At some point recently (“recently” being defined as “in the last year or so”) the WDK started whining at me with the following warning:
warning 1324: [Version] section should specify PnpLockdown=1.
It insists that I should specify PnPLockdown=1 in my INF. What IS this warning, does it matter, and do you really want to do what it advises? Here’s the scoop.
What Does Setting PnPLockdown=1 Do?
We fooled with this some when we first started getting the warning. And we determined that setting PnPLockdown to 1 makes the Trusted Installer the owner of the driver’s executable image (.SYS file). This means that applications can’t delete or change the file (or, indeed, even rename it). This is a good thing on a production system.
So, I Should Put This in my INF File, right?
Yes. No. Well, maybe. Sometimes.
Before shipping your driver as a production release, we definitely recommend specifying PnPLockdown=1 in your INF.
However, while you’re debugging your driver, specifying this parameter can make life more complicated for you. For example, during development here at OSR, when we want to update the version of our driver executable on the target machine, we:
- Disable the driver on the target system (using Device Manager or some other utility);
- Copy the new version of our driver’s .sys file over the old version, directly in the \Windows\System32\drivers directory on the target system;
- Re-enable the driver.
Setting PnPLockdown=1 prevents this from working. You’re not able to overwrite the old version of the driver. And you’re not even able to rename it (which would otherwise let you put the new executable in its place).
So, during development, we never set PnPLockdown=1 in our INF. We just leave the PnPLockdown directive out of our INF entirely. Setting it to 1 creates too much annoyance, and we specifically do not want the extra protection that this feature provides.
I’ll admit that this policy has sometimes caused a bit of confusion among our clients. When we ship them driver source code, it is a particular matter of pride that the solution builds without any errors or warnings (at warning level 4) and without any Code Analysis warnings. So, they can be a bit perplexed about why we let this one warning sneak through.
So, there you have it. Remember to set PnPLockdown=1 in the INF for the final product, and leave it out while you’re debugging.
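One way to enforce that policy at build time, as an added example that is not from the original article or from OSR's tooling: the check parses an INF's [Version] section and fails only Release builds that lack PnpLockdown=1. The sample INFs, function names and configuration strings are constructed for illustration.

```python
import re

# Constructed sample INFs (not from the original article).
DEBUG_INF = """\
; development build: directive deliberately left out
[Version]
Signature = "$WINDOWS NT$"
Class     = Sample
DriverVer = 01/01/2024,1.0.0.0

[Manufacturer]
%Mfg% = Standard,NTamd64
"""

RELEASE_INF = """\
[version]
Signature   = "$WINDOWS NT$"
PnpLockdown = 1   ; lock driver files for production
"""

def pnp_lockdown_state(inf_text):
    """Return 'enabled', 'disabled' or 'missing' for [Version] PnpLockdown."""
    in_version = False
    state = "missing"
    for raw in inf_text.splitlines():
        # Simplification: treats every ';' as a comment start, so a ';'
        # inside a quoted string value would be cut short.
        line = raw.split(";", 1)[0].strip()
        if not line:
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            # INF section names and keys are case-insensitive.
            in_version = header.group(1).strip().lower() == "version"
            continue
        if in_version and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            if key.lower() == "pnplockdown":
                state = "enabled" if value.strip('"') == "1" else "disabled"
    return state

def release_gate(inf_text, configuration):
    """Return False only when a Release build lacks PnpLockdown=1."""
    if configuration.lower() != "release":
        return True  # debug builds may omit the directive
    return pnp_lockdown_state(inf_text) == "enabled"
```

Calling `release_gate` from a pre-package step with the build configuration name lets debug INFs stay unlocked while a release INF without the directive stops the build.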