Windows Vista SP1 Security API RRS feed

  • Question

  • Hello!

    I have read in several places that since Windows Vista SP1 x64 a new security API was introduced that allows security software to monitor system without kernel patching.

    For example, it is written here (https://technet.microsoft.com/en-us/library/cc749132(v=ws.10).aspx):

    "Application programming interfaces (APIs) by which non-Microsoft security and malicious software–detection applications can work alongside Kernel Patch Protection on 64-bit versions of Windows Vista. These APIs help software partners develop applications that extend the functionality of the kernel on 64-bit computers without disabling or weakening the protection that Kernel Patch Protection offers".

    And here (https://en.wikipedia.org/wiki/Kernel_Patch_Protection):

    "Instead, Microsoft worked with third-party companies to create new Application Programming Interfaces that help security software perform needed tasks without patching the kernel. These new interfaces were included in Windows Vista Service Pack 1".

    Also some document named "Kernel Patch Protection Criteria Evaluation Document" is referenced in some places but I cannot find it.

    Could someone explain what kind of API is that? Is it about minifilter drivers or not? Is it documented anywhere?

    Thank you.

    Thursday, May 12, 2016 12:06 PM