
FYI: Does not work with Code Integrity

Open powellnorma opened this issue 6 months ago • 1 comments

I had to disable Code Integrity via the following command:

Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity" -Name "Enabled" -Value 0

Before that, it logged:

3004 Windows is unable to verify the image integrity of the file \Device\HarddiskVolume3\Windows\System32\drivers\ssde.sys because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.

And:

5038 Code integrity determined that the image hash of a file is not valid.  The file could be corrupt due to unauthorized modification or the invalid hash could indicate a potential disk device error.

File Name:	\Device\HarddiskVolume3\Windows\System32\drivers\ssde.sys

Along with sc.exe giving the usual:

[SC] StartService FAILED 577:

Windows cannot verify the digital signature for this file. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.

powellnorma, Jun 17 '25 10:06

Today, disabling HypervisorEnforcedCodeIntegrity was not enough. I had to completely disable Virtualization-based Security (VBS).

For this, I first disabled DeviceGuard in the registry:

Remove-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard" -Name "EnableVirtualizationBasedSecurity" -ErrorAction SilentlyContinue
Remove-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard" -Name "RequirePlatformSecurityFeatures" -ErrorAction SilentlyContinue

Remove-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard" -Name "EnableVirtualizationBasedSecurity" -ErrorAction SilentlyContinue
Remove-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard" -Name "RequirePlatformSecurityFeatures" -ErrorAction SilentlyContinue

Then I used the official "Device Guard and Credential Guard hardware readiness tool", which can be downloaded here, and ran it like this: DG_Readiness_Tool_v3.6.ps1 -Disable. It will boot into a temporary boot entry where one can opt out of VBS by pressing F3.

Also see:

https://learn.microsoft.com/en-us/answers/questions/245071/disable-virtualization-based-security-without-disa

https://gist.github.com/LuemmelSec/590012ad04ad5bcfafc3b8257c636938

powellnorma, Oct 20 '25 21:10
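
An added example, not part of the issue or the ssde project's own code: a read-only PowerShell audit that reports the registry values named in this thread, the VBS/HVCI state the system is actually running with, and recent 3004/5038 Code Integrity events for ssde.sys. The event log locations (Microsoft-Windows-CodeIntegrity/Operational for 3004, Security for 5038) and the Win32_DeviceGuard query are assumptions not stated on the page.

```powershell
# Added example: read-only audit of the VBS / HVCI settings discussed in this thread.
# Run from an elevated prompt (reading the Security log requires it).
$dgPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard'
$dgSystem = 'HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard'
$checks = @(
    @{ Path = "$dgSystem\Scenarios\HypervisorEnforcedCodeIntegrity"; Name = 'Enabled' },
    @{ Path = $dgPolicy; Name = 'EnableVirtualizationBasedSecurity' },
    @{ Path = $dgPolicy; Name = 'RequirePlatformSecurityFeatures' },
    @{ Path = $dgSystem; Name = 'EnableVirtualizationBasedSecurity' },
    @{ Path = $dgSystem; Name = 'RequirePlatformSecurityFeatures' }
)

# 1. Configured state: a missing value is reported explicitly, not as an error.
$registry = foreach ($c in $checks) {
    $item  = Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue
    $value = if ($null -ne $item) { $item.($c.Name) } else { '<not set>' }
    [pscustomobject]@{ Path = $c.Path; Name = $c.Name; Value = $value }
}
$registry | Format-Table -AutoSize -Wrap

# 2. Running state: registry values are configuration only; Win32_DeviceGuard
#    reports what the current boot is actually enforcing.
$dg = Get-CimInstance -ClassName Win32_DeviceGuard `
                      -Namespace 'root\Microsoft\Windows\DeviceGuard'
$vbsState = @{ 0 = 'not enabled'; 1 = 'enabled, not running'; 2 = 'running' }
[pscustomobject]@{
    VBS            = $vbsState[[int]$dg.VirtualizationBasedSecurityStatus]
    HvciConfigured = $dg.SecurityServicesConfigured -contains 2   # 2 = HVCI
    HvciRunning    = $dg.SecurityServicesRunning    -contains 2
} | Format-List

# 3. Code Integrity events quoted in the thread, limited to the driver it names.
$queries = @(
    @{ LogName = 'Microsoft-Windows-CodeIntegrity/Operational'; Id = 3004 },
    @{ LogName = 'Security'; Id = 5038 }
)
foreach ($q in $queries) {
    Get-WinEvent -FilterHashtable $q -MaxEvents 50 -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -like '*\drivers\ssde.sys*' } |
        Select-Object TimeCreated, Id, LogName, Message
}
```

A host where the registry values read 0 or `<not set>` and `HvciRunning` is False no longer enforces hypervisor-protected code integrity; comparing this output against a known-good baseline shows whether that state is intended.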