Code integrity checking
Hypervisor-Protected Code Integrity can use hardware technology and virtualization to isolate the Code Integrity (CI) decision-making function from the rest of the Windows operating system. When using virtualization-based security to isolate Code Integrity, the only way kernel memory can become executable is through a Code Integrity verification. This means that kernel memory pages can never be Writable and Executable (W+X) and executable code cannot be directly modified. The code integrity checks verify that a driver is compatible with these code integrity rules, and detect the following violations:
Error code | Code integrity issue |
---|---|
0x2000 | The caller specified an executable pool type. (Expected: NonPagedPoolNx) |
0x2001 | The caller specified an executable page protection. (Expected: cleared PAGE_EXECUTE* bits) |
0x2002 | The caller specified an executable MDL mapping. (Expected: MdlMappingNoExecute) |
0x2003 | The image contains an executable and writable section. |
0x2004 | The image contains a section that is not page aligned. |
0x2005 | The image contains an IAT located in an executable section. |
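The three image-level violations (0x2003, 0x2004, 0x2005) can be approximated before a driver is loaded by reading its PE headers. The following Python code is an added example, not Driver Verifier's own logic: `check_image` and `build_sample` are hypothetical names, the sample headers are constructed, and it assumes a 4 KB page size and treats "page aligned" as each section's virtual address being a multiple of the page size.

```python
import struct

PAGE = 0x1000  # assumed 4 KB page size
SCN_EXEC, SCN_READ, SCN_WRITE = 0x20000000, 0x40000000, 0x80000000
IAT_DIR = 12   # IMAGE_DIRECTORY_ENTRY_IAT

def check_image(pe):
    """Return the sorted violation codes (0x2003-0x2005) the headers suggest."""
    if pe[:2] != b"MZ":
        raise ValueError("not a PE image")
    nt = struct.unpack_from("<I", pe, 0x3C)[0]            # e_lfanew
    if pe[nt:nt + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    nsec, opt_size = struct.unpack_from("<H12xH", pe, nt + 6)
    opt = nt + 24                                         # optional header
    magic = struct.unpack_from("<H", pe, opt)[0]
    dirs = opt + (112 if magic == 0x20B else 96)          # PE32+ vs PE32
    ndirs = struct.unpack_from("<I", pe, dirs - 4)[0]
    iat_rva, iat_size = (struct.unpack_from("<II", pe, dirs + 8 * IAT_DIR)
                         if ndirs > IAT_DIR else (0, 0))
    found = set()
    for i in range(nsec):
        sec = opt + opt_size + 40 * i                     # section header i
        vsize, va, chars = struct.unpack_from("<8xII20xI", pe, sec)
        if chars & SCN_EXEC and chars & SCN_WRITE:
            found.add(0x2003)                             # W+X section
        if va % PAGE:
            found.add(0x2004)                             # not page aligned
        if iat_size and chars & SCN_EXEC and va <= iat_rva < va + vsize:
            found.add(0x2005)                             # IAT in executable section
    return sorted(found)

def build_sample(sections, iat_rva=0):
    """Constructed PE32+ headers only (no section data), for demonstration."""
    dos = b"MZ" + bytes(58) + struct.pack("<I", 64)
    coff = struct.pack("<HHIIIHH", 0x8664, len(sections), 0, 0, 0, 240, 0x22)
    opt = bytearray(240)
    struct.pack_into("<H", opt, 0, 0x20B)                 # PE32+ magic
    struct.pack_into("<II", opt, 32, PAGE, 0x200)         # Section/FileAlignment
    struct.pack_into("<I", opt, 108, 16)                  # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 112 + 8 * IAT_DIR, iat_rva, 0x40 if iat_rva else 0)
    hdrs = b"".join(struct.pack("<8sII20xI", n, 0x1000, va, ch)
                    for n, va, ch in sections)
    return dos + b"PE\0\0" + coff + bytes(opt) + hdrs

if __name__ == "__main__":
    bad = build_sample([(b".text", 0x1000, SCN_EXEC | SCN_READ | SCN_WRITE),
                        (b".data", 0x2200, SCN_READ | SCN_WRITE)], iat_rva=0x1010)
    print([hex(c) for c in check_image(bad)])
```

To check a real driver, pass the bytes of the .sys file to `check_image`; an empty list means none of the three header conditions were found.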
Activating this option:
You can activate code integrity checking for one or more drivers by using Driver Verifier Manager or the Verifier.exe command line. For details, see Selecting driver verifier options. You must restart the computer to activate or deactivate the code integrity checking option.
At the command line
At the command line, code integrity checking is represented by 0x02000000 (Bit 25). For example:
verifier /flags 0x02000000 /driver MyDriver.sys
The feature will be active after the next boot.
Using Driver Verifier Manager
- Start Driver Verifier Manager. Type Verifier in a Command Prompt window.
- Select Create custom settings (for code developers) and then click Next.
- Select (check) code integrity checking.
- Restart the computer.