
Only Signed Drivers To Run on Vista X64

In the latest shocker to hit the driver development community, it seems that Microsoft has decided that only signed drivers will be loadable on 64-bit Windows Vista systems.

In a paper released today (19 January) on the WHDC website, Microsoft indicated that for Windows Vista "unsigned kernel-mode software will not load and will not run on x64-based systems." This is in addition to the fact that users without administrator privilege, on any Vista system (32-bit or 64-bit), will not be able to load unsigned drivers.

These announcements, which took most of the driver development community by surprise, follow closely last month's announcement that KMDF would not run on Windows 2000 systems.  While the KMDF decision is being "reconsidered" according to Microsoft sources, we can't imagine the same happening for Vista driver signing.

Note that Microsoft's statements do not mean that drivers must pass WHQL testing to be loaded.  While getting the Designed for Windows logo by passing the WHQL tests is one option, developers can obtain a Publisher Identity Certificate (PIC) from Microsoft and use that to sign their code.  A prerequisite to obtaining a PIC is that the organization have a Class 3 Commercial Software Publisher Certificate issued by Verisign. What?  Your org doesn't use Verisign for its PKI infrastructure?  Apparently that's just too bad.  The necessary certification is only $500 (valid for a year), which shouldn't present a burden for most companies.

With bombshells like this one being dropped only months before Vista's release, we can't wait to see what the next few months will bring.

User Comments

"It's not all that bad..."
Let's be honest. The number of people that will really *need* to install unsigned 64-bit drivers is minuscule in comparison with the number of uneducated users who don't understand that double-clicking that "way cool attachment" they got via email will install rootkits on their system. If professionals can't afford $400 per year, I think they need to reconsider their business model. And for the students and hobbyists out there who don't have a budget -- just plug in the kernel debugger or hit F8 before boot.

Re: Ouch

I think you were on the wrong page. Code signing certificates are only $499/year. Take a look here:

http://www.verisign.com/products-services/security-services/code-signing/digital-ids-code-signing/index.html

I think Microsoft leverages Verisign's "due diligence" process to make sure some bozon virus writer won't end up with a PIC. Or at least, if they do, there will be an evidence trail leading directly to the culprit.

Re: Chilling

If you have a driver for a piece of old hardware that needs to be signed, you can buy one certificate and timestamp the file(s) you're signing, so the signature is good even after the certificate expires.

01-Mar-06, Dan Germann


"Chilling"
I'm surprised there seems to be so much acceptance of this.

I can understand having an option to reject unsigned kernel mode code that administrators can choose to employ, but for MS to tell me what I can and can't run on my own PC...That's not right.

I've written a driver for a piece of hardware whose manufacturer is long gone. Now MS is telling me that if I want to run this driver on my PC in Vista x64, I have to pay hundreds of dollars to Verisign each year?

Be careful. The road we're on likely ends with future versions of Windows requiring _all_ code to be signed. That'll have chilling effects on open source, independent and shareware developers.

25-Feb-06, Marc Klenotic


"Only Signed Drivers To Run on Vista X64"
It sucks. Another reason MS will go into oblivion. I hate to say this but Linux is the way to go.

22-Feb-06, John Chiu


"Signing filter driver"
That's great but what about the non-AV file system filters? We don't have a program.

10-Feb-06, Jerry Kelley


"Ouch"
What's with the insistence on Verisign?

Their certificates are far from cheap... Clicking on 'buy' presents you with a nice bill for $1,295. I pay $100 a year for our non-Verisign ones that work perfectly.

btw. the only place I can find 'Class 3 Commercial Software Publisher Certificate' is in their insurance plan.. they don't appear to sell them under that name on their website.

08-Feb-06, Tony Hoyle


"Test Test Test"
Let's hope that the quality of the software tests from Microsoft that we need to pass increases too! What about making some of the tests open source so that we as developers can develop better tests and then supply the changed code to Microsoft?

03-Feb-06, William Jones


"One more result of viral attacks on the OS"
This shouldn't really be unexpected (although the timing sucks); it's just one more way that the big M is responding to criticism about the security of the OS.

It's interesting to speculate that what we'll see is an increased push by MSFT to move everyone to 64-bit hardware, whether they need it or not. They have a lot more headroom to support things like prohibiting hooking and requiring signing (and supporting the memory necessary for the new Vista UI) with 64-bit hardware.

24-Jan-06, David Beaver


"Only Signed Drivers To Run on Vista X64"
I'm actually OK with this one. Just as long as they don't change their minds about WHQL testing.

20-Jan-06, Mike Yoke

