Windows Driver Kit: Device Installation
Kernel-Mode Code Signing Policy (Windows Vista and Later)
For 64-bit versions of Windows Vista and later versions of Windows, the kernel-mode code signing policy requires that all kernel-mode code have a digital signature. In addition, certain configurations of 32-bit versions of Windows Vista and later versions of Windows also require a kernel-mode driver to be digitally signed in order to access next generation premium content that is controlled by the content protection policy. Windows Vista and later versions of Windows rely on digital signatures of these components to increase the safety and stability of the Microsoft Windows platform and enable new customer experiences with next generation premium content.
Digital signatures allow the administrator or end-user who is installing Windows-based software to know whether a legitimate publisher has provided the software package. When users choose to send Windows Error Reporting data to Microsoft after a fault or other error occurs, Microsoft can analyze the data to know which publishers’ software was running on the system at the time of the error. Software publishers can then use the information that is provided by Microsoft to find and fix problems in their software.
In Windows Vista and later versions of Windows, the kernel-mode code signing policy requires that the following drivers have digital signatures:
- On 64-bit versions of Windows, all kernel mode software, including, but not limited to, kernel-mode device drivers.
- Drivers that stream protected content. This includes audio drivers that use Protected User Mode Audio (PUMA) and Protected Audio Path (PAP), and video device drivers that handle protected video path-output protection management (PVP-OPM) commands. Information about these requirements is outside the scope of this documentation. For more information about these requirements, see Code-signing for Protected Media Components (Windows Vista and Later).
Be aware that this code signing policy is in addition to the Plug and Play (PnP) device installation signing requirements that affect the installation of a device driver. A developer and publisher of a driver must comply with both the kernel-mode code signing requirement for loading a kernel-mode driver and the PnP device installation signing requirements for installing a driver. Also be aware that, although an administrator can authorize the preinstallation of an unsigned kernel-mode driver on a 64-bit system, the administrator cannot subsequently load the unsigned driver during the installation of the driver for a device.
Starting with Windows Vista, kernel-mode code signing enforcement is implemented by a component known as Code Integrity. Code Integrity is a feature that improves the security of the operating system by verifying the integrity of a file every time that the image of the file is loaded into memory. The function of Code Integrity is to detect if an unsigned driver is being loaded into kernel-mode, or if a system binary file has been modified by malicious code that may have been run by an administrator.
Starting with Windows Vista, Code Integrity helps ensure that the operating system is running known, identifiable code. Code Integrity generates diagnostic events and a system audit log event when the signature of a kernel module fails to verify correctly. You can use the information logged by Code Integrity to troubleshoot driver load problems.
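The following PowerShell script is an added troubleshooting example, not part of the WDK documentation: it lists running kernel-mode drivers whose files do not carry a valid embedded Authenticode signature, then pulls recent Code Integrity error and warning events. It assumes an elevated PowerShell 5.1 or later session and that Code Integrity writes to the event channel `Microsoft-Windows-CodeIntegrity/Operational` (that channel name is not stated on this page).

```powershell
# Added example, not from the WDK docs. Run elevated on Windows Vista or later.
# The event channel name below is an assumption about where Code Integrity logs.

# 1. Running kernel-mode drivers and the status of each file's embedded signature.
$drivers = Get-CimInstance Win32_SystemDriver |
    Where-Object { $_.State -eq 'Running' -and $_.PathName }

$report = foreach ($d in $drivers) {
    # Normalize the two native path forms that Win32_SystemDriver may return.
    $path = $d.PathName -replace '^\\\?\?\\', ''
    $path = $path -replace '^\\SystemRoot', $env:SystemRoot
    if (-not (Test-Path -LiteralPath $path)) { continue }

    $sig = Get-AuthenticodeSignature -LiteralPath $path
    [pscustomobject]@{
        Name   = $d.Name
        Path   = $path
        Status = $sig.Status                      # Valid, NotSigned, HashMismatch, ...
        Signer = $sig.SignerCertificate.Subject   # $null when there is no embedded signature
    }
}

# Anything other than 'Valid' deserves a second look against the kernel-mode policy.
$report | Where-Object { $_.Status -ne 'Valid' } | Sort-Object Name | Format-Table -AutoSize

# 2. Code Integrity diagnostic events from the last seven days (errors and warnings).
#    Level 2 = Error, Level 3 = Warning.
Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-CodeIntegrity/Operational'
    Level     = 2, 3
    StartTime = (Get-Date).AddDays(-7)
} -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message |
    Format-Table -Wrap
```

Get-AuthenticodeSignature checks only embedded signatures, so a driver that is signed through a catalog file reports NotSigned here even though it satisfies the policy; for those, verify the catalog with the WDK's `signtool verify /kp /c <catalog.cat> <driver.sys>`.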
For development and testing purposes only, kernel-mode code signing enforcement can be temporarily disabled. For more information, see Installing an Unsigned Driver Package during Development and Test.
For general information about how to sign a driver for public release on Windows Vista and later versions of Windows, see Signing Drivers for Public Release (Windows Vista and Later).
For general information about how to test-sign a driver during development and test on Windows Vista and later versions of Windows, see Signing Drivers during Development and Test (Windows Vista and Later).
For more information about the kernel-mode code signing requirements, see the Digital Signatures for Kernel Modules on Systems Running Windows Vista Web site.
Note: The information that is provided at that Web site is also applicable to Windows Server 2008 and later versions of Windows.