Howto: Disabling Driver Signing in Windows Vista 64 bit

A security feature of Windows Vista 64 bit version is that unsigned drivers will not load. I’m all for increased security, until I run across a piece of hardware that does not have signed drivers.

It was easy to disable driver signing before two updates were released. From an elevated command prompt I ran

bcdedit /set loadoptions DDISABLE_INTEGRITY_CHECKS

and rebooted, and I was able to load the unsigned drivers with no problem.

But that was before KB932596 and KB938979 were released. These two patches broke the bcdedit command listed above. Sure, I could still access the Advanced Boot Options menu by pressing F8 during the boot process and selecting Disable Driver Signature Enforcement, but that just disables driver signing for the current boot only.

I was looking for a permanent solution and came across this guide that explains the bcdedit command will work if you uninstall the patches from KB932596 and KB938979. You can also use VBCDEDIT to edit Vista’s boot options, which are normally set using the bcdedit command.

[update 11-05-2007]

Violator posted that KB938194 also needs to be uninstalled, and he suggests running the following command as well:

Bcdedit /set nointegritychecks ON

[updated 11-14-2007]

E-M@iLinAtoR commented that Windows6.0-KB941649-v2-x64 also needs to be uninstalled.

[updated 03-24-2009]

If all else fails, try Mark’s technique for creating your own driver signing certificate and signing the driver or application yourself. Thanks to Claus for the link.
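
An added audit example, not part of the original post: it parses saved output of bcdedit /enum and reports boot entries where the settings discussed above (the loadoptions string, nointegritychecks) or the test-signing mode mentioned in the comments are switched on. The sample output, the function names and the accepted "enabled" spellings are assumptions constructed for illustration.

```python
import re

# Constructed sample of `bcdedit /enum` output (illustrative, not from a real host).
SAMPLE_BCDEDIT_OUTPUT = r"""
Windows Boot Manager
--------------------
identifier              {bootmgr}
description             Windows Boot Manager

Windows Boot Loader
-------------------
identifier              {current}
path                    \Windows\system32\winload.exe
description             Microsoft Windows Vista
loadoptions             DDISABLE_INTEGRITY_CHECKS
nointegritychecks       Yes
"""

TRUE_VALUES = {"yes", "on", "true", "1"}  # assumed spellings of an enabled element


def parse_bcd_entries(text):
    """Turn `bcdedit /enum` text into one {element: value} dict per boot entry."""
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = block.splitlines()
        if len(lines) < 2 or set(lines[1].strip()) != {"-"}:
            continue  # skip anything that is not "title / dashed underline / elements"
        entry = {"_type": lines[0].strip()}
        for line in lines[2:]:
            parts = line.split(None, 1)
            if len(parts) == 2:  # continuation lines of multi-value elements are ignored
                entry[parts[0].lower()] = parts[1].strip()
        entries.append(entry)
    return entries


def find_integrity_bypasses(entries):
    """Return (identifier, element, value) for each setting that weakens driver signing."""
    findings = []
    for entry in entries:
        ident = entry.get("identifier", "?")
        # Substring match also catches the DDISABLE_ spelling quoted on this page.
        if "DISABLE_INTEGRITY_CHECKS" in entry.get("loadoptions", "").upper():
            findings.append((ident, "loadoptions", entry["loadoptions"]))
        for element in ("nointegritychecks", "testsigning"):
            if entry.get(element, "").lower() in TRUE_VALUES:
                findings.append((ident, element, entry[element]))
    return findings
```

Run bcdedit /enum from an elevated prompt, save the text, and pass it through find_integrity_bypasses(parse_bcd_entries(text)); an empty list means none of these settings are present in the listed entries.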

54 thoughts on “Howto: Disabling Driver Signing in Windows Vista 64 bit”

  1. Hi, thanks for the info!
    But today I got another Update to put on the list, cause it disabled the boot setting, too.
    Windows6.0-KB941649-v2-x64
    After uninstalling and hiding in Windows Update it works again, we gotta do without those updates :-(

  2. Hello Julie and others,

    Removing the four updates above worked perfectly for me, and I was able to load the ATI Tray Tools driver with no issues on my next reboot. However, it seemed that my internet connection had been locked down to only Windows Update, and upon opening the start menu my Shutdown and Reboot options were replaced with “Install Updates and reboot” and its shutdown variant. Is this some fluke for me, or is Windows really noticing that people have removed these updates? (After I rebooted with the Install Updates, the driver protection was restored.)

    Thanks for the article nonetheless,
    –Chipp

  3. Yep, I was looking for something like this for a while today.
    This works as of 12/10

    I’m using app called I8kfanGUI on Vista x64
    fanio.sys stopped working

    Uninstall the following:
    KB932596
    KB938979
    KB938194
    KB941649

  4. Today came a pack of Updates to me and again, boot setting disabled :-( Those are:
    KB941568
    KB941569
    KB942615
    KB942624
    KB943078
    KB905866
    KB942763
    KB943597
    Office SP1
    I’m on figuring out which one is the smurf, I’ll tell if I find before some1 else 😉

  5. Okay I got it!
    It’s the KB943078 Update, uninstall and hide that one too to make the boot setting permanent again.
    Here’s the complete list till now, which will get longer and longer till Microsoft gives that up (never? :-( ):
    KB932596
    KB938979
    KB938194
    KB941649
    KB943078

  6. automatic-F8 SOLUTION:
    Today I finally got another Workaround working, which is the best solution ever, since you can Install all updates on Vista 64 and use unsigned drivers:
    U can use this either with Floppy or USB-Drive. So cool, it is simulated that you press F8 during boot, twice Up, then Enter, but you are just sitting there.

    For second choice, setup your BIOS that it can boot via USB-Flash-Drive (Boot Order (USB-HDD) and enable something like “USB Storage detection”, BIOS dependent).

    1. download “fdboot.zip” from here and unzip
    2. download “rwwrtwin.zip” (RAWwrite) from here, unzip and execute
    3. browse for “fdboot.img”, insert blank Floppy into FDD, select drive and click “write”
    4. make USB-Flash bootable with DOS. I made that by booting an old MS-DOS 6.22 Bootdisk and typing the Command in DOS “SYS B:” (B: was USB Flash, A: Floppy). There are many other ways to do that, you just need to write a boot sector to the USB-Flash someway.
    5. boot the Floppy we have just flashed “fdboot.img” on
    6. in FreeDOS type “BOOT_A” or “BOOT_B” (_A or _B being the driveletter for your USB, test with “dir” before)
    7. then type “copy *.* b:” copy Floppy to USB without overwriting COMMAND.COM there (or under Windows, needs one more reboot)
    8. eject Floppy, reboot, be happy like the “Magic Hand” does the F8 Trick every time.
    9. Install all Updates you want, don’t let MS fool U anymore!

    If Floppy-Boot is OK for you (little slower), just do steps 1, 2, 3, 5 and 6 (boot Floppy, Boot_A and let Floppy always in Drive during bootups)

    Btw, I can help on detailed questions. Have Fun

  7. Hey, that’s interesting E-M@iLinAtoR. I haven’t tried it because I don’t have a viable Vista Machine, but my friends do, and have problems with these updates and unsigned drivers. Sounds like it should work in theory, if it does what you say it does.

    However, wouldn’t it be easier to use a boot sector file on the local disk (Like they did here -> http://port25.technet.com/archive/2006/10/13/Using-Vista_2700_s-Boot-Manager-to-Boot-Linux-and-Dual-Booting-with-BitLocker-Protection-with-TPM-Support.aspx ) instead of using a USB drive or a floppy? Do you think booting locally would be possible using something like this?

    Thanks.

  8. I tried both usb and floppy method and they work.
    However I have slight problem with usb. If I boot from usb
    windows cannot access the floppy drive. I have disk(working) there but windows says I don’t have.

  9. Got it to run locally. Needs a bit of finagling to accomplish this though. I do not experience the floppy drive access problem that HappiHyppy has (while booting locally, I haven’t tested USB).

  10. Like I said I don’t have this floppy problem if I boot from floppy drive. Only if I boot from USB. Actually I had problems to use that boot_b command since my usb drive letter was c. My computer’s bios showed USB drive as a hard disk and not removable like floppy drive.

    Well… I used Vista’s disk management and deleted usb’s
    logical partition. Then I made new primary partition and formatted it(fat16).

    After this my usb drive appeared in bios under removable devices and I was able to use boot_b command on it.

    And now when I boot from it Vista starts and driver signing is disabled but I also have this floppy problem.

  11. Has anyone tried this with sp1 installed? I have the RC1 of SP1 installed and am using the floppy method. I get the F8 screen coming up, but it selects Safe Mode instead of disabled driver enforcement. MS seem to have changed this screen in SP1 – possibly to get around this hack??

  12. ITboykc: how did you get it to run locally exactly? Please post some instructions for us :)

    I have it booting off of a floppy right now and it’s working quite well. But it would be even better if it ran locally.

    And regarding bejam’s question about SP1 – how can we get this going with SP1 properly since the boot menu options have changed? How do you edit the keystrokes that are sent? Right now it’s F8, Up, Up, Enter – correct? Anyone shed some light as to how to edit this since SP1 is being released in the next month or so?

  13. Booting locally… heheh….
    This method uses some modified binaries (which are against Uhliks agreement…). I need to find where I got them. The place has an installer somewhere… I will report back when I have the installer location.

  14. wow this really pissing me off ok how do i turn automatic updates off so i can install drivers that are not signed.
    please someone find a way to destroy this driver crap for good microsoft has gone too far fucking up my f8 key……………..

  15. The latest list seems to be outdated, as the unsigned drivers aren’t working again. I have the following uninstalled:
    KB932596
    KB938979
    KB938194
    KB941649
    KB943078

    Any ideas which is the latest update to mess it up?

  16. Darky, that’s a lost cause, because SP1 (out now if you know where to look) also requires F8. So unless you plan to stick with the original Vista and be very restricted on which updates you install (some of which are very important), and never install any future SPs, I’m afraid you’re stuck with F8 or possibly one of the convoluted boot solutions described above.

    BTW, in SP1, boot drivers for *32-bit* are signed as well. And guess what? If you try to boot with one that’s not signed (say, a modded tcpip.sys) you also need to do F8.

    It’s documented on MS’s site:
    “Driver binaries that load at boot time (“boot start drivers”) must contain an embedded signature, for both x86 and x64 versions of Windows Vista [SP1] and Windows Server 2008, as described in “Kernel-Mode Code Signing Walkthrough” on this site.”

  17. Well, I finally found it :)

    http://www.citadel.co.nr/readydriverplus/

    There is an installer there that will let you boot locally.

    The installer has an awful lot of scary warnings and settings, but I just used the defaults and it worked for me. Don’t forget to take out the old ReadyDriver disk/USB drive, or it will cause problems…

    Install, reboot, and enjoy :) No more driver enforcement.

  18. ITboykc – Thank you :)

    Unfortunately I couldn’t get it to install properly. The installer returns a message saying c:\windows\system32\bcdedit.exe was not found, although it’s there. I’ve turned UAC off and got the same problem. Damn… :(

  19. Woah… This guy is fast. He must read this forum. He has an update. It says it fixes the bug some people were having. Can anyone confirm this (It always worked fine on mine…)?

    1. “ya know there is a reason for signed drivers and uac”

      yes to tick off the super users. and to force vendors to pay microsoft money to get certified.
      it does not make microsoft or the vendors write better code.

      it is also supposed to help protect your computer but it does not do that either.

      rharvey

  20. If anyone still gets an error stating “C:\windows\system32\bcdedit.exe was not found” simply copy bcdedit.exe from C:\windows\system32\ to c:\windows\SysWOW64\ and reinstall. I had to do this on one of my x64 Vista SP1 systems but not the other – strange!

  21. @ Anon

    Yes there is a reason for signed drivers and uac

    But there is also a reason to allow for unsigned drivers.

    For Microsoft to completely disregard that reason, not provide any convenient permanent workaround that either allows user specified unsigned drivers to function or any unsigned drivers to function is flat out idiotic.

    Not every PC user is a noob infecting their PC with trojans and spyware.

    To completely disregard the needs of their advanced user base is a recipe of pushing that user base to a different platform that will meet their needs.

  22. I don’t think this works for me. My keyboard Driver still doesn’t work. My Cyber Snipa WarBoard won’t let me use the macro keys unless the driver is installed. I installed the Local Fix ONLY (is there something else I should have done?) and rebooted and then installed the driver but still won’t work. Please Help.

  23. Confirmed –Absolutely Amazing!!!

    Installed on Vista Ultimate 64, got error:
    “C:\Windows\System32\bcdedit.exe was not found”

    Workaround….

    Copied: C:\Windows\System32\bcdedit.exe
    TO: C:\Windows\SysWOW64\bcdedit.exe

    Ran Install again, completed just fine.

    I actually ran the command:
    bcdedit /set loadoptions DDISABLE_INTEGRITY_CHECKS
    Not sure if this made a difference.

    Restart, Un-signed drivers are working !!!!!!!
    (i.e. I8kFanGui, CoreTemp)

    I knew bookmarking this site would pay off.

  24. I think the webmaster was accidentally serving 1.0 instead of 1.1 (which is why the bcdedit errors occurred). I contacted him and he has now put 1.1 up. The bcdedit not found errors should be gone now :).

  25. WOW! The Citadel download worked perfect. Did not have to uninstall any updates on my Vista Ultimate 64. The program has a script built in to disable DDS each time you boot automatically. Great Find! Go to hell Microsoft!

  26. Unfortunately; the Citadel download didn’t work for me. Vista boots and I can see the selector screen with the ReadyDriver selected but once the timeout expires the machine just hangs. Anyone got any ideas how to stop that?

  27. Sorry; I meant that Vista *starts to boots*. Stupid fingers; my parents were southern and I’m pretty sure they were cousins or something. :)

  28. I get the same ‘hanging’ issue, using Vista 64-bit Ultimate with SP1.

    It auto-selects the ReadyDrive option, at two menus, then the cursor just sits flashing at top of the screen, anyone else managed to get this and fix it?

  29. That ReadyDrive from Citadel was a great find. Thanks a lot guys, it was getting old pretty quick having to reboot every time I wanted to fire up vmware.

  30. If it is hanging, you have the wrong amount of strokes selected or you disabled the “Make ReadyDriver Plus the default.” The hanging happens when ReadyDriver Plus selects itself from the list. Try adjusting the number of strokes (this worked for my friend).

  31. I’m running vista 32bit business edition
    I just installed SP1 today from microsoft update

    And what do you know i started getting 4226 events again
    so i installed
    VistaTcpipUacPatch2.0.rar
    from http://www.mydigitallife.info/2008/02/17/download-vista-tcpipsys-and-uac-auto-patcher-to-increase-tcp-connection-limit/

    After reboot i got an error about unsigned driver tcpip at boot so i hit f8 and disable unsigned driver enforcement

    found this site
    so i installed
    ReadyDriver Plus V1.1
    from http://citadel.x10hosting.com/readydriverplus/

    Worked perfectly confirmed on SP1 unsure why others are having problems with SP1

  32. >>andrew

    Well, then that leaves us out of the loop for this option, down but not out.

    If that ever happens, you can run Vista in test mode and sign the drivers you need to run yourself. It’s possible, but not just a point and click like this solution. There are guides by Microsoft about how to do this.

  33. When Microsoft takes the boot option away I’m going back to XP.
    If they mess up XP hopefully linux derivatives will be ready.

  34. ReadyDriver Plus 1.1 works as advertised on Vista 64-bit SP1. Set up with all defaults. Reminds me of the old ScriptIt which simply punches the keys for you.

  35. Any idea if this would work on Windows Server 2008 x64 SP1? I’d imagine it would, but I am not positive and won’t get a chance to test it out for another week or so (server is in a remote location). Has anyone ever tried it under 2008?

  36. Just installed Ready Driver Plus v1.1 on my Vista Ultimate x64 SP1 machine. Selected two upticks during install and did a reboot. It worked great!! This is so nice to have!! Finally, no more bs M$ games during bootup!! Why does M$ insist on limiting the amount of half-open concurrent TCP connections? What’s anti-virus software for? That is the only reason I need this fix, because of my modified tcpip.sys…
