows the warning)


--
=========
Regards,
KM

I've got a new SP2 image, everything is working but during start-up
appear some
-Security Warning Dialog boxes - saying that:
"The publisher could not be verified. ......"
Then I press the run button for all messages and than I have the full
system OK.
This should means that files are not digitally signed.
After that I can install applications, even old ones, but this warning
doesn't appears any more, until next startup.
Files that are indicated as digitally unsigned get executed at start up
and are listed in the registry key
HKLM\Microsoft\Windows\CurrentVersion\Run
they are tray applications loaded by driver components as
hwincal.exe, (touch) igfxtray.exe,( intel video driver) hkcmd.exe,
igfxpers.exe

To check this behavior I started the GroupPolicy Editor ( gpedit.msc)
where I find everything undefined, and set the Attachment Manager
"inclusion list for low files types" to disable warning for ALL .exe
files. With this setting the warning box is not shown, but this is not
the way to understand what is wrong.

I looked in FBA log and found RegSetKeySecurity Failed Error: 0x6
that seems someway related.
I hope that someone can give help to understand what's happening.
Raffaele

 

[crus]

I find also that all .EXE that gives security warning when run show a
security message in their Property :
"this file comes from an other computer and might be blocket to protect this
computer"
a button "unblock" is on side to make disappear this message and to allows
free use of the file.
As I said in my first message all files that behaves this way are installed
by components some already available and some ( as igfxcfg.exe ) that I made
from Intel device drivers with CD.

Raffaele,

I'd say that you fixed that the right way on an embedded system where you
control what Exe's are to be launched.
You could also fix it by modifying the following reg.entries directly:
[HKCU\Software\Policies\Microsoft\Internet
Explorer\Download],"RunInvalidSignatures"
[HKCU\Software\Policies\Microsoft\Internet
Explorer\Download],"CheckExeSignatures"

If you want to know why you're seeing the warning you probably want first
to debug what file [exe] is the "wrong" one. (just remove all the agent
apps from the Run key and launch them at run time manually to see which
one shows the warning)


--
=========
Regards,
KM

I've got a new SP2 image, everything is working but during start-up
appear some
-Security Warning Dialog boxes - saying that:
"The publisher could not be verified. ......"
Then I press the run button for all messages and than I have the full
system OK.
This should means that files are not digitally signed.
After that I can install applications, even old ones, but this warning
doesn't appears any more, until next startup.
Files that are indicated as digitally unsigned get executed at start up
and are listed in the registry key
HKLM\Microsoft\Windows\CurrentVersion\Run
they are tray applications loaded by driver components as
hwincal.exe, (touch) igfxtray.exe,( intel video driver) hkcmd.exe,
igfxpers.exe

To check this behavior I started the GroupPolicy Editor ( gpedit.msc)
where I find everything undefined, and set the Attachment Manager
"inclusion list for low files types" to disable warning for ALL .exe
files. With this setting the warning box is not shown, but this is not
the way to understand what is wrong.

I looked in FBA log and found RegSetKeySecurity Failed Error: 0x6
that seems someway related.
I hope that someone can give help to understand what's happening.
Raffaele

 

[KM]

Raffaele,

Well, that depends on how and from where you downloaded those files.
When you downloaded a file from the Web on SP2 machine, Windows automatically marks the file attachment with its zone information
(such as Restricted, local, internet..). Based on file's zone information Windows assigns a proper risk level (High, Moderate, or
Low).

To prevent Windows from checking Zone Information in files when user tries to open them in Windows Explorer you can set up the
following key:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Associations]
"LowRiskFileTypes"=".exe;.bat;.com;.cmd;.reg;.msi;.htm;.html;.gif;.bmp;.jpg;.avi;.mpg;.mpeg;.mov;.mp3;.m3u;.wav;" (or
whatever types you want to see here)

On the machine where you are trying to download the files to prevent Windows from preserving Zone Information in file attachments
you may want to set the following key:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments]
"SaveZoneInformation"=dword:1

But I'd go and try the first key on your XPe image to not even worry about the file signatures for the defined types.

--
=========
Regards,
KM

I find also that all .EXE that gives security warning when run show a
security message in their Property :
"this file comes from an other computer and might be blocket to protect this
computer"
a button "unblock" is on side to make disappear this message and to allows
free use of the file.
As I said in my first message all files that behaves this way are installed
by components some already available and some ( as igfxcfg.exe ) that I made from Intel device drivers with CD.

Raffaele,

I'd say that you fixed that the right way on an embedded system where you
control what Exe's are to be launched.
You could also fix it by modifying the following reg.entries directly:
[HKCU\Software\Policies\Microsoft\Internet
Explorer\Download],"RunInvalidSignatures"
[HKCU\Software\Policies\Microsoft\Internet
Explorer\Download],"CheckExeSignatures"

If you want to know why you're seeing the warning you probably want first
to debug what file [exe] is the "wrong" one. (just remove all the agent
apps from the Run key and launch them at run time manually to see which
one shows the warning)


--
=========
Regards,
KM

I've got a new SP2 image, everything is working but during start-up
appear some
-Security Warning Dialog boxes - saying that:
"The publisher could not be verified. ......"
Then I press the run button for all messages and than I have the full
system OK.
This should means that files are not digitally signed.
After that I can install applications, even old ones, but this warning
doesn't appears any more, until next startup.
Files that are indicated as digitally unsigned get executed at start up
and are listed in the registry key
HKLM\Microsoft\Windows\CurrentVersion\Run
they are tray applications loaded by driver components as
hwincal.exe, (touch) igfxtray.exe,( intel video driver) hkcmd.exe,
igfxpers.exe

To check this behavior I started the GroupPolicy Editor ( gpedit.msc)
where I find everything undefined, and set the Attachment Manager
"inclusion list for low files types" to disable warning for ALL .exe
files. With this setting the warning box is not shown, but this is not
the way to understand what is wrong.

I looked in FBA log and found RegSetKeySecurity Failed Error: 0x6
that seems someway related.
I hope that someone can give help to understand what's happening.
Raffaele

 

[crus]

Yes Konstantin,
you are right it depends from the file download!
The solution I found is, according your suggest, to add the key Attachment
and a value to the DEVELOPMENT ( XP Pro SP2) registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments]
"SaveZoneInformation"=dword:1

The Attachments key wasn't defined .

If you have SP2 without this keys all downloaded files have a security
info that the file is from unreliable source, just look at files's
Properties of downloaded files to check.
But I had components made with files downloaded before fix!

This is my full story:
BEFORE
I downloaded some ZIP files for Intel video drivers and a ZIP file for
touch screen, with ready XPE component,
I expanded them, ( by compressed folders) made components from INF files,
imported components into
the database and respective repositories, made the XPE image and put it on
the target hardware.
During development I had no warning at all that downloaded ZIP files were
marked unsecure,
and also that ALL the expanded files were marked unsecure too!
So I filled my repositories this way with .INF .EXE .SYS ... all marked
unsecure and my images were maked too.
The first run of XPE showed the warning message.
NOW
I have washed my component's repository to have them warning free and made
the
XPE image again, no more warning messages!
The Reg fix for IE guarantees me only for future downloads, files that are
on dev. machine need cleaning.
It's strange that nobody found this before, since it depends from XPPro XP2,
not a new release!
Anyway thanks for the help to explore the problem, I hope that helps someone
to save the time I lost on it.
I plan to publish my video components in xpefiles, one reason more to be
sure of its quality.
regards
Raffaele

Raffaele,

Well, that depends on how and from where you downloaded those files.
When you downloaded a file from the Web on SP2 machine, Windows
automatically marks the file attachment with its zone information (such as
Restricted, local, internet..). Based on file's zone information Windows
assigns a proper risk level (High, Moderate, or Low).

To prevent Windows from checking Zone Information in files when user tries
to open them in Windows Explorer you can set up the following key:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Associations]

"LowRiskFileTypes"=".exe;.bat;.com;.cmd;.reg;.msi;.htm;.html;.gif;.bmp;.jpg;.avi;.mpg;.mpeg;.mov;.mp3;.m3u;.wav;"
(or whatever types you want to see here)

On the machine where you are trying to download the files to prevent
Windows from preserving Zone Information in file attachments you may want
to set the following key:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments]
"SaveZoneInformation"=dword:1

But I'd go and try the first key on your XPe image to not even worry about
the file signatures for the defined types.

--
=========
Regards,
KM

I find also that all .EXE that gives security warning when run show a
security message in their Property :
"this file comes from an other computer and might be blocket to protect
this
computer"
a button "unblock" is on side to make disappear this message and to
allows
free use of the file.
As I said in my first message all files that behaves this way are
installed
by components some already available and some ( as igfxcfg.exe ) that I
made from Intel device drivers with CD.

Raffaele,

I'd say that you fixed that the right way on an embedded system where
you
control what Exe's are to be launched.
You could also fix it by modifying the following reg.entries directly:
[HKCU\Software\Policies\Microsoft\Internet
Explorer\Download],"RunInvalidSignatures"
[HKCU\Software\Policies\Microsoft\Internet
Explorer\Download],"CheckExeSignatures"

If you want to know why you're seeing the warning you probably want
first
to debug what file [exe] is the "wrong" one. (just remove all the agent
apps from the Run key and launch them at run time manually to see which
one shows the warning)


--
=========
Regards,
KM


I've got a new SP2 image, everything is working but during start-up
appear some
-Security Warning Dialog boxes - saying that:
"The publisher could not be verified. ......"
Then I press the run button for all messages and than I have the full
system OK.
This should means that files are not digitally signed.
After that I can install applications, even old ones, but this warning
doesn't appears any more, until next startup.
Files that are indicated as digitally unsigned get executed at start up
and are listed in the registry key
HKLM\Microsoft\Windows\CurrentVersion\Run
they are tray applications loaded by driver components as
hwincal.exe, (touch) igfxtray.exe,( intel video driver) hkcmd.exe,
igfxpers.exe

To check this behavior I started the GroupPolicy Editor ( gpedit.msc)
where I find everything undefined, and set the Attachment Manager
"inclusion list for low files types" to disable warning for ALL .exe
files. With this setting the warning box is not shown, but this is not
the way to understand what is wrong.

I looked in FBA log and found RegSetKeySecurity Failed Error: 0x6
that seems someway related.
I hope that someone can give help to understand what's happening.
Raffaele

 

[KM]

It's strange that nobody found this before, since it depends from XPPro XP2,

not a new release!

Well, quite frankly I did run into this issue before but since I always turned off all the XP security shields on my XPe images it
never was a big problem for me here

--
=========
Regards,
KM

Yes Konstantin,
you are right it depends from the file download!
The solution I found is, according your suggest, to add the key Attachment and a value to the DEVELOPMENT ( XP Pro SP2) registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments]
"SaveZoneInformation"=dword:1

The Attachments key wasn't defined .

If you have SP2 without this keys all downloaded files have a security
info that the file is from unreliable source, just look at files's Properties of downloaded files to check.
But I had components made with files downloaded before fix!

This is my full story:
BEFORE
I downloaded some ZIP files for Intel video drivers and a ZIP file for
touch screen, with ready XPE component,
I expanded them, ( by compressed folders) made components from INF files, imported components into
the database and respective repositories, made the XPE image and put it on
the target hardware.
During development I had no warning at all that downloaded ZIP files were marked unsecure,
and also that ALL the expanded files were marked unsecure too!
So I filled my repositories this way with .INF .EXE .SYS ... all marked
unsecure and my images were maked too.
The first run of XPE showed the warning message.
NOW
I have washed my component's repository to have them warning free and made the
XPE image again, no more warning messages!
The Reg fix for IE guarantees me only for future downloads, files that are on dev. machine need cleaning.
It's strange that nobody found this before, since it depends from XPPro XP2,
not a new release!
Anyway thanks for the help to explore the problem, I hope that helps someone to save the time I lost on it.
I plan to publish my video components in xpefiles, one reason more to be sure of its quality.
regards
Raffaele

Raffaele,

Well, that depends on how and from where you downloaded those files.
When you downloaded a file from the Web on SP2 machine, Windows automatically marks the file attachment with its zone information
(such as Restricted, local, internet..). Based on file's zone information Windows assigns a proper risk level (High, Moderate, or
Low).

To prevent Windows from checking Zone Information in files when user tries to open them in Windows Explorer you can set up the
following key:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Associations]

"LowRiskFileTypes"=".exe;.bat;.com;.cmd;.reg;.msi;.htm;.html;.gif;.bmp;.jpg;.avi;.mpg;.mpeg;.mov;.mp3;.m3u;.wav;" (or whatever
types you want to see here)

On the machine where you are trying to download the files to prevent Windows from preserving Zone Information in file attachments
you may want to set the following key:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments]
"SaveZoneInformation"=dword:1

But I'd go and try the first key on your XPe image to not even worry about the file signatures for the defined types.

--
=========
Regards,
KM

I find also that all .EXE that gives security warning when run show a
security message in their Property :
"this file comes from an other computer and might be blocket to protect this
computer"
a button "unblock" is on side to make disappear this message and to allows
free use of the file.
As I said in my first message all files that behaves this way are installed
by components some already available and some ( as igfxcfg.exe ) that I made from Intel device drivers with CD.


"KM" <konstmor@nospam_yahoo.com> ha scritto nel messaggio
Raffaele,

I'd say that you fixed that the right way on an embedded system where you
control what Exe's are to be launched.
You could also fix it by modifying the following reg.entries directly:
[HKCU\Software\Policies\Microsoft\Internet
Explorer\Download],"RunInvalidSignatures"
[HKCU\Software\Policies\Microsoft\Internet
Explorer\Download],"CheckExeSignatures"

If you want to know why you're seeing the warning you probably want first
to debug what file [exe] is the "wrong" one. (just remove all the agent
apps from the Run key and launch them at run time manually to see which
one shows the warning)


--
=========
Regards,
KM


I've got a new SP2 image, everything is working but during start-up
appear some
-Security Warning Dialog boxes - saying that:
"The publisher could not be verified. ......"
Then I press the run button for all messages and than I have the full
system OK.
This should means that files are not digitally signed.
After that I can install applications, even old ones, but this warning
doesn't appears any more, until next startup.
Files that are indicated as digitally unsigned get executed at start up
and are listed in the registry key
HKLM\Microsoft\Windows\CurrentVersion\Run
they are tray applications loaded by driver components as
hwincal.exe, (touch) igfxtray.exe,( intel video driver) hkcmd.exe,
igfxpers.exe

To check this behavior I started the GroupPolicy Editor ( gpedit.msc)
where I find everything undefined, and set the Attachment Manager
"inclusion list for low files types" to disable warning for ALL .exe
files. With this setting the warning box is not shown, but this is not
the way to understand what is wrong.

I looked in FBA log and found RegSetKeySecurity Failed Error: 0x6
that seems someway related.
I hope that someone can give help to understand what's happening.
Raffaele