An esoteric security feature in Windows Vista
called Kernel Patch Protection (aka PatchGuard)
garnered a lot of attention after security software companies complained that Microsoft was using the feature
to shut them out of the new OS. Kernel Patch Protection is
widely misunderstood, and security companies have certainly misrepresented the feature to the public. Here's what
you need to know about Kernel Patch Protection.
First, It's 64-Bit Only
The most often misunderstood fact about Kernel Patch
Protection is that the feature is present only in Vista x64 editions, including the 64-bit editions of Vista Home Premium,
Vista Business, Vista Enterprise, and Vista Ultimate. Kernel
Patch Protection isn't present in the more mainstream 32-bit versions of Vista.
What It Does
Kernel Patch Protection prevents what has become a common practice with Windows XP: Both malicious hackers
and security firms have come to rely on the ability to patch
(or "hook") the Windows kernel at runtime. This practice
can lead to system instability because the kernel is the core
component of the Windows OS and is used by all other OS
components, applications, and services. Of all the malicious software that relies on kernel patching to infiltrate
Windows, probably the most common type is the so-called
rootkit, which is often very difficult to detect and remove because
its hooks sit inside the kernel, beneath the very APIs that security tools use to inspect the system.
Security software firms began using kernel-patching
techniques years ago to battle these newer, more malicious
forms of malware. But any kernel patch, malicious or otherwise, can destabilize Windows and
end in a blue-screen crash.
In 32-bit versions of Vista, the kernel behaves much
like it does in XP, and security software firms can continue
patching the 32-bit Vista kernel at runtime, helping reduce
instances of rootkits and other malicious software. But in
64-bit versions of Vista, Kernel Patch Protection renders this
practice obsolete. Kernel Patch Protection—which debuted
in XP Professional x64 Edition and the 64-bit versions of
Windows Server 2003 with Service Pack 1 (SP1)—prevents
the Windows kernel from being patched at runtime. It does not
intercept the write itself; instead it periodically verifies that protected
kernel structures (kernel code, the system service table, the interrupt and
descriptor tables, and so on) still match their original state. When
Kernel Patch Protection finds that the kernel has been modified,
it immediately halts the OS with a bug check (the familiar
CRITICAL_STRUCTURE_CORRUPTION blue screen).
An immediate halt might sound like an overly
severe reaction, but Microsoft says it's by design. The goal is to guarantee that the kernel hasn't been modified, and the only way to guarantee that is to stop running it: if Kernel
Patch Protection merely warned the user, the attacker's code
would keep running inside the kernel while
the user was fumbling with consent dialog boxes.
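The following user-mode C program is an added example, not Microsoft's code, that simulates the detect-and-halt behaviour described above. A table of function pointers stands in for the system service table that XP-era drivers hooked; a baseline checksum is taken once, a rootkit-style hook replaces one entry, and a later integrity check answers the change with the bug check code instead of halting the machine. The routine names, the table layout, the hidden process ID and the use of FNV-1a as the checksum are all constructed for illustration; Microsoft has not published the real feature's internal checks.

```c
/*
 * Simulation of Kernel Patch Protection's detect-and-halt behaviour.
 * Added example, not Microsoft's code. A protected dispatch table is
 * checksummed once, re-verified later, and any modification is answered
 * with a bug check (here a returned code instead of a halted machine).
 * Service names, table layout, hidden PID and the FNV-1a checksum are
 * constructed stand-ins, not the real feature's internals.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define STATUS_OK                      0
#define CRITICAL_STRUCTURE_CORRUPTION  0x109   /* the real KPP bug check code */
#define NUM_SERVICES                   4
#define SVC_ENUM_PROCESS               3
#define HIDDEN_PID                     4       /* process the rootkit hides */

typedef long (*service_fn)(long);

/* Stand-ins for system service routines (constructed, not real NT APIs). */
static long svc_open_file(long h)      { return h + 1; }
static long svc_read_file(long h)      { return h * 2; }
static long svc_query_dir(long h)      { return h - 3; }
static long svc_enum_process(long pid) { return pid; }  /* "pid is visible" */

/* The protected structure: an SSDT-like table a hooking driver overwrites. */
static service_fn service_table[NUM_SERVICES] = {
    svc_open_file, svc_read_file, svc_query_dir, svc_enum_process
};

/* What a hooking driver does: swap a table entry for its own filter. */
static service_fn original_enum_process;
static long hooked_enum_process(long pid) {
    if (pid == HIDDEN_PID) return 0;           /* report "no such process" */
    return original_enum_process(pid);
}

int install_hook(void) {
    if (original_enum_process) return 0;        /* already installed */
    original_enum_process = service_table[SVC_ENUM_PROCESS];
    service_table[SVC_ENUM_PROCESS] = hooked_enum_process;
    return 1;
}

int remove_hook(void) {
    if (!original_enum_process) return 0;
    service_table[SVC_ENUM_PROCESS] = original_enum_process;
    original_enum_process = NULL;
    return 1;
}

/* Kernel entry point that consults the table, as the syscall dispatcher would. */
long syscall_dispatch(int index, long arg) {
    if (index < 0 || index >= NUM_SERVICES) return -1;
    return service_table[index](arg);
}

/* FNV-1a over the raw bytes of the table. The real feature covers far
 * more than one table (kernel code pages, IDT/GDT, certain MSRs). */
static uint64_t fnv1a(const void *p, size_t n) {
    const unsigned char *b = p;
    uint64_t h = 1469598103934665603ULL;
    for (size_t i = 0; i < n; i++) { h ^= b[i]; h *= 1099511628211ULL; }
    return h;
}

static uint64_t baseline_hash;

/* Taken once at boot, before any third-party driver has loaded. */
uint64_t kpp_init(void) {
    baseline_hash = fnv1a(service_table, sizeof service_table);
    return baseline_hash;
}

/* The periodic check. The write itself is not intercepted, so a hook is
 * live from the moment it is installed until this check next runs. */
int kpp_verify(void) {
    return fnv1a(service_table, sizeof service_table) == baseline_hash
           ? STATUS_OK : CRITICAL_STRUCTURE_CORRUPTION;
}

int main(void) {
    kpp_init();
    printf("clean table:  verify=0x%x enum(%d)=%ld\n", kpp_verify(),
           HIDDEN_PID, syscall_dispatch(SVC_ENUM_PROCESS, HIDDEN_PID));
    install_hook();
    printf("hooked table: enum(%d)=%ld (hidden) verify=0x%x\n", HIDDEN_PID,
           syscall_dispatch(SVC_ENUM_PROCESS, HIDDEN_PID), kpp_verify());
    remove_hook();
    printf("restored:     verify=0x%x\n", kpp_verify());
    return 0;
}
```

The sequence makes the security-relevant point concrete: between install_hook and kpp_verify the hooked dispatcher already hides the process, so the protection is detection after the fact, not prevention of the write. That is why the real feature runs its checks from a timer at unpredictable intervals and responds with a halt rather than a prompt: a warning would leave the hook in place for as long as the user took to read it.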
As its name suggests, Kernel Patch Protection protects only
the kernel. It isn't designed to be a general tool for preventing
malware or attacks on other parts of the OS. Of course, Vista
includes other security technologies, such as Address Space
Layout Randomization (ASLR) and Windows Defender, that provide a
baseline level of protection against other kinds of malware.
The Complaints
Companies such as McAfee and Symantec, which have
built successful businesses by protecting individuals and
businesses against the electronic threats that endanger
Windows systems, have complained that Kernel Patch
Protection prevents them from providing the same types
of protections for Vista that they provided for XP. Microsoft counter-argued that Kernel Patch Protection makes
64-bit Vista versions more secure and stable and renders
kernel patching by security companies unnecessary and
obsolete.
In the days before Vista was finalized, however, Microsoft announced a compromise: It will create a set of APIs
that will enable security software firms to interact with
Kernel Patch Protection at a programmatic level, providing
them with at least some of the kernel patching functionality
they've requested. Microsoft says it will deliver these APIs
in late 2007, perhaps as part of Vista SP1, which is due out
at the same time as Longhorn Server.
This timetable has generated a second round of complaints from security firms, which argue that the wait is too
long. However, x64 uptake won't pick up in the first year of
Vista availability. Although it's likely that most Vista users
will move to x64 systems in the future, that transition will
take years. In the meantime, users of Vista 64-bit editions
will be safer with Kernel Patch Protection in place.
Recommendations
Kernel Patch Protection is a valuable addition to Vista and
will make Vista more secure and stable. Any complaints
about this functionality on the part of security software
firms are political posturing: because of Microsoft's numerous antitrust problems around the world, these companies
believe they can threaten Microsoft and find a friendly ear
with regulatory bodies in various countries.