Driver signing for x86

I realize that driver signing is not a requirement for 32-bit Vista. However, is there a mechanism to turn ON driver signing for 32-bit Vista so that it requires, like Vista-64, that all drivers be signed? If so, how do I turn it on?

I know this is backwards from what most people want. I’m doing this for testing purposes.

Thanks,
Phil Burr

I don’t believe that there is anything to directly enforce this, but I’m really not sure. I do wonder whether your average 32-bit Vista system that includes drivers in addition to in-box ones would boot and run if this were enforced, as, in my experience, driver signing is not the sort of thing that people have been running to do voluntarily.

Apparently 32-bit drivers in the protected media path must be signed, but I’ve never really seen much information on that, other than that it is mentioned.

Here are a few Microsoft documents on driver signing:

http://www.microsoft.com/whdc/winlogo/drvsign/Pmp-sign.mspx
http://www.microsoft.com/whdc/winlogo/drvsign/kmsigning.mspx

This is the main site:

http://www.microsoft.com/whdc/winlogo/drvsign/drvsign.mspx

There is a registry key that controls some driver signing enforcement behavior. I have no idea if this applies to x86_32 or not, and I doubt it, nor do I imagine that it would be of use to you, but it’s the best I have. In particular, it is possible to force the debugger, which normally disables code integrity checks, to honor them by breaking in if there is an attempt to load an unsigned driver. The same flag can also be used to fail the load of an unsigned driver even with a kd connection.

FROM MSDN:

HKLM\SYSTEM\CurrentControlSet\Control\CI\DebugFlags

If this value entry does not exist or has a value other than one of the following, the kernel loads a driver regardless of whether the driver is signed.

0x00000001
This flag value configures the kernel to break into the debugger if a driver is unsigned. The developer or tester can then choose to load the unsigned driver by entering g at the debugger prompt.

0x00000010
This flag value configures the kernel to ignore the presence of the debugger and to block an unsigned driver from loading.

Hopefully someone can give you a better answer, but I think that you are stuck on this one.

Good luck,

mm

You can use “driverquery /si” to find the signed and unsigned drivers.


Don Burn (MVP, Windows DDK)
Windows 2k/XP/2k3 Filesystem and Driver Consulting
Website: http://www.windrvr.com
Blog: http://msmvps.com/blogs/WinDrvr
Remove StopSpam to reply

wrote in message news:xxxxx@ntdev…
>I realize that driver signing is not a requirement for 32-bit Vista.
>However, is there a mechanism to turn ON driver signing for 32-bit Vista so
>that it requires, like Vista-64, that all drivers be signed? If so, how do
>I turn it on?
>
> I know this is backwards from what most people want. I’m doing this for
> testing purposes.
>
> Thanks,
> Phil Burr
>
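As an added example (not code from any of the thread's participants), the PowerShell below pulls the two things this thread points at into one audit script: it reads the CI\DebugFlags value mm quoted from MSDN and reports what the documented values mean, then lists the drivers that "driverquery /si" reports as unsigned, and finally cross-checks each loaded driver binary with Get-AuthenticodeSignature. It assumes an elevated PowerShell 3.0 or later session, and that the CSV column names ("DeviceName", "InfName", "IsSigned", "Manufacturer", "Module Name", "Path") are the ones driverquery emits with /fo csv; the function names are my own.

```powershell
# Added example, not part of the original thread. Audits driver-signing
# state on a Windows box: reads the CI\DebugFlags value quoted from MSDN,
# lists drivers that "driverquery /si" reports as unsigned, and cross-checks
# driver binaries with Get-AuthenticodeSignature.
# Assumptions: elevated PowerShell 3.0+ session; driverquery /fo csv column
# names as used below; function names are hypothetical.

function Get-CiDebugFlags {
    # Map the two documented DebugFlags values to their meaning. Any other
    # value (or a missing value) means the kernel applies no debugger-related
    # enforcement, so unsigned drivers load when nothing else forbids them.
    $key  = 'HKLM:\SYSTEM\CurrentControlSet\Control\CI'
    $item = Get-ItemProperty -Path $key -Name DebugFlags -ErrorAction SilentlyContinue
    $value = if ($null -ne $item) { [int]$item.DebugFlags } else { $null }
    $meaning = switch ($value) {
        0x1     { 'break into the debugger on an unsigned driver load (continue with g)' }
        0x10    { 'ignore the debugger and block the unsigned driver from loading' }
        default { 'not set or unrecognised: no debugger-related enforcement' }
    }
    [pscustomobject]@{ Key = $key; DebugFlags = $value; Meaning = $meaning }
}

function Get-UnsignedDrivers {
    # driverquery /si decides "IsSigned" per device from the driver package,
    # so it also counts catalog-signed drivers that carry no embedded
    # Authenticode signature. PowerShell's -ne is case-insensitive.
    driverquery /si /fo csv |
        ConvertFrom-Csv |
        Where-Object { $_.IsSigned -ne 'TRUE' } |
        Select-Object DeviceName, InfName, IsSigned, Manufacturer
}

function Test-DriverFileSignatures {
    # Cross-check: take the on-disk path of every driver from driverquery /v
    # and ask Get-AuthenticodeSignature about the file itself. Older
    # PowerShell versions see only embedded signatures, so a 'NotSigned'
    # here for a driver that /si calls signed usually means catalog-signed;
    # treat the /si view as authoritative and this one as a second opinion.
    driverquery /v /fo csv |
        ConvertFrom-Csv |
        Where-Object { $_.Path -and (Test-Path -LiteralPath $_.Path) } |
        ForEach-Object {
            $sig = Get-AuthenticodeSignature -FilePath $_.Path
            [pscustomobject]@{
                Module = $_.'Module Name'
                Path   = $_.Path
                Status = $sig.Status
                Signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
            }
        }
}

# Usage: show the enforcement flag, then the two driver listings.
Get-CiDebugFlags | Format-List
Get-UnsignedDrivers | Format-Table -AutoSize
Test-DriverFileSignatures | Where-Object { $_.Status -ne 'Valid' } | Format-Table -AutoSize
```

Run before and after changing DebugFlags to confirm the value the kernel will actually read, and compare the two driver listings: a driver that appears only in the Get-AuthenticodeSignature list is a catalog-signing case rather than a genuinely unsigned one.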