How to enable or disable test signing mode in Windows.



Windows test signing mode is a special mode of operation designed to allow loading of unsigned drivers into Windows. Beginning with the 64-bit edition of Windows Vista, Microsoft imposed a restriction that only digitally signed device drivers are normally allowed to be loaded and used by the system. Enabling the test signing mode removes that restriction. Note that if you have a 32-bit version of Windows, then you may not need to worry about the test signing mode, because this restriction applies only to the 64-bit versions.

Why would you want to enable the test signing mode? Well, if you use an older 64-bit version of Windows, such as Windows Vista or Windows 7, it may no longer recognize a digital signature of a recent driver. For example, when you try to run the latest version of Folder Guard on Windows 7 64-bit, it may report that it cannot load its driver:

Error Cannot load Folder Guard driver

and Windows 7 may show the following explanation:

Windows requires a digitally signed driver

What's puzzling is that when you check the digital signature of the driver (by navigating to the folder C:\Program Files\Folder Guard, right-clicking on the file FGUARD64.sys, and selecting Properties from the menu), Windows reports that the digital signature of that file is OK:

Digital signature is OK

So, the digital signature of the Folder Guard driver is OK, but Windows 7 reports that it is unsigned. What makes Windows 7 so confused? Let us spare you a lot of boring technical details that involve cryptographic algorithms (SHA1 and SHA256), Certificate Authorities, EV certificates, cross-signing certificates, root certificates, as well as the (un)willingness of Microsoft to update the old versions of Windows, because the conclusion would eventually come down to this: as time progresses, Microsoft and other software companies tighten up the restrictions on what kind of digital signatures are allowed to be used and deprecate the old, less secure standards. The old versions of Windows simply cannot keep up with such advances, and enabling the test signing mode becomes the only practical solution to allow the use of the newer products on the old versions of Windows.

Wait, wouldn't enabling the test signing mode make my Windows 7 computer less secure, you might be asking? Yes, it would, but that ship has sailed when you decided not to update Windows 7 to a more recent version of Windows that is still supported and updated by Microsoft. Your Windows 7 computer is already insecure, and if you are OK with that, enabling the test signing mode would not make a significant difference in its security anyway.

How to enable the test signing mode

First, if your computer supports secure boot, disable it in the BIOS settings, because if the secure boot is enabled, Windows would not allow you to enable the test signing mode.

Next, open a Windows command window as Administrator. The exact procedure is a bit different in different versions of Windows, but usually the following procedure should work: click the Start button and type cmd (if there is a Search box, type it into that box). You should see a list of the results displayed and if it contains cmd.exe or Command prompt, right-click it, and select Run as Administrator from the menu.

When the command prompt window appears on the screen, type the following command:

bcdedit /set TESTSIGNING ON

You should see the result similar to the following:

Enabling test signing mode using command prompt window

If you see an error message that tells you that this setting is protected by secure boot, then you need to turn off the secure boot option of your computer using the UEFI/BIOS configuration utility. (Refer to the instructions provided by your computer or system board manufacturer.)

If you see an Access denied or some other error message, it could mean that you have not opened the command window in the Administrator mode. Or, you can try the following command:

Bcdedit.exe -set loadoptions ENABLE_INTEGRITY_CHECKS

and then try the previous command again.

To make the change effective, restart the computer. If you see the Test mode message displayed in the bottom-right corner of the desktop, it means that the test signing mode is enabled and the loading of the unsigned device drivers is allowed:

The test signing mode has been enabled

If you had a problem running Folder Guard (or another program) before, run it again now, and it should proceed normally, without displaying an error message about loading a driver.

How to disable the test signing mode

If you have decided that you no longer want to allow unsigned drivers to be used by Windows, and to remove the Test mode message from the desktop, you need to open the command window as Administrator in the same way as described above, and type the following command:

bcdedit /set TESTSIGNING OFF

Restart the computer, and the Test mode message should disappear from the corner of the desktop. If you still see the Test mode message in the corner, it could be that you have the debugging mode enabled. To disable it, run the System Configuration tool of Windows, select the Boot tab, press Advanced options, and finally make sure the Debug box is cleared:

Disable the debug mode using System Configuration

Restart the computer again, and the Test mode message should now disappear. Of course, any software that might be using a driver with an unrecognized digital signature may stop working after that.
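To check the state of these settings before or after following the enable and disable procedures above, a read-only PowerShell script like the one below can help. It is an added example, not part of the original article or of Folder Guard; the function name Get-BcdValue and the report field names are made up for illustration, and the script assumes English bcdedit output and that the registry value SystemStartOptions lists TESTSIGNING while the mode is active.

```powershell
# Added example: read-only audit of the boot settings discussed in this article.
# Run from an elevated PowerShell prompt; bcdedit needs Administrator rights.
# Assumption: English bcdedit output ("Yes"/"No").

function Get-BcdValue {
    param([string[]]$BcdLines, [string]$Name)
    # bcdedit prints "name<spaces>value"; return the value, or $null if absent.
    foreach ($line in $BcdLines) {
        if ($line -match "^\s*$Name\s+(.+?)\s*$") { return $Matches[1] }
    }
    return $null
}

$bcd = & bcdedit.exe /enum '{current}' 2>&1
if ($LASTEXITCODE -ne 0) {
    Write-Error "bcdedit failed (prompt not elevated?): $bcd"
    return
}

# Secure Boot state. The cmdlet throws on legacy BIOS systems and does not
# exist on Windows 7, so both cases end up in the catch block.
try   { $secureBoot = if (Confirm-SecureBootUEFI) { 'On' } else { 'Off' } }
catch { $secureBoot = 'Unavailable (legacy BIOS or cmdlet missing)' }

# Options the running kernel was booted with (assumed to contain TESTSIGNING
# while test signing mode is active).
$startOptions = (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control').SystemStartOptions

$report = [pscustomobject]@{
    SecureBoot         = $secureBoot
    BcdTestSigning     = Get-BcdValue $bcd 'testsigning'   # $null = never set (off)
    BcdDebug           = Get-BcdValue $bcd 'debug'         # 'Yes' also shows Test mode text
    BcdLoadOptions     = Get-BcdValue $bcd 'loadoptions'
    RunningTestSigning = $startOptions -match 'TESTSIGNING'
}
$report | Format-List

# Boot store and running system disagree until the next restart.
if ($report.BcdTestSigning -eq 'Yes' -and -not $report.RunningTestSigning) {
    'TESTSIGNING is ON in the boot store but not active yet: restart required.'
} elseif ($report.BcdTestSigning -ne 'Yes' -and $report.RunningTestSigning) {
    'TESTSIGNING is OFF in the boot store but still active: restart required.'
}
```

The script changes nothing; it only reports whether Secure Boot, test signing and debug mode are in the state you expect.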

Happy computing!
