J
JP Styskal
Guest
Trying to connect host system to target system over USB 3.0 cable for WinDbg debugging.
Followed all the steps at the "setting-up-a-usb-3-0-debug-cable-connection" article.
Using WinDbg Preview, which installs the 10.0.19528.1000 version of usb2dbg (per .inf file). The problem has also occurred with the 10.0.17763.132 version.
Unable to connect. (The cable works in colleague's environment.)
Device Manager is showing the USB Debug Connection Device yellow-banged with the following message:
“Windows cannot verify the digital signature for the drivers required for this device. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source. (Code 52)”
Manually/visually the certificate chain appears to be fine ("The certificate is OK" for each cert.)
Data point: I disabled driver signature enforcement (enabled testsigning) and it still failed.
I watched setupapi.dev.log on the most recent cycle, with these results:
Uninstalled WinDbg Preview à usb2dbg ‘19528 is removed from DriverStore).
Re-installed WinDbg Preview
Ran WinDbg and attempted to attach via USB ("Waiting to connect…")
NOTE: I had previously checked the box to trust drivers from “Microsoft Corporation” when prompted, so this time there was no prompt.
à usb2dbg ‘19528 is added to DriverStore at
C:\WINDOWS\System32\DriverStore\FileRepository\usb2dbg.inf_amd64_f3f7cebc79d06753
This results in the following lines in setupapi.dev.log:
. . .
sig: {_VERIFY_FILE_SIGNATURE} 10:49:22.696
sig: Key = usb2dbg.inf
sig: FilePath = C:\WINDOWS\System32\DriverStore\Temp\{5902830c-116d-5f4d-ac90-e5f55db1266e}\usb2dbg.inf
sig: Catalog = C:\WINDOWS\System32\DriverStore\Temp\{5902830c-116d-5f4d-ac90-e5f55db1266e}\usb2dbg.cat
! sig: Verifying file against specific (valid) catalog failed.
! sig: Error 0x800b0109: A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider.
Sig: {_VERIFY_FILE_SIGNATURE exit(0x800b0109)} 10:49:22.703
sig: {_VERIFY_FILE_SIGNATURE} 10:49:22.704
sig: Key = usb2dbg.inf
sig: FilePath = C:\WINDOWS\System32\DriverStore\Temp\{5902830c-116d-5f4d-ac90-e5f55db1266e}\usb2dbg.inf
sig: Catalog = C:\WINDOWS\System32\DriverStore\Temp\{5902830c-116d-5f4d-ac90-e5f55db1266e}\usb2dbg.cat
sig: Success: File is signed in Authenticode(tm) catalog.
Sig: Error 0xe0000241: The INF was signed with an Authenticode(tm) catalog from a trusted publisher.
Sig: {_VERIFY_FILE_SIGNATURE exit(0xe0000241)} 10:49:22.718
Then I connected host/target over USB3 cable and powered-on the target. Device arrival on host à
This resulted in the following lines in setupapi.dev.log:
. . .
!!! dvi: Device not started: Device has problem: 0x34 (CM_PROB_UNSIGNED_DRIVER), problem status: 0xc0000428.
dvi: {Configure Device - exit(0x00000000)} 10:58:28.615
dvi: Device Status: 0x01806400, Problem: 0x34
Trying to validate the cert chain of the signature:
C:\Windows\System32\DriverStore\FileRepository\usb2dbg.inf_amd64_f3f7cebc79d06753>signtool verify /v /kp /c usb2dbg.cat usb2dbg.sys
Verifying: usb2dbg.sys
File is signed in catalog: usb2dbg.cat
Hash of file (sha1): 067B6BFEE040F38AC2181B37D1DAEB07F0F6A4DA
Signing Certificate Chain:
Issued to: Microsoft Root Certificate Authority 2011
Issued by: Microsoft Root Certificate Authority 2011
Expires: Sat Mar 22 16:13:04 2036
SHA1 hash: 8F43288AD272F3103B6FB1428485EA3014C0BCFE
Issued to: Microsoft Code Signing PCA 2011
Issued by: Microsoft Root Certificate Authority 2011
Expires: Wed Jul 08 15:09:09 2026
SHA1 hash: F252E794FE438E35ACE6E53762C0A234A2C52135
Issued to: Microsoft Corporation
Issued by: Microsoft Code Signing PCA 2011
Expires: Sat May 02 15:37:46 2020
SHA1 hash: 711AF71DC4C4952C8ED65BB4BA06826ED3922A32
The signature is timestamped: Thu Jan 02 16:14:20 2020
Timestamp Verified by:
Issued to: Microsoft Root Certificate Authority 2010
Issued by: Microsoft Root Certificate Authority 2010
Expires: Sat Jun 23 16:04:01 2035
SHA1 hash: 3B1EFD3A66EA28B16697394703A72CA340A05BD5
Issued to: Microsoft Time-Stamp PCA 2010
Issued by: Microsoft Root Certificate Authority 2010
Expires: Tue Jul 01 15:46:55 2025
SHA1 hash: 2AA752FE64C49ABE82913C463529CF10FF2F04EE
Issued to: Microsoft Time-Stamp Service
Issued by: Microsoft Time-Stamp PCA 2010
Expires: Fri Dec 04 14:41:09 2020
SHA1 hash: 38071FF037D5DC5476017EDB8D63BCB31EA18CC5
SignTool Error: A certificate chain processed, but terminated in a root
certificate which is not trusted by the trust provider.
SignTool Error: File not valid: usb2dbg.sys
Number of files successfully Verified: 0
Number of warnings: 0
Number of errors: 1
So at least it’s consistent with Device Manager (and setupapi.dev.log) now. However, I can’t find any evidence that the certificates are bad. The root certs in the two chains above are both present without error (“The certificate is OK”) in the Trusted Root Certification Authorities store. For the intermediate certs, only the one from the signing cert chain ("Microsoft Code Signing PCA 2011") appears in Intermediate Certification Authorities. The other one, from the time-stamp chain ("Microsoft Time-Stamp PCA 2010") is nowhere to be found in certlm.msc, certmgr.msc, or in the output of the powershell command: Get-ChildItem -Recurse Cert:\
However, I see this same intermediate cert in the apparently-OK chains of other MS drivers (acpi.sys, disk.sys, …).
I have gone through the process with three other generic machines (not a development system) as host, just installing WinDbg Preview, and the problem occurs there as well. In all, I have tried two 1809 Win10 x64 machines and two 1909 Win10 x64 machines.
Any ideas?
It's a lot of details -- please let me know if you need even more!
Thank you very much.
Continue reading...
Followed all the steps at the "setting-up-a-usb-3-0-debug-cable-connection" article.
Using WinDbg Preview, which installs the 10.0.19528.1000 version of usb2dbg (per .inf file). The problem has also occurred with the 10.0.17763.132 version.
Unable to connect. (The cable works in colleague's environment.)
Device Manager is showing the USB Debug Connection Device yellow-banged with the following message:
“Windows cannot verify the digital signature for the drivers required for this device. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source. (Code 52)”
Manually/visually the certificate chain appears to be fine ("The certificate is OK" for each cert.)
Data point: I disabled driver signature enforcement (enabled testsigning) and it still failed.
I watched setupapi.dev.log on the most recent cycle, with these results:
Uninstalled WinDbg Preview à usb2dbg ‘19528 is removed from DriverStore).
Re-installed WinDbg Preview
Ran WinDbg and attempted to attach via USB ("Waiting to connect…")
NOTE: I had previously checked the box to trust drivers from “Microsoft Corporation” when prompted, so this time there was no prompt.
à usb2dbg ‘19528 is added to DriverStore at
C:\WINDOWS\System32\DriverStore\FileRepository\usb2dbg.inf_amd64_f3f7cebc79d06753
This results in the following lines in setupapi.dev.log:
. . .
sig: {_VERIFY_FILE_SIGNATURE} 10:49:22.696
sig: Key = usb2dbg.inf
sig: FilePath = C:\WINDOWS\System32\DriverStore\Temp\{5902830c-116d-5f4d-ac90-e5f55db1266e}\usb2dbg.inf
sig: Catalog = C:\WINDOWS\System32\DriverStore\Temp\{5902830c-116d-5f4d-ac90-e5f55db1266e}\usb2dbg.cat
! sig: Verifying file against specific (valid) catalog failed.
! sig: Error 0x800b0109: A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider.
Sig: {_VERIFY_FILE_SIGNATURE exit(0x800b0109)} 10:49:22.703
sig: {_VERIFY_FILE_SIGNATURE} 10:49:22.704
sig: Key = usb2dbg.inf
sig: FilePath = C:\WINDOWS\System32\DriverStore\Temp\{5902830c-116d-5f4d-ac90-e5f55db1266e}\usb2dbg.inf
sig: Catalog = C:\WINDOWS\System32\DriverStore\Temp\{5902830c-116d-5f4d-ac90-e5f55db1266e}\usb2dbg.cat
sig: Success: File is signed in Authenticode(tm) catalog.
Sig: Error 0xe0000241: The INF was signed with an Authenticode(tm) catalog from a trusted publisher.
Sig: {_VERIFY_FILE_SIGNATURE exit(0xe0000241)} 10:49:22.718
Then I connected host/target over USB3 cable and powered-on the target. Device arrival on host à
This resulted in the following lines in setupapi.dev.log:
. . .
!!! dvi: Device not started: Device has problem: 0x34 (CM_PROB_UNSIGNED_DRIVER), problem status: 0xc0000428.
dvi: {Configure Device - exit(0x00000000)} 10:58:28.615
dvi: Device Status: 0x01806400, Problem: 0x34
Trying to validate the cert chain of the signature:
C:\Windows\System32\DriverStore\FileRepository\usb2dbg.inf_amd64_f3f7cebc79d06753>signtool verify /v /kp /c usb2dbg.cat usb2dbg.sys
Verifying: usb2dbg.sys
File is signed in catalog: usb2dbg.cat
Hash of file (sha1): 067B6BFEE040F38AC2181B37D1DAEB07F0F6A4DA
Signing Certificate Chain:
Issued to: Microsoft Root Certificate Authority 2011
Issued by: Microsoft Root Certificate Authority 2011
Expires: Sat Mar 22 16:13:04 2036
SHA1 hash: 8F43288AD272F3103B6FB1428485EA3014C0BCFE
Issued to: Microsoft Code Signing PCA 2011
Issued by: Microsoft Root Certificate Authority 2011
Expires: Wed Jul 08 15:09:09 2026
SHA1 hash: F252E794FE438E35ACE6E53762C0A234A2C52135
Issued to: Microsoft Corporation
Issued by: Microsoft Code Signing PCA 2011
Expires: Sat May 02 15:37:46 2020
SHA1 hash: 711AF71DC4C4952C8ED65BB4BA06826ED3922A32
The signature is timestamped: Thu Jan 02 16:14:20 2020
Timestamp Verified by:
Issued to: Microsoft Root Certificate Authority 2010
Issued by: Microsoft Root Certificate Authority 2010
Expires: Sat Jun 23 16:04:01 2035
SHA1 hash: 3B1EFD3A66EA28B16697394703A72CA340A05BD5
Issued to: Microsoft Time-Stamp PCA 2010
Issued by: Microsoft Root Certificate Authority 2010
Expires: Tue Jul 01 15:46:55 2025
SHA1 hash: 2AA752FE64C49ABE82913C463529CF10FF2F04EE
Issued to: Microsoft Time-Stamp Service
Issued by: Microsoft Time-Stamp PCA 2010
Expires: Fri Dec 04 14:41:09 2020
SHA1 hash: 38071FF037D5DC5476017EDB8D63BCB31EA18CC5
SignTool Error: A certificate chain processed, but terminated in a root
certificate which is not trusted by the trust provider.
SignTool Error: File not valid: usb2dbg.sys
Number of files successfully Verified: 0
Number of warnings: 0
Number of errors: 1
So at least it’s consistent with Device Manager (and setupapi.dev.log) now. However, I can’t find any evidence that the certificates are bad. The root certs in the two chains above are both present without error (“The certificate is OK”) in the Trusted Root Certification Authorities store. For the intermediate certs, only the one from the signing cert chain ("Microsoft Code Signing PCA 2011") appears in Intermediate Certification Authorities. The other one, from the time-stamp chain ("Microsoft Time-Stamp PCA 2010") is nowhere to be found in certlm.msc, certmgr.msc, or in the output of the powershell command: Get-ChildItem -Recurse Cert:\
However, I see this same intermediate cert in the apparently-OK chains of other MS drivers (acpi.sys, disk.sys, …).
I have gone through the process with three other generic machines (not a development system) as host, just installing WinDbg Preview, and the problem occurs there as well. In all, I have tried two 1809 Win10 x64 machines and two 1909 Win10 x64 machines.
Any ideas?
It's a lot of details -- please let me know if you need even more!
Thank you very much.
Continue reading...