In a recent discussion about moving Windows Vista's graphics subsystem out of the operating system kernel and into its own area, called the Windows Presentation Foundation, the Windows Vista infrastructure architects revealed that in the new operating system most drivers, including graphics, will run in user mode rather that in kernel mode. According to Microsoft, the main reason for the move to user mode is that when a driver runs at the kernel level, it can basically do anything it wants—including overwriting memory that doesn't belong to it. The result of such an action is more often than not a system crash. In fact, it was revealed that about 90 percent of all system crashes in Windows XP are caused by problems with drivers—namely unsigned drivers.
As such, when you're troubleshooting strange behavior with a Windows XP system, the first things you should put under the microscope are the drivers currently installed on the system. To do so, you can use the File Signature Verification Utility and configure it to search for and identify any unsigned drivers currently installed in the operating system.
In this article, I'll show you how to use the File Signature Verification Utility as troubleshooting aid. As I do, I'll go into more detail on the significance of signed verses unsigned drivers in Windows XP.
As you know, all of the system files and device driver files provided on the Windows XP CD and added to the system by Windows Update have an official Microsoft digital signature attached to them. This digital signature indicates that the files are original, unaltered system and driver files from Microsoft or that they are third-party driver files that have been approved by Microsoft for use with Windows XP.
You probably also know that software and drivers for hardware products that carry the Designed for Microsoft Windows XP logo, shown in Figure A, have a digital signature from Microsoft, indicating that the product was tested for compatibility with the Windows XP operating system using official testing procedures provided by Microsoft.
|This logo ensures that the software and drivers for hardware products are digitally signed by Microsoft.|
The logo also indicates that if the driver is ever updated, the hardware manufacturer should have the updated driver tested, signed, and made readily available either on the manufacturer's Web site or on the Windows Update Web site.
While the goals proposed by Designed for Microsoft Windows XP logo program and signed drivers are designed to improve overall system stability, not all hardware manufactures choose to participate in the program. On the other hand, some hardware may have been manufactured and shipped before Windows XP was released and the manufactures have not gone back and created signed drivers for what they consider their legacy devices.
Regardless of the situation, chances are good that at one time or another you've been installing a piece of hardware and encountered the Hardware Installation dialog box shown in Figure B. In the case of new hardware, chances are that the accompanying installation guide instructed you to click the Continue Anyway button with the assurance that the functionality of the driver is sound and that the warning can safely be ignored.
|By default, Windows XP will warn you before allowing the installation of unsigned drivers.|
Because you need or really want to use the hardware, you go ahead and click the button. In many cases, an unsigned driver seems to work fine, so you go about our business and eventually forget all about the fact that the driver was unsigned.
But what happens to the functionality of an unsigned driver over time as you add other hardware and drivers to the system or update the operating system? Will an unsigned driver continue to play nice or will it be the instigator of strange problems or crashes?
Investigating Windows XP's Drivers settings
When it comes to device drivers, Windows XP has two built in settings that are designed to ensure signed drivers are used in the system. First, when you begin a driver installation procedure, Windows XP will by default check to see if the driver has been signed. Second, when you connect a new device to your system without first installing the drivers, Windows XP is configured to prompt you to allow the operating system to check the Windows Update site for a signed driver.
You can alter or investigate these settings on the Hardware tab of the System Properties dialog box. To do so, press [Windows]-Break to display the System Properties dialog box and then select the Hardware tab. As you can see in Figure C, the Drivers panel on the Hardware tab contains two buttons titled Driver Signing and Windows Update.
|On the Hardware tab, the Drivers panel contains buttons titled Driver Signing and Windows Update.|
When you click the Driver Signing button, you'll see the Driver Signing Options dialog box, which provides you with three levels of digital signature verification, as shown in Figure D. As you can see, the default setting is to warn you when an unsigned driver is detected. This is the setting that will generate the Hardware Installation dialog box shown earlier in Figure B.
|By default, Windows XP is configured to warn you when an unsigned driver is detected.|
As you can see, you can either lower or raise the digital signature verification level. For example, if you don't ever want to install unsigned drivers on your Windows XP system, you'd select the Block-Never Install Unsigned Driver Software option. You should also verify that the Make This Action The System Default check box is selected. When you do so, rather than a dialog box like the one shown in Figure B, you'll see a Hardware Installation dialog box like the one shown in Figure E, anytime you attempt to install a device with an unsigned driver.
|If you block unsigned drivers, you won't be able to install any hardware unless it has a signed driver.|
Returning to the Drivers panel on the Hardware tab, if you click the Windows Update button you'll see the Connect to Windows Update dialog box, as shown in Figure F. As you can see, the available settings allow you to select one of three levels of control over how the operating system is to access the Windows Update site when looking for signed drivers.
|There are three levels when it comes to searching the Windows Update site for signed drivers.|
The default setting is to prompt you to search the Windows Update site for a signed driver. However, if you really want to enforce the policy, you can select the first option in order to make Windows XP immediately go to the Windows Update site.
The File Signature Verification Utility
Now that you have a good idea of how Windows XP's driver signing features work and how they can be configured, let's take a look at how you can use the File Signature Verification Utility, as shown in Figure G, to troubleshoot driver problems. The official access point for the File Signature Verification Utility is on the Tools menu in System Information. However, you can launch the utility much quicker from the Run command. To do so, press [Windows]+R, type Sigverif.exe in the Open text box, and click OK.
|The File Signature Verification Utility provides a very straightforward interface.|
In order to configure the Signature Verification Utility to track down unsigned drivers, click the Advanced button. When the Advanced File Signature Verification Settings dialog box appears, you'll notice that the default setting is to scan for unsigned system files. In order to scan for unsigned drivers, you need to select the Look For Other Files That Are Not Digitally Signed option, as shown in Figure H. You can click the Browse button adjacent to the Look In This Folder text box to drill down to the C:\Windows\System32\Drivers folder.
|In order to track down unsigned drivers, you need to choose the other files option.|
To continue with the configuration option, select the Logging tab and make sure that the Save The File Signature Verification Results To A Log File check box is selected, as shown in Figure I. You can leave the default Logging options set to Overwrite Existing Log File and the Log File Name set to Sigverif.txt. To complete the configuration operation, click OK.
|You'll want to make sure that the File Signature Verification Utility is configured to save the results to a log file.|
When you return to the File Signature Verification window, click Start. As soon as you do, the File Signature Verification window will begin building a file list and then start scanning all the files in the Drivers folder for unsigned drivers, as shown in Figure J.
|The File Signature Verification Utility uses a progress bar to keep you apprised of its scan operation.|
When the utility finishes its scan operation, you'll see the Signature Verification Results window, as shown in Figure K. As you can see, the window lists all of the unsigned drivers that the utility found installed on the system. In addition, there is a mini report in the status area the provides a total and breakdown of all the files scanned.
|The File Signature Verification provides detailed information about all of the unsigned drivers installed on the system.|
While looking over the preliminary information provided in this window is helpful, the working copy of the report is in the Sigverif.txt log file, which can be found in the Windows folder and viewed in Notepad, as shown in Figure L. Don't be alarmed that the report identifies the operating system as Windows 2000—this utility is a carry over from the previous operating system and through an oversight Windows 2000 is still listed in the log file header.
|The Sigverif.txt log file lists all of the driver files, both signed and unsigned, and is sorted alphabetically.|
While the report is comprehensive, it lists all of the driver files and is sorted alphabetically rather than by status. As such, it can be a bit unwieldy for use as a map for a troubleshooting expedition. However, with a bit of manipulation via Excel's Text Import Wizard, the report can be imported into a spreadsheet, where you can easily sort the data by the status, as shown in Figure M. As you can see, in the Sigverif log file drivers that are unsigned are displayed as Not Signed.
|Using Excel's Text Import Wizard, the report can be imported into a spreadsheet and sorted by status.|
Disabling unsigned drivers
Once you've identified the unsigned drivers on the system, you can use the report as a map for your troubleshooting expedition. Basically, what you'll want to do is disable the unsigned drivers one-by-one to see if one of the unsigned drivers is the cause of the problem.
There are several ways that you can disable an unsigned driver. Probably the easiest way to do so, is to launch Windows Explorer, access the Windows\System32\Drivers folder, locate the driver file, and rename it. If you can recognize the hardware via the driver file name, you can launch Device Manager from the Hardware tab of the System Properties dialog box, access the device's properties dialog box, and disable the device.
After you disable a device, use the system as you normally would and see if the problem persists. If it does, re-enable the device, and then disable the next driver in your list.
If after disabling a driver, the problem appears to be resolved, you can be fairly certain that you've isolated the problem driver. At this point, you'll want to contact manufacturer and see if you can download an updated version of the driver that is designed to run with Windows XP.
Greg Shultz is a freelance Technical Writer. Previously, he has worked as Documentation Specialist in the software industry, a Technical Support Specialist in educational industry, and a Technical Journalist in the computer publishing industry.