Article ID: 959916 - View products that this article applies to.
The Media Foundation Protected Media Path executable program (Mfpmp.exe) runs in a protected environment (PE) when media content has digital rights management (DRM) restrictions. The Mfpmp.exe file has an extensibility model for third-party Media Foundation components.
The Audio Device Graph Isolation executable program (Audiodg.exe) always runs in a PE to protect any audio content that may require DRM. The Audiodg.exe binary also has an extensibility model for third-party user-mode components, such as audio processing objects.
These components, user-mode audio drivers, and user-mode video drivers load into a PE only if they are signed correctly for the environment. For drivers that are tied to hardware through the submission process, signing is implemented by using Windows Hardware Quality Labs (WHQL). For drivers that do not pass through WHQL and for other components, signing is implemented by using the licensed PE software development kit (SDK). The PE SDK provides instructions for signing binaries by using catalog files.
When catalog signing is used, the following issues may occur.
Issue 1Catalog entries in the catalog database do not persist when you upgrade the operating system. Therefore, PE-signed components no longer load into a PE after you upgrade the operating system.
Issue 2When you roll back a PE component upgrade, a newer entry in the catalog database is not reliably replaced by the preupgrade catalog. Therefore, the components that are signed by the catalog no longer load into a PE.
Cause 1The migration code is not present to reinstall the PE catalogs if you upgrade the operating system. Be aware that the catalog database is rebuilt when you upgrade.
Cause 2On rollback, the code integrity comparison of the older catalog sometimes does not correctly detect and install the older catalog.
To resolve both issues, use a different mode of signing in which a certificate chain is embedded into the component binaries. Use this mode of signing instead of using catalog signing. To perform embedded signing, use the Signtool.exe file together with a binary as the target and the /ph command-line switch. The /ph command-line switch generates page hashes for executable files.
The Signtool.exe file did not support embedded signing for PE in Windows Vista. Newer versions of the Windows SDK do have the required functionality.
Workaround 1To work around issue 1, reinstall the component after you upgrade the operating system.
Workaround 2To work around issue 2, use a different name for the catalog file in each revision of the third-party product.
Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.
For more information about PE code signing, contact email@example.com
Article ID: 959916 - Last Review: January 27, 2009 - Revision: 2.1
Contact us for more help
Connect with Answer Desk for expert help.