Howto: Disabling Driver Signing in Windows Vista 64 bit

by admin on November 5, 2007

A security feature of Windows Vista 64 bit version is that unsigned drivers will not load. I’m all for increased security, until I run across a piece of hardware that does not have signed drivers.

It was easy to disable driver signing before two updates were released. From an elevated command prompt I ran

bcdedit /set loadoptions DDISABLE_INTEGRITY_CHECKS

and rebooted, and I was able to load the unsigned drivers with no problem.

But that was before KB932596 and KB938979 were released. These two patches broke the bcdedit command listed above. Sure, I could still access the Advanced Boot Options menu by pressing F8 during the boot process and selecting Disable Driver Signature Enforcement, but that just disables driver signing for the current boot only.

I was looking for a permanent solution and came across this guide, which explains that the bcdedit command will work if you uninstall the patches from KB932596 and KB938979. You can also use VBCDEDIT to edit Vista’s boot options, which are normally set using the bcdedit command.

[update 11-05-2007]

Violator posted that KB938194 also needs to be uninstalled, and he suggests running the following command as well:

Bcdedit /set nointegritychecks ON

[updated 11-14-2007]

E-M@iLinAtoR commented that Windows6.0-KB941649-v2-x64 also needs to be uninstalled.

[updated 03-24-2009]

If all else fails, try Mark’s technique for creating your own driver signing certificate and signing the driver or application yourself. Thanks to Claus for the link.
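Both bcdedit settings above persist in the boot configuration store, so an administrator can check for them from saved `bcdedit /enum` output. The following is an added example, not code from the original post or from any tool it mentions; the sample output is constructed, English-language output is assumed, and `testsigning` is included as the BCD element behind the test mode mentioned in the comments below.

```python
# Constructed sample of English `bcdedit /enum` output (not captured from a real host).
SAMPLE_BCDEDIT_OUTPUT = """
Windows Boot Manager
--------------------
identifier              {bootmgr}
default                 {current}

Windows Boot Loader
-------------------
identifier              {current}
description             Microsoft Windows Vista
loadoptions             DDISABLE_INTEGRITY_CHECKS
nointegritychecks       Yes

Windows Boot Loader
-------------------
identifier              {11111111-2222-3333-4444-555555555555}
description             Second install (constructed)
nx                      OptIn
"""

def parse_entries(text):
    """Split bcdedit /enum text into one dict (element -> value) per boot entry."""
    entries, current, last = [], None, None
    lines = text.splitlines()
    for i, line in enumerate(lines):
        stripped = line.strip()
        nxt = lines[i + 1].strip() if i + 1 < len(lines) else ""
        if not stripped or set(stripped) == {"-"}:
            continue                              # blank line or dashed rule
        if set(nxt) == {"-"}:                     # entry title sits above a dashed rule
            current, last = {"_type": stripped}, None
            entries.append(current)
        elif current is not None and line[0].isspace() and last:
            current[last] += " " + stripped       # continuation of a multi-value element
        elif current is not None:
            key, _, value = stripped.partition(" ")
            last = key.lower()
            current[last] = value.strip()
    return entries

def audit(text):
    """Return (identifier, finding) pairs for entries that relax driver signature checks."""
    findings = []
    for entry in parse_entries(text):
        ident = entry.get("identifier", entry["_type"])
        # Substring match on the load option string used in the article.
        if "DISABLE_INTEGRITY_CHECKS" in entry.get("loadoptions", "").upper():
            findings.append((ident, "loadoptions " + entry["loadoptions"]))
        for element in ("nointegritychecks", "testsigning"):
            if entry.get(element, "").lower() in ("yes", "on"):   # assumes English output
                findings.append((ident, element + " " + entry[element]))
    return findings
```

Calling `audit(SAMPLE_BCDEDIT_OUTPUT)` reports the `{current}` entry twice, once per setting, and nothing for the second entry.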


E-M@iLinAtoR November 13, 2007 at 9:57 pm

Hi, thanks for the info!
But today I got another Update to put on the list, cause it disabled the boot setting, too.
Windows6.0-KB941649-v2-x64
After uninstalling and hiding in Windows Update it works again, we gotta do without those updates :-(

Reply

Julie November 14, 2007 at 10:34 am

Thanks for the update E-M@iLinAtoR, I’ve added your suggestion to the list.

- Julie

Reply

Chipp November 23, 2007 at 9:00 pm

Hello Julie and others,

Removing the four updates above worked perfectly for me, and I was able to load the ATI Tray Tools driver with no issues on my next reboot. However, it seemed that my internet connection had been locked down to only Windows Update, and upon opening the start menu my Shutdown and Reboot options were replaced with “Install Updates and reboot” and its shutdown variant. Is this some fluke for me, or is Windows really noticing that people have removed these updates? (After I rebooted with the Install Updates, the driver protection was restored.)

Thanks for the article nonetheless,
–Chipp

Reply

Chipp November 23, 2007 at 9:15 pm

Nevermind the above. :)

I turned off automatic updates and all is well.

Thanks!

Reply

yfki December 10, 2007 at 4:37 pm

Yep, I was looking for something like this for a while today.
This works as of 12/10

I’m using app called I8kfanGUI on Vista x64
fanio.sys stopped working

Uninstall the following:
KB932596
KB938979
KB938194
KB941649

Reply

E-M@iLinAtoR December 12, 2007 at 12:55 pm

Today came a pack of Updates to me and again, boot setting disabled :-( Those are:
KB941568
KB941569
KB942615
KB942624
KB943078
KB905866
KB942763
KB943597
Office SP1
I’m on figuring out which one is the smurf, I’ll tell if I find before some1 else ;-)

Reply

E-M@iLinAtoR December 12, 2007 at 4:31 pm

Okay I got it!
It’s the KB943078 Update, uninstall and hide that one too to make the boot setting permanent again.
Here’s the complete list till now, which will get longer and longer till Microsoft gives that up (never? :-( ):
KB932596
KB938979
KB938194
KB941649
KB943078

Reply

yfki December 15, 2007 at 7:52 pm

Smurf confirmed: KB943078

Gargamel that bitch.

Reply

E-M@iLinAtoR December 16, 2007 at 5:33 pm

automatic-F8 SOLUTION:
Today I finally got another Workaround working, which is the best solution ever, since you can Install all updates on Vista 64 and use unsigned drivers:
U can use this either with Floppy or USB-Drive. So cool, it is simulated that you press F8 during boot, twice Up, then Enter, but you just sitting there

For second choice, setup your BIOS that it can boot via USB-Flash-Drive (Boot Order (USB-HDD) and enable something like “USB Storage detection”, BIOS dependent).

1. download “fdboot.zip” from here and unzip
2. download “rwwrtwin.zip” (RAWwrite) from here, unzip and execute
3. browse for “fdboot.img”, insert blank Floppy into FDD, select drive and click “write”
4. make USB-Flash bootable with DOS. I made that by booting an old MS-DOS 6.22 Bootdisk and typing the Command in DOS “SYS B:” (B: was USB Flash, A: Floppy). There are many other ways to do that, you just need to write a boot sector to the USB-Flash someway.
5. boot the Floppy we have just flashed “fdboot.img” on
6. in FreeDOS type “BOOT_A” or “BOOT_B” (_A or _B being the driveletter for your USB, test with “dir” before)
7. then type “copy *.* b:” copy Floppy to USB without overwriting COMMAND.COM there (or under Windows, needs one more reboot)
8. eject Floppy, reboot, be happy like the “Magic Hand” does the F8 Trick every time.
9. Install all Updates you want, don’t let MS fool U anymore!

If Floppy-Boot is OK for you (little slower), just do steps 1, 2, 3, 5 and 6 (boot Floppy, Boot_A and let Floppy always in Drive during bootups)

Btw, I can help on detailed questions. Have Fun

Reply

E-M@iLinAtoR December 16, 2007 at 5:35 pm

replace the from here’s with that:
fdboot.zip: http://uhlik.sk/?page=swreadydriver
rwwrtwin.zip: http://www.filewatcher.com/m/rwwrtwin.zip.261448.0.0.html
;-)

Reply

ITboykc January 4, 2008 at 12:11 am

Hey, that’s interesting E-M@iLinAtoR. I haven’t tried it because I don’t have a viable Vista Machine, but my friends do, and have problems with these updates and unsigned drivers. Sounds like it should work in theory, if it does what you say it does.

However, wouldn’t it be easier to use a boot sector file on the local disk (Like they did here -> http://port25.technet.com/archive/2006/10/13/Using-Vista_2700_s-Boot-Manager-to-Boot-Linux-and-Dual-Booting-with-BitLocker-Protection-with-TPM-Support.aspx ) instead of using a USB drive or a floppy? Do you think booting locally would be possible using something like this?

Thanks.

Reply

HappiHyppy January 8, 2008 at 8:04 am

I tried both usb and floppy method and they work.
However I have a slight problem with usb. If I boot from usb
windows cannot access the floppy drive. I have disk (working) there but windows says I don’t have.

Reply

ITboykc January 9, 2008 at 1:21 am

Got it to run locally. Needs a bit of finagling to accomplish this though. I do not experience the floppy drive access problem that HappiHyppy has (while booting locally, I haven’t tested USB).

Reply

HappiHyppy January 9, 2008 at 7:58 am

Like I said I don’t have this floppy problem if boot from floppy drive. -Only if I boot from USB. Actually I had problems to use that boot_b command since my usb drive letter was c. My computer’s bios showed USB drive as a hard disk and not removable like floppy drive.

Well… I used Vista’s disk management and deleted usb’s
logical partition. Then I made new primary partition and formatted it(fat16).

After this my usb drive appeared in bios under removable devices and I was able to use boot_b command on it.

And now when I boot from it Vista starts and driver signing is disabled but I also have this floppy problem.

Reply

bejam January 11, 2008 at 9:53 am

Has anyone tried this with sp1 installed? I have the RC1 of SP1 installed and am using the floppy method. I get the F8 screen coming up, but it selects Safe Mode instead of disabled driver enforcement. MS seem to have changed this screen in SP1 – possibly to get around this hack??

Reply

trafsta January 27, 2008 at 3:56 pm

ITboykc: how did you get it to run locally exactly? Please post some instructions for us :)

I have it booting off of a floppy right now and it’s working quite well. But it would be even better if it ran locally.

And regarding bejam’s question about SP1 – how can we get this going with SP1 properly since the boot menu options have changed? How do you edit the keystrokes that are sent? Right now it’s F8, Up, Up, Enter – correct? Anyone shed some light as to how to edit this since SP1 is being released in the next month or so?

Reply

ITboykc January 29, 2008 at 3:06 pm

Booting locally… heheh….
This method uses some modified binaries (which are against Uhlik’s agreement…). I need to find where I got them. The place has an installer somewhere… I will report back when I have the installer location.

Reply

trafsta January 30, 2008 at 10:23 pm

Cool thanks ITboykc :)

Reply

Darky February 1, 2008 at 2:00 pm

wow this really pissing me off ok how do i turn automatic updates off so i can install drivers that are not signed.
please some one find a way to destroy this driver crap for good microsoft has gone too far fucking up my f8 key…

Reply

Pepperoni February 6, 2008 at 5:12 pm

The latest list seems to be outdated, as the unsigned drivers aren’t working again. I have the following uninstalled:
KB932596
KB938979
KB938194
KB941649
KB943078

Any ideas which is the latest update to mess it up?

Reply

Rick February 7, 2008 at 2:15 pm

Darky, that’s a lost cause, because SP1 (out now if you know where to look) also requires F8. So unless you plan to stick with the original Vista and be very restricted on which updates you install (some of which are very important), and never install any future SPs, I’m afraid you’re stuck with F8 or possibly one of the convoluted boot solutions described above.

BTW, in SP1, boot drivers for *32-bit* are signed as well. And guess what? If you try to boot with one that’s not signed (say, a modded tcpip.sys) you also need to do F8.

It’s documented on MS’s site:
“Driver binaries that load at boot time (“boot start drivers”) must contain an embedded signature, for both x86 and x64 versions of Windows Vista [SP1] and Windows Server 2008, as described in “Kernel-Mode Code Signing Walkthrough” on this site.”

Reply

ITboykc February 12, 2008 at 2:06 am

Well, I finally found it :)

http://www.citadel.co.nr/readydriverplus/

There is an installer there that will let you boot locally.

The installer has an awful lot of scary warnings and settings, but i just used the defaults and it worked for me. Don’t forget to take out the old ReadyDriver disk/USB drive, or it will cause problems…

Install, reboot, and enjoy :) No more driver enforcement.

Reply

Pepperoni February 16, 2008 at 8:49 am

ITboykc – Thank you :)

Unfortunately I couldn’t get it to install properly. The installer returns a message saying c:\windows\system32\bcdedit.exe was not found, although it’s there. I’ve turned UAC off and got the same problem. Damn… :(

Reply

ITboykc February 16, 2008 at 2:06 pm

Hmm.. Hopefully he’ll fix it…

Reply

ITboykc February 17, 2008 at 2:23 am

Woah… This guy is fast. He must read this forum. He has an update. It says it fixes the bug some people were having. Can anyone confirm this (It always worked fine on mine…)?

Reply

Pepperoni February 17, 2008 at 3:32 pm

He mentions the patch was useless on x64 systems, which is my case. v1.1 installs correctly on Vista 64.

Reply

anon February 22, 2008 at 6:56 am

ya know there is a reason for signed drivers and uac…

Reply

rhavey August 25, 2009 at 3:40 pm

“ya know there is a reason for signed drivers and uac”

yes to tick off the super users. and to force vendors to pay microsoft money to get certified.
it does not make microsoft or the vendors write better code.

it is also supposed to help protect your computer but it does not do that either.

rharvey

Reply

trafsta February 22, 2008 at 9:52 pm

Works great for me ITboykc! Thanks!

Reply

trafsta February 25, 2008 at 4:22 pm

If anyone still gets an error stating “C:\windows\system32\bcdedit.exe was not found” simply copy bcdedit.exe from C:\windows\system32\ to c:\windows\SysWOW64\ and reinstall. I had to do this on one of my x64 Vista SP1 systems but not the other – strange!

Reply

Bob February 26, 2008 at 12:06 pm

@ Anon

Yes there is a reason for signed drivers and uac

But there is also a reason to allow for unsigned drivers.

For Microsoft to completely disregard that reason, not provide any convenient permanent workaround that either allows user specified unsigned drivers to function or any unsigned drivers to function is flat out idiotic.

Not every PC user is a noob infecting their PC with trojans and spyware.

To completely disregard the needs of their advanced user base is a recipe of pushing that user base to a different platform that will meet their needs.

Reply

Vinny.Poo February 27, 2008 at 8:53 am

I don’t think this works for me. My keyboard Driver still doesn’t work. My Cyber Snipa WarBoard won’t let me use the macro keys unless the driver is installed. I installed the Local Fix ONLY (is there something else I should have done?) and rebooted and then installed the driver but still won’t work. Please Help.

Reply

yfki March 2, 2008 at 12:12 pm

Confirmed –Absolutely Amazing!!!

Installed on Vista Ultimate 64, got error:
“C:\Windows\System32\bcdedit.exe was not found”

Workaround….

Copied: C:\Windows\System32\bcdedit.exe
TO: C:\Windows\SysWOW64\bcdedit.exe

Ran Install again, completed just fine.

I actually ran the command :
bcdedit /set loadoptions DDISABLE_INTEGRITY_CHECKS
Not sure if this made a difference.

Restart, Un-signed drivers are working !!!!!!!
(i.e. I8kFanGui, CoreTemp)

I knew bookmarking this site would pay off.

Reply

yfki March 2, 2008 at 12:12 pm

I should have also noted, my Vista x64 is SP1.

Reply

ITboykc March 3, 2008 at 4:36 pm

I think the webmaster was accidentally serving 1.0 instead of 1.1 (which is why the bcdedit errors occurred). I contacted him and he has now put 1.1 up. The bcdedit not found errors should be gone now :).

Reply

TPLP02 March 16, 2008 at 10:10 am

WOW! The Citadel download worked perfect. Did not have to uninstall any updates on my Vista Ultimate 64. The program has a script built in to disable DDS each time you boot automatically. Great Find! Go to hell Microsoft!

Reply

Psychosmurf March 21, 2008 at 4:01 pm

Unfortunately; the Citadel download didn’t work for me. Vista boots and I can see the selector screen with the ReadyDriver selected but once the timeout expires the machine just hangs. Anyone got any ideas how to stop that?

Reply

Psychosmurf March 21, 2008 at 4:02 pm

Sorry; I meant that Vista *starts to boots*. Stupid fingers; my parents were southern and I’m pretty sure they were cousins or something. :)

Reply

Craig March 23, 2008 at 2:27 am

I get the same ‘hanging’ issue, using Vista 64-bit Ultimate with SP1.

It auto-selects the ReadyDrive option, at two menus, then the cursor just sits flashing at top of the screen, anyone else managed to get this and fix it?

Reply

Ryan March 27, 2008 at 12:58 am

That ReadyDrive from Citadel was a great find. Thanks a lot guys, it was getting old pretty quick having to reboot every time I wanted to fire up vmware.

Reply

ITboykc March 31, 2008 at 6:06 pm

If it is hanging, you have the wrong amount of strokes selected or you disabled the “Make ReadyDriver Plus the default.” The hanging happens when ReadyDriver Plus selects itself from the list. Try adjusting the number of strokes (this worked for my friend).

Reply

andrew April 2, 2008 at 11:37 pm

I’m running vista 32bit business edition
I just installed SP1 today from microsoft update

And what do you know i started getting 4226 events again
so i installed
VistaTcpipUacPatch2.0.rar
from http://www.mydigitallife.info/2008/02/17/download-vista-tcpipsys-and-uac-auto-patcher-to-increase-tcp-connection-limit/

After reboot i got an error about unsigned driver tcpip at boot so i hit f8 and disable unsigned driver enforcement

found this site
so i installed
ReadyDriver Plus V1.1
from http://citadel.x10hosting.com/readydriverplus/

Worked perfectly confirmed on SP1 unsure why others are having problems with SP1

Reply

andrew April 2, 2008 at 11:57 pm

what happens when microsoft removes the disable unsigned driver enforcement boot options?

Reply

ITboykc April 3, 2008 at 11:38 pm

>>andrew

Well, then that leaves us out of the loop for this option, down but not out.

If that ever happens, you can run Vista in test mode and sign the drivers you need to run yourself. It’s possible, but not just a point and click like this solution. There are guides by Microsoft about how to do this.

Reply

usb Dani April 7, 2008 at 4:47 am

Oh thanks for this work-around, cause I hate this Vista Procedure with drivers. Thanks!

Reply

MaTrIx April 24, 2008 at 4:47 am

ReadyDriver Plus v1.1 (http://www.citadel.co.nr/readydriverplus) is indeed working flawlessly on Windows Vista 64-bit SP1, at least for me.

Reply

Jon May 17, 2008 at 12:58 am

When Microsoft takes the boot option away I’m going back to XP.
If they mess up XP hopefully linux derivatives will be ready.

Reply

uscs_vaughn May 26, 2008 at 9:49 am

ReadyDriver Plus 1.1 works as advertised on Vista 64-bit SP1. Set up with all defaults. Reminds me of the old ScriptIt which simply punches the keys for you.

Reply

trafsta July 25, 2008 at 4:52 pm

Any idea if this would work on Windows Server 2008 x64 SP1? I’d imagine it would, but I am not positive and won’t get a chance to test it out for another week or so (server is in a remote location). Has anyone ever tried it under 2008?

Reply

dens July 30, 2008 at 2:35 pm

yea
i want to know if it work in window 2008 64bit?

Reply

trafsta August 9, 2008 at 10:41 pm

Tested it under Windows Server 2008 x64 and it works just fine :)

Reply

tikal October 29, 2008 at 10:34 am

Just installed Ready Driver Plus v1.1 on my Vista Ultimate x64 SP1 machine. Selected two upticks during install and did a reboot. It worked great!! This is so nice to have!! Finally, no more bs M$ games during bootup!! Why does M$ insist on limiting the amount of half-open concurrent TCP connections? What’s anti-virus software for? That is the only reason I need this fix, because of my modified tcpip.sys…

Reply

Richy February 25, 2009 at 10:25 pm

It’s saying bcdedit is not a valid win32 application…

I’m running vista 64

Reply
