Windows 7 - 'Publisher could not be verified' message, IE UserControl

Asked By CStewar on 02-Apr-07 10:52 AM
On Embedded with XPSP2 & Feature Pack 2007, whenever a web page containing a
UserControl is opened, the user is presented with the 'Publisher could not be
verified' dialog.  IE (6 w/h SP2) is being brought up programmatically, as
this embedded system has no keyboard or mouse with which to acknowledge the
dialog box.

This embedded system has no network connectivity, and I am not interested in
digitally signing the user control dll.

I have thoroughly gone through the myriad of registry settings which relate
to this issue, although one would think turning off the ‘Check for
signatures on downloaded programs’ within IE would be enough.  I have
manipulated the LMZ and other zones, worked with the IE advanced settings, as
well as other related registry settings
(http://blogs.msdn.com/embedded/archive/2005/06/06/425907.aspx).  Nothing has
had any effect.

I have even strong named the assembly and signed it in an attempt to simply
get different behavior, but to no avail.

If anyone has any ideas, I would be keenly interested in hearing them.
Thanks.




KM replied on 02-Apr-07 01:50 PM
CStewart,

I guess you have already tried this one?
[HKCU\Software\Policies\Microsoft\Internet Explorer\Download],"RunInvalidSignatures"=dword:0

Corresponds to the "Allow software to run or install even if the signature is invalid" policy.

--
=========
Regards,
KM

CStewar replied on 02-Apr-07 02:22 PM
It is my understanding that the common location for this setting is

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Download]RunInvalidSignatures

But regardless, the setting has no effect in either location.  I wonder if
anyone knows whether a missing component could be causing IE to not recognize
or behave on the specified registry settings.  Of the numerous settings I
have tried, nothing has augmented the behavior of the dialog box; it always
appears.

KM replied on 02-Apr-07 04:37 PM
CStewart,

My bad. I should've mentioned all the related keys there.

[HKCU\Software\Policies\Microsoft\Internet Explorer\Download],"RunInvalidSignatures"=dword:1
[HKCU\Software\Policies\Microsoft\Internet Explorer\Download],"CheckExeSignatures"=dword:0
[HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments],"SaveZoneInformation"=dword:1

Please let us know if that helps you.

Unlikely this is your problem, but just in case, please check if you got the "Primitive: CryptUI" component in your image config. Of course,

--
=========
Regards,
KM

KM replied on 02-Apr-07 04:46 PM
Oops. Sorry, should be
[HKCU\Software\Policies\Microsoft\Internet Explorer\Download],"CheckExeSignatures"=reg_sz:"no".

--
=========
Regards,
KM

CStewar replied on 03-Apr-07 08:26 AM
I set the specified 3 registry settings (RunInvalidSig, CheckExe, &
SaveZone), and they had no effect.

Under HKCU\Software\Policies\Microsoft, 'SystemCertificates' was the only
existing key, so 'Internet Explorer\Download' had to be created.  Also, only
'Explorer' existed at
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies, so 'Attachments' had
to be created.  Should these keys have already existed?

Components "Primitive: CryptUI", "Internet Explorer" and "Windows XP Service
Pack 2 Resource DLL" are all included in the image.

I also included everything needed to support installing IE7 into the image,
built it, then installed IE7.  IE7 exhibits the same behavior, again with all
Advanced options set to allow everything and registry values all set to
'enabled'.

KM replied on 03-Apr-07 08:35 PM
I don't think going to IE7 would help. The behavior of that security setting didn't change between IE6 and 7.

Just to clarify, you did set the
[HKCU\Software\Policies\Microsoft\Internet Explorer\Download],"CheckExeSignatures"=reg_sz:"no".
(please note the value type)


No, policy entries don't necessarily have to be pre-populated in registry. If they are missing, the policies are considered "not configured" and usually it leads to behavior defined by documentation (check GPEdit for more info).

--
=========
Regards,
KM

CStewar replied on 04-Apr-07 07:56 AM
Yes, CheckExeSignatures is a string value, and it was set to 'no'.  I have
played extensively with all the settings.  I have manipulated the ‘Zone\1’
values to where I can get the behavior to change for other settings, such as
URLACTION_SHELL_FILE_DOWNLOAD and others, but I still am unable to prevent
the ‘publisher not verified’ dialog box.

I can turn off ActiveX controls altogether by manipulating the Zone
values, but I cannot stop the prompt.

CStewar replied on 04-Apr-07 08:08 AM
And just for further clarification:

I performed a REGMON on IE, opened the Tools | Internet Options... |
Advanced windows and logged the registry interaction.  Both the
RunInvalidSignatures='1' and CheckExeSignatures='no' values were read, and
these settings were also reflected in the check box settings within the
Advanced Tab.  Still, the 'publisher not verified' dialog appears.

Is it possible that the dialog is not being presented by IE, but by
something else?

KM replied on 05-Apr-07 02:21 PM
Sorry for delayed response. I somehow missed your last post.

I mentioned earlier in this thread that it is not IE but the CryptUI library that is showing the dialog.
I am clueless why it doesn't want to work for you when you set the value. Could you provide me with the link or test page you are using to test out the appearance of the dialog?

Since you are dealing with a UserControl (well, I'd love to see more details on this) I'd try to set to Enable all the ActiveX related policies of the Zone you are downloading the page from.

A couple more things to mention here:
- You might have already done this, but it is worth mentioning. Are you able to repro the issue on XP Pro?
- If you can't repro the issue on XP Pro, I suggest you try the XPProEmulation image (www.xpefiles.com). If you can't repro it there either, the issue is due to a missing dependency then.

--
=========
Regards,
KM

CStewar replied on 05-Apr-07 04:42 PM
Unfortunately it is not possible to make a link to the URL available outside
of the program area; this is a DOD classified program.

The problem does not exhibit itself on XP PRO SP2; setting the desired
registry settings has the intended effect of NOT presenting the "publisher
not verified" dialog.

Also, I can access the offending page residing on the embedded system from a
‘non-Embedded’ XP SP2 machine, and the problem does not occur.  The problem
only occurs when accessing the URL residing on XPE from IE which is also
running on that same XPE machine.

KM replied on 06-Apr-07 03:38 PM
I see. You are dealing with My Computer zone.

You may first want to make the zone show up in the Internet Options dialog.
To accomplish that, please remove 0x20 bit of Flags value under [HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0] key for IE7.
In IE6 just do that under [HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0] key.

Then go to Internet Options dialog, Security Tab, select My Computer Zone and change the security level for the zone. Better to make sure No Prompts sent for *any* option there.

--
=========
Regards,
KM

CStewar replied on 09-Apr-07 08:58 AM
I set the 'Flags' dword value in the ...Zones\0 key from 0x21 => 0x1, and
the 'My Computer' zone appeared in the Security tab.  I turned everything to
Enable (where appropriate), then ran the UserControl again.  Nothing changed,
the same "publisher could not be verified" dialog was presented.  I reopened
the Security tab, and all the 'My Computer' settings were as I had configured
them, including:

'Download unsigned ActiveX Controls'=Enabled
'Download signed ActiveX Controls'=Enabled
'Run ActiveX controls and plug-ins'=Enabled
'Automatic prompting for file downloads'=Disable
'File Download'=Enable

I also set the 'Flags' setting on my XP Pro machine to view the 'My
Computer' Security settings.  Those are set to the default level of 'High'
security, and many of the options are set to Disabled or Prompt.  Yet, as
mentioned before, the UserControl runs fine on that machine with no prompts
(it runs fine when served from IIS on the XP Pro machine as well as IIS on
the embedded system).

As determined before, it is the XP Embedded IE Client that is exhibiting the
problem/feature.

KM replied on 12-Apr-07 03:11 PM
CStewart,

I can see only two possible things left here:
- You are using a custom activex control. Then I can't help you tracing the issue without seeing the control.
- You have downloaded that binary component on another machine/OS. IE then changed the binary signature of that file to include zone information. To avoid such you will have to set the SaveZoneInformation to 0 on that PC or OS (not on the embedded image).

Sorry, couldn't be of more help here.

--
=========
Regards,
KM
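
The registry values discussed across this thread, gathered into a read-only check (an added example, not part of any post above). It assumes Windows PowerShell 2.0 or later is available on the image and reports each value's presence, registry type and data, since part of the thread turned on whether CheckExeSignatures was written as a DWORD or a string; the helper name `Test-RegValue` is hypothetical.

```powershell
# Added example: read-only audit of the registry values named in this thread.
# Paths and value names are quoted from the posts; expected types follow KM's
# posts (assumed DWORD for the non-policy RunInvalidSignatures location).
$pol = 'HKCU:\Software\Policies\Microsoft\Internet Explorer\Download'
$usr = 'HKCU:\Software\Microsoft\Internet Explorer\Download'
$cv  = 'HKCU:\Software\Microsoft\Windows\CurrentVersion'
$checks = @(
    @{ Path = $pol; Name = 'RunInvalidSignatures'; Kind = 'DWord'  },
    @{ Path = $pol; Name = 'CheckExeSignatures';   Kind = 'String' },
    @{ Path = $usr; Name = 'RunInvalidSignatures'; Kind = 'DWord'  },
    @{ Path = "$cv\Policies\Attachments";               Name = 'SaveZoneInformation'; Kind = 'DWord' },
    @{ Path = "$cv\Internet Settings\Zones\0";          Name = 'Flags'; Kind = 'DWord' },
    @{ Path = "$cv\Internet Settings\Lockdown_Zones\0"; Name = 'Flags'; Kind = 'DWord' }
)

# Hypothetical helper: returns one row per value without modifying anything.
function Test-RegValue($Path, $Name, $Kind) {
    $row = @{ Path = $Path; Name = $Name; State = 'KeyMissing'; ActualKind = $null; Data = $null }
    $key = Get-Item -LiteralPath $Path -ErrorAction SilentlyContinue
    if ($key) {
        if ($key.GetValueNames() -contains $Name) {
            $row.ActualKind = $key.GetValueKind($Name).ToString()
            $row.Data       = $key.GetValue($Name)
            # A value stored with the wrong type (dword:0 where "no" is expected) is flagged.
            $row.State = if ($row.ActualKind -eq $Kind) { 'Present' } else { 'WrongType' }
        } else {
            $row.State = 'ValueMissing'
        }
    }
    New-Object PSObject -Property $row
}

$report = foreach ($c in $checks) { Test-RegValue $c.Path $c.Name $c.Kind }
$report | Format-Table State, Name, ActualKind, Data, Path -AutoSize

# Bit 0x20 of Flags is the one KM's post says to clear so the My Computer zone
# shows up in Internet Options (Zones\0 for IE6, Lockdown_Zones\0 for IE7).
foreach ($f in ($report | Where-Object { $_.Name -eq 'Flags' -and $_.ActualKind -eq 'DWord' })) {
    '{0}: 0x20 bit set = {1}' -f $f.Path, (($f.Data -band 0x20) -ne 0)
}
```

Running the same script on the XP Pro machine and on the embedded image gives two tables that can be compared row by row.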