Driver — Windows Hello

A 2024 analysis by a firmware security firm found that three popular laptop models shipped with Hello drivers that in certain power-save modes. Why? To save 50 milliseconds of boot time. The driver would skip checking the TPM’s signed nonce if the system resumed from sleep. That meant a malicious USB device could pretend to be a Hello camera and unlock the PC.

The culprit? A corrupted . Specifically, a file called NgcSet.ndb —the database that stores biometric templates encrypted per device. After certain Windows Update cycles, the driver would desync from the Trusted Platform Module (TPM). The result: the hardware was screaming “I recognize you,” but the driver was saying, “I don’t trust that answer.” windows hello driver

But until then, every time you glance at your laptop and it unlocks, take a moment to thank the driver. It’s the buggy, paranoid, indispensable gatekeeper between your face and your files. A 2024 analysis by a firmware security firm

But the attack highlighted a fundamental tension: the driver is both the most trusted component and the most exposed. It must talk to weird USB fingerprint readers, cheap laptop IR sensors, and high-end enterprise cameras. Each new device adds a new driver—and a new potential leak. Not all Windows Hello drivers are equal. Microsoft provides a generic inbox driver (wbd.sys) that works with basic USB fingerprint readers. But most OEMs—Synaptics, Goodix, Realtek—ship their own custom drivers. And here lies the problem. The driver would skip checking the TPM’s signed