"Windows did not start this device driver ...", but driver is started!

We have a Windows 10/11, attestation-signed, device-specific, lower-filter HID kernel driver which has worked well for ages. It is still compiled in VS2015 as Platform = Desktop, Target = 10.0.14393, KMDF 1.15.

By coincidence, while looking up some driver details, I saw this error in Windows 11 > Device Manager > Properties > Driver > Driver Details: "Windows did not start this device driver because it could cause your computer to become unstable. Details". If you click on the Details link, nothing happens.

The driver is started and works well. However, in the Windows Event Log there is a related entry: "Device USB\VID_XXXX&PID_XXXX&MI_00\1234567&0&0001 had a problem starting."

Is this a bug? Or is this in preparation for the upcoming Windows Core isolation (Memory integrity) addition of Kernel mode Hardware-enforced Stack Protection (HSP) for Intel’s CET / AMD shadow stacks?

Any help is appreciated.

Mystery solved.

After about 100 different driver versions we found the little (ugly) secret of Windows 11 22H2.

To detect a kernel driver, which is incompatible with (upcoming) Kernel mode Hardware-enforced Stack Protection (HSP), Windows keeps a block list of these drivers.

Guess what the primary key (at least for our drivers) is:

  • The resource Version-Info field: OriginalFilename.

If this field has certain values (the actual filename of our drivers), Windows flags our driver (as described above) or doesn’t load it if HSP is enabled. If one character is changed, it works.

Is this really good operating system architecture? While a pragmatic approach, it’s more like using Blu Tack and duct tape!

And it also explains why our attempts to make our drivers HSP compatible always failed until now!

Well, we certainly know better ways of wasting our valuable lifetime.

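To check which value a given driver carries in the field the post identifies, here is an added example (not part of the original post): it lists installed kernel drivers with the OriginalFilename from each binary's version resource next to the file name on disk. The function name Get-DriverOriginalFilename is hypothetical; the code relies only on the Win32_SystemDriver class and the file's VersionInfo property.

```powershell
# Added example: report the version-resource OriginalFilename of installed kernel drivers.
# Get-DriverOriginalFilename is a hypothetical helper name, not a built-in cmdlet.
function Get-DriverOriginalFilename {
    [CmdletBinding()]
    param(
        # Wildcard filter on the driver service name; default is every driver.
        [string]$Name = '*'
    )

    Get-CimInstance -ClassName Win32_SystemDriver |
        Where-Object { $_.Name -like $Name -and $_.PathName } |
        ForEach-Object {
            $drv = $_
            # PathName can carry an NT prefix (\??\) or start with \SystemRoot\.
            $path = $drv.PathName -replace '^\\\?\?\\', ''
            $path = $path -replace '^\\SystemRoot\\', ($env:SystemRoot + '\')

            if (-not (Test-Path -LiteralPath $path -PathType Leaf)) {
                Write-Verbose "Skipping $($drv.Name): cannot resolve '$($drv.PathName)'"
                return   # next pipeline item
            }

            $leaf = Split-Path -Path $path -Leaf
            $info = (Get-Item -LiteralPath $path).VersionInfo

            [pscustomobject]@{
                Service          = $drv.Name
                State            = $drv.State
                FileName         = $leaf
                OriginalFilename = $info.OriginalFilename
                FileVersion      = $info.FileVersion
                # True when the embedded name differs from the name on disk (or is empty).
                NameMismatch     = ($info.OriginalFilename -ne $leaf)
            }
        }
}

# Usage: all drivers whose embedded name differs from the file name on disk.
Get-DriverOriginalFilename | Where-Object NameMismatch | Format-Table -AutoSize
```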