Appendix 1: Enforcing Kernel-Mode Signature Verification in Kernel Debugging Mode

Excerpt from Installing an Unsigned Driver during Development and Test:

In certain cases, developers might have to enable load-time signature enforcement even while a kernel debugger is attached. An example of this is a driver stack that contains an unsigned driver (such as a filter driver) which fails to load and thereby invalidates the entire stack. Because attaching a debugger allows the unsigned driver to load, the problem appears to vanish as soon as the debugger is attached, which makes this type of issue difficult to debug.

In order to facilitate debugging these situations, the kernel-mode code signing policy supports the following registry value:

HKLM\SYSTEM\CurrentControlSet\Control\CI\DebugFlags

This registry value is of type REG_DWORD, and can be assigned a value based on a bitwise OR of one or more of the following flags.

0x00000001

This flag value configures the kernel to break into the debugger if a driver is unsigned. The developer or tester can then choose to load the unsigned driver by entering g at the debugger prompt.

0x00000010

This flag value configures the kernel to ignore the presence of the debugger and to always block an unsigned driver from loading.

If this registry value does not exist in the registry or has a value that is not based on the flags described previously, the kernel always loads a driver in kernel debugging mode regardless of whether the driver is signed.

Note: This registry value does not exist in the registry by default. You must create the value in order to debug kernel-mode signature verification.
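The following PowerShell is an added example for managing the DebugFlags value described above; it is not part of the original page or of any Microsoft tooling. The registry path and the two flag bits are those documented on the page; the function and constant names are this example's own. It must be run from an elevated session, and it assumes (not stated on the page) that the code integrity component reads the value at boot, so a reboot is needed before a change takes effect. Note that these flags only change behaviour while a kernel debugger is attached; they do not relax signature enforcement on a normally booted system.

```powershell
# Added example, not from the original page: set, inspect and remove the
# HKLM\SYSTEM\CurrentControlSet\Control\CI\DebugFlags value. Requires an
# elevated PowerShell session. Function/constant names are this example's own.

$CiKey     = 'HKLM:\SYSTEM\CurrentControlSet\Control\CI'
$ValueName = 'DebugFlags'

# Flag bits documented on the page (REG_DWORD, combined with bitwise OR).
$CI_DEBUGFLAG_BREAK_ON_UNSIGNED = 0x00000001  # break into the debugger when a driver is unsigned
$CI_DEBUGFLAG_ALWAYS_BLOCK      = 0x00000010  # ignore the debugger; always block unsigned drivers

function Set-CiDebugFlags {
    param(
        [Parameter(Mandatory)][uint32[]]$Flags
    )
    # Combine the requested flags with bitwise OR, as the page specifies.
    $value = 0
    foreach ($f in $Flags) { $value = $value -bor $f }

    if (-not (Test-Path $CiKey)) {
        throw "Code integrity key not found at $CiKey"
    }
    # -PropertyType DWord yields REG_DWORD; -Force overwrites an existing value.
    New-ItemProperty -Path $CiKey -Name $ValueName -PropertyType DWord -Value $value -Force | Out-Null
    return ('0x{0:X8}' -f $value)
}

function Get-CiDebugFlags {
    $item = Get-ItemProperty -Path $CiKey -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) {
        # Value absent: default behaviour, unsigned drivers load while a debugger is attached.
        return [pscustomobject]@{ Present = $false; Value = '0x00000000'
                                  BreakOnUnsigned = $false; AlwaysBlock = $false
                                  UnknownBits = '0x00000000' }
    }
    # REG_DWORD comes back as Int32; mask through Int64 so a set high bit does not go negative.
    $v = [uint32]($item.$ValueName -band 0xFFFFFFFFL)
    $known = $CI_DEBUGFLAG_BREAK_ON_UNSIGNED -bor $CI_DEBUGFLAG_ALWAYS_BLOCK
    [pscustomobject]@{
        Present         = $true
        Value           = ('0x{0:X8}' -f $v)
        BreakOnUnsigned = [bool]($v -band $CI_DEBUGFLAG_BREAK_ON_UNSIGNED)
        AlwaysBlock     = [bool]($v -band $CI_DEBUGFLAG_ALWAYS_BLOCK)
        # Bits outside the documented flags: per the page, such a value is not honoured
        # and the kernel falls back to loading unsigned drivers in debugging mode.
        UnknownBits     = ('0x{0:X8}' -f ($v -band (-bnot $known)))
    }
}

function Remove-CiDebugFlags {
    # Deleting the value restores the default (unsigned drivers load under a kernel debugger).
    Remove-ItemProperty -Path $CiKey -Name $ValueName -ErrorAction SilentlyContinue
}

# Usage (elevated; reboot afterwards, assumed to be required for the change to take effect):
#   Set-CiDebugFlags -Flags $CI_DEBUGFLAG_BREAK_ON_UNSIGNED                      # 0x00000001
#   Set-CiDebugFlags -Flags $CI_DEBUGFLAG_BREAK_ON_UNSIGNED, $CI_DEBUGFLAG_ALWAYS_BLOCK  # 0x00000011
#   Get-CiDebugFlags
#   Remove-CiDebugFlags
```

Get-CiDebugFlags reports any bits outside the two documented flags separately, because the page states that a value not built from those flags is treated the same as no value at all; a stray bit therefore silently disables the enforcement you thought you had configured.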