10x faster 'Check UEFI PK, KEK, DB and DBX'#41
Conversation
- Check against latest DBX revocations (Staged or GitHub)
- Refresh view by looping
- Clarify SVN origin
- Simplify arch check (faster runtime)
- Remove hardcoded bin file names, new expected pattern: "DBXUpdate_{YYYY-MM-DD}_{Version}_{Arch}.bin"
DBXUpdate_2025-02-25_v1.4.0_arm.bin
DBXUpdate_2025-02-25_v1.4.0_arm64.bin
DBXUpdate_2025-10-14_v1.6.0_amd64.bin
DBXUpdate_2025-10-14_v1.6.0_x86.bin
DBXUpdate_2025-10-14_v1.6.0_amd64.bin to DBXUpdate_v1.6.0_2025-10-14_amd64.bin
So the progress bar is actually slowing it. That code is from Microsoft (https://gist.github.com/out0xb2/f8e0bae94214889a89ac67fceb37f8c0).
The one on GitHub is the authoritative one and the one picked up by OEMs and other OS for distribution so I would keep that especially that it currently has more hashes. The one shipped in Windows may be faulty seeing how Microsoft still has not clarified the removal of hashes or update the one on GitHub until now.
This is going to get complaints from people who automate the script.
This is not needed as that section is showing the contents of the Current DBX.
Won't this throw an exception if the reg key does not exist? Anyway, I cannot really review right now since I keep getting "504 Gateway Time-out" on GitHub. Also thinking that since we are going to change so much, maybe we should just abandon the bin files completely and just use the JSON file for everything. Microsoft generates the bin files from the JSON anyway. So the fact that the bin shipped with Windows does not match the JSON means something is wrong. The existing script is from back in the day when there is only CSV but no JSON file of all the contents. |
Fantastic idea! Ran a benchmark and checking the entire DBX against the JSON is now 50 ms instead of 10.000+ ms.
Yes, thanks. Will add Will revert the other changes as you suggested - agree with checking both JSON and Staged, SVN labels as you had them and remove the loop. |
|
and for the JSON, since the JSON on GitHub is updated late usually, there is also a copy of the JSON shipped in Windows that maybe can be used. The issue is the last time I checked, the JSON in Windows has up-to-date hashes but old SVN whereas the one on GitHub now has updated SVN but not updated hash. |
|
Since new monthly update is out and contains new DBX hashes and the new signed bin file is available, I picked the speed improvement commit from this and updated the DBX check. There is no need to check Windows staged anymore since updated bin file contains all up-to-date hashes. For this PR maybe you can make it use JSON for checking instead. I am thinking to make use of the isOptional field in the JSON as well. So only flag the isOptional ones red when missing if the PCA2011 is not revoked. Need to wait for Microsoft to finalize the new updated JSON before the copy here can be updated. |
Is the FilePath known?
Should it be kept, in case it differs in the future again? But only show if it differs.
Really like the |
The issue is how to merge the info. Maybe just parse the JSON shipped in Windows then if there is a new hash not in the other JSON, add/merge to the check but what date.
Can just force push this PR, overwriting the commits with new ones and rename the PR as needed. |
Its Also under found under following. Its the latest SVN 9.0 JSON.
Can just do a background comparison of JSON vs STAGED, no? And only if they differ, add a new line with the results. Like: Current UEFI DBX
Latest revocations : SUCCESS: 443 successes detected.
Staged revocations : SUCCESS: 289 successes detected. # Only show line if different
Windows Bootmgr SVN : 9.0
Windows cdboot SVN : 3.0
Windows wdsmgfw SVN : 3.0 |
|
Just that people keep asking what is staged? what's the difference? Is it fine if one of the results are red? etc... also the JSON actually does not matched the staged binaries shipped in Windows so we cannot actually call that staged. Someone probably messed up again. As you see, the staged is only 200+ hashes and that is not correct. Microsoft confirmed that no hashes are supposed to be removed. |
PartitionStyle 'GPT' required for UEFI/Secure Boot. Legacy 'MBR' should indicate a non-compliant system and trigger warning with guidance.
|
I think just show warning below secure boot status if the status is disabled. If enabled then sure is GPT, no need check (it's already kinda out of scope for the script that is for checking UEFI variables). MBR disk on UEFI systems should be rare. Only self-installs with user error should end up like that. |
- Change two states (Check, Cross) into three states: PRESENT, REVOKED, ABSENT. - Take latest JSON (GitHub or Local Windows folder) as baseline for all comparisons - Add expiration date - Incorportate JSON revocation into - Add tag to Baseline certs, easier identification - Remove all binary reads to dramatically improve runtime - Split DBX revoc. checks into Main and isOptional - Read UEFI only once - Add SetupMode and CA2023 Status and Capability. - Add Default DBX states.
|
Due to various conceptional changes I created a copy of the script, so it can be executed next to the existing one. |
Due to Microsoft local JSON versioning missing the isOptional tag
This reverts commit 2cf39cd.
Add various minor visual improvements
Further add var. total bytes size and error codes
- Reduce severity of cert disclaimer - Add version to ComputerSystemProduct info, don't show BaseBoard info if prior available - Implement arch fallback from main
|
Adding this as the final conceptual commit. Total runtime for compliant systems about 1 sec. Core features not yet in main:
Compliant state (left new, right old) |
|
I was not on GitHub much recently. Also waiting to see how Microsoft deals with the various inconsistencies and if the JSON is reliable. Regarding the vulnerable cert, I plan to put that in DBX section and only after Windows begins automatically revoking PCA 2011 and most bootable media has been migrated to 2023. At the moment it is still needed by some users so do not want to put a red alert there and make the average user concerned. I am not sure if checking KEK update is needed. Windows should also auto apply if available and linking to a bin file will make users ask many questions regarding if it is needed to do manually and how to do it. Revocation is independent of whether the cert is present. Even when cert is not present, revoking it or not has a difference. A cert that is not present but revoked will block any dual-signed EFI files from booting even if the other signature is trusted and not revoked. If you want to change Secure Boot mode check, ensure it still properly shows non-UEFI/no-SecureBoot systems as 'Not supported'. The current script was tested to be detecting this properly and skipping all checks when not in supported state. There is no non-UEFI system available here to test now. Cert expiration dates are purposely not shown. There was a request previously from user who thinks expiration dates matter. Expiration dates are meaningless to UEFI. It does not care about them. Showing expiration dates will make some users misunderstand that their system will stop working upon expiry or that they are secure without needing to revoke/remove an old cert because it has expired anyway. Also adds unneeded info and clutter. An expired PK can also still be used to sign updates by some OEMs. Can see PR 310 at Microsoft's repo for example. So expired PK does not mean system can no longer be updated too. Secure Boot servicing attributes header and MBR detection is more suitable in Check Windows state as they are regarding Windows installation and not UEFI variables. We cannot conclude things from AvailableUpdates too. When all updates are completed automatically by Windows, it is 0x0, not 0x4000. 0x4000 also means something else and not completed. Any combination of bits are also possible, not everyone starts with 0x5944. Will leave this PR here for the time being while seeing what happens with Microsoft's DBX inconsistencies. I may cherry pick some things (like total variable size) when I am free. I also already changed the cert parsing to be proper and checking certs using their fingerprint rather than names. |
|
Thanks for the elaborate reply.
Could maybe gray the PCA2011 vulnerability disclaimer in both cases. SVNs also red when unapplied, which maybe should be white/gray, as it’s also optional hardening. Knowing what exists is always harder than figuring out what to do with given information. Maybe something like: Main EFI revocations : SUCCESS: 443 successes.
Windows Bootmgr SVN : Not applied (Optional)
Windows cdboot SVN : Not applied (Optional)
Windows wdsmgfw SVN : Not applied (Optional)
Some boards seem to have broken "Append KEK" implementations, so not possible for Windows to auto apply the KEK (on my MSI legacy board too). One needs to manually set a new KEK bin file. Implemented currently to only show if a KEK update file is available and when KEK 2023 is not present yet. Maybe should even check if the auto apply failed before, to avoid confusion (will need to look up the EventID, probably 1796.
To my knowledge there is no difference in on-machine behaviour. Made three observations to back that up:
Its Enabled / Disabled only. Switched because it’s much faster runtime. Maybe could only distinct between Disabled and Not supported if it isn’t enabled. Will be much faster for most users (~1s), and slightly slower for few (~50ms).
Was thinking its interesting to know when the next KEK update is required, which is 12 years away, so eases the mind a bit. Could maybe only show for KEK 2K CA 2023, the others not so interesting.
Definitely makes sense for
Appreciate your efforts with the tool. Thank you, @cjee21. |
That is true if none are revoked but if one is revoked, file will always be blocked. DBX always takes priority. As long as a related cert or hash is in DBX, file is blocked before checking DB. That is if the UEFI implementation follows UEFI specifications exactly.
Well known certs already have known valid periods. Don't really need this script to know. |




Proposing to remove the
Write-Progressbar entirely.The improved runtime is faster than most humans should be able to read.
Show-CheckDBXwith currently 431 + 278 checks: