Digital Signatures for Kernel Modules on x64-based Systems Running Windows Vista


This is an important change for Vista drivers.  The biggest change, from my perspective is this...


"Note: Even users with administrator privileges cannot load unsigned kernel-mode code on x64-based systems. This applies for any software module that loads in kernel mode, including device drivers, filter drivers, and kernel services."


Tripp has a good take on the changes.

Comments (6)

  1. Will Dean says:

    Tripp invites feedback, but doesn’t actually allow comments on his blog, so you’re going to get it here…

    *Requiring* WHQL signing would be one of the worst decisions MS ever made. Nobody who has EVER worked *outside* MS developing peripherals or drivers would support this.

    Acheiving WHQL signing is difficult, slow, expensive, and backed by an extremely poorly documented test suite which rarely does the same thing twice, and rarely fails because of the thing you’re testing.

    Even the XP level of interference with driver installation can be an almost impossible problem – in common with many others in the industry, I have written one of those apps which pushes the buttons on the ‘unsigned’ warning dialog. Why? Because the client was running headless machines, and needed to be confident that things wouldn’t grind to a halt if somebody moved a USB device from one port to another.

    That’s their computer, their software, their hardware and their drivers. And yet the MS monopoly wants to extort thousands of dollars to avoid a message box.

    Place whatever restrictions you like on getting into the box or onto Windows Update. Let the rest of us get on with using our time, money and computers how we’d like to.

    Have a look at http://groups.google.co.uk/groups?hl=en&q=group%3A*winlogo+%22walter+oney%22&qt_s=Search

    to see how frustated even the guy who wrote the MS Press WDM book gets with the idiotic HCT/WHQL process.

    It seriously alarms me that there are people in MS who think that Tripp’s post is a ‘good take’.

  2. Norman Diamond says:

    What Will Dean said. Me 1.99, i.e. me too except for one point.

    I would rather manipulate the registry or whatever, using known programmatic techniques, instead of pushing buttons on a dialog that was designed to be seen. I’ve been shafted twice by automatic button pushers.

  3. Will Dean says:

    Norman,

    Of course – I’d have much rather we could have turned the warnings off too. The button pushing is a desperate last resort, however loudly the Raymond Chens of this world may be heard scoffing from their ivory towers.

    Will

  4. SiM says:

    Drivers DigSig is generally good move with one exception: currently it _requires_ Verisign certificate and so establishes Verisign monopoly

  5. I was reading the comments on craigrow’s blog about WHQL signing and I saw a rather interesting comment…

Skip to main content