Last week Microsoft’s vice-president of security technology was gadding round Europe briefing people on new capabilities in the forthcoming Windows Vista. We didn’t have much time so our discussion focused on the ideas behind Kernel Patch Protection (KPP).

In case you haven’t come across it yet, KPP is a feature of the 64bit versions of Vista that should help to prevent rootkits from taking hold of your system. Or at least, that is the idea.

Rootkits hit the headlines recently following a gaffe by Sony. The firm distributed CDs by Neil Diamond and other artists which carried anti-copying software that used rootkit techniques to hide itself when the CD was inserted in a PC. Sony’s move probably seemed like a good idea at the time, but has since attracted criticism because the software opened back doors that were then exploited.

Anyhow, the message from Microsoft is that KPP helps to block rootkits. It works by monitoring the kernel to ensure that the bits that should not change do not change. One problem for Microsoft is that Sony is not alone. Several independent software vendors do similar things to hook into the Windows kernel to make their security software work. Microsoft says it has never documented these bits of the kernel and has never supported this type of software design. It looks like those vendors will soon be left high and dry.

Given the extraordinary amount of effort it takes to remove a rootkit from a system, the idea that KPP would be completely effective seems too good to be true. By coincidence I was chatting with a Linux server administrator this week who was troubled by someone having hacked into one of his servers. After talking with many colleagues and peers, it seems the way to remove a rootkit is to connect a new hard disk to the system and install another copy of the operating system onto that disk, then attach the original disk so that you can copy the files you want.

The advice is: do not try to remove the rootkit, because it’s all but impossible to do it and be sure that you have removed all the back doors the hacker could have added. The key point here is that rootkits get added to a system after it has been compromised in some other way – in Sony’s case the original attack vector was a CD containing auto-run software and an operating system that allowed the auto-run software to reconfigure the computer.

It’s hard to say whether KPP really would always prevent such things from happening. Microsoft says it won’t prevent all viruses, rootkits or other malware from attacking a system. It’s just another layer of protection that should do more good than harm, at least for systems fitted with the latest x64 chips from Intel and Opteron.

Others would argue that anyone in possession of a Neil Diamond CD deserves everything the underworld can throw at them.