Kernel patch protection for x64-based operating systems

Applies To: Windows Server 2003 with SP1

What does kernel patch protection do?

Kernel patch protection prevents kernel-mode drivers from extending or replacing kernel services through undocumented means. This topic describes the changes in policy related to patching the kernel on Microsoft Windows Server 2003 Service Pack 1 x64-based operating systems.

Who does this feature apply to?

This feature primarily applies to driver developers, but IT professionals may also find this information useful.

What existing functionality is changing in Windows Server 2003 Service Pack 1?

Patching policy for x64-based systems

Detailed description

Microsoft Windows Server 2003 SP1 and later versions of Windows for x64-based systems do not allow the kernel to be patched except through authorized Microsoft-originated hotfixes.

Why is this change important?

Kernel-mode drivers that extend or replace kernel services through undocumented means (such as hooking the system service tables) can interfere with other software and affect the stability of the operating system. For x86-based systems, Microsoft discourages such practices but does not prevent them programmatically, because doing so would break compatibility for a significant amount of released software. A similar base of released software does not exist for x64-based systems, so it is possible to add this level of protection to the kernel without breaking compatibility.

What works differently?

Many system structures are protected on x64-based systems, including the system service dispatch tables, the interrupt descriptor table (IDT), and the global descriptor table (GDT). The operating system also does not allow third-party software to allocate memory "on the side" and use it as a kernel stack. If the operating system detects one of these modifications or any other unauthorized patch, it will generate a bug check with the stop code 0x109 and shut down the system.
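As an added illustration for defenders (not part of this Microsoft article), the following Python script scans exported System event log text for the "rebooted from a bugcheck" event (Source BugCheck, Event ID 1001), keeps only the stop code 0x109 entries described above, and maps the fourth bug check parameter to the kind of protected structure that was found modified. The sample log lines are constructed, and the parameter meanings are taken from Microsoft's bug check 0x109 reference rather than from this page.

```python
import re

# Constructed sample of System event log text as exported from Event Viewer
# (Source: BugCheck, Event ID 1001). The parameter values are made up; the
# message wording follows the real "rebooted from a bugcheck" event text.
SAMPLE_LOG = """\
Information 2005-06-01 08:12:03 Service Control Manager 7036 The Workstation service entered the running state.
Error 2005-06-01 08:15:41 BugCheck 1001 The computer has rebooted from a bugcheck. The bugcheck was: 0x00000109 (0xa3a01f58a4b2c7d1, 0xb3b72bdec9e8f0a5, 0xfffff800012a3b40, 0x0000000000000002). A dump was saved in: C:\\WINDOWS\\MEMORY.DMP.
Error 2005-06-02 19:02:10 BugCheck 1001 The computer has rebooted from a bugcheck. The bugcheck was: 0x0000007e (0xffffffffc0000005, 0xfffff800010a1f00, 0xfffffadf8a1b2c30, 0xfffffadf8a1b1c40). A dump was saved in: C:\\WINDOWS\\MEMORY.DMP.
Error 2005-06-03 02:44:58 BugCheck 1001 The computer has rebooted from a bugcheck. The bugcheck was: 0x00000109 (0xa3a01f58b1c2d3e4, 0xb3b72bdef5a6b7c8, 0xfffff80001198c00, 0x000000000000000a). A dump was saved in: C:\\WINDOWS\\MEMORY.DMP.
"""

# Stop code the page describes: CRITICAL_STRUCTURE_CORRUPTION.
KERNEL_PATCH_PROTECTION_STOP_CODE = 0x109

# Meaning of the fourth bug check parameter (the corrupted region), taken from
# Microsoft's reference for bug check 0x109, not from the page above.
CORRUPTED_REGION = {
    0x0: "generic data region",
    0x1: "function modification",
    0x2: "processor IDT",
    0x3: "processor GDT",
    0x6: "debug routine modification",
    0x7: "critical MSR modification",
    0xA: "system service function",
}

# Matches the stop code and its four parameters in the Event ID 1001 message.
BUGCHECK_RE = re.compile(
    r"The bugcheck was: 0x([0-9a-fA-F]{8}) "
    r"\(0x([0-9a-fA-F]+), 0x([0-9a-fA-F]+), 0x([0-9a-fA-F]+), 0x([0-9a-fA-F]+)\)"
)

def find_patch_protection_bugchecks(log_text):
    """Return one dict per 0x109 bug check found in the exported log text."""
    hits = []
    for line in log_text.splitlines():
        m = BUGCHECK_RE.search(line)
        if m is None or int(m.group(1), 16) != KERNEL_PATCH_PROTECTION_STOP_CODE:
            continue
        arg3, arg4 = int(m.group(4), 16), int(m.group(5), 16)
        hits.append({
            "timestamp": " ".join(line.split()[1:3]),  # date and time columns
            "arg3": arg3,                              # failure-dependent detail
            "region": CORRUPTED_REGION.get(arg4, f"unknown (0x{arg4:x})"),
        })
    return hits
```

Feed `find_patch_protection_bugchecks()` the text of an exported System log to list each kernel patch protection bug check with its timestamp and the protected structure involved.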

How do I fix these issues?

For compatibility with Windows for x64-based systems, drivers cannot modify the kernel. The following actions are blocked in Windows Server 2003 SP1 for x64-based systems:

  • Modify system service tables, for example, by hooking KeServiceDescriptorTable

  • Modify the IDT

  • Modify the GDT

  • Use kernel stacks that are not allocated by the kernel

  • Patch any part of the kernel (detected on AMD64-based systems only)

Kernel patch protection might be extended in future system updates to protect against additional malicious patching techniques as new vulnerabilities are detected. To avoid compatibility issues with these updates, drivers should not attempt to patch the kernel through any other mechanism.

Drivers for other platforms should also avoid patching the kernel to help ensure stability and reliability of the operating system and a better experience for users.

Do I need to change my code to work with Windows Server 2003 Service Pack 1?

Windows Server 2003 SP1 for x64-based systems is a new platform that requires new drivers. These new drivers must conform to the x64 patch policy documented on the Microsoft Web site at https://go.microsoft.com/fwlink/?LinkId=38447.

For additional information, see the Microsoft Windows Driver Development Kit (DDK) on the Microsoft Web site at https://go.microsoft.com/fwlink/?LinkId=38448.