Well, if you are here, the chances that you know what KB3033929 is are really high, but for those who don't know:
This update adds support for SHA-2 hashing algorithm signing and verification.
In most cases, this means the update enables Windows to load drivers signed with SHA256 certificates only; without it, you will need to cross-sign your driver with both SHA1 and SHA256 certificates.
Everything sounds pretty good, right? Not at all!
This update has a long history of problems and has already given headaches to many people.
Some computers even became unbootable after installing it, but that is not the point here…
If I remember correctly, since January 1, 2016, all Certification Authorities (CAs) should no longer issue SHA1 certificates, except for compatibility cases.
So, now in 2017 this is even more present and tricky to deal with.
The big question here is:
How do I check (programmatically) whether my Windows supports loading drivers signed with SHA256 only?
A while ago I was using WMI to query Win32_QuickFixEngineering and check if the KB entry was present.
Sounds good! What could be wrong?
Well, since Microsoft keeps creating new cumulative packages with a lot of hotfixes, this proved to be a bad idea.
I found a lot of ideas on the internet, but none really solved the problem for me…
After hours of comparing binaries and looking at their exported functions, plus a lot of testing…
I finally got somewhere!
If you check the CryptCATAdminAcquireContext2 function on the MSDN site, you can see this note at the end:
Minimum supported client: 8 [desktop apps only]
Hey, but that is not entirely true.
This function will be available on Windows 7 SP1 after KB3033929 has been installed.
For this reason, this is the best way I have found to really check if SHA-2 support is available or not.
Of course, it is a good idea to check the Windows version first to make sure the user is running Windows 7 SP1 (6.1.7601).
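
The check described above, written out in C as an added example (not the author's code). The names `sha2_decide` and `wintrust_has_acquire_context2` are this example's own; it assumes the function is probed in `wintrust.dll`, where Microsoft documents it, reads the version through `RtlGetVersion`, and reports systems older than 6.1.7601 as unknown because the article does not cover them.

```c
#include <stdio.h>

enum sha2_support { SHA2_UNKNOWN = -1, SHA2_NO = 0, SHA2_YES = 1 };

/* Pure decision step. has_export is nonzero when wintrust.dll exports
 * CryptCATAdminAcquireContext2. Systems older than Windows 7 SP1 (6.1.7601)
 * are reported as unknown (assumption: the article does not cover them). */
enum sha2_support sha2_decide(unsigned major, unsigned minor, unsigned build,
                              int has_export)
{
    if (major < 6 || (major == 6 && minor == 0) ||
        (major == 6 && minor == 1 && build < 7601))
        return SHA2_UNKNOWN;
    return has_export ? SHA2_YES : SHA2_NO;
}

#ifdef _WIN32
#include <windows.h>

/* Load wintrust.dll by full path from the system directory, so the probe
 * cannot pick up a same-named DLL from the application directory. */
static int wintrust_has_acquire_context2(void)
{
    wchar_t path[MAX_PATH];
    UINT n = GetSystemDirectoryW(path, MAX_PATH);
    if (n == 0 || n > MAX_PATH - 14)      /* room for "\wintrust.dll" + NUL */
        return 0;
    lstrcatW(path, L"\\wintrust.dll");
    HMODULE h = LoadLibraryW(path);
    if (!h) return 0;
    int found = GetProcAddress(h, "CryptCATAdminAcquireContext2") != NULL;
    FreeLibrary(h);
    return found;
}

typedef LONG (WINAPI *rtl_get_version_fn)(RTL_OSVERSIONINFOW *);

int main(void)
{
    RTL_OSVERSIONINFOW v = { sizeof v };
    rtl_get_version_fn get = (rtl_get_version_fn)GetProcAddress(
        GetModuleHandleW(L"ntdll.dll"), "RtlGetVersion");
    if (!get || get(&v) != 0) return 2;
    int r = sha2_decide(v.dwMajorVersion, v.dwMinorVersion, v.dwBuildNumber,
                        wintrust_has_acquire_context2());
    printf("%lu.%lu.%lu: %s\n", v.dwMajorVersion, v.dwMinorVersion, v.dwBuildNumber,
           r == SHA2_YES ? "SHA-2 supported" : r == SHA2_NO ? "export missing" : "unknown");
    return r == SHA2_YES ? 0 : 1;
}
#endif
```

The process exit code is 0 only when the export is present on Windows 7 SP1 or later, so an installer can branch on it before attempting to load a SHA256-only driver.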