
Control Flow Guard

Jimmy_James Posts: 106
All,
I'm looking for information on Control Flow Guard (CFG). Specifically, I'm
wondering how widely it is supported for kernel mode drivers. In my search
I found the very useful post from Ken Johnson (
https://www.osronline.com/showthread.cfm?link=283374) which seems to state
that CFG is only supported for OSes hosted by hypervisor when HVCI is
enabled. I'm wondering if anyone has any updated information on this.
TIA!

Comments

  • Ken_Johnson Posts: 1,556
    If you are speaking about the OS side of things, the situation hasn’t since changed:

    Kernel mode CFG requires HVCI to be enabled in order for kernel CFG to be enforced. (The root partition is also allowed to enable HVCI, and often does for client scenarios that involve HVCI, for example; HVCI is not a guest OS only capability.)

    User mode CFG is independent of HVCI (though it does require NX enforcement for CFG to be effective; note that Windows has required processors to support NX for several releases now, and virtually all modern processors released in well over the last 10 years support NX).


    Drivers and apps built with CFG instrumentation will work fine on old OS’s, or in configurations without CFG being enforced. The CFG instrumentation only “lights up” when paired with an OS with CFG enabled that wires up the support when loading images. Otherwise, the instrumentation is effectively a no-op if the image is used in a “CFG-unaware” environment.

    - Ken

    From: xxxxx@lists.osr.com [mailto:xxxxx@lists.osr.com] On Behalf Of JIm james
    Sent: Friday, February 02, 2018 3:50 PM
    To: Windows File Systems Devs Interest List
    Subject: [ntfsd] Control Flow Guard

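The reply above separates two things: whether an image was built with CFG instrumentation, and whether the OS enforces it. The first can be checked per binary. The following is an added example, not code from the thread or from Microsoft: it reads the PE optional header's DllCharacteristics field and reports whether IMAGE_DLLCHARACTERISTICS_GUARD_CF and NX_COMPAT are set. The function names and the header-only sample stub are constructed for illustration, and the check covers the header bit only, not the load configuration's guard tables or whether HVCI is enabled on a machine.

```python
import struct

IMAGE_DLLCHARACTERISTICS_NX_COMPAT = 0x0100
IMAGE_DLLCHARACTERISTICS_GUARD_CF = 0x4000
IMAGE_SUBSYSTEM_NATIVE = 1  # kernel-mode drivers use the native subsystem


def cfg_header_flags(image: bytes) -> dict:
    """Report the CFG-related header bits of a PE image (driver, DLL or EXE)."""
    if len(image) < 0x40 or image[:2] != b"MZ":
        raise ValueError("not a PE image: missing MZ header")
    (e_lfanew,) = struct.unpack_from("<I", image, 0x3C)
    if e_lfanew + 24 > len(image) or image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image: missing PE signature")
    opt = e_lfanew + 24  # 4-byte signature + 20-byte COFF file header
    (opt_size,) = struct.unpack_from("<H", image, e_lfanew + 20)
    if opt_size < 72 or opt + 72 > len(image):
        raise ValueError("optional header truncated")
    (magic,) = struct.unpack_from("<H", image, opt)
    if magic not in (0x10B, 0x20B):
        raise ValueError("unknown optional header magic")
    # Subsystem (offset 68) and DllCharacteristics (offset 70) are at the
    # same offsets in both PE32 and PE32+ optional headers.
    subsystem, dll_chars = struct.unpack_from("<HH", image, opt + 68)
    return {
        "pe32_plus": magic == 0x20B,
        "native_subsystem": subsystem == IMAGE_SUBSYSTEM_NATIVE,
        "guard_cf": bool(dll_chars & IMAGE_DLLCHARACTERISTICS_GUARD_CF),
        "nx_compat": bool(dll_chars & IMAGE_DLLCHARACTERISTICS_NX_COMPAT),
    }


def make_sample(dll_chars: int, subsystem: int = IMAGE_SUBSYSTEM_NATIVE) -> bytes:
    """Build a constructed, header-only PE32+ stub (not a real driver)."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)  # e_lfanew: PE header follows
    coff = struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, 240, 0x0022)
    opt = bytearray(240)
    struct.pack_into("<H", opt, 0, 0x20B)  # PE32+ magic
    struct.pack_into("<HH", opt, 68, subsystem, dll_chars)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    print(cfg_header_flags(make_sample(0x4100)))
```

To check a real binary, pass the bytes of the file to `cfg_header_flags` in place of the constructed stub.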