How to find driver causing "Windows can't verify the publisher of this driver software"?

5

For the second time in about a week I got a "Windows can't verify the publisher of this driver software" popup after entering my password on the lock screen.

I had been away for 45 minutes; the system locked itself in the meantime.

How can I find the driver that may cause this?

Note that there's no additional info in the popup:

[screenshot of the popup]

There is nothing in the Security Event log.
There are these errors in the Application Event log happening during my absence:

19:30:01 VSS Event ID 8194
         Volume Shadow Copy Service error: Unexpected error querying for the IVssWriterCallback interface.
         hr = 0x80070005, Access is denied.
         This is often caused by incorrect security settings in either the writer or requestor process. 
         Operation: Gathering Writer Data
         Context:
           Writer Class Id: {e8132975-6f93-4464-a53e-1050253ae220}
           Writer Name: System Writer
           Writer Instance ID: {a76e4df1-e62e-4f3e-9075-c77295c9ecdc}
19:30:01 VSS Event ID 8194 Idem
19:30:46 VSS Event ID 8194 Idem
         (and then at 19:41:09 the 8224 information message 'The VSS service is shutting down due to idle timeout.')
19:41:37 C:\Program Files\Dell\DellDataVault\DDVDataCollector.exe Application event ID 1000
         Faulting application name: DDVDataCollector.exe, version: 5.2.7.93, time stamp: 0x5bce2506
         Faulting module name: DDVDataCollector.exe, version: 5.2.7.93, time stamp: 0x5bce2506
         Exception code: 0xc0000409
         Fault offset: 0x00000000001cd3cb
         Faulting process id: 0xe34
         Faulting application start time: 0x01d4f4797e0833c9
         Faulting application path: C:\Program Files\Dell\DellDataVault\DDVDataCollector.exe
         Faulting module path: C:\Program Files\Dell\DellDataVault\DDVDataCollector.exe
         Report Id: 2afed137-4f0a-47f9-b67a-5a49814e3dbd
         Faulting package full name: 
         Faulting package-relative application ID: 


The system event log shows three DistributedCOM events 10016 around 19:31:50:

The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID 
to the user DESKTOP-COV1MII\JanDoggen SID (S-1-5-21-3973335050-762844696-57333725-1001) from address LocalHost (Using LRPC) running in the application container Unavailable SID (Unavailable). 
This security permission can be modified using the Component Services administrative tool.

I recently investigated this DCOM error in another context and this is expected and by design.

Cloudberry Backup ran a short incremental backup of my data drive D: from 19:30:01 to 19:31:34.

Updates in the last two weeks:

  • Notepad++ 7.6.6
  • Dell SupportAssist 3.2.0.90
  • Adobe Flash Player 32.0.0.171
  • Firefox 66.0.3

From all this the primary suspect is DDVDataCollector.exe which seems to belong to the Dell SupportAssist 'Data Vault', but as my title question says: how can I check this (other than disabling all this Dell stuff and waiting a month or more)?

windows-10
drivers
asked on Super User Apr 16, 2019 by Jan Doggen • edited Apr 17, 2019 by Jan Doggen

1 Answer

5

The place in the Event Viewer to look for applicable error messages about certificate errors for drivers is the branch Applications and Services Logs > Microsoft > Windows > CodeIntegrity.

For the poster, the relevant error message was one level deeper, in the sub-folder Operational.

answered on Super User Apr 16, 2019 by harrymc
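
The lookup described in the answer, as an added PowerShell example (not part of the original answer): it reads the CodeIntegrity Operational log for warnings and errors, pulls the file path out of each message, and checks that file's Authenticode signature. The 7-day window, the path regex and the mapping of the device path to the system drive are assumptions of this example, and the session needs rights to read the log.

```powershell
# Added example: list Code Integrity warnings/errors and check the signature
# of each file they name.
$LogName = 'Microsoft-Windows-CodeIntegrity/Operational'
$Start   = (Get-Date).AddDays(-7)   # assumed look-back window; narrow it to the popup time
$End     = Get-Date

$events = Get-WinEvent -FilterHashtable @{
    LogName   = $LogName
    Level     = 2, 3                # 2 = Error, 3 = Warning
    StartTime = $Start
    EndTime   = $End
} -ErrorAction SilentlyContinue

# Assumption: messages name the file as an NT device path
# (\Device\HarddiskVolumeN\...) ending in .sys, .dll or .exe.
$pathPattern = '\\Device\\HarddiskVolume\d+(\\.+?\.(?:sys|dll|exe))'

if (-not $events) {
    Write-Output "No Code Integrity warnings or errors between $Start and $End."
} else {
    $events | Sort-Object TimeCreated | ForEach-Object {
        $evt  = $_
        $file = $null
        if ($evt.Message -match $pathPattern) {
            # Assumption: the volume is the system drive; adjust for other volumes.
            $file = "$env:SystemDrive$($Matches[1])"
        }
        # Only query the signature when the mapped path really exists.
        $sig = if ($file -and (Test-Path -LiteralPath $file)) {
            Get-AuthenticodeSignature -LiteralPath $file
        }
        [pscustomobject]@{
            TimeCreated     = $evt.TimeCreated
            Id              = $evt.Id
            File            = $file
            SignatureStatus = $sig.Status
            Signer          = $sig.SignerCertificate.Subject
        }
    } | Format-Table -AutoSize -Wrap
}
```

Rows whose time matches the popup and whose SignatureStatus is not Valid are the files to investigate first; rows with an empty File column need the event message read by hand.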

User contributions licensed under CC BY-SA 3.0