Export (0) Print
Expand All

Kernel-mode Driver Validation

Updated: December 16, 2008

Applies To: Windows Server 2008 R2

Code Integrity checks each kernel-mode driver for a digital signature when an attempt is made to load the driver into memory. If the kernel-mode driver is not signed, the operating system might not load it. Whether an unsigned driver is loaded without a digital signature depends on the platform of the operating system.

  • For x64-based computers, all kernel-mode drivers must be digitally signed.
  • For x86-based or Itanium-based computers, the following kernel-mode drivers require a digital signature: bootvid.dll, ci.dll, clfs.sys, hal.dll, kdcom.dll, ksecdd.sys, ntoskrnl.exe, pshed.dll, spldr.sys, tpm.sys, and winload.exe.

Note: If a kernel debugger is attached to the computer, Code Integrity still checks for a digital signature on every kernel-mode driver, but the operating system will load the drivers.


Event ID Source Message



Code Integrity determined an unsigned kernel module %2 is loaded into the system. Check with the publisher to see if a signed version of the kernel module is available.



Windows is unable to verify the image integrity of the file %2 because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.



Code Integrity is unable to verify the image integrity of the file %2 because a file hash could not be found on the system. The image is allowed to load because kernel mode debugger is attached.

Related Management Information

Code Integrity

Core Security

Community Additions

© 2016 Microsoft