Windows, check compatibility with HVCI and avoid stability and performance issues

What is HVCI protection (Hypervisor Enforced Code Integrity) and how to use the new free Microsoft software to check for any incompatibilities on your system.

HVCI (Hypervisor Enforced Code Integrity) is a security feature introduced in Windows 10 and later, as well as Windows Server 2016 and later, that protects the Windows kernel from cyberattacks that exploit vulnerabilities in memory or drivers. It works as an additional security measure that prevents unauthorized or potentially harmful code from running within the Windows kernel.

HVCI is built on a two-level architecture. The first level is the operating system itself, which runs in protected mode (a series of security features contribute to the protection of the kernel, such as the digital signature applied to the various processes and the checking of the integrity of the code); the second level is a hypervisor, virtualization software that isolates processes from the rest of the system while ensuring its security.

The hypervisor performs a digital signature and code integrity check of each driver or system module that is loaded, before the kernel executes it.

HVCI therefore helps prevent the execution of unauthorized or potentially harmful code within the Windows kernel. It is an integral part of the Windows Virtualization-based Security (VBS) platform, which in turn takes advantage of hardware virtualization to protect the operating system from advanced threats.

Being a form of protection based on virtualization, however, it comes at a certain price in terms of performance, which in some cases can be noticeable: we talked about it in the article where we see how VBS can slow down performance in Windows.

In response to user requests, Microsoft has released the new Memory Integrity Scan Tool. Downloadable for free from the Microsoft site, Memory Integrity Scan Tool takes care of checking that the device in use is actually compatible with the HVCI security feature.

To use the software, just go to the download page, select the version compatible with the architecture of the system in use and finally launch the file hvciscan.exe from a terminal window opened with administrative privileges. As a last step, carefully examine the output to look for any incompatibility.

How to check if HVCI is enabled

To check if HVCI is enabled in Windows, you just need to follow a few simple steps. First you can type cmd in the operating system search box and then choose the entry Run as administrator. Then type the following command in the terminal window:

bcdedit /enum {current} | findstr "hypervisorlaunchtype"

If the command returns hypervisorlaunchtype Auto, it means that the HVCI feature is enabled and is actively protecting the system. If it returns hypervisorlaunchtype Off, it means HVCI is not activated.
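
The bcdedit value above records how the hypervisor is set to launch at boot. To see whether memory integrity itself is configured and running, the Win32_DeviceGuard CIM class and the HypervisorEnforcedCodeIntegrity registry key can be read alongside it. The PowerShell function below is an added example, not part of the original article or of Microsoft's tool; the function name Get-HvciState is hypothetical, and it assumes an elevated PowerShell session.

```powershell
# Added example: report hypervisor launch type, VBS status and memory integrity (HVCI) state.
# Get-HvciState is a hypothetical helper name; run from an elevated PowerShell session.
function Get-HvciState {
    [CmdletBinding()]
    param()

    # Meanings of Win32_DeviceGuard.VirtualizationBasedSecurityStatus
    $vbsStatus = @{ 0 = 'Not enabled'; 1 = 'Enabled, not running'; 2 = 'Running' }
    $hvciId = 2   # service ID 2 = hypervisor-enforced code integrity

    try {
        $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                              -ClassName 'Win32_DeviceGuard' -ErrorAction Stop
    } catch {
        Write-Warning "Win32_DeviceGuard could not be queried: $($_.Exception.Message)"
        return
    }

    # Same BCD value the bcdedit command reads; empty if not elevated or not set.
    $bcd = bcdedit /enum '{current}' 2>$null |
        Select-String -Pattern 'hypervisorlaunchtype' | Select-Object -First 1
    $launchType = if ($bcd) { ($bcd.Line.Trim() -split '\s+')[-1] } else { $null }

    # Policy value under the DeviceGuard key; absent if never configured.
    $regPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity'
    $regEnabled = (Get-ItemProperty -Path $regPath -Name Enabled -ErrorAction SilentlyContinue).Enabled

    [pscustomobject]@{
        HypervisorLaunchType = $launchType
        VbsStatus            = $vbsStatus[[int]$dg.VirtualizationBasedSecurityStatus]
        HvciConfigured       = $dg.SecurityServicesConfigured -contains $hvciId
        HvciRunning          = $dg.SecurityServicesRunning -contains $hvciId
        RegistryEnabled      = $regEnabled
    }
}

$state = Get-HvciState
if ($state) {
    $state | Format-List
    # Edge case: configured but not yet enforced (for example, a restart is pending).
    if ($state.HvciConfigured -and -not $state.HvciRunning) {
        Write-Warning 'Memory integrity is configured but not currently running.'
    }
}
```

HvciRunning is the field that shows whether kernel code integrity is being enforced by the hypervisor right now; the other fields show how the system is configured.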

The following commands enable and disable HVCI, respectively:

bcdedit /set {current} hypervisorlaunchtype auto

bcdedit /set {current} hypervisorlaunchtype off

The tool released publicly these days by Microsoft helps to check if any problems may arise with active HVCI.
