Windows PV drivers: update and roadmap

Devblog Jul 29, 2025

The Xen Windows PV drivers are an important component of Windows guests running on Xen, crucial for better performance and support of VM features such as migration. As you may have noticed, we have recently ramped up our involvement in the development of these drivers, notably by joining the Windows PV maintainer team. Here's a story of what happened and our future plans.

🚀 Our downstream work

The "downstream" work is everything we did on our side, for the XCP-ng project, originating from the Open Source Xen PV driver project (the "upstream").

New and improved installer

The previous 8.2-series drivers were bundled with agent services for driver installation, updates and guest integration. These services contained code originally from XenServer that was no longer being open-sourced, and in some cases, did not work properly for our needs. As a result, our renovation of the Windows PV drivers actually started with reimplementing the driver packaging itself.

GitHub - xcp-ng/win-pv-drivers: Windows PV Drivers for XCP-ng

With the 9.0 series, we decided to start fresh, with a new, simpler and self-contained installer. It would serve as the clean base for PV driver servicing, free of any legacy features and without needing XenServer-specific agents. We took the opportunity to rebase all drivers on upstream Xen Project code, removing legacy drivers (XenVSS) while adding new ones (Xencons, Xenhid).

Better testing and reliability improvements

We also looked into making the drivers and installer more robust during key scenarios such as installation, uninstallation and upgrades. This led to a series of new tests in our CI infrastructure:

Add Windows PV tools installer tests by dinhngtu · Pull Request #262 · xcp-ng/xcp-ng-tests
This PR adds tests for the new XCP-ng 9.x Windows PV Tools installer. It tests various actions of the installer (install, uninstall, upgrade) under various conditions (with XCP-ng v8 tools, with Ci…

At the same time, our support staff were getting frequent reports of difficulties with uninstalling and upgrading the drivers, especially the 8.2 series. XenClean and XenBootFix were developed to solve these issues; notably, XenClean shared substantial amounts of code with the new installer, significantly simplifying its development.

Rust guest agent for Windows

Our focus next turned to the Windows guest agent, which also depended on XenServer code that was no longer being published. We decided to retire the old C#-based agent and instead extended the Rust guest agent to support Windows, starting with IP address reporting and clipboard sync. You can find our blogpost introducing the Rust guest agent here:

New Guest Tools in Rust
Discover the latest blog on integrating Rust into Xen Project. We’re building a flexible Rust-based agent for VM-Dom0 communication, showing promise in supporting various guest OS with room to grow!

🐼 Our upstream contributions

This time, it's about the work we are contributing back to the Open Source project. At Vates, downstream and upstream are equally important, because we truly believe in collaboration and the Open Source ethos.

XSA-468

Most importantly, our work on the Windows Rust guest agent required working on the Xen PV interface driver Xeniface, which gave applications access to Xenstore, a datastore for communication between the guest and hypervisor. It was during this development that we found the initial vulnerability of XSA-468, which granted excessive permissions to the Xeniface device.

After this discovery, we realized that more issues might be lurking in other Windows PV drivers. We conducted a security analysis to find similar vulnerabilities, resulting in 3 assigned CVEs and 5 patches for 9 different weaknesses in Xenbus, Xencons and Xeniface.

XSA-468: multiple Windows PV driver vulnerabilities - update now!
Multiple vulnerabilities have been discovered in Windows PV drivers, allowing unprivileged users to gain system privileges inside Windows VMs. We provide updates, tools and guidance in response.

Other contributions

We had previously contributed fixes to the Xenvif network class driver, solving an issue where VMs would hang or crash when their network interfaces were deleted.

Our discovery and fix of XSA-468 renewed our interest in actively contributing to Windows PV upstream. Following our open-source spirit, we decided to step up and join the maintainer team of the Windows drivers, helping to review patches and contribute to the general health of the project.

With that said, here are some of the features and fixes we have contributed to the upstream Windows PV drivers so far:

  • General improvements to the build process and automated CI builds;
  • A reworked and improved autoreboot feature;
  • Fixed memory ballooning using new Windows APIs and made sure that the memory target is correctly applied during boot;
  • Fixed longstanding bugs in the network RSS hashing feature;
  • Time sync improvements with an option to disable time sync, useful in Active Directory domain environments where domain controllers serve as the main time source;
  • Overhauled source code annotations in Xenbus to make better use of automated code analysis, discovering a few bugs in the process;
  • Various other fixes coordinated with our XAPI team.

The Microsoft driver signing situation

The current XCP-ng Windows PV 9.0 drivers are test-signed, meaning that they were not signed by Microsoft and cannot be loaded on a default installation. For context, Microsoft tightened the rules around driver signing in July 2021, deprecating the use of third-party certificate authorities for Windows kernel driver signing. Any drivers made for Windows 10 beyond this date must be signed by Microsoft through a hardware developer account.

While the 8.2 drivers predate this change and so were usable as long as Secure Boot was disabled, they are no longer supported and cannot be safely used due to XSA-468. Yet, even though the current 9.0 drivers are stable and reliable, the new rules mean that XCP-ng Windows PV drivers still aren't ready for production.

Unfortunately, despite us having all necessary documents and meeting all requirements, Microsoft's response to our request for access to the hardware developer program has been very slow. We are not alone in this; multiple other hardware developers are currently experiencing the same issue, which is preventing them from shipping their own drivers.

Our current top priority remains to work with Microsoft and resolve the hardware developer account situation. However, if you are not running a production environment, we highly recommend trying out our test-signed drivers, available below. Your feedback is very valuable in helping us improve the quality of our drivers and establish a roadmap for our future work.

Releases · xcp-ng/win-pv-drivers

🔮 Our future plans

As stated above, getting Microsoft-signed drivers is our current top priority. Still, you can look forward to upcoming improvements for the Windows drivers:

  • Better reliability and servicing options via key driver improvements (Xenbus, driver registration, installation);
  • Better dynamic memory control and balloon management;
  • More static analysis and bug finding in kernel drivers;
  • Continued upstreaming of Windows support in Rust guest tools;
  • An even more secure, reliable and traceable build process.

Be sure to reach out to our community forum for more updates on our Windows drivers, as well as Vates VMS announcements in general.

Tu Dinh

XCP-ng developer, working on improving Windows guest support.