Disabling Driver Enforcement In Windows 7 and 8

November 10, 2011


Windows has grown up a lot in the last several years, especially with its transition over to 64-bit processing (although legacy 32-bit is still present even in Windows 8). As Windows has evolved, so have the efforts made to increase security in our Internet-centric world. Even the drivers that run your hardware have built-in security measures. Most device drivers have something called “Driver Signatures”, which allow operating systems to validate that the driver files haven’t been tampered with since they were released by the driver maker.

Of course there are some devices that don’t offer these signed drivers. Many of these are either older legacy devices or (as in the case of my wireless USB dongle) a cheaply made Chinese adapter that was purchased from Hong Kong for only a few bucks on eBay. XP and even Vista didn’t require you to do anything special to run unsigned drivers, but in Windows 7 and 8 the operating system will refuse to run a driver unless it is signed. Luckily there are ways around it for those who need to use these unsigned devices.

A word of caution though: make sure you trust the drivers you are installing! Windows created the driver signature program as a security initiative to protect its users, so if you are going to ignore their security attempt you had better trust the company making the driver.

If you want to run an unsigned driver, one method is disabling driver signature enforcement before starting up Windows. For Windows 7 users this would mean hitting F8 at boot and choosing the option “Disable Driver Signature Enforcement”. This will only allow unsigned drivers for this boot session and will have to be done EVERY time you start up Windows.

On Windows 8, the F8 experience has changed a little. When I was first trying to disable enforcement to get my wifi working, this part really baffled me. That’s when I found with a little research that the boot options are still accessible, but now you must hit SHIFT and F8. Also keep in mind that some BIOS setups will not recognize shift for booting at this early stage. The other way around this is to hit F10 during boot to get to “Edit Boot Options”. You will then add /DISABLE_INTEGRITY_CHECKS to the boot flags. This will effectively do the same thing.

Although the F8/F10 options are one way to run your unsigned driver, there is a better solution. The best solution is simply going ahead and signing the driver in question. To sign the driver you will need to download the Windows Driver Kit. From there make sure the driver .inf file has a CatalogFile=MyCatalogFile.cat line (specify your own value for MyCatalogFile.cat). If it is missing then simply add it to the Version section. Point inf2cat to the driver .inf file and it will make a .cat file for you. This .cat file will have an entry for every file pulled in by the .inf. You can then use SignTool to sign the .cat file. At this point you can see who says this driver is OK. If you are just using this for personal use you will add the root certificate for your signing certificate to the “trusted root certificates” store on the machine where you want to load the driver. If everything was completed right you should now not have a problem installing the driver.

If this method is a bit confusing, that’s understandable. I had to play around with it several times myself before I got it to work. You can always just disable enforcement every time you boot; once you get used to it there isn’t a lot of hassle or effort involved.
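The signing steps described above, put together as one PowerShell script. This is an added example, not from the original article: it assumes Inf2Cat.exe and SignTool.exe from the Windows Driver Kit are on PATH, and the package folder, certificate subject and /os: value are hypothetical placeholders.

```powershell
# Added example, not from the original article. Assumes Inf2Cat.exe and
# SignTool.exe (from the WDK) are on PATH and that a code-signing certificate
# with the hypothetical subject name below is in the current user's "My" store.
param(
    [string]$DriverDir = 'C:\Drivers\MyDriver',   # hypothetical package folder
    [string]$CertName  = 'My Test Driver Cert',   # hypothetical certificate subject
    [string]$OsList    = '7_X64'                  # Inf2Cat /os: value for the target OS
)

$inf = Get-ChildItem -Path $DriverDir -Filter *.inf | Select-Object -First 1
if (-not $inf) { throw "No .inf file found in $DriverDir" }

# 1. Find CatalogFile= inside the [Version] section only.
$section = ''
$catName = $null
foreach ($line in Get-Content -Path $inf.FullName) {
    $text = ($line -split ';')[0].Trim()          # drop INF comments
    if ($text -match '^\[(.+)\]$') { $section = $Matches[1].Trim(); continue }
    if ($section -ieq 'Version' -and $text -match '^CatalogFile(\.\w+)?\s*=\s*(.+)$') {
        $catName = $Matches[2].Trim().Trim('"')
        break
    }
}
if (-not $catName) { throw "$($inf.Name): add CatalogFile=<name>.cat to [Version] first" }

# 2. Build the catalog; it gets a hash entry for every file the .inf references.
& Inf2Cat.exe "/driver:$DriverDir" "/os:$OsList"
if ($LASTEXITCODE -ne 0) { throw "Inf2Cat failed with exit code $LASTEXITCODE" }

# 3. Sign the catalog. /fd picks the file digest; recent SignTool builds require it.
$cat = Join-Path $DriverDir $catName
& SignTool.exe sign /v /fd SHA256 /s My /n $CertName $cat
if ($LASTEXITCODE -ne 0) { throw "SignTool failed with exit code $LASTEXITCODE" }

# 4. Show who vouches for the package and whether this machine trusts them.
$sig = Get-AuthenticodeSignature -FilePath $cat
[pscustomobject]@{
    Catalog    = $cat
    Status     = $sig.Status                      # Valid only if the chain ends in a trusted root
    Signer     = $sig.SignerCertificate.Subject
    Thumbprint = $sig.SignerCertificate.Thumbprint
}
```

Running only step 4 against a vendor-supplied .cat is a quick way to check who signed a driver package before deciding whether to trust it.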


Mike Johnson is a writer for The Redmond Cloud - the most comprehensive source of news and information about Microsoft Azure and the Microsoft Cloud. He enjoys writing about Azure Security, IOT and the Blockchain.
