The pnpLockdown problem
If you’ve been involved in Windows kernel driver development, you might have encountered a somewhat cryptic warning from the Windows Driver Kit (WDK): “warning 1324: [Version] section should specify PnPLockdown=1.”
What is this warning, and why does it matter? In this blog post, we’ll delve into the world of Windows kernel drivers, INF files, and the enigmatic PnPLockdown setting.
A Mysterious Warning
In recent times, the WDK has started issuing a warning that goes something like this:
warning 1324: [Version] section should specify PnPLockdown=1.
For those of us who dabble in kernel driver development, this warning might seem puzzling at first. What does it mean, and should you follow its advice? Let’s break it down.
Understanding PnPLockdown
When you set PnPLockdown=1 in your INF (Information) file, you essentially designate the Trusted Installer as the owner of your driver’s executable image (the .SYS file). This action prevents applications from deleting, modifying, or even renaming the file. In a production environment, this is a desirable security feature.
So, it seems logical to include PnPLockdown=1 in your INF file, right? Well, the answer is not that simple.
The Debugging Dilemma
During the development and debugging phase of your driver, enabling PnPLockdown=1 can complicate your life. Here’s why:
- Updating the Driver: When you need to update the driver’s version on the target machine, you typically:
  - Disable the driver on the target system (using Device Manager or a similar tool).
  - Replace the old .sys file with the new version in the \Windows\System32\drivers directory on the target system.
  - Re-enable the driver.
- PnPLockdown’s Impact: Setting PnPLockdown=1 prevents this straightforward update process. You can’t overwrite or rename the old driver version. This added protection can be frustrating during the debugging phase when frequent updates are common.
To Set or Not to Set
At Secured Globe, Inc. we deal a lot with kernel drivers, and have our own policy on whether to include PnPLockdown=1 in our kernel drivers’ INF files:
- For Production Releases: When it comes to some commercial products such as lawful interception systems, we always specify PnPLockdown=1 in our INF. This enhances security and ensures that our driver’s executable image remains tamper-proof. However, in products such as our File / Folder hiding system, when we would like to enable fast switching between invisible and visible modes, we set it to 0.
- During Debugging and Development: During the development and debugging of our drivers, we do not specify PnPLockdown at all.
This approach might seem a bit counterintuitive, especially when you strive for clean builds without any errors or warnings. However, it’s a deliberate choice made by many seasoned kernel driver developers to maintain efficiency during the development phase.
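One way to enforce this policy at build time, as an added example that is not part of the original post or Secured Globe’s tooling: a small Python gate that parses the INF and fails a release build unless [Version] carries PnPLockdown=1, while letting development builds omit it. The sample INFs and function names are constructed for illustration; a product that deliberately ships PnPLockdown=0 would need an explicit exception.

```python
import re

# Constructed sample INFs (not taken from any real driver package).
RELEASE_INF = '''\
[Version]
Signature   = "$WINDOWS NT$"
Provider    = %ProviderName%
DriverVer   = 01/01/2024,1.0.0.0
pnplockdown = 1        ; directive names are case-insensitive
[Strings]
ProviderName = "Example Provider"
'''
DEV_INF = '''\
[Version]
Signature = "$WINDOWS NT$"
; PnPLockdown=1        ; commented out while debugging, must not count
[Strings]
Note = "PnPLockdown=1" ; wrong section, must not count
'''

def strip_comment(line):
    """Drop a trailing ';' comment, ignoring semicolons inside double quotes."""
    in_quotes = False
    for i, ch in enumerate(line):
        if ch == '"':
            in_quotes = not in_quotes
        elif ch == ";" and not in_quotes:
            return line[:i]
    return line

def version_directives(inf_text):
    """Return {lowercased name: value} for directives in every [Version] section."""
    found, in_version = {}, False
    for raw in inf_text.splitlines():
        line = strip_comment(raw).strip()
        section = re.fullmatch(r"\[(.+)\]", line)
        if section:
            in_version = section.group(1).strip().lower() == "version"
        elif in_version and "=" in line:
            name, _, value = line.partition("=")
            found[name.strip().lower()] = value.strip().strip('"')
    return found

def check_pnplockdown(inf_text, release):
    """Release builds must carry PnPLockdown=1; development builds may omit it."""
    value = version_directives(inf_text).get("pnplockdown")
    if release and value != "1":
        return False, f"release INF must set PnPLockdown=1 in [Version] (found {value!r})"
    return True, f"ok (PnPLockdown={value!r}, release={release})"

if __name__ == "__main__":
    for name, text in (("release.inf", RELEASE_INF), ("dev.inf", DEV_INF)):
        print(name, check_pnplockdown(text, release=True))
```

Running the gate only in the release configuration keeps the WDK warning visible during development without blocking in-place .sys replacement on the target machine.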
Conclusion
In the world of Windows kernel driver development, PnPLockdown is a crucial, yet sometimes puzzling, setting in your INF file. It provides valuable security for production releases but can hinder your development process. As a best practice, remember to set PnPLockdown=1 in your INF for the final product, and leave it out while you’re debugging. This nuanced approach strikes a balance between security and practicality in the world of kernel drivers.
If you ever find yourself wondering about this warning, rest assured, you’re not alone. It’s all part of the intricate journey of Windows kernel driver development.