Mattiwatti / EfiGuard

Disable PatchGuard and Driver Signature Enforcement at boot time
GNU General Public License v3.0

UefiSeven coexistence #85

Closed acoul closed 1 year ago

acoul commented 1 year ago

Greetings,

I use UefiSeven to boot Windows 7 on a UEFI only system. Trying to test EfiGuard from a usb flash, I get an error: can't find bootmgfw.efi version number.

Can EfiGuard coexist with UefiSeven? If not, how can Windows 7 use EfiGuard on a UEFI-only system?

Mattiwatti commented 1 year ago

Hi,

I took a look at UefiSeven and there's no reason why it wouldn't theoretically work with EfiGuard. Unfortunately however because it replaces the Windows boot manager file (bootmgfw.efi) on disk, EfiGuard won't work with it as is because EfiGuard relies on this being the original Windows boot manager. This explains the warning you are seeing (not being able to find the version number is only a warning - it isn't fatal), as well as any subsequent errors which you will surely also receive if the Windows boot manager is located elsewhere with a different name.

So in short, no, EfiGuard won't work with UefiSeven as is, though there is no reason why it couldn't work if UefiSeven used a different method of loading.

> if not, how can Windows 7 use EfiGuard on a UEFI only system ?

See wiki: Secure boot on Windows 7 (if you don't need secure boot enabled, you can skip the last section, and disabling the CSM is also not necessary in this case). In short: you'll want to have up-to-date graphics drivers installed or slipstreamed on Windows 7, and the boot manager updated to one from Windows 10 or 11. Then disable the Vga and VgaSave services, and run bcdedit /set {current} novesa on and bcdedit /set {current} quietboot on. Note: all of the steps are detailed the way you would run them from Windows 7 itself, but they can also be performed externally, e.g. from Windows 10/11 or a bootable ISO of same.

acoul commented 1 year ago

you are quite correct about the UefiSeven. it's not an error, just a non destructive warning. EfiGuard seems to overcome this and proceeds successfully on each patching stage. I switched from Loader.config.efi back to the default Loader.efi & all the steps (with the exception of the bootmgfw.efi version warning) went just fine.

unfortunately, the result is a garbled half screen output. I can kind of see the desktop with menus etc. but the result looks like a bad acid trip, which BTW, I've never tried so far. fortunately, VNC, that I use for remote access, works fine.

Edit: [screenshot: efiguard_ok]

EfiGuard seems to work fine with UefiSeven & this ticket can possibly go to rest, with the exception of the garbled half screen output.

my goal is to use EfiGuard to try to install the unsigned graphics driver for the 9th Gen Intel UHD 600. upon success, will then test boot Windows 7 in pure UEFI by directly using the graphics driver skipping UefiSeven along with the generic Vga and VgaSave services as you suggested & have a follow-up.

acoul commented 1 year ago

I am proceeding with the Vga and VgaSave services guide.

I have installed the graphics driver, booted Sergei Strelec's WinPE, renamed vga.sys & vgapnp.sys, used the built-in remote regedit & switched the Start value to 4 according to the guide.

but the bcdedit commands throw the following error:

```
The boot configuration data store could not be opened.
The requested system device cannot be found.
```

This is a Windows 7 OS, installed on an msdos partition, ntfs formatted, which boots fine on a pure UEFI system with the assistance of UefiSeven.

issuing the following:

```
bcdedit /store c:\EFI\Microsoft\Boot\BCD
```

produces:

```
Windows Boot Manager
--------------------
identifier              {bootmgr}
device                  partition=C:
path                    \EFI\Microsoft\Boot\bootmgfw.efi
description             Windows Boot Manager
locale                  en-us
inherit                 {globalsettings}
default                 {default}
resumeobject            {237fce48-f036-11ed-983e-18c04dd05a2e}
displayorder            {default}
                        {12a3b634-f027-11ed-aee3-18c04dd05a2e}
                        {8d481ea9-efcf-11ed-8773-a8a1594ec55d}
toolsdisplayorder       {memdiag}
timeout                 30

Windows Boot Loader
-------------------
identifier              {default}
device                  partition=C:
path                    \Windows\system32\winload.efi
description             Windows 7
locale                  en-us
inherit                 {bootloadersettings}
osdevice                partition=C:
systemroot              \Windows
resumeobject            {237fce48-f036-11ed-983e-18c04dd05a2e}
nx                      OptIn
detecthal               Yes

Windows Boot Loader
-------------------
identifier              {12a3b634-f027-11ed-aee3-18c04dd05a2e}
device                  unknown
path                    \Windows\system32\winload.efi
description             Windows 7
locale                  en-us
inherit                 {bootloadersettings}
osdevice                unknown
systemroot              \Windows
resumeobject            {12a3b633-f027-11ed-aee3-18c04dd05a2e}
nx                      OptIn
detecthal               Yes

Windows Boot Loader
-------------------
identifier              {8d481ea9-efcf-11ed-8773-a8a1594ec55d}
device                  unknown
path                    \Windows\system32\winload.efi
description             Windows 7
locale                  en-us
loadoptions             DDISABLE_INTEGRITY_CHECKS
inherit                 {bootloadersettings}
osdevice                unknown
systemroot              \Windows
resumeobject            {8d481ea8-efcf-11ed-8773-a8a1594ec55d}
nx                      OptIn
detecthal               Yes
```

Mattiwatti commented 1 year ago

Are you sure Windows (so the partition containing the Windows directory) is on C: here if the BCD store (so normally the ESP) is too? I think this is probably possible on most systems nowadays, it's just not common to see this so just making sure.

Since you are running bcdedit from WinPE, you'll need to specify the BCD store location when running /set if you weren't doing this already, so just as you are doing with /enum above. You'll also have to specify the GUID explicitly, {current} won't work.

So the commands become (for the first entry):

```
bcdedit /store C:\EFI\Microsoft\Boot\BCD /set {default} novesa on
bcdedit /store C:\EFI\Microsoft\Boot\BCD /set {default} quietboot on
bcdedit /store C:\EFI\Microsoft\Boot\BCD /set {default} bootstatuspolicy IgnoreAllFailures
bcdedit /store C:\EFI\Microsoft\Boot\BCD /set {default} bootlog yes
```

Repeat for {12a3b634-f027-11ed-aee3-18c04dd05a2e} and {8d481ea9-efcf-11ed-8773-a8a1594ec55d} if you want to do this for all three entries.

Note: your other two entries have a missing device for the Windows partition (I'm guessing from the conversion to GPT), if you want to boot these you'll also need to run (assuming Windows is on C:):

```
bcdedit /store C:\EFI\Microsoft\Boot\BCD /set {12a3b634-f027-11ed-aee3-18c04dd05a2e} device partition=C:
bcdedit /store C:\EFI\Microsoft\Boot\BCD /set {12a3b634-f027-11ed-aee3-18c04dd05a2e} osdevice partition=C:
bcdedit /store C:\EFI\Microsoft\Boot\BCD /set {8d481ea9-efcf-11ed-8773-a8a1594ec55d} device partition=C:
bcdedit /store C:\EFI\Microsoft\Boot\BCD /set {8d481ea9-efcf-11ed-8773-a8a1594ec55d} osdevice partition=C:
```
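As an added example (not code from the EfiGuard project or from this thread), a PowerShell script for WinPE that applies the settings above to every Windows Boot Loader entry in the offline store, so no identifier has to be typed by hand, and repoints entries whose device is `unknown`. The function names are mine; it assumes WinPE ships PowerShell and sees the Windows partition as C: (change `$WinPart` otherwise).

```powershell
# Added example, not part of EfiGuard or this thread. Applies the bcdedit settings
# discussed above to every "Windows Boot Loader" entry of an offline BCD store (WinPE).
# Assumptions: bcdedit.exe is on PATH, the store path below, and that WinPE sees the
# Windows partition as C: (change $WinPart if not).
param(
    [string]$Store   = 'C:\EFI\Microsoft\Boot\BCD',
    [string]$WinPart = 'partition=C:',
    [switch]$Revert   # set novesa/quietboot back to off (the fallback described later in the thread)
)

# Parse `bcdedit /store <path> /enum` into (identifier, device) pairs for loader entries only.
function Get-BcdLoaderEntries {
    param([string]$StorePath)
    $enum = (& bcdedit /store $StorePath /enum) -join "`n"
    if ($LASTEXITCODE -ne 0) { throw "bcdedit could not open store '$StorePath'" }
    foreach ($block in ($enum -split "\n\s*\n")) {
        if ($block -notmatch '^\s*Windows Boot Loader') { continue }   # skip {bootmgr} and tools
        if ($block -notmatch '(?m)^identifier\s+(\S+)') { continue }
        $id  = $Matches[1]
        $dev = 'unknown'
        if ($block -match '(?m)^device\s+(\S+)') { $dev = $Matches[1] }
        [pscustomobject]@{ Id = $id; Device = $dev }
    }
}

function Set-Win7UefiVideoOptions {
    param([string]$StorePath, [string]$WindowsPartition, [bool]$Undo)
    $state = if ($Undo) { 'off' } else { 'on' }
    foreach ($e in Get-BcdLoaderEntries -StorePath $StorePath) {
        Write-Host "Entry $($e.Id) (device: $($e.Device)): novesa/quietboot -> $state"
        # {current} has no meaning from WinPE, so each entry is addressed by its own identifier.
        & bcdedit /store $StorePath /set $e.Id novesa $state
        & bcdedit /store $StorePath /set $e.Id quietboot $state
        if (-not $Undo) {
            & bcdedit /store $StorePath /set $e.Id bootstatuspolicy IgnoreAllFailures
            & bcdedit /store $StorePath /set $e.Id bootlog yes
        }
        # An entry whose device is 'unknown' (two of the enumerated ones above) cannot boot
        # until device and osdevice point at the Windows partition again.
        if ($e.Device -eq 'unknown') {
            & bcdedit /store $StorePath /set $e.Id device $WindowsPartition
            & bcdedit /store $StorePath /set $e.Id osdevice $WindowsPartition
        }
    }
}

Set-Win7UefiVideoOptions -StorePath $Store -WindowsPartition $WinPart -Undo $Revert.IsPresent
# Check the result afterwards with: bcdedit /store $Store /enum
```

Run it with `-Revert` to switch novesa and quietboot back off when a VGA fallback is needed; the device repair is left in place either way.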

acoul commented 1 year ago

unfortunately I had no success on my quest with my Ryzen system on directly UEFI booting to my Radeon HD 8490

graphics drivers are installed on this windows 7 system

I booted Sergei Strelec's WinPE and followed the directions (I used the EFI directory from a Windows 8.1 system):

> (After making a backup) Copy and overwrite all files under /EFI, excluding any files starting with BCD, from a newer Windows EFI partition over to C:\EFI. Overwrite C:\EFI\Boot\bootx64.efi with C:\EFI\Microsoft\Boot\bootmgfw.efi.

I then used Macrium's Fix boot issues to properly setup the BCD boot sequence

[screenshot: winpe_win7_uefi_bcdedit_enum_macrium]

after that I issued:

```
bcdedit /store C:\EFI\Microsoft\Boot\BCD /set {default} novesa on
bcdedit /store C:\EFI\Microsoft\Boot\BCD /set {default} quietboot on
bcdedit /store C:\EFI\Microsoft\Boot\BCD /set {default} bootstatuspolicy IgnoreAllFailures
bcdedit /store C:\EFI\Microsoft\Boot\BCD /set {default} bootlog yes
```

and then

> Rename %systemroot%\system32\drivers\vgapnp.sys and %systemroot%\system32\drivers\vga.sys to *.bak.sys.

for the following step:

```
reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\VgaSave" /f /t REG_DWORD /v "Start" /d 4
reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\Vga" /f /t REG_DWORD /v "Start" /d 4
```

I used autoruns offline from within the winPE & disabled the VgaSave & Vga services

I tried booting with & without EfiGuard without any success. There is no graphics output on the screen & remote VNC can't connect to the system.

Edit: I then used Bios CSM boot along with Ventoy/grub2-filemanager to legacy boot the windows 7 system and issued the following:

```
reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\VgaSave" /f /t REG_DWORD /v "Start" /d 4
reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\Vga" /f /t REG_DWORD /v "Start" /d 4
```

but still without any success on booting in pure UEFI mode.

After UEFI booting, there is no screen output. The system though has disk I/O activity & pushing the power button once properly shuts down the system.

Edit II: FWIW, in order to fallback/restore the previous/default vga functionality I also had to issue the following with WinPE & offline/regedit:

```
reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\VgaSave" /f /t REG_DWORD /v "Start" /d 1
reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\Vga" /f /t REG_DWORD /v "Start" /d 3

bcdedit /store C:\EFI\Microsoft\Boot\BCD /set {default} novesa off
bcdedit /store C:\EFI\Microsoft\Boot\BCD /set {default} quietboot off
```

Mattiwatti commented 1 year ago

This looks like a firmware bug unfortunately. After testing this on a Ryzen system I arrive at the same conclusion (no VGA output without CSM), even though the same setup works on an older Intel system. I suspect this is somehow related to differences between their shared vendor firmware code (usually provided by AMI), or even caused by the video driver differentiating, since it does not make sense for the processor to be a factor in this. But this is just speculation.

I will close this issue now since it's not really a bug in EfiGuard and I can't help you further with it. However I'd be interested to hear about it if you do find a fix for this, since (depending on the fix) it might be possible to incorporate it into EfiGuard.

acoul commented 1 year ago

It is my bad that I mixed a couple of different pieces of hardware in order to further explore the EfiGuard functionality.

The initial bug report has to do with an Intel J4125 UEFI Class 3 system on which UefiSeven manages to provide a VGA service that boots successfully to Windows 7. On this system, I am unable to install an unsigned graphics driver (UHD 600), therefore I wanted to try this procedure with EfiGuard (this is still a WiP for me).

Using EfiGuard along with UefiSeven results in a garbled video output similar to the following:

[screenshot: garbled_vga_half]

I have full access to this system though, through VNC which works fine.

This is the actual (still active) BUG that I wanted to report initially, find where the problem resides & perhaps resolve it (besides my own quest to successfully install the graphics driver under the UEFI Class 3 system).

The rest is some of my (off-topic) attempts, on a different Ryzen UEFI Class 2 system which does not work under UEFI, to disable the VGA driver (as you kindly suggested) & try to UEFI boot directly to the graphics driver, in this case a Radeon HD 8490.

Should this ticket perhaps be split into two: the original issue (still active) and the later one (bypassing the VGA driver)?

acoul commented 1 year ago

This is my final report on this issue.

Intel UHD600 is a tempered graphics unit. I was unable to find any working drivers for either win7 or win8.

For win7 I had to use UefiSeven, as my j4125/UHD600 is a UEFI class 3 system, meaning no CSM capability.

There is a UHD610 success story though with UefiSeven & EfiGuard under win7:

[screenshot: win8_j4125_uhd600_directX]

In all cases, EfiGuard worked wonderfully!

I used bootice to embed the EfiGuard into the UEFI boot menu under the EFI\Boot directory.