Jaa


Getting your unprivileged drivers and services to work

Currently, you need a privileged cerificate to get your driver or service to load at boot-time, even on Pocket PC 2005 or on a one-tier Smartphone.

The reason for this inconsistency is that at early boot time, the device hasn't yet finished processing the configuration information. The security policies might still be queued to change, so the device must assume it is in the most secure configuration. So we assume we're in two-tier mode, meaning your driver will load as unprivileged if it's unsigned or signed with an unprivileged cert. Since device.exe and services.exe are privileged, they won't be able to load your binary.

But there is a workaround!

If you can delay the loading of your driver or service until the device has booted, then the security model will be totally initialized. This means your code will run as trusted, so it will load fine. One way to do that would be to put a program in the startup folder that loads your service/driver.

This workaround is only applicable on devices where your code will be able to run fully trusted. (typical Pocket PC devices, or Smartphones configured as one-tier) To distribute a driver or service for a typical two-tier Smartphone, you will still need a real privileged development certificate.

Comments

  • Anonymous
    November 08, 2005
    So by using the priviledged test certificate included with the CE5 SDK, our application can be configured to replace the WM shell?

  • Anonymous
    November 16, 2005
    What is the method of loading for the workaround (loadlibrary or RegisterDevice)?

    I have an i-mate jasjar (ppc?) which exhibits two-tier behavior but I think it's a PPC so it should be a one-tier.

    A couple of other devices I have exhibit no-tier behavior because my unsigned device driver is loaded at boot time. One of these, I can call RegisterDevice without rebooting the device.

    Do you have an example of the workaround?

  • Anonymous
    November 16, 2005
    To load a after the boot process you'd just call ActivateDevice() or ActivateService().
    The "no-tier" behavior you describe should only happen on PPC 2003 - I can't think of a way you could see that behavior on the 2005 OS.

  • Anonymous
    December 06, 2005
    I could not load my NDIS driver the way you mentioned neither on WM5.0 emulator nor on HP Pocket PC device.

    I think it is as simple as calling ActivateDevice() to load the driver, but it does not work.

    -Ajay

  • Anonymous
    January 20, 2006
    The comment has been removed

  • Anonymous
    March 19, 2006
    So you have a DLL that you've written for services.exe and it's not loading?  The list below deal...

  • Anonymous
    November 14, 2006
    So you have a DLL that you've written for services.exe and it's not loading? The list below deal with

  • Anonymous
    December 13, 2006
    I've seen a number of issues where the Notification API fails to run a program at start up and generates an error, especially for unsigned applications or even signed apps with a certificate installed.   Could this be related?

  • Anonymous
    July 26, 2007
    Hi scott, Your blog is informative. I am too facing the same problem and stuck up in between. I have created service dll by implementing XXX_init and XXX_IOCTL functions. I am registering in in setup.dll install_Exit function. when I try to install the cab it is showing messagebox that is placed in install_Exit function but not showing the message boxes that is placed in XXX_init function of service.dll I think service.exe is not loading the dll? after reading your article i came to know that my service dll has to has trusted dll. How to make my service dll  as trusted dll? can you please help me in that? Thanks Krushna

  • Anonymous
    July 16, 2008
    The comment has been removed

  • Anonymous
    September 09, 2008
    Hi, I am trying to make my service to run even if the device is at sleep mode, (as a matter of fact that is one of the reasons i maded it as a service) but one it goes to sleep mode the timer won't work, when i get back from idle then the service will work again, is there any Registry value i need to set?, os something i need to program on my service DLL?

  • Anonymous
    December 22, 2008
    The comment has been removed