Introduction

When running one of the FlexNet Embedded XT Kits on an older unpatched version of Windows, we have seen several incidents where our tamper detection mechanism is triggered, resulting in the inability to run the software.

For example, running the capability request example from the 2022.02 release of 64bt C XT kit on a Windows 7 64bit machine that is currently not connected to the network results in the following error:

C:\Users\testuser\Documents\flexnet_client-xt-c-x64_windows-2022.02.0\build\capabilityrequest\x64\Debug>capabilityrequest.exe -server http://192.168.0.149:7070/fne/bin/capability

ERROR: creating licensing object: Internal error:

  1201:516, MID=0, SID=0, EID=6,

  Tamper detected: IHRfX1RJcEFSM3ZiV0VsRVNWcENlUmVzNWxEQVAySSAgZmFsc2UgeyBbInZpc

3VhbF9zdHVkaW8iXSA9IHRydWUsWyJ0X19vQTFTWWhQdjE1MDN5Z0FNb0FFd3JjVEozRSJdID0gdHJ1Z

SxbInRfX1JtenBFWVlUZ3pDMjNMdElMTHEzeHZ1QSJdID0geEhhQXRJemtWbTBZcTRCRUdJZ2hqb1NRR

UksfSA=

Cause

The issue appears to be a false positive and is due to the operating system not having a required root certificate in order to confirm the signature used on FlxCore.dll/FlxCore64.dll.

How to Confirm

Microsoft provides a tool called Signtool which allows you to check the reason why the signature cannot be verified:

C:\Users\testuser\Documents\flexnet_client-xt-c-x64_windows-2022.02.0\build\capabilityrequest\x64\Debug>signtool verify /pa FlxCore64.dll

File: FlxCore64.dll

Index  Algorithm  Timestamp

========================================

SignTool Error: A certificate chain processed, but terminated in a root

        certificate which is not trusted by the trust provider.

Number of errors: 1

Possible Solutions to This Issue

Generally, when the operating system is connected to the internet and is auto-updating, the certificate chain will be updated and this should not be a problem. In cases where the OS is in an ‘offline’ situation, it may be that there have not been any updates and therefore the situation will not resolve without some manual intervention.

The following link provides details on how to update an OS in an offline environment: How to Update Trusted Root Certificates in Windows 7 in an article entitled Updating List of Trusted Root Certificates in Windows.

In the case of Windows 7, you would follow these steps:

1. To update root certificates in Windows 7, you must first download and install MSU update as described in KB2813430: An update is available that enables administrators to update trusted and disallowed CTLs in disconnected environments in Windows.
2. After that, you can use the certutil to generate an SST file with root certificates (on current or another computer):
   

   certutil.exe -generateSSTFromWU c:\ps\roots.sst

3. Now you can import certificates into trusted ones. Run MMC >add snap-in > certificates > computer account > local computer.
4. Right click Trusted root certification authority and select All Tasks > Import.
5. Find your SST file (in the file type select Microsoft Serialized Certificate Store — *.sst) > Open > Place all certificates in the following store > Trusted Root Certification Authorities.