HVCI - tnodir/fort GitHub Wiki

Fort Firewall uses a custom driver, which creates an executable and writable memory area to run payload code.

The "Core Isolation: Memory Integrity" feature of Windows 10+ prevents creating such a memory area (leading to a BSOD).

We tried to have the driver attestation-signed by MS with a new EV certificate to fix the driver's limitation, but failed (see #108).


So for now users have to disable the "Core Isolation: Memory Integrity" feature:

  1. Open the "Privacy & security" >> "Windows Security" >> "Device security" tab in "Settings", and click on "Core Isolation".
  2. Then turn off "Memory Integrity".

You can also disable "Memory Integrity" by editing the registry and restarting the computer.

hvci-off.reg

```reg
Windows Registry Editor Version 5.00

; Created by: Shawn Brink
; Created on: March 1, 2022
; Tutorial: https://www.elevenforum.com/t/enable-or-disable-core-isolation-memory-integrity-in-windows-11.4942/


[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity]
"Enabled"=dword:00000000


; https://learn.microsoft.com/en-us/answers/questions/1616402/how-to-silently-dismiss-windows-security-memory-in

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Security Health\State]
"Hardware_HVCI_Off"=dword:00000000
```

hvci-on.reg

```reg
Windows Registry Editor Version 5.00

; Created by: Shawn Brink
; Created on: March 1, 2022
; Tutorial: https://www.elevenforum.com/t/enable-or-disable-core-isolation-memory-integrity-in-windows-11.4942/


[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity]
"Enabled"=dword:00000001


; https://learn.microsoft.com/en-us/answers/questions/1616402/how-to-silently-dismiss-windows-security-memory-in

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Security Health\State]
"Hardware_HVCI_Off"=dword:00000001
```

hvci-all-off.reg

```reg
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity]
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Security Health\State]
"Hardware_HVCI_Off"=dword:00000000


[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\DeviceGuard]
"EnableVirtualizationBasedSecurity"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\SystemGuard]
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\CI\Config]
"VulnerableDriverBlocklistEnable"=dword:00000000
```
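
To see which of the values touched by the three .reg files are currently set, and whether Memory Integrity is actually running after a restart, a read-only check such as the following can be used. This is an added example, not part of Fort Firewall or the original wiki page; the helper name `Get-RegDword` and the labels are hypothetical, and it assumes the `Win32_DeviceGuard` CIM class is available on the system.

```powershell
# Added example: read-only report of the settings changed by the .reg files above.
# Get-RegDword is a hypothetical helper; it returns $null if the key or value is absent.
function Get-RegDword {
    param([string]$Path, [string]$Name)
    try {
        (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name
    } catch {
        $null
    }
}

$dg = 'HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard'
$settings = @(
    @{ Label = 'Memory Integrity (HVCI)'
       Path = "$dg\Scenarios\HypervisorEnforcedCodeIntegrity"; Name = 'Enabled' }
    @{ Label = 'Hardware_HVCI_Off (Windows Security state)'
       Path = 'HKLM:\SOFTWARE\Microsoft\Windows Security Health\State'; Name = 'Hardware_HVCI_Off' }
    @{ Label = 'Virtualization-based security'
       Path = $dg; Name = 'EnableVirtualizationBasedSecurity' }
    @{ Label = 'System Guard'
       Path = "$dg\Scenarios\SystemGuard"; Name = 'Enabled' }
    @{ Label = 'Vulnerable driver blocklist'
       Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\CI\Config'; Name = 'VulnerableDriverBlocklistEnable' }
)

# Configured (registry) state.
$settings | ForEach-Object {
    $v = Get-RegDword -Path $_.Path -Name $_.Name
    [pscustomobject]@{
        Setting = $_.Label
        Value   = if ($null -eq $v) { 'not set' } else { $v }
    }
} | Format-Table -AutoSize

# Registry changes only take effect after a restart, so also ask Windows what is running now.
$cim = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                       -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue
if ($cim) {
    # SecurityServicesRunning contains 2 when HVCI is active.
    $hvciRunning = $cim.SecurityServicesRunning -contains 2
    "VBS status: $($cim.VirtualizationBasedSecurityStatus) (0 = off, 1 = enabled but not running, 2 = running)"
    "HVCI running now: $hvciRunning"
} else {
    'Win32_DeviceGuard is not available; only the registry values above were checked.'
}
```

Note that hvci-on.reg restores only the first two values in the report, so after importing hvci-all-off.reg the virtualization-based security, System Guard and vulnerable driver blocklist values stay at 0 until they are set back separately.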