jhalscott asked on

Replace unsigned system drivers Windows Server 2008 R2

I had a server that would not boot with the following error:

LogonUI.exe Bad Image. c:\windows\system32\rpcrtremote.dll (something about improper version of Windows etc. etc.) [basically a useless error since the file was fine]

The server would half boot, get stuck at this message and then not be able to use mouse or keyboard. It never finished the boot process.

After much troubleshooting and an obscure article, it appears that this is related to the behavior of Windows Server 2008 R2 unsigned driver loading policies.

I am now able to boot the server every single time if I use F8 and select the option to Disable Driver Signing Enforcement. It does not appear that there is a production worthy mechanism to disable this enforcement permanently, so the only option is to replace these system drivers.

I ran sigverif.exe and found that there are a total of 25 unsigned drivers. The problem is that these are all built-in Windows drivers, not hardware. They include files like http.sys, serial.sys, sermouse.sys etc.

Sfc /scannow reports protection violations which it can't fix, probably because of these files, but it never logs them as corrupt. Likewise it never replaces them or fixes their missing or invalid signatures.

What is the best way to replace these system drivers? I was thinking of booting to the repair options on the R2 disk and either using sfc or manually copying the files. Any thoughts?
Windows Server 2008

gtworek

You can boot from DaRT Emergency Repair Disc (separate product from Microsoft) and look for altered files and then repair them. If you have ERD the entire process takes a few clicks and some minutes of scanning.
jhalscott (ASKER)

I do have that from MDOP. I hadn't used it against a server before. Have you used this to repair Server 2008 R2 unsigned system drivers? Any further details on how this process should go?
gtworek

Get the newest version (7 is ok but still in beta - http://go.microsoft.com/fwlink/?LinkID=214047 ) and run SFC Scan. It will find all changed files and give you an option to restore them.
gheist

Running chkdsk /f sometimes cures the problem.
gtworek

gheist: you are 100% right. I assume it was the first step. If not - it's necessary.
jhalscott (ASKER)

I had done chkdsk /f before with no success.

Also, the SFC Scan comes back with no problems when run from a DaRT disk created using Windows Server 2008 R2 SP1 disk. Apparently it checks that the files are valid, but not the file signatures.

For giggles I used DaRT to copy a single one of the driver files, cdrom.sys from X:\ to C:\ after renaming the original file to cdron.sys.OLD. Upon reboot the file I copied in DaRT is there as is cdron.sys.OLD, but it still shows by sigverif.exe as unsigned.

Is there some file that contains the checksum that these signatures are valid? That is all I can think of now. I'm thinking it is going to be F8 boots for life for this thing.

I'm redownloading and reinstalling SP1 just in case something weird happened when that got installed a month or so ago.
jhalscott (ASKER)

Sorry for the above spelling.

I renamed the file cdrom.sys.OLD. Upon reboot, the file copied from DaRT was present as was the renamed file.
jhalscott (ASKER)

OK, with SP1, can't reinstall it, can't uninstall it. Looking pretty bleak for a resolution. This is some really bad news MSFT!

I just wish there was a way that the OS could repair damaged signatures on files.
jhalscott (ASKER)

OK, so more hunting has helped me figure out that the files themselves contain valid digital signatures (probably why SFC turned up negative) since copying new versions in does nothing to affect this. It appears that the signatures are being read from some combination of c:\windows\system32\catroot and catroot2. If I stop the cryptographic service and rename these folders, then start the cryptographic service, and rerun sigverif all Windows drivers show as unsigned.

I even tried copying over valid catroot and catroot2 folders from an identical Windows Server 2008 R2 server that passed sigverif with no unsigned drivers. However, there is still something that is missing since this makes sigverif run for a long time and returns all Windows drivers unsigned.

So the question now shifts to how do you repair the catroot and catroot2 folders since something in one or both of these is causing the validly signed files to not appear to be validly signed?
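The post above narrows the fault to the catalog store (catroot/catroot2) rather than to the driver files, which is exactly the distinction an administrator wants to see before touching anything. The script below is an added example, not code from the thread or from any participant in it: it inventories every kernel driver in System32\drivers, records whether each one verifies through an embedded Authenticode signature, through a catalog, or not at all, and reports the state of the catalog folders and the Cryptographic Services service. It assumes Windows PowerShell 5.1 or later (the SignatureType and IsOSBinary properties of Get-AuthenticodeSignature are not present in the PowerShell 2.0 that shipped with 2008 R2; on that version only Status is available) and an elevated prompt. The output path under $env:TEMP is an arbitrary choice for this example.

```powershell
# Added example (not from the thread): inventory kernel drivers and report how
# each one's signature is verified, so catalog-store damage (catroot/catroot2)
# can be told apart from genuinely unsigned or tampered files.
# Assumes Windows PowerShell 5.1+, where the Signature object exposes
# SignatureType (None / Authenticode / Catalog) and IsOSBinary. Run elevated.

$driverDir = Join-Path $env:SystemRoot 'System32\drivers'
$catroot   = Join-Path $env:SystemRoot 'System32\catroot'
$catroot2  = Join-Path $env:SystemRoot 'System32\catroot2'

# Health of the pieces the thread identified: the catalog folders and the
# Cryptographic Services service (CryptSvc) that answers catalog lookups.
$cryptSvc = Get-Service -Name CryptSvc
$catCount = (Get-ChildItem -Path $catroot -Recurse -Filter *.cat -ErrorAction SilentlyContinue).Count
"CryptSvc state    : $($cryptSvc.Status)"
"catroot catalogs  : $catCount"
"catroot2 present  : $(Test-Path $catroot2)"

# Verify every .sys file. Microsoft-shipped drivers normally verify with
# SignatureType 'Catalog' (the hash is in a .cat under catroot), not 'Authenticode'.
$results = Get-ChildItem -Path $driverDir -Filter *.sys -File |
    ForEach-Object {
        $sig = Get-AuthenticodeSignature -FilePath $_.FullName
        [pscustomobject]@{
            Driver        = $_.Name
            Status        = $sig.Status          # Valid, NotSigned, HashMismatch, ...
            SignatureType = $sig.SignatureType   # None, Authenticode or Catalog
            IsOSBinary    = $sig.IsOSBinary
            Signer        = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
        }
    }

# Summary by outcome: one line per (Status, SignatureType) combination.
$results | Group-Object Status, SignatureType |
    Select-Object Count, Name | Sort-Object Count -Descending | Format-Table -AutoSize

# Files that fail verification. Many Microsoft-shipped drivers all reporting
# NotSigned with SignatureType 'None' points at the catalog store rather than
# at the files (the symptom in this thread); a HashMismatch on one file points
# at that file alone.
$suspect = $results | Where-Object { $_.Status -ne 'Valid' }
"Drivers failing verification: $($suspect.Count)"
$suspect | Format-Table Driver, Status, SignatureType, IsOSBinary -AutoSize

# Export the inventory so it can be diffed against the same export taken on a
# known-good server (compare on Driver + Status, so patch levels need not match).
$results | Sort-Object Driver | Export-Csv -Path "$env:TEMP\driver-signatures.csv" -NoTypeInformation
```

Run it before and after any repair attempt (service pack reinstall, catalog restore) and compare the two CSV exports; if the failing set shrinks to zero while the catalog count rises, the catalog store was the component that was repaired.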
gtworek

It looks really strange to me. The files look to be OK, but your OS cannot compare their signatures with public keys. I can see you are reaching quite deep into your OS and the problem is not trivial. Maybe other experts will give you useful advice, but in my opinion it will be more like guessing. The issue is definitely not a common problem.
Did you ask Microsoft support about your case?
jhalscott (ASKER)

Haven't gotten Microsoft support in on this yet. Each time I think I find simple fixes only to then later discover it goes deeper. They are getting a call tomorrow if I can't resolve.
gheist

Did you chkdsk /f by now?
It is strange that system signature catalogues have disappeared.
jhalscott (ASKER)

Yes. Disks come back fine. Apparently it has something to do with catroot2 as noted above.
KPI1

I encountered the same problem on a Windows 7 Enterprise 32 bit system, additional symptoms being that when booting with digital signatures enforced, you also get a warning that Windows is not genuine. All problems disappear when you boot with F8 and select to not enforce the digital signature option. Since Win2008 and Win7 are the same platform, I believe whatever solution you eventually come up with will help me too. So I am very curious to see what MS support had to say, because I just got off the phone with them having spent from 11am to 3:30pm and again from 6pm to 9pm (7.5 hrs, yes!) without getting any closer to a resolution. So now MS recommends that I get out the Win 7 DVD and run an in-place upgrade.

I am going to hold off on that one more day, pending a possible solution that might present itself here on EE.

Just to reiterate, the problem is the same, I only have 12 unsigned drivers, all Windows/no foreign, get the same exact error message about c:\windows\system32\RpcRtRemote.dll and sometimes USERENV.dll (also see pics attached).

Point being if you never figure out the problem with Win2008 R2, you might extend your search to Win7 forums, just like I am extending to Win2008 forums. Good luck to us both!
[Two attached screenshots of the error messages]
ASKER CERTIFIED SOLUTION
jhalscott
jhalscott (ASKER)

Removal and reinstallation of Windows Server 2008 R2 service pack 1 resolved the unsigned drivers issue, even for pre-SP1 drivers.