Share via

HLK - Smart Card Minidriver Certification Test fails

Darth Tester 20 Reputation points
2025-11-24T13:50:07.32+00:00

Dear team,

I work on smart card driver certification using windows Hardware Lab Kit (HLK).

The matter is that smart card minidriver certification test started failing since I updated test computer to windows 11 25H2 release.

The output from test run on test computer is:

C:\SmartCardMinidriverTest> .\cmck.exe certify

Device string in use: $LogFile:encoding=UNICODE,Writemode=overwrite,Shared=false,file="CMCK_log.xml",CRC=true;$Console

WTTLogger_CPP_GitEnlistment(SSCPBLD02); Version: 2.7.3483.0

Error: 0x80100002, The action was cancelled by an SCardCancel request.

    **SCardUIDlgSelectCard() failed**

    **File=ds\security\scard\test\hlk\minidriver\cmck\cardconnection.cpp Line=206**

Warn: ConnectCardModule failed unexpectedly with an error. There is a setup issue with the smart card device. For example, you may need to verify you have the correct dependent dll binaries installed on the machine, that the smart card reader and smart card are properly configured in the operating system, or that the xml config file needed is properly configured.

To run CMCK test from the command line, copy all files needed by the test to the client and run the test from the command line within an Administrator command window. The command line is "cmck.exe certify". The test files can be found at \<yourcontroller>\tests<architecture>\NTTest\dstest\security\core\bin\credentials\smartcard.

    **File=ds\security\scard\test\hlk\minidriver\cmck\testcasemanager.cpp, Line=3626**

Summary: Total=0, Passed=0, Failed=0, Blocked=0, Warned=0, Skipped=0

I set up test environment as previous times, but after updating windows, test fails.

Any idea?

Thanks in advance.

Windows for business | Windows Server | Devices and deployment | Other
0 comments
Answer accepted by question author
  1. VPHAN 10,640 Reputation points Independent Advisor
    2025-11-28T15:35:12.8233333+00:00

    The error 0x2 (WIN32: 2 ERROR_FILE_NOT_FOUND) combined with SCardGetCardTypeProviderName failing is definitive: the Calais Database (the Smart Card registry hive) does not have an entry for the ATR 3b 7f 96 00 00 00 6a 43 52 59 50 03 04 11 43 01 00 03 90 00. Essentially, the electrical layer (the reader) sees the card, but the logical layer (Windows Resource Manager) has no idea which DLL to load for that specific byte sequence, so it fails before it can even attempt to load a driver. This often happens after a major Windows feature update (like 25H2), as the update process can scrub the registry of "third-party" smart card entries that aren't backed by an active, digitally signed PnP driver package it recognizes as valid for the new kernel.

    You need to verify the registry state immediately. Open Registry Editor (regedit.exe) and navigate to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Calais\SmartCards. You are looking for a subkey that matches the ATR (often stored as a binary value or a subkey name derived from the ATR mask). Since certutil failed to find it, it is almost certainly missing. In a functional environment, you should see a key there containing values like 80000001 (pointing to your minidriver DLL name) and Crypto Provider (usually "Microsoft Base Smart Card Crypto Provider").

    To resolve this, you must re-register the card's ATR in the Calais database. Since you are in a driver development environment, locate the .inf file associated with your minidriver project. Right-click that .inf file and select Install. This performs the [Install.AddReg] directives that write the ATR and DLL mapping into the registry. If you cannot reinstall via INF, you can force the mapping using certutil in administrative mode: certutil -addcard -c "Your Card Name" "YourMinidriver.dll". You will be prompted to enter the ATR; copy the exact hex string from your output (3b 7f 96...) and paste it there.

    Once the registry key is restored, verify that the minidriver DLL (e.g., yourminidriver.dll) physically exists in %SystemRoot%\System32. Note that if your HLK test suite is running as a 32-bit process on this 64-bit OS, you must also ensure the DLL is in %SystemRoot%\SysWOW64 and the registry entry exists in HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Calais\SmartCards. Without this dual registration, the 64-bit OS sees the card, but the 32-bit cmck.exe test harness will still fail with "File Not Found."

6 additional answers

Sort by: Most helpful
Most helpful Newest Oldest
  1. VPHAN 10,640 Reputation points Independent Advisor
    2025-11-24T14:27:22.1933333+00:00

    Hi Darth Tester,

    Hope you don't mind reading this fairly comprehensive explanation. The failure you're encountering with the smart card minidriver certification test on Windows 11 25H2 is likely due to a compatibility issue introduced in the update, specifically affecting the smart card subsystem or the HLK test environment. The error code 0x80100002 (SCARD_E_CANCELLED) during SCardUIDlgSelectCard() indicates that the card selection UI was terminated prematurely, which can stem from changes in the smart card service behavior, driver conflicts, or altered security policies in the new OS build.

    Begin by verifying that the smart card reader drivers are certified for Windows 11 25H2 and that no incompatible drivers were inherited from the previous version. Check Device Manager for any warnings under "Smart card readers" and ensure the reader is detected without errors. Then, confirm that the smart card is properly inserted and recognized by the system using the Certificates snap-in (certmgr.msc) to view available certificates, which can help isolate if the issue is with card detection versus the test harness.

    Next, inspect the Windows Smart Card service (ScardSvr) is running and set to start automatically; sometimes updates reset service configurations. Also, review group policies or registry settings related to smart card logon or driver enforcement, as 25H2 may have tightened security requirements that interrupt the HLK test's UI dialog. For instance, check if "Interactive logon: Require smart card" is disabled during testing to avoid conflicts.

    Since HLK tests rely on specific dependencies, ensure all prerequisite binaries and XML configuration files are updated to versions compatible with Windows 11 25H2. Redeply the HLK test files from the latest kit, as Microsoft often releases patches for OS version shifts. If the issue persists, consider testing with a debugger attached to cmck.exe to capture why SCardUIDlgSelectCard() is being cancelled, which may reveal timeout issues or permission denials related to UIPI (User Interface Privilege Isolation) in newer Windows builds.

    I hope my ideas can be some of your help. It's really appreciated of you to accept the answer if you find it useful. Should you have any questions, feel free to leave a message.

    VP

  2. VPHAN 10,640 Reputation points Independent Advisor
    2025-11-25T08:40:25.9333333+00:00

    Hi

    How is your issue coming along? If you require more details or assistance, don’t hesitate to send a message. Glad to support you!

    VP

    0 comments
  3. Darth Tester 20 Reputation points
    2025-11-26T14:44:57.7166667+00:00

    Dear Vivian,

    thanks for your kind attention and complete explanation.

    I have solved a little issue with card detection.

    I played with Group Policy settings (gpedit) but was a bad idea.

    If I set every smart card setting to "Not configured" state, it works fine.

    However, test keeps failing.

    I checked your suggestions out but nothing changed.

    Before debugging, I wish to know more failure details using this interesting doc:

    https://v4.hkg1.meaqua.org/en-us/windows/security/identity-protection/smart-cards/smart-card-tools-and-settings

    I'll keep you posted.

    0 comments
  4. VPHAN 10,640 Reputation points Independent Advisor
    2025-11-27T11:32:09.77+00:00

    Well how about trying Certutil? But you must run it with the -scinfo flag to see the low-level binding that cmck.exe is likely rejecting.

    Open an Administrator command prompt and run certutil -v -scinfo. Don't look for "success" at the bottom; look specifically at the "Card Module Name" and "Provider" fields for the reader containing your test card. In Windows 11 24H2/25H2, the operating system aggressively prioritizes the inbox PIV driver (msclmd.dll) over custom vendor minidrivers for any card that reports PIV capabilities. If certutil reports the Card Module as msclmd.dll or the card name as "Identity Device (NIST SP 800-73 [PIV])", cmck.exe will fail exactly as you described because it filters the card selection dialog to only show cards bound to the minidriver under test. If the OS has seized the card using the inbox driver, the selection list becomes empty or mismatches, causing SCardUIDlgSelectCard to return SCARD_E_CANCELLED (0x80100002) immediately.

    If you confirm the wrong driver is loaded, you can force the correct association by going to Device Manager, finding the Smart Card (often listed under "Smart cards" as "Identity Device..."), right-clicking, and selecting Update driver → Browse my computer... → Let me pick..., then manually selecting your specific minidriver. Once certutil -scinfo shows your specific driver DLL and card name, retry cmck.exe.

    For deeper logging without a debugger, you can use the event logs mentioned in the "Smart Card Tools" documentation. Specifically, enable and check the Microsoft-Windows-SmartCard-DeviceEnum/Operational log in Event Viewer. This log details the Plug and Play decision-making process and will explicitly tell you if Windows rejected your custom minidriver in favor of the inbox driver due to driver ranking or signature scoring, a common hurdle in newer Windows 11 builds.

Your answer

Answers can be marked as 'Accepted' by the question author and 'Recommended' by moderators, which helps users know the answer solved the author's problem.