The first two are used early on to decide which Root CA authorities will be allowed to participate in the signature check — different request are subject to different accepted root keys, as per Table 5 below.
Note that in these tables, PRS refers to “Product Release Services”, the internal team within Microsoft that is responsible for managing the PKI process and HSM which ultimately signs every officially released Microsoft product.
Two final important exceptions apply to the root key selection.
First, when a custom Secure Boot Signing Policy is installed, and it contains custom signers and scenarios, then absolutely all possible root keys, including incomplete chains, are allowed.
What prevents an unsigned binary from satisfying the scenario, or perhaps a test-signed binary, or even a perfectly validly signed binary, but from a random 3rd party company?
When Code Integrity performs its checks, it always remembers the Security Required bit mask, the Signature Level, and the Scenario.
The official names Microsoft uses for them are shown in Table 1 below.
In addition, the Se ILSigning Policy variable is no longer initialized through the registry.
Instead, it is set through the , a signed configurable policy blob which determines which binaries a Windows 8.1 computer is allowed to run.
The jailbreak, then, simply sets this value to “0”.
Another side effect of Signing Levels was that the “Protected Process” bit in EPROCESS was removed — whether or not a Windows 8 process is protected for DRM purposes (such as Audiodg.exe, which handles audio decoding) was now implied from the value in the “Signature Level” field instead.