Since MSFT demands Secure Boot for windows 11 to be on in order to install, and this is a irrational demand.
I was wondering if we can sue a efiguard to fake the secure boot starts variable such that on a system without secure boot windows wil think it was booted securely?

Cheers
David X.

Hi Matt,
as a EFI novice I just wanted to thank you for this wonderful project ^^ I'm sure you know but this past year EfiGuard has been the source of inspiration for many other public EFI projects, that wouldn't have been possible without your efforts. From a hypervisor to various that involve hardware and memory. The application possibilities are endless, but I know it's been a huge help to security applications(such as kernel logging malware activities without patchguard whining) as well as in the gaming community. EfiGuard allowed https://www.techpowerup.com/forums/threads/sli-with-different-cards.158907/post-4027394 to work for their unique SLI setup and i've seen it used similarly involving 3rd party drivers that were able to run without expensive certificates. The fact you've managed to keep this project up to date for the latest windows while naggy patchguard keeps evolving is extremely impressive! I'll continue to study your code and learn from it thanks again!

Hi if I do a system info dump (-i) before disabling the DSE with the -d flag

My CodeIntegrityInformation is as follows:
SystemCodeIntegrityInformation: - IntegrityOptions: 0x0001

So then I disable DSE and do a dump again and its as follows:
SystemCodeIntegrityInformation: - IntegrityOptions: 0x0000

Then after running -e to re-enable DSE again and then do a dump IntegrityOptions are still:
SystemCodeIntegrityInformation: - IntegrityOptions: 0x0000

Thanks anyway, great release

i use kernel debug and insert __debugbreak() in EfiGuardInitialize, but no breakpoint is triggered

I have a driver that hooks SSDT function and after a while i get a bsod with a Stop Code CRITICAL_STRUCTURE_CORRUPTION

Windows 10 pro 1909 (build 18363.778)
EfiGuard v1.0.2 (not latest but also the fix in the latest version is for newer windows version)
EfiDSEFix.exe -i

SystemBootEnvironmentInformation:
        - BootIdentifier: {525c7818-68bb-11ea-8e6c-00d8615536c2}
        - FirmwareType: UEFI
        - BootFlags: 0x0

SystemModuleInformation:
        - Kernel: ntoskrnl.exe (\SystemRoot\system32\ntoskrnl.exe)

SystemCodeIntegrityInformation:
        - IntegrityOptions: 0x0001

SystemKernelDebuggerInformation:
        - KernelDebuggerEnabled: 0
        - KernelDebuggerNotPresent: 1

SystemKernelDebuggerInformationEx:
        - DebuggerAllowed: 0
        - DebuggerEnabled: 0
        - DebuggerPresent: 0

SharedUserData->KdDebuggerEnabled: 0x00

SystemKernelDebuggerFlags: 0x00

SystemCodeIntegrityPolicyInformation:
        - Options: 0x40000000
        - HVCIOptions: 0x0000

Also i use a signed driver(using a leaked cert) so i don't disable DSE

I do not get any errors in the loader itself

let me know what else i need to provide to help

c:\MyWorkspace>build -a X64 -t VS2019 -p EfiGuardPkg/EfiGuardPkg.dsc -b RELEASE
Build environment: Windows-10-10.0.19041-SP0
Build start time: 10:14:37, Jun.28 2021

WORKSPACE = c:\myworkspace
EDK_TOOLS_PATH = c:\myworkspace\basetools

Processing meta-data .EDK_TOOLS_BIN = c:\myworkspace\basetools\bin\win32
CONF_PATH = c:\myworkspace\conf
PYTHON_COMMAND = py -3

Architecture(s) = X64
Build target = RELEASE
Toolchain = VS2019

Active Platform = c:\myworkspace\EfiGuardPkg\EfiGuardPkg.dsc

build.py...
c:\myworkspace\EfiGuardPkg\EfiGuardPkg.dsc(...): error 4000: Instance of library class [RegisterFilterLib] is not found
in [c:\myworkspace\MdePkg\Library\BaseLib\BaseLib.inf] [X64]
consumed by module [c:\myworkspace\EfiGuardPkg\EfiGuardDxe\EfiGuardDxe.inf]

• Failed -
  Build end time: 10:14:37, Jun.28 2021
  Build total time: 00:00:00

1. As the title alludes, if I use EfiGuard from USB to boot Windows, are the patches applied permanently? The description of the patching process makes it sound like yes, but the part about the USB stick sounds like the USB might have to be plugged in every time I boot. Is that correct, or am I misinterpreting it?
2. Once I boot the loader (using the default settings), what exactly does that change? Does that just install EfiDSEFix.exe and make it available to run, or does it automatically change something about Windows (e.g. disable some security aspect)
3. I understand that executing EfiDSEFix.exe -d disables DSE; does this require reboot?
4. Can I later re-enable DSE?
5. What are the main security vulnerabilities of doing this patch and disabling DSE?
6. Do the patches persist across Windows OS updates/upgrades?

I know these are a lot of questions, and I appreciate your help!)

I am looking into using this patch to apply my own driver on boot. is this possible to load another driver at boot or would i have to work within the full standard EFIGuard source you have in order to make something like that work?
I only ask because i have tried so many times to setup EDK and i cannot for the life of me get it to work let alone looking at source code lol.
I am very knowledge in drivers as i currently have one now that works fine when loaded through windows im just trying to find a way to patch windows and run this driver on boot rather then loaded once in windows. if that makes sense.

Error executing efidsefix.exe -d

Disabling DSE...
CI!g_CiOptions at 0xFFFFF8034E4283B8.
Failure: NtSetSystemEnvironmentValueEx error C000000D
AdjustCiOptions failed: C000000D

EfiDSEFix.exe -i
SystemBootEnvironmentInformation:
- BootIdentifier: {f45c4fdd-b208-11eb-bfac-f6a794726b32}
- FirmwareType: UEFI
- BootFlags: 0x0

SystemModuleInformation:
- Kernel: ntoskrnl.exe (\SystemRoot\system32\ntoskrnl.exe)

SystemCodeIntegrityInformation:
- IntegrityOptions: 0x0001

SystemKernelDebuggerInformation:
- KernelDebuggerEnabled: 0
- KernelDebuggerNotPresent: 1

SystemKernelDebuggerInformationEx:
- DebuggerAllowed: 0
- DebuggerEnabled: 0
- DebuggerPresent: 0

SharedUserData->KdDebuggerEnabled: 0x00

SystemKernelDebuggerFlags: 0x00

SystemCodeIntegrityPolicyInformation:
- Options: 0x40000000
- HVCIOptions: 0x0000

Is it possible to patch other things in the kernel other than driver signing?

Lets say if we wanted to disable certain WinAPI calls etc?

Had to ask, thanks for this great project.

Newbie alert

I have an MBR motherboard that does not support UEFI. (Gigabyte GA-990FXA-UD3 rev 1.1)

Is it possible to get this to work or does it support UEFI boards only?
I did try to boot it from the USB but I got an operating system not found message.

how can i set DSEFix to activate on boot, without having to use the config tool manually each time?

I know i can create a task to run efidsefix.exe on logon (or even pre-logon) but i'd like to know if there is a way to integrate it into the boot process?

My windows boots with grub (chainload bootmgfw.efi).
Is it possible to load EfiGuard with grub?
chainload efiguard and then bootmgfw doesnt work.

Hello, im writting here to seek help, this is my last resort after trying almost everything and having 0 success on disabling patchguard

im currently using an Alienware 15R3 laptop, running W10 19041.450 build, im facing the following issues (not blaming your tool, instead it's my fault for being such a noob).

• If i try method 1 (Booting the loader) it only "works" if i have secure boot off. I rename Loader.efi to bootx64.efi but when it boots it just stays on the screen that says matti rootkits you can trust, shows like 2 lines of green text and that's it, it stays like that forever so i have to turn it off manually
• If i try the shell method it "works" until some point, on step 3 you say that i have to cd to /efi/boot but when i type cd and /efi/boot it says "unkown flag /efi/boot" i don't know if im typing something wrong or what, if i enter "load EfiGuardDxe.efi" it says: file not found.

When i enter either loader.efi or loader.config.efi i get redirected to the screen that says matti rootkits you can trust and it shows lots of green lines, at the end it says "successfully disabled patchguard, Successfully patched ntoskrnl.exe" but i think it stills enabled somehow, it should create a patched entry right?

Also, if i try to run on desktop EfiDSEFix.exe nothing happens, the file closes itself (AV turned off) also, i think it still disabled because when im using WKE to hide the process i need i keep getting bsod after some minutes, that's why im trying to disable patchguard, hope you can help me or guide me.

Hi. After installing KB5003173 update for Windows 10, 21H1, 20H2 и 2004 when you launch efidsefix with -d flag (after successfull OS launch with efidse bootkit i get BSOD

BDOS caused by cng.sys

ATTEMPTED_WRITE_TO_READONLY_MEMORY (be)
An attempt was made to write to readonly memory. The guilty driver is on the
stack trace (and is typically the current instruction pointer).
When possible, the guilty driver's name (Unicode string) is printed on
the bugcheck screen and saved in KiBugCheckDriver.
Arguments:
Arg1: fffff8054b74d12d, Virtual address for the attempted write.
Arg2: 090000000394d121, PTE contents.
Arg3: ffffe085ef83e530, (reserved)
Arg4: 000000000000000b, (reserved)

PROCESS_NAME: EfiDSEFix.exe

TRAP_FRAME: ffffe085ef83e530 -- (.trap 0xffffe085ef83e530)
NOTE: The trap frame does not contain all registers.
Some register values may be zeroed or incorrect.
rax=0000000000000000 rbx=0000000000000000 rcx=00f88b9000000000
rdx=0000000000000000 rsi=0000000000000000 rdi=0000000000000000
rip=fffff8054d23a83f rsp=ffffe085ef83e6c0 rbp=ffffe085ef83e7b0
r8=ff00000000ffffff r9=fffff8054b74d12d r10=ffffe280a91a2c60
r11=ffffe085ef83ea48 r12=0000000000000000 r13=0000000000000000
r14=0000000000000000 r15=0000000000000000
iopl=0 nv up ei pl zr ac po nc
fffff8054d23a83f 418911 mov dword ptr [r9],edx ds:fffff8054b74d12d=f88b9000
Resetting default scope

STACK_TEXT:
ffffe085ef83e288 fffff8054848dfb3 : 00000000000000be fffff8054b74d12d 090000000394d121 ffffe085ef83e530 : nt!KeBugCheckEx
ffffe085ef83e290 fffff80548328210 : 00000000004e004c 0000000000000003 ffffe085ef83e5b0 0000000000000000 : nt!MiSystemFault+0x147ef3
ffffe085ef83e390 fffff80548404e5e : 0000000000000000 0000000000000000 0000000000000000 0000000000000000 : nt!MmAccessFault+0x400
ffffe085ef83e530 fffff8054d23a83f : 0000000000000000 0000000000000008 ffffb20cba75e080 fffff8054829240a : nt!KiPageFault+0x35e
ffffe085ef83e6c0 0000000000000000 : 0000000000000008 ffffb20cba75e080 fffff8054829240a fffff9fc00000000 : 0xfffff805`4d23a83f

SYMBOL_NAME: nt!MiSystemFault+147ef3

MODULE_NAME: nt

STACK_COMMAND: .thread ; .cxr ; kb

IMAGE_NAME: memory_corruption

BUCKET_ID_FUNC_OFFSET: 147ef3

FAILURE_BUCKET_ID: 0xBE_nt!MiSystemFault

OS_VERSION: 10.0.19041.1

BUILDLAB_STR: vb_release

OSPLATFORM_TYPE: x64

OSNAME: Windows 10

FAILURE_ID_HASH: {f42e95f2-ac01-9f1a-bba7-f215636b6297}

Followup: MachineOwner

Trying latest release v1.2. Boots and patches all good. No errors seen in the green boot process info while loading. Using default settings with renamed loader.efi. The BSOD is instant the moment i hit enter on "EfiDSEFix.exe -d" in cmd. Im a dumb dumb in this area but I hope the following info is helpful. Just let me know if there is anything else that could help. Thank you.

•                                                                         *
  

•                    Bugcheck Analysis                                    *
  

•                                                                         *
  

ATTEMPTED_WRITE_TO_READONLY_MEMORY (be)
An attempt was made to write to readonly memory. The guilty driver is on the
stack trace (and is typically the current instruction pointer).
When possible, the guilty driver's name (Unicode string) is printed on
the bugcheck screen and saved in KiBugCheckDriver.
Arguments:
Arg1: fffff80472de5787, Virtual address for the attempted write.
Arg2: 0100000181cb2021, PTE contents.
Arg3: ffff800ec764c530, (reserved)
Arg4: 000000000000000b, (reserved)

Debugging Details:

KEY_VALUES_STRING: 1

Key  : Analysis.CPU.Sec
Value: 1

Key  : Analysis.DebugAnalysisProvider.CPP
Value: Create: 8007007e on DESKTOP-9G6JOVA

Key  : Analysis.DebugData
Value: CreateObject

Key  : Analysis.DebugModel
Value: CreateObject

Key  : Analysis.Elapsed.Sec
Value: 23

Key  : Analysis.Memory.CommitPeak.Mb
Value: 76

Key  : Analysis.System
Value: CreateObject

BUGCHECK_CODE: be

BUGCHECK_P1: fffff80472de5787

BUGCHECK_P2: 100000181cb2021

BUGCHECK_P3: ffff800ec764c530

BUGCHECK_P4: b

BLACKBOXBSD: 1 (!blackboxbsd)

BLACKBOXPNP: 1 (!blackboxpnp)

PROCESS_NAME: EfiDSEFix.exe

TRAP_FRAME: ffff800ec764c530 -- (.trap 0xffff800ec764c530)
NOTE: The trap frame does not contain all registers.
Some register values may be zeroed or incorrect.
rax=0000000000000000 rbx=0000000000000000 rcx=008b486373000000
rdx=0000000000000000 rsi=0000000000000000 rdi=0000000000000000
rip=fffff800739d8f7f rsp=ffff800ec764c6c0 rbp=ffff800ec764c7b0
r8=ff00000000ffffff r9=fffff80472de5787 r10=ffff8880b8068ae0
r11=ffff800ec764ca40 r12=0000000000000000 r13=0000000000000000
r14=0000000000000000 r15=0000000000000000
iopl=0 nv up ei pl zr na po nc
fffff800739d8f7f 418911 mov dword ptr [r9],edx ds:fffff80472de5787=8b486373
Resetting default scope

STACK_TEXT:
ffff800ec764c248 fffff8006f6c3ea1 : 00000000000000be fffff80472de5787 0100000181cb2021 ffff800ec764c530 : nt!KeBugCheckEx
ffff800ec764c250 fffff8006f4e69c7 : 0000000000000000 0000000000000003 0000000000000000 fffff80472de5787 : nt!MiSystemFault+0x1678c1
ffff800ec764c390 fffff8006f66e983 : 0000000000000000 0000000000000000 ffff800ec764ca40 0000000000000000 : nt!MmAccessFault+0x327
ffff800ec764c530 fffff800739d8f7f : ffff8880b7739180 fffff8006f59257f ffff800ec764c7b0 ffff800ec764c7b0 : nt!KiPageFault+0x343
ffff800ec764c6c0 ffff8880b7739180 : fffff8006f59257f ffff800ec764c7b0 ffff800ec764c7b0 ffffb30200000000 : 0xfffff800739d8f7f ffff800ec764c6c8 fffff8006f59257f : ffff800ec764c7b0 ffff800ec764c7b0 ffffb30200000000 ffff800ec764c708 : 0xffff8880b7739180
ffff800ec764c6d0 fffff8006f443aa7 : 0000000000000000 ffff800ec764c7c0 ffff800ec764c778 0000000000000000 : nt!KeSetSystemGroupAffinityThread+0x14f
ffff800ec764c750 0000000000000000 : 0000000000000000 0000000000000000 0000000000000000 0000000000000000 : hal!HalSetEnvironmentVariableEx+0x127

SYMBOL_NAME: nt!MiSystemFault+1678c1

MODULE_NAME: nt

IMAGE_VERSION: 10.0.17763.1

STACK_COMMAND: .thread ; .cxr ; kb

IMAGE_NAME: memory_corruption

BUCKET_ID_FUNC_OFFSET: 1678c1

FAILURE_BUCKET_ID: 0xBE_nt!MiSystemFault

OS_VERSION: 10.0.17763.1

BUILDLAB_STR: rs5_release

OSPLATFORM_TYPE: x64

OSNAME: Windows 10

FAILURE_ID_HASH: {f42e95f2-ac01-9f1a-bba7-f215636b6297}

Followup: MachineOwner

Hi,

I have a driver that is loaded at boot time.
In a win10 pro computer, the driver BSOD right after having booted on EfiGuard.

Here is the stack.

Seems like KiSwInterruptDispatch is an Hyper-V addon in PatchGuard.
I found a relatively interesting pdf talking about it https://blog.tetrane.com/downloads/Tetrane_PatchGuard_Analysis_RS4_v1.01.pdf.

Do you think that their solution would work ? I'm not very confident at this low level, but I can try to implement it.

The bugcheck is occuring at the last line in this screen:

Im not sure but rdi seems to be the pointer to the PatchGuard structure, which is not initialized, resulting in

fffff802747a9a67 f7879409000000001000 test dword ptr [rdi+994h],100000h ds:00000000`00000994=????????

What do you think ?

Hey there, I wanted to know if you have any more information about the handler for int 20h that you patch? Your code comments (and other sources) mention that it triggers PatchGuard to "run a verification check." Naturally, I wanted to see how it works by simply making a function that contains

Test20 PROC
    int 20h
    ret
Test20 ENDP

I didn't expect this to "succeed" - it didn't. It seems like nt!KiSwInterruptDispatch+0x27 and the instruction test dword ptr [rdi+994h],100000h is obviously the culprit, as rdi was 0. I want to know if you know anything more about this interrupt, such as parameters and stuff? I'm assuming that you'll need a PatchGuard context before issuing the interrupt, but I've heard that some anti-cheat for example, like Vanguard, use this interrupt. Do you have any ideas about how they do it?

Its possible on old BIOS not UEFI?
my system dump:

SystemBootEnvironmentInformation:
        - BootIdentifier: {13299921-eaa4-11eb-9b90-d99f30e81197}
        - FirmwareType: BIOS
        - BootFlags: 0x1

SystemModuleInformation:
        - Kernel: ntoskrnl.exe (\SystemRoot\system32\ntoskrnl.exe)

SystemCodeIntegrityInformation:
        - IntegrityOptions: 0x0001

SystemKernelDebuggerInformation:
        - KernelDebuggerEnabled: 0
        - KernelDebuggerNotPresent: 1

SystemKernelDebuggerInformationEx:
        - DebuggerAllowed: 0
        - DebuggerEnabled: 0
        - DebuggerPresent: 0

SharedUserData->KdDebuggerEnabled: 0x00

SystemKernelDebuggerFlags: 0x00

SystemCodeIntegrityPolicyInformation:
        - Options: 0x40000000
        - HVCIOptions: 0x0000

hello i would like to know if this bootkit is compatible with windows 11?

I have downloaded from below link while following the steps stated for "Booting the loader" but could not find EFI/ Boot folder in it and so cannot proceed with the next steps to use.
https://github.com/Mattiwatti/EfiGuard

ntoskrnl.exe will release work.efi memory
BlMmAllocatePagesInRange can apply, but BSOD during ntoskrnl initialization.

Hello, first off thank you for this project. I'm experiencing an issue where the StartBootApplication hook doesn't get called. I'm using Loader.config.efi with option 1 (no dse) as my goal is just to disable patchguard. I did this same process a week ago and everything worked fine now today after multiple attempts the output never gets passed "Successfully patched bootmgfiw!ImgArchStartBootApplication".

I've tried using the normal loader (Loader.efi) and the same thing happens.

Hello
Can you help me Please get it working on All new Windows 10 versions
I am Using Before this tools UPGDSED-dev version 1.3.0 but this version just support Windows 10 version 1803
Please Can you Help me

Best Regards
Thanks

Why does the EFI image have a PE header?
Is the windows kernel responsible for loading the efi image?

I ask because I tought the EFI image is loaded before the kernel.

I'm on Windows 1809 (soon 1903), and I get this error when trying any command other than -i

Failure: NtSetSystemEnvironmentValueEx error C0000002
AdjustCiOptions failed: C0000002

Full error with -d:

Disabling DSE...
CI!g_CiOptions at 0xFFFFF80514541D18.
Failure: NtSetSystemEnvironmentValueEx error C0000002
AdjustCiOptions failed: C0000002

-i output (after booting from the loader):

SystemBootEnvironmentInformation:
        - BootIdentifier: {c57e01ab-e8ac-11e8-9c47-c18f143fd988}
        - FirmwareType: BIOS
        - BootFlags: 0x0

SystemModuleInformation:
        - Kernel: ntoskrnl.exe (\SystemRoot\system32\ntoskrnl.exe)

SystemCodeIntegrityInformation:
        - IntegrityOptions: 0x0001

SystemKernelDebuggerInformation:
        - KernelDebuggerEnabled: 0
        - KernelDebuggerNotPresent: 1

SystemKernelDebuggerInformationEx:
        - DebuggerAllowed: 0
        - DebuggerEnabled: 0
        - DebuggerPresent: 0

SharedUserData->KdDebuggerEnabled: 0x00

SystemKernelDebuggerFlags: 0x00

SystemCodeIntegrityPolicyInformation:
        - Options: 0x40000000
        - HVCIOptions: 0x0000

I also pulled from master and compiled the EfiDSEFix but the same issue occurs.

Can i use EfiDSEFix on anything past 1703 ?

C:\edk2>build -a X64 -t VS2017 -p EfiGuardPkg/EfiGuardPkg.dsc -b RELEASE
Build environment: Windows-10-10.0.22000-SP0
Build start time: 22:50:23, Mar.26 2022

WORKSPACE = c:\edk2
EDK_TOOLS_PATH = c:\edk2\basetools
EDK_TOOLS_BIN = c:\edk2\basetools\bin\win32
CONF_PATH = c:\edk2\conf

Processing meta-data .PYTHON_COMMAND = py -3

Architecture(s) = X64
Build target = RELEASE
Toolchain = VS2017

Active Platform = c:\edk2\EfiGuardPkg\EfiGuardPkg.dsc

build.py...
c:\edk2\EfiGuardPkg\EfiGuardPkg.dsc(...): error 4000: Instance of library class [VariablePolicyHelperLib] is not found
in [c:\edk2\MdeModulePkg\Library\UefiBootManagerLib\UefiBootManagerLib.inf] [X64]
consumed by module [c:\edk2\EfiGuardPkg\Application\Loader\Loader.inf]

• Failed -
  Build end time: 22:50:23, Mar.26 2022
  Build total time: 00:00:00

Right now i see loader.efi not disabling DSE by default (only via switch after Windows has booted).
Can i change this?

EfiGuard can patch a Windows, but can it run some code before run a Windows, and shutdown PC without "BSOD"? For example, password boot lock. And if yes, can you give a link to some documentation?

Hello,

First I want to say thank you for your development of Efiguard, it really helps solving one of my problems when using Rainbow, which is constant BSOD, but now with EfiGuard Windows won't shut down. Every time I try to shut the computer down it just keeps restarting.

I'm using the precompiled version 1.2.1 I downloaded off your repo here.

Luckily I have a dual boot box also running Linux, so for now, I boot into Linux and shut the computer down from there.

I hope there's a solution for this?

These are my Specs.

Windows 10 2004

Motherboard
ASUS Maximus VIII Hero

PSU
EVGA SuperNOVA 550 G3

RAM
Corsair Vengeance LPX 16GB (2x8GB) DDR4 DRAM 2133MHz C13

CPU
i7 -6700K

Video
EVGA GeForce GTX 1060 - 06G-P4-6262-KR

Monitor
MSI Optix G24C - 144hz

THANKS

I am foolish and ignorant, and I cannot find the cause of this problem.

In UEFI SHELL, after load efiguarddxe. efi, it shows a black screen soon after loading successfully (no task text), passing by the kind big guy,

can you leave your valuable experience, but I can only express my gratitude (this is ashamed), Amon!

E:\github\edk2>build -a X64 -t VS2019 -p EfiGuardPkg/EfiGuardPkg.dsc -b RELEASE
Build environment: Windows-10-10.0.18362-SP0
Build start time: 17:25:22, Aug.18 2020

WORKSPACE        = e:\github\edk2
EDK_TOOLS_PATH   = e:\github\edk2\basetools
EDK_TOOLS_BIN    = e:\github\edk2\basetools\bin\win32
CONF_PATH        = e:\github\edk2\conf
PYTHON_COMMAND   = py -3

Processing meta-data .

Architecture(s)  = X64
Build target     = RELEASE
Toolchain        = VS2019

Active Platform          = e:\github\edk2\EfiGuardPkg\EfiGuardPkg.dsc
. done!
Building ... e:\github\edk2\MdePkg\Library\BaseSynchronizationLib\BaseSynchronizationLib.inf [X64]
Building ... e:\github\edk2\MdePkg\Library\UefiLib\UefiLib.inf [X64]
Building ... e:\github\edk2\MdePkg\Library\UefiDriverEntryPoint\UefiDriverEntryPoint.inf [X64]
Building ... e:\github\edk2\MdePkg\Library\BaseTimerLibNullTemplate\BaseTimerLibNullTemplate.inf [X64]
Building ... e:\github\edk2\MdePkg\Library\UefiRuntimeServicesTableLib\UefiRuntimeServicesTableLib.inf [X64]
Building ... e:\github\edk2\MdePkg\Library\UefiDevicePathLibDevicePathProtocol\UefiDevicePathLibDevicePathProtocol.inf [X64]
Building ... e:\github\edk2\MdePkg\Library\BasePrintLib\BasePrintLib.inf [X64]
Building ... e:\github\edk2\MdePkg\Library\UefiMemoryAllocationLib\UefiMemoryAllocationLib.inf [X64]
Building ... e:\github\edk2\MdePkg\Library\UefiBootServicesTableLib\UefiBootServicesTableLib.inf [X64]
Building ... e:\github\edk2\MdePkg\Library\BaseDebugLibNull\BaseDebugLibNull.inf [X64]
Building ... e:\github\edk2\MdePkg\Library\BaseMemoryLibOptDxe\BaseMemoryLibOptDxe.inf [X64]
Building ... e:\github\edk2\MdePkg\Library\BaseLib\BaseLib.inf [X64]
Building ... e:\github\edk2\MdePkg\Library\DxePcdLib\DxePcdLib.inf [X64]
Building ... e:\github\edk2\MdeModulePkg\Library\UefiBootManagerLib\UefiBootManagerLib.inf [X64]
Building ... e:\github\edk2\MdePkg\Library\UefiApplicationEntryPoint\UefiApplicationEntryPoint.inf [X64]
Building ... e:\github\edk2\MdePkg\Library\BasePerformanceLibNull\BasePerformanceLibNull.inf [X64]
Building ... e:\github\edk2\MdePkg\Library\BasePeCoffGetEntryPointLib\BasePeCoffGetEntryPointLib.inf [X64]
Building ... e:\github\edk2\MdePkg\Library\DxeServicesTableLib\DxeServicesTableLib.inf [X64]
Building ... e:\github\edk2\MdePkg\Library\DxeServicesLib\DxeServicesLib.inf [X64]
Building ... e:\github\edk2\MdeModulePkg\Library\DxeReportStatusCodeLib\DxeReportStatusCodeLib.inf [X64]
Building ... e:\github\edk2\MdeModulePkg\Library\UefiHiiLib\UefiHiiLib.inf [X64]
Building ... e:\github\edk2\MdeModulePkg\Library\UefiSortLib\UefiSortLib.inf [X64]
Building ... e:\github\edk2\MdePkg\Library\DxeHobLib\DxeHobLib.inf [X64]
Building ... e:\github\edk2\MdeModulePkg\Library\UefiHiiServicesLib\UefiHiiServicesLib.inf [X64]
Building ... e:\github\edk2\EfiGuardPkg\Application\Loader\Loader.inf [X64]
Building ... e:\github\edk2\EfiGuardPkg\EfiGuardDxe\EfiGuardDxe.inf [X64]
        "GenFw" -e UEFI_APPLICATION -o e:\github\edk2\Build\EfiGuard\RELEASE_VS2019\X64\EfiGuardPkg\Application\Loader\Loader\OUTPUT\Loader.efi e:\github\edk2\Build\EfiGuard\RELEASE_VS2019\X64\EfiGuardPkg\Application\Loader\Loader\DEBUG\Loader.dll --keepexceptiontable --keepzeropending --keepoptionalheader
        "GenFw" -e DXE_RUNTIME_DRIVER -o e:\github\edk2\Build\EfiGuard\RELEASE_VS2019\X64\EfiGuardPkg\EfiGuardDxe\EfiGuardDxe\OUTPUT\EfiGuardDxe.efi e:\github\edk2\Build\EfiGuard\RELEASE_VS2019\X64\EfiGuardPkg\EfiGuardDxe\EfiGuardDxe\DEBUG\EfiGuardDxe.dll --keepexceptiontable --keepzeropending --keepoptionalheader
'GenFw' ڲⲿҲǿеij
ļ
NMAKE : fatal error U1077: "GenFw: ش롰0x1
Stop.


build.py...
 : error 7000: Failed to execute command
        C:\Program Files (x86)\Microsoft Visual Studio\2019\Professional\VC\Tools\MSVC\14.27.29110\bin\Hostx86\x86\nmake.exe /nologo tbuild [e:\github\edk2\Build\EfiGuard\RELEASE_VS2019\X64\EfiGuardPkg\Application\Loader\Loader]


build.py...
 : error 7000: Failed to execute command
        C:\Program Files (x86)\Microsoft Visual Studio\2019\Professional\VC\Tools\MSVC\14.27.29110\bin\Hostx86\x86\nmake.exe /nologo tbuild [e:\github\edk2\Build\EfiGuard\RELEASE_VS2019\X64\EfiGuardPkg\EfiGuardDxe\EfiGuardDxe]


build.py...
 : error F002: Failed to build module
        e:\github\edk2\EfiGuardPkg\Application\Loader\Loader.inf [X64, VS2019, RELEASE]

- Failed -
Build end time: 17:25:24, Aug.18 2020
Build total time: 00:00:02

hello, how to fix this error?

Hi, I tried to run EFI guard on a USB stick and it did not boot, then I tried to run it on a FAT32 formatted partition on one of my drives separate from my windows boot drive and it didn't boot.
OS Win10
Motherboard Gigabyte z97x-UD3h-cf

It throws the error "LoadImage Error 800000000000000E (Not Found)" on each of my attempts to run it on the partition or USB stick.

Any help is greatly appreciated.

Hi Matti,
as you likely know in mid 2021 Microsoft will be forcing all drivers to be submitted, approved, and signed by them, each and every time they want to sign ...3rd party sellers will no longer be permitted to sell certificates and any existing drivers will be rendered useless once their certificates expire. This change will be pushed to all windows even windows xp.

my question is do you think efiguard will be affected? even though it's a boot driver? It's my understanding a lot of machines don't support secure boot so not reasonable to try and enforce that? or what are your thoughts.

I was mistaken, drivers with expired certificates will continue to run.

Im not sure how to go about this but i want to add the EFIGuard option to the boot menu without having to go through efishell. is this even possible? i added an entry to bcdedit that shows up and is pointing to the loader but it blue screens with the recovery page everytime. if i put on a usb stick and boot the usb it works fine so im not sure what else to try so i can add this to the boot options without having to go into efishell.

Thank you for sharing!
Why did I start up for the first time and work normally after I installed a new win10 system, but always failed for the second time? My system is win10 1809.

Can we fake the presence of a TPM using efiguard?
With this super irrational demand of MSFT to have a TPM in order to install windows 11, I was thinking if we can somehow reliably fake windows into thinking there is a TPM when there is

1. none or
2. a cheap emulation that just saves everything to a plain text file on the efi partition, muhahahahah...

Just some background info, the flashboot bootmgfw.efi is supposed to be able to boot non CSM, but the GPU drivers never work when CSM is disabled, it boots to desktop but refuses to use the GPU with the error code 21 in device manager.

I tried using EFIGuard on the normal bootmgfw for windows 7 and it gets stuck on the windows boot logo animation thing. I know it loads into the OS because i can hear the windows 7 startup sound.

I would just accept this as defeat, except when I used the flashboot bootmgfw.efi with EFIGuard it boots to the desktop, and loads the gpu (I can tell because aero starts working) except the resolution is tiny and the picture is all messed up.

I'll include a zip containing the flashboot bootmgfw, a link explaining how the flashboot bootmgfw works, and a link to my motherboard, thanks for your help, if this can actually get solved then I will have a fully working non csm windows 7, which i will be eternally grateful for, thank you.

https://www.prime-expert.com/articles/a21/windows-7-uefi-install-without-csm/

https://www.msi.com/Motherboard/MEG-X570-ACE

bootmgfw.zip

Care to add a project configuration to EfiDSEFix that as a SUBSYSTEM:NATIVE application so it can be used in BootExecute?
The implementation seems already ready for this, just need to change a little thing to work.

hi,

I tried calling KeGetCurrentIrql (after booting into Windows, so everything should've been loaded by then) in the SetVariable hook but it returned a strange value (decimal 125). Acquired function pointer via GetProcedureAddress.

Are there limitations of what kernel API can be called from this backdoor that I don't know of?

thank you in advance!

`Microsoft (R) Windows Debugger Version 10.0.22549.1000 AMD64
Copyright (c) Microsoft Corporation. All rights reserved.

Loading Dump File [C:\Windows\Minidump\042022-17359-01.dmp]
Mini Kernel Dump File: Only registers and stack trace are available

Symbol search path is: srv*
Executable search path is:
Windows 10 Kernel Version 19041 MP (12 procs) Free x64
Product: WinNt, suite: TerminalServer SingleUserTS Personal
Machine Name:
Kernel base = 0xfffff8072c600000 PsLoadedModuleList = 0xfffff8072d22a2d0
Debug session time: Wed Apr 20 15:52:59.072 2022 (UTC + 1:00)
System Uptime: 0 days 0:18:53.780
Loading Kernel Symbols
...............................................................
................................................................
................................................................
...............................................
Loading User Symbols
Loading unloaded module list
...........................
For analysis of this file, run !analyze -v
nt!KeBugCheckEx:
fffff8072c9f73b0 48894c2408 mov qword ptr [rsp+8],rcx ss:0018:fffff687c6b9e300=000000000000003b
2: kd> !analyze -v

•                                                                         *
  

•                    Bugcheck Analysis                                    *
  

•                                                                         *
  

SYSTEM_SERVICE_EXCEPTION (3b)
An exception happened while executing a system service routine.
Arguments:
Arg1: 00000000c0000005, Exception code that caused the BugCheck
Arg2: fffff80733ac5d80, Address of the instruction which caused the BugCheck
Arg3: fffff687c6b9ec00, Address of the context record for the exception that caused the BugCheck
Arg4: 0000000000000000, zero.

Debugging Details:

KEY_VALUES_STRING: 1

Key  : Analysis.CPU.mSec
Value: 2218

Key  : Analysis.DebugAnalysisManager
Value: Create

Key  : Analysis.Elapsed.mSec
Value: 11759

Key  : Analysis.Init.CPU.mSec
Value: 530

Key  : Analysis.Init.Elapsed.mSec
Value: 69411

Key  : Analysis.Memory.CommitPeak.Mb
Value: 86

Key  : Dump.Attributes.InsufficientDumpfileSize
Value: 1

Key  : Dump.Attributes.RequiredDumpfileSize
Value: 0x6b1fa253

FILE_IN_CAB: 042022-17359-01.dmp

DUMP_FILE_ATTRIBUTES: 0xc
Insufficient Dumpfile Size
Kernel Generated Triage Dump

BUGCHECK_CODE: 3b

BUGCHECK_P1: c0000005

BUGCHECK_P2: fffff80733ac5d80

BUGCHECK_P3: fffff687c6b9ec00

BUGCHECK_P4: 0

CONTEXT: fffff687c6b9ec00 -- (.cxr 0xfffff687c6b9ec00)
rax=fffff80733ac5d80 rbx=fffff687c6b9f680 rcx=fffff687c6b9f680
rdx=fffff687c6b9f948 rsi=0000000000000001 rdi=0000000000000007
rip=fffff80733ac5d80 rsp=fffff687c6b9f608 rbp=fffff687c6b9f6b0
r8=0000000000000000 r9=0000000000000000 r10=0000000000000000
r11=fffff687c6b9f948 r12=fffff687c6b9f948 r13=ffffbb81c3b67760
r14=fffff687c6b9f680 r15=0000000000000020
iopl=0 nv up ei pl zr na po nc
cs=0010 ss=0018 ds=002b es=002b fs=0053 gs=002b efl=00050246
fffff80733ac5d80 48895c2408 mov qword ptr [rsp+8],rbx ss:0018:fffff687c6b9f610=0000000000000020
Resetting default scope

BLACKBOXBSD: 1 (!blackboxbsd)

BLACKBOXNTFS: 1 (!blackboxntfs)

BLACKBOXPNP: 1 (!blackboxpnp)

BLACKBOXWINLOGON: 1

CUSTOMER_CRASH_COUNT: 1

PROCESS_NAME: EfiDSEFix.exe

STACK_TEXT:
fffff687c6b9f608 fffff8072cabec82 : 0000000000000020 fffff687c6b9f680 ffffbb81c3b67760 fffff687c6b9f948 : 0xfffff80733ac5d80 fffff687c6b9f610 fffff8072cab6ec7 : 0000000000000000 0000000000000000 0000000000000000 fffff8072ce97860 : nt!HalEfiSetEnvironmentVariable+0x5a fffff687c6b9f650 fffff8072ce97881 : fffff687c6b9f788 0000000000000000 00000000001e001c fffff8072cdc6150 : nt!HalSetEnvironmentVariableEx+0x127 fffff687c6b9f730 fffff8072ce968b7 : 0000000000000020 fffff687c6b9f831 ffff9382e02c7710 ffffab07c324d270 : nt!IopSetEnvironmentVariableHal+0x21 fffff687c6b9f770 fffff8072cf4e844 : 0000000000000020 ffff938200000000 fffff68700000000 00000000000023f0 : nt!IoSetEnvironmentVariableEx+0x8b fffff687c6b9f890 fffff8072cf5217a : 0000000000000010 000000a8cdaff760 000000a8cdaff760 0000000000000000 : nt!ExpSetFirmwareEnvironmentVariable+0x88 fffff687c6b9f8e0 fffff8072ca08db5 : 0000000000000000 00000000000023f0 0000000000000000 00007ff7e1e238b0 : nt!NtSetSystemEnvironmentValueEx+0x22a fffff687c6b9f990 00007fffd1310284 : 0000000000000000 0000000000000000 0000000000000000 0000000000000000 : nt!KiSystemServiceCopyEnd+0x25 000000a8cdaff718 0000000000000000 : 0000000000000000 0000000000000000 0000000000000000 0000000000000000 : 0x00007fffd1310284

SYMBOL_NAME: nt!HalEfiSetEnvironmentVariable+5a

MODULE_NAME: nt

IMAGE_NAME: ntkrnlmp.exe

IMAGE_VERSION: 10.0.19041.1526

STACK_COMMAND: .cxr 0xfffff687c6b9ec00 ; kb

BUCKET_ID_FUNC_OFFSET: 5a

FAILURE_BUCKET_ID: AV_nt!HalEfiSetEnvironmentVariable

OSPLATFORM_TYPE: x64

OSNAME: Windows 10

FAILURE_ID_HASH: {c61e3646-9ef3-fda6-5448-0cc81f8f9e40}

Followup: MachineOwner`

windows 10 x64 1511 ，at work。 √
windows 10 x64 1607, It doesn't work。 X

Please help me.

I need version 1511 above running

Can we catch up soon?

Title says it all.
After EfiGuardUnload is called (inside of the LoadImage hook), it will never try to boot to bootmgfw.

Nevermind.

Create release plz with new compiled files.

I can't seem to be able to boot using either the loader or the UEFI shell.

When using the loader, I select the USB and I get an error saying "The operating system wasn't found. Try disconnecting any drives that don't contain an operating system. Press any key to restart". After pressing a key this eventually leads to an error saying "No boot disk has been detected or the disk has failed."

When using the UEFI shell to load the driver, I get to the point where the title message is shown (Rootkits You Can Trust). However, my screen soon turns black with a blinking cursor and I have to turn off my computer.

Any ideas?