Having troubles after update Windows 11 yesterday

Martin

HWiNFO Author
Staff member
Well, at least some good news.
I don't know how to solve this with Core isolation yet, will need to perform several tests and see if there's anything that could be done.
But it's quite possible that in this build Core isolation completely blocks some drivers...
 
The long arm of Microsoft, I've already sent them lousy feedback about this update.
I'm looking forward to your tests.
Thanks a lot for your time!

Best regards,
Eliran.
 

Martin

HWiNFO Author
Staff member
Thank you too for reporting this and testing! I will update this once I know more...
 

A55imilat0r

New Member
I'm experiencing the same issue after updating to the latest Windows 11 dev insider build 25145 today.
Core isolation was on previously. For me the app will not launch at all. I just get the Can't install driver error.

 

Martin

HWiNFO Author
Staff member
Yes, it seems MS has tightened rules for Core isolation in this build and it restricts a lot of drivers.
Not sure what the exact criteria are now though, but HWiNFO is a tool that inherently requires direct access to hardware, otherwise it wouldn't work.
 

FearDC

Member
I also have exactly the same issue, same Windows version, same everything. Damn beta channels :-D

AMD Ryzen Master is removed from my PC. It was preinstalled though.
 

Martin

HWiNFO Author
Staff member
Yes, I noticed that Ryzen Master's driver is listed among the incompatible ones as well.
 

Martin

HWiNFO Author
Staff member
Could you please look in Event Viewer under: Applications and Service Logs\Microsoft\Windows\CodeIntegrity\Operational
to see if there are any messages about why the HWiNFO driver was blocked?
 

Martin

HWiNFO Author
Staff member
Well, this is really weird and I couldn't find an explanation for this blocking of several drivers yet.
Several months ago I verified HWiNFO's driver using recommended Microsoft tools and techniques to ensure it's HVCI-compliant and after a small update it passed all tests. So I don't understand what Microsoft is doing now...
 

FearDC

Member
@ https://github.com/winsiderss/systeminformer/issues/1142

Seems like the HWiNFO driver, and the CPU-Z driver for that matter, also got into the vulnerable driver blocklist.

So I have tested this first, without results:

@ https://github.com/winsiderss/systeminformer/issues/1142#issuecomment-1148635917
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\CI\Config\VulnerableDriverBlocklistEnable > 0

Then I also added this and HWiNFO was able to load again using both combinations:

@ https://github.com/winsiderss/systeminformer/issues/1142#issuecomment-1156480958
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity\Enabled > 0

The guys mentioned above resolved the issue by renaming the driver, until the next time MS blocks it again. :-D

Also found this blocklist: https://docs.microsoft.com/en-us/wi...trol/microsoft-recommended-driver-block-rules

I didn't find anything related to HWiNFO64A_171.SYS in that list, but the certificate used by HWiNFO, I don't know if this is related:

Code:
<Signer ID="ID_SIGNER_MIMIKATZ_KERNEL" Name="GlobalSign CodeSigning CA - G2">
  <CertRoot Type="TBS" Value="589A7D4DF869395601BA7538A65AFAE8C4616385" />
  <CertPublisher Value="Benjamin Delpy" />
</Signer>
<Signer ID="ID_SIGNER_MIMIKATZ_KERNEL_SHA2" Name="GlobalSign CodeSigning CA - G2">
  <CertRoot Type="TBS" Value="F6CAE0B028995EB13B1C2CCE5B5107384AB7C77279AE5560933E345061D99CC0" />
  <CertPublisher Value="Benjamin Delpy" />
</Signer>
<Signer ID="ID_SIGNER_MIMIKATZ_USER" Name="Certum Code Signing CA SHA2">
  <CertRoot Type="TBS" Value="F7B6EEB3A567223000A61F68C53B458193557C17E5D512D2825BCB13E5FC9BE5" />
  <CertPublisher Value="Open Source Developer, Benjamin Delpy" />
</Signer>

<DeniedSigner SignerId="ID_SIGNER_MIMIKATZ_KERNEL" />
<DeniedSigner SignerId="ID_SIGNER_MIMIKATZ_KERNEL_SHA2" />
<DeniedSigner SignerId="ID_SIGNER_MIMIKATZ_USER" />

Haha, it's funny but I was reading the Windows 11 build 25145 announcement this morning: https://blogs.windows.com/windows-i...ncing-windows-11-insider-preview-build-25145/

There is a list of known issues, and one of those is "Some games that use Easy Anti-Cheat may crash or cause your PC to bugcheck". After doing some research on Easy Anti-Cheat, I found that it also uses kernel drivers. So I guess they have a similar situation.
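
Added example (not part of the post above, and not HWiNFO or Microsoft code): the post asks whether the quoted signer rules could relate to another vendor's certificate. In a WDAC policy, a Signer that carries both CertRoot and CertPublisher matches on the issuing CA's TBS hash together with the leaf certificate's common name, so this sketch resolves each DeniedSigner from the quoted fragment and tests a signature against it. The function names and the "Example Vendor" publisher are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

# Policy fragment exactly as quoted in the post, wrapped in a root element so it
# parses. A full policy file also declares an XML namespace; this sketch omits it.
POLICY = """<Policy>
<Signer ID="ID_SIGNER_MIMIKATZ_KERNEL" Name="GlobalSign CodeSigning CA - G2">
  <CertRoot Type="TBS" Value="589A7D4DF869395601BA7538A65AFAE8C4616385" />
  <CertPublisher Value="Benjamin Delpy" />
</Signer>
<Signer ID="ID_SIGNER_MIMIKATZ_KERNEL_SHA2" Name="GlobalSign CodeSigning CA - G2">
  <CertRoot Type="TBS" Value="F6CAE0B028995EB13B1C2CCE5B5107384AB7C77279AE5560933E345061D99CC0" />
  <CertPublisher Value="Benjamin Delpy" />
</Signer>
<Signer ID="ID_SIGNER_MIMIKATZ_USER" Name="Certum Code Signing CA SHA2">
  <CertRoot Type="TBS" Value="F7B6EEB3A567223000A61F68C53B458193557C17E5D512D2825BCB13E5FC9BE5" />
  <CertPublisher Value="Open Source Developer, Benjamin Delpy" />
</Signer>
<DeniedSigner SignerId="ID_SIGNER_MIMIKATZ_KERNEL" />
<DeniedSigner SignerId="ID_SIGNER_MIMIKATZ_KERNEL_SHA2" />
<DeniedSigner SignerId="ID_SIGNER_MIMIKATZ_USER" />
</Policy>"""


def denied_signers(policy_xml):
    """Resolve each DeniedSigner to (rule ID, issuer TBS hash, publisher CN or None)."""
    root = ET.fromstring(policy_xml)
    signers = {s.get("ID"): s for s in root.iter("Signer")}
    rules = []
    for ref in root.iter("DeniedSigner"):
        signer = signers[ref.get("SignerId")]
        tbs = signer.find("CertRoot").get("Value").upper()
        pub = signer.find("CertPublisher")
        rules.append((signer.get("ID"), tbs, pub.get("Value") if pub is not None else None))
    return rules


def is_denied(rules, issuer_tbs, leaf_cn):
    """Return the ID of the first deny rule matching this signature, else None.

    A rule with a CertPublisher needs both the CA hash and the leaf CN to match;
    a rule without one would match every certificate issued by that CA.
    """
    for rule_id, tbs, publisher in rules:
        if tbs == issuer_tbs.upper() and publisher in (None, leaf_cn):
            return rule_id
    return None
```

With these three rules, a driver signed under the same issuing CA but with a different publisher name does not match, so the CA appearing in the list does not by itself deny every certificate that CA issued.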
 

Martin

HWiNFO Author
Staff member
Thanks for your great research!
I also did some research and am getting a feeling that MS is now either explicitly or implicitly blocking certain 3rd party drivers.
The blocklist you found includes well known vendors - I can see AMD Ryzen Master driver, CPU-Z, Sandra and many others, but none of them is related to HWiNFO. I think that list wasn't updated for build 25145 yet, so we will see many more entries there soon...
It's an ugly thing to block so many drivers and entire software packages depending on them without any notifications or explanation why.
 

A55imilat0r

New Member
This is indeed sad, and I hope they work out how to open things up via APIs or provide vendors with a way to get WHQL signing for drivers like this. Windows Defender is very primitive compared to other enterprise Core Isolation AV software where we can add rules to allow signed code.
 

FearDC

Member
@ Martin

One thing that certainly needs to be changed in HWiNFO is to perform an update check of the application before loading any kernel drivers, and possibly display a message about critical update availability. Because let's say they have blocked your driver forever, by file hash or whatever. Then after resolving the problem by issuing a new driver for example, you will probably make a new release of the software, but users with the old version won't be able to update, or even know that there is a new version available that fixes the issue, unless they check for updates manually of course. I have experience of many people using an old piece of software for tens of years, they have no idea that there is a new version available, until they see a message with big text saying that. :)
 

FearDC

Member
@ Martin

This is interesting. I have extracted the HWiNFO64A_171.sys by running HWiNFO64 on another system. Then I have written my own software to load the driver into Windows 11 build 25145, the software simply loads the driver and starts the service, nothing else:

A service was installed in the system.

Service Name: HWiNFO64 Kernel Driver
Service File Name: C:\Users\hundr\Downloads\HWiNFO64A_171.SYS
Service Type: kernel mode driver
Service Start Type: demand start
Service Account:

Now that the driver is loaded, I can start HWiNFO64 again, with all HVCI protection enabled. :D I guess HWiNFO checks if the driver is already loaded before it actually tries to load one itself.

I don't know if that matters or not, but I named this service 'HWiNFO64 Kernel Driver'.
 