The TESTSIGNING Boot Configuration Option
The TESTSIGNING boot configuration option determines whether Windows Vista and later versions of Windows will load any type of test-signed kernel-mode code. This option is not set by default, which means test-signed kernel-mode drivers will not load by default on 64-bit versions of Windows Vista and later versions of Windows.
Note For 64-bit versions of Windows Vista and later versions of Windows, the kernel-mode code signing policy requires that all kernel-mode code have a digital signature. However, in most cases, an unsigned driver can be installed and loaded on 32-bit versions of Windows Vista and later versions of Windows. For more information, see Kernel-Mode Code Signing Policy (Windows Vista and Later).
The TESTSIGNING boot configuration option is enabled or disabled through the BCDEdit command. To enable test-signing, use the following BCDEdit command:
Bcdedit.exe -set TESTSIGNING ON
To disable test-signing, use the following BCDEdit command:
Bcdedit.exe -set TESTSIGNING OFF
Note After you change the TESTSIGNING boot configuration option, restart the computer for the change to take effect.
To use BCDEdit, you must be a member of the Administrators group on the system and run the command from an elevated command prompt. To open an elevated Command Prompt window, create a desktop shortcut to Cmd.exe, right-click the Cmd.exe shortcut, and select Run as administrator.
The following screen shot shows the result of using the BCDEdit command-line tool to enable test-signing.
When the BCDEdit option for test-signing is enabled, Windows does the following:
- Displays a watermark with the text "Test Mode" in all four corners of the desktop, to remind users the system has test-signing enabled.
Note Starting with Windows 7, Windows displays this watermark only in the lower left-hand corner of the desktop.
The operating system loader and the kernel load drivers that are signed by any certificate. The certificate validation is not required to chain up to a trusted root certification authority. However, each driver image file must have a digital signature.