Windows XP is a personal computer operating system produced by Microsoft as part of the Windows NT family of operating systems. It was released to manufacturing on August 24, 2001, and broadly released for retail sale on October 25, 2001. Development of Windows XP began in the late 1990s as "Neptune", an operating system built on the Windows NT kernel and intended for mainstream consumer use. An updated version of Windows 2000 was originally planned for the business market; the two efforts were later merged, and as such Windows XP was the first consumer edition of Windows not to be based on MS-DOS. Upon its release, Windows XP received positive reviews, with critics noting increased performance and stability, a more intuitive user interface, improved hardware support and expanded multimedia capabilities. However, some industry reviewers were concerned by the new licensing model and product activation system. Extended support for Windows XP ended on April 8, 2014, after which the operating system ceased receiving further support or security updates for most users.
As of March 2019, 1.75% of Windows PCs run Windows XP; the OS is still popular in some countries, with up to 38% of the Windows share. In the late 1990s, initial development of what would become Windows XP was focused on two individual products. However, the projects proved to be too ambitious. In January 2000, shortly prior to the official release of Windows 2000, technology writer Paul Thurrott reported that Microsoft had shelved both Neptune and Odyssey in favor of a new product codenamed "Whistler", after Whistler, British Columbia, as many Microsoft employees skied at the Whistler-Blackcomb ski resort; the goal of Whistler was to unify both the consumer and business-oriented Windows lines under a single Windows NT platform. Thurrott stated that Neptune had become "a black hole when all the features that were cut from were re-tagged as Neptune features. And since Neptune and Odyssey would be based on the same code-base anyway, it made sense to combine them into a single project". At PDC on July 13, 2000, Microsoft announced that Whistler would be released during the second half of 2001, and unveiled the first preview build, 2250.
The build notably introduced an early version of Windows XP's visual styles system. Microsoft released the first beta build of Whistler, build 2296, on October 31, 2000. Subsequent builds introduced features that users of the release version of Windows XP would recognise, such as Internet Explorer 6.0, the Microsoft Product Activation system and the Bliss desktop background. On February 5, 2001, Microsoft announced that Whistler would be known as Windows XP, where XP stands for "eXPerience". In June 2001, Microsoft indicated that it was planning to, in conjunction with Intel and other PC makers, spend at least 1 billion US dollars on marketing and promoting Windows XP; the theme of the campaign, "Yes You Can", was designed to emphasize the platform's overall capabilities. Microsoft had planned to use the slogan "Prepare to Fly", but it was replaced due to sensitivity issues in the wake of the September 11 attacks. On August 24, 2001, Windows XP build. During a ceremonial media event at Microsoft Redmond Campus, copies of the RTM build were given to representatives of several major PC manufacturers in briefcases, who flew off on decorated helicopters.
While PC manufacturers would be able to release devices running XP beginning on September 24, 2001, XP was expected to reach general retail availability on October 25, 2001. On the same day, Microsoft announced the final retail pricing of XP's two main editions, "Home" and "Professional". While retaining some similarities to previous versions, Windows XP's interface was overhauled with a new visual appearance, with an increased use of alpha compositing effects, drop shadows and "visual styles", which changed the appearance of the operating system; the number of effects enabled is determined by the operating system based on the computer's processing power, and they can be enabled or disabled on a case-by-case basis. XP added ClearType, a new subpixel rendering system designed to improve the appearance of fonts on liquid-crystal displays. A new set of system icons was introduced; the default wallpaper, Bliss, is a photo of a landscape in the Napa Valley outside Napa, with rolling green hills and a blue sky with stratocumulus and cirrus clouds.
The Start menu received its first major overhaul in XP, switching to a two-column layout with the ability to list and display used applications and opened documents alongside the traditional cascading "All Programs" menu. The taskbar can now group windows opened by a single application into one taskbar button, with a popup menu listing the individual windows; the notification area hides "inactive" icons by default. A "common tasks" list was added, and Windows Explorer's sidebar was updated to use a new task-based design with lists of common actions. Fast user switching allows additional users to log into a Windows XP machine without existing users having to close their programs and loggin
MS Antivirus (malware)
MS Antivirus is a scareware rogue anti-virus which purports to remove virus infections found on a computer running Microsoft Windows. It attempts to scam the user into purchasing a "full version" of the software. Many clones of MS Antivirus that include slight variations have been distributed throughout the web; they are known as XP Antivirus, Vitae Antivirus, Windows Antivirus, Win Antivirus, Antivirus Action, Antivirus Pro 2009, 2010, 2017 or just Antivirus Pro, Antivirus 2007, 2008, 2009, 2010, 2011, 360, AntiMalware GO, Internet Antivirus Plus, System Antivirus, Spyware Guard 2008 and 2009, Spyware Protect 2009, Winweb Security 2008, System Security, Malware Defender 2009, Ultimate Antivirus2008, Vista Antivirus, General Antivirus, AntiSpywareMaster, Antispyware 2008, XP AntiSpyware 2008, 2009 and 2010, Antivirus Vista 2010, Real Antivirus, WinPCDefender, Antivirus XP Pro, Anti-Virus-1, Antivirus Soft, Vista Antispyware 2012, Antispyware Soft, Antivirus System PRO, Antivirus Live, Vista Anti Malware 2010, Internet Security 2010, XP Antivirus Pro, Security Tool, VSCAN7, Total Security, PC Defender Plus, Disk Antivirus Professional, AVASoft Professional Antivirus, System Care Antivirus, System Doctor 2014.
Another MS Antivirus clone is named ANG Antivirus. This name is used to confuse the user of the software into thinking that it is the legitimate AVG Antivirus before downloading it; each variant has its own way of installing itself onto a computer. MS Antivirus is made to look functional to fool a computer user into thinking that it is a real anti-virus system, in order to convince the user to "purchase" it. In a typical installation, MS Antivirus runs a scan on the computer and gives a false spyware report claiming that the computer is infected with spyware. Once the scan is completed, a warning message appears that lists the spyware "found", and the user has to click on a link or a button to remove it. Regardless of which button is clicked, "Next" or "Cancel", a download box will still pop up; this deceptive tactic is an attempt to scare the Internet user into clicking on the link or button to purchase MS Antivirus. If the user decides not to purchase the program, they will receive pop-ups stating that the program has found infections and that they should register it in order to fix them.
This type of behavior can cause a computer to operate more slowly than normal. MS Antivirus will occasionally display fake pop-up alerts on an infected computer; these alerts pretend to be a detection of an attack on that computer, and the alert prompts the user to activate or purchase the software in order to stop the attack. It can also paste a fake picture of a Blue Screen of Death over the screen and display a fake startup image telling the user to buy the software; the malware may block certain Windows programs that allow the user to modify or remove it. Programs such as Regedit can be blocked by this malware; the registry is modified so the software runs at system startup. The following files may be downloaded to an infected computer: MSASetup.exe, MSA.exe, MSA.cpl and MSx.exe. Depending on the variant, the files have different names and therefore can appear or be labeled differently. For example, Antivirus 2009 has the .exe file name a2009.exe. In addition, in an attempt to make the software seem legitimate, MS Antivirus can give the computer symptoms of the "viruses" that it claims are on the computer.
For example, some shortcuts on the desktop may be changed to links to sexually explicit websites instead. Most variants of this malware will not be overtly harmful, as they will not steal a user's information nor critically harm a system. However, the software will act to inconvenience the user by displaying popups that prompt the user to pay to register the software in order to remove non-existent viruses; some variants are more harmful. They do this by modifying the Windows registry; this can clog the screen with repeated pop-ups, making the computer unusable. It can disable real antivirus programs to protect itself from removal. Whichever variant infects a computer, MS Antivirus always uses system resources when running, making an infected computer run more slowly than before; the malware can block access to known spyware removal sites, and in some instances searching for "antivirus 2009" on a search engine will result in a blank page or an error page. Some variants will redirect the user from the actual Google search page to a false Google search page with a link to the virus' page that states that the user has a virus and should get Antivirus 2009.
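To show how a defender would look for the startup persistence described above, here is an added Python example (written for this page, not part of the original article or of any product) that parses a constructed Windows registry export, lists the values under the Run and RunOnce autostart keys, and flags those whose launched program matches one of the dropped-file names given in the text. The .reg contents, the benign SecurityHealth entry, the key paths scanned and the ROGUE_AV_NAMES set are assumptions constructed for the demonstration; a real investigation would compare autoruns against a known-good baseline rather than a short name list.

```python
"""Flag autorun registry values that launch files named like MS Antivirus drops.

Added example for this page. SAMPLE_EXPORT is a constructed .reg export, and
ROGUE_AV_NAMES holds the dropped-file names the text above lists.
"""
import re
from typing import NamedTuple

# Dropped-file names described for MS Antivirus and the Antivirus 2009 variant.
ROGUE_AV_NAMES = {"msasetup.exe", "msa.exe", "msa.cpl", "msx.exe", "a2009.exe"}

# Autostart keys whose values are launched at logon (HKLM and HKCU, Run/RunOnce).
RUN_KEY_PATTERN = re.compile(
    r"^\[(HKEY_(?:LOCAL_MACHINE|CURRENT_USER)\\Software\\Microsoft\\Windows\\"
    r"CurrentVersion\\Run(?:Once)?)\]$", re.IGNORECASE)
VALUE_PATTERN = re.compile(r'^"([^"]*)"="(.*)"$')
# Shortest prefix of an unquoted command that ends in a program extension.
EXE_EXT = re.compile(r"^(.+?\.(?:exe|cpl|com|scr|bat|dll))(?:\s|$)", re.IGNORECASE)


class Autorun(NamedTuple):
    key: str
    name: str
    command: str


def parse_reg_export(text):
    """Yield an Autorun for every string value found under a Run/RunOnce key."""
    current_key = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            m = RUN_KEY_PATTERN.match(line)
            current_key = m.group(1) if m else None  # leave non-autorun keys
            continue
        if current_key is None:
            continue
        m = VALUE_PATTERN.match(line)
        if m:
            # .reg exports escape backslashes and double quotes inside string data.
            command = m.group(2).replace("\\\\", "\\").replace('\\"', '"')
            yield Autorun(current_key, m.group(1), command)


def executable_basename(command):
    """Lower-cased file name of the program an autorun command launches."""
    cmd = command.strip()
    if cmd.startswith('"'):
        path = cmd[1:].split('"', 1)[0]
    else:
        # Unquoted paths may contain spaces; fall back to the first token.
        m = EXE_EXT.match(cmd)
        path = m.group(1) if m else cmd.split(None, 1)[0]
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def find_rogue_autoruns(text):
    """Autorun entries whose launched file name matches a known rogue AV name."""
    return [a for a in parse_reg_export(text)
            if executable_basename(a.command) in ROGUE_AV_NAMES]


# Constructed sample: one benign entry, one quoted rogue entry with an argument,
# and one unquoted rogue entry with spaces in its path under the per-user RunOnce key.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SecurityHealth"="C:\\Windows\\System32\\SecurityHealthSystray.exe"
"MS Antivirus"="\"C:\\Program Files\\MS Antivirus\\MSA.exe\" /startup"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"av2009"="C:\\Documents and Settings\\User\\Application Data\\a2009.exe"
'''

if __name__ == "__main__":
    for hit in find_rogue_autoruns(SAMPLE_EXPORT):
        print(f"{hit.key}\\{hit.name} -> {hit.command}")
```

The unquoted-path case matters in practice: Windows resolves an unquoted command with spaces by trying successive prefixes, so a naive split on the first space would miss a2009.exe entirely.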
In some rare cases, with the newest version of the malware, it can prevent the user from performing a system restore. In November 2008, it was reported that a hacker known as NeoN hacked the Bakasoftware's database and posted the earnings the company received from XP Antivirus; the data revealed. On December 2, 2008 the U.S. District Court for the District of Maryland issued a temporary restraining order against Innovative Marketing, Inc. and ByteHosting Internet Services, LLC after receiving a request from the Federal Trade Commission. According to the FTC, the combined malware of WinFixer, WinAntivirus, DriveCleaner, ErrorSafe and XP Antivirus has fooled over one million people into purchasing the software marketed as security products; the court froze the assets of the companies in an effort to provide some monetary reimbursement to affected victims. The FTC claims the c
A rootkit is a collection of computer software, typically malicious, designed to enable access to a computer or an area of its software that is not otherwise allowed, and which often masks its existence or the existence of other software. The term rootkit is a concatenation of "root" and the word "kit"; the term "rootkit" has negative connotations through its association with malware. Rootkit installation can be automated, or an attacker can install it after having obtained root or Administrator access. Obtaining this access is a result of direct attack on a system, i.e. exploiting a known vulnerability or an obtained password. Once installed, it becomes possible to hide the intrusion as well as to maintain privileged access; the key is the administrator access. Full control over a system means that existing software can be modified, including software that might otherwise be used to detect or circumvent it. Rootkit detection is difficult because a rootkit may be able to subvert the software intended to find it. Detection methods include using an alternative and trusted operating system, behavioral-based methods, signature scanning, difference scanning and memory dump analysis.
Removal can be complicated or impossible in cases where the rootkit resides in the kernel. When dealing with firmware rootkits, removal may require hardware replacement or specialized equipment. Originally, the term rootkit or root kit referred to a maliciously modified set of administrative tools for a Unix-like operating system that granted "root" access. If an intruder could replace the standard administrative tools on a system with a rootkit, the intruder could obtain root access over the system whilst concealing these activities from the legitimate system administrator; these first-generation rootkits were trivial to detect by using tools such as Tripwire that had not been compromised to access the same information. Lane Davis and Steven Dake wrote the earliest known rootkit in 1990 for Sun Microsystems' SunOS UNIX operating system. In the lecture he gave upon receiving the Turing Award in 1983, Ken Thompson of Bell Labs, one of the creators of Unix, theorized about subverting the C compiler in a Unix distribution and discussed the exploit.
The modified compiler would detect attempts to compile the Unix login command and generate altered code that would accept not only the user's correct password, but an additional "backdoor" password known to the attacker. Additionally, the compiler would detect attempts to compile a new version of the compiler and would insert the same exploits into the new compiler. A review of the source code for the login command or the updated compiler would not reveal any malicious code; this exploit. The first documented computer virus to target the personal computer, discovered in 1986, used cloaking techniques to hide itself: the Brain virus intercepted attempts to read the boot sector and redirected these elsewhere on the disk, where a copy of the original boot sector was kept. Over time, DOS-virus cloaking methods became more sophisticated, with advanced techniques including the hooking of low-level disk INT 13H BIOS interrupt calls to hide unauthorized modifications to files; the first malicious rootkit for the Windows NT operating system appeared in 1999: a trojan called NTRootkit created by Greg Hoglund.
It was followed by HackerDefender in 2003. The first rootkit targeting Mac OS X appeared in 2009, while the Stuxnet worm was the first to target programmable logic controllers. In 2005, Sony BMG published CDs with copy protection and digital rights management software called Extended Copy Protection, created by software company First 4 Internet; the software included a music player but silently installed a rootkit which limited the user's ability to access the CD. Software engineer Mark Russinovich, who created the rootkit detection tool RootkitRevealer, discovered the rootkit on one of his computers; the ensuing scandal raised the public's awareness of rootkits. To cloak itself, the rootkit hid from the user any file starting with "$sys$". Soon after Russinovich's report, malware appeared which took advantage of that vulnerability on affected systems. One BBC analyst called it a "public relations nightmare." Sony BMG released patches to uninstall the rootkit, but these exposed users to a more serious vulnerability.
The company recalled the CDs. In the United States, a class-action lawsuit was brought against Sony BMG. The Greek wiretapping case of 2004-05, referred to as the Greek Watergate, involved the illegal telephone tapping of more than 100 mobile phones on the Vodafone Greece network belonging to members of the Greek government and top-ranking civil servants. The taps began sometime near the beginning of August 2004 and were removed in March 2005 without discovering the identity of the perpetrators; the intruders installed a rootkit targeting Ericsson's AXE telephone exchange. According to IEEE Spectrum, this was "the first time a rootkit has been observed on a special-purpose system, in this case an Ericsson telephone switch." The rootkit was designed to patch the memory of the exchange while it was running, enable wiretapping while disabling audit logs, patch the commands that list active processes and active data blocks, and modify the data block checksum verification command. A "backdoor" allowed an operator with sysadmin status to deactivate the exchange's transaction log and access commands r
User Account Control
User Account Control is a technology and security infrastructure introduced with Microsoft's Windows Vista and Windows Server 2008 operating systems, with a more relaxed version present in Windows 7, Windows Server 2008 R2, Windows 8, Windows Server 2012 and Windows 10. It aims to improve the security of Microsoft Windows by limiting application software to standard user privileges until an administrator authorizes an increase or elevation. In this way, only applications trusted by the user may receive administrative privileges, and malware should be kept from compromising the operating system. In other words, a user account may have administrator privileges assigned to it, but applications that the user runs do not inherit those privileges unless they are approved beforehand or the user explicitly authorizes it. UAC uses Mandatory Integrity Control to isolate running processes with different privileges. To reduce the possibility of lower-privilege applications communicating with higher-privilege ones, another new technology, User Interface Privilege Isolation, is used in conjunction with User Account Control to isolate these processes from each other.
One prominent use of this is Internet Explorer 7's "Protected Mode". Operating systems on mainframes and on servers have differentiated between superusers and userland for decades; this had an obvious security component, but also an administrative component, in that it prevented users from accidentally changing system settings. Early Microsoft home operating systems did not have a concept of different user accounts on the same machine. Subsequent versions of Windows and Microsoft applications encouraged the use of non-administrator user logons, yet some applications continued to require administrator rights. Microsoft does not certify applications as Windows-compliant if they require administrator privileges. MS-DOS and Windows versions 1.0 to 3.11: all applications had privileges equivalent to the operating system. Further, some applications would require that the user be an administrator for some or all of their functions to work. Windows Vista: Microsoft developed Vista's security model first as the Limited User Account, then renamed the concept User Account Protection, before finally shipping it as User Account Control.
Introduced in Windows Vista, User Account Control offers an approach to encourage "super-user when necessary". The key to UAC lies in its ability to elevate privileges without changing the user context; as always, it is difficult to introduce new security features without breaking compatibility with existing applications. When someone logs into Vista as a standard user, the system sets up a logon session and assigns a token containing only the most basic privileges. In this way, the new logon session cannot make changes; when a person logs in as a user with membership in the Administrators group, the system assigns two separate tokens: the first token contains all privileges awarded to an administrator, and the second is a restricted token similar to what a standard user would receive. User applications, including the Windows Shell, start with the restricted token, resulting in a reduced-privilege environment even when running under an Administrator account; when an application requests higher privileges or when a user selects a "Run as administrator" option, UAC will prompt standard users to enter the credentials of an Administrator account and prompt Administrators for confirmation and, if consent is given, continue or start the process using an unrestricted token.
Windows 7: Microsoft included a user interface to change User Account Control settings and introduced one new notification mode, the default setting. By default, UAC does not prompt for consent when users make changes to Windows settings that require elevated permission through programs stored in %SystemRoot% and digitally signed by Microsoft. Programs that require permission to run still trigger a prompt. Other User Account Control settings that can be changed through the new UI could have been accessed through the registry in Windows Vista. Windows 8 and 8.1: add a design change. When UAC is triggered, all applications and the taskbar are hidden. Windows 10: copies the same layout as Windows 8 and 8.1, but the Anniversary Update has a more modern look. Windows 10 adds support for Windows Hello in the User Account Control dialog box. Tasks that require administrator privileges will trigger a UAC prompt. In the case of executable files, the icon will have a security shield overlay. The following tasks require administrator privileges: running an application as an administrator; changes to system-wide settings; changes to files in folders that standard users don't have permissions for; changes to an access control list (referred to as file or folder permissions); and installing and uninstalling applications outside of the %USERPROFILE% folder and its sub-folders (most of the time this is in %APPDATA%, which is a hidden folder by default).
Sony BMG copy protection rootkit scandal
A scandal erupted in 2005 regarding Sony BMG's implementation of deceptive and harmful copy protection measures on about 22 million CDs. When inserted into a computer, the CDs installed one of two pieces of software which provided a form of digital rights management by modifying the operating system to interfere with CD copying. Neither program could be uninstalled, and they created vulnerabilities that were exploited by unrelated malware. Sony claims. One of the programs would install even if the user refused its end-user license agreement, and would still "phone home" with reports on the user's private listening habits. Sony BMG denied that the rootkits were harmful; it then released, for one of the programs, an "uninstaller" that only un-hid the program, installed additional software which could not be removed, collected an email address from the user, and introduced further security vulnerabilities. Following public outcry, government investigations and class-action lawsuits in 2005 and 2006, Sony BMG addressed the scandal with consumer settlements, a recall of about 10% of the affected CDs, and the suspension of CD copy protection efforts in early 2007.
In August 2000, statements by Sony Pictures Entertainment US senior VP Steve Heckler foreshadowed the events of late 2005. Heckler told attendees at the Americas Conference on Information Systems: "The industry will take whatever steps it needs to protect itself and protect its revenue streams... It will not lose that revenue stream, no matter what... Sony is going to take aggressive steps to stop this. We will develop technology. We will firewall Napster at source – we will block it at your cable company. We will block it at your phone company. We will block it at your ISP. We will firewall it at your PC... These strategies are being aggressively pursued because there is too much at stake." In Europe, BMG created a minor scandal in 2001 when it released Natalie Imbruglia's second album, White Lilies Island, without warning labels stating that the CD had copy protection. The CDs were replaced. BMG and Sony both released copy-protected versions of certain releases in certain markets in late 2001, and a late 2002 report indicated that all BMG CDs sold in Europe would have some form of copy protection.
The two pieces of copy-protection software at issue in the 2005–2007 scandal were included on over 22 million CDs marketed by Sony BMG, the record company formed by the 2004 merger of Sony and BMG's recorded music divisions. About two million of those CDs, spanning 52 titles, contained First 4 Internet's Extended Copy Protection (XCP), which was installed on Microsoft Windows systems after the user accepted a EULA that made no mention of the software; the remaining 20 million CDs, spanning 50 titles, contained SunnComm's MediaMax CD-3, which was installed on either Microsoft Windows or Mac OS X systems after the user was presented with the EULA, regardless of whether the user accepted it. The scandal erupted on October 31, 2005, when Winternals researcher Mark Russinovich posted to his blog a detailed description and technical analysis of F4I's XCP software that he ascertained had been installed on his computer by a Sony BMG music CD. Russinovich compared the software to a rootkit due to its surreptitious installation and its efforts to hide its existence.
He noted that the EULA does not mention the software, and he asserted emphatically that the software is illegitimate and that digital rights management had "gone too far". Anti-virus firm F-Secure concurred: "Although the software isn't directly malicious, the used rootkit hiding techniques are the same used by malicious software to hide themselves; the DRM software will cause many similar false alarms with all AV software that detect rootkits.... Thus it is inappropriate for commercial software to use these techniques." After public pressure, and after other anti-virus vendors included detection for the rootkit in their products as well, Microsoft announced it would include detection and removal capabilities in its security patches. Russinovich discovered numerous problems with XCP: it creates security holes that can be exploited by malicious software such as worms or viruses, and it runs in the background and excessively consumes system resources, slowing down the user's computer, regardless of whether there is a protected CD playing.
It employs unsafe procedures to stop, which could lead to system crashes. It has no uninstaller, and is installed in such a way that inexpert attempts to uninstall it can cause the operating system to fail to recognize existing drives. Soon after Russinovich's first post, there were several trojans and worms exploiting XCP's security holes; some people used the vulnerabilities to cheat in online games. Sony BMG released software to remove the rootkit component of XCP from affected Microsoft Windows computers, but after Russinovich analyzed the utility, he reported in his blog that it only exacerbated the security problems and raised further concerns about privacy. Russinovich noted that the removal program unmasked the hidden files installed by the rootkit but did not remove the rootkit; he also reported that it installed additional software that could not be uninstalled. In order to download the uninstaller, he found it was necessary to provide an e
A computing platform or digital platform is the environment in which a piece of software is executed. It may be the hardware or the operating system (OS), a web browser and associated application programming interfaces, or other underlying software, as long as the program code is executed with it. Computing platforms have different abstraction levels, including a computer architecture, an OS, or runtime libraries. A computing platform is the stage. A platform can be seen as a constraint on the software development process, in that different platforms provide different functionality and restrictions. For example, an OS may be a platform that abstracts the underlying differences in hardware and provides a generic command for saving files or accessing the network. Platforms may include: hardware alone, in the case of small embedded systems (embedded systems can access hardware directly, without an OS); a browser, in the case of web-based software (the browser itself runs on a hardware+OS platform, but this is not relevant to software running within the browser);
an application, such as a spreadsheet or word processor, which hosts software written in an application-specific scripting language, such as an Excel macro (this can be extended to writing fully-fledged applications with the Microsoft Office suite as a platform); software frameworks; cloud computing and Platform as a Service (extending the idea of a software framework, these allow application developers to build software out of components that are hosted not by the developer but by the provider, with internet communication linking them together; the social networking sites Twitter and Facebook are considered development platforms); a virtual machine such as the Java virtual machine or .NET CLR (applications are compiled into a format similar to machine code, known as bytecode, which is executed by the VM); and a virtualized version of a complete system, including virtualized hardware, OS and storage (these allow, for instance, a typical Windows program to run on). Some architectures have multiple layers, with each layer acting as a platform to the one above it.
In general, a component only has to be adapted to the layer beneath it. For instance, a Java program has to be written to use the Java virtual machine and associated libraries as a platform, but does not have to be adapted to run for the Windows, Linux or Macintosh OS platforms. However, the JVM, the layer beneath the application, does have to be built separately for each OS.
Operating systems: AmigaOS, AmigaOS 4; FreeBSD, NetBSD, OpenBSD; IBM i; Linux; Microsoft Windows; OpenVMS; Classic Mac OS; macOS; OS/2; Solaris; Tru64 UNIX; VM; QNX; z/OS.
Mobile operating systems: Android; Bada; BlackBerry OS; Firefox OS; iOS; Embedded Linux; Palm OS; Symbian; Tizen; WebOS; LuneOS; Windows Mobile; Windows Phone.
Software frameworks: Binary Runtime Environment for Wireless; Cocoa; Cocoa Touch; Common Language Infrastructure (Mono, .NET Framework, Silverlight); Flash (AIR); GNU; Java platform (Java ME, Java SE, Java EE, JavaFX, JavaFX Mobile); LiveCode; Microsoft XNA; Mozilla Prism, XUL and XULRunner; Open Web Platform; Oracle Database; Qt; SAP NetWeaver; Shockwave; Smartface; Universal Windows Platform; Windows Runtime; Vexi.
Hardware, ordered from more common types to less common types: commodity computing platforms: Wintel, that is, Intel x86 or compatible personal computer hardware with the Windows operating system; Macintosh, custom Apple Inc. hardware and the Classic Mac OS and macOS operating systems (68k-based, then PowerPC-based, now migrated to x86); ARM architecture based mobile devices: iPhone smartphones and iPad tablet computer devices running iOS from Apple; Gumstix or Raspberry Pi full-function miniature computers with Linux; Newton devices running the Newton OS from Apple; x86 with Unix-like systems such as Linux or BSD variants; CP/M computers based on the S-100 bus, maybe the earliest microcomputer platform; video game consoles, any variety; 3DO Interactive Multiplayer, licensed to manufacturers; Apple Pippin, a multimedia player platform for video game console development; RISC processor based machines running Unix variants; SPARC architecture computers running Solaris or illumos operating systems; DEC Alpha clusters running OpenVMS or Tru64 UNIX; midrange computers with their custom operating systems, such as IBM OS/400; mainframe computers with their custom operating systems, such as IBM z/OS; supercomputer architectures.
See also: cross-platform; platform virtualization; third platform.
Kernel Patch Protection
Kernel Patch Protection, informally known as PatchGuard, is a feature of 64-bit editions of Microsoft Windows that prevents patching the kernel. It was first introduced in 2005 with the x64 editions of Windows XP and Windows Server 2003 Service Pack 1. "Patching the kernel" refers to unsupported modification of the central component or kernel of the Windows operating system. Such modification has never been supported by Microsoft because, according to Microsoft, it can reduce system security and performance. Although Microsoft does not recommend it, it is possible to patch the kernel on x86 editions of Windows. Since patching the kernel is possible in 32-bit editions of Windows, several antivirus software developers use kernel patching to implement antivirus and other security services; these techniques will not work on computers running x64 editions of Windows. Because of this, Kernel Patch Protection resulted in antivirus makers having to redesign their software without using kernel patching techniques.
However, because of the design of the Windows kernel, Kernel Patch Protection cannot completely prevent kernel patching. This has led to criticism that since KPP is an imperfect defense, the problems caused to antivirus vendors outweigh the benefits, because authors of malicious software will find ways around its defenses. Kernel Patch Protection can still prevent problems of system stability and performance caused by legitimate software patching the kernel in unsupported ways. The Windows kernel is designed so that device drivers have the same privilege level as the kernel itself. Device drivers are expected not to patch core system structures within the kernel; however, in x86 editions of Windows, Windows does not enforce this expectation. As a result, some x86 software, notably certain security and antivirus programs, was designed to perform needed tasks through loading drivers that modify core kernel structures. In x64 editions of Windows, Microsoft began to enforce restrictions on what structures drivers can and cannot modify.
Kernel Patch Protection is the technology that enforces these restrictions. It works by periodically checking that protected system structures in the kernel have not been modified. If a modification is detected, Windows initiates a bug check and shuts down the system with a blue screen and/or reboot; the corresponding bug check code is 0x109, CRITICAL_STRUCTURE_CORRUPTION. Prohibited modifications include modifying system service tables, modifying the interrupt descriptor table, modifying the global descriptor table, using kernel stacks not allocated by the kernel, and modifying or patching code contained within the kernel itself or in the HAL or NDIS kernel libraries. Kernel Patch Protection only defends against device drivers modifying the kernel; it does not offer any protection against one device driver patching another. Since device drivers have the same privilege level as the kernel itself, it is impossible to prevent drivers from bypassing Kernel Patch Protection and patching the kernel. KPP does, however, present a significant obstacle to successful kernel patching.
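To make the check-and-bugcheck loop concrete, here is an added example in C that is not Microsoft's code and not part of the original article: a toy monitor in the style of PatchGuard. A few constructed arrays stand in for the SSDT, IDT, GDT and a slice of kernel code; each is recorded once at "boot", and a later check compares the live bytes against that snapshot and returns 0x109 (CRITICAL_STRUCTURE_CORRUPTION) on any drift. The region list, the fake addresses, the byte-copy snapshot (real PatchGuard keeps checksums and runs obfuscated checks from timers rather than a plain loop) and the scenario functions are all assumptions made for illustration. The third scenario shows the limitation stated above: a hook placed in another driver's dispatch table, which KPP does not watch, passes the check unnoticed.

```c
/* Added example (not Microsoft's code): a toy PatchGuard-style monitor that
 * snapshots constructed "protected" structures and bugchecks on any drift. */
#include <stdint.h>
#include <string.h>
#include <stdio.h>

#define CRITICAL_STRUCTURE_CORRUPTION 0x109u   /* the real bugcheck code */
#define KPP_OK 0u

/* Constructed stand-ins for structures KPP guards (fake layout, fake values). */
static uint64_t g_ssdt[8];                  /* system service table  */
static uint64_t g_idt[16];                  /* interrupt descriptors */
static uint64_t g_gdt[8];                   /* global descriptors    */
static uint8_t  g_ntoskrnl_text[64];        /* "kernel code" bytes   */
static uint64_t g_other_driver_dispatch[4]; /* another driver's table: NOT guarded */

struct region {
    const char *name;
    void       *base;
    size_t      len;
    uint8_t     boot_copy[128];             /* byte-exact snapshot taken at boot */
};

static struct region g_regions[] = {
    { "SSDT",        g_ssdt,          sizeof g_ssdt,          {0} },
    { "IDT",         g_idt,           sizeof g_idt,           {0} },
    { "GDT",         g_gdt,           sizeof g_gdt,           {0} },
    { "kernel code", g_ntoskrnl_text, sizeof g_ntoskrnl_text, {0} },
};
#define NREGIONS (sizeof g_regions / sizeof g_regions[0])

/* Deterministic "boot" contents; none of these values is a real Windows layout. */
static void boot_init(void)
{
    for (size_t i = 0; i < 8; i++)  g_ssdt[i] = 0xfffff80000100000ULL + i * 0x40;
    for (size_t i = 0; i < 16; i++) g_idt[i]  = 0x00008e0000100000ULL + i;
    for (size_t i = 0; i < 8; i++)  g_gdt[i]  = 0x00af9b000000ffffULL ^ i;
    memset(g_ntoskrnl_text, 0x90, sizeof g_ntoskrnl_text);          /* NOP sled */
    for (size_t i = 0; i < 4; i++)  g_other_driver_dispatch[i] = 0xfffff88000200000ULL + i * 0x100;
}

/* Snapshot once, before third-party drivers get to run. A byte copy is used
 * instead of a checksum so the demo's result never depends on a hash. */
static void kpp_snapshot(void)
{
    for (size_t i = 0; i < NREGIONS; i++)
        memcpy(g_regions[i].boot_copy, g_regions[i].base, g_regions[i].len);
}

/* The periodic check: KPP_OK, or the bugcheck code plus the first region
 * whose live bytes no longer match the boot snapshot. */
static unsigned kpp_check(const char **culprit)
{
    for (size_t i = 0; i < NREGIONS; i++) {
        if (memcmp(g_regions[i].boot_copy, g_regions[i].base, g_regions[i].len) != 0) {
            *culprit = g_regions[i].name;
            return CRITICAL_STRUCTURE_CORRUPTION;
        }
    }
    *culprit = "clean";
    return KPP_OK;
}

static unsigned run_check(const char *label)
{
    const char *who;
    unsigned rc = kpp_check(&who);
    printf("%-22s -> 0x%03x (%s)\n", label, rc, who);
    return rc;
}

/* Scenario 1: a driver hooks a system service entry, the classic x86 AV/rootkit trick. */
unsigned scenario_hook_ssdt(void)
{
    boot_init(); kpp_snapshot();
    g_ssdt[3] = 0xfffff88000abc000ULL;      /* redirect service 3 into driver code */
    return run_check("SSDT hook");
}
/* Scenario 2: inline patch of kernel code, first byte replaced by a jmp opcode. */
unsigned scenario_patch_kernel_code(void)
{
    boot_init(); kpp_snapshot();
    g_ntoskrnl_text[0] = 0xe9;
    return run_check("kernel code patch");
}
/* Scenario 3: a driver patches another driver's table. That memory is not on
 * the protected list, so the check passes: the gap the text describes. */
unsigned scenario_hook_other_driver(void)
{
    boot_init(); kpp_snapshot();
    g_other_driver_dispatch[1] = 0xfffff88000abc000ULL;
    return run_check("driver-to-driver hook");
}

int main(void)
{
    scenario_hook_ssdt();
    scenario_patch_kernel_code();
    scenario_hook_other_driver();
    return 0;
}
```

Build with `cc -std=c99 -Wall kpp_demo.c -o kpp_demo` and run it: the first two scenarios report 0x109, the third reports a clean check even though a hook is in place, which is exactly why a kernel-level security product (or a rootkit) cannot rely on KPP to police what other drivers do to it.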
With obfuscated code and misleading symbol names, KPP employs security through obscurity to hinder attempts to bypass it. Periodic updates to KPP make it a "moving target", as bypass techniques that work for a while are likely to break with the next update. Since its creation in 2005, Microsoft has so far released two major updates to KPP, each designed to break known bypass techniques in previous versions. Patching the kernel has never been supported by Microsoft because it can cause a number of negative effects. Kernel Patch Protection protects against these negative effects, which include serious errors in the kernel; reliability issues resulting from multiple programs attempting to patch the same parts of the kernel; and compromised system security, since rootkits can use kernel access to embed themselves in an operating system, becoming nearly impossible to remove. Microsoft's Kernel Patch Protection FAQ further explains: "Because patching replaces kernel code with unknown, untested code, there is no way to assess the quality or impact of the third-party code..."
An examination of Online Crash Analysis data at Microsoft shows that system crashes result from both malicious and non-malicious software that patches the kernel. Some computer security software, such as McAfee VirusScan and Symantec's Norton AntiVirus, worked by patching the kernel on x86 systems. Antivirus software authored by Kaspersky Lab has been known to make extensive use of kernel code patching on x86 editions of Windows; such software will not work on computers running x64 editions of Windows because of Kernel Patch Protection. Because of this, McAfee called for Microsoft to either remove KPP from Windows or make exceptions for software made by "trusted companies" such as itself. Symantec's corporate antivirus software and the Norton 2010 range and beyond worked on x64 editions of Windows despite KPP's restrictions, although with less ability to protect against zero-day malware. Antivirus software made by competitors ESET, Trend Micro, Grisoft AVG, avast!, Avira Anti-Vir and Sophos does not patch the kernel in default configurations, but may patch the kernel when features such as "advanced process protection" or "prevent unauthorized termination of processes" are enabled.
Microsoft does not weaken Kernel Patch Protection by making exceptions to it, though Microsoft has been known to relax its restrictions from time to time, such as for the benefit of hypervisor virtualization softwa