Unable to load kernel driver (not yet supported on this kernel version)
MarekKnapek opened this issue · 211 comments
Steps preceding reproduction:
- Use SystemInformer normally.
- Click Help -> Check for updates.
- Update downloads, installs.
- Unable to load kernel driver.
- Restart computer.
Steps to reproduce:
- Start System Informer (I'm admin but starting without admin privileges).
- Go to main menu -> System -> Show details of all processes.
- UAC dialog appears, Click YES.
- "Unable to load kernel driver" message appears. More info in [1] and [2].
- System Informer has limited capabilities due to not having access to its kernel driver.
Details:
- System Informer version 3.0.7029 (f647fb0) x64.
- Windows Server 2022 x64, 21H2, 10.0.20348.1906 (running in cloud inside QEMU).
- SystemInformer.exe SHA-1 b09759778099468188434408f929d675ce289b97.
- SystemInformer.sys SHA-1 ae6b8522ca5205b4cef89606ea6c7d043e81dc4f.
- ntdll.dll SHA-1 4ffc26a940dffa2931923c345eb9824f76dcfca4.
- ntoskrnl.exe SHA-1 ecbad74c2629f4dd516c35887b8e5d0b7032b135.
[1]
[Window Title]
System Informer
[Main Instruction]
Unable to load kernel driver
[Content]
Unable to load the kernel driver service.
The request is not supported.
Kernel version: 10.0.20348.1906
State mask: 0x00000000
[ ] Don't show this message again [OK]
I have the same with 10.0.1941.3391 kernel.
I assume it is related to recent dyndata changes and these builds are simply not supported by driver yet.
Hopefully the support will be added soon.
I have the same with 10.0.19401.3391 kernel.
I only have 10.0.19041.3393 at the moment and there aren't symbols available. @ge0rdi could you send me your ntoskrnl.exe 10.0.19041.3391? Discord, email, or attach it here should be fine.
Windows Server 2022 x64, 21H2, 10.0.20348.1906
I'm adding Windows Server 2022 offsets soon.
could you send me your ntoskrnl.exe 10.0.19041.3391?
E-mail sent.
Thanks for getting me the build @ge0rdi - like you mentioned in the email symbols are also not yet published for 3391 yet. Once they are I'll make sure dyndata gets updated.
@MarekKnapek I added dyndata for Server 2022 here: 03f5c8c - it'll get picked up in the next build
Microsoft released KB5029331 first as 19041.3391 and 2nd version is 19041.3393 in Release Preview/Insider version which is now also released to public in version 3393.
Thank you @MagicAndre1981 .
After manual Windows update check I'm on .3393 too.
ok, on 1809 LTSC 17763.4737 I also miss the ++ , so no driver is loaded for System Informer version 3.0.7029, but I don't get the messagebox
Out of curiosity: What is this dyndata thing for? I can see that it is stored into the Registry. It is definitely not a Windows thing, it is SystemInformer thing. Maybe for communication between the user-space part of SI with kernel-space part? But why is it needed? What purpose it serves? What would happen if it was not there? What are alternatives for it? Why is it needed to be Windows version specific? Sorry for bothering you with so many questions.
What is this dyndata thing for? ... Maybe for communication between the user-space part of SI with kernel-space part? But why is it needed? What purpose it serves?
They're undocumented offsets used for both protections and APIs from the client:
systeminformer/KSystemInformer/include/dyndata.h
Lines 31 to 75 in 4c28c8f
What would happen if it was not there? What are alternatives for it?
The driver can't function without them. They're required for the protections to function correctly. The old driver would load without them, but it was arguably mostly useless without them. There was some functionality without them, but it was a bit non-obvious why some things would work and some wouldn't. So, during the rewrite we opted to make it a requirement. This comes with the benefit that we know where we don't have support/visibility. Obviously the cost is we have to work harder to have more compatibility.
Why is it needed to be Windows version specific?
Because they're undocumented offsets that are version-specific.
I hope this helps.
I am experiencing the same issue after installing KB5029351. Before this update, I only got that message once when I installed Build 3.0.7029, but now I get it every time I launch System Informer.
137cc3a adds support for 10.0.19041.3393 and 10.0.22621.2215
Will be in next build
I can confirm that with latest SI driver loads on 19041.3393.
Thank you very much.
@MagicAndre1981 when I was scraping to rebuild the offsets I missed three builds:
10.0.17763.4499
10.0.17763.4644
10.0.17763.4737
I just went over them and the offsets didn't change from 10.0.17763.4377 - I updated dyndata here: f733df4 - will be in next build
22621.2283
Should i send my ntoskrnl.exe?
ntoskrnl.zip
Symbols are not yet available for 10.0.22621.2283, I'll keep checking back - when they're available I'll update dyndata
@jxy-s out of curiosity when you guys update System Informer for newer kernels does it lose its compatibility with older kernels?
Cause I have been thinking to switch to RP channel on Windows and I was curious about how this whole thing works
you guys update System Informer for newer kernels does it lose its compatibility with older kernels
No, it doesn't break compatibility. We support older kernels. We support release builds for Win10+ x64/ARM64. The supported kernel versions are specified in https://github.com/winsiderss/systeminformer/blob/master/kphlib/kphdyn.xml
RP channel on Windows
We do not yet support preview builds. Updates to those kernels are too frequent for me to keep up with manually. I'm hoping to finish some automation eventually to support them.
I noticed I have an older SI Rev.6806 running on another Win10 17763 and here I see the ++ so driver is loaded on 17763.4851
See: #1823 (comment)
Dyndata format had to change and I went to rebuild all the offsets using some tooling. I missed a few versions. I've corrected it already, once a new build is out that kernel will be supported.
Older releases supported it with the older format. But there were bugs.
the + and ++ show that both have different driver usage levels while ++ is the best
3.0.7148 fixed it on 19045.3448, but NOT for 17763.4851
@MagicAndre1981 send me your 10.0.17763.4851
It isn't defined here:
systeminformer/kphlib/kphdyn.xml
Lines 427 to 433 in 9fa8d51
I can't seem to locate that version myself. If you send it to me I can look into adding it.
Thank you @MagicAndre1981, updated here: e940474
I selfcompiled it at rev.1750 and now get this error message:
("specified event is not monitored" - my poor translation)
Latest prod version is 10.0.22621.2283
Update your system.
Since windows updates kb5030183 and kb5030180, I have the same issue, "unable to load kernel driver".
Back to last restore point before installation, no error message; after re-installation of the KBs, the message is back again.
Windows Version 22H2 (build du système d'exploitation 19045.3448).
System Informer 3.0.7148 (ed40620)
I selfcompiled it at rev.1750 and now get this error message:
Could you try another build with the latest commits? I improved the error messaging so we can see the actual error code instead of just the localized string. My guess is you built yourself using your own signing keys outlined here. I now recognize that information is incomplete, I'll update it, but I think you may have not rebuilt the dynamic data using your signing keys (.\tools\CustomBuildTool\bin\Release\CustomBuildTool.exe -dyndata). Note that both the dynamic data, kernel driver, and the user mode binaries need rebuilt after you generate and place your developer keys.
I'm on 10.0.22621.1928 but it seems to think it's a preview build.
We have seen in the past that preview build and the kernel file version can diverge. My guess is your kernel version is actually 10.0.22621.1928 but the OS reported version is >10.0.22621. See the following, which checks the "OS reported version", that might be different than what we print as the "Kernel version":
Lines 190 to 199 in 8d8843e
I've updated the message box information displayed there to include more information about the environment in which the error occurred, here: 8d8843e
Since windows updates kb5030183 and kb5030180, I have the same issue
Based on that error message in the window, I think you might be running an older version. I'm also not sure what HKLM\System\CurrentControlSet\Control\WMI\Security\... has to do with this?
ok, I haven't done the signing thing. So I'll wait for next official nightly
10.0.22621.2361 and 10.0.19041.3516 are both on my radar, waiting for symbols to be published
I'm not seeing a new build for Server 2022 yet.
7251 works now fine in 17763.4851 with full driver support (++ in title)
3.0.7254 was not offered via updater, so I extracted the zip and this is the same error I get with my self compiled version:
We're working on build pipelines. Two things here:
was not offered via updater
This is intended, deployment is disabled while we're testing.
so I extracted the zip and this is the same error
Signature files (.sig) aren't in the zip. Use systeminformer-3.0.7254-setup.exe if you want, but probably best to wait until we're done testing. These builds will be pulled shortly.
ok, the .sig file is present in both, the zip and exe. I'll revert to the older version.
Thanks, I just noticed the issue with the pipeline that is causing the .sig not to be correct. So, that's probably what you're running into. I'm addressing that now. Thanks for your patience. In general tho, just because a build shows up on si-builds doesn't mean it's ready for consumption.
Pipeline work is complete - 3.0.7256 should be available for upgrade shortly.
I'm going to leave this issue open for a while longer. But all issues to load should already be resolved.
3.0.7256 is offered and works fine.
System Informer
Version: 3.0.7256 (121e1d2)
Many thanks for your hard work.
So I downloaded 7256 as I have the kernel driver error on 19044,3488
Is it normal to have to reboot to replace ksi.dll? (I did shutdown system informer before trying to update). The dll remains in use with system informer not running.
--
Never mind updated now using the update checker, I guess manually exiting system informer keeps ksi.dll active but using the updater removes it from memory.
Is it normal to have to reboot to replace ksi.dll?
Yes, but generally it doesn't update. ksi.dll is a library used by the kernel driver. It can not be unloaded. The purpose of this DLL is to extend the kernel and provide functionality that would otherwise be unsafe or impossible. The updater will check the hash of the DLL to know if it needs replaced, if it does a reboot is requested for the update to finish.
@MagicAndre1981 send me 10.0.17763.4974 please. I'm looking into the others now.
.7270 works fine for 17763, 19045 and 22621
Hello and thank you all,
I had the same problem as MagicAndre1981, yesterday after the update:
Title: 2023-10 Cumulative Update for Windows 10 Version 22H2 for x64 Systems (KB5031356)
Date: 11/10/2023 16:36:56
KB Number: KB5031356
Operation: Installation
Result Code: Succeeded
HResult: 0x00000000
Update ID: 603aa2ce-9d30-473c-a175-0bdd19bd0a60
Support URL: https://support.microsoft.com/help/5031356
You have found the solution, I believe that Microsoft has chosen to annoy everyone and has been doing so for a long time.
Thanks again for your hard work.
search for new update, latest system informer update works with new Windows updates from this week.
Windows 11 23H2 is now officially released with optional Update KB5031455 (OS Builds 22621.2506 and 22631.2506) Preview
It looks like @jxy-s works on automating the dyn data in a new branch. So we'll have to wait a bit until this update race is resolved.
works, but I had to enable driver loading again, due to your renamings. So if you see no ++ in title bar, make sure kernel driver loading is enabled.
Yep, thanks for calling that out @MagicAndre1981 - the setting names were normalized. Rather bite that bullet now than when we do a full release. Thanks.
KB5032190 (OS Builds 22621.2715 and 22631.2715)
https://support.microsoft.com/en-us/topic/november-14-2023-kb5032190-os-builds-22621-2715-and-22631-2715-f9e3e13c-5e98-42c2-add8-f075841ca812
KB5032189 (OS Builds 19044.3693 and 19045.3693)
https://support.microsoft.com/en-us/topic/november-14-2023-kb5032189-os-builds-19044-3693-and-19045-3693-fe81e7e5-06bd-4e13-8233-4f7c07b1c512
Windows Server 2022
x64
10.0.20348.2113
KB5032198
ntoskrnl.exe
10.0.20348.2110
Timestamp, 0x9729528b
SizeOfImage, 0x1047000 (16.28 MB)
Guid, {53b8a0b3-6fad-7869-0204-da3ce552a05c} (b3a0b853ad6f69780204da3ce552a05c) (deterministic)
Age, 1
http://msdl.microsoft.com/download/symbols/ntoskrnl.exe/9729528B1047000/ntoskrnl.exe
http://msdl.microsoft.com/download/symbols/ntkrnlmp.pdb/53B8A0B36FAD78690204DA3CE552A05C1/ntkrnlmp.pdb
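How the two symbol-server URLs in the comment above follow from the Timestamp, SizeOfImage, Guid and Age values listed with them, as an added example that is not part of the thread or of System Informer's tooling. The helper names and the minimal PE header are constructed for illustration; only the numeric values and the URL layout come from the comment.

```python
import struct
import uuid

SYMBOL_SERVER = "http://msdl.microsoft.com/download/symbols"

def pe_symbol_key(image: bytes) -> str:
    """Symbol-server key for a PE image: TimeDateStamp (8 hex digits) + SizeOfImage."""
    try:
        if image[:2] != b"MZ":
            raise ValueError("missing MZ signature")
        (e_lfanew,) = struct.unpack_from("<I", image, 0x3C)
        if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
            raise ValueError("missing PE signature")
        coff = e_lfanew + 4                       # IMAGE_FILE_HEADER
        (timestamp,) = struct.unpack_from("<I", image, coff + 4)
        opt = coff + 20                           # IMAGE_OPTIONAL_HEADER
        (magic,) = struct.unpack_from("<H", image, opt)
        if magic not in (0x10B, 0x20B):           # PE32 / PE32+
            raise ValueError("unknown optional header magic")
        # SizeOfImage sits at offset 56 in both PE32 and PE32+ optional headers.
        (size_of_image,) = struct.unpack_from("<I", image, opt + 56)
    except struct.error as exc:
        raise ValueError("truncated PE header") from exc
    return f"{timestamp:08X}{size_of_image:X}"

def pdb_symbol_key(guid_bytes_le: bytes, age: int) -> str:
    """Symbol-server key for a PDB: GUID in string order (32 hex digits) + age."""
    guid = uuid.UUID(bytes_le=guid_bytes_le)      # raw CodeView bytes are little-endian
    return f"{guid.hex.upper()}{age:X}"

def symbol_url(file_name: str, key: str) -> str:
    """Two-tier symbol store path: <server>/<file>/<key>/<file>."""
    return f"{SYMBOL_SERVER}/{file_name}/{key}/{file_name}"

def build_sample_header(timestamp: int, size_of_image: int) -> bytes:
    """Constructed, minimal PE32+ header (not a real kernel image)."""
    buf = bytearray(0x200)
    buf[0:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, 0x80)       # e_lfanew
    buf[0x80:0x84] = b"PE\0\0"
    struct.pack_into("<HHI", buf, 0x84, 0x8664, 0, timestamp)
    struct.pack_into("<H", buf, 0x98, 0x20B)      # PE32+ magic
    struct.pack_into("<I", buf, 0x98 + 56, size_of_image)
    return bytes(buf)

# Values quoted in the comment above for ntoskrnl.exe 10.0.20348.2110.
SAMPLE_IMAGE = build_sample_header(0x9729528B, 0x1047000)
SAMPLE_GUID_LE = bytes.fromhex("b3a0b853ad6f69780204da3ce552a05c")

if __name__ == "__main__":
    print(symbol_url("ntoskrnl.exe", pe_symbol_key(SAMPLE_IMAGE)))
    print(symbol_url("ntkrnlmp.pdb", pdb_symbol_key(SAMPLE_GUID_LE, 1)))
```

An HTTP 404 for the PDB path, as in the SYMSRV log later in the thread, means the symbols for that exact GUID and age have not been published yet.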
Windows 10 21H2 LTSC
x64
Kernel 10.0.19041.3693
System Informer 3.0.7310
Error kernel driver not supported on this kernel version.
I agree with earlier idea for error box to link to this issue, maybe it could even auto submit details.
Microsoft Windows [Version 10.0.22631.2715]
Hello everybody, same error as chrcoluk except it is Windows 10 22H2.
See attached file
ok, looks like symbol for 17763 are not online, so you haven't added it
I'll look today
still missing for 17763
SYMSRV: HTTPGET: /download/symbols/ntkrnlmp.pdb/AA44BDCCE47E33E9B131260A6B98E1991/ntkrnlmp.pdb
SYMSRV: HttpQueryInfo: 80190194 - HTTP_STATUS_NOT_FOUND
SYMSRV: HTTPGET: /download/symbols/ntkrnlmp.pdb/AA44BDCCE47E33E9B131260A6B98E1991/ntkrnlmp.pd_
SYMSRV: HttpQueryInfo: 80190194 - HTTP_STATUS_NOT_FOUND
SYMSRV: HTTPGET: /download/symbols/ntkrnlmp.pdb/AA44BDCCE47E33E9B131260A6B98E1991/file.ptr
SYMSRV: HttpQueryInfo: 80190194 - HTTP_STATUS_NOT_FOUND
SYMSRV: RESULT: 0x80190194
DBGHELP: ntkrnlmp.pdb - file not found
Symbols for Windows Server 2k22 are now available:
http://msdl.microsoft.com/download/symbols/ntoskrnl.exe/3B845E5D1047000/ntoskrnl.exe
http://msdl.microsoft.com/download/symbols/ntkrnlmp.pdb/CEB3272F2DA918532E985797AA1099AD1/ntkrnlmp.pdb
Symbols for previous update of Server 2k22 are also available, they were not incorporated into System Informer (as of last week or so), I don't know the current situation as I already updated both Windows and SI.
http://msdl.microsoft.com/download/symbols/ntoskrnl.exe/9729528B1047000/ntoskrnl.exe
http://msdl.microsoft.com/download/symbols/ntkrnlmp.pdb/53B8A0B36FAD78690204DA3CE552A05C1/ntkrnlmp.pdb
10.0.20348.2141 and 10.0.20348.2110 already have support
10.0.17763.5202 is checked in but needs a new build, will do one when I get an opportunity to
10.0.17763.5202 - 3.0.7412 -> Help > Check for updates
works fine
Unfortunately, it still refuses to work on my end as well. @jxy-s, this is the error I am presented with.
Error:
Attached:
Exe: ntoskrnl.zip
PDB: http://msdl.microsoft.com/download/symbols/ntkrnlmp.pdb/C7DF30B22252078525B414CC51B257D31/ntkrnlmp.pdb
That's a different error. Either the ksidyn.bin or ksidyn.sig - reading the file failed (or returned a failure and didn't communicate it). I found a problem with this path that I'll correct to make any error propagate more clearly. The handle is also leaked, which might be causing an issue with the update.
If either of those files are zero length, try running the setup again (you can run it on an existing install and it will keep the settings).
Got an idea, on how I would check that?
- I build mine from scratch with the exact settings as intended.
- I do not mess with anything.
- Running the nightly, this same error results.
Investigation
Edit: Interesting. These files are what exist after building.
ksidyn.zip
Confirmation: they both match. It's the signature file however that is 0 bytes in size.
For others having this issue: Please ensure your sig file is not 0 bytes and copy it from the nightly.
I build mine from scratch with the exact settings as intended.
You need to follow the instructions here for generating your own keys for signing. The driver restricts callers unless you have the correct signatures. You can do plugin development (with restricted access), but realizing now that is somewhat broken with the new dyndata signing workflow.
Seems my 'fix' does not work anymore on the recent git push: 4708b9f
- Nightly hasn't been updated just yet, but I'll try again later on.
The error you get after copying current .sig files to x64 directory and attempt to load the driver:
ok, on 1 RS5 it is not working, telling me to do a reboot, which I did, but the error is still the same:
After deleting the ksi.dll-old file the error is gone (without any reboot).
ksi.dll-old is marked for deletion on reboot since it must remain loaded. My speculation is that one machine had the pending rename operation key corrupted or reverted. Which resulted in the file not being deleted. I can add some logic to try to delete the file if somehow the OS leaves it around after reboot. That should serve as a fallback without needing manual intervention.
January 9, 2024 - KB5034122 (OS Builds 19044.3930 and 19045.3930)
https://support.microsoft.com/en-us/topic/january-9-2024-kb5034122-os-builds-19044-3930-and-19045-3930-7656c6a4-0b06-4424-86a9-d0719f4ac252
January 9, 2024 - KB5034123 (OS Builds 22621.3007 and 22631.3007)
https://support.microsoft.com/en-us/topic/january-9-2024-kb5034123-os-builds-22621-3007-and-22631-3007-3f7e169f-56e8-4e6e-b6b8-41f4aa4b9b88
symbols are again not online like last months.
Symbols for Server 2k22 are available.
http://msdl.microsoft.com/download/symbols/ntoskrnl.exe/F290800D1047000/ntoskrnl.exe
http://msdl.microsoft.com/download/symbols/ntkrnlmp.pdb/B3ED6FA26A1FD6DF6A34DF3B125CAFE81/ntkrnlmp.pdb
17763 symbol is now online:
ok, 1 day delay is now normal according to Microsoft.
3.0.7429 works on 17763, 19045 and 22631. All have ++ in title ๐
@jxy-s can you please add a link to this issue to the messagebox that shows unsupported version to avoid the duplicates?