Windows 7 boot option to allow unsigned drivers ignored

I'm learning Windows kernel mode driver development. I've written a small test driver that I can successfully register, unregister, load and unload under Windows 7 32-bit Ultimate edition running under a VM in VirtualBox.

My host is Windows 7 64-bit Home Premium edition.

The driver, compiled for 64-bit, will not load under Windows 7 Home edition. I keep getting a rejection notice that this version of Windows does not allow unsigned drivers.

I've tried two things:

  1. I've used the F8 boot option to allow unsigned drivers (didn't work)

  2. I run a CMD as administrator and execute the following two commands

    bcdedit.exe -set loadoptions DDISABLE_INTEGRITY_CHECKS

    bcdedit.exe -set TESTSIGNING ON

and rebooted. My desktop shows me in "TestMode" but I still get the same rejection notice.

Can anyone help me out here or explain if there is an additional step for Home edition?

----{ update }---- After poring through tons of MSDN stuff, it would appear my solution lies in self-signing the driver I created. The DDK I downloaded does not appear to have the tool chain to do self-signing. I've downloaded WinDDK-7600.16385.1. But what is so strange is that my Windows Ultimate Edition happily loads my driver if I simply F8 @ boot time and tell it to allow unsigned drivers.

Eric asked Feb 08 '11 01:02



2 Answers

You might try the Driver Signature Enforcement Overrider. It's supported on 64-bit versions of Windows 7, and reports that I've seen confirm that it does indeed work on the "Home Premium" edition.

     Driver Signature Enforcement Overrider screenshot

  1. Download the application from the link below. Right click on it and choose "Run as administrator". Inside its main menu, press on the “Enable Test Mode” button and follow the instructions on the screen. This will enable TESTSIGNING mode, which allows unverified system files to be loaded.

  2. Now all you have to do is to add the unverified signature to the required system files. To do so press on the “Sign a System File” button from the main menu, and enter specific filename including full path. For example: if ATITool64.sys from C:\Windows\System32\drivers refuses to load due to driver signature enforcement, you should type: “C:\Windows\System32\drivers\ATITool64.sys”, and if you would like to sign more than a single file, just repeat this procedure until you’re done, and finally reboot.

After you have enabled Test Mode and added signatures to the required system files, they should bypass Windows’s driver signature enforcement and load without any issues. However, if for some reason you would like to revert it, you can re-launch the application, choose “Disable Test Mode” from the main menu, and reboot. If you encounter issues or have questions, feel free to post them on our forums.

Note: DSEO requires administrative privileges (Run as administrator).

It even allows you to remove the watermark from your desktop!

Cody Gray answered Oct 27 '22 00:10


You do not need to use that tool. Just test-sign the driver with your own personal certificate with the signtool in the DDK.

Nick answered Oct 26 '22 23:10
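
The test-signing route from the second answer, written out as a batch script. This is an added example, not part of either answer: the driver file name, certificate name and store name are placeholders, and it assumes an elevated WDK build-environment prompt in which MakeCert, CertMgr and SignTool are on the PATH.

```batch
@echo off
rem Added example: test-sign a kernel-mode driver with a self-signed certificate.
rem DRIVER, CERTNAME and STORE are placeholder values; substitute your own.
rem Intended for a development or test machine (ideally a VM): test mode
rem relaxes kernel code-integrity checks for the whole system.
setlocal
set DRIVER=MyTestDriver.sys
set CERTNAME=MyDriverTestCert
set STORE=PrivateCertStore
set CERFILE=%CERTNAME%.cer

rem 1. Create a self-signed test certificate. The private key goes into a
rem    store of the current user, the public part is exported to a .cer file.
makecert.exe -r -pe -ss %STORE% -n "CN=%CERTNAME%" %CERFILE% || goto :fail

rem 2. Trust the certificate on the machine that will load the driver.
rem    If you sign on a different machine, copy the .cer file over and run
rem    these two commands there. ".exe" is spelled out so that cmd does not
rem    resolve "certmgr" to the certmgr.msc management console.
certmgr.exe /add %CERFILE% /s /r localMachine root || goto :fail
certmgr.exe /add %CERFILE% /s /r localMachine trustedpublisher || goto :fail

rem 3. Embed a signature in the driver binary using the test certificate.
signtool.exe sign /v /s %STORE% /n %CERTNAME% %DRIVER% || goto :fail

rem 4. Check that the signature is present and chains to the trusted root.
signtool.exe verify /v /pa %DRIVER% || goto :fail

rem 5. Test-signed drivers load only while test-signing mode is enabled.
bcdedit.exe /set testsigning on || goto :fail

echo %DRIVER% is test-signed. Reboot before loading it.
exit /b 0

:fail
echo A step failed; see the tool output above.
exit /b 1
```

When testing is finished, `bcdedit.exe /set testsigning off` followed by a reboot returns the machine to normal signature enforcement, and the test certificate can be removed from the two local-machine stores.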