Kernel-mode Driver Validation
Applies To: Windows Server 2008
Code Integrity checks each kernel-mode driver for a digital signature when an attempt is made to load the driver into memory. If the kernel-mode driver is not signed, the operating system might not load it. Whether an unsigned driver is loaded without a digital signature depends on the platform of the operating system.
- For x64-based computers, all kernel-mode drivers must be digitally signed.
- For x86-based or Itanium-based computers, the following kernel-mode drivers require a digital signature: bootvid.dll, ci.dll, clfs.sys, hal.dll, kdcom.dll, ksecdd.sys, ntoskrnl.exe, pshed.dll, spldr.sys, tpm.sys, and winload.exe.
Note: If a kernel debugger is attached to the computer, Code Integrity still checks for a digital signature on every kernel-mode driver, but the operating system will load the drivers.
Events
Event ID | Source | Message |
---|---|---|
Microsoft-Windows-CodeIntegrity |
Code Integrity determined an unsigned kernel module %2 is loaded into the system. Check with the publisher to see if a signed version of the kernel module is available. | |
Microsoft-Windows-CodeIntegrity |
Windows is unable to verify the image integrity of the file %2 because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source. | |
Microsoft-Windows-CodeIntegrity |
Code Integrity is unable to verify the image integrity of the file %2 because a file hash could not be found on the system. The image is allowed to load because kernel mode debugger is attached. |