To disable KMCS in Windows 7 64-bit, what is the difference between
- bcdedit.exe -set loadoptions DDISABLE_INTEGRITY_CHECKS
- bcdedit.exe -set TESTSIGNING ON
Are both necessary or either one to load unsigned drivers?
Thanks for your help - Daniel
I believe support for DDISABLE_INTEGRITY_CHECKS to be completely removed (there are various Windows updates that remove it). The only way to load unsigned drivers on Win7 64-bit is if you enable test signing and leave it enabled for as long as you need the drivers.
According to the official documentation, the nointegritychecks command is ignored by Windows 7 and Windows 8:
nointegritychecks [ on | off ]
Disables integrity checks. Cannot be set when secure boot is enabled. This value is ignored by Windows 7 and Windows 8.
Since /set nointegritychecks on is an alias to -set loadoptions DDISABLE_INTEGRITY_CHECKS, I make an assumption that this command is obsoleted and no longer works.
So the answer to your question would be that only bcdedit.exe -set TESTSIGNING ON makes any sense in Windows 7 64 bit. It switches Windows to the "Test Mode" and adds a watermark at the bottom right corner of the desktop.
No, they still work. I always run them both. After reboot you will see your OS version and test mode in the bottom right corner. You can also use compatibility mode to try to force or use unsigned drivers and try under an older OS (typically works best with XP SP3 compat mode). I have been running them in all OS: Win 7, Win 8.1, Win 10 and Win Server 2012 R2. You can take a look at your BCD entries and they will be listed there also.
Test signing only concerns KMCS, while integrity checks are about the more broad general code integrity (and they would also run on the 32-bit version).
The long story short is that while the former just takes care of enforcing the certificate rules, the latter is an absolute assload of self-integrity tests, reciprocal checks between the OS loader and the boot manager and last but not least boot files verification.
It is there that they do partially overlap, but of course there is more than just boot-start drivers (and even there, while surely every properly signed image is still a valid binary too, not all .sys files with a correct checksum will necessarily have a WHQL signature or similar - if at all).
I'm just unsure on the minutiae of disabling CI. Like, even with that I believe unsigned drivers still wouldn't be allowed (only testsigned ones if any). So, is it just a remnant of some Vista RTM days guide, or was it a requirement for DSEO and friends?
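For checking which of these options are actually set on a machine (one answer suggests looking at the BCD entries), here is an added example, not written by any poster in this thread, that parses text in the layout printed by bcdedit /enum and reports entries carrying testsigning, nointegritychecks or the integrity-check load option. The sample output is constructed, and matching on the English value "Yes" is an assumption about the output locale.

```python
import re

# Constructed sample in the layout printed by `bcdedit /enum` (not captured from a real host).
SAMPLE = r"""
Windows Boot Manager
--------------------
identifier              {bootmgr}
description             Windows Boot Manager

Windows Boot Loader
-------------------
identifier              {current}
path                    \Windows\system32\winload.exe
description             Windows 7
loadoptions             DDISABLE_INTEGRITY_CHECKS
testsigning             Yes
nx                      OptIn
"""

def parse_bcd(text):
    """Split bcdedit /enum text into one {element: value} dict per BCD entry."""
    entries = []
    for block in re.split(r"\r?\n\s*\r?\n", text.strip()):
        lines = block.splitlines()
        if len(lines) < 2 or set(lines[1].strip()) != {"-"}:
            continue  # not a "title / dashed rule / elements" block
        entry, last = {"_type": lines[0].strip()}, None
        for line in lines[2:]:
            if line[:1].isspace() and last:  # continuation of a multi-value element
                entry[last] += " " + line.strip()
                continue
            last, _, value = line.partition(" ")
            last = last.lower()
            entry[last] = value.strip()
        entries.append(entry)
    return entries

def audit(entries):
    """Return (identifier, element) pairs for the settings discussed in this thread."""
    findings = []
    for e in entries:
        ident = e.get("identifier", e["_type"])
        # Assumption: English-locale output, where boolean elements print as Yes/No.
        for flag in ("testsigning", "nointegritychecks"):
            if e.get(flag, "").lower() == "yes":
                findings.append((ident, flag))
        # Substring match also catches the DDISABLE_INTEGRITY_CHECKS spelling used above.
        if "DISABLE_INTEGRITY_CHECKS" in e.get("loadoptions", "").upper():
            findings.append((ident, "loadoptions"))
    return findings
```

On a live system the input would be the saved output of bcdedit /enum run from an elevated prompt.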