Windows IT Pro, February 2007
What You Need to Know About … Kernel Patch Protection

An esoteric security feature in Windows Vista called Kernel Patch Protection (aka PatchGuard) garnered a lot of attention after security software companies complained that Microsoft was using the feature to shut them out of the new OS. Kernel Patch Protection is widely misunderstood, and security companies have certainly misrepresented the feature to the public. Here's what you need to know about Kernel Patch Protection.

First, It's 64-Bit Only
The most often misunderstood fact about Kernel Patch Protection is that the feature is present only in Vista x64 editions, including the 64-bit editions of Vista Home Premium, Vista Business, Vista Enterprise, and Vista Ultimate. Kernel Patch Protection isn't present in the more mainstream 32-bit versions of Vista.

What It Does
Kernel Patch Protection prevents what has become a common practice with Windows XP: Both malicious hackers and security firms have come to rely on the ability to patch (or "hook") the Windows kernel at runtime. This practice can lead to system instability because the kernel is the core component of the Windows OS and is used by all other OS components, applications, and services. Of all the malicious software that relies on kernel patching to infiltrate Windows, probably the most common type is the so-called rootkit, which is often impossible to remove because of its deep hooks in the Windows kernel.

Security software firms began using kernel-patching techniques years ago to battle these new, more malicious forms of malware. But any kernel patch, malicious or otherwise, can render a Windows system unstable and generate a blue screen. The result is a nasty crash.

In 32-bit versions of Vista, the kernel behaves much like it does in XP, and security software firms can continue patching the 32-bit Vista kernel at runtime, helping reduce instances of rootkits and other malicious software. But in 64-bit versions of Vista, Kernel Patch Protection renders this practice obsolete. Kernel Patch Protection—which debuted in XP Professional x64 Edition and the 64-bit versions of Windows Server 2003 with Service Pack 1 (SP1)—prevents the Windows kernel from being patched at runtime. When Kernel Patch Protection detects an attempt to patch the kernel, it immediately shuts down the OS.

An immediate shutdown might sound like an overly severe reaction, but Microsoft says it's by design. The idea is to prevent the kernel from being modified, and to do that, Kernel Patch Protection has to shut down the OS; otherwise, hackers might be able to inject malicious code into the kernel while the user is fumbling with consent dialog boxes.

As its name suggests, Kernel Patch Protection protects only the kernel. It isn't designed to be a general tool for preventing malware or attacks on other parts of the OS. Of course, Vista includes other security technologies, such as Address Space Layout Randomization (ASLR) and Windows Defender, that provide a baseline level of protection against other kinds of malware.
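As an added example (not part of the original article), the following PowerShell script lets an administrator verify the two points made above on a given machine: whether the edition is 64-bit, and therefore subject to Kernel Patch Protection at all, and whether the System event log records a prior forced shutdown whose stop code is 0x109 (CRITICAL_STRUCTURE_CORRUPTION), the bug check Microsoft documents for Kernel Patch Protection. The Event ID 1001 "rebooted from a bugcheck" record and the 0x109 code are taken from Microsoft's documentation, not from this article; the script only reads existing log entries and changes nothing.

```powershell
# Added example, not from the original article. Reads the OS architecture and
# the System log; it modifies nothing on the machine.
#
# Assumptions (from Microsoft documentation, not this article):
#   - Kernel Patch Protection exists only on 64-bit Windows.
#   - After a crash, Windows Error Reporting writes Event ID 1001 to the System
#     log ("The computer has rebooted from a bugcheck. The bugcheck was: 0x...").
#   - Stop code 0x109 (CRITICAL_STRUCTURE_CORRUPTION) is the bug check Kernel
#     Patch Protection raises when it finds protected kernel structures modified.

function Test-KernelPatchProtectionApplies {
    # Returns $true on a 64-bit Windows installation, $false on 32-bit.
    $os = Get-CimInstance -ClassName Win32_OperatingSystem
    Write-Host ("OS: {0} ({1})" -f $os.Caption, $os.OSArchitecture)
    return ($os.OSArchitecture -like '64*')
}

function Get-BugCheckEvents {
    # Collects Event ID 1001 crash records and parses the stop code out of the
    # message text, so the result does not depend on the provider name the
    # event was logged under.
    $filter = @{ LogName = 'System'; Id = 1001 }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match 'bugcheck was: 0x[0-9A-Fa-f]{8}' } |
        ForEach-Object {
            $null = $_.Message -match 'bugcheck was: 0x([0-9A-Fa-f]{8})'
            [pscustomobject]@{
                Time     = $_.TimeCreated
                StopCode = [Convert]::ToUInt32($Matches[1], 16)
                Message  = $_.Message
            }
        }
}

if (-not (Test-KernelPatchProtectionApplies)) {
    Write-Host 'This is a 32-bit edition: Kernel Patch Protection is not present here.'
    return
}

$crashes = @(Get-BugCheckEvents)
if ($crashes.Count -eq 0) {
    Write-Host 'No bug check records found in the System log.'
    return
}

foreach ($c in $crashes) {
    $tag = if ($c.StopCode -eq 0x109) {
        'CRITICAL_STRUCTURE_CORRUPTION (Kernel Patch Protection)'
    } else {
        'other stop code'
    }
    Write-Host ("{0:u}  0x{1:X8}  {2}" -f $c.Time, $c.StopCode, $tag)
}

# A 0x109 entry means something loaded on this machine modified protected
# kernel structures. The administrator's next step is to find which driver was
# installed or updated shortly before that timestamp (System log entries around
# $c.Time, or the crash dump under %SystemRoot%\Minidump) and remove it.
```

The stop code is parsed from the message text rather than from the event's numeric data fields, because the field layout of Event ID 1001 differs between Windows versions while the "The bugcheck was: 0x..." wording has stayed constant.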

The Complaints
Companies such as McAfee and Symantec, which have built successful businesses by protecting individuals and businesses against the electronic threats that endanger Windows systems, have complained that Kernel Patch Protection prevents them from providing the same types of protections for Vista that they provided for XP. Microsoft counter-argued that Kernel Patch Protection makes 64-bit Vista versions more secure and stable and renders kernel patching by security companies unnecessary and obsolete.

In the days before Vista was finalized, however, Microsoft announced a compromise: It will create a set of APIs that will enable security software firms to interact with Kernel Patch Protection at a programmatic level, providing them with at least some of the kernel patching functionality they've requested. Microsoft says it will deliver these APIs in late 2007, perhaps as part of Vista SP1, which is due out at the same time as Longhorn Server.

This timetable has generated a second round of complaints from security firms, which argue that the wait is too long. However, x64 uptake won't pick up in the first year of Vista availability. Although it's likely that most Vista users will move to x64 systems in the future, that transition will take years. In the meantime, users of Vista 64-bit editions will be safer with Kernel Patch Protection in place.

Recommendations
Kernel Patch Protection is a valuable addition to Vista and will make Vista more secure and stable. Any complaints about this functionality on the part of security software firms are political posturing: Because of Microsoft's numerous antitrust problems around the world, these companies believe they can threaten Microsoft and find a friendly ear with regulatory bodies in various countries.
