Digital signature driver as a means of improving system security

It is not that a driver's digital signature resembles the non-commissioned officer's widow who flogged herself, but the analogy suggests itself. To the question "What is a driver's digital signature and what is it for?" the answer is very simple. First, it is a certain sequence of codes that the developer inserts into the driver's code, and that the operating system (in this case, Windows) knows, or for which it knows the algorithm by which those codes are obtained.


Second, and this part is quite simple and clear: when a driver is installed in the system, its digital signature is checked for authenticity. If everything matches, the installation continues; if it does not, the installation stops. The idea of a digital signature is not new at all. It has been used for a long time (and is still used, although more sophisticated anti-tampering mechanisms have long since been developed) in data transmission systems, where it is often called a "checksum". In the simplest version it was just a single-byte "modulo-2 addition" of the entire contents of the file.

Specificity of drivers as operating system control programs

Then policy comes into play, starting with the business policy of equipment manufacturers and, accordingly, of driver vendors. The device has been developed, its driver has been developed; now the manufacturer only needs to convince Microsoft to include information about this driver in Windows so that the system recognizes the device and this manufacturer's driver. After all, there are plenty of third-party competitors who can develop their own driver for the same device. Whether it is better or worse does not matter; what matters is that it is unauthorized, and therefore not allowed to be used in the system.

Further: a driver is a program and therefore a target for viruses. Moreover, such a program is a trump card for a virus, because the driver will be launched regardless, together with the system itself. But the virus "does not know" the driver's digital signature, and Windows checks that signature for authenticity every time a driver is installed. This is the protection against virus-infected drivers, and one more advantage of the digital signature.

On the other hand, there are indeed many third-party drivers that are significantly superior to the official ones. But they have no digital signature, which means they cannot be installed unless driver signature verification in Windows is turned off. This possibility is provided by Microsoft itself; it did not "burn its bridges". By default, the Windows boot options require mandatory verification of the driver's digital signature, but it can be cancelled, provided, of course, that you understand the danger to which the system is exposed: either from a sloppily written "non-native" driver or from viruses.

A small nuance - in passing

Turning off driver signature verification in Windows 10, or any other version, is so important that some developers make it an indispensable condition for their program to function. Various gaming applications usually behave this way. A good example is the games from the 4Game service. When the service first appeared, a special driver client had to be downloaded beforehand, but over time they decided simply to embed everything they needed into browsers. This change led to a change at the root of the protection policy, called Frost.

The only problem is that the new policy does not work without first disabling mandatory driver signature verification. You will, however, also have to "disable" your questions about how this official service can propose disabling the system's official protection against piracy and viruses. In the end, Microsoft itself provides such an opportunity. The developer's policy in this case is not the subject of the present discussion, especially since Microsoft is not against it.

Ways to disable driver digital signature verification

There are several ways to solve the problem of disabling driver digital signature verification in Windows 7, 8 and all subsequent versions. Many of them are very similar to each other. The first option requires working on the computer with system administrator rights. We start by opening the command line: go to the system's main menu using the "Start" button, then choose "All Programs" and "Accessories". In the list that opens, select "Command Prompt". In the "black window" that appears, type at the prompt:

  • bcdedit.exe /set nointegritychecks ON to disable mandatory driver signature verification.

To turn the check back on, the line is the same, but with "OFF":

  • bcdedit.exe /set nointegritychecks OFF

Why disabling the check is ON and enabling it is OFF can be understood from the name of the parameter used, "nointegritychecks", which means "no integrity checks".

Another option also uses the bcdedit.exe system utility from the command line, but here we act in two stages. First, we run the utility with the loadoptions parameter value:

  • bcdedit.exe -set loadoptions DDISABLE_INTEGRITY_CHECKS

Then, with the value of the test-signing parameter testsigning:

  • bcdedit.exe -set testsigning ON

It is essential to wait for the message "Operation successfully completed" in the command window; it may appear after a short delay. Driver digital signature verification is now disabled. To make signature verification work again, we enter the same commands, but in reverse order and with different parameter values:

  • First bcdedit.exe -set testsigning OFF
  • Then bcdedit.exe -set loadoptions ENABLE_INTEGRITY_CHECKS

The third option is to disable driver signature verification in Windows 8 when the computer boots. This feature is very convenient if you only need to test a driver.

So, when booting, we press F8 to enter the system's boot menu and there select booting with driver signature verification cancelled: "Disable driver signature enforcement". Once the system boots, you can install any drivers, signed or unsigned; they will not be checked. Keep in mind, however, that this feature only works until the system is rebooted.

The fourth option uses the operating system's Local Group Policy Editor, although it does not work fully on all versions of Windows. We proceed as follows: in the system's main menu select "Run" and in the execution line type gpedit.msc. This launches the group policy program, opening a window with the same name. In the window on the left, go successively along the folder path "User Configuration", "Administrative Templates", "System". Next, select "Driver Installation" and the "Digital Signature" parameter, which is the one to change.

To change it, either double-click the parameter with the mouse or select the text on the left, "Edit policy setting". To disable, select the "Disabled" switch and accept the changes (OK or "Apply" button). All "Group Policy" settings take effect without rebooting the system, although if there are any doubts you can reboot as well and check once more what state the parameter is in.

Note one feature: the "Warn" switch. Choosing it will nevertheless allow the installation of an unsigned driver to complete, but the driver will still not be accepted for operation.
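The following audit script is an added example and is not part of the original article. It covers the first two bcdedit methods and the Group Policy method above from the defender's side: it reads the current boot entry with bcdedit and the per-user policy registry value that the "Driver Installation" policy writes (HKCU\Software\Policies\Microsoft\Windows NT\Driver Signing, value BehaviorOnFailedVerify, 0 = Ignore, 1 = Warn, 2 = Block), reports whether any of those switches has weakened signature enforcement, and lists drivers that are present without a valid signature. Run it from an elevated PowerShell prompt.

```powershell
#Requires -RunAsAdministrator
# Added audit script (not from the article): report whether driver signature
# enforcement has been weakened by any of the switches the article describes.

function Get-BcdFlag {
    param([string[]]$BcdLines, [string]$Name)
    # bcdedit prints "name<spaces>value"; return the value, or $null if absent
    $line = $BcdLines | Where-Object { $_ -match "^\s*$Name\s+\S" } | Select-Object -First 1
    if ($line) { return ($line -replace "^\s*$Name\s+", '').Trim() }
    return $null
}

$bcd = bcdedit /enum '{current}' 2>&1
$findings = @()

# Methods 1 and 2 leave traces in the current boot entry
if ((Get-BcdFlag $bcd 'testsigning') -eq 'Yes') {
    $findings += 'testsigning is ON: test-signed and self-signed drivers will load'
}
if ((Get-BcdFlag $bcd 'nointegritychecks') -eq 'Yes') {
    $findings += 'nointegritychecks is ON: kernel-mode code integrity checks are off'
}
$lo = Get-BcdFlag $bcd 'loadoptions'
if ($lo -and $lo -match 'DDISABLE_INTEGRITY_CHECKS') {
    $findings += "loadoptions contains $lo"
}

# Method 4 (Group Policy "Driver Installation") is stored per user; 2 = Block
$polKey = 'HKCU:\Software\Policies\Microsoft\Windows NT\Driver Signing'
$pol = Get-ItemProperty -Path $polKey -Name BehaviorOnFailedVerify -ErrorAction SilentlyContinue
if ($pol -and $pol.BehaviorOnFailedVerify -ne 2) {
    $findings += "Group Policy BehaviorOnFailedVerify = $($pol.BehaviorOnFailedVerify) (2 = Block)"
}

# Whatever the switches say, list drivers actually present without a signature
$unsigned = Get-CimInstance Win32_PnPSignedDriver |
    Where-Object { -not $_.IsSigned -and $_.DeviceName } |
    Select-Object DeviceName, DriverProviderName, InfName

if ($findings.Count -eq 0) {
    Write-Output 'Driver signature enforcement: no weakening switch detected'
} else {
    Write-Output 'Driver signature enforcement is weakened:'
    $findings | ForEach-Object { Write-Output "  - $_" }
}
if ($unsigned) {
    Write-Output 'Unsigned drivers present:'
    $unsigned | Format-Table -AutoSize
}
```

The boot-menu method (F8) leaves no bcdedit trace because it lasts only until the next reboot, so it can only be caught by the unsigned-driver listing at the end.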

Finally, the last and already radical option is to force the driver to be signed, which can also be done from the command line using the pnputil utility:

  • pnputil -a. The "full name" is a string in the format:
  • : /.

Conclusion

When influencing the operating system's policy on driver digital signatures, you must understand that you are interfering with the operation of the system itself and changing its environment, first of all its security. And it is not so much about viruses as about the correctness of the "third-party" driver you intend to use. Errors in a driver's implementation can be worse than the most dangerous virus. The result is the same: complete inoperability of the system and the need to reinstall it. Nevertheless, experimenting with this internal protection tool is very useful for understanding the mechanism of the operating system itself.