Results 1 to 2 of 2

Thread: A note on the Windows XP x64 kernel protection patch KB914784

  1. #1
    Ex-MSFT Paul Adams's Avatar
    Join Date
    Jul 2003
    77 times in 59 posts
    • Paul Adams's system
      • Motherboard:
      • Asus Maximus VIII
      • CPU:
      • Intel Core i7-6700K
      • Memory:
      • 16GB
      • Storage:
      • 2x250GB SSD / 500GB SSD / 2TB HDD
      • Graphics card(s):
      • nVidia GeForce GTX1080
      • Operating System:
      • Windows 10 x64 Pro
      • Monitor(s):
      • Philips 40" 4K
      • Internet:
      • 500Mbps fiber

    Post A note on the Windows XP x64 kernel protection patch KB914784

    There have been some people complaining that Microsoft broke some applications (typically Tiny Personal Firewall, Daemon Tools and Alcohol) with this kernel update on x64 versions of Windows, but the fact of the matter is that the application developers have not followed the guidelines for writing kernel mode code, and now it has come back to bite them:
    Quote Originally Posted by Microsoft
    If your driver must perform a task that you think cannot be accomplished without patching the kernel, contact Microsoft Product Support Services or your Microsoft representative to help determine if a documented alternative exists. If no documented alternative exists for the functionality you want to implement, then the functionality will not be supported on any Windows operating system that includes patch protection support."
    Patching the kernel is basically what rootkits do - modifying the system so that certain information is hidden from sight: registry values, files on disk, running processes.

    Because the code and data is hidden from even the OS itself, anti-virus programs can find themselves unable to detect it, also the kernel is compromised in terms of stability - the developers are writing code that may only be 'compatible' with specific versions of the kernel and make assumptions about how the (undocumented) internal functions work.

    Modifying the kernel can have an impact of performance as the code in here is called millions of times per minute and is optimised for speed - if 3rd parties are inserting their additional code then it could be introducing a delay with unrelated kernel activities with which they are not concerned.

    There is also no guarantee that the kernel patch could not be used for malicious purposes even if that was not the original intent - Sony's DRM code is a prime example of this kind of short-sightedness.

    For those considering leaving the kernel protection patch off their x64 versions of Windows, consider what this means for future kernel updates from Microsoft - you have effectively left yourself with a kernel that cannot be updated, and anything that has a dependency on future versions of the kernel will not work/install.

    OS service packs include all public hotfixes since release, so Windows x64 SP2 and onwards could not be installed either as it will include this kernel patch protection enhancement.

    In the same way that users should follow best practice (keep OS & apps patched, use most recent drivers, do not use admin account for day-to-day use, have AV installed, etc.), developers also need to follow the recommended guidelines (not using undocumented methods to make their program work, not assuming the user has admin rights, etc.).

    This will have greater significance in the future when Windows versions may be natively 64-bit only, and of course Vista x64 already has this level of kernel protection in place so if developers want to look to the future then they should be working within the realms of supportability, stability and compatibility.

    I have had to debug memory dumps from crashes where the kernel has been hooked and it becomes impossible as the (Microsoft) source code can be traced up to a point, but then the code jumps off to a random memory location and starts running 3rd party code which we have no idea about.

    Buffer overruns, null pointers, deadlocks and so on in the in the 3rd party code would appear (incorrectly) to be within the Microsoft kernel component so lead to false troubleshooting.

    KB article 914784
    Security Advisory on KB 914784
    64-bit Kernel Patch Protection FAQ
    Patching Policy For x64-Based Systems
    ~ I have CDO. It's like OCD except the letters are in alphabetical order, as they should be. ~
    PC: Win10 x64 | Asus Maximus VIII | Core i7-6700K | 16GB DDR3 | 2x250GB SSD | 500GB SSD | 2TB SATA-300 | GeForce GTX1080
    Camera: Canon 60D | Sigma 10-20/4.0-5.6 | Canon 100/2.8 | Tamron 18-270/3.5-6.3

  2. #2
    Gentoo Ricer
    Join Date
    Jan 2005
    944 times in 704 posts
    • aidanjt's system
      • Motherboard:
      • Asus Strix Z370-G
      • CPU:
      • Intel i7-8700K
      • Memory:
      • 2x8GB Corsiar LPX 3000C15
      • Storage:
      • 500GB Samsung 960 EVO
      • Graphics card(s):
      • EVGA GTX 970 SC ACX 2.0
      • PSU:
      • EVGA G3 750W
      • Case:
      • Fractal Design Define C Mini
      • Operating System:
      • Windows 10 Pro
      • Monitor(s):
      • Asus MG279Q
      • Internet:
      • 240mbps Virgin Cable
    Great advice Paul as usual

    3d party developers have little or no excuse to inject sloppy code into the NT kernel anymore. Lets hope they come around and start developing programs to work properly in userspace. Windows is a true multiuser operating system and it's about time developers respected that.
    Quote Originally Posted by Agent View Post
    ...every time Creative bring out a new card range their advertising makes it sound like they have discovered a way to insert a thousand Chuck Norris super dwarfs in your ears...

Thread Information

Users Browsing this Thread

There are currently 1 users browsing this thread. (0 members and 1 guests)

Similar Threads

  1. Replies: 63
    Last Post: 14-11-2011, 09:17 AM
  2. Replies: 11
    Last Post: 02-02-2005, 10:46 AM
  3. New Windows Updates out peeps
    By Skii in forum Software
    Replies: 10
    Last Post: 04-08-2004, 06:19 AM
  4. UT2K4 windows patch 3204
    By CrapshoT in forum Gaming
    Replies: 9
    Last Post: 04-06-2004, 07:58 PM
  5. Windows Update flaw 'left PCs open' to MSBlast
    By Bunjiweb in forum Software
    Replies: 10
    Last Post: 19-08-2003, 02:44 PM

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts