Microsoft Windows code integrity

Code integrity checking

Hypervisor-Protected Code Integrity (HVCI) can use hardware virtualization to isolate the Code Integrity (CI) decision-making function from the rest of the Windows operating system. When virtualization-based security isolates Code Integrity in this way, the only way kernel memory can become executable is through a Code Integrity verification. This means that kernel memory pages can never be both writable and executable (W+X) and that executable code cannot be modified in place. Driver Verifier's code integrity checking option checks that a driver complies with these rules and detects the following violations:

Error code and code integrity issue (the bug check parameters reported for each code are listed under it):

0x2000: The caller specified an executable pool type. (Expected: NonPagedPoolNx)
  • Parameter 2: The address in the driver's code where the error was detected.
  • Parameter 3: Pool Type.
  • Parameter 4: Pool Tag (if provided).

0x2001: The caller specified an executable page protection. (Expected: cleared PAGE_EXECUTE* bits)
  • Parameter 2: The address in the driver's code where the error was detected.
  • Parameter 3: Page Protection (WIN32_PROTECTION_MASK).

0x2002: The caller specified an executable MDL mapping. (Expected: MdlMappingNoExecute)
  • Parameter 2: The address in the driver's code where the error was detected.
  • Parameter 3: Page Priority (MM_PAGE_PRIORITY logically OR'd with MdlMapping*).

0x2003: The image contains an executable and writable section.
  • Parameter 2: The image file name (Unicode string).
  • Parameter 3: The address of the section header.
  • Parameter 4: The section name (UTF-8 encoded string).

0x2004: The image contains a section that is not page aligned.
  • Parameter 2: The image file name (Unicode string).
  • Parameter 3: The address of the section header.
  • Parameter 4: The section name (UTF-8 encoded string).

0x2005: The image contains an IAT located in an executable section.
  • Parameter 2: The image file name (Unicode string).
  • Parameter 3: IAT Directory.
  • Parameter 4: The section name (UTF-8 encoded string).
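The three image-level conditions (0x2003, 0x2004, 0x2005) are properties of the driver file itself, so they can be checked statically before the driver is ever loaded under Driver Verifier. The following PowerShell function is an added example, not code from the Microsoft documentation: it walks the PE section table and reports sections that are writable and executable, sections whose virtual address is not page aligned, and an IAT that falls inside an executable section. It assumes the PE/COFF header layout, a 4 KiB page size, and the function name Test-HvciImageSections (chosen here, not a Microsoft API).

```powershell
# Added example (not from the Microsoft docs): static scan of a PE image's section table
# for the image-level HVCI violations 0x2003 (W+X section), 0x2004 (section not page
# aligned) and 0x2005 (IAT inside an executable section).
# Assumptions: PE/COFF header layout per the PE specification and a 4 KiB page size.
function Test-HvciImageSections {
    [CmdletBinding()]
    param([Parameter(Mandatory)][string]$Path)

    $IMAGE_SCN_MEM_EXECUTE     = 0x20000000
    $IMAGE_SCN_MEM_WRITE       = 0x80000000
    $IMAGE_DIRECTORY_ENTRY_IAT = 12
    $PageSize                  = 0x1000

    $b = [System.IO.File]::ReadAllBytes($Path)
    if ($b.Length -lt 0x40 -or $b[0] -ne 0x4D -or $b[1] -ne 0x5A) { throw "$Path is not an MZ image" }
    $pe = [System.BitConverter]::ToInt32($b, 0x3C)                   # e_lfanew
    if ([System.BitConverter]::ToUInt32($b, $pe) -ne 0x00004550) { throw "$Path has no PE signature" }

    # COFF file header follows the 4-byte "PE\0\0" signature; the optional header follows it.
    $coff        = $pe + 4
    $numSections = [System.BitConverter]::ToUInt16($b, $coff + 2)
    $optSize     = [System.BitConverter]::ToUInt16($b, $coff + 16)
    $opt         = $coff + 20
    $magic       = [System.BitConverter]::ToUInt16($b, $opt)         # 0x10B = PE32, 0x20B = PE32+
    $sectAlign   = [System.BitConverter]::ToUInt32($b, $opt + 32)
    # Data directories start at optional-header offset 96 (PE32) or 112 (PE32+); 8 bytes each.
    $dirBase     = if ($magic -eq 0x20B) { $opt + 112 } else { $opt + 96 }
    $iatRva      = [System.BitConverter]::ToUInt32($b, $dirBase + 8 * $IMAGE_DIRECTORY_ENTRY_IAT)
    $iatSize     = [System.BitConverter]::ToUInt32($b, $dirBase + 8 * $IMAGE_DIRECTORY_ENTRY_IAT + 4)

    $findings = New-Object System.Collections.Generic.List[object]
    if ($sectAlign -lt $PageSize) {
        $findings.Add([pscustomobject]@{ Code = '0x2004'; Section = '(header)'
                                         Detail = "SectionAlignment 0x$($sectAlign.ToString('X')) is below the page size" })
    }

    $secHdr = $opt + $optSize                                         # first IMAGE_SECTION_HEADER (40 bytes each)
    for ($i = 0; $i -lt $numSections; $i++) {
        $h       = $secHdr + 40 * $i
        $name    = [System.Text.Encoding]::ASCII.GetString($b, $h, 8).TrimEnd([char]0)
        $vsize   = [System.BitConverter]::ToUInt32($b, $h + 8)
        $va      = [System.BitConverter]::ToUInt32($b, $h + 12)
        $rawSize = [System.BitConverter]::ToUInt32($b, $h + 16)
        $chars   = [System.BitConverter]::ToUInt32($b, $h + 36)
        $exec    = ($chars -band $IMAGE_SCN_MEM_EXECUTE) -ne 0
        $write   = ($chars -band $IMAGE_SCN_MEM_WRITE) -ne 0
        $span    = [Math]::Max($vsize, $rawSize)

        if ($exec -and $write) {
            $findings.Add([pscustomobject]@{ Code = '0x2003'; Section = $name; Detail = 'section is executable and writable (W+X)' })
        }
        if (($va % $PageSize) -ne 0) {
            $findings.Add([pscustomobject]@{ Code = '0x2004'; Section = $name
                                             Detail = "VirtualAddress 0x$($va.ToString('X')) is not page aligned" })
        }
        if ($exec -and $iatSize -gt 0 -and $iatRva -ge $va -and $iatRva -lt ($va + $span)) {
            $findings.Add([pscustomobject]@{ Code = '0x2005'; Section = $name
                                             Detail = "IAT at RVA 0x$($iatRva.ToString('X')) lies in an executable section" })
        }
    }
    return $findings
}

# Usage: scan a driver before enabling Driver Verifier on it. An empty result means none of
# the three image-level conditions is present; the pool and page-protection violations
# (0x2000 to 0x2002) are runtime conditions that only Driver Verifier can catch.
Test-HvciImageSections -Path 'C:\Windows\System32\drivers\MyDriver.sys' | Format-Table -AutoSize
```

The scan reads only the headers, so it works on any PE file, not just kernel drivers; running it across a driver directory is a cheap way to find images that will fail to load under HVCI before they hit a production machine.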

Activating this option:

You can activate code integrity checking for one or more drivers by using Driver Verifier Manager or the Verifier.exe command line. For details, see Selecting driver verifier options. You must restart the computer to activate or deactivate the code integrity checking option.

At the command line

At the command line, the code integrity checking is represented by 0x02000000 (Bit 25). For example:

verifier /flags 0x02000000 /driver MyDriver.sys

The feature will be active after the next boot.

Using Driver Verifier Manager

  1. Start Driver Verifier Manager. Type Verifier in a Command Prompt window.
  2. Select Create custom settings (for code developers) and then click Next.
  3. Select (check) Code integrity checking.
  4. Restart the computer.

Code Integrity Diagnostic System Log Events

The Code Integrity component of Windows Vista and later versions of Windows enforces the requirement that kernel-mode drivers be signed in order to load. Windows Vista and later versions of Windows always generate Code Integrity operational events and optionally will generate additional system audit events and verbose diagnostic events that provide information about the status of driver signing, as follows:

The Code Integrity operational log includes warning events that indicate that a kernel-mode driver failed to load because the driver signature could not be verified. Signature verification can fail for the following reasons:

  • An administrator preinstalled an unsigned driver, but Code Integrity subsequently blocked loading the unsigned driver.
  • The driver is signed, but the signature is invalid because the driver file has been altered.
  • The system disk device might have device errors when reading the file for the driver from bad disk sectors.

If system audit policy is enabled, Code Integrity generates System Audit log events that correspond to the Operational warning events indicating that signature verification of a driver file failed. System audit policy is not enabled by default.

If verbose logging for Code Integrity is enabled, Code Integrity logs analytic and debug events that provide information about successful verification checks that occur prior to loading kernel-mode driver files. Verbose logging for Code Integrity is not enabled by default.

You can use Event Viewer to view Code Integrity events, as described in Viewing Code Integrity Events. For more information about these event log messages, see Code Integrity Event Log Messages.

For more information about how to enable the system audit log and verbose logging, see Enabling the System Event Audit Log.
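Event Viewer is the documented way to read these events; the following PowerShell functions are an added example, not code from the Microsoft documentation, showing the same data pulled programmatically so it can be summarized across the fleet. Get-CodeIntegrityWarnings groups the Operational warnings and errors by event ID and keeps the first line of the latest message for each; Test-CodeIntegrityVerboseLog reports whether the verbose channel has been turned on. The channel names Microsoft-Windows-CodeIntegrity/Operational and Microsoft-Windows-CodeIntegrity/Verbose and both function names are assumptions made for this example.

```powershell
# Added example (not from the Microsoft docs): query the Code Integrity operational
# channel for the driver-load failures described above and report whether the verbose
# channel is enabled. Channel names are assumed; function names are chosen here.
function Get-CodeIntegrityWarnings {
    [CmdletBinding()]
    param([int]$Days = 7)

    $filter = @{
        LogName   = 'Microsoft-Windows-CodeIntegrity/Operational'
        Level     = 2, 3                                  # 2 = Error, 3 = Warning
        StartTime = (Get-Date).AddDays(-$Days)
    }
    # Get-WinEvent throws when nothing matches; treat "no events" as an empty result.
    $events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue

    $events |
        Group-Object Id |
        ForEach-Object {
            $latest = $_.Group | Sort-Object TimeCreated -Descending | Select-Object -First 1
            [pscustomobject]@{
                EventId  = $_.Name
                Count    = $_.Count
                LastSeen = $latest.TimeCreated
                # First line of the rendered message is the human-readable summary.
                Summary  = ($latest.Message -split "`r?`n")[0]
            }
        } | Sort-Object Count -Descending
}

function Test-CodeIntegrityVerboseLog {
    # Verbose logging is off by default (see above); report whether it has been enabled.
    # -Force is needed for analytic/debug channels when wildcards are used; harmless here.
    $logName = 'Microsoft-Windows-CodeIntegrity/Verbose'
    $log = Get-WinEvent -ListLog $logName -Force -ErrorAction SilentlyContinue
    $enabled = if ($null -ne $log) { [bool]$log.IsEnabled } else { $false }
    [pscustomobject]@{ LogName = $logName; Exists = ($null -ne $log); IsEnabled = $enabled }
}

# Usage: run in an elevated session; the Operational channel is readable without
# elevation on most systems, the verbose channel may not be.
Get-CodeIntegrityWarnings -Days 30 | Format-Table -AutoSize
Test-CodeIntegrityVerboseLog
```

A steady stream of the same event ID for the same file usually means a driver package that was installed unsigned or whose file was modified after signing; a one-off on a single machine is more consistent with the disk-read case listed above.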

Enable code integrity

If you receive a message that you need to enable code integrity, contact your IT support person. Your support person will help you enable Secure Boot, which will trigger code integrity the next time you start up your device.

If you're using a PC and consider yourself an advanced user, you can enable Secure Boot through the PC BIOS menu. For instructions, see Re-enable Secure Boot.

What is code integrity?

Code integrity is a threat protection feature that checks the drivers and system files on your device for signs of corruption or malicious software. For code integrity to work on your device, another security feature called Secure Boot must be enabled.

IT pro support

If you're an Intune administrator and want to learn more about Intune's device health compliance settings, see Add a device compliance policy for Windows 10 devices in Intune. For a detailed look at the compliance actions you can take in Intune, see the HealthAttestation CSP.

Next steps

Still need help? Contact your IT support person. For contact information, check the Company Portal website.

Windows Defender Application Control and virtualization-based protection of code integrity

Applies to

  • Windows 10
  • Windows Server 2016

Windows 10 includes a set of hardware and OS technologies that, when configured together, allow enterprises to "lock down" Windows 10 systems so they operate with many of the properties of mobile devices. In this configuration, specific technologies work together to restrict devices to only run authorized apps by using a feature called configurable code integrity, while simultaneously hardening the OS against kernel memory attacks by using virtualization-based protection of code integrity (more specifically, HVCI).

Configurable code integrity policies and HVCI are powerful protections that can be used separately. However, when these two technologies are configured to work together, they present a strong protection capability for Windows 10 devices.

Using configurable code integrity to restrict devices to only authorized apps has these advantages over other solutions:

  1. Configurable code integrity policy is enforced by the Windows kernel itself. As such, the policy takes effect early in the boot sequence before nearly all other OS code and before traditional antivirus solutions run.
  2. Configurable code integrity allows customers to set application control policy not only over code running in user mode, but also kernel mode hardware and software drivers and even code that runs as part of Windows.
  3. Customers can protect the configurable code integrity policy even from local administrator tampering by digitally signing the policy. This would mean that changing the policy would require both administrative privilege and access to the organization’s digital signing process, making it difficult for an attacker with administrative privilege, or malicious software that managed to gain administrative privilege, to alter the application control policy.
  4. The entire configurable code integrity enforcement mechanism can be protected by HVCI, where even if a vulnerability exists in kernel mode code, the likelihood that an attacker could successfully exploit it is diminished. Why is this relevant? That’s because an attacker that compromises the kernel would otherwise have enough privilege to disable most system defenses and override the application control policies enforced by configurable code integrity or any other application control solution.
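Because the two protections are independent, a machine can have either one without the other, and the lockdown described above only holds when both are actually running, not merely configured. The following PowerShell function is an added example, not code from the Microsoft documentation: it reads the Win32_DeviceGuard class in the root\Microsoft\Windows\DeviceGuard namespace and decodes whether VBS is running, whether HVCI is among the running security services, and whether the kernel-mode and user-mode code integrity policies are off, in audit mode, or enforced. The class, namespace and numeric meanings are as I know them from Windows 10; the function name Get-CodeIntegrityPosture is chosen here.

```powershell
# Added example (not from the Microsoft docs): report whether HVCI and a configurable
# code integrity policy are both running on the local machine.
# Assumptions: root\Microsoft\Windows\DeviceGuard namespace, Win32_DeviceGuard class, and
# the value meanings decoded below. Function name chosen here, not a Microsoft cmdlet.
function Get-CodeIntegrityPosture {
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard

    # VirtualizationBasedSecurityStatus: 0 = not enabled, 1 = enabled but not running, 2 = running
    $vbs = switch ($dg.VirtualizationBasedSecurityStatus) {
        0 { 'Not enabled' } 1 { 'Enabled, not running' } 2 { 'Running' } default { "Unknown ($_)" }
    }
    # CodeIntegrityPolicyEnforcementStatus: 0 = off, 1 = audit, 2 = enforced
    $kmci = switch ($dg.CodeIntegrityPolicyEnforcementStatus) {
        0 { 'Off' } 1 { 'Audit mode' } 2 { 'Enforced' } default { "Unknown ($_)" }
    }
    $umci = switch ($dg.UsermodeCodeIntegrityPolicyEnforcementStatus) {
        0 { 'Off' } 1 { 'Audit mode' } 2 { 'Enforced' } default { "Unknown ($_)" }
    }
    # SecurityServicesRunning is a list: 1 = Credential Guard, 2 = HVCI
    $hvci = [bool]($dg.SecurityServicesRunning -contains 2)

    [pscustomobject]@{
        VirtualizationBasedSecurity = $vbs
        HvciRunning                 = $hvci
        KernelModeCIPolicy          = $kmci
        UserModeCIPolicy            = $umci
        # The combined lockdown this section describes: HVCI running and the policy enforced.
        LockedDown                  = ($hvci -and ($kmci -eq 'Enforced'))
    }
}

Get-CodeIntegrityPosture | Format-List
```

A result of HVCI not running with the policy enforced is the common case on older hardware described in the next section: the application control benefit is still real, only the kernel-memory hardening is missing. The reverse, HVCI running with the policy off, is the state this section warns leaves an administrator-level compromise free to load arbitrary signed code.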

Windows Defender Application Control

When we originally designed this configuration state, we did so with a specific security promise in mind. Although there were no direct dependencies between configurable code integrity and HVCI, we intentionally focused our discussion around the lockdown state you achieve when deploying them together. However, given that HVCI relies on Windows virtualization-based security, it comes with more hardware, firmware, and kernel driver compatibility requirements that some older systems can’t meet. As a result, many IT Professionals assumed that because some systems couldn’t use HVCI, they couldn’t use configurable code integrity either.

Configurable code integrity carries no specific hardware or software requirements other than running Windows 10, which means many IT professionals were wrongly denied the benefits of this powerful application control capability.

Since the initial release of Windows 10, the world has witnessed numerous hacking and malware attacks where application control alone could have prevented the attack altogether. With this in mind, we are discussing and documenting configurable code integrity as an independent technology within our security stack and giving it a name of its own: Windows Defender Application Control. We hope this change will help us better communicate options for adopting application control within an organization.

Code Integrity Event Log Messages

The following are warning events that are logged to the Code Integrity operational log:

Code Integrity is unable to verify the image integrity of the file because file hash could not be found on the system.

Code Integrity detected an unsigned driver.

This event is related to Software Quality Monitoring (SQM).

The following are informational events that are logged to the Code Integrity verbose log:

Code Integrity found a set of per-page image hashes for the file in a catalog.

Code Integrity found a set of per-page image hashes for the file in the image embedded certificate.

Code Integrity found a file hash for the file in a catalog.

Code Integrity found a file hash for the file in the image embedded certificate.

Code Integrity determined an unsigned kernel module is loaded into the system. Check with the publisher to see whether a signed version of the kernel module is available.

Code Integrity is unable to verify the image integrity of the file because the set of per-page image hashes could not be found on the system.

Code Integrity is unable to verify the image integrity of the file because the set of per-page image hashes could not be found on the system. The image is allowed to load because kernel mode debugger is attached.

Code Integrity is unable to verify the image integrity of the file because a file hash could not be found on the system. The image is allowed to load because kernel mode debugger is attached.

Code Integrity was unable to load the catalog.

Code Integrity successfully loaded the catalog.
