What You Need to Know About … Kernel Patch Protection

Here's the scoop on the Kernel Patch Protection feature in the Vista x64 editions.

Paul Thurrott

January 29, 2007


An esoteric security feature in Windows Vista called Kernel Patch Protection (aka PatchGuard) garnered a lot of attention after security software companies complained that Microsoft was using the feature to shut them out of the new OS. Kernel Patch Protection is widely misunderstood, and security companies have certainly misrepresented the feature to the public. Here's what you need to know about Kernel Patch Protection.

First, It's 64-Bit Only
The most often misunderstood fact about Kernel Patch Protection is that the feature is present only in Vista x64 editions, including the 64-bit editions of Vista Home Premium, Vista Business, Vista Enterprise, and Vista Ultimate. Kernel Patch Protection isn't present in the more mainstream 32-bit versions of Vista.

What It Does
Kernel Patch Protection prevents what has become a common practice with Windows XP: Both malicious hackers and security firms have come to rely on the ability to patch (or "hook") the Windows kernel at runtime. This practice can lead to system instability because the kernel is the core component of the Windows OS and is used by all other OS components, applications, and services. Of all the malicious software that relies on kernel patching to infiltrate Windows, probably the most common type is the so-called rootkit, which is often impossible to remove because of its deep hooks in the Windows kernel.

Security software firms began using kernel-patching techniques years ago to battle these new, more malicious forms of malware. But any kernel patch, malicious or otherwise, can render a Windows system unstable and generate a blue screen. The result is a nasty crash.

In 32-bit versions of Vista, the kernel behaves much like it does in XP, and security software firms can continue patching the 32-bit Vista kernel at runtime, helping reduce instances of rootkits and other malicious software. But in 64-bit versions of Vista, Kernel Patch Protection renders this practice obsolete. Kernel Patch Protection—which debuted in XP Professional x64 Edition and the 64-bit versions of Windows Server 2003 with Service Pack 1 (SP1)—prevents the Windows kernel from being patched at runtime. When Kernel Patch Protection detects an attempt to patch the kernel, it immediately shuts down the OS.

An immediate shutdown might sound like an overly severe reaction, but Microsoft says it's by design. The idea is to prevent the kernel from being modified, and to do that, Kernel Patch Protection has to shut down the OS; otherwise, hackers might be able to inject malicious code into the kernel while the user is fumbling with consent dialog boxes.

As its name suggests, Kernel Patch Protection protects only the kernel. It isn't designed to be a general tool for preventing malware or attacks on other parts of the OS. Of course, Vista includes other security technologies, such as Address Space Layout Randomizer and Windows Defender, that provide a baseline level of support against other kinds of malware.

The Complaints
Companies such as McAfee and Symantec, which have built successful businesses by protecting individuals and businesses against the electronic threats that endanger Windows systems, have complained that Kernel Patch Protection prevents them from providing the same types of protections for Vista that they provided for XP. Microsoft counter-argued that Kernel Patch Protection makes 64-bit Vista versions more secure and stable and renders kernel patching by security companies unnecessary and obsolete.

In the days before Vista was finalized, however, Microsoft announced a compromise: It will create a set of APIs that will enable security software firms to interact with Kernel Patch Protection at a programmatic level, providing them with at least some of the kernel patching functionality they've requested. Microsoft says it will deliver these APIs in late 2007, perhaps as part of Vista SP1, which is due out at the same time as Longhorn Server.

This timetable has generated a second round of complaints from security firms, which argue that the wait is too long. However, x64 uptake won't pick up in the first year of Vista availability. Although it's likely that most Vista users will move to x64 systems in the future, that transition will take years. In the meantime, users of Vista 64-bit editions will be safer with Kernel Patch Protection in place.

Recommendations
Kernel Patch Protection is a valuable addition to Vista and will make Vista more secure and stable. Any complaints about this functionality on the part of security software firms are political posturing: Because of Microsoft's numerous antitrust problems around the world, these companies believe they can threaten Microsoft and find a friendly ear with regulatory bodies in various countries.

About the Author

Paul Thurrott

Paul Thurrott is senior technical analyst for Windows IT Pro. He writes the SuperSite for Windows, a weekly editorial for Windows IT Pro UPDATE, and a daily Windows news and information newsletter called WinInfo Daily UPDATE.
