Kernel Patch Protection

Kernel Patch Protection (KPP), informally known as PatchGuard, is a feature of 64-bit (x64) editions of Microsoft Windows that prevents patching the kernel. It was first introduced in 2005 with the x64 editions of Windows XP and Windows Server 2003 Service Pack 1.^[1]

"Patching the kernel" refers to unsupported modification of the central component or kernel of the Windows operating system. Such modification has never been supported by Microsoft because, according to Microsoft, it can greatly reduce system security, reliability, and performance.^[1] Although Microsoft does not recommend it, it is possible to patch the kernel on x86 editions of Windows; however, with the x64 editions of Windows, Microsoft chose to implement additional protection and technical barriers to kernel patching.

Since patching the kernel is possible in 32-bit (x86) editions of Windows, several antivirus software developers use kernel patching to implement antivirus and other security services. These techniques will not work on computers running x64 editions of Windows. Because of this, Kernel Patch Protection resulted in antivirus makers having to redesign their software without using kernel patching techniques.

However, because of the design of the Windows kernel, Kernel Patch Protection cannot completely prevent kernel patching.^[2]^[3] This has led to criticism that since KPP is an imperfect defense, the problems caused to antivirus vendors outweigh the benefits because authors of malicious software will simply find ways around its defenses.^[4]^[5] Nevertheless, Kernel Patch Protection can still prevent problems of system stability, reliability, and performance caused by legitimate software patching the kernel in unsupported ways.

^ ^a ^b "Kernel Patch Protection: Frequently Asked Questions". Microsoft. 22 January 2007. Retrieved 30 July 2007.
^ Cite error: The named reference skape was invoked but never defined (see the help page).
^ dushane (2023-04-03), PatchGuardBypass, retrieved 2023-04-03
^ Cite error: The named reference Samenuk was invoked but never defined (see the help page).
^ Cite error: The named reference Gewirtz was invoked but never defined (see the help page).

[KPP_FAQ-1] "Kernel Patch Protection: Frequently Asked Questions". Microsoft. 22 January 2007. Retrieved 30 July 2007.

[skape-2] Cite error: The named reference skape was invoked but never defined (see the help page).

[3] ushane (2023-04-03), PatchGuardBypass, retrieved 2023-04-03

[Samenuk-4] Cite error: The named reference Samenuk was invoked but never defined (see the help page).

[Gewirtz-5] Cite error: The named reference Gewirtz was invoked but never defined (see the help page).

[1]

[2]

[3]

[4]

[5]

Kernel Patch Protection

From Wikipedia, the free encyclopedia · View on Wikipedia