SKETCH OF HOW RESEARCH MIGHT CONTINUE AND RESULTS BE PRESENTED

Driver Shims

That things go wrong with kernel-mode drivers is hardly news. That fixing them, or at least mitigating the problem, can sometimes be done on the fly shouldn’t be any surprise, either. Microsoft’s operating systems have varied their behaviour to accommodate defects in pre-existing software, going as far as identifying specific code sequences to patch at run time, since at least MS-DOS 5.0. Modern Windows has long formalised this practice into an Application Compatibility database of all sorts of shims to apply when running particular applications. Microsoft even distributes, as a free download, an Application Compatibility Toolkit, now rebadged as the Windows Assessment and Deployment Kit (ADK), that opens the shim database to more or less easy inspection and even allows the creation of a custom database.

Shims for drivers, though, are relatively recent. Among the standard Shim Database (SDB) files, the one that is specialised for drivers, named DRVMAIN.SDB, is as old a provision as the database for applications, but it long served only to list drivers that are blocked from being loaded. Starting with Windows 8, new tag values are defined so that DRVMAIN.SDB also describes shims that can be applied to drivers and lists the drivers that those shims are to be applied to.

The shims to apply to a driver are determined when the driver gets loaded. They can have been configured in either the registry or the database. The relevant registry value is:

Key: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Compatibility\Driver\basename
Value: Shims
Type: REG_MULTI_SZ

Here, basename is the name of the driver as a loaded module. For most drivers this is the file name of the driver, including any extension such as “.sys”, without the directory it is loaded from. In the multi-string data, for which the kernel allows 0x0800 bytes, each string names one shim.

These names of shims are meaningless on their own. Each must be resolved in the database to obtain a GUID and other properties. Each shim must be described in the database by data for a TAG_KSHIM (0x7025) tag. This data is its own list of child tags. The meaningful ones are TAG_NAME (0x6001) which is the name to match, TAG_FIX_ID (0x9010) which is the corresponding GUID, TAG_MODULE (0x6003) which typically names the corresponding shim provider, and TAG_FLAGS (0x4017) which can supply bit flags for configuration.

In the XML from which Microsoft compiles SDB files, a driver shim is described by a <KSHIM> tag whose attributes convert to the child tags as follows:

XML attribute        SDB child tag
NAME="name"          TAG_NAME has name as string data
ID="guid"            TAG_FIX_ID has guid, converted from string, as binary data
LOGO="boolean"       TAG_FLAGS has 0x00000001 set or clear in dword data according to whether boolean is yes or no
ONDEMAND="boolean"   TAG_FLAGS has 0x00000002 set or clear in dword data according to whether boolean is yes or no
FILE="module"        TAG_MODULE has module as string data
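As an added illustration of the two lookups described above (the Shims multi-string in the registry, and the resolution of each name through a TAG_KSHIM in the database), the following Python was written for this page and is not code from Microsoft or from the original article. It compiles two KSHIM entries into a minimal SDB image, reads them back the way the kernel must when a configured name is to be resolved to a GUID, and enforces the 0x0800-byte cap on the multi-string. The tag numbers, flag bits and the two sample shims (autofail and KmWin7VersionLie) come from this page; the encoding of the tag types, the string table and the 12-byte file header are assumed from the public SDB readers (ReactOS/Wine apphelp) rather than documented here, and the names SdbWriter, iter_tags, load_kshims, shims_multi_sz and resolve_driver_shims are this example's own.

```python
import struct
import uuid

TAG_KSHIM, TAG_NAME, TAG_MODULE, TAG_FLAGS, TAG_FIX_ID = 0x7025, 0x6001, 0x6003, 0x4017, 0x9010  # from this page
KSHIM_FLAG_LOGO, KSHIM_FLAG_ONDEMAND = 0x00000001, 0x00000002  # TAG_FLAGS bits from this page
SHIMS_VALUE_LIMIT = 0x0800  # bytes the kernel allows for the Shims REG_MULTI_SZ (from this page)

# Assumed from the public SDB readers (ReactOS/Wine apphelp), not stated on this page: the high
# nibble of a tag is its type, LIST/STRING/BINARY tags carry a DWORD byte count after the 16-bit
# tag, and a STRINGREF is the offset of a TAG_STRINGTABLE_ITEM within the TAG_STRINGTABLE payload.
TAG_STRINGTABLE, TAG_STRINGTABLE_ITEM = 0x7801, 0x8801
FIXED_SIZE = {0x1000: 0, 0x2000: 1, 0x3000: 2, 0x4000: 4, 0x5000: 8, 0x6000: 4}  # NULL..STRINGREF
SDB_HEADER = struct.pack("<II4s", 2, 1, b"sdbf")  # assumed 12-byte header: two versions + magic

class SdbWriter:
    """Compile KSHIM elements into a minimal SDB image (this example's own writer, not Microsoft's)."""
    def __init__(self):
        self.body, self.strings, self._interned = bytearray(), bytearray(), {}

    def stringref(self, text):
        """Intern text as a TAG_STRINGTABLE_ITEM and return its offset within the table payload."""
        if text not in self._interned:
            data = text.encode("utf-16-le") + b"\x00\x00"
            self._interned[text] = len(self.strings)
            self.strings += struct.pack("<HI", TAG_STRINGTABLE_ITEM, len(data)) + data
        return self._interned[text]

    def kshim(self, name, guid, logo=False, ondemand=False, module=None):
        """NAME/ID/LOGO/ONDEMAND/FILE -> TAG_NAME/TAG_FIX_ID/TAG_FLAGS/TAG_MODULE, as in the table above."""
        flags = (KSHIM_FLAG_LOGO if logo else 0) | (KSHIM_FLAG_ONDEMAND if ondemand else 0)
        kids = struct.pack("<HI", TAG_NAME, self.stringref(name))
        kids += struct.pack("<HI", TAG_FIX_ID, 16) + uuid.UUID(guid).bytes_le  # GUID in its struct layout
        kids += struct.pack("<HI", TAG_FLAGS, flags)
        if module is not None:
            kids += struct.pack("<HI", TAG_MODULE, self.stringref(module))
        self.body += struct.pack("<HI", TAG_KSHIM, len(kids)) + kids

    def build(self):
        table = struct.pack("<HI", TAG_STRINGTABLE, len(self.strings)) + self.strings
        return SDB_HEADER + bytes(self.body) + table

def iter_tags(data, start, end):
    """Yield (tag, payload_offset, payload_size) for each tag in data[start:end]."""
    pos = start
    while pos < end:
        tag = struct.unpack_from("<H", data, pos)[0]
        kind = tag & 0xF000
        if kind in FIXED_SIZE:
            size, pos = FIXED_SIZE[kind], pos + 2
        elif kind in (0x7000, 0x8000, 0x9000):  # LIST, STRING, BINARY: DWORD byte count follows the tag
            size, pos = struct.unpack_from("<I", data, pos + 2)[0], pos + 6
        else:
            raise ValueError("unknown tag type 0x%04X at offset %d" % (kind, pos))
        yield tag, pos, size
        pos += size

def load_kshims(sdb):
    """Return {name: (GUID, flags, module)} for every TAG_KSHIM, resolving names via the string table."""
    if bytes(sdb[8:12]) != b"sdbf":
        raise ValueError("not an SDB image")
    table_off = next((off for tag, off, _ in iter_tags(sdb, 12, len(sdb)) if tag == TAG_STRINGTABLE), None)
    if table_off is None:
        raise ValueError("no TAG_STRINGTABLE; STRINGREFs cannot be resolved")
    def resolve(ref):  # STRINGREF -> text, skipping the item's 6-byte tag header
        item, length = struct.unpack_from("<HI", sdb, table_off + ref)
        if item != TAG_STRINGTABLE_ITEM:
            raise ValueError("STRINGREF 0x%X does not point at a string table item" % ref)
        start = table_off + ref + 6
        return bytes(sdb[start:start + length]).decode("utf-16-le").rstrip("\x00")
    shims = {}
    for tag, off, size in iter_tags(sdb, 12, len(sdb)):
        if tag != TAG_KSHIM:
            continue
        name, guid, module, flags = None, None, None, 0
        for ctag, coff, csize in iter_tags(sdb, off, off + size):
            if ctag == TAG_NAME:
                name = resolve(struct.unpack_from("<I", sdb, coff)[0])
            elif ctag == TAG_MODULE:
                module = resolve(struct.unpack_from("<I", sdb, coff)[0])
            elif ctag == TAG_FIX_ID:
                guid = uuid.UUID(bytes_le=bytes(sdb[coff:coff + csize]))
            elif ctag == TAG_FLAGS:
                flags = struct.unpack_from("<I", sdb, coff)[0]
        if name is None or guid is None:
            raise ValueError("TAG_KSHIM without TAG_NAME or TAG_FIX_ID")
        shims[name] = (guid, flags, module)
    return shims

def shims_multi_sz(names):
    """Encode the Shims REG_MULTI_SZ and enforce the 0x0800-byte cap the kernel allows."""
    data = b"".join(n.encode("utf-16-le") + b"\x00\x00" for n in names) + b"\x00\x00"
    if len(data) > SHIMS_VALUE_LIMIT:
        raise ValueError("Shims value is %d bytes, over the 0x%X limit" % (len(data), SHIMS_VALUE_LIMIT))
    return data

def resolve_driver_shims(multi_sz, shims):
    """Split configured names into (resolved, unknown): a name with no TAG_KSHIM yields no GUID to apply."""
    names = [s for s in multi_sz.decode("utf-16-le").split("\x00") if s]
    return {n: shims[n] for n in names if n in shims}, [n for n in names if n not in shims]
```

Calling SdbWriter().kshim("autofail", "{407D63CE-419D-4550-B54A-4F1C1B5BDD9F}", ondemand=True, module="autofail") and then load_kshims on the built image gives back the name, the GUID and flags 0x00000002, which is exactly the row for autofail in the table below. A name that is present in the Shims registry value but has no TAG_KSHIM in the database resolves to nothing; the example reports such names separately rather than guessing what the kernel does with them, since this page does not say.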

The following table shows the driver shims that are thus installed via the DRVMAIN.SDB file in the disc image for successive Windows versions.

Name                   GUID                                    Flags       Provider             Versions
autofail               {407D63CE-419D-4550-B54A-4F1C1B5BDD9F}  0x00000002  autofail             6.2 and higher
DeviceIdShim           {0332EC62-865A-4A39-B48F-CDA6E855F423}  0x00000000  storport             10.0 and higher
driverscope            {BC04AB45-EA7E-4A11-A7BB-977615F4CAAE}  0x00000000  NT kernel component  6.2 and higher
kmautofail             {8ED4D238-F82D-433E-BC60-6117BC32EDCD}  0x00000002  kmautofail           6.2 and higher
KmWin7VersionLie       {3E28B2D1-E633-408C-8E9B-2AFA6F47FCCB}  0x00000000  NT kernel component  6.2 and higher
KmWin81VersionLie      {21C4FB58-F477-4839-A7EA-AD6918FBC518}  0x00000000  NT kernel component  10.0 and higher
KmWin8VersionLie       {47712F55-BD93-43FC-9248-B9A83710066E}  0x00000000  NT kernel component  6.3 and higher
NdisGetVersion640Shim  {49691313-1362-4E75-8C2A-2DD72928EBA5}  0x00000000  ndis                 10.0 and higher
SkipDriverUnload       {3E8C2CA6-34E2-4DE6-8A1E-9692DD3E316B}  0x00000000  NT kernel component  10.0 and higher
Srbshim                {434ABAFD-08FA-4C3D-A88D-D09A88E2AB17}  0x00000000  storport             6.2 and higher
usbshim                {FD8FD62E-4D94-4FC7-8A68-BFF7865A706B}  0x00000000  usbd                 6.2 and higher

WORK IN PROGRESS