Signers are the identities of the certificates used by Windows Defender Application Control (WDAC) to allow or deny a signed file to run. If you open a policy XML file, you will see the list of signers. It is interesting that many of the files allowed to run by this method are not, in fact, signed. This post explains how this works.
Here is an example of a signer obtained by scanning a drive at Publisher level with New-CIPolicy -FilePath [path to policy file] -Level Publisher -UserPEs -NoShadowCopy. The scan produces an XML file containing the signers, and a TMP file containing the list of files that were found to be unsigned.
<Signers>
  <Signer ID="ID_SIGNER_S_1" Name="Microsoft Windows Production PCA 2011">
    <CertRoot Type="TBS" Value="4E80BE107C860DE896384B3EFF50504DC2D76AC7151DF3102A4450637A032146" />
    <CertPublisher Value="Microsoft Windows" />
  </Signer>
  <Signer ID="ID_SIGNER_S_3A" Name="Microsoft Windows Production PCA 2011">
    <CertRoot Type="TBS" Value="4E80BE107C860DE896384B3EFF50504DC2D76AC7151DF3102A4450637A032146" />
    <CertPublisher Value="Microsoft Windows" />
  </Signer>
</Signers>
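A signer entry is just a root certificate's TBS hash plus an optional publisher name, so the policy can be read programmatically. The following PowerShell is an added example, not code from the original post or from Microsoft's tooling: it parses the Signers section of a policy file and lists each rule, then points out signers that repeat the same root and publisher (as ID_SIGNER_S_1 and ID_SIGNER_S_3A do above). The inline XML is a constructed sample; ID_SIGNER_S_7 and its all-zero hash are placeholders.

```powershell
# Added example (not from the original post): read the <Signers> of a WDAC
# policy and report each signer's root TBS hash and publisher.
# The XML below is a constructed sample; ID_SIGNER_S_7 is a placeholder.

$policyXml = @'
<SiPolicy>
  <Signers>
    <Signer ID="ID_SIGNER_S_1" Name="Microsoft Windows Production PCA 2011">
      <CertRoot Type="TBS" Value="4E80BE107C860DE896384B3EFF50504DC2D76AC7151DF3102A4450637A032146" />
      <CertPublisher Value="Microsoft Windows" />
    </Signer>
    <Signer ID="ID_SIGNER_S_3A" Name="Microsoft Windows Production PCA 2011">
      <CertRoot Type="TBS" Value="4E80BE107C860DE896384B3EFF50504DC2D76AC7151DF3102A4450637A032146" />
      <CertPublisher Value="Microsoft Windows" />
    </Signer>
    <Signer ID="ID_SIGNER_S_7" Name="Example Vendor CA (placeholder)">
      <CertRoot Type="TBS" Value="0000000000000000000000000000000000000000000000000000000000000000" />
    </Signer>
  </Signers>
</SiPolicy>
'@

function Get-PolicySigner {
    # To read a real policy file instead of the sample:
    #   Get-PolicySigner -Policy ([xml](Get-Content -Raw .\policy.xml))
    param([Parameter(Mandatory)][xml]$Policy)

    foreach ($s in $Policy.SiPolicy.Signers.Signer) {
        [pscustomobject]@{
            Id        = $s.ID
            Name      = $s.Name
            RootType  = $s.CertRoot.Type
            RootTbs   = $s.CertRoot.Value
            # CertPublisher is optional; without it the rule trusts anything
            # chaining to that root, not just one publisher name.
            Publisher = if ($s.CertPublisher) { $s.CertPublisher.Value } else { '(any)' }
        }
    }
}

$signers = Get-PolicySigner -Policy ([xml]$policyXml)
$signers | Format-Table Id, Name, RootType, Publisher -AutoSize

# Two signers with the same root and publisher are the same rule written twice.
# New-CIPolicy can emit more than one ID for one certificate; the duplicates are
# harmless, but seeing them explains why a policy has more signers than certs.
$signers | Group-Object RootTbs, Publisher | Where-Object Count -gt 1 | ForEach-Object {
    'Duplicate rule for {0}: {1}' -f $_.Name, (($_.Group.Id) -join ', ')
}
```

The TBS value is a hash of the root certificate's to-be-signed portion, not of the file, which is why the same two lines can cover thousands of binaries; a signer without a CertPublisher element is worth looking for when reviewing a policy, because it is much broader than one scoped to a publisher.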
You can take a look at the TMP file after the scan to see what the impact of the policy will be.
For some files, like chrome.exe, the presence of a signature is obvious.
But a file like notepad.exe also runs, and it does not appear to have a signature.
In fact, that seems to be true of most of the files in C:\Windows and C:\Windows\system32. They don’t appear to be signed, and yet they run with only a Signers policy. But 7-Zip is also not signed, and it does NOT run.
The reason is that the Windows files are covered by a signed catalog. The catalog contains the hashes of the files, and the catalog itself is signed. WDAC uses the certificate that signed the catalog to allow notepad.exe to run. The process is explained here: Deploy catalog files to support Windows Defender Application Control.
There is nothing in the file itself to tell us directly why notepad.exe is allowed. But the Sigcheck utility from Sysinternals shows why: notepad.exe is listed in a signed catalog, in this case C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Package_1255_for_KB4523205~31bf3856ad364e35~amd64~~10.0.1.10.cat. The command is sigcheck.exe -i notepad.exe, and the output is below.
C:\WINDOWS\system32\notepad.exe:
Verified: Signed
Link date: 04:52 26/11/1996
Signing date: 19:20 08/11/2019
Catalog: C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Package_1255_for_KB4523205~31bf3856ad364e35~amd64~~10.0.1.10.cat
Signers:
Microsoft Windows
Cert Status: Valid
Valid Usage: NT5 Crypto, Code Signing
Cert Issuer: Microsoft Windows Production PCA 2011
Serial Number: 33 00 00 02 32 41 FB 59 99 6D CC 4D FF 00 00 00 00 02 32
Thumbprint: FF82BC38E1DA5E596DF374C53E3617F7EDA36B06
Algorithm: sha256RSA
Valid from: 21:24 02/05/2019
Valid to: 21:24 02/05/2020
Microsoft Windows Production PCA 2011
Cert Status: Valid
Valid Usage: All
Cert Issuer: Microsoft Root Certificate Authority 2010
Serial Number: 61 07 76 56 00 00 00 00 00 08
Thumbprint: 580A6F4CC4E4B669B9EBDC1B2B3E087B80D0678D
Algorithm: sha256RSA
Valid from: 18:41 19/10/2011
Valid to: 18:51 19/10/2026
Microsoft Root Certificate Authority 2010
Cert Status: Valid
Valid Usage: All
Cert Issuer: Microsoft Root Certificate Authority 2010
Serial Number: 28 CC 3A 25 BF BA 44 AC 44 9A 9B 58 6B 43 39 AA
Thumbprint: 3B1EFD3A66EA28B16697394703A72CA340A05BD5
Algorithm: sha256RSA
Valid from: 21:57 23/06/2010
Valid to: 22:04 23/06/2035
Counter Signers:
Microsoft Time-Stamp Service
Cert Status: Valid
Valid Usage: Timestamp Signing
Cert Issuer: Microsoft Time-Stamp PCA 2010
Serial Number: 33 00 00 01 13 B3 70 87 3D FA F0 C8 24 00 00 00 00 01 13
Thumbprint: 3D57569160D39D8863D2983809B2130A97B8EE95
Algorithm: sha256RSA
Valid from: 23:19 23/10/2019
Valid to: 23:19 21/01/2021
Microsoft Time-Stamp PCA 2010
Cert Status: Valid
Valid Usage: All
Cert Issuer: Microsoft Root Certificate Authority 2010
Serial Number: 61 09 81 2A 00 00 00 00 00 02
Thumbprint: 2AA752FE64C49ABE82913C463529CF10FF2F04EE
Algorithm: sha256RSA
Valid from: 21:36 01/07/2010
Valid to: 21:46 01/07/2025
Microsoft Root Certificate Authority 2010
Cert Status: Valid
Valid Usage: All
Cert Issuer: Microsoft Root Certificate Authority 2010
Serial Number: 28 CC 3A 25 BF BA 44 AC 44 9A 9B 58 6B 43 39 AA
Thumbprint: 3B1EFD3A66EA28B16697394703A72CA340A05BD5
Algorithm: sha256RSA
Valid from: 21:57 23/06/2010
Valid to: 22:04 23/06/2035
Company: Microsoft Corporation
Description: Notepad
Product: Microsoft® Windows® Operating System
Prod version: 10.0.17763.475
File version: 10.0.17763.475 (WinBuild.160101.0800)
MachineType: 64-bit
We can see the digital signature in the properties of the catalog file itself.
However, Sigcheck shows that 7zFM.exe is NOT signed, neither embedded nor through a catalog, so a signer rule cannot be used to allow it to run.
c:\program files\7-zip\7zFM.exe:
Verified: Unsigned
Link date: 16:00 21/02/2019
Publisher: n/a
Company: Igor Pavlov
Description: 7-Zip File Manager
Product: 7-Zip
Prod version: 19.00
File version: 19.00
MachineType: 64-bit
Sigcheck can also scan a folder for unsigned executable files: sigcheck.exe -u -s -e [folder to check]. This tells you in advance whether scanning for certificates will be enough to allow an application to run, or whether some of its files will be left unsigned.
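The same distinction the post draws between notepad.exe (catalog-signed) and 7zFM.exe (unsigned), and the folder scan just described, can be reproduced without Sigcheck using Get-AuthenticodeSignature, whose result carries a SignatureType of Authenticode, Catalog or None. The following is an added example, not code from the original post or from Sysinternals; it assumes Windows PowerShell 5.1 or later on a Windows host, where the cmdlet checks installed catalogs, and the paths are those used in the post.

```powershell
# Added example (not from the original post): classify executables by how WDAC
# can trust them. 'Authenticode' = embedded signature, 'Catalog' = hash listed
# in a signed catalog under CatRoot, 'None' = what Sigcheck reports as Unsigned.
# Assumes Windows PowerShell 5.1+ on Windows. Paths are the ones from the post.

function Get-SignatureSource {
    param([Parameter(Mandatory)][string]$Path)

    $sig = Get-AuthenticodeSignature -FilePath $Path
    [pscustomobject]@{
        Path       = $Path
        Status     = $sig.Status          # Valid, NotSigned, HashMismatch, ...
        Source     = $sig.SignatureType   # Authenticode, Catalog or None
        IsOSBinary = $sig.IsOSBinary
        Issuer     = if ($sig.SignerCertificate) { $sig.SignerCertificate.Issuer } else { $null }
    }
}

function Find-UnsignedExecutable {
    # Equivalent of "sigcheck.exe -u -s -e [folder]": walk a folder and keep only
    # files that have neither an embedded nor a catalog signature.
    param(
        [Parameter(Mandatory)][string]$Root,
        [string[]]$Include = @('*.exe', '*.dll', '*.sys', '*.ocx')
    )
    Get-ChildItem -Path $Root -Recurse -File -Include $Include -ErrorAction SilentlyContinue |
        ForEach-Object { Get-SignatureSource -Path $_.FullName } |
        Where-Object { $_.Source -eq 'None' }
}

# The two files discussed in the post, side by side.
$report = @(
    Get-SignatureSource -Path 'C:\Windows\System32\notepad.exe'
    Get-SignatureSource -Path 'C:\Program Files\7-Zip\7zFM.exe'
)
$report | Format-Table Path, Status, Source, IsOSBinary, Issuer -AutoSize

# A HashMismatch with Source = Catalog means the file no longer matches the
# catalog entry (patched or tampered); WDAC will not allow it via the signer.
$report | Where-Object { $_.Status -eq 'HashMismatch' } |
    ForEach-Object { "WARNING: {0} does not match its signature" -f $_.Path }

# Everything a signer rule cannot cover in the 7-Zip folder:
Find-UnsignedExecutable -Root 'C:\Program Files\7-Zip' | Select-Object -ExpandProperty Path
```

Two caveats worth knowing when reading the result. A catalog signature is only visible on a machine where the catalog is installed under CatRoot, so copying notepad.exe to a bare system and checking it there reports it as unsigned, which is exactly why the catalog deployment document the post links to matters for third-party files. And IsOSBinary is a separate claim from the signature type: it says the signing chain is a Windows one, not merely that a catalog covered the file.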