Driver Signing in Windows

Windows Vista x64/Windows 7 x64

One of the well-known problems of 64-bit versions of Windows Vista and later operating systems is the driver signature enforcement. Basically, 64-bit Windows Vista will not load a driver without a valid Authenticode signature (one-year certificate costs ~500$, according to VeriSign). While providing a reliable way of verifying the origin of a driver, it creates problems for free kernel-mode software. The best workaround for this problem is using the test signing mode. When a system is booted in "testsigning" mode, any driver having a digital signature (even not approved by Microsoft), can be successfully loaded by the system.

Thanks to the users' donations, WinCDEmu now comes with a valid Authenticode signature. However, if you build a custom version from the sources, you might need to enable the testsigning mode by selecting Start->All Programs->Accessories->Command Prompt, right-clicking on it, selecting "Run as administrator" and typing the following command:

bcdedit -set TESTSIGNING ON

To disable testsigning mode, you need to run the following command:

bcdedit -set TESTSIGNING OFF

Note that you will need to restart your computer for this change to take effect.

Windows XP

You can get rid of the 'unsigned driver' warning in Windows XP while installing SysProgs software by importing the SysProgs.org certificate to the trusted root certificates folder:

  1. Select the installer (for example, WinCDEmu installer) in Explorer, right-click on it and select "Properties".

  2. Select the "Digital Signatures" page.

  3. Select the SysProgs.org signature and press "Details".

  4. Press "View Certificate" button.

  5. Press the "Install Certificate" button.

  6. Press "Next", select "Place all certificates in the following store", press "Browse" and select "Trusted Root Certification Authorities"

  7. Press "Next", then "Finish".

During certificate installation you will be prompted to verify that the certificate actually represents SysProgs.org. To do so, compare the SHA1 thumbprint with the one on the screenshot:

Note that this will install the SysProgs.org certificate as a trusted root certificate, recognizing all SysProgs software as signed and verified. If you want only the software signed by Microsoft and its partners to be considered 'verified', do not install SysProgs.org certificate.