Windows VBS (Virtualization-Based Security, not VBScript!) has disjointed documentation, but Microsoft offers this article on activating various VBS components and verifying which ones are active, which seems like it should be fairly straightforward.

https://learn.microsoft.com/en-us/windows/security/hardware-security/enable-virtualization-based-protection-of-code-integrity#securityservicesrunning

Validate enabled VBS and memory integrity features

Use Win32_DeviceGuard WMI class

Windows 10, Windows 11, and Windows Server 2016 and higher have a WMI class for VBS-related properties and features: Win32_DeviceGuard. This class can be queried from an elevated Windows PowerShell session by using the following command:

PowerShell
Get-CimInstance -ClassName Win32_DeviceGuard -Namespace root\Microsoft\Windows\DeviceGuard

( . . . )

SecurityServicesRunning

This field indicates whether Credential Guard or memory integrity is running.

Value   Description
0       No services running.
1       If present, Credential Guard is running.
2       If present, memory integrity is running.
3       If present, System Guard Secure Launch is running.
4       If present, SMM Firmware Measurement is running.

Here's my problem.

When I run the PowerShell cmdlet, I see the following line:

SecurityServicesRunning: {1, 2, 5}

I cannot find any documentation anywhere of what a value of "5" means!

The full output of the PowerShell cmdlet on my device is:

AvailableSecurityProperties                  : {1, 2, 3, 4…}
CodeIntegrityPolicyEnforcementStatus         : 2
InstanceIdentifier                           : <redacted>
RequiredSecurityProperties                   : {1, 2, 3}
SecurityFeaturesEnabled                      : {0}
SecurityServicesConfigured                   : {1, 2, 3}
SecurityServicesRunning                      : {1, 2, 5}
UsermodeCodeIntegrityPolicyEnforcementStatus : 0
Version                                      : 1.0
VirtualizationBasedSecurityStatus            : 2
VirtualMachineIsolation                      : False
VirtualMachineIsolationProperties            : {0}
PSComputerName                               : <redacted>

Any ideas what's going on here?

1 Answer

The Microsoft article linked in the question also says:

Use msinfo32.exe

Another method to determine the available and enabled VBS features is to run msinfo32.exe from an elevated PowerShell session. When you run this program, the VBS features are displayed at the bottom of the System Summary section.

Doing so on this device returns the following relevant lines from the System Information panel:

Secure Boot State                                               On
Kernel DMA Protection                                           On
Virtualization-based security                                   Running
Virtualization-based security Required Security Properties      Base Virtualization Support, Secure Boot, DMA Protection
Virtualization-based security Available Security Properties     Base Virtualization Support, Secure Boot, DMA Protection, UEFI Code Readonly, SMM Security Mitigations 1.0, Mode Based Execution Control, APIC Virtualization
Virtualization-based security Services Configured               Credential Guard, Hypervisor enforced Code Integrity, Secure Launch
Virtualization-based security Services Running                  Credential Guard, Hypervisor enforced Code Integrity, Hardware-enforced Stack Protection (Kernel-mode)

The last line lists the running services "Credential Guard," "Hypervisor enforced Code Integrity," "Hardware-enforced Stack Protection (Kernel-mode)." The first two items correspond to SecurityServicesRunning values {1} and {2}, so we could guess that the value {5} corresponds to Hardware-enforced Stack Protection (Kernel-mode).

More information on Hardware-enforced Stack Protection (Kernel-mode) can be found in this Microsoft article:

https://support.microsoft.com/en-us/windows/core-isolation-e30ed737-17d8-42f3-a2a9-87521df09b78#ID0EFN

Kernel-mode Hardware-enforced Stack Protection

Kernel-mode Hardware-enforced Stack Protection is a hardware-based Windows security feature that makes it difficult for malicious programs to use low-level drivers to hijack your computer.

A driver is a piece of software that lets the operating system (Windows in this case) and a device like a keyboard or a webcam for example, talk to each other. When the device wants Windows to do something it uses the driver to send that request.

The Kernel-mode Hardware-enforced Stack Protection works by preventing attacks that modify return addresses in kernel-mode memory to launch malicious code. This security feature requires a CPU that contains the ability to verify the return addresses of running code.

When executing code in kernel-mode, return addresses on the kernel-mode stack can be corrupted by malicious programs or drivers in order to redirect normal code execution to malicious code. On supported CPUs, the CPU maintains a second copy of valid return addresses on a read-only shadow stack that drivers cannot modify. If a return address on the regular stack has been modified, the CPU can detect this discrepancy by checking the copy of the return address on the shadow stack. When this discrepancy occurs, the computer prompts a stop error, sometimes known as a blue screen, to prevent the malicious code from executing.

Not all drivers are compatible with this security feature, as a small number of legitimate drivers engage in return address modification for non-malicious purposes. Microsoft has been engaging with numerous driver publishers to ensure that their latest drivers are compatible with Kernel-mode Hardware-enforced Stack Protection.

How do I manage Kernel-mode Hardware-enforced Stack Protection?

Kernel-mode Hardware-enforced Stack Protection is turned off by default.

To turn it on or off:

  1. Select the Start button and type “Core isolation”.
  2. Select the Core Isolation system settings from the search results to open the Windows security app.

On the Core isolation page, you’ll find Kernel-mode Hardware-enforced Stack Protection along with the toggle to turn it on or off.

To use Kernel-mode Hardware-enforced Stack Protection, you must have Memory Integrity enabled, and you must be running a CPU that supports Intel Control-Flow Enforcement Technology or AMD Shadow Stack.

It's not 100% certain that this is what the {5} means, but it's a reasonable conclusion.

It would be great if someone else who has Kernel-mode Hardware-enforced Stack Protection enabled could also run the PS cmdlet to confirm/compare values.

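An added example, not code from the question, the answer or Microsoft's article: it runs the cmdlet quoted above, decodes SecurityServicesConfigured and SecurityServicesRunning with the documented table, labels code 5 with the answer's inference rather than presenting it as documented, flags any code the table does not know, and reports services that are configured but not running. The sample object at the end is constructed from the values posted in the question so the decoder can be checked offline.

```powershell
# Added example (not from the question, the answer or Microsoft's article).
# Documented codes 0-4 come from the Win32_DeviceGuard table quoted in the question;
# code 5 is the answer's inference from msinfo32 output, not a documented value.
$ServiceNames = @{
    0 = 'No services'
    1 = 'Credential Guard'
    2 = 'Memory integrity (Hypervisor enforced Code Integrity)'
    3 = 'System Guard Secure Launch'
    4 = 'SMM Firmware Measurement'
    5 = 'Hardware-enforced Stack Protection (Kernel-mode) [inferred, undocumented]'
}

function Resolve-VbsService {
    param([uint32[]]$Codes)
    foreach ($c in $Codes) {
        if ($ServiceNames.ContainsKey([int]$c)) { $ServiceNames[[int]$c] }
        else { "Unknown code $c (not in the Microsoft table; check newer documentation)" }
    }
}

function Get-VbsServiceReport {
    param(
        # Defaults to a live query; pass a captured object to decode output offline.
        $DeviceGuard = (Get-CimInstance -ClassName Win32_DeviceGuard -Namespace root\Microsoft\Windows\DeviceGuard)
    )
    $configured = @($DeviceGuard.SecurityServicesConfigured)
    $running    = @($DeviceGuard.SecurityServicesRunning)
    [pscustomobject]@{
        # 2 = Running, matching the "Virtualization-based security: Running" line in msinfo32.
        VbsRunning           = ($DeviceGuard.VirtualizationBasedSecurityStatus -eq 2)
        Configured           = Resolve-VbsService $configured
        Running              = Resolve-VbsService $running
        # Configured but not running is the gap to chase (Secure Launch in the question's output).
        ConfiguredNotRunning = Resolve-VbsService @($configured | Where-Object { $_ -notin $running })
        # Running but never configured is where undocumented codes such as 5 show up.
        RunningNotConfigured = Resolve-VbsService @($running | Where-Object { $_ -notin $configured })
    }
}

# Constructed sample mirroring the question's output, so the decoder can be exercised offline.
$sample = [pscustomobject]@{
    VirtualizationBasedSecurityStatus = 2
    SecurityServicesConfigured        = @(1, 2, 3)
    SecurityServicesRunning           = @(1, 2, 5)
}
Get-VbsServiceReport -DeviceGuard $sample | Format-List
```

Run `Get-VbsServiceReport` with no argument from an elevated session to decode the local machine instead of the constructed sample.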