Win 10 1803 Core Isolation and Memory Integrity

Discussion in 'other software & services' started by itman, Aug 18, 2018.

  1. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    3,390
    Location:
    Canada
    My laptop recovers from that mode fine.
     
  2. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    9,779
    Location:
    U.S.A. (South)
    Stats please? Model-Year maybe some other useful details.
     
  3. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,400
    Location:
    U.S.A.
    I suspect that newer PCs/motherboards probably won't have an issue with S3 power mode. I was reading the manual on this newer Gigabyte motherboard I haven't installed yet. It doesn't have any options whatsoever to specify power mode used. This implies the BIOS firmware will apply the appropriate power mode based on OS settings.
     
  4. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    3,390
    Location:
    Canada
    Some of the most pertinent specs provided:

    Code:
    System Name: DESKTOP-LKCE1LD
    [System Summary]
    Item    Value  
    OS Name    Microsoft Windows 10 Pro  
    Version    10.0.17134 Build 17134  
    Other OS Description     Not Available  
    OS Manufacturer    Microsoft Corporation  
    System Name    DESKTOP-LKCE1LD  
    System Manufacturer    LENOVO  
    System Model    20KS003WUS  
    System Type    x64-based PC  
    System SKU    LENOVO_MT_20KS_BU_Think_FM_ThinkPad E580  
    Processor    Intel(R) Core(TM) i5-7200U CPU @ 2.50GHz, 2701 Mhz, 2 Core(s), 4 Logical Processor(s)  
    BIOS Version/Date    LENOVO R0PET42W (1.19 ), 6/14/2018  
    SMBIOS Version    3.0  
    Embedded Controller Version    1.19  
    BIOS Mode    UEFI  
    BaseBoard Manufacturer    LENOVO   
    Code:
    Installed Physical Memory (RAM)    4.00 GB  
    Total Physical Memory    3.86 GB  
    Available Physical Memory    1.31 GB  
    Total Virtual Memory    5.23 GB  
    Available Virtual Memory    1.97 GB  
    Page File Space    1.38 GB  
    Page File    C:\pagefile.sys  
    Kernel DMA Protection    Off  
    Virtualization-based security    Running  
    Virtualization-based security Required Security Properties    Base Virtualization Support, Secure Boot  
    Virtualization-based security Available Security Properties    Base Virtualization Support, Secure Boot, DMA Protection, UEFI Code Readonly, Mode Based Execution Control  
    Virtualization-based security Services Configured    Hypervisor enforced Code Integrity  
    Virtualization-based security Services Running    Hypervisor enforced Code Integrity  
    Device Encryption Support    Elevation Required to View  
    A hypervisor has been detected. Features required for Hyper-V will not be displayed.   
     
  5. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,400
    Location:
    U.S.A.
    The following explains this behavior:
    https://techcommunity.microsoft.com...Making-a-leap-forward-in-platform/td-p/167303
     
  6. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,400
    Location:
    U.S.A.
    Don't know if anyone has noticed the impact of VSM using Process Explorer or Task Manager.

    What you will observe is a process named "Secure System" running in suspended mode. Next is a new process named lsaiso.exe that locks down lsass.exe credential stealing, etc. by the likes of mimikatz. This article: http://woshub.com/virtual-secure-mode-vsm-in-windows-10-enterprise/ is a bit dated but still is one of the best references on what kind of protections you get with this feature:
     
  7. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    3,390
    Location:
    Canada
    I had seen the Secure System process before but didn't know what it was, nor did I research it. Thank you for the heads up and the link to the article.
     
  8. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,400
    Location:
    U.S.A.
    Well, I "threw in the towel" in regards to memory integrity running on my 8 year old Gigabyte motherboard. Or rather, Windows did …….

    Tried every option "under the power management sun" to get resume from standby to work. On the last of a multitude of reboots, Win finally disabled it upon restart. At least I learned a hell of a lot about power management internals in the process.

    What I do know is this. With memory integrity enabled on my build, hybrid sleep mode doesn't exist as a setting under power management settings. Without hybrid sleep enabled on my build, the PC won't resume from sleep. This in itself is odd since prior to all this, hybrid sleep didn't exist and the PC resumed from sleep w/o issue. What powercfg told me about S3 sleep state was with memory integrity enabled, less than half of my devices were S3 state compatible versus all being compatible with memory integrity disabled and hybrid sleep enabled.

    Now hybrid sleep is a combo of S3 and S4(hibernate) modes. My Gigabyte motherboard doesn't support S4 state; at least as a BIOS setting option. Appears Win 10 will compensate for this internally as long as memory integrity is not enabled. Most newer motherboard BIOS/UEFI don't even have sleep state options anymore; the detection to correct mode is either automatic or delegated to the OS. So again, memory integrity appears to have a lot of hidden activities that aren't documented anywhere.
     
  9. reldel

    reldel Registered Member

    Joined:
    Aug 14, 2007
    Posts:
    27
    Location:
    Felton, DE, USA
    I'm another towel thrower. On a Dell XPS 8700 circa 2015 with Win 10 build 1803, Core Isolation Memory Integrity appeared to work fine. I installed 1809 and a Microsoft pop-up box told me Memory Integrity could not be activated because it is not compatible. Not worth the effort.
     
  10. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,400
    Location:
    U.S.A.
    BTW - before I delete this screen shot, will post this interesting "tidbit" about memory integrity I discovered.

    Microsoft is great with the "blah-blah" propaganda about how all these new security protections are supposedly kernel based revisions. Well, it turns out memory integrity is driver based. And it is one very interesting driver. It is completely hidden. The only thing I found that will detect it is WinObj per the screen shot. Also, the driver name changes on each system boot. It however is always a numeric value. So if you somehow find something other than WinObj that will detect it, don't panic and think you got nailed by a rootkit. Or, perhaps you did get nailed; by a Microsoft based rootkit.:shifty:

    Hidden_Driver.png
     
  11. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,400
    Location:
    U.S.A.
    I have a hunch on where the resume from standby issue is.

    @guest and @wat0114 I need you to open regedit and navigate to this key since both of you are not having resume from standby issues:

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity.

    Then see if the following DWORD value exists, "WasEnabledBy". If it exists, what value is it set to.
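
As an added example (not part of any post in this thread): a read-only PowerShell check that reports the same virtualization-based security fields shown in the msinfo32 listing earlier and reads the registry key named in the post above. The `Enabled` value name and the code-to-name mappings are taken from Microsoft's Device Guard WMI documentation, not from this thread.

```powershell
# Added example: report VBS / memory integrity (HVCI) state and the registry
# values under the key discussed in this thread. Read-only; changes nothing.

# Code-to-name maps for the Win32_DeviceGuard WMI class.
$vbsState  = @{ 0 = 'Not enabled'; 1 = 'Enabled but not running'; 2 = 'Running' }
$svcNames  = @{ 1 = 'Credential Guard'; 2 = 'Hypervisor enforced Code Integrity' }
$propNames = @{
    1 = 'Base Virtualization Support'; 2 = 'Secure Boot'; 3 = 'DMA Protection'
    4 = 'Secure Memory Overwrite';     5 = 'UEFI Code Readonly'
    6 = 'SMM Security Mitigations 1.0'; 7 = 'Mode Based Execution Control'
}

function Resolve-Codes($Codes, $Map) {
    # Translate one code or an array of codes into readable names.
    $names = foreach ($c in $Codes) {
        if ($Map.ContainsKey([int]$c)) { $Map[[int]$c] } else { "Unknown ($c)" }
    }
    if ($names) { $names -join ', ' } else { 'None' }
}

$dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                      -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue
if ($dg) {
    [pscustomobject]@{
        'VBS status'          = (Resolve-Codes $dg.VirtualizationBasedSecurityStatus $vbsState)
        'Required properties' = (Resolve-Codes $dg.RequiredSecurityProperties $propNames)
        'Available properties' = (Resolve-Codes $dg.AvailableSecurityProperties $propNames)
        'Services configured' = (Resolve-Codes $dg.SecurityServicesConfigured $svcNames)
        'Services running'    = (Resolve-Codes $dg.SecurityServicesRunning $svcNames)
    } | Format-List
} else {
    'Win32_DeviceGuard is not available on this system.'
}

# Registry key from the post above; values are printed as-is, not interpreted.
$key = 'HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity'
if (Test-Path $key) {
    $v = Get-ItemProperty -Path $key
    foreach ($name in 'Enabled', 'WasEnabledBy') {
        if ($null -ne $v.$name) { '{0} = {1}' -f $name, $v.$name }
        else { '{0} is not present' -f $name }
    }
} else {
    "Key not present: $key"
}

# Sleep states the firmware/OS combination currently offers (S3, hybrid sleep, ...).
powercfg /a
```

Running it once with memory integrity on and once with it off gives a side-by-side view of the sleep states and services that changed.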
     
  12. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    3,390
    Location:
    Canada
    Screenshot attached...
     


  13. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,400
    Location:
    U.S.A.
    Thanks. Unfortunately, that is what mine is currently set to.

    Looks like there isn't any solution to the issue. I could have saved myself a lot of work if I initially Googled "Gigabyte + Hyper-V + resume from standby issues". Found a thread on TechNet dated 2015 full of postings of folks having the same issue. Almost all were from AMD based Gigabyte motherboards supporting Athlon and Phenom processors. There were however other motherboards mentioned although most of the Asus board users were able to find BIOS settings to get it working. Appears Gigabyte's implementation of virtualization has been problematic for some time.
     
  14. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    3,390
    Location:
    Canada
    That's too bad. Hopefully either Gigabyte or MS can find a solution. It otherwise seems you've exhausted every avenue possible in an effort to get it working.
     
  15. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,400
    Location:
    U.S.A.
    One other possibility is USB 3.0. It has caused past Hyper-V issues. I did disable it in the BIOS and it didn't help. However when I reset 1803, Microsoft installed a new driver for it and it is from a different manufacturer than that provided by Gigabyte. Also there was always a process for it running under explorer.exe that now doesn't exist with the new MS provided driver.
     
  16. BoerenkoolMetWorst

    BoerenkoolMetWorst Registered Member

    Joined:
    Dec 22, 2009
    Posts:
    4,603
    Location:
    Outer space
    I just tried enabling Memory Integrity, fortunately the enabling interface will now (on 21H1 at least) scan for incompatible drivers and show them to you. For me it shows the Intel HD graphics driver as incompatible, which is strange because I have the latest available driver from Intel, released in 2020. It's a 3rd gen (Ivy Bridge) i5, and I have seen comments in the Windows Defender thread that have successfully enabled it on a 3rd gen CPU.
     
    Last edited: Oct 30, 2021
  17. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    9,286
    Location:
    Among the gum trees
    I just checked on my desktop PC. I don't know about the Western Digital driver as I have a Crucial SSD.
     


  18. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    9,286
    Location:
    Among the gum trees
    I updated my graphics driver and now I'm left with this:
     


  19. xxJackxx

    xxJackxx Registered Member

    Joined:
    Oct 23, 2008
    Posts:
    6,757
    Location:
    USA
    I assume it's still likely that memory integrity is incompatible with Kaspersky. I seem to remember Microsoft breaking it in the past with Windows Updates as well. I've been able to turn it on for my laptop but it all seemed like more pain than gain so I gave up and turned it off.
     
  20. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    9,779
    Location:
    U.S.A. (South)
    Interesting. Nothing wrong with borrowing from malware techniques I suppose. I did that a lot with captured malware and would hide my Good Security Programs in the AlternateDataStreams with a driver that also hid my detectors which was previously slipped in by a baddie for other purposes. Effectively rendering their trick turned right back on them.

    That was years ago so no telling how one would snatch a donated trick malware these days without reversing and/or safely modifying it first.
     
  21. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    9,286
    Location:
    Among the gum trees
    While I certainly DO NOT recommend it, (after imaging my machine, of course) after deleting the WD driver I was able to enable Memory Integrity. Hopefully there is a less painful method available.
     
  22. BoerenkoolMetWorst

    BoerenkoolMetWorst Registered Member

    Joined:
    Dec 22, 2009
    Posts:
    4,603
    Location:
    Outer space
    I tried uninstalling the driver, that reverted back to some really old version that ships with Windows, also incompatible. Then I installed a driver update through Windows update, which was also a lot older than the latest from Intel and also incompatible.
    Strangely, on an even older notebook with a 1st(!) gen i3, I could enable memory integrity, because it has a crappy GeForce 310M so it has Nvidia graphics drivers instead and those are compatible even though the hardware is 2 years older.
     