September 8, 2017 at 3:43 pm #2212
Applies To: Windows Server 2003 with SP1
What does kernel patch protection do?
Kernel patch protection prohibits kernel-mode drivers that extend or replace kernel services through undocumented means.
This feature describes changes in policy related to patching the kernel for Microsoft Windows Server 2003 Service Pack 1 x64-based operating systems.
Who does this feature apply to?
This feature primarily applies to driver developers, but IT professionals may also find this information useful.
What existing functionality is changing in Windows Server 2003 Service Pack 1?
Patching policy for x64-based systems
Microsoft Windows Server 2003 SP1 and later versions of Windows for x64-based systems do not allow the kernel to be patched except through authorized Microsoft-originated hotfixes.
Why is this change important?
Kernel-mode drivers that extend or replace kernel services through undocumented means (such as hooking the system service tables) can interfere with other software and affect the stability of the operating system. For x86-based systems, Microsoft discourages such practices but does not prevent them programmatically, because doing so would break compatibility for a significant amount of released software. A similar base of released software does not exist for x64-based systems, so it is possible to add this level of protection to the kernel without breaking compatibility.
What works differently?
Many system structures are protected on x64-based systems, including the system service dispatch tables, the interrupt descriptor table (IDT), and the global descriptor table (GDT). The operating system also does not allow third-party software to allocate memory "on the side" and use it as a kernel stack. If the operating system detects one of these modifications or any other unauthorized patch, it will generate a bug check with the stop code 0x109 and shut down the system.
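From an operations standpoint, the visible symptom of a kernel patch protection violation is the stop code 0x109 (CRITICAL_STRUCTURE_CORRUPTION) described above, which Windows records after the reboot as a System log event with ID 1001 from the "BugCheck" source. The following Python script is an added example, not part of the Microsoft documentation quoted in this post: it parses the standard "The bugcheck was: 0x... (...)" message text and flags the entries whose stop code is 0x109, so an administrator triaging unexpected reboots can separate patch protection bug checks from ordinary driver crashes. The event records are constructed for the example; the parameter values inside the parentheses are made up and are not decoded.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample records shaped like Windows System log entries:
# (timestamp, event id, source, message). Event ID 1001 from the
# "BugCheck" source is the standard post-reboot bug check record; the
# parameter values below are invented and carry no meaning.
SAMPLE_EVENTS = [
    ("2017-09-08T03:12:44", 1001, "BugCheck",
     "The computer has rebooted from a bugcheck.  The bugcheck was: "
     "0x00000109 (0xa3a01f5891e7c4a1, 0xb3b72bde2a0f8c23, "
     "0x0000000000000003, 0x0000000000000001). "
     "A dump was saved in: C:\\Windows\\MEMORY.DMP."),
    ("2017-09-08T05:40:10", 1001, "BugCheck",
     "The computer has rebooted from a bugcheck.  The bugcheck was: "
     "0x0000007e (0xffffffffc0000005, 0xfffff80001234567, "
     "0xfffffa8003b2c8f8, 0xfffffa8003b2c130). "
     "A dump was saved in: C:\\Windows\\MEMORY.DMP."),
    ("2017-09-08T06:01:00", 6005, "EventLog",
     "The Event log service was started."),
]

# Stop code the operating system raises for an unauthorized kernel patch.
KERNEL_PATCH_PROTECTION_STOP_CODE = 0x109

# Matches the stop code and the parenthesised parameter list in the
# standard event 1001 message text.
_BUGCHECK_RE = re.compile(r"The bugcheck was:\s*0x([0-9A-Fa-f]{8})\s*\(([^)]*)\)")


@dataclass
class BugCheck:
    timestamp: str
    stop_code: int
    parameters: Tuple[int, ...]


def parse_bugcheck(timestamp: str, event_id: int, source: str,
                   message: str) -> Optional[BugCheck]:
    """Return a BugCheck for an event 1001 / BugCheck record, else None."""
    if event_id != 1001 or source != "BugCheck":
        return None
    match = _BUGCHECK_RE.search(message)
    if not match:
        return None
    stop_code = int(match.group(1), 16)
    # int(..., 16) accepts the "0x" prefix, so the raw tokens parse directly.
    params = tuple(int(p.strip(), 16)
                   for p in match.group(2).split(",") if p.strip())
    return BugCheck(timestamp, stop_code, params)


def find_kernel_patch_protection_crashes(events) -> List[BugCheck]:
    """Keep only the bug checks whose stop code is 0x109."""
    hits = []
    for event in events:
        bug_check = parse_bugcheck(*event)
        if bug_check and bug_check.stop_code == KERNEL_PATCH_PROTECTION_STOP_CODE:
            hits.append(bug_check)
    return hits


if __name__ == "__main__":
    for hit in find_kernel_patch_protection_crashes(SAMPLE_EVENTS):
        print(f"{hit.timestamp}: stop code 0x{hit.stop_code:X} "
              f"(kernel patch protection), {len(hit.parameters)} parameters")
```

On a live system the same tuple shape can be produced from the System log (for example from the output of `Get-WinEvent` filtered to event ID 1001), and a 0x109 hit is the cue to inspect which third-party kernel-mode driver was loaded rather than to look for a faulty hardware component.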
How do I fix these issues?
For compatibility with Windows for x64-based systems, drivers cannot modify the kernel. The following actions are blocked in Windows Server 2003 SP1 for x64-based systems:
Modify system services tables, for example, by hooking the KeServiceDescriptor table
Modify the GDT
Use kernel stacks that are not allocated by the kernel
Patch any part of the kernel (detected on AMD64-based systems only)
Kernel patch protection might be extended in future system updates to protect against additional malicious patching techniques as new vulnerabilities are detected. To avoid compatibility issues with these updates, drivers should not attempt to update the kernel using other mechanisms.
Drivers for other platforms should also avoid patching the kernel to help ensure stability and reliability of the operating system and a better experience for users.
Do I need to change my code to work with Windows Server 2003 Service Pack 1?
Windows Server 2003 SP1 for x64-based systems is a new platform that requires new drivers. These new drivers must conform to x64 patch policy documented on the Microsoft Web site at http://go.microsoft.com/fwlink/?LinkId=38447.
For additional information see The Microsoft Windows Driver Development Kit (DDK) on the Microsoft Web site at