Mark Berry April 19, 2011
A user running Windows 7 Enterprise received this UAC prompt at logon about a driver installation. But she hadn’t attached any devices, so why is a driver trying to install? And what device is it for? Is some new kind of virus using the driver install process to request UAC approval?
I can see the prompt when I connect to the user’s session using LogMeIn, but I do not get a UAC prompt when I log on as an admin user using Remote Desktop.
While the user was logged on, I clicked on the link to see the certificate. Several things here look suspicious.
First, the certificate is expired. Also, it was issued to an operating system, not a company:
It does link back to the Microsoft root:
The link in the Policies item is dead:
The revocation server is offline:
Here are the serial number and thumbprint:
I called Microsoft PC Safety line for help diagnosing the issue. I was trapped and misrouted for about ten minutes (their phone tree lists XP and Vista as choices, but not Windows 7). Once I finally got through to a rep, he wanted me to start with a system restore, then move on to an online virus scan. He did not seem interested in determining if Microsoft’s certificate had been compromised.
ATI HD 2400?
After taking the screen shots above, I logged on again as an admin, this time using LogMeIn. I did not get a UAC prompt, but I did see a popup appear briefly by the system tray telling me that an ATI HD 2400 driver had been installed. Checking back in my Windows Update history, I see that I did install an ATI update recently:
By now I am not surprised that the Winqual site listed in the Windows Update details, for a driver released last month, is also a dead link.
It is conceivable, even probable, that this was the driver asking for permission to install. I didn’t see it when logging in using Remote Desktop because as a local display driver, it wasn’t needed for the RDP session and therefore wasn’t installed.
How to Tell?
I’m still left wondering:
- How do I tell from the UAC prompt what is trying to install? That long \\.\pipe string is pretty useless.
- Is the certificate valid? If so, why is it expired? Why is the link in the Policies attribute dead? Why is the revocation list offline?
- Why is the Winqual driver page dead?
- How do I verify a certificate? If it looks suspicious, whom do I contact at Microsoft for help?
- Should I be able to find this “Microsoft Windows” certificate on the system? Where? I don’t see it in the Certificates Manager.
Just trying to exercise reasonable caution here before allowing an unexpected device to install on the system, but it seems a lot harder than it should be to verify what the driver is and whether it is legitimate.
Update April 20, 2011
A colleague pointed out and I can confirm that the file C:\Windows\System32\drivers\isapnp.sys on any Windows 7 system is signed by the same certificate, so apparently the certificate is legitimate. Although expired now, the certificate must have been valid when the driver was signed. He also noticed that by stripping off the end of the Policies URL, you can go to https://www.microsoft.com/pki/ssl/cps/. Here we find that this is the “Future Location of the Microsoft Certificate Practices Statement” and that the page was last updated on June 20, 2001: