While this makes it more difficult for a kernel-mode or boot-time driver to be injected into the system without Windows (or the administrator) crying foul, it also means that developers who write device drivers for Windows must obtain digital certificates and get their code signed. This isn't a problem for commercial developers, but it's a hassle for indie programmers since a one-year certificate can run hundreds of dollars.
The long-term solution is to obtain drivers that have been properly cross-signed by Microsoft. But in cases where this isn't possible, there is a two-step workaround: first, enable a test mode in Windows that allows the loading of unsigned device drivers; then, self-sign the device driver with a certificate that works in test mode.
Enable test mode in Windows
Test mode is Microsoft's term for a special boot-time option in Windows Vista and Windows 7 that lets the system use drivers that have been test-signed with the Makecert.exe code-signing tool (more on this later).
To enable test mode in the current instance of Windows, launch an elevated command prompt and type the following:
bcdedit /set testsigning on
Reboot, and you'll see a watermark in the lower-right corner of the screen that reads Test Mode with the current Windows edition and build number. It is possible to remove this watermark by using one of the gray-market hacks that are floating around, but I don't recommend doing this because it involves hacking system resource files. In addition, leaving the watermark visible lets you see at a glance if a given system is running in test mode. (There are other methods -- e.g. inspecting the boot loader's configuration -- but this is by far the easiest way.)
Self-sign the driver and import the self-signing certificate
When you're in test mode, you can load device drivers that have been signed with a class of certificates that don't need to be cross-signed by Microsoft to work. The process for doing this is somewhat involved, but thankfully Mark Minasi has documented it in detail. This is where Makecert comes into play. You have to use this tool to create a certificate for the driver, sign the driver with it and -- this part is also crucial -- import the certificate to the machine running in test mode.
Driver Signature Enforcement Overrider is a third-party program that allows you to enable test mode and sign any system file with a test certificate. I've tried the program out in a limited way, and it seems to perform as described without any adverse effects. However, since the source code is not available, the best I can say for the program is that it should be used at your own risk.
Not long after the Windows Vista beta was released, there were other options that made it possible to use unsigned kernel drivers such as the DDISABLE_INTEGRITY_CHECKS boot switch. But as far as I can tell, all of these options have been disabled over time. At this point, you either have to sign your drivers properly or use test mode with a test certificate.
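For administrators who want to audit machines rather than rely on the watermark, the boot loader configuration mentioned earlier can be inspected directly. The following is an added example, not code from the original article: the function name Get-DriverSigningOverride and the sample output are constructed for illustration, and the parsing assumes English-language bcdedit output.

```powershell
# Added example: audit a Windows boot entry for the driver-signing overrides
# discussed in the article. Assumes English-language bcdedit output.

function Get-DriverSigningOverride {
    param([string[]]$BcdLines)   # lines printed by: bcdedit /enum '{current}'

    $testSigning = $false
    $loadOptions = ''
    foreach ($line in $BcdLines) {
        # bcdedit prints each element as "<name><spaces><value>"
        if ($line -match '^\s*testsigning\s+(\S+)') {
            $testSigning = ($Matches[1] -eq 'Yes')
        } elseif ($line -match '^\s*loadoptions\s+(.+)$') {
            $loadOptions = $Matches[1].Trim()
        }
    }
    # New-Object PSObject keeps this compatible with PowerShell 2.0 on Windows 7.
    New-Object PSObject -Property @{
        TestSigning        = $testSigning
        LoadOptions        = $loadOptions
        # Substring match also catches the DDISABLE_INTEGRITY_CHECKS spelling.
        IntegritySwitchSet = ($loadOptions -match 'DISABLE_INTEGRITY_CHECKS')
    }
}

# Constructed sample output (not captured from a real machine).
$sample = @(
    'Windows Boot Loader',
    '-------------------',
    'identifier              {current}',
    'description             Windows 7',
    'loadoptions             DDISABLE_INTEGRITY_CHECKS',
    'testsigning             Yes'
)
Get-DriverSigningOverride -BcdLines $sample

# On a live system, from an elevated prompt:
#   Get-DriverSigningOverride -BcdLines (bcdedit /enum '{current}')
# The options the running session actually booted with are recorded here:
#   (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control').SystemStartOptions
```

The bcdedit value shows what is configured for the next boot, while SystemStartOptions reflects the current session, so a mismatch between the two means the setting was changed since the last reboot.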
ABOUT THE AUTHOR
Serdar Yegulalp has been writing about personal computing and IT for over 15 years for a variety of publications, including (among others) Windows Magazine, InformationWeek and the TechTarget family of sites.
This was first published in July 2010