Code Integrity

Applies To: Windows Server 2008 R2

Code Integrity is a feature that improves the security of the operating system by validating the integrity of a driver or system file each time it is loaded into memory. Code Integrity detects whether an unsigned driver or system file is being loaded into the kernel, or whether a system file has been modified by malicious software that is being run by a user account with administrative permissions. On x64-based versions of the operating system, kernel-mode drivers must be digitally signed.

Aspects

The following is a list of all aspects that are part of this managed entity:

Name Description

Catalog File Validation

The catalog files are comprised of multiple files that store file and page hashes used to validate the integrity of  system and non-Microsoft files. Each catalog (.cat file) has a digital signature that is used to validate the integrity of the contents stored within that file. If the digital signature on a system catalog file is corrupt, all of the file and page hashes stored in that file will be considered not valid.

Note: Some Windows boot drivers have the page hash and digital signature embedded in the file itself and do not require a catalog file to validate the digital signature.

Kernel-mode Driver Validation

Code Integrity checks each kernel-mode driver for a digital signature when an attempt is made to load the driver into memory. If the kernel-mode driver is not signed, the operating system might not load it. Whether an unsigned driver is loaded without a digital signature depends on the platform of the operating system.

  • For x64-based computers, all kernel-mode drivers must be digitally signed.
  • For x86-based or Itanium-based computers, the following kernel-mode drivers require a digital signature: bootvid.dll, ci.dll, clfs.sys, hal.dll, kdcom.dll, ksecdd.sys, ntoskrnl.exe, pshed.dll, spldr.sys, tpm.sys, and winload.exe.

Note: If a kernel debugger is attached to the computer, Code Integrity still checks for a digital signature on every kernel-mode driver, but the operating system will load the drivers.

User-mode Protected Media Path File Validation

Protected Processes are used to enhance the Digital Rights Management technology in Windows Vista and Windows Server 2008. Code Integrity validates user-mode files loaded into Protected Processes that are part of the Protected Media Path. The validation compares the page hashes stored in the system security catalog files to the page hashes of the user-mode files themselves. If the page hashes in the system security catalog files do not match the page hashes from the system file, the system file is not loaded by the operating system.

Additionally, Code Integrity validates cryptographic system files. The following cryptographic system files are validated by Code Integrity: bcrypt.dll, dssenh.dll, rsaenh.dll, win32_tpm.dll, and fveapi.all.

Note: If a kernel debugger is attached to the computer, Code Integrity still validates the page hashes on the user-mode files against the page hashes stored in the system security catalog files, but the operating system will load the files.

Core Security