Event ID 3001 — Kernel-mode Driver Validation
Applies To: Windows Server 2008
.jpg)
Code Integrity checks each kernel-mode driver for a digital signature when an attempt is made to load the driver into memory. If the kernel-mode driver is not signed, the operating system might not load it. Whether an unsigned driver is loaded without a digital signature depends on the platform of the operating system.
- For x64-based computers, all kernel-mode drivers must be digitally signed.
- For x86-based or Itanium-based computers, the following kernel-mode drivers require a digital signature: bootvid.dll, ci.dll, clfs.sys, hal.dll, kdcom.dll, ksecdd.sys, ntoskrnl.exe, pshed.dll, spldr.sys, tpm.sys, and winload.exe.
Note: If a kernel debugger is attached to the computer, Code Integrity still checks for a digital signature on every kernel-mode driver, but the operating system will load the drivers.
Event Details
| Product: | Windows Operating System |
| ID: | 3001 |
| Source: | Microsoft-Windows-CodeIntegrity |
| Version: | 6.0 |
| Symbolic Name: | CiUnsignedDriverLoaded |
| Message: | Code Integrity determined an unsigned kernel module %2 is loaded into the system. Check with the publisher to see if a signed version of the kernel module is available. |
Resolve
Update kernel-mode driver status on an x86-based operating system
When an unsigned driver is detected on x86-based computers, Code Integrity will not prevent the kernel-mode driver from loading. You should consult the manufacturer to see if a digitally-signed version of the kernel-model driver exists and update the current driver.
To perform this procedure, you must be a member of the local Administrators group, or you must have been delegated the appropriate authority.
To update a kernel-mode driver:
- Copy the signed kernel-mode driver to a location on the local computer.
- Click Start, and then click Control Panel.
- Double-click Device Manager.
- If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Continue.
- Right-click the hardware device that needs its driver updated, and then click Update Driver Software.
- Click Browse my computer for driver software.
- Click Browse, select the folder where the new driver file exists, and then click Next.
- Click Finish.
Note: An unsigned kernel-mode driver can affect the ability of media applications to play some media files.
Verify
You can verify that a kernel-mode driver was successfully validated and loaded by checking its driver status using the command prompt.
To perform this procedure, you must be a member of the local Administrators group, or you must have been delegated the appropriate authority.
To verify a kernel-mode driver was successfully validated and loaded:
- Click Start, point to All Programs, point to Accessories.
- Right-click Command Prompt, and then click Run as administrator.
- If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Continue.
- Type sc query type= driver, and then press ENTER.
- In the list, find the appropriate driver and ensure that 4 RUNNING is displayed in the STATE column.
Note: If you know the driver name, type sc querydriver, where driver is the name of the driver file without the extension, at the command prompt, and then press ENTER.