Geoff Chappell, Software Analyst
The SYSTEM_ISOLATED_USER_MODE_INFORMATION structure is produced in the output buffer by a successful call to the following functions:
when given the information class SystemIsolatedUserModeInformation (0xA5).
The SYSTEM_ISOLATED_USER_MODE_INFORMATION structure is not documented.
The SYSTEM_ISOLATED_USER_MODE_INFORMATION is 0x10 bytes in 32-bit and 64-bit Windows.
Offset | Definition |
---|---|
0x00 | struct { UCHAR SecureKernelRunning : 1; /* 0x01 */ UCHAR HvciEnabled : 1; /* 0x02 */ UCHAR HvciStrictMode : 1; /* 0x04 */ UCHAR DebugEnabled : 1; /* 0x08 */ UCHAR SpareFlags : 4; }; |
0x01 | struct { UCHAR TrustletRunning : 1; /* 0x01 */ UCHAR SpareFlags2 : 7; }; |
0x02 | UCHAR Spare0 [6]; |
0x08 | ULONGLONG Spare1; |
This structure and the corresponding information class have only trivial support in 32-bit Windows: all members are zeroed. This is true also in 64-bit Windows unless the secure kernel (securekernel.exe) is running.
The secure kernel runs in the hypervisor’s Virtual Secure Mode (VSM) to support the kernel feature that’s known as Isolated User Mode (IUM). This feature requires not only suitable hardware and a suitable Microsoft-compatible hypervisor but also significant configuration so that the loader runs both the secure kernel and the (host) kernel under the hypervisor. That the loader has loaded the secure kernel is known to the kernel from a set IumEnabled bit in the LOADER_PARAMETER_EXTENSION. Indeed, the secure kernel is running by then, but not usefully. Only if the hypervisor implements the cpuid leaf 0x40000003 so that ebx on output has a set AccessVsm bit (undocumented, if only for now, in the HV_PARTITION_PRIVILEGE_MASK) does the kernel initialise itself for IUM. This, of course, depends on connecting with the secure kernel. A set SecureKernelRunning bit in the IUM information means that this initialisation has succeeded.
The TrustletRunning bit can be set only for an extended query.
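The layout and the two behavioural notes above can be checked mechanically against a captured output buffer. The following decoder is an added example, not code from the original page or from Windows: the names ium_decode, ium_state and the ANOM_* findings are hypothetical, the bit masks are the ones given in the table's comments, and treating the spare fields as always zero is an assumption.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#define IUM_INFO_SIZE 0x10            /* structure size stated on the page */
/* Bit masks taken from the comments in the page's layout table. */
#define SK_RUNNING    0x01            /* byte at offset 0x00 */
#define HVCI_ENABLED  0x02
#define HVCI_STRICT   0x04
#define DEBUG_ENABLED 0x08
#define TRUSTLET_RUN  0x01            /* byte at offset 0x01 */
/* Findings (hypothetical names) for output that contradicts the page. */
#define ANOM_SET_WITHOUT_SK  0x1      /* non-zero data, SecureKernelRunning clear */
#define ANOM_TRUSTLET_NOT_EX 0x2      /* TrustletRunning on a non-extended query */
#define ANOM_SPARE_NONZERO   0x4      /* assumption: spare fields stay zero */

typedef struct {                      /* hypothetical type, not a Windows one */
    int secure_kernel, hvci, hvci_strict, debug, trustlet;
    unsigned anomalies;
} ium_state;

/* Decode a raw output buffer; returns 0, or -1 if it is not 0x10 bytes. */
int ium_decode(const uint8_t *buf, size_t len, int extended_query, ium_state *out)
{
    int nonzero = 0, spare = 0;
    if (!buf || !out || len != IUM_INFO_SIZE) return -1;
    memset(out, 0, sizeof *out);
    out->secure_kernel = !!(buf[0] & SK_RUNNING);
    out->hvci          = !!(buf[0] & HVCI_ENABLED);
    out->hvci_strict   = !!(buf[0] & HVCI_STRICT);
    out->debug         = !!(buf[0] & DEBUG_ENABLED);
    out->trustlet      = !!(buf[1] & TRUSTLET_RUN);
    for (size_t i = 0; i < len; i++) {
        nonzero |= buf[i];
        if (i >= 2) spare |= buf[i];              /* Spare0 and Spare1 */
    }
    spare |= (buf[0] & 0xF0) | (buf[1] & 0xFE);   /* SpareFlags, SpareFlags2 */
    if (nonzero && !out->secure_kernel) out->anomalies |= ANOM_SET_WITHOUT_SK;
    if (out->trustlet && !extended_query) out->anomalies |= ANOM_TRUSTLET_NOT_EX;
    if (spare) out->anomalies |= ANOM_SPARE_NONZERO;
    return 0;
}

int main(void)
{
    /* Constructed sample: SecureKernelRunning and HvciEnabled set. */
    const uint8_t sample[IUM_INFO_SIZE] = { 0x03 };
    ium_state s;
    if (ium_decode(sample, sizeof sample, 0, &s) != 0) return 1;
    printf("SK=%d HVCI=%d strict=%d debug=%d trustlet=%d anomalies=0x%x\n", s.secure_kernel, s.hvci, s.hvci_strict, s.debug, s.trustlet, s.anomalies);
    return 0;
}
```

A non-zero anomalies value means the buffer does not match the behaviour described here, which is worth recording alongside the decoded flags when auditing hosts.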