The TESTSIGNING Boot Configuration Option

The TESTSIGNING boot configuration option determines whether Windows Vista and later versions of Windows will load any type of test-signed kernel-mode code. This option is not set by default, which means test-signed kernel-mode drivers will not load by default on 64-bit versions of Windows Vista and later versions of Windows.

Note  For 64-bit versions of Windows Vista and later versions of Windows, the kernel-mode code signing policy requires that all kernel-mode code have a digital signature. However, in most cases, an unsigned driver can be installed and loaded on 32-bit versions of Windows Vista and later versions of Windows. For more information, see Kernel-Mode Code Signing Policy (Windows Vista and Later).

The TESTSIGNING boot configuration option is enabled or disabled through the BCDEdit command. To enable test-signing, use the following BCDEdit command:


Bcdedit.exe -set TESTSIGNING ON

To disable test-signing, use the following BCDEdit command:


Bcdedit.exe -set TESTSIGNING OFF

Note  After you change the TESTSIGNING boot configuration option, restart the computer for the change to take effect.

To use BCDEdit, you must be a member of the Administrators group on the system and run the command from an elevated command prompt. To open an elevated Command Prompt window, create a desktop shortcut to Cmd.exe, right-click the Cmd.exe shortcut, and select Run as administrator.

The following screen shot shows the result of using the BCDEdit command-line tool to enable test-signing.

Screen shot of the results of using the TESTSIGNING boot configuration option

When the BCDEdit option for test-signing is enabled, Windows does the following:

  • Displays a watermark with the text "Test Mode" in all four corners of the desktop, to remind users the system has test-signing enabled.

    Note  Starting with Windows 7, Windows displays this watermark only in the lower left-hand corner of the desktop.

  • The operating system loader and the kernel load drivers that are signed by any certificate. The certificate validation is not required to chain up to a trusted root certification authority. However, each driver image file must have a digital signature.

 

 

Send comments about this topic to Microsoft

Show:
© 2014 Microsoft. All rights reserved.