Code integrity checking

Hypervisor-Protected Code Integrity (HVCI) can use hardware virtualization technology to isolate the Code Integrity (CI) decision-making function from the rest of the Windows operating system. When virtualization-based security isolates Code Integrity, the only way kernel memory can become executable is through a Code Integrity verification. This means that kernel memory pages can never be both writable and executable (W+X), and executable code cannot be modified directly. The code integrity checking option in Driver Verifier checks that a driver is compatible with these rules and detects the following violations:

Error code | Code integrity issue
(The numbered items are the additional parameters reported together with each error code.)

0x2000 - The caller specified an executable pool type. (Expected: NonPagedPoolNx)
  • 2 - The address in the driver's code where the error was detected.
  • 3 - Pool Type.
  • 4 - Pool Tag (if provided).

0x2001 - The caller specified an executable page protection. (Expected: cleared PAGE_EXECUTE* bits)
  • 2 - The address in the driver's code where the error was detected.
  • 3 - Page Protection (WIN32_PROTECTION_MASK).

0x2002 - The caller specified an executable MDL mapping. (Expected: MdlMappingNoExecute)
  • 2 - The address in the driver's code where the error was detected.
  • 3 - Page Priority (MM_PAGE_PRIORITY logically OR'd with MdlMapping*).

0x2003 - The image contains an executable and writable section.
  • 2 - The image file name (Unicode string).
  • 3 - The address of the section header.
  • 4 - The section name (UTF-8 encoded string).

0x2004 - The image contains a section that is not page aligned.
  • 2 - The image file name (Unicode string).
  • 3 - The address of the section header.
  • 4 - The section name (UTF-8 encoded string).

0x2005 - The image contains an IAT located in an executable section.
  • 2 - The image file name (Unicode string).
  • 3 - IAT Directory.
  • 4 - The section name (UTF-8 encoded string).
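As an added example (not Microsoft's code and not part of Driver Verifier), the following Python script statically walks a driver image's section table and reports the three image-level conditions listed above (0x2003, 0x2004, 0x2005) before the driver is ever loaded under Verifier. It assumes a PE32+ (x64) image, treats "page aligned" as a section VirtualAddress that is a multiple of 0x1000, and checks a constructed sample header rather than a real driver; the sample holds one clean section plus one instance of each violation.

```python
import struct

PAGE_SIZE = 0x1000
SCN_EXECUTE, SCN_READ, SCN_WRITE = 0x20000000, 0x40000000, 0x80000000
IAT_DIR = 12  # IMAGE_DIRECTORY_ENTRY_IAT

def check_image(data: bytes):
    """Walk the section table of a PE32+ image; return [(error_code, section_name), ...]."""
    pe = struct.unpack_from("<I", data, 0x3C)[0]               # e_lfanew
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    nsec = struct.unpack_from("<H", data, pe + 6)[0]
    opt = pe + 24                                               # optional header
    opt_size = struct.unpack_from("<H", data, pe + 20)[0]
    # PE32+ data directories start at optional-header offset 112; entry 12 is the IAT.
    iat_rva, iat_size = struct.unpack_from("<II", data, opt + 112 + 8 * IAT_DIR)
    findings = []
    for i in range(nsec):
        hdr = opt + opt_size + 40 * i                           # 40-byte section headers
        name = data[hdr:hdr + 8].rstrip(b"\0").decode("utf-8", "replace")
        vsize, va = struct.unpack_from("<II", data, hdr + 8)   # VirtualSize, VirtualAddress
        chars = struct.unpack_from("<I", data, hdr + 36)[0]    # Characteristics
        if chars & SCN_EXECUTE and chars & SCN_WRITE:
            findings.append((0x2003, name))                     # executable and writable section
        if va % PAGE_SIZE:
            findings.append((0x2004, name))                     # not page aligned (assumed: VA alignment)
        if chars & SCN_EXECUTE and iat_size and va <= iat_rva < va + vsize:
            findings.append((0x2005, name))                     # IAT inside an executable section
    return findings

def build_image(sections, iat_rva=0, iat_size=0) -> bytes:
    """Constructed minimal PE32+ header (sample input, not a real driver)."""
    opt_size = 240                                              # PE32+ with 16 data directories
    dos = bytearray(0x40)
    struct.pack_into("<I", dos, 0x3C, len(dos))                 # e_lfanew -> right after DOS header
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x8664, len(sections), 0, 0, 0, opt_size, 0x22)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x20B)                       # PE32+ magic
    struct.pack_into("<I", opt, 32, PAGE_SIZE)                  # SectionAlignment
    struct.pack_into("<II", opt, 112 + 8 * IAT_DIR, iat_rva, iat_size)
    hdrs = b"".join(struct.pack("<8sIIIIIIHHI", n, PAGE_SIZE, va, PAGE_SIZE, 0, 0, 0, 0, 0, c)
                    for n, va, c in sections)
    return bytes(dos) + coff + bytes(opt) + hdrs

SAMPLE = build_image([
    (b".text", 0x1000, SCN_EXECUTE | SCN_READ),                 # 0x2005: the IAT is placed inside it
    (b".data", 0x2000, SCN_READ | SCN_WRITE),                   # clean
    (b".rwx", 0x3000, SCN_EXECUTE | SCN_READ | SCN_WRITE),      # 0x2003
    (b".odd", 0x4200, SCN_READ),                                # 0x2004
], iat_rva=0x1100, iat_size=0x40)
```

Running `check_image(SAMPLE)` yields one finding per flawed section, in section-table order; point it at the bytes of a built driver image to triage these three conditions before a Verifier boot.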

Activating this option:

You can activate code integrity checking for one or more drivers by using Driver Verifier Manager or the Verifier.exe command line. For details, see Selecting driver verifier options. You must restart the computer to activate or deactivate the code integrity checking option.

  • At the command line

    At the command line, the code integrity checking option is represented by the flag value 0x02000000 (bit 25). For example:

    verifier /flags 0x02000000 /driver MyDriver.sys

    The feature will be active after the next boot.

  • Using Driver Verifier Manager

  1. Start Driver Verifier Manager. Type Verifier in a Command Prompt window.
  2. Select Create custom settings (for code developers) and then click Next.
  3. Select (check) Code integrity checking.
  4. Restart the computer.

Evaluate HVCI driver compatibility