1 Rookie

115 Posts

April 17th, 2023 19:00

XPS 8950, memory Integrity off, no incompatible drivers found

After a recent Reset (i.e., clean Windows 22H2 install from the cloud) Windows turned off Memory Integrity (under Core isolation). I'm running Win22H2, build 22621.1555. Windows Security (no 3rd party A/V). No incompatible drivers were found, either with the Scan in Windows Security or in the drivers tab of Sysinternals/autoruns (all drivers are Verified). I enabled Virtualization Based Security in Group Policy, but that didn't help (I've since restored this to "Not Configured"). I enabled Virtual Machine Platform, Windows Hypervisor in Optional features, but this also didn't help. Windows is up to date, SFC and DISM both come up clean. No issues shown in Device Manager, including hidden devices. All resident applications are also installed on another device, where Memory Integrity is running without issues. If anyone's had experience with this, any suggestions will be appreciated. Thank you.

4 Operator

1.7K Posts

May 14th, 2023 06:00

@And Ye Shall Find , I picked up RAPR, but was not able to make much out of it? That just showed the INF files. Many even were dup's. Not unusual for INF files to be left, that is how you can ROLL BACK a driver it appears. No indication any of those are the problem. Program is more to save space than anything else. Look at my Bluetooth drivers:

ispalten_0-1684069416343.png

A lot of dup's and space used by all of them, minimal compared to my C: disk free space I have.

I had used the Registry path once before, so I had the key, but it was set to 0, which is off. Changed it to one, Core Isolation on.

Yes, that does make it work, but the bigger question I can't find an answer to is "What is the actual reason it cannot be turned on, since it doesn't show any driver causing this, is there another reason?"

I sometimes wonder if that is even needed? I've never seen something 'happen' that would have been 'saved' if I had that on that I know of? What is the HARM of manually overriding the setting?

I've had Support Assist IN and  OUT of this XPS... I get some Event Viewer re-configuration warnings with it and the Remediation Server running. I'm wondering if that Service is part of my problem. I think once I turned it off, I got the Windows warning it was off. All those errors kicked in after the most recent version of SupportAssist was installed by Dell Update?

Before that last Update of SupportAssist I could NOT set System Repair in it. Somehow the last update enabled it and I got a 'surprise' Action Center message that a System Backup was done? Only then did I look at the settings for Support Assist and it was set much to my surprise. Once I disabled the Service, that no longer works or can be set, so the two are connected with System Repair and re-configuring being done on all applications on each boot.

Possible that Core Isolation is connected with these?

8 Wizard

17K Posts

April 17th, 2023 21:00


@And Ye Shall Find wrote:
Core Isolation
Virtual Machine Platform, Windows Hypervisor in Optional features, 

I thought it was one or the other. I didn't think you could be both concurrently.

See msinfo32.

1 Rookie

115 Posts

April 18th, 2023 03:00

Well, I'm really not sure, but was able to add both in Optional Features - just trying different iterations suggested by others. So far, no joy!

4 Operator

1.7K Posts

May 13th, 2023 16:00

Surprise, I hit this too on W11 Win22H2, build 22621.1792!!

It showed up in the Action Center a few days ago, probably after the last Patch Tuesday?

I did the SFC, DISM, and Autoruns too... nothing found. Even looked in Device Manager for possible Hidden drivers... nothing. Only driver related error is the Ethernet adapter. It does have a cable in it and attached to our router, but the device is DISABLED. I use it occasionally if I require faster speed, but since my ISP upgraded me to 1Gbps my wireless can reach the low 900bps (never get the max. 940bps though). I doubt that is doing it.

So, I decided to set it via the Registry editing. It seems to be staying set.

1 Rookie

115 Posts

May 13th, 2023 17:00

Thanks for the input @ispalten . I was hoping for a more holistic solution vs modifying the Registry, but am running out of alternatives. I've already deleted several "old" drivers that I thought would do no harm (using RAPR) but haven't gone hog-wild there. The next thing I was going to try was uninstalling SupportAssist (which honestly, I've been itching to do anyway) which someone somewhere suggested might be the culprit.

Regarding the Registry mod, one point to note is that my other Dell - a Vostro 5620 - isn't showing the Memory Integrity error, and it does contain the [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity] "Enabled"=dword:00000001 Registry Key / Dword. On my problematic XPS, the key is missing entirely. This certainly supports adding this key as a solution.

1 Rookie

115 Posts

May 14th, 2023 07:00

@ispalten 

A few people at ElevenForum thought that "old" drivers could result in Memory Integrity being disabled, yet not be flagged, which is why I was experimenting with RAPR. Saving space is nice, but not the objective. I'm not entirely confident that just because RAPR says it's old though, doesn't mean something somewhere isn't using it, so I didn't go too far down this road.

"the bigger question I can't find an answer to is "What is the actual reason it cannot be turned on, since it doesn't show any driver causing this, is there another reason?""

EXACTLY.  My other thought was whether setting the Dword to "1" in the Registry actually does anything besides enabling us to check a box in Windows Defender. Is it then really on, or just "pretending"? Might it have been on all along, with Windows showing a bad message?

I view Memory Integrity as an incremental protection. I don't believe it's necessarily "needed" until something happens, and you wished it was on. Some techies at ElevenForum actually go out of their way to disable it.

At least one person did suggest SupportAssist could be the culprit. I've learned through much trial (and tribulation) there are 6 Services that need to be stopped - some in sequence - to truly disable SupportAssist, but even then, I see the greedy, resource-hogging, heavy-handed, intrusive app doing things in the background without permission or notification. It has to go! I'm away from my XPS for possibly weeks, but will give that a try, and let you know if it made a difference. 
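
Added example (not part of any post in this thread): the question raised above, whether the registry DWORD means Memory Integrity is really on, can be checked by comparing the configured value with what Windows reports as running. It reads the registry value quoted earlier in the thread and the Win32_DeviceGuard CIM class, and assumes an elevated PowerShell prompt.

```powershell
# Added example: configured vs. running state of memory integrity (HVCI).
$hvciKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity'

# Registry side: the "Enabled" DWORD discussed in the thread (key or value may be absent).
$configured = $null
if (Test-Path -Path $hvciKey) {
    $configured = (Get-ItemProperty -Path $hvciKey -Name Enabled -ErrorAction SilentlyContinue).Enabled
}

# Runtime side: what the system reports after boot.
$dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard

# VirtualizationBasedSecurityStatus: 0 = not enabled, 1 = enabled but not running, 2 = running.
$vbs = switch ([int]$dg.VirtualizationBasedSecurityStatus) {
    0       { 'Not enabled' }
    1       { 'Enabled but not running' }
    2       { 'Running' }
    default { 'Unknown' }
}

# In SecurityServicesConfigured / SecurityServicesRunning the value 2 stands for HVCI.
$report = [pscustomobject]@{
    RegistryEnabled = if ($null -eq $configured) { '<value not present>' } else { $configured }
    VbsStatus       = $vbs
    HvciConfigured  = $dg.SecurityServicesConfigured -contains 2
    HvciRunning     = $dg.SecurityServicesRunning -contains 2
}
$report | Format-List

# Flag the "checkbox is on but nothing is enforcing" case.
if ($configured -eq 1 -and -not $report.HvciRunning) {
    Write-Warning 'HVCI is configured in the registry but is not reported as running.'
}
```

The registry value is read at boot, so a mismatch immediately after editing it is expected until the machine has been restarted. msinfo32 shows the same state in its virtualization-based security rows.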

4 Operator

1.7K Posts

May 14th, 2023 09:00

@And Ye Shall Find 

I hear you. I can be dangerous too, doing something I don't know or understand...

RAPR is just such a program. See my screen capture above. First I know Windows via Device Manager CAN back-level a driver. Good to know and do if you get a new driver that doesn't work too well.

However, just deleting what appears to be duplicate entries could be disastrous. First, the INF files, some have the same names even, and that means more than one copy exists on your PC.

First thing to do, on the title bar, RMB and CHECK all items... this will give you more info.

Now look at my list of Bluetooth items:

ispalten_0-1684080067009.png

Note the highlighted line. That and the one below it, same version, same date, different name for the INF file. If I click OLD DRIVERS, all but the line with a Device Name entry is marked blue so you CAN delete them as they are checked (and so are all the others the program determines to be old). Now here is the RUB... they basically are the same...

One downside of deleting files, Device Manager KNOWS which one was the last and uses that to back-level the driver....

I'd ONLY consider using that program to SAVE SPACE if I needed it.

Some reading if you are interested:

https://www.edtittel.com/blog/rapr-v0-11-92-remains-a-real-gem.html  (similar case with Intel files).

https://www.ghacks.net/2018/01/31/driverstore-explorer-manage-the-windows-driverstore/

Now this is what MS says about the Driver Store:

https://learn.microsoft.com/en-us/windows-hardware/drivers/install/driver-store 

It clearly states in these 2 paragraphs what Driver Store is and contains:

ispalten_1-1684081002573.png

Now reading those, two things stick out.. Driver SHOULD be good and trusted... AND it states in the last paragraph programs should not add or delete entries????

Reading this recent page explains the driver process as well, https://www.computerworld.com/article/3322513/how-to-reduce-windows-driver-bloat-remove-outdated-drivers.html 

However, my thought, bottom line, is take out the wrong file you might not be able to roll-back a driver. Get a corrupted driver or one that doesn't work, you might have little or no recovery possible.

I'd use that program for information only.

Still doesn't answer WHY no driver was shown that was stopping Core Isolation, does it?

This link, https://www.elevenforum.com/t/unable-to-find-the-incompatible-driver-s-preventing-core-integrity.9790/ is interesting.... implies it could be somewhere not IN Driver Store... might not even be used?

Tool listed didn't seem to be of much help to me either?

1 Rookie

115 Posts

May 14th, 2023 12:00

@ispalten Right - MSFT doesn't recommend removal, so it's probably best not to. Maybe they should force Intel and others to clean up some of their garbage as well. I can understand maybe 2 older versions of a driver for purposes of rollback, but 20? Also, if trying to make space, then nothing less than 10 MB is probably significant / worth the risk.

If MSFT security didn't fail to identify the offending driver (or didn't see an issue where none exists), we probably wouldn't even be having this discussion. They've had so many recent W22H2 issues with Windows Security (e.g., LSA, Core Isolation, Memory Integrity, Kernel-mode stack protection) it's hard to take any of their warning notifications seriously. Maybe best to just sit back, and wait for them to get their act together. They've obviously built something too difficult to maintain, and are clearly doing a horrible (i.e., irresponsible) job regression testing.

 

4 Operator

1.7K Posts

May 14th, 2023 14:00

@And Ye Shall Find 

Well, 2 points:

  • Intel might not know what level you are on, well they should, but not check it for processing older INF files? You, as the user can exercise those same INF files to put in older drivers... so they probably don't want to take a chance.
  • Quite possible there ARE problem drivers, but NOT in places where Windows would check, but see one running? Why not tell you the name though? I'm thinking some utility. For instance, I have Revo Uninstaller, and it is NOT on C:. However, one of its drivers is in C:\windows\system32\drivers. RevoFLT.SYS, RAPR doesn't show it in its list. Even the SysInternals tool I've installed on a different drive doesn't appear and they have drivers.

RAPR and possibly MS Core Isolation only I think looks at the DriverStore in C:\Windows\System32\drivers. It seems RAPR just reads those subfolders in FileRepository?

Not knowing where Core Isolation looks, and it could be also looking at LOADED drivers, makes it hard to know if you actually have a suspect driver or not?

EDIT: Oh, open a CMD prompt with Administrator rights and run DRIVERQUERY /V /FO TABLE and probably redirect the output to file with >X:\DQUERY.TXT and then open it, it is/can be long, and it is easier to read. I had at least 2 off the C: drive. Run DRIVERQUERY /? to see all the options.

1 Rookie

115 Posts

May 14th, 2023 17:00

@ispalten  You may be right - I have maybe 15 "local" apps populated on my D drive, including Revo and SysInternals, and I've noticed (to my unpleasant surprise) that some have written to the Registry and/or populated drivers in System32. It hardly lets MSFT off the hook, though - if Memory Integrity is being disabled based upon some search criteria, their reporting mechanism should key off that same criteria.

Re your point about Intel "not knowing", I use their Driver & Support Assistant, which actually contains a history of the installed drivers, so yes, they should. I believe it's more a matter of not caring, as well as the point you raised about enabling roll-back.

Thank you for DriverQuery, Very handy. The list generated seems quite different from what's shown in RAPR. Historically I've used "Get-WindowsDriver -Online -All" to return a (complete?) list of installed drivers.

1 Rookie

115 Posts

May 14th, 2023 17:00

Does the DriverQuery Cmd specifically look at the DriverStore? Traditionally I've used "Get-WindowsDriver -Online -All" to return a list, and the output from each is quite different.

 

4 Operator

1.7K Posts

May 15th, 2023 04:00

@And Ye Shall Find 

I don't know if it is drivers (.SYS files) only though, but I suspect it is. One of the 'fixes' I think says update all programs. Intel Driver and Support Assist (I assume that is what you meant) only has a log for Intel files?

I ran DriverQuery with /FO TABLE and /V. Yes, get a different 'story'. For instance these under Path:

\??\K:\tools\RAMMon\DirectIo64.sys and actually 2 lines with different names and they are 'stopped'. Both are Kernel mode drivers... could they be loaded, they are set to Manual too, but they are not listed in Services? Module Names are DIRECTIO and DIRECTIORM? Description and Display Name are the same names? Obviously, part of the RAMMON program, that is a Utility, and I assume those files are loaded and waiting to be used by the Utility?

Not the only ones, Glary Utilities, HWINFO, SPEEDFAN, and NOVABENCH are others off of the C: drive.

But I do have some I can't resolve to a utility, and they are listed like this:

RwDrv Kernel Manual Stopped 5/25/2013 9:02:31 AM \??\C:\Windows\system32\Drivers\RwDrv.sys

MYFAULT Kernel Manual Stopped 06/12/2019 2:36:53 PM \??\C:\WINDOWS\system32\drivers\myfault.sys

Clearly old from 2013, Manual I assume means it is not running and waiting to be used?

Run this in PowerShell (I used Terminal (Admin)): driverquery.exe /FO CSV | ConvertFrom-Csv | Out-GridView -Title Drivers

Produces this:

ispalten_0-1684149190578.png

If you pulldown Criteria, you can add more info, like I did.

OK, I probably bombarded you with stuff, and I'm sure some is confusing?

Want MORE confusion? Head over to NirSoft.net and pick up DriverView and InstalledDriverList... More info but doesn't really identify which one stops Core Isolation?

The PS command, Get-WindowsDriver -Online -All, is OK, but if you leave -All off, you'd only get 3rd party drivers. Better for tracing down non-MS drivers... still, you don't know good from bad? However, it is a shorter list  

A lot to look at and digest, but it doesn't help finding the answer we want, WHAT is stopping Core Isolation from turning on since MS will not tell us? The answer could be in one of the output data above, but if it is, it isn't clearly marked as a 'problem' for Core Isolation? I'm wondering if it could be something else, a Virtualization setting, BIOS setting, or non-driver loading?

Odd we both should have the problem? I'm on BIOS V2.12.0 if that matters? Using Nvidia Game Ready driver 571.39 from 5/2/2023.
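
Added example (not part of any post in this thread): the driver lists discussed above (driverquery, RAPR, Get-WindowsDriver) each show a different slice, and none shows image path, run state and signature side by side. This PowerShell inventory of registered kernel drivers does, flagging images that live outside the Windows directory, such as the utilities' drivers on other drives mentioned above. The function and property names are chosen for this example, and it does not identify which driver, if any, blocks Memory Integrity.

```powershell
# Added example: registered kernel drivers with resolved path, state and signature.
function Resolve-DriverPath {
    param([string]$PathName)
    if (-not $PathName) { return $null }
    $p = $PathName.Trim('"') -replace '^\\\?\?\\', ''    # drop the NT "\??\" prefix
    $p = $p -replace '^\\SystemRoot\\', "$env:SystemRoot\"
    if ($p -match '^system32\\') { $p = Join-Path $env:SystemRoot $p }
    return $p
}

$sysRoot = [regex]::Escape($env:SystemRoot)

$drivers = Get-CimInstance -ClassName Win32_SystemDriver |
    Where-Object { $_.ServiceType -eq 'Kernel Driver' } |
    ForEach-Object {
        $path   = Resolve-DriverPath $_.PathName
        $exists = [bool]($path -and (Test-Path -LiteralPath $path))
        $sig    = if ($exists) { Get-AuthenticodeSignature -LiteralPath $path }
        [pscustomobject]@{
            Name           = $_.Name
            State          = $_.State          # Running / Stopped
            StartMode      = $_.StartMode      # Boot / System / Auto / Manual / Disabled
            Path           = $path
            OutsideWindows = [bool]($path -and $path -notmatch "^$sysRoot\\")
            FileDate       = if ($exists) { (Get-Item -LiteralPath $path).LastWriteTime }
            Signature      = if ($sig) { [string]$sig.Status } else { 'file not found' }
            Signer         = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
        }
    }

# Everything, sortable and filterable like the Out-GridView view used in the thread.
$drivers | Sort-Object OutsideWindows, Name | Out-GridView -Title 'Kernel drivers'

# Shortlist worth tracing back to an application: off-tree or not validly signed.
$drivers |
    Where-Object { $_.OutsideWindows -or $_.Signature -ne 'Valid' } |
    Format-Table Name, State, StartMode, Signature, FileDate, Path -AutoSize
```

A valid signature is not the same as Memory Integrity compatibility; as the first post notes, every driver in Autoruns was Verified and the feature still stayed off.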

1 Rookie

115 Posts

May 15th, 2023 05:00

@ispalten 

My XPS is on V 1.12.0. I've played around with different combinations of optional features (e.g., Hyper-V, Virtualization) and also tried matching those on my "working" Vostro. I've gone through the BIOS settings, etc., and everything I can see that should be enabled, is.

As you've said, some of these drivers can't even be traced back to an app, so the only way to really check might be to remove them one by one, but clearly this is time consuming and impractical if not outright dangerous.

Personally, I find it interesting (and educational) to research this kind of stuff, but in the end, I feel like I've been just chasing my tail. We can see this isn't an isolated issue, and many are likely experiencing it. MSFT apparently thinks it's ok to skimp on Q/A and expose their user-base to bugs and confusion. Sigh.

4 Operator

1.7K Posts

May 15th, 2023 05:00

@And Ye Shall Find 

We're only annoyed as we'd like it to work... but what is it really worth to have it on? Not clear to me... and possibly other 'things' might protect you too, like an A/V suite or your browser, maybe even a router if you have one or your ISP?

MS isn't the only one with problems they don't care to fix either...

Look at Dell and Support Assist, many reports of problems, and my Reconfigures happening? Even the MS GameInput does on every boot, and MS problem from 'forever', never fixed. Maybe it costs me 2 seconds of boot time? No side effects either... how high do you think it is on their list to fix?

I suspect with respect to Core Isolation, if it was an MS problem, some later Windows Update will automagically fix it. If not, well, someday something will happen and it will be fixed, program install/update, deleting a program, etc., but you probably wouldn't realize it happened unless you looked at the setting and tried it after each and every one of those.

I still would like to find detailed information and what and where Core Isolation looks for drivers (and what in them) that stops it from enabling. ZERO details on this now other than it IS a driver...., no mention of where it looks, nor if only drivers...

I'm OK I think with the Registry Hack though.

1 Rookie

115 Posts

May 15th, 2023 11:00

@ispalten I'm with you. At some point it would probably resolve itself, and in the meanwhile, Registry hack (of course if the Registry hack is applied, we'll never know if, when or how, which is why I've held off applying it for so long). My apartment is a total mess, but I like to keep my computing environment buttoned down, so I'll have to battle my own OCD and just let it slide. If I come across anything that might be relevant in the meanwhile, I'll let you know. 
