• Enabling Code Integrity Diagnostic System Log Events
• System Audit Log Events
• Informational Events in the Verbose Log
• Driver Verification Debugging Options
• Code Integrity Event Log Messages
• Resources
    Enabling Code Integrity Diagnostic System Log Events


    Kernel-mode code-signing enforcement is implemented by a Windows Vista component known as “Code Integrity.” Code Integrity generates diagnostic events and a system audit log event when the signature of a kernel module fails to verify correctly.

    • Code Integrity operational events are always enabled. The operational events are warning events indicating that an image verification check failed when a kernel-mode binary file was loaded.

    • Code Integrity system audit events are generated when the system audit policy is enabled. The system audit policy is not enabled by default.

    • Code Integrity verbose events are analytic and debug informational events that record every successful image verification check when kernel-mode binary files are loaded. Verbose events are not enabled by default.

    You can view Code Integrity events under Event Viewer, which is part of the Computer Management MMC snap-in. On the taskbar click Start, right-click Computer, and select Manage. On the Computer Management dialog box, click Event Viewer, click Applications and Services Logs, click Microsoft, click Windows, and then click CodeIntegrity, as shown in Figure 4.




    Figure 4. Code Integrity events

    The Code Integrity operational log shows events that the kernel generates when a kernel-mode driver fails an image verification check when the driver is loaded. The image verification failure may be due to a number of reasons:



    • The driver was unsigned but installed on the system by an administrator, and Code Integrity is not allowing the driver to load.

    • The driver was signed, but the driver image file was modified or tampered with, and the modification invalidated the driver signature.

    • The system disk returned read errors (for example, from bad sectors) while the image file was being read, so the image in memory does not match what was signed.

    For details on a particular entry, right-click the entry and then select Event Properties on the shortcut menu. Figure 5 shows an operational log entry for an unsigned or modified driver image verification failure.





    Figure 5. Operational log entry

    The event indicates that the Toaster driver (toaster.sys) could not be loaded because it was unsigned (or the toaster.sys image that is trying to load is not the same one that was digitally signed by the publisher).

    All Code Integrity event log messages are listed in “Code Integrity Event Log Messages” later in this paper.
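    As an added example (not part of the original paper), the same operational log can be read from an elevated PowerShell prompt instead of through Event Viewer. The channel name Microsoft-Windows-CodeIntegrity/Operational is assumed from the Event Viewer path given above (Microsoft > Windows > CodeIntegrity); Get-WinEvent requires PowerShell 2.0 or later, so on Windows Vista the Event Viewer procedure above remains the supported route.

```powershell
# Added example: summarize Code Integrity image-verification failures per driver file.
# Assumed channel name (from the Event Viewer path in the paper):
$log = 'Microsoft-Windows-CodeIntegrity/Operational'

# Level 3 = Warning. The operational channel only carries verification-failure warnings,
# so no event-ID filter is needed. -ErrorAction keeps an empty result from throwing.
$events = Get-WinEvent -FilterHashtable @{ LogName = $log; Level = 3 } -MaxEvents 500 -ErrorAction SilentlyContinue

if (-not $events) {
    Write-Host "No Code Integrity warnings found in $log"
    return
}

$events |
    ForEach-Object {
        # The message text names the image, e.g. "...of the file \Device\HarddiskVolume1\...\toaster.sys because...".
        $file = if ($_.Message -match '\\[^\s]+\.(sys|dll|exe)') { $Matches[0] } else { '<unparsed>' }
        [pscustomobject]@{
            Time    = $_.TimeCreated
            Id      = $_.Id
            File    = $file
            Summary = ($_.Message -split "`r?`n")[0]   # first line only; the rest is boilerplate
        }
    } |
    Group-Object File |
    ForEach-Object {
        $latest = $_.Group | Sort-Object Time -Descending | Select-Object -First 1
        [pscustomobject]@{
            File     = $_.Name
            Failures = $_.Count
            Latest   = $latest.Time
            EventId  = $latest.Id
            Summary  = $latest.Summary
        }
    } |
    Sort-Object Failures -Descending |
    Format-Table -AutoSize
```

    A driver that appears here after every reboot with the "file hash could not be found" or "unsigned driver" message is the case described above: either it was never signed, or the image on disk no longer matches its signature. Check the file with SignTool before assuming a disk error.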

    System Audit Log Events


    Code Integrity generates system audit log events that correspond to the operational warning events when image verification of a kernel-mode driver fails. The system log events are viewable in Event Viewer under the Windows Logs, System log view.

    System audit events may not be enabled on all Windows Vista systems. Use the Local Security Settings MMC snap-in (secpol.msc) to verify or enable Audit system events under the Local Policies, Audit Policy settings.
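    As an added example (not from the paper), the same audit setting can be checked and enabled with auditpol.exe, which ships with Windows Vista and later, and the resulting audit events pulled back from an elevated prompt. The audit policy writes to the Security log; Code Integrity's audit event there is ID 5038, "Code integrity determined that the image hash of a file is not valid", so the query below reads Security rather than System.

```powershell
# Added example: enable and collect the Code Integrity system audit events.
# Run from an elevated prompt; auditpol.exe and Get-WinEvent are real tools, the
# subcategory name "System Integrity" is the granular form of "Audit system events".

# 1. Show the current state of the System category before changing anything.
auditpol /get /category:System

# 2. Enable failure auditing for System Integrity. Success auditing is not needed to
#    see verification failures and would add noise.
auditpol /set /subcategory:"System Integrity" /failure:enable

# 3. Read the Security-log entries Code Integrity produced (ID 5038: image hash not valid).
$audit = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 5038 } -MaxEvents 100 -ErrorAction SilentlyContinue

if (-not $audit) {
    Write-Host 'No Code Integrity audit events yet; they are generated on the next failed driver load (reboot to retry).'
} else {
    $audit |
        Select-Object TimeCreated, Id,
                      @{ n = 'Summary'; e = { ($_.Message -split "`r?`n")[0] } } |
        Format-Table -AutoSize
}
```

    Because the audit event is a security event rather than a diagnostic one, it survives when the operational channel is cleared, which is why it is worth enabling on systems where driver loading is monitored.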


    Informational Events in the Verbose Log


    Additional Code Integrity informational events for all kernel-mode image verification checks are available by using the verbose event view. These events show successful image verification of all drivers loaded on the system.

    To enable the Code Integrity Verbose event view

    1. Left-click Operational view to display current Code Integrity events (if any).

    2. Left-click the Code Integrity node to set the focus.

    3. Right-click the Code Integrity node, select View, and then select Show Analytic and Debug Logs on the shortcut menu.

    This creates a subtree with two additional nodes: Operational and Verbose.

    4. Right-click the Verbose node and select Properties on the shortcut menu.

    5. On the General tab, select the Enable Logging option. This enables verbose logging mode.

    6. Close the dialog boxes and reboot the system to reload all kernel-mode binaries.

    7. After reboot, open the Computer Management snap-in and view the Code Integrity verbose event log.

    You can check whether toaster.sys is correctly signed. In this case, toaster.sys is a Plug and Play driver and is named in a catalog file (tstamd64.cat in “\src\general\toaster\toastpkg\toastcd”). Use SignTool to verify that toaster.sys is correctly signed through the catalog file by using the following command:

    Signtool verify /kp /c tstamd64.cat toaster.sys
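    As an added example (not from the paper), the seven Event Viewer steps above and the SignTool check can be scripted from an elevated PowerShell prompt. wevtutil.exe and signtool.exe are real tools; the channel name Microsoft-Windows-CodeIntegrity/Verbose is assumed from the "Verbose" node named in step 3, and the WDK root C:\WinDDK used to locate the toaster sample is an assumption for this machine.

```powershell
# Added example: enable the Code Integrity verbose (analytic) channel, read it after a
# reboot, and verify the sample driver against its catalog the way Code Integrity does.
$verbose = 'Microsoft-Windows-CodeIntegrity/Verbose'   # assumed channel name

# Analytic and debug channels are off by default. /e:true is the command-line equivalent
# of "Show Analytic and Debug Logs" followed by "Enable Logging"; /q:true skips the prompt.
wevtutil set-log $verbose /e:true /q:true
wevtutil get-log $verbose | Select-String 'enabled'     # expect "enabled: true"

# A reboot reloads every kernel-mode binary, so each one is verified and logged.
# Restart-Computer -Force

# After the reboot: analytic channels must be read oldest-first, and disabling the channel
# first ensures the file is not being written while it is read.
wevtutil set-log $verbose /e:false /q:true
Get-WinEvent -LogName $verbose -Oldest -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'toaster\.sys' } |
    Select-Object TimeCreated, Id, @{ n = 'Summary'; e = { ($_.Message -split "`r?`n")[0] } } |
    Format-Table -AutoSize

# Verify the driver against its catalog under the kernel-mode driver policy (/kp).
# /v prints the signer chain; a non-zero exit code means the signature did not verify.
$wdk = 'C:\WinDDK'                                                       # assumed WDK root
$cat = Join-Path $wdk 'src\general\toaster\toastpkg\toastcd\tstamd64.cat'
$sys = Join-Path $wdk 'src\general\toaster\toastpkg\toastcd\amd64\toaster.sys'  # assumed build output path
signtool verify /kp /v /c $cat $sys
if ($LASTEXITCODE -ne 0) {
    Write-Warning "toaster.sys did not verify against $cat; expect a Code Integrity operational warning on load"
}
```

    If SignTool succeeds but Code Integrity still logs a failure, compare the file that SignTool verified with the one actually loaded (the path in the event message); a stale copy in System32\drivers is a common cause.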




    Driver Verification Debugging Options


    Sometimes, developers may want to enforce the mandatory kernel-mode code-signing policy even when a debugger is attached. An example of this is when a driver stack has an unsigned driver (such as a filter driver) that fails to load, which may invalidate the entire stack. Because attaching a debugger allows the unsigned driver to load, the problem appears to vanish as soon as the debugger is attached, which makes this type of issue difficult to debug. To facilitate debugging in this case, Code Integrity supports a registry value that enforces kernel-mode signing even when a debugger is attached.

    Two DebugFlags values can be specified in the registry to control Code Integrity behavior under the debugger. The value is not defined by default.

    The DebugFlags value is located here:

    Key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\CI

    Value: DebugFlags REG_DWORD

    Possible settings for DebugFlags (shown as Registry Editor displays a REG_DWORD, in hexadecimal) include:

    • 0x00000001

    Breaks into the attached debugger when an unsigned driver is about to load; continuing with ‘g’ allows the driver to load.

    • 0x00000010

    Code Integrity ignores the presence of the debugger, and unsigned drivers are blocked from loading.

    Any other value (including an undefined DebugFlags value) results in unsigned drivers loading while a kernel debugger is attached, which is the default policy.
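    As an added example (not from the paper), the DebugFlags value can be inspected, set and removed from an elevated PowerShell prompt. The key and value name are those given above; the assumption that a reboot is needed for the kernel to pick up the new value is the author's, not the paper's.

```powershell
# Added example: manage HKLM\SYSTEM\CurrentControlSet\Control\CI\DebugFlags.
# Meanings (from the paper):
#   0x00000001  break into the debugger before an unsigned driver loads; 'g' lets it load
#   0x00000010  ignore the attached debugger and block unsigned drivers
#   anything else / not set  unsigned drivers load while a debugger is attached (default)
$key = 'HKLM:\SYSTEM\CurrentControlSet\Control\CI'

function Get-CIDebugFlags {
    # Returns $null when the value is not defined (the default state).
    $v = Get-ItemProperty -Path $key -Name DebugFlags -ErrorAction SilentlyContinue
    if ($null -eq $v) { return $null }
    return [int]$v.DebugFlags
}

function Set-CIDebugFlags([int]$flags) {
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    # REG_DWORD, overwritten if present. Assumption: Code Integrity reads the value at
    # boot, so reboot before expecting the new behavior.
    New-ItemProperty -Path $key -Name DebugFlags -PropertyType DWord -Value $flags -Force | Out-Null
}

function Remove-CIDebugFlags {
    # Restores the default policy (unsigned drivers load under the debugger).
    Remove-ItemProperty -Path $key -Name DebugFlags -ErrorAction SilentlyContinue
}

# Report the current state.
$current = Get-CIDebugFlags
if ($null -eq $current) {
    'DebugFlags not set: unsigned drivers load while a debugger is attached (default policy)'
} else {
    'DebugFlags = 0x{0:X8}' -f $current
}

# Reproduce the filter-driver scenario: keep signing enforced even with the debugger attached.
Set-CIDebugFlags 0x10
'DebugFlags now 0x{0:X8}; reboot with the debugger attached to see the unsigned driver blocked' -f (Get-CIDebugFlags)

# When the investigation is finished, restore the default so normal debugging works again:
# Remove-CIDebugFlags
```

    Leave the value unset on machines that are not being debugged: it has no effect without an attached kernel debugger, but a forgotten 0x00000001 turns every unsigned-driver load on a debug box into a breakpoint.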

    Code Integrity Event Log Messages


    The following are warning events that are logged to the Code Integrity operational log:

    • Code Integrity is unable to verify the image integrity of the file <file name> because file hash could not be found on the system.

    • Code Integrity detected an unsigned driver. (This event is related to Software Quality Monitoring (SQM).)

    The following are information events that are logged to the Code Integrity verbose log:

    • Code Integrity found a set of per-page image hashes for the file <file name> in a catalog <catalog name>.

    • Code Integrity found a set of per-page image hashes for the file <file name> in the image embedded certificate.

    • Code Integrity found a file hash for the file <file name> in a catalog <catalog name>.

    • Code Integrity found a file hash for the file <file name> in the image embedded certificate.

    • Code Integrity determined an unsigned kernel module <file name> is loaded into the system. Check with the publisher to see if a signed version of the kernel module is available.

    • Code Integrity is unable to verify the image integrity of the file <file name> because the set of per-page image hashes could not be found on the system.

    • Code Integrity is unable to verify the image integrity of the file <file name> because the set of per-page image hashes could not be found on the system. The image is allowed to load because kernel mode debugger is attached.

    • Code Integrity is unable to verify the image integrity of the file <file name> because a file hash could not be found on the system. The image is allowed to load because kernel mode debugger is attached.

    • Code Integrity was unable to load the <file name> catalog.

    • Code Integrity successfully loaded the <file name> catalog.

    Resources


    WHDC Web site

    Code Signing for Protected Media Components in Windows Vista

    http://www.microsoft.com/whdc/winlogo/drvsign/Pmp-sign.mspx

    Code-Signing Best Practices

    http://www.microsoft.com/whdc/winlogo/drvsign/best_practices.mspx

    Debugging Tools for Windows

    http://www.microsoft.com/whdc/DevTools/Debugging/default.mspx

    Driver Package Integrity during Plug and Play Device Installs in Windows Vista

    http://www.microsoft.com/whdc/winlogo/drvsign/pnp-driver.mspx

    Kernel-Mode Code Signing Walkthrough

    http://www.microsoft.com/whdc/winlogo/drvsign/kmcs_walkthrough.mspx

    Microsoft Cross-Certificates for Windows Vista Kernel Mode Code Signing

    http://www.microsoft.com/whdc/winlogo/drvsign/crosscert.mspx

    Windows Driver Kit (WDK)

    http://www.microsoft.com/whdc/driver/WDK/aboutWDK.mspx

    Windows Logo Program and Driver Signing

    http://www.microsoft.com/whdc/winlogo

    MSDN

    Certificate Creation Tool (Makecert.exe)

    http://go.microsoft.com/fwlink/?LinkId=95774

    Certificate Manager Tool (Certmgr.exe)

    http://go.microsoft.com/fwlink/?LinkId=95775

    CryptCATAdminAddCatalog in the SDK documentation on MSDN

    http://go.microsoft.com/fwlink/?LinkId=95778

    SignTool

    http://go.microsoft.com/fwlink/?LinkId=95786

    Using MakeCat

    http://go.microsoft.com/fwlink/?LinkId=95790

    WHQL Test Signature Program

    http://go.microsoft.com/fwlink/?LinkId=95791

    TechNet

    Boot Configuration Data Editor Frequently Asked Questions

    http://www.microsoft.com/technet/windowsvista/library/85cd5efe-c349-427c-b035-c2719d4af778.mspx

    Deploying Authenticode with Cryptographic Hardware for Secure Software Publishing

    http://www.microsoft.com/technet/security/topics/cryptographyetc/authenticodets.mspx

    Other

    Inf2cat FAQ

    https://winqual.microsoft.com/help/Inf2cat_FAQ.htm

    Windows Quality Online Services (Winqual)

    https://winqual.microsoft.com

    Windows Server 2003 SP1 Platform SDK download site

    http://www.microsoft.com/downloads/details.aspx?FamilyId=A55B6B43-E24F-4EA3-A93E-40C0EC4F68E5&displaylang=en

    July 25, 2007
    © 2006–2007 Microsoft Corporation. All rights reserved.