[wue] add an option to copy SkuSiPolicy.p7b to the ESP on install

* This basically accomplishes the steps described in https://support.microsoft.com/kb/5042562 on first logon.
* Note that we use the installed system's SkuSiPolicy.p7b rather than the host system's, even if the latter
  is usually more up to date, because otherwise, the user may run into Error code: 0xc0000428 on first reboot.
* Likewise, we do not provide this option for Windows To Go, as it could prevent the existing Windows install
  from booting, and we'd have to extract SkuSiPolicy.p7b from `install.wim` to do so.
* Also remove dead code related to SkuSiPolicy.p7b hash parsing (which Microsoft no longer uses).
* Closes #2919 (though it doesn't actually address the issue reported there, which we couldn't replicate).

Author: pbatard

res/loc/rufus.loc

@@ -577,6 +577,7 @@ t MSG_320 "Refreshing partition layout (%s)..."
 t MSG_321 "The image you have selected is an ISOHybrid, but its creators have not made it compatible with ISO/File "
 	"copy mode.\nAs a result, DD image writing mode will be enforced."
 t MSG_322 "Unable to open or read '%s'"
+t MSG_324 "Apply SkuSiPolicy.p7b on installation (See KB5042562)"
 t MSG_325 "Applying Windows customization: %s"
 t MSG_326 "Applying user options..."
 t MSG_327 "Windows User Experience"
@@ -609,7 +610,7 @@ t MSG_346 "Restrict Windows to S-Mode (INCOMPATIBLE with online account bypass)"
 t MSG_347 "Expert Mode"
 t MSG_348 "Extracting archive files: %s"
 t MSG_349 "Use Rufus MBR"
-t MSG_350 "Use 'Windows CA 2023' signed bootloaders (requires a compatible target PC)"
+t MSG_350 "Use 'Windows CA 2023' signed bootloaders (Requires a compatible target PC)"
 t MSG_351 "Checking for UEFI bootloader revocation..."
 t MSG_352 "Checking for UEFI DBX updates..."
 t MSG_353 "DBX update available"

src/format.c

@@ -1979,7 +1979,6 @@ DWORD WINAPI FormatThread(void* param)
 						}
 					}
 				}
-				CopySKUSiPolicy(drive_name);
 				if ( (target_type == TT_BIOS) && HAS_WINPE(img_report) ) {
 					// Apply WinPE fixup
 					if (!SetupWinPE(drive_name[0]))

src/license.h

@@ -144,11 +144,6 @@ const char* additional_copyrights =
 "https://github.com/u-boot/u-boot\\line\n"
 "GNU General Public License (GPL) v2 or later\\line\n"
 "\\line\n"
-"SkuSiPolicy.p7b parsing derived from:\\line\n"
-"https://gist.github.com/mattifestation/92e545bf1ee5b68eeb71d254cec2f78e\\line\n"
-"by Matthew Graeber, with contributions by James Forshaw\\line\n"
-"BSD 3-Clause\\line\n"
-"\\line\n"
 "About and License dialogs inspired by WinSCP by Martin Prikryl\\line\n"
 "https://winscp.net/\\line\n"
 "GNU General Public License (GPL) v3 or later\\line\n"

src/pki.c

@@ -1,7 +1,7 @@
 /*
  * Rufus: The Reliable USB Formatting Utility
  * PKI functions (code signing, etc.)
- * Copyright © 2015-2024 Pete Batard <pete@akeo.ie>
+ * Copyright © 2015-2026 Pete Batard <pete@akeo.ie>
  *
  * This program is free software: you can redistribute it and/or modify
  * it under the terms of the GNU General Public License as published by
@@ -260,7 +260,7 @@ const char* WinPKIErrorString(void)
 	}
 }
 
-// Mostly from https://support.microsoft.com/en-us/kb/323809
+// Mostly from https://support.microsoft.com/kb/323809
 char* GetSignatureName(const char* path, const char* country_code, uint8_t* thumbprint, BOOL bSilent)
 {
 	static char szSubjectName[128];
@@ -900,120 +900,3 @@ BOOL ValidateOpensslSignature(BYTE* pbBuffer, DWORD dwBufferLen, BYTE* pbSignatu
 		CryptReleaseContext(hProv, 0);
 	return r;
 }
-
-// The following SkuSiPolicy.p7b parsing code is derived from:
-// https://gist.github.com/mattifestation/92e545bf1ee5b68eeb71d254cec2f78e
-// by Matthew Graeber, with contributions by James Forshaw.
-BOOL ParseSKUSiPolicy(void)
-{
-	char path[MAX_PATH];
-	wchar_t* wpath = NULL;
-	BOOL r = FALSE;
-	DWORD i, dwEncoding, dwContentType, dwFormatType;
-	DWORD dwPolicySize = 0, dwBaseIndex = 0, dwSizeCount;
-	HCRYPTMSG hMsg = NULL;
-	CRYPT_DATA_BLOB pkcsData = { 0 };
-	DWORD* pdwEkuRules;
-	BYTE* pbRule;
-	CIHeader* Header;
-	CIFileRuleHeader* FileRuleHeader;
-	CIFileRuleData* FileRuleData;
-
-	pe256ssp_size = 0;
-	safe_free(pe256ssp);
-	// Must use sysnative for WOW
-	static_sprintf(path, "%s\\SecureBootUpdates\\SKUSiPolicy.p7b", sysnative_dir);
-	wpath = utf8_to_wchar(path);
-	if (wpath == NULL)
-		goto out;
-
-	r = CryptQueryObject(CERT_QUERY_OBJECT_FILE, wpath, CERT_QUERY_CONTENT_FLAG_ALL,
-		CERT_QUERY_FORMAT_FLAG_ALL, 0, &dwEncoding, &dwContentType, &dwFormatType, NULL,
-		&hMsg, NULL);
-	if (!r || dwContentType != CERT_QUERY_CONTENT_PKCS7_SIGNED)
-		goto out;
-
-	r = CryptMsgGetParam(hMsg, CMSG_CONTENT_PARAM, 0, NULL, &pkcsData.cbData);
-	if (!r || pkcsData.cbData == 0) {
-		uprintf("ParseSKUSiPolicy: Failed to retreive CMSG_CONTENT_PARAM size: %s", WindowsErrorString());
-		goto out;
-	}
-	pkcsData.pbData = malloc(pkcsData.cbData);
-	if (pkcsData.pbData == NULL)
-		goto out;
-	r = CryptMsgGetParam(hMsg, CMSG_CONTENT_PARAM, 0, pkcsData.pbData, &pkcsData.cbData);
-	if (!r) {
-		uprintf("ParseSKUSiPolicy: Failed to retreive CMSG_CONTENT_PARAM: %s", WindowsErrorString());
-		goto out;
-	}
-
-	// Now process the actual Security Policy content
-	if (pkcsData.pbData[0] == 4) {
-		dwPolicySize = pkcsData.pbData[1];
-		dwBaseIndex = 2;
-		if ((dwPolicySize & 0x80) == 0x80) {
-			dwSizeCount = dwPolicySize & 0x7F;
-			dwBaseIndex += dwSizeCount;
-			dwPolicySize = 0;
-			for (i = 0; i < dwSizeCount; i++) {
-				dwPolicySize = dwPolicySize << 8;
-				dwPolicySize = dwPolicySize | pkcsData.pbData[2 + i];
-			}
-		}
-	}
-
-	// Sanity checks
-	Header = (CIHeader*)&pkcsData.pbData[dwBaseIndex];
-	if (Header->HeaderLength + sizeof(uint32_t) != sizeof(CIHeader)) {
-		uprintf("ParseSKUSiPolicy: Unexpected Code Integrity Header size (0x%02x)", Header->HeaderLength);
-		goto out;
-	}
-	if (!CompareGUID(&Header->PolicyTypeGUID, &SKU_CODE_INTEGRITY_POLICY)) {
-		uprintf("ParseSKUSiPolicy: Unexpected Policy Type GUID %s", GuidToString(&Header->PolicyTypeGUID, TRUE));
-		goto out;
-	}
-
-	// Skip the EKU Rules
-	pdwEkuRules = (DWORD*) &pkcsData.pbData[dwBaseIndex + sizeof(CIHeader)];
-	for (i = 0; i < Header->EKURuleEntryCount; i++)
-		pdwEkuRules = &pdwEkuRules[(*pdwEkuRules + (2 * sizeof(DWORD) - 1)) / sizeof(DWORD)];
-
-	// Process the Files Rules
-	pbRule = (BYTE*)pdwEkuRules;
-	pe256ssp = malloc(Header->FileRuleEntryCount * PE256_HASHSIZE);
-	if (pe256ssp == NULL)
-		goto out;
-	for (i = 0; i < Header->FileRuleEntryCount; i++) {
-		FileRuleHeader = (CIFileRuleHeader*)pbRule;
-		pbRule = &pbRule[sizeof(CIFileRuleHeader)];
-		if (FileRuleHeader->FileNameLength != 0) {
-//			uprintf("%S", FileRuleHeader->FileName);
-			pbRule = &pbRule[((FileRuleHeader->FileNameLength + sizeof(DWORD) - 1) / sizeof(DWORD)) * sizeof(DWORD)];
-		}
-		FileRuleData = (CIFileRuleData*)pbRule;
-		if (FileRuleData->HashLength > 0x80) {
-			uprintf("ParseSKUSiPolicy: Unexpected hash length for entry %d (0x%02x)", i, FileRuleData->HashLength);
-			// We're probably screwed, so bail out
-			break;
-		}
-		//  We are only interested in 'DENY' type with PE256 hashes
-		if (FileRuleHeader->Type == CI_DENY && FileRuleData->HashLength == PE256_HASHSIZE) {
-			// Microsoft has the bad habit of duplicating entries - only add a hash if it's different from previous entry
-			if ((pe256ssp_size == 0) ||
-				(memcmp(&pe256ssp[(pe256ssp_size - 1) * PE256_HASHSIZE], FileRuleData->Hash, PE256_HASHSIZE) != 0)) {
-				memcpy(&pe256ssp[pe256ssp_size * PE256_HASHSIZE], FileRuleData->Hash, PE256_HASHSIZE);
-				pe256ssp_size++;
-			}
-		}
-		pbRule = &pbRule[sizeof(CIFileRuleData) + ((FileRuleData->HashLength + sizeof(DWORD) - 1) / sizeof(DWORD)) * sizeof(DWORD)];
-	}
-
-	r = TRUE;
-
-out:
-	if (hMsg != NULL)
-		CryptMsgClose(hMsg);
-	free(pkcsData.pbData);
-	free(wpath);
-	return r;
-}

src/rufus.c

@@ -93,7 +93,7 @@ static char uppercase_select[2][64], uppercase_start[64], uppercase_close[64], u
 
 extern HANDLE update_check_thread;
 extern HIMAGELIST hUpImageList, hDownImageList;
-extern BOOL enable_iso, enable_joliet, enable_rockridge, enable_extra_hashes, is_bootloader_revoked;
+extern BOOL enable_iso, enable_joliet, enable_rockridge, enable_extra_hashes;
 extern BOOL validate_md5sum, cpu_has_sha1_accel, cpu_has_sha256_accel, toggle_dark_mode;
 extern BYTE* fido_script;
 extern HWND hFidoDlg;
@@ -1505,7 +1505,6 @@ static DWORD WINAPI BootCheckThread(LPVOID param)
 	char tmp[MAX_PATH], tmp2[MAX_PATH], c;
 
 	syslinux_ldlinux_len[0] = 0; syslinux_ldlinux_len[1] = 0;
-	is_bootloader_revoked = FALSE;
 	safe_free(grub2_buf);
 
 	if (ComboBox_GetCurSel(hDeviceList) == CB_ERR)
@@ -1688,6 +1687,8 @@ static DWORD WINAPI BootCheckThread(LPVOID param)
 				if (img_report.win_version.build >= 26200) {
 					StrArrayAdd(&options, lmprintf(MSG_350), TRUE);
 					MAP_BIT(UNATTEND_USE_MS2023_BOOTLOADERS);
+					StrArrayAdd(&options, lmprintf(MSG_324), TRUE);
+					MAP_BIT(UNATTEND_APPLY_SKUSIPOLICY);
 				}
 				if (expert_mode) {
 					StrArrayAdd(&options, lmprintf(MSG_346), TRUE);

src/rufus.h

@@ -685,8 +685,9 @@ typedef struct {
 #define UNATTEND_DISABLE_BITLOCKER          0x00080
 #define UNATTEND_FORCE_S_MODE               0x00100
 #define UNATTEND_USE_MS2023_BOOTLOADERS     0x00200
-#define UNATTEND_FULL_MASK                  0x003FF
-#define UNATTEND_DEFAULT_MASK               0x002FF		// Mask of values that are persisted
+#define UNATTEND_APPLY_SKUSIPOLICY          0x00400
+#define UNATTEND_FULL_MASK                  0x007FF
+#define UNATTEND_DEFAULT_MASK               0x006FF		// Mask of values that are persisted
 #define UNATTEND_WINDOWS_TO_GO              0x10000		// Special flag for Windows To Go
 
 #define UNATTEND_WINPE_SETUP_MASK           (UNATTEND_SECUREBOOT_TPM_MINRAM)
@@ -815,7 +816,6 @@ extern BOOL ExtractISO(const char* src_iso, const char* dest_dir, BOOL scan);
 extern BOOL ExtractZip(const char* src_zip, const char* dest_dir);
 extern int64_t ExtractISOFile(const char* iso, const char* iso_file, const char* dest_file, DWORD attributes);
 extern uint32_t ReadISOFileToBuffer(const char* iso, const char* iso_file, uint8_t** buf);
-extern BOOL CopySKUSiPolicy(const char* drive_name);
 extern BOOL HasEfiImgBootLoaders(void);
 extern BOOL DumpFatDir(const char* path, int32_t cluster);
 extern BOOL InstallSyslinux(DWORD drive_index, char drive_letter, int fs);
@@ -866,7 +866,6 @@ extern int GetIssuerCertificateInfo(uint8_t* cert, cert_info_t* info);
 extern uint64_t GetSignatureTimeStamp(const char* path);
 extern LONG ValidateSignature(HWND hDlg, const char* path);
 extern BOOL ValidateOpensslSignature(BYTE* pbBuffer, DWORD dwBufferLen, BYTE* pbSignature, DWORD dwSigLen);
-extern BOOL ParseSKUSiPolicy(void);
 extern BOOL IsFontAvailable(const char* font_name);
 extern BOOL WriteFileWithRetry(HANDLE hFile, LPCVOID lpBuffer, DWORD nNumberOfBytesToWrite,
 	LPDWORD lpNumberOfBytesWritten, DWORD nNumRetries);

src/rufus.rc

@@ -33,7 +33,7 @@ LANGUAGE LANG_NEUTRAL, SUBLANG_NEUTRAL
 IDD_DIALOG DIALOGEX 12, 12, 232, 326
 STYLE DS_SETFONT | DS_MODALFRAME | DS_CENTER | WS_MINIMIZEBOX | WS_POPUP | WS_CAPTION | WS_SYSMENU
 EXSTYLE WS_EX_ACCEPTFILES
-CAPTION "Rufus 4.14.2317"
+CAPTION "Rufus 4.14.2318"
 FONT 9, "Segoe UI Symbol", 400, 0, 0x0
 BEGIN
     LTEXT           "Drive Properties",IDS_DRIVE_PROPERTIES_TXT,8,6,53,12,NOT WS_GROUP
@@ -408,8 +408,8 @@ END
 //
 
 VS_VERSION_INFO VERSIONINFO
- FILEVERSION 4,14,2317,0
- PRODUCTVERSION 4,14,2317,0
+ FILEVERSION 4,14,2318,0
+ PRODUCTVERSION 4,14,2318,0
  FILEFLAGSMASK 0x3fL
 #ifdef _DEBUG
  FILEFLAGS 0x1L
@@ -427,13 +427,13 @@ BEGIN
             VALUE "Comments", "https://rufus.ie"
             VALUE "CompanyName", "Akeo Consulting"
             VALUE "FileDescription", "Rufus"
-            VALUE "FileVersion", "4.14.2317"
+            VALUE "FileVersion", "4.14.2318"
             VALUE "InternalName", "Rufus"
             VALUE "LegalCopyright", "� 2011-2026 Pete Batard (GPL v3)"
             VALUE "LegalTrademarks", "https://www.gnu.org/licenses/gpl-3.0.html"
             VALUE "OriginalFilename", "rufus-4.14.exe"
             VALUE "ProductName", "Rufus"
-            VALUE "ProductVersion", "4.14.2317"
+            VALUE "ProductVersion", "4.14.2318"
         END
     END
     BLOCK "VarFileInfo"

src/wue.c

@@ -1,7 +1,7 @@
 /*
  * Rufus: The Reliable USB Formatting Utility
  * Windows User Experience
- * Copyright © 2022-2025 Pete Batard <pete@akeo.ie>
+ * Copyright © 2022-2026 Pete Batard <pete@akeo.ie>
  *
  * This program is free software: you can redistribute it and/or modify
  * it under the terms of the GNU General Public License as published by
@@ -47,7 +47,6 @@ const char* bypass_name[] = { "BypassTPMCheck", "BypassSecureBootCheck", "Bypass
 int unattend_xml_flags = 0, wintogo_index = -1, wininst_index = 0;
 int unattend_xml_mask = UNATTEND_DEFAULT_SELECTION_MASK;
 char *unattend_xml_path = NULL, unattend_username[MAX_USERNAME_LENGTH];
-BOOL is_bootloader_revoked = FALSE;
 
 extern BOOL validate_md5sum;
 extern uint64_t md5sum_totalbytes;
@@ -65,7 +64,7 @@ char* CreateUnattendXml(int arch, int flags)
 {
 	const static char* xml_arch_names[5] = { "x86", "amd64", "arm", "arm64" };
 	const static char* unallowed_account_names[] = { "Administrator", "Guest", "KRBTGT", "Local", "NONE" };
-	static char path[MAX_PATH];
+	static char path[MAX_PATH], tmp[MAX_PATH];
 	char* tzstr;
 	FILE* fd;
 	TIME_ZONE_INFORMATION tz_info;
@@ -140,7 +139,8 @@ char* CreateUnattendXml(int arch, int flags)
 	}
 
 	if (flags & UNATTEND_OOBE_MASK) {
-		order = 1;
+		StrArray first_logon_commands = STRARRAY_EMPTY;
+		StrArrayCreate(&first_logon_commands, 8);
 		fprintf(fd, "  <settings pass=\"oobeSystem\">\n");
 		if (flags & UNATTEND_OOBE_SHELL_SETUP_MASK) {
 			fprintf(fd, "    <component name=\"Microsoft-Windows-Shell-Setup\" processorArchitecture=\"%s\" language=\"neutral\" "
@@ -200,20 +200,40 @@ char* CreateUnattendXml(int arch, int flags)
 					// Since we set a blank password, we'll ask the user to change it at next logon.
 					// NB: In case you wanna try, please be aware that Microsoft doesn't let you have multiple
 					// <FirstLogonCommands> sections in unattend.xml. Don't ask me how I know... :(
-					fprintf(fd, "      <FirstLogonCommands>\n");
-					fprintf(fd, "        <SynchronousCommand wcm:action=\"add\">\n");
-					fprintf(fd, "          <Order>%d</Order>\n", order++);
-					fprintf(fd, "          <CommandLine>net user &quot;%s&quot; /logonpasswordchg:yes</CommandLine>\n", unattend_username);
-					fprintf(fd, "        </SynchronousCommand>\n");
-					// Some people report that using the `net user` command above might reset the password expiration to 90 days...
+					static_sprintf(tmp, "net user &quot;%s&quot; /logonpasswordchg:yes", unattend_username);
+					StrArrayAdd(&first_logon_commands, tmp, TRUE);
+					// The `net user` command above might reset the password expiration to 90 days...
 					// To alleviate that, blanket set passwords on the target machine to never expire.
-					fprintf(fd, "        <SynchronousCommand wcm:action=\"add\">\n");
-					fprintf(fd, "          <Order>%d</Order>\n", order++);
-					fprintf(fd, "          <CommandLine>net accounts /maxpwage:unlimited</CommandLine>\n");
-					fprintf(fd, "        </SynchronousCommand>\n");
-					fprintf(fd, "      </FirstLogonCommands>\n");
+					StrArrayAdd(&first_logon_commands, "net accounts /maxpwage:unlimited", TRUE);
 				}
 			}
+
+			// Apply SkuSiPolicy.p7b, if the user requested it and we're not creating a Windows To Go drive.
+			// See https://support.microsoft.com/kb/5042562. We do it post install, on first logon, because
+			// we'd have to patch tons of files otherwise. And we *ALWAYS* use the installed system's
+			// SkuSiPolicy.p7b instead of the host system's, even if the latter might be more recent, on
+			// account that the bootloaders from the installed system might be trailing behind, and wills
+			// produce the 0xc0000428 signature validation error on (re)boot if the system hasn't gone
+			// through a full Windows Update cycle.
+			if (flags & UNATTEND_APPLY_SKUSIPOLICY) {
+				StrArrayAdd(&first_logon_commands, "cmd /c mountvol S: /S &amp;&amp; "
+					"copy %WINDIR%\\system32\\SecureBootUpdates\\SkuSiPolicy.p7b S:\\EFI\\Microsoft\\Boot &amp;&amp; "
+					"mountvol S: /D", TRUE);
+			}
+
+			// Now that we have all the commands to run, create the FirstLogonCommands section.
+			for (order = 1; order <= (int)first_logon_commands.Index; order++) {
+				if (order == 1)
+					fprintf(fd, "      <FirstLogonCommands>\n");
+				fprintf(fd, "        <SynchronousCommand wcm:action=\"add\">\n");
+				fprintf(fd, "          <Order>%d</Order>\n", order);
+				fprintf(fd, "          <CommandLine>%s</CommandLine>\n", first_logon_commands.String[order - 1]);
+				fprintf(fd, "        </SynchronousCommand>\n");
+				if (order == first_logon_commands.Index)
+					fprintf(fd, "      </FirstLogonCommands>\n");
+			}
+			StrArrayDestroy(&first_logon_commands);
+
 			fprintf(fd, "    </component>\n");
 		}
 		if (flags & UNATTEND_OOBE_INTERNATIONAL_MASK) {
@@ -510,31 +530,6 @@ BOOL PopulateWindowsVersion(void)
 	return ((img_report.win_version.major != 0) && (img_report.win_version.build != 0));
 }
 
-// Copy this system's SkuSiPolicy.p7b to the target drive so that UEFI bootloaders
-// revoked by Windows through WDAC policy do get flagged as revoked.
-BOOL CopySKUSiPolicy(const char* drive_name)
-{
-	BOOL r = FALSE;
-	char src[MAX_PATH], dst[MAX_PATH];
-	struct __stat64 stat64 = { 0 };
-
-	// Only copy SkuPolicy if we warned about the bootloader being revoked.
-	if ((target_type != TT_UEFI) || !IS_WINDOWS_1X(img_report) ||
-		(pe256ssp_size == 0) || !is_bootloader_revoked)
-		return r;
-
-	static_sprintf(src, "%s\\SecureBootUpdates\\SKUSiPolicy.p7b", system_dir);
-	static_sprintf(dst, "%s\\EFI\\Microsoft\\Boot\\SKUSiPolicy.p7b", drive_name);
-	if ((_stat64U(dst, &stat64) != 0) && (_stat64U(src, &stat64) == 0)) {
-		uprintf("Copying: %s (%s) (from %s)", dst, SizeToHumanReadable(stat64.st_size, FALSE, FALSE), src);
-		r = CopyFileU(src, dst, TRUE);
-		if (!r)
-			uprintf("  Error writing file: %s", WindowsErrorString());
-	}
-
-	return r;
-}
-
 /// <summary>
 /// Checks which versions of Windows are available in an install image
 /// to set our extraction index. Asks the user to select one if needed.
@@ -739,8 +734,6 @@ BOOL SetupWinToGo(DWORD DriveIndex, const char* drive_name, BOOL use_esp)
 		ErrorStatus = RUFUS_ERROR(APPERR(ERROR_ISO_EXTRACT));
 	}
 
-	CopySKUSiPolicy((use_esp) ? ms_efi : drive_name);
-
 	UpdateProgressWithInfo(OP_FILE_COPY, MSG_267, 99, 100);
 
 	// Setting internal drives offline for Windows To Go is crucial if, for instance, you are using ReFS