
An Introduction to Kernel Patch Protection
Hello, I'm Scott Field, an Architect working on Windows Kernel Security. There have been a lot
of questions recently about a Windows technology called Kernel Patch Protection (sometimes
referred to as PatchGuard) so I wanted to provide some context about the feature to help answer
them. OS kernel design is a very specialized area of computer science that rarely receives a lot
of public attention, so it's understandable that there are a lot of questions out there. The purpose
of this post is to give a basic primer on Kernel Patch Protection and why it is an important
technology to increase the security and reliability of Windows-based PCs.
What is the Kernel?
The kernel is the lowest-level, most central part of a computer operating system and one of the
first pieces of code to load when the machine starts up. The kernel is what enables the software
of the machine to talk to the hardware and is responsible for basic OS housekeeping tasks such
as memory management, launching programs and processes, and managing the data on the disk.
All applications and even the graphical interface of Windows run on a layer on top of the kernel.
The performance, reliability, and security of the entire computer depend on the integrity of the
kernel.
You may have heard the term "rootkit" and that they can be very difficult to detect and remove.
Rootkits are a type of malicious software that can use a number of different techniques, including
monitoring keystrokes, changing system log files or existing system applications, or creating a
backdoor into the system to gain remote access to a computer and launch attacks. Rootkits often
try to gain access to the kernel of the OS. Since the kernel has the power to control all of the
other applications on the PC, the rootkit can actually hide itself from the file system or even anti-
malware tools, and ultimately from view of the user.
The kernel is the most carefully coded piece of the entire operating system. Since all other
programs depend upon it, a glitch in the kernel can make all other programs crash or perform
unexpectedly. You're probably also familiar with the term "Blue Screen of Death" (BSoD). This
is the result of an error in the kernel or in a driver running in the kernel that is so severe that the
system can't recover from it. The BSoD is bad, so we want to do everything we can to keep
customers from seeing it. One of the ways we can do that is to maintain the integrity of the
kernel by restricting what software is allowed to run in and interact with it.
What is Kernel Patching?
"Kernel patching" or "kernel hooking" is the practice of using unsupported mechanisms to
modify or replace kernel code, or the data structures the kernel relies on. Patching fundamentally
violates the integrity of the Windows kernel; it is undocumented, unsupported and has always been
discouraged by Microsoft. Kernel patching can result in unpredictable behavior, system instability
and performance problems, including the Blue Screen of Death, which can lead to lost user
productivity and data. More importantly, kernel patching has increasingly become a mechanism
used by malware developers to attack Windows systems.
Motivations for patching the kernel vary widely. Anti-malware vendors, for example, may
intercept system calls to prevent applications they have deemed malicious from creating
processes on the system. The goals of these types of software are obviously laudable, but these
practices may also cause reliability and performance problems. The greatest risk from kernel
patching comes from virus and spyware writers who use this technique with malicious intent and
to hide their presence.
Malware authors are motivated to patch the kernel because it is a powerful mechanism for
attacking the user's PC and data. Patching can be used to implement rootkits, which also hide the
presence of other malware on the system. This form of malware can be extremely potent—for
example, allowing the capture of banking passwords and monitoring of all user activities.
What is Kernel Patch Protection?
There are many brand new security features in Windows Vista, but Kernel Patch Protection is
actually not one of them. Kernel Patch Protection was first supported on the x64 (AMD64 and
Intel EM64T) CPU architecture versions of Microsoft Windows, including Microsoft Windows
Server 2003 SP1 and Microsoft Windows XP Professional x64 Edition. (Patch protection is
currently not supported on the x86 or ia64 architectures.) As the use of 64-bit computers
increases, though, Windows Vista users will end up benefiting most from this technology.
Kernel Patch Protection monitors whether key resources used by the kernel, or the kernel code
itself, have been modified. If the operating system detects an unauthorized patch of certain data
structures or code, it will initiate a shutdown of the system.
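As an added example (not code from the original post or from Windows), the following user-mode C program simulates both sides described in the two sections above: a "product" that hooks an entry in a kernel dispatch table, a "rootkit" that overwrites code bytes, and a checker in the style of Kernel Patch Protection that records a baseline checksum of the protected regions and later reports any change. The service table, the code bytes and the FNV-1a checksum are constructed stand-ins chosen for this example; which structures Windows actually protects and how it checks them is not described in the post. The one Windows-specific value used is bug check 0x109 (CRITICAL_STRUCTURE_CORRUPTION), the code Windows raises when Kernel Patch Protection detects a modification.

```c
/*
 * Added example, not code from the original post or from Windows.
 * Simulates kernel patching (table hook, code overwrite) and an integrity
 * checker that compares protected regions against a baseline checksum.
 * The service table and code bytes are constructed stand-ins for kernel
 * structures; nothing here touches a real kernel.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for a kernel service dispatch table. */
typedef long (*service_fn)(long);

static long svc_create_process(long pid)  { return pid + 1; }
static long svc_open_file(long handle)    { return handle * 2; }

#define NUM_SERVICES 2
static service_fn service_table[NUM_SERVICES] = {
    svc_create_process,
    svc_open_file,
};

/* Constructed stand-in for a few bytes of kernel code (an x64 prologue). */
static uint8_t kernel_code[16] = {
    0x48, 0x89, 0x5c, 0x24, 0x08, 0x57, 0x48, 0x83,
    0xec, 0x20, 0x8b, 0xf9, 0x90, 0x90, 0x90, 0x90,
};

/* Bug check Windows raises for detected kernel corruption. */
#define BUGCHECK_CRITICAL_STRUCTURE_CORRUPTION 0x109

/* FNV-1a 64-bit over a byte range, chained through h. */
static uint64_t fnv1a64(uint64_t h, const void *p, size_t n) {
    const uint8_t *b = (const uint8_t *)p;
    for (size_t i = 0; i < n; i++) {
        h ^= b[i];
        h *= 0x100000001b3ULL;
    }
    return h;
}

/* One checksum covering every protected region. */
uint64_t kpp_checksum(void) {
    uint64_t h = 0xcbf29ce484222325ULL;
    h = fnv1a64(h, service_table, sizeof service_table);
    h = fnv1a64(h, kernel_code, sizeof kernel_code);
    return h;
}

/* Periodic check: 0 when intact, otherwise the bug check that would be raised. */
int kpp_check(uint64_t baseline) {
    return kpp_checksum() == baseline ? 0 : BUGCHECK_CRITICAL_STRUCTURE_CORRUPTION;
}

/* Dispatch through the table, as the kernel would for a system call. */
long call_service(int index, long arg) {
    return service_table[index](arg);
}

/* --- An "anti-malware" hook that replaces a table entry. --- */
static service_fn original_create_process;

static long hooked_create_process(long pid) {
    if (pid < 0)                    /* the product's policy: block "bad" requests */
        return -1;
    return original_create_process(pid);
}

void install_service_hook(void) {
    original_create_process = service_table[0];
    service_table[0] = hooked_create_process;
}

void remove_service_hook(void) {
    if (original_create_process)
        service_table[0] = original_create_process;
}

/* --- A "rootkit" that overwrites code with a jmp rel32 (0xE9 ...). --- */
void patch_kernel_code(void) {
    uint8_t jmp[5] = { 0xE9, 0x00, 0x10, 0x00, 0x00 };
    memcpy(kernel_code, jmp, sizeof jmp);
}

int main(void) {
    uint64_t baseline = kpp_checksum();
    printf("intact:           0x%x\n", kpp_check(baseline));
    install_service_hook();
    printf("after table hook: 0x%x\n", kpp_check(baseline));
    remove_service_hook();
    printf("hook removed:     0x%x\n", kpp_check(baseline));
    patch_kernel_code();
    printf("after code patch: 0x%x\n", kpp_check(baseline));
    return 0;
}
```

The checker cannot tell the anti-malware hook from the rootkit's overwrite: both change protected bytes, which is the practical reason behind the point made under "Impacts on Application Compatibility" that there is no reliable way to distinguish "known good" patching from malicious patching. A checker that runs only at fixed, predictable points can also be raced by a patcher that restores the bytes before each check; the post does not describe how Windows schedules its checks, and this example does not attempt to.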
Kernel Patch Protection does not prevent all viruses, rootkits, or other malware from attacking
the operating system. It helps prevent one way to attack the system: patching kernel structures
and code to manipulate kernel functionality. Protecting the integrity of the kernel is a
fundamental step in protecting the entire system from malicious attacks and from the inadvertent
reliability problems that result from patching.
Impacts on Application Compatibility
Kernel Patch Protection may affect the compatibility of some legitimate software on x64 systems
that was built using unsupported kernel patching techniques. Microsoft is sensitive to how
application compatibility changes impact our customers and our partners. That is the reason that
we have implemented this technology on x64 systems only. As customers adopt the x64
platform, and new native 64-bit software, we have the opportunity to build a more secure and
reliable next generation platform that does not facilitate unsupported and unreliable practices
such as kernel patching.
We have also been asked to provide a supported way for 'known good' vendors to continue
hooking the kernel but prevent others from doing so. Unfortunately, there is no reliable
mechanism for us to distinguish between 'known good' software and malicious software.
Moreover, we cannot prevent a malicious software author from "bundling" purportedly good
software in an attempt to thwart the system. Even if we could include such a mechanism, it's
unclear if we could use this mechanism to selectively allow kernel hooking in a manner that
provides an acceptable trade off between performance and reliability and security. Furthermore,
creating such an exception would greatly hamper the ability to utilize hardware assisted security
technology, such as a virtual machine hypervisor, to further improve the integrity of the
operating system.
Alternatives to Kernel Patching
Clearly, customers demand effective security solutions, and they can be developed without
relying on kernel patching techniques. Some of the alternatives to kernel patching are:
· Windows Vista includes the "Windows Filtering Platform", which enables software to perform
network oriented activities such as packet inspection and other activities necessary to support
firewall products.
· The file system mini filter model allows software to participate in file system activities, which
can be used by Anti-Virus software.
· Registry notification hooks, introduced in Windows XP, and recently enhanced in Windows
Vista, allow software to participate in registry related activities in the system.

These solutions were designed with reliability and long term supportability in mind, and also
provide a means for multiple products to co-exist without the conflicts that kernel patching could
cause. We have been working with our security partners and other types of partners for almost 2
years to assist them in making their solutions compatible with our current x64 architecture, and
we are working with them even more closely as the Windows Vista launch approaches. If your
application or driver must perform a task that you believe cannot be accomplished without
patching the kernel, contact your Microsoft representative or for help in
finding a documented alternative.
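The claim above that supported notification interfaces let multiple products co-exist, while patching does not, can be shown concretely. The following C program is an added example (not code from the original post or from Windows): two simulated products first observe process creation by each patching the same function pointer and chaining to whatever was there before, and then by registering with a notification list that the "kernel" owns. The function pointer, the products and the list are constructed stand-ins; the real supported interfaces of this kind, for example PsSetCreateProcessNotifyRoutine for process creation and CmRegisterCallback for the registry, have different signatures and semantics, and only the co-existence property is illustrated here.

```c
/*
 * Added example, not code from the original post or from Windows.
 * Contrasts two products that both want to see process creation:
 * chained patching of one function pointer versus a notification list.
 * Everything here is a constructed user-mode simulation.
 */
#include <stddef.h>
#include <stdio.h>

typedef int (*create_process_fn)(int pid);

/* Returned where a real kernel would have called into freed driver memory. */
#define SIM_FAULT (-1)

static int real_create_process(int pid) { return pid; }

/* --- Unsupported model: one pointer that two products patch in turn. --- */
static create_process_fn create_process_ptr = real_create_process;

static create_process_fn a_saved;   /* what A found when it patched */
static int a_loaded = 1;
static int a_seen;

static int a_hook(int pid) {
    if (!a_loaded)
        return SIM_FAULT;           /* A's driver is gone; this call would crash */
    a_seen++;
    return a_saved(pid);
}
void a_patch(void)  { a_saved = create_process_ptr; create_process_ptr = a_hook; }
/* A uninstalls: restores what it saved and unloads its code. */
void a_unload(void) { create_process_ptr = a_saved; a_loaded = 0; }

static create_process_fn b_saved;   /* what B found when it patched (A's hook) */
static int b_seen;

static int b_hook(int pid) { b_seen++; return b_saved(pid); }
void b_patch(void)   { b_saved = create_process_ptr; create_process_ptr = b_hook; }
void b_unpatch(void) { create_process_ptr = b_saved; }

int patched_create_process(int pid) { return create_process_ptr(pid); }
int a_count(void) { return a_seen; }
int b_count(void) { return b_seen; }

/* --- Supported model: a notification list owned by the "kernel". --- */
#define MAX_CALLBACKS 8
typedef void (*notify_fn)(int pid, void *ctx);

static struct { notify_fn fn; void *ctx; int used; } callbacks[MAX_CALLBACKS];

/* Returns a cookie (>= 0) for unregistering, or -1 if the list is full. */
int register_callback(notify_fn fn, void *ctx) {
    for (int i = 0; i < MAX_CALLBACKS; i++) {
        if (!callbacks[i].used) {
            callbacks[i].fn = fn;
            callbacks[i].ctx = ctx;
            callbacks[i].used = 1;
            return i;
        }
    }
    return -1;
}

/* Removes only the caller's own entry; other consumers are untouched. */
int unregister_callback(int cookie) {
    if (cookie < 0 || cookie >= MAX_CALLBACKS || !callbacks[cookie].used)
        return -1;
    callbacks[cookie].used = 0;
    return 0;
}

/* The kernel notifies every registered consumer, then does the real work. */
int notified_create_process(int pid) {
    for (int i = 0; i < MAX_CALLBACKS; i++)
        if (callbacks[i].used)
            callbacks[i].fn(pid, callbacks[i].ctx);
    return real_create_process(pid);
}

static void count_cb(int pid, void *ctx) { (void)pid; (*(int *)ctx)++; }

int main(void) {
    a_patch(); b_patch();
    patched_create_process(1);          /* both see it */
    a_unload();                         /* A uninstalled first */
    patched_create_process(2);          /* B silently bypassed */
    b_unpatch();                        /* re-installs A's dangling hook */
    printf("patching:  a=%d b=%d, call after unload=%d\n",
           a_count(), b_count(), patched_create_process(3));

    int ca = 0, cb = 0;
    int ka = register_callback(count_cb, &ca);
    int kb = register_callback(count_cb, &cb);
    notified_create_process(1);
    unregister_callback(ka);
    notified_create_process(2);
    unregister_callback(kb);
    printf("callbacks: a=%d b=%d\n", ca, cb);
    return 0;
}
```

In the patching half, removing product A first quietly disconnects product B, and B's own clean-up then points the kernel at A's unloaded code, which in a real kernel is a bug check rather than a returned error code. In the callback half the kernel owns the list, so each product can register and unregister in any order without affecting the other.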
It's important to note that Kernel Patch Protection applies uniformly to Microsoft products as
well as third party products. No code is allowed to modify the kernel using unsupported
patching techniques. Security products developed by Microsoft only have access to the same
supported interfaces that any other vendor would use.
In Conclusion
Since Microsoft announced our Trustworthy Computing initiative, helping to ensure the security
of our customers has been one of our primary goals as an organization. Part of this is ensuring a
rich ecosystem of powerful security products that will reduce the threats from malware and other
types of attack. We would not develop a technology designed to lessen the security of our
customers or weaken the security of the Windows platform.
We will continue to work with security partners to help them make their current and future
products compatible with Kernel Patch Protection and the new security investments that we have
made in Windows Vista.
More information on Kernel Patch Protection is available at these locations and we will update
the post as more resources become available.
· Patching Policy for x64-Based Systems
· Kernel Patch Protection: Frequently Asked Questions
· Kernel Enhancements for Windows Vista and Windows Server "Longhorn"
· Microsoft Windows Vista Security Advancements [Word Document]

Scott Field
