
Microsoft Windows Verification Pca Certificate Download: What You Need to Know About Windows Product



On non-Windows RT PCs the OEM should consider including the Microsoft Corporation UEFI CA 2011 with a SHA-1 Certificate Hash of 46 de f6 3b 5c e6 1c f8 ba 0d e2 e6 63 9c 10 19 d0 ed 14 f3. Signing UEFI drivers and applications with this certificate will allow UEFI drivers and applications from 3rd parties to run on the PC without requiring additional steps for the user. The UEFI CA can be downloaded from here: =321194.







The contents of EFI_IMAGE_SIGNATURE_DATABASE1 dbx must be checked when verifying images before checking db and any matches must prevent the image from executing. The database may contain multiple certificates, keys, and hashes in order to identify forbidden images. The Windows Hardware Certification Requirements state that a dbx must be present, so any dummy value, such as the SHA-256 hash of 0, may be used as a safe placeholder until such time as Microsoft begins delivering dbx updates. Click Here to download the latest UEFI revocation list from Microsoft.
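The check order described above, as an added Python model (not Microsoft's or any firmware vendor's code). It simplifies in three labelled ways: a whole-file SHA-256 stands in for the Authenticode PE hash, a signing chain is a list of certificate thumbprints, and the "SHA-256 hash of 0" placeholder is read as the digest of one zero byte.

```python
import hashlib
from dataclasses import dataclass, field


@dataclass
class SignatureDb:
    """One signature database (db or dbx): image hashes and certificate thumbprints."""
    hashes: set = field(default_factory=set)
    certs: set = field(default_factory=set)

    def matches(self, image_hash, chain):
        # A hit is either the image's own hash or any certificate in its signing chain.
        return image_hash in self.hashes or bool(self.certs & set(chain))


def authorize(image, chain, db, dbx):
    """Decide whether an image may run. dbx is consulted first and a match is final."""
    # Simplification: firmware compares the Authenticode PE hash, not a whole-file hash.
    image_hash = hashlib.sha256(image).hexdigest()
    if dbx.matches(image_hash, chain):
        return False, "dbx match"
    if db.matches(image_hash, chain):
        return True, "db match"
    return False, "not in db"


# SHA-1 certificate hash of the Microsoft Corporation UEFI CA 2011, as quoted on this page.
UEFI_CA_2011 = "46def63b5ce61cf8ba0de2e6639c1019d0ed14f3"
# Assumption: "SHA-256 hash of 0" read as the digest of a single zero byte.
PLACEHOLDER = hashlib.sha256(b"\x00").hexdigest()
# Constructed stand-ins for two third-party images signed under the UEFI CA.
DRIVER = b"constructed third-party UEFI driver"
OLD_LOADER = b"constructed boot loader that is later revoked"


def run_demo():
    db = SignatureDb(certs={UEFI_CA_2011})
    dbx_initial = SignatureDb(hashes={PLACEHOLDER})
    dbx_updated = SignatureDb(hashes={PLACEHOLDER, hashlib.sha256(OLD_LOADER).hexdigest()})
    chain = ["constructed-leaf-thumbprint", UEFI_CA_2011]
    return {
        "driver": authorize(DRIVER, chain, db, dbx_updated),
        "loader_before_update": authorize(OLD_LOADER, chain, db, dbx_initial),
        "loader_after_update": authorize(OLD_LOADER, chain, db, dbx_updated),
        "unsigned": authorize(DRIVER, [], db, dbx_updated),
        "ca_revoked": authorize(DRIVER, chain, db, SignatureDb(certs={UEFI_CA_2011})),
    }


if __name__ == "__main__":
    for case, verdict in run_demo().items():
        print(case, verdict)
```

The placeholder entry blocks nothing, and once a dbx update lists the loader's hash the image is refused even though its signing chain still matches db.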


Microsoft has made this available to anyone who wants to sign UEFI drivers. This certificate is part of the Windows HCK Secure Boot tests. Follow [this blog](( _hardware_certification/2013/12/03/microsoft-uefi-ca-signing-policy-updates/) to read more about UEFI CA signing policy and updates.


WINDOWS UPDATE FAILING TO DOWNLOAD OR INSTALL UPDATES
-----------------------------------------------------

Windows Update sits on "Downloading 70 updates (0KB total, 0% complete)" for a long time (2 hours?) then fails with error code 80243004.

Google search on error code eventually led me to "How do I reset Windows Update components" on MS site - -au/kb/971058

I downloaded WindowsUpdateDiagnostic.diagcab. Out of interest I ran this file through sigcheck and it came up as unsigned. ** Is this correct, that the WindowsUpdateDiagnostic.diagcab Windows Update fixer from MS would be unsigned?

    c:\users\admin\desktop\WindowsUpdateDiagnostic.diagcab:
        Verified: Unsigned
        File date: 9:40 AM 16/09/2016
        Publisher: n/a
        Company: n/a
        Description: n/a
        Product: n/a
        Prod version: n/a
        File version: n/a
        MachineType: n/a
        Binary Version: n/a
        Original Name: n/a
        Internal Name: n/a
        Copyright: n/a
        Comments: n/a
        Entropy: 7.972

SYSTEM FILE CHECKER
-------------------

SFC is already failing.

    C:\Windows\system32>sfc /verifyonly
    Beginning system scan. This process will take some time.
    Beginning verification phase of system scan.
    Verification 100% complete.
    Windows Resource Protection found integrity violations. Details are included in
    the CBS.Log windir\Logs\CBS\CBS.log. For example C:\Windows\Logs\CBS\CBS.log

    C:\Windows\system32>sfc /scannow
    Beginning system scan. This process will take some time.
    Beginning verification phase of system scan.
    Verification 100% complete.
    Windows Resource Protection found corrupt files and successfully repaired
    them. Details are included in the CBS.Log windir\Logs\CBS\CBS.log. For
    example C:\Windows\Logs\CBS\CBS.log

CBS.log is filled with many (hundreds, possibly thousands) of entries like this (these cover several runs of SFC over the past week):

    2016-09-13 08:10:01, Info CBS Failed to internally open package. [HRESULT = 0x800f0805 - CBS_E_INVALID_PACKAGE]
    2016-09-13 08:10:01, Info CBS Session: 30543170_1751246887 initialized by client WindowsUpdateAgent.
    2016-09-15 07:54:09, Info CBS Session: 30543570_2244303469 initialized by client WindowsUpdateAgent.
    2016-09-15 07:54:09, Info CBS Failed to internally open package. [HRESULT = 0x800f0805 - CBS_E_INVALID_PACKAGE]
    2016-09-16 07:02:29, Info CBS Session: 30543764_2021930775 initialized by client WindowsUpdateAgent.
    2016-09-16 07:02:29, Info CBS Failed to internally open package. [HRESULT = 0x800f0805 - CBS_E_INVALID_PACKAGE]

SETUP EVENT LOG
---------------

Setup log has its newest entry as being at 12/9/16 4:24pm.

Two minutes prior to that, I installed RSAT (Remote Server Admin Tools) on this machine. The installer I used was downloaded on this machine prior to it getting a new hard drive and Windows reinstall - in hindsight this was a mistake (I'm now of the opinion that this machine was at the time infected with something nasty - more below).

So, there's a possibility that I may have reinfected this machine with something when I installed RSAT.

I ran the installer through sigcheck, it doesn't look "wrong" as such, but it doesn't quite look "right" to me either (notice total lack of company details, although having said that I have no idea what sort of information should be visible for a .msu file):

    c:\temp\oldtemp\RSAT_Windows6.1-KB958830-x64-RefreshPkg.msu:
        Verified: Signed
        File date: 9:22 AM 22/08/2016
        Signing date: 1:44 PM 25/03/2011
        Catalog: c:\temp\oldtemp\RSAT_Windows6.1-KB958830-x64-RefreshPkg.msu
        Signers:
            Microsoft Corporation
                Cert Status: This certificate or one of the certificates in the certificate chain is not time valid.
                Valid Usage: Code Signing
                Cert Issuer: Microsoft Code Signing PCA
                Serial Number: 61 08 77 5F 00 00 00 00 00 4A
                Thumbprint: 9BF69D5E8D01A92F413B60A4BE003E323CB52F7F
                Algorithm: sha1RSA
                Valid from: 8:53 AM 20/07/2010
                Valid to: 8:53 AM 20/10/2011
            Microsoft Code Signing PCA
                Cert Status: Valid
                Valid Usage: Code Signing
                Cert Issuer: Microsoft Root Certificate Authority
                Serial Number: 61 15 08 27 00 00 00 00 00 0C
                Thumbprint: FDD1314ED3268A95E198603BA8316FA63CBCD82D
                Algorithm: sha1RSA
                Valid from: 9:22 AM 26/01/2006
                Valid to: 9:32 AM 26/01/2017
            Microsoft Root Certificate Authority
                Cert Status: Valid
                Valid Usage: All
                Cert Issuer: Microsoft Root Certificate Authority
                Serial Number: 79 AD 16 A1 4A A0 A5 AD 4C 73 58 F4 07 13 2E 65
                Thumbprint: CDD4EEAE6000AC7F40C3802C171E30148030C072
                Algorithm: sha1RSA
                Valid from: 9:19 AM 10/05/2001
                Valid to: 9:28 AM 10/05/2021
        Counter Signers:
            Microsoft Time-Stamp Service
                Cert Status: This certificate or one of the certificates in the certificate chain is not time valid.
                Valid Usage: Timestamp Signing
                Cert Issuer: Microsoft Time-Stamp PCA
                Serial Number: 61 04 B3 F5 00 00 00 00 00 0D
                Thumbprint: 7CB0244C7CEC5283E7EFDADF5CCC58772DD67F42
                Algorithm: sha1RSA
                Valid from: 5:13 AM 26/07/2008
                Valid to: 5:23 AM 26/07/2011
            Microsoft Time-Stamp PCA
                Cert Status: Valid
                Valid Usage: Timestamp Signing
                Cert Issuer: Microsoft Root Certificate Authority
                Serial Number: 61 16 68 34 00 00 00 00 00 1C
                Thumbprint: 375FCB825C3DC3752A02E34EB70993B4997191EF
                Algorithm: sha1RSA
                Valid from: 10:53 PM 3/04/2007
                Valid to: 11:03 PM 3/04/2021
            Microsoft Root Certificate Authority
                Cert Status: Valid
                Valid Usage: All
                Cert Issuer: Microsoft Root Certificate Authority
                Serial Number: 79 AD 16 A1 4A A0 A5 AD 4C 73 58 F4 07 13 2E 65
                Thumbprint: CDD4EEAE6000AC7F40C3802C171E30148030C072
                Algorithm: sha1RSA
                Valid from: 9:19 AM 10/05/2001
                Valid to: 9:28 AM 10/05/2021
        Company: n/a
        Description: n/a
        Product: n/a
        Prod version: n/a
        File version: n/a
        MachineType: n/a
        Binary Version: n/a
        Original Name: n/a
        Internal Name: n/a
        Copyright: n/a
        Comments: n/a
        Entropy: 7.998

ONGOING SIGNS OF MALWARE ACTIVITY
---------------------------------

The reason that I started this post is that I suspect there may be some very stealthy, nasty malware at play in this environment (small office network). I've got a couple of the machines on the network that I'm fairly certain are infected. It appears to be an atypical/unusual infection - I've tried many different products yet none detect anything that would explain what I have been seeing.

I've sought assistance with some of these infections on sites like bleepingcomputer and Emsisoft, and each time the experts have been somewhat baffled - they also seem to think something nasty is at play here, but nailing it down has proved difficult (each time I've started making progress (being guided by those on Bleeping etc), Windows craps itself and I end up having to reinstall before being able to identify the threat).

I wish I could say it's a "CryptoWall" infection or a "zepto" infection, but nothing that I have tried (or bleeping/emsisoft etc) ever seems to be able to identify a specific known, named threat.

Some of the behaviour I have observed multiple times from this malware:

- Early on in an infection, the computer experiences clipboard problems when using Remote Desktop. Clipboard totally stops until pc is rebooted. This will go on for a few days, and some time after that the machine starts showing signs of infection. - has me suspicious that it's using the clipboard to travel across machines via Remote Desktop.

- I suspect that it's infected the BIOS: Booting of e.g. Kaspersky or Bit Defender rescue disks is difficult. Some won't run at all (e.g. F-Secure loads to its GUI then crashes), some will run but won't find anything and won't be able to download updates as part of the scan (e.g. Windows Defender offline), some will run and find nothing after updating, but the update process seems to take far longer (hours) than it should (Kaspersky and Bit Defender). This behaviour has been seen on multiple infected machines, so I don't suspect hardware issues.

- Subtle (Chrome) browser interference: E.g. many microsoft.com URLs result in the browser showing Microsoft's 404-not-found, but if I try the same URLs on other machines they work no problem. Another E.g. when loading new pages I often get Chrome error pages (e.g. DNS lookup failure) that stay onscreen for a second or two, then suddenly the correct page appears (without me trying to reload).

- There's another machine on this network that I suspect may have some sort of rootkit on it: When it first boots I can see a flashing (dos-like) text cursor on screen while it's showing the "Starting Windows" animation with the four colored balls that merge to become the Windows logo. The machine also boots VERY slowly (considering it's got 32Gb memory and an i7) and has other issues. It's very hard to get anti-malware to run on this machine. It had Trend Micro on it, but the machine basically locks up and is unusable unless Trend Micro is turned off. (The machine is now running Windows Defender instead until I can get back to it).

