Catalog entries in the catalog database do not persist when you upgrade the operating system, and a newer entry in the catalog database is not reliably replaced when you roll back a PE component upgrade
The Media Foundation Protected Media Path executable program (Mfpmp.exe) runs in a protected environment (PE) when media content has digital rights management (DRM) restrictions. The Mfpmp.exe file has an extensibility model for third-party Media Foundation components.
The Audio Device Graph Isolation executable program (Audiodg.exe) always runs in a PE to protect any audio content that may require DRM. The Audiodg.exe binary also has an extensibility model for third-party user-mode components, such as audio processing objects.
These components, user-mode audio drivers, and user-mode video drivers load into a PE only if they are signed correctly for the environment. For drivers that are tied to hardware through the submission process, signing is implemented by using Windows Hardware Quality Labs (WHQL). For drivers that do not pass through WHQL and for other components, signing is implemented by using the licensed PE software development kit (SDK). The PE SDK provides instructions for signing binaries by using catalog files.
When catalog signing is used, the following two issues may occur.

Issue 1: Catalog entries in the catalog database do not persist when you upgrade the operating system. Therefore, PE-signed components no longer load into a PE after you upgrade the operating system.

Issue 2: When you roll back a PE component upgrade, a newer entry in the catalog database is not reliably replaced by the pre-upgrade catalog. Therefore, the components that are signed by the catalog no longer load into a PE.
Issue 1 occurs because no migration code exists to reinstall the PE catalogs when you upgrade the operating system, and the catalog database is rebuilt during the upgrade, so the existing entries are lost.

Issue 2 occurs because, on rollback, the code integrity comparison of the older catalog sometimes does not correctly detect the older catalog and therefore does not reinstall it.
To resolve both issues, use embedded signing instead of catalog signing: the certificate chain is embedded into the component binaries themselves, so the signature does not depend on an entry in the catalog database. To perform embedded signing, run the Signtool.exe file with the binary as the target and the /ph command-line switch. The /ph command-line switch generates page hashes for executable files.
The Signtool.exe file did not support embedded signing for PE in Windows Vista. Newer versions of the Windows SDK do have the required functionality.
To work around issue 1, reinstall the component after you upgrade the operating system.
To work around issue 2, use a different name for the catalog file in each revision of the third-party product.
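The following PowerShell script is an added example and is not part of the Microsoft article. It wraps the embedded-signing step described above (Signtool.exe with the binary as target and the /ph switch) and adds a check the article does not give: an audit of a product folder that flags components whose signature comes only from a catalog, since those are the ones that stop loading in a PE after an upgrade or rollback. It assumes that a Windows SDK version of Signtool.exe that supports /ph is on PATH, that the PE signing certificate is in a PFX file, and that the SignatureType property of Get-AuthenticodeSignature is available (PowerShell 4.0 or later on Windows 8 or later; on older systems a catalog-signed file simply reports NotSigned). The timestamp URL and file paths are placeholders.

```powershell
# Added example (not from the KB article). Embedded-sign a PE component with
# page hashes, then audit a folder for components that are only catalog-signed.
# Assumptions: signtool.exe (Windows SDK, /ph supported) is on PATH; the PE
# signing certificate is a PFX; Get-AuthenticodeSignature exposes SignatureType
# (PowerShell 4.0+ on Windows 8+). Paths and the timestamp URL are placeholders.

function Invoke-EmbeddedSign {
    param(
        [Parameter(Mandatory)] [string] $Path,         # component binary to sign
        [Parameter(Mandatory)] [string] $PfxPath,      # certificate with private key
        [Parameter(Mandatory)] [string] $PfxPassword,  # signtool needs it in clear text
        [string] $TimestampUrl = ''                    # e.g. an Authenticode timestamp URL
    )
    # /ph embeds page hashes; the signature lives in the file itself, so it
    # does not depend on a catalog database entry that an upgrade can discard.
    $args = @('sign', '/v', '/f', $PfxPath, '/p', $PfxPassword, '/ph')
    if ($TimestampUrl) { $args += @('/t', $TimestampUrl) }
    $args += $Path

    & signtool.exe @args
    if ($LASTEXITCODE -ne 0) {
        throw "signtool failed for $Path (exit code $LASTEXITCODE)"
    }

    # Confirm the file now carries its own (embedded) signature, not a catalog one.
    $sig = Get-AuthenticodeSignature -FilePath $Path
    if ($sig.Status -ne 'Valid' -or $sig.SignatureType -ne 'Authenticode') {
        throw "Embedded signature not valid on $Path ($($sig.Status) / $($sig.SignatureType))"
    }
    return $sig
}

function Get-PeSigningAudit {
    # Lists every binary under $Folder and whether its signature would survive
    # an OS upgrade according to the article: embedded (Authenticode) signatures
    # do, catalog-only signatures do not.
    param([Parameter(Mandatory)] [string] $Folder)

    Get-ChildItem -Path $Folder -Recurse -Include *.dll, *.exe, *.sys |
        ForEach-Object {
            $sig = Get-AuthenticodeSignature -FilePath $_.FullName
            [pscustomobject]@{
                Path            = $_.FullName
                Status          = $sig.Status
                SignatureType   = $sig.SignatureType
                SurvivesUpgrade = ($sig.Status -eq 'Valid' -and
                                   $sig.SignatureType -eq 'Authenticode')
            }
        }
}

# Usage (placeholder paths):
# Invoke-EmbeddedSign -Path 'C:\drop\MyApo.dll' -PfxPath 'C:\keys\pe-signing.pfx' -PfxPassword 'secret'
# Get-PeSigningAudit -Folder 'C:\Program Files\MyProduct' |
#     Where-Object { -not $_.SurvivesUpgrade } | Format-Table -AutoSize
```

Run the audit against the third-party product's own install folder, not against the Windows system directories, because Windows' own binaries are catalog-signed by design. The audit only distinguishes embedded from catalog signatures; it does not confirm that the embedded chain meets the PE SDK's certificate requirements, so a component that passes the audit still needs to be tested by loading it into Mfpmp.exe or Audiodg.exe.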
Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.
Applies to: Windows Vista Ultimate, Windows Vista Home Premium, Windows Vista Enterprise, Windows Vista Business, Windows Vista Home Basic, Windows Vista Business 64-bit Edition, Windows Vista Ultimate 64-bit Edition, Windows Vista Home Premium 64-bit Edition, Windows Vista Enterprise 64-bit Edition, Windows Vista Home Basic 64-bit Edition