Udostępnij za pośrednictwem


Event ID 3001 — Kernel-mode Driver Validation

Applies To: Windows Server 2008

Code Integrity checks each kernel-mode driver for a digital signature when an attempt is made to load the driver into memory. If the kernel-mode driver is not signed, the operating system might not load it. Whether an unsigned driver is loaded without a digital signature depends on the platform of the operating system.

  • For x64-based computers, all kernel-mode drivers must be digitally signed.
  • For x86-based or Itanium-based computers, the following kernel-mode drivers require a digital signature: bootvid.dll, ci.dll, clfs.sys, hal.dll, kdcom.dll, ksecdd.sys, ntoskrnl.exe, pshed.dll, spldr.sys, tpm.sys, and winload.exe.

Note: If a kernel debugger is attached to the computer, Code Integrity still checks for a digital signature on every kernel-mode driver, but the operating system will load the drivers.

Event Details

Product: Windows Operating System
ID: 3001
Source: Microsoft-Windows-CodeIntegrity
Version: 6.0
Symbolic Name: CiUnsignedDriverLoaded
Message: Code Integrity determined an unsigned kernel module %2 is loaded into the system. Check with the publisher to see if a signed version of the kernel module is available.

Resolve

Update kernel-mode driver status on an x86-based operating system

When an unsigned driver is detected on x86-based computers, Code Integrity will not prevent the kernel-mode driver from loading. You should consult the manufacturer to see if a digitally-signed version of the kernel-model driver exists and update the current driver.

To perform this procedure, you must be a member of the local Administrators group, or you must have been delegated the appropriate authority.

To update a kernel-mode driver:

  1. Copy the signed kernel-mode driver to a location on the local computer.
  2. Click Start, and then click Control Panel.
  3. Double-click Device Manager.
  4. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Continue.
  5. Right-click the hardware device that needs its driver updated, and then click Update Driver Software.
  6. Click Browse my computer for driver software.
  7. Click Browse, select the folder where the new driver file exists, and then click Next.
  8. Click Finish.

Note: An unsigned kernel-mode driver can affect the ability of media applications to play some media files.

Verify

You can verify that a kernel-mode driver was successfully validated and loaded by checking its driver status using the command prompt.

To perform this procedure, you must be a member of the local Administrators group, or you must have been delegated the appropriate authority.

To verify a kernel-mode driver was successfully validated and loaded:

  1. Click Start, point to All Programs, point to Accessories.
  2. Right-click Command Prompt, and then click Run as administrator.
  3. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Continue.
  4. Type sc query type= driver, and then press ENTER.
  5. In the list, find the appropriate driver and ensure that 4 RUNNING is displayed in the STATE column.

Note: If you know the driver name, type sc querydriver, where driver is the name of the driver file without the extension, at the command prompt, and then press ENTER.

Kernel-mode Driver Validation

Core Security