Control Flow Guard

All,
I’m looking for information on Control Flow Guard (CFG). Specifically, I’m
wondering how widely it is supported for kernel mode drivers. In my search
I found the very useful post from Ken Johnson (
https://www.osronline.com/showthread.cfm?link=283374) which seems to state
that CFG is only supported for OSes hosted by hypervisor when HVCI is
enabled. I’m wondering if anyone has any updated information on this.
TIA!

If you are speaking about the OS side of things, the situation hasn’t since changed:

Kernel mode CFG requires HVCI to be enabled in order for kernel CFG to be enforced. (The root partition is also allowed to enable HVCI, and often does for client scenarios that involve HVCI, for example; HVCI is not a guest OS only capability.)

User mode CFG is independent of HVCI (though it does require NX enforcement for CFG to be effective; note that Windows has required processors to support NX for several releases now, and virtually all modern processors released in well over the last 10 years support NX).

Drivers and apps built with CFG instrumentation will work fine on old OS’s, or in configurations without CFG being enforced. The CFG instrumentation only “lights up” when paired with an OS with CFG enabled that wires up the support when loading images. Otherwise, the instrumentation is effectively a no-op if the image is used in a “CFG-unaware” environment.

  • Ken

From: xxxxx@lists.osr.com [mailto:xxxxx@lists.osr.com] On Behalf Of JIm james
Sent: Friday, February 02, 2018 3:50 PM
To: Windows File Systems Devs Interest List
Subject: [ntfsd] Control Flow Guard

All,
I’m looking for information on Control Flow Guard (CFG). Specifically, I’m wondering how widely it is supported for kernel mode drivers. In my search I found the very useful post from Ken Johnson (https://www.osronline.com/showthread.cfm?link=283374) which seems to state that CFG is only supported for OSes hosted by hypervisor when HVCI is enabled. I’m wondering if anyone has any updated information on this.
TIA!
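An added example, not part of the original thread: one way to check whether a driver or application image was built with CFG instrumentation is to read the `DllCharacteristics` field of its PE optional header and test the `IMAGE_DLLCHARACTERISTICS_GUARD_CF` bit (the NX-compatible bit is reported alongside it). The helper names and the header-only sample image are constructed for illustration.

```python
import struct

# Flag values from the PE/COFF specification (winnt.h names).
IMAGE_DLLCHARACTERISTICS_NX_COMPAT = 0x0100
IMAGE_DLLCHARACTERISTICS_GUARD_CF = 0x4000
DLLCHAR_OFFSET = 70  # same offset in PE32 and PE32+ optional headers


def dll_characteristics(image: bytes) -> int:
    """Return the DllCharacteristics field of a PE image, validating headers."""
    if len(image) < 0x40 or image[:2] != b"MZ":
        raise ValueError("not an MZ image")
    (e_lfanew,) = struct.unpack_from("<I", image, 0x3C)
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    opt = e_lfanew + 4 + 20  # skip the signature and the 20-byte COFF header
    if len(image) < opt + DLLCHAR_OFFSET + 2:
        raise ValueError("truncated optional header")
    (magic,) = struct.unpack_from("<H", image, opt)
    if magic not in (0x10B, 0x20B):  # PE32 / PE32+
        raise ValueError("unknown optional header magic")
    return struct.unpack_from("<H", image, opt + DLLCHAR_OFFSET)[0]


def cfg_report(image: bytes) -> dict:
    """Report the build-time CFG and NX flags carried by the image."""
    flags = dll_characteristics(image)
    return {
        "guard_cf": bool(flags & IMAGE_DLLCHARACTERISTICS_GUARD_CF),
        "nx_compat": bool(flags & IMAGE_DLLCHARACTERISTICS_NX_COMPAT),
    }


def make_sample(flags: int) -> bytes:
    """Constructed header-only PE32+ image (hypothetical, for the demo)."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)
    coff = struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, 0xF0, 0x2022)
    opt = bytearray(0xF0)
    struct.pack_into("<H", opt, 0, 0x20B)
    struct.pack_into("<H", opt, DLLCHAR_OFFSET, flags)
    return dos + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    print(cfg_report(make_sample(0x4100)))  # built with CFG and NX
    print(cfg_report(make_sample(0x0100)))  # NX only, no CFG
```

The flag only shows that the image carries CFG instrumentation; whether it is enforced depends on the OS configuration described in the reply above.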