Security warning

Hi Konstantin
thank you for your reply, I don't find reg entries in your message even in
XP Pro.
I find this path
HKCU\Software\Microsoft\InternetExplorer\Download\ , "checkExeSignatures" set
to YES, I changed to NO, and I added a key "RunInvalidSignatures" set to
yes.
The Security Warning still appears.
I'm starting a new project, so I'll do a new image from scratch using same
drivers. If this warning is still there I'll open a new question.
Thanks Raffaele

"KM" <konstmor@nospam_yahoo.com> ha scritto nel messaggio
news:%23YNWRZaDHHA.4928@TK2MSFTNGP02.phx.gbl...

> Raffaele,
>
> I'd say that you fixed that the right way on an embedded system where you
> control what Exe's are to be launched.
> You could also fix it by modifying the following reg.entries directly:
> [HKCU\Software\Policies\Microsoft\Internet
> Explorer\Download],"RunInvalidSignatures"
> [HKCU\Software\Policies\Microsoft\Internet
> Explorer\Download],"CheckExeSignatures"
>
> If you want to know why you're seeing the warning you probably want first
> to debug what file [exe] is the "wrong" one. (just remove all the agent
> apps from the Run key and launch them at run time manually to see which
> one shows the warning)
>
>
> --
> =========
> Regards,
> KM
>
>
> "crus" <crus@discussions.microsoft.com> wrote in message
> news:e5mr4QJDHHA.3660@TK2MSFTNGP02.phx.gbl...

>> I've got a new SP2 image, everything is working but during start-up
>> appear some
>> -Security Warning Dialog boxes - saying that:
>> "The publisher could not be verified. ......"
>> Then I press the run button for all messages and than I have the full
>> system OK.
>> This should means that files are not digitally signed.
>> After that I can install applications, even old ones, but this warning
>> doesn't appears any more, until next startup.
>> Files that are indicated as digitally unsigned get executed at start up
>> and are listed in the registry key
>> HKLM\Microsoft\Windows\CurrentVersion\Run
>> they are tray applications loaded by driver components as
>> hwincal.exe, (touch) igfxtray.exe,( intel video driver) hkcmd.exe,
>> igfxpers.exe
>>
>> To check this behavior I started the GroupPolicy Editor ( gpedit.msc)
>> where I find everything undefined, and set the Attachment Manager
>> "inclusion list for low files types" to disable warning for ALL .exe
>> files. With this setting the warning box is not shown, but this is not
>> the way to understand what is wrong.
>>
>> I looked in FBA log and found RegSetKeySecurity Failed Error: 0x6
>> that seems someway related.
>> I hope that someone can give help to understand what's happening.
>> Raffaele
>>
>>

>
>

I find also that all .EXE that gives security warning when run show a
security message in their Property :
"this file comes from an other computer and might be blocket to protect this
computer"
a button "unblock" is on side to make disappear this message and to allows
free use of the file.
As I said in my first message all files that behaves this way are installed
by components some already available and some ( as igfxcfg.exe ) that I made
from Intel device drivers with CD.


"KM" <konstmor@nospam_yahoo.com> ha scritto nel messaggio
news:%23YNWRZaDHHA.4928@TK2MSFTNGP02.phx.gbl...

> Raffaele,
>
> I'd say that you fixed that the right way on an embedded system where you
> control what Exe's are to be launched.
> You could also fix it by modifying the following reg.entries directly:
> [HKCU\Software\Policies\Microsoft\Internet
> Explorer\Download],"RunInvalidSignatures"
> [HKCU\Software\Policies\Microsoft\Internet
> Explorer\Download],"CheckExeSignatures"
>
> If you want to know why you're seeing the warning you probably want first
> to debug what file [exe] is the "wrong" one. (just remove all the agent
> apps from the Run key and launch them at run time manually to see which
> one shows the warning)
>
>
> --
> =========
> Regards,
> KM
>
>
> "crus" <crus@discussions.microsoft.com> wrote in message
> news:e5mr4QJDHHA.3660@TK2MSFTNGP02.phx.gbl...

>> I've got a new SP2 image, everything is working but during start-up
>> appear some
>> -Security Warning Dialog boxes - saying that:
>> "The publisher could not be verified. ......"
>> Then I press the run button for all messages and than I have the full
>> system OK.
>> This should means that files are not digitally signed.
>> After that I can install applications, even old ones, but this warning
>> doesn't appears any more, until next startup.
>> Files that are indicated as digitally unsigned get executed at start up
>> and are listed in the registry key
>> HKLM\Microsoft\Windows\CurrentVersion\Run
>> they are tray applications loaded by driver components as
>> hwincal.exe, (touch) igfxtray.exe,( intel video driver) hkcmd.exe,
>> igfxpers.exe
>>
>> To check this behavior I started the GroupPolicy Editor ( gpedit.msc)
>> where I find everything undefined, and set the Attachment Manager
>> "inclusion list for low files types" to disable warning for ALL .exe
>> files. With this setting the warning box is not shown, but this is not
>> the way to understand what is wrong.
>>
>> I looked in FBA log and found RegSetKeySecurity Failed Error: 0x6
>> that seems someway related.
>> I hope that someone can give help to understand what's happening.
>> Raffaele
>>
>>

>
>

Raffaele,

Well, that depends on how and from where you downloaded those files.
When you downloaded a file from the Web on SP2 machine, Windows automatically marks the file attachment with its zone information
(such as Restricted, local, internet..). Based on file's zone information Windows assigns a proper risk level (High, Moderate, or
Low).

To prevent Windows from checking Zone Information in files when user tries to open them in Windows Explorer you can set up the
following key:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Pol icies\Associations]
"LowRiskFileTypes"=".exe;.bat;.com;.cmd;.reg;.msi; .htm;.html;.gif;.bmp;.jpg;.avi;.mpg;.mpeg;.mov;.mp 3;.m3u;.wav;" (or
whatever types you want to see here)

On the machine where you are trying to download the files to prevent Windows from preserving Zone Information in file attachments
you may want to set the following key:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Pol icies\Attachments]
"SaveZoneInformation"=dword:1

But I'd go and try the first key on your XPe image to not even worry about the file signatures for the defined types.

--
=========
Regards,
KM


"crus" <crus@discussions.microsoft.com> wrote in message news:O6d8WzkDHHA.952@TK2MSFTNGP03.phx.gbl...

>I find also that all .EXE that gives security warning when run show a
> security message in their Property :
> "this file comes from an other computer and might be blocket to protect this
> computer"
> a button "unblock" is on side to make disappear this message and to allows
> free use of the file.
> As I said in my first message all files that behaves this way are installed
> by components some already available and some ( as igfxcfg.exe ) that I made from Intel device drivers with CD.
>
>
> "KM" <konstmor@nospam_yahoo.com> ha scritto nel messaggio
> news:%23YNWRZaDHHA.4928@TK2MSFTNGP02.phx.gbl...

>> Raffaele,
>>
>> I'd say that you fixed that the right way on an embedded system where you
>> control what Exe's are to be launched.
>> You could also fix it by modifying the following reg.entries directly:
>> [HKCU\Software\Policies\Microsoft\Internet
>> Explorer\Download],"RunInvalidSignatures"
>> [HKCU\Software\Policies\Microsoft\Internet
>> Explorer\Download],"CheckExeSignatures"
>>
>> If you want to know why you're seeing the warning you probably want first
>> to debug what file [exe] is the "wrong" one. (just remove all the agent
>> apps from the Run key and launch them at run time manually to see which
>> one shows the warning)
>>
>>
>> --
>> =========
>> Regards,
>> KM
>>
>>
>> "crus" <crus@discussions.microsoft.com> wrote in message
>> news:e5mr4QJDHHA.3660@TK2MSFTNGP02.phx.gbl...

>>> I've got a new SP2 image, everything is working but during start-up
>>> appear some
>>> -Security Warning Dialog boxes - saying that:
>>> "The publisher could not be verified. ......"
>>> Then I press the run button for all messages and than I have the full
>>> system OK.
>>> This should means that files are not digitally signed.
>>> After that I can install applications, even old ones, but this warning
>>> doesn't appears any more, until next startup.
>>> Files that are indicated as digitally unsigned get executed at start up
>>> and are listed in the registry key
>>> HKLM\Microsoft\Windows\CurrentVersion\Run
>>> they are tray applications loaded by driver components as
>>> hwincal.exe, (touch) igfxtray.exe,( intel video driver) hkcmd.exe,
>>> igfxpers.exe
>>>
>>> To check this behavior I started the GroupPolicy Editor ( gpedit.msc)
>>> where I find everything undefined, and set the Attachment Manager
>>> "inclusion list for low files types" to disable warning for ALL .exe
>>> files. With this setting the warning box is not shown, but this is not
>>> the way to understand what is wrong.
>>>
>>> I looked in FBA log and found RegSetKeySecurity Failed Error: 0x6
>>> that seems someway related.
>>> I hope that someone can give help to understand what's happening.
>>> Raffaele
>>>
>>>

>>
>>

>
>
>

Yes Konstantin,
you are right it depends from the file download!
The solution I found is, according your suggest, to add the key Attachment
and a value to the DEVELOPMENT ( XP Pro SP2) registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Pol icies\Attachments]
"SaveZoneInformation"=dword:1

The Attachments key wasn't defined .

If you have SP2 without this keys all downloaded files have a security
info that the file is from unreliable source, just look at files's
Properties of downloaded files to check.
But I had components made with files downloaded before fix!

This is my full story:
BEFORE
I downloaded some ZIP files for Intel video drivers and a ZIP file for
touch screen, with ready XPE component,
I expanded them, ( by compressed folders) made components from INF files,
imported components into
the database and respective repositories, made the XPE image and put it on
the target hardware.
During development I had no warning at all that downloaded ZIP files were
marked unsecure,
and also that ALL the expanded files were marked unsecure too!
So I filled my repositories this way with .INF .EXE .SYS ... all marked
unsecure and my images were maked too.
The first run of XPE showed the warning message.
NOW
I have washed my component's repository to have them warning free and made
the
XPE image again, no more warning messages!
The Reg fix for IE guarantees me only for future downloads, files that are
on dev. machine need cleaning.
It's strange that nobody found this before, since it depends from XPPro XP2,
not a new release!
Anyway thanks for the help to explore the problem, I hope that helps someone
to save the time I lost on it.
I plan to publish my video components in xpefiles, one reason more to be
sure of its quality.
regards
Raffaele

"KM" <konstmor@nospam_yahoo.com> ha scritto nel messaggio
news:ul2hLvmDHHA.1748@TK2MSFTNGP02.phx.gbl...

> Raffaele,
>
> Well, that depends on how and from where you downloaded those files.
> When you downloaded a file from the Web on SP2 machine, Windows
> automatically marks the file attachment with its zone information (such as
> Restricted, local, internet..). Based on file's zone information Windows
> assigns a proper risk level (High, Moderate, or Low).
>
> To prevent Windows from checking Zone Information in files when user tries
> to open them in Windows Explorer you can set up the following key:
> [HKCU\Software\Microsoft\Windows\CurrentVersion\Pol icies\Associations]
>
> "LowRiskFileTypes"=".exe;.bat;.com;.cmd;.reg;.msi; .htm;.html;.gif;.bmp;.jpg;.avi;.mpg;.mpeg;.mov;.mp 3;.m3u;.wav;"
> (or whatever types you want to see here)
>
> On the machine where you are trying to download the files to prevent
> Windows from preserving Zone Information in file attachments you may want
> to set the following key:
> [HKCU\Software\Microsoft\Windows\CurrentVersion\Pol icies\Attachments]
> "SaveZoneInformation"=dword:1
>
> But I'd go and try the first key on your XPe image to not even worry about
> the file signatures for the defined types.
>
> --
> =========
> Regards,
> KM
>
>
> "crus" <crus@discussions.microsoft.com> wrote in message
> news:O6d8WzkDHHA.952@TK2MSFTNGP03.phx.gbl...

>>I find also that all .EXE that gives security warning when run show a
>> security message in their Property :
>> "this file comes from an other computer and might be blocket to protect
>> this
>> computer"
>> a button "unblock" is on side to make disappear this message and to
>> allows
>> free use of the file.
>> As I said in my first message all files that behaves this way are
>> installed
>> by components some already available and some ( as igfxcfg.exe ) that I
>> made from Intel device drivers with CD.
>>
>>
>> "KM" <konstmor@nospam_yahoo.com> ha scritto nel messaggio
>> news:%23YNWRZaDHHA.4928@TK2MSFTNGP02.phx.gbl...

>>> Raffaele,
>>>
>>> I'd say that you fixed that the right way on an embedded system where
>>> you
>>> control what Exe's are to be launched.
>>> You could also fix it by modifying the following reg.entries directly:
>>> [HKCU\Software\Policies\Microsoft\Internet
>>> Explorer\Download],"RunInvalidSignatures"
>>> [HKCU\Software\Policies\Microsoft\Internet
>>> Explorer\Download],"CheckExeSignatures"
>>>
>>> If you want to know why you're seeing the warning you probably want
>>> first
>>> to debug what file [exe] is the "wrong" one. (just remove all the agent
>>> apps from the Run key and launch them at run time manually to see which
>>> one shows the warning)
>>>
>>>
>>> --
>>> =========
>>> Regards,
>>> KM
>>>
>>>
>>> "crus" <crus@discussions.microsoft.com> wrote in message
>>> news:e5mr4QJDHHA.3660@TK2MSFTNGP02.phx.gbl...
>>>> I've got a new SP2 image, everything is working but during start-up
>>>> appear some
>>>> -Security Warning Dialog boxes - saying that:
>>>> "The publisher could not be verified. ......"
>>>> Then I press the run button for all messages and than I have the full
>>>> system OK.
>>>> This should means that files are not digitally signed.
>>>> After that I can install applications, even old ones, but this warning
>>>> doesn't appears any more, until next startup.
>>>> Files that are indicated as digitally unsigned get executed at start up
>>>> and are listed in the registry key
>>>> HKLM\Microsoft\Windows\CurrentVersion\Run
>>>> they are tray applications loaded by driver components as
>>>> hwincal.exe, (touch) igfxtray.exe,( intel video driver) hkcmd.exe,
>>>> igfxpers.exe
>>>>
>>>> To check this behavior I started the GroupPolicy Editor ( gpedit.msc)
>>>> where I find everything undefined, and set the Attachment Manager
>>>> "inclusion list for low files types" to disable warning for ALL .exe
>>>> files. With this setting the warning box is not shown, but this is not
>>>> the way to understand what is wrong.
>>>>
>>>> I looked in FBA log and found RegSetKeySecurity Failed Error: 0x6
>>>> that seems someway related.
>>>> I hope that someone can give help to understand what's happening.
>>>> Raffaele
>>>>
>>>>
>>>
>>>

>>
>>
>>

>
>

> It's strange that nobody found this before, since it depends from XPPro XP2,

> not a new release!

Well, quite frankly I did run into this issue before but since I always turned off all the XP security shields on my XPe images it
never was a big problem for me here :-)

--
=========
Regards,
KM


"crus" <crus@discussions.microsoft.com> wrote in message news:e48tiayDHHA.3544@TK2MSFTNGP03.phx.gbl...

> Yes Konstantin,
> you are right it depends from the file download!
> The solution I found is, according your suggest, to add the key Attachment and a value to the DEVELOPMENT ( XP Pro SP2) registry:
>
> [HKCU\Software\Microsoft\Windows\CurrentVersion\Pol icies\Attachments]
> "SaveZoneInformation"=dword:1
>
> The Attachments key wasn't defined .
>
> If you have SP2 without this keys all downloaded files have a security
> info that the file is from unreliable source, just look at files's Properties of downloaded files to check.
> But I had components made with files downloaded before fix!
>
> This is my full story:
> BEFORE
> I downloaded some ZIP files for Intel video drivers and a ZIP file for
> touch screen, with ready XPE component,
> I expanded them, ( by compressed folders) made components from INF files, imported components into
> the database and respective repositories, made the XPE image and put it on
> the target hardware.
> During development I had no warning at all that downloaded ZIP files were marked unsecure,
> and also that ALL the expanded files were marked unsecure too!
> So I filled my repositories this way with .INF .EXE .SYS ... all marked
> unsecure and my images were maked too.
> The first run of XPE showed the warning message.
> NOW
> I have washed my component's repository to have them warning free and made the
> XPE image again, no more warning messages!
> The Reg fix for IE guarantees me only for future downloads, files that are on dev. machine need cleaning.
> It's strange that nobody found this before, since it depends from XPPro XP2,
> not a new release!
> Anyway thanks for the help to explore the problem, I hope that helps someone to save the time I lost on it.
> I plan to publish my video components in xpefiles, one reason more to be sure of its quality.
> regards
> Raffaele
>
> "KM" <konstmor@nospam_yahoo.com> ha scritto nel messaggio news:ul2hLvmDHHA.1748@TK2MSFTNGP02.phx.gbl...

>> Raffaele,
>>
>> Well, that depends on how and from where you downloaded those files.
>> When you downloaded a file from the Web on SP2 machine, Windows automatically marks the file attachment with its zone information
>> (such as Restricted, local, internet..). Based on file's zone information Windows assigns a proper risk level (High, Moderate, or
>> Low).
>>
>> To prevent Windows from checking Zone Information in files when user tries to open them in Windows Explorer you can set up the
>> following key:
>> [HKCU\Software\Microsoft\Windows\CurrentVersion\Pol icies\Associations]
>>
>> "LowRiskFileTypes"=".exe;.bat;.com;.cmd;.reg;.msi; .htm;.html;.gif;.bmp;.jpg;.avi;.mpg;.mpeg;.mov;.mp 3;.m3u;.wav;" (or whatever
>> types you want to see here)
>>
>> On the machine where you are trying to download the files to prevent Windows from preserving Zone Information in file attachments
>> you may want to set the following key:
>> [HKCU\Software\Microsoft\Windows\CurrentVersion\Pol icies\Attachments]
>> "SaveZoneInformation"=dword:1
>>
>> But I'd go and try the first key on your XPe image to not even worry about the file signatures for the defined types.
>>
>> --
>> =========
>> Regards,
>> KM
>>
>>
>> "crus" <crus@discussions.microsoft.com> wrote in message news:O6d8WzkDHHA.952@TK2MSFTNGP03.phx.gbl...

>>>I find also that all .EXE that gives security warning when run show a
>>> security message in their Property :
>>> "this file comes from an other computer and might be blocket to protect this
>>> computer"
>>> a button "unblock" is on side to make disappear this message and to allows
>>> free use of the file.
>>> As I said in my first message all files that behaves this way are installed
>>> by components some already available and some ( as igfxcfg.exe ) that I made from Intel device drivers with CD.
>>>
>>>
>>> "KM" <konstmor@nospam_yahoo.com> ha scritto nel messaggio
>>> news:%23YNWRZaDHHA.4928@TK2MSFTNGP02.phx.gbl...
>>>> Raffaele,
>>>>
>>>> I'd say that you fixed that the right way on an embedded system where you
>>>> control what Exe's are to be launched.
>>>> You could also fix it by modifying the following reg.entries directly:
>>>> [HKCU\Software\Policies\Microsoft\Internet
>>>> Explorer\Download],"RunInvalidSignatures"
>>>> [HKCU\Software\Policies\Microsoft\Internet
>>>> Explorer\Download],"CheckExeSignatures"
>>>>
>>>> If you want to know why you're seeing the warning you probably want first
>>>> to debug what file [exe] is the "wrong" one. (just remove all the agent
>>>> apps from the Run key and launch them at run time manually to see which
>>>> one shows the warning)
>>>>
>>>>
>>>> --
>>>> =========
>>>> Regards,
>>>> KM
>>>>
>>>>
>>>> "crus" <crus@discussions.microsoft.com> wrote in message
>>>> news:e5mr4QJDHHA.3660@TK2MSFTNGP02.phx.gbl...
>>>>> I've got a new SP2 image, everything is working but during start-up
>>>>> appear some
>>>>> -Security Warning Dialog boxes - saying that:
>>>>> "The publisher could not be verified. ......"
>>>>> Then I press the run button for all messages and than I have the full
>>>>> system OK.
>>>>> This should means that files are not digitally signed.
>>>>> After that I can install applications, even old ones, but this warning
>>>>> doesn't appears any more, until next startup.
>>>>> Files that are indicated as digitally unsigned get executed at start up
>>>>> and are listed in the registry key
>>>>> HKLM\Microsoft\Windows\CurrentVersion\Run
>>>>> they are tray applications loaded by driver components as
>>>>> hwincal.exe, (touch) igfxtray.exe,( intel video driver) hkcmd.exe,
>>>>> igfxpers.exe
>>>>>
>>>>> To check this behavior I started the GroupPolicy Editor ( gpedit.msc)
>>>>> where I find everything undefined, and set the Attachment Manager
>>>>> "inclusion list for low files types" to disable warning for ALL .exe
>>>>> files. With this setting the warning box is not shown, but this is not
>>>>> the way to understand what is wrong.
>>>>>
>>>>> I looked in FBA log and found RegSetKeySecurity Failed Error: 0x6
>>>>> that seems someway related.
>>>>> I hope that someone can give help to understand what's happening.
>>>>> Raffaele
>>>>>
>>>>>
>>>>
>>>>
>>>
>>>
>>>

>>
>>

>
>