How to check the digital signature of drivers. Digital driver signature as a means of increasing system security

Modern operating systems do not make installing drivers easy: they require each driver to carry a special digital signature. Sometimes you have to bypass this requirement and install drivers without a digital signature. If you want to install some special device in Windows 7, or you have a non-proprietary driver, you have to bypass digital signature verification by disabling this Windows function.

Unfortunately, Windows 7 does not allow you to disable driver signature checking as easily as previous versions of this operating system (for example, XP). Before the driver for any device is loaded, the program must be identified by its digital signature. If Windows 7 does not detect the signature and the driver fails verification, the most likely behavior of the OS will be to disable the device.

On the one hand, vendor-issued signed drivers are a real necessity in Windows 7; on the other hand, such programs very often fail verification, and the user is faced with the task of installing a driver while bypassing system protection.

Sometimes the digital signature in Windows 7 turns out to be a burden. How can you make sure that this procedure does not interfere with driver installation? In other words, how do you disable digital signature verification and avoid a system message similar to the one in the picture below:

Let's look at possible alternatives.

A special way to boot the system

In Windows 7, there is one interesting opportunity to completely abandon signature verification - we are talking about a special system boot option. This function can be disabled when the OS starts by pressing the F8 key. As a result, the familiar system menu appears, in which you need to select the item “Disable mandatory driver signature verification” or in the English version - “Disable Driver Signature Enforcement”. As soon as you log into Windows this way, all checks will be removed. In order not to be unfounded, we present the corresponding picture:

However, this method has one drawback. You can boot in this way and test the equipment. But as soon as you log into the system in the usual way, the installation of the equipment will fail. So this option can only be offered for testing.

Applying a special group policy

Another option is to enable a specific Group Policy. You need to do it like this:

  • Go to the Group Policy Editor. To do this, in the “Run” window of the “Start” menu, type the command gpedit.msc.
  • In the left panel we find a section called “User Configuration->Administrative Templates->System->Driver Installation”.
  • In the panel on the right, double-click on “Code Signing for Device Drivers”.
  • An options window will appear, in which you need to set the “Enabled” switch at the top, and select the “Ignore” value at the bottom, as in the figure:

This will allow you to completely disable driver signature verification in Windows 7 and install any hardware without problems. This option does not suffer from the disadvantages of the alternative above. Once you complete the installation, you can be sure that it will persist even after the system is rebooted.

Working with the command line

As always, the Windows console comes to the rescue. With its help, you can disable an unnecessary function like this:

  • We go to the console using the command cmd in the “Run” window.
  • We type the following sequence of commands:

(after each of them press “Enter”).

Then we restart the computer and admire the result. This is exactly what we needed.

Another thing is that installing unsigned drivers is by no means a safe undertaking. Whether you need to do this or not is up to you to decide. After all, installing this kind of system programs can result in the crash of the operating system. It’s good if you can roll back the system to its original state in safe mode.

But this does not always work out. The most reasonable solution is to look for signed device drivers, and don’t fool yourself. This can be done on the websites of manufacturers of specific equipment. It happens that we don’t even think about going to the company website, but grab the first system programs we come across on the first website we come across.

To prevent this from happening, carefully read the user manual that comes with any peripheral - they will probably point you in the right direction.

We wish you good luck in this matter!

A driver digital signature is a special mark that is added to system files (most often drivers) to increase the level of computer protection. With its help, the user and Windows itself can identify the software manufacturer (as well as other characteristics). In other words, this is a kind of driver authentication. However, the main thing that the digital signature of drivers allows is to check whether the file has been changed in any way. This is done so that the user cannot accidentally install a modified driver on Windows 7 under the guise of a verified file. However, sometimes it becomes necessary to disable this function.

The digital signature is applied by the manufacturer (or publisher) and guarantees the device’s compatibility with the Windows 7 operating system.

The absence of a digital signature may mean the following:

  • The drivers have not passed the security check.
  • The software was published or produced by an unverified company (with a low level of trust).
  • The drivers have been modified from outside (for example, infected with malware).
  • The manufacturer does not guarantee that drivers will work correctly with different versions of the Windows operating system.

Therefore, it is most logical to install only those drivers that have a digital manufacturer’s mark. However, this does not always completely guarantee user safety. Likewise, its absence does not always mean a clear threat to the system.

Why disable authentication?

The presence of a digital signature on a driver or any other system file, by default, allows the system to perceive such programs as “safe”. But, as we have already found out, this is not always the case. If you are going to install a driver from an unverified source, then during installation Windows will give you a system notification that will tell you: “The driver you are about to install is not signed.”

There is no single correct and reliable way to find out whether the drivers have been changed or whether the file is infected. Unfortunately, Windows is designed in such a way that even if the user selects the “install anyway” option, there is a risk that the system will not allow this. Therefore the device will not work.

  1. There is no other source to download drivers.
  2. You download drivers from the manufacturer's official website, but for some reason they do not have an electronic mark.
  3. You are installing drivers from a licensed disk.
  4. You are using a rare device whose manufacturers have released drivers without a digital signature.

In any case, installing unauthenticated drivers is recommended only as a last resort if there is no other alternative.

How does the verification take place?

Before you turn off authentication, it's worth understanding how it works. For this purpose, Windows 7 provides a special system utility, sigverif. To run this application, follow these steps:

Problems with installing drivers without an electronic mark

If you install a driver without a digital signature, the device will be marked with a yellow exclamation mark in Device Manager.

However, its presence does not always mean that the problem is the lack of an electronic signature. Therefore, in addition to the icon with an exclamation mark, the status should contain an additional system notification explaining the reason for this behavior of the device.

Another system notification may indicate the problem of the lack of an electronic signature. Therefore, if you are sure that you have downloaded a working driver distribution, but they are not installed, the problem may be with the digital mark. Therefore, in order for the device to work, you must disable authentication.

If you still urgently decide to disable electronic signature verification, then the first thing you need to do is run the “Run” system utility. For this:


Cannot find gpedit.msc

If you see a system notification that the gpedit.msc system utility cannot be found, then your version of Windows does not include it.


The peculiarity of this method is that it allows you to install all programs without an electronic mark once, immediately after turning on the computer. After the next reboot of the device, the settings will return to their original position. However, any files you install will continue to work. Therefore, if you again need to install any files without a signature, you must repeat this procedure again. This method is suitable for those who need to install multiple drivers without having to change security settings again.

Whether it is necessary to disable the security check of installed programs (with an electronic mark) is up to everyone to decide. Of course, sometimes you can’t do without it. We strongly recommend that you turn off the check only in extreme cases and install drivers from official websites and licensed disks.


Let's look at how to disable checking digital signatures of drivers. If you try to install a file without such a signature, errors may occur or the system may refuse to install. The only way to solve the problem is to disable the function.

To find where the digital signature settings window is located in your operating system, follow the instructions that apply to your operating system. After deactivating the option, you can easily install any programs and libraries that do not have a signature ID.

Why is a driver digitally signed?

A digital signature is a so-called mark on a file or library that guarantees its security. It is necessary so that the user can find out about the origin and developer of the application. The signature is also verified by the operating system itself at the initial stage of installation of any executable file.

If this attribute is missing or certain errors are found in it, the installation will not begin, and the user will be notified of the possible danger that may result from using an unidentified program.

The digital signature is displayed in a pop-up window as soon as the user starts installing the executable file. In this window, you must give the OS additional permission to run the installation wizard. Here you can see the name of the certificate. It is indicated after the program name. The figure below shows an example of displaying the User Account Control window, in which the application's digital signature is the Publisher field.

Fig. 1 – example of a program certificate verification window

The digital signature is embedded not only in standard applications and system libraries. It can also be found in driver software. A driver is a program that is responsible for configuring the operation of PC hardware components and devices connected to it (video card, mouse, keyboard, printer, microphone, etc.). As a rule, all drivers are installed through the Device Manager window. It allows you to configure automatic configuration updates for any connected device.

Often users download drivers from third-party sources. Some of them may be custom (unofficial), so a certified signature is almost always missing in such files. In this case, the computer will detect the absence of an identifier and you will not be able to complete the installation.

Also, configuration errors may occur on Windows. Because of this, even a driver with an official digital signature can be identified as a potential security threat to the PC. 64-bit versions of the OS immediately block installation and delete the application file if the digital signature is not detected.

The Windows error window that appears may indicate one of the following problems:

  • “No driver signature”;
  • “The system cannot verify the program manufacturer”;
  • "Windows requires a digitally signed driver."

Fig. 2 – example of a Windows Security error window

The easiest solution to the problem is to disable digital signature verification. The process for configuring this setting may vary depending on the version of Windows installed on your computer.

Before disabling this feature, the user must be aware of all possible threats to the operating system and computer. The system may not recognize the signature due to its forgery or unsafe content. In most cases, it's best to avoid using apps without a digital ID.

Disabling the function in Windows 7

In Windows 7, the system Group Policy Editor is responsible for the option to enable/disable signature verification. Its window can be opened using the command line. Follow the instructions:

  • Open the Run window by pressing the Win and R buttons simultaneously;
  • Enter the command shown in the figure and click OK;

Fig. 3 – command to open a window with a Windows policy group

  • In the window that appears, open the “User Configuration” tab. Then click on “Administrative Templates”. In the “System” tab, click on the “Driver Installation” option;
  • In the right part of the window, select “Digital signing of devices”;

Fig. 4 – “Driver Installation” tab in the OS Group Policy window

  • Disable ID verification in the new window and save your changes.

Fig. 5 – disable scanning for Windows 7

Instructions for Windows 8 and 8.1

For both versions of Windows 8, disabling driver signature verification works the same way. As in the previous option, you need to work with the Local Group Policy Editor. Enter the gpedit.msc command in the Run window to open the Settings window or enable the Policy Editor through the Control Panel. Next, follow these steps:

  • On the left side of the window, go to the “System” directory, as shown in the figure below, and go to the driver installation policy folder. In the right part of the system window, click on the “Digital signature” item with the right mouse button.

Fig. 6 – check option status

  • Click on "Edit";
  • In the new window, select the “Enabled” option, and then set the “Options” column to “Skip”;
  • Click OK and exit the Group Policy Editor.

Now, even after rebooting the operating system, checking for a digital signature will not be enabled. To enable the function, go back to the system editor window and configure the verification parameter.

Fig. 7 – disable scanning in Windows 8 and 8.1

Another way to disable the function is to use the command line. You can disable the option by entering one simple command. Go to the Run window and launch Command Prompt with the cmd command:

Fig. 8 – command to activate the line

In the window that opens, enter the command shown in the figure below. To re-enable the option, change the identifier OFF to ON.

Fig. 9 – command to disable signature verification

Instructions for Windows 10

Most of the functions and parameters of the new Windows 10 are similar to the eighth version of the system. Disabling the option to constantly check digital driver IDs can be done in the Group Policy window:

  • Go to the editor as shown in the instructions for Windows 8;
  • Open the window for enabling/disabling signature verification;
  • Select "Disabled";
  • Leave the field empty in the parameters column;
  • Save your changes.

Fig. 10 – disable the option in Windows 10

If there is no zero (empty) value in the drop-down list, select “Skip”. To deactivate using the command line, you need to use two commands. The first is for loading options, the second is for disabling the function. Both commands and the order in which they are executed are shown in the figure below:

Fig. 11 – Disable using Command Line in Windows 10

Disabling Windows Defender

Newer versions of Windows OS (8.1 and 10) have a built-in defender, which also checks the security level of any executable file. Sometimes, simply disabling digital signature verification may not be enough, because Defender may identify the file as dangerous. In this case, it will be immediately deleted or quarantined (depending on the defender settings).

Fig. 12 – Windows Defender main window

If, after disabling driver signature verification, a system window appears about unsafe content in a file, you must disable the Windows Defender service to continue installing it. Follow the instructions:

  • Open a Windows Defender window;
  • Check the utility's operating status, and then click on the “Options” tab;
  • You will be redirected to Windows System Settings. In it you need to disable the real-time protection and cloud protection options.

Fig. 13 - disabling Windows protection

Installing drivers without a digital signature should only be done if you are absolutely sure that the file is safe. For example, if you are a developer and have created an application that does not yet have a signature.

The installation file is reliable if you downloaded it from the developer's site. Often the latest driver versions may be incorrectly detected by the digital signature verification server. This indicates that the developer has not yet entered the identifier data into the system or that work on improving the driver is still active. In this case, disabling signature verification and protector will not cause any damage to the installed operating system.

Disabling the function via BIOS

You can disable the signature verification function through the BIOS while loading the operating system. This method is only suitable for those drivers that install components without the need to further reboot the device. Follow the instructions:

  • Turn on your computer and activate the BIOS. To do this, in the first few seconds after pressing the Power key, press F8 or another key that is indicated in the boot window;
  • Navigate the menu using the up and down keys. Selecting is pressing the Enter key. Go to the advanced boot options window;
  • Select "Disable Driver Signature Verification".

Fig. 14 - disabling scanning in BIOS

As a result of selecting this field, Windows will reboot and start in a mode that does not provide for checking the digital signature of the driver software. You can now install the component. The installation error and prohibition window will not appear.

It is worth noting that this mode will only be active until the next computer restart. Make sure that the driver is working correctly, otherwise it may be deactivated after turning on the system again. If the warning window still appears during the installation phase, simply close it and the process will continue automatically without changes.

Create a digital signature manually

If for some reason you were unable to disable the function or the system still requires a digital signature of the installation file, you should assign this identifier to the driver yourself. You can use a number of special applications for this.

DSEO is a popular utility for installing and editing digital signatures for any type of software. Follow the instructions:

  • After installing DSEO, open the program as an administrator;
  • In the main window, select Test Mode and go to the next window by pressing the Next button;
  • Click on the Sign a System File option to sign a specific system file and click on Next again;
  • In the pop-up window, select the file for which a suitable digital signature will be created and click OK;
  • Wait for the process to finish running and close the program.

Now you can install the selected driver on your computer.

Fig. 15 – working in the DSEO program


How to disable driver digital signature verification in Windows

It cannot be said that the digital signature of the driver is akin to that widow of a retired lieutenant who flogged herself, but analogies simply suggest themselves. To the question: “What is a digital signature of drivers and why is it needed?” - the answer will be very simple. Firstly, this is a certain sequence of codes inserted into the code of the driver program by its developer himself, and which the operating system (in this case, Windows) knows about (or knows the algorithm for obtaining these codes).

Ways to disable digital signature verification of Windows drivers.

And secondly, it’s already quite simple and clear: when a driver is installed in the system, it checks its digital signature for authenticity. If everything matches, then the installation continues. If it doesn’t match, then, of course, it stops. The very idea of a digital signature is not new at all; it has been used for a long time (and is still used today, although more advanced mechanisms for protecting against distortion have long been developed) in information transmission systems and was often called a “checksum”. In the simplest version, it was simply a byte-by-byte “modulo 2 addition” of the entire contents of the file.

Well, then politics comes into play - for starters, the business policy of equipment manufacturing companies and, accordingly, drivers. The device has been developed, its driver has been developed, now the developer just needs to convince Microsoft to insert information about this driver into Windows so that it recognizes the device and its driver from this particular manufacturer. After all, there are plenty of third-party competing developers who can develop their own driver for the same device - better or worse, it doesn’t matter, the main thing is that it’s illegal, and therefore unacceptable for use in the system.

Further. A driver is a program, and thus subject to viruses. Moreover, such a program is an unkillable card for viruses, because the driver will be launched in any case, and by the system itself. But the virus “does not know” the digital signature of the driver, and Windows will check the authenticity of the signature every time it is installed - this is a way to protect against drivers infected with viruses and another advantage of a digital signature.

But, on the other hand, there are, indeed, plenty of drivers from “third companies” that significantly exceed the official ones in their characteristics. But they do not have a digital signature, which means they cannot be installed unless you disable driver digital signature verification in Windows. And this possibility is provided by Microsoft itself; it did not “burn bridges behind itself” here. By default, Windows boot options provide for mandatory verification of the driver’s digital signature, but this can be canceled if, of course, you understand the danger to which the system is exposed - either from a crookedly written “non-native” driver or from viruses.

A small nuance - incidentally

Disabling driver signature verification in Windows 10 or any other version is so important that some developers include it as a prerequisite for the functioning of their program. This is usually how all sorts of gaming applications behave. Here is a good example – games from the 4Game service. At the dawn of the service, it was necessary to first download a special client for drivers, but over time they decided to simply build everything necessary into browsers. This change led to a radical change in the protection policy, which was called “Frost”.

The only problem is that the new policy does not work without first disabling mandatory driver signature verification. Here, however, you will have to “turn off” your questions about how an official service can offer to disable the official system protection against piracy and viruses. But, in the end, Microsoft itself provides this opportunity. Well, then the developer’s policy in this case is not included in the current subject of the proceedings, especially if Microsoft is “not against it.”

Ways to disable driver digital signature verification

There are several ways to disable driver signature verification in Windows 7, 8 and all subsequent versions. Many of them are very similar to each other. For the first method, you need to work on the computer with system administrator rights. Start with the command line: open the main system menu by clicking the “Start” button, select “All Programs”, then “Accessories”, and in the list that opens choose “Command Prompt”. In the “black window” that opens, enter at the prompt:

  • bcdedit.exe /set nointegritychecks ON to disable mandatory driver signature checking.

To enable the check again, use a similar line, but with “OFF”:

  • bcdedit.exe /set nointegritychecks OFF

Why disabling the check is ON, and enabling it is OFF can be understood from the name of the parameter used - “nointegritychecks”, which translates as “without carrying out internal checks”.

Another possibility is also to use the bcdedit.exe system utility on the command line. But here we act in two stages. First, type and run the utility with the value of the loadoptions parameter:

  • bcdedit.exe -set loadoptions DDISABLE_INTEGRITY_CHECKS

Then with the value of the signature testing parameter testsigning:

  • bcdedit.exe -set testsigning ON

It is imperative to wait until the “Operation completed successfully” message appears in the command window; it may appear after a short delay. Driver digital signature verification is now disabled. In order for the signature verification to work again, enter the same commands, but in reverse order and with different parameter values:

  • First bcdedit.exe -set testsigning OFF
  • Then bcdedit.exe -set loadoptions ENABLE_INTEGRITY_CHECKS

The third option suggests disabling Windows 8 driver signature verification when the computer boots. This feature is very convenient if you just need to test the driver.

So, when loading, press the F8 key to enter the system boot menu, and there we select the boot with the cancellation of driver signature enforcement - Disable driver signature enforcement. When the system boots, you can install any drivers, with or without signatures, they will not be checked. Here, however, you need to understand that this feature only works until the system is rebooted.

The fourth option involves using the operating system's local group policy editor, although it does not work fully on all versions of Windows. We proceed as follows - in the Main menu of the system, select “Run” and in the line to execute type gpedit.msc. We launch the Group Policy program, which opens the window of the same name. In the window on the left, go sequentially along the folder path - “User Configuration” - “Administrative Templates” - “System”. Next, select “Driver Installation” and the “Digital Signature” parameter, which needs to be changed.

To change, either double-click on the parameter with the mouse or select the inscription on the left - “Change parameter”. To disable, select the “Disabled” switch and accept the changes (OK or “Apply” button). All Group Policy settings are enabled without rebooting the system, although if you have any doubts, you can reboot and at the same time check the status of the setting again.

We pay attention to one feature - the “Warn” switch. Selecting it when using an unsigned driver will nevertheless allow you to complete the driver installation, but it will not be accepted for work anyway.

Well, the last, already radical option is to forcefully sign the driver, which can also be done via the command line using the pnputil utility:

  • pnputil -a <full driver file name>. By “full name” we mean a string in the format:
  • <drive>:<folder path>/<file name>.<file extension>

Conclusion

When you change the operating system's policy on digital driver signatures, you need to understand that you are interfering with the operation of the system itself and changing its environment, primarily its security. And it’s not so much a matter of viruses as of the correct operation of the “left” (unofficial) driver that is supposed to be used. Errors in driver implementation can be worse than the most dangerous virus. The result is the same: complete inoperability of the system and the need to reinstall it. Nevertheless, manipulating this internal security tool is very useful for understanding the functioning of the operating system itself.

Digital signatures in Windows 7

Digital signature is an electronic tag that can be added to files for security purposes. It allows you to identify the publisher of a file (file authenticity) and determine whether the file has been modified (file integrity).

Digital signatures are commonly used by hardware manufacturers to sign device drivers. A digitally signed driver is a driver that has been published by a trusted publisher and has been tested to be compatible with the operating system installed on the computer.

If a file contains an incorrect digital signature (or no digital signature at all), this may mean that the file was published by an untrusted publisher or has been modified (for example, infected with a virus). Having a correct digital signature does not always guarantee the absence of malicious code, and its absence does not necessarily pose a threat to system security, but you should still be wary of files with an incorrect or missing signature.

Digital signature verification

In Windows 7 there is a special utility for checking digital signatures, sigverif.exe. To launch it, type sigverif.exe in the Start menu search bar and press Enter.

In the program window, click Begin and it automatically checks system files for signatures.

The test result is saved to a text file, sigverif.txt. It is stored in the Public Documents folder; you can also view it directly from the program window by clicking the Advanced button.
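A scripted counterpart to the sigverif check, as an added example that is not part of the original article: it classifies installed device drivers by signature status using records shaped like the Win32_PnPSignedDriver WMI class. The function name and the sample records are constructed for illustration, and PowerShell 3.0 or later is assumed.

```powershell
# Added example (not from the original article). Requires PowerShell 3.0 or later.
# Classifies driver records shaped like the Win32_PnPSignedDriver WMI class
# (properties DeviceName, InfName, DriverVersion, IsSigned, Signer).

function Get-DriverSignatureStatus {
    param(
        [Parameter(Mandatory = $true, ValueFromPipeline = $true)]
        [object] $Driver
    )
    process {
        if (-not $Driver.IsSigned) {
            $status = 'Unsigned'
        } elseif ($Driver.Signer -like 'Microsoft*') {
            # Includes drivers certified through Microsoft's hardware program.
            $status = 'MicrosoftSigned'
        } else {
            # Signed, but with a publisher certificate other than Microsoft's.
            $status = 'OtherSigner'
        }
        [pscustomobject]@{
            Status  = $status
            Device  = $Driver.DeviceName
            Inf     = $Driver.InfName
            Version = $Driver.DriverVersion
            Signer  = $Driver.Signer
        }
    }
}

# Constructed sample records so the logic can be run on any machine.
$SampleDrivers = @(
    [pscustomobject]@{ DeviceName = 'Sample Display Adapter'; InfName = 'oem3.inf';  DriverVersion = '27.20.1.0'; IsSigned = $true;  Signer = 'Microsoft Windows Hardware Compatibility Publisher' }
    [pscustomobject]@{ DeviceName = 'Sample USB Serial Port'; InfName = 'oem17.inf'; DriverVersion = '1.0.0.2';   IsSigned = $false; Signer = $null }
    [pscustomobject]@{ DeviceName = 'Sample Virtual Adapter'; InfName = 'oem21.inf'; DriverVersion = '9.24.2.0';  IsSigned = $true;  Signer = 'Example Vendor Ltd.' }
)

# Show only the drivers that deserve a closer look.
$SampleDrivers | Get-DriverSignatureStatus |
    Where-Object { $_.Status -ne 'MicrosoftSigned' } |
    Sort-Object Status, Device |
    Format-Table -AutoSize

# Live inventory of the local machine:
# Get-CimInstance -ClassName Win32_PnPSignedDriver |
#     Where-Object { $_.DeviceName } |
#     Get-DriverSignatureStatus |
#     Where-Object { $_.Status -ne 'MicrosoftSigned' }
```

On the constructed sample this lists the virtual adapter as OtherSigner and the USB serial port as Unsigned.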

Disabling digital signature verification

In Windows 7, requirements for installed drivers have been significantly tightened, and any installed driver must have a digital signature, verified and certified by Microsoft. Before downloading and installing the device driver, Windows will check its digital signature, and if the driver is not signed, will issue a warning.

You can ignore this warning and install the driver, but it will not work anyway. If you install an unsigned driver in Device Manager, the device will be marked with an exclamation mark and contain an error message.

The driver digital signature verification policy is designed to improve the reliability and stability of the operating system, but sometimes it becomes necessary to install an unsigned driver. Fortunately, in Windows 7 you can disable digital signature verification. There are several ways to do this:

Disable verification of driver digital signatures at boot through the boot menu. To do this, press the F8 key when loading the OS. To boot without checking digital signatures, select “Disable mandatory driver signature verification”.

Then you can download and install the necessary drivers. However, this mode is intended solely for testing and the next time you boot in normal mode, the installed driver will not work.

To load continuously in test mode, you can use the command line utility bcdedit. To do this, open a command prompt with administrator rights

And sequentially enter 2 commands:

bcdedit -set loadoptions DDISABLED_INTEGRITY_CHECKS

bcdedit -set TESTSIGNING ON

After each command is executed, a success message should appear. Now you can restart your computer and install the necessary drivers.

To disable test mode, enter the following commands on the command line:

bcdedit -set loadoptions ENABLE_INTEGRITY_CHECKS

bcdedit -set TESTSIGNING OFF

Important: if a message is displayed stating that the command is unknown, then instead of a hyphen (-), keys can be written using a slash (/).

And finally, you can simply disable verification of driver digital signatures through Group Policy. To launch the Group Policy snap-in, type gpedit.msc in the Start menu search bar and press Enter. In the policy menu, go to User Configuration\Administrative Templates\System\Driver Installation and select the policy “Digital signature of device drivers”.

In the window that appears, enable the policy and specify the Skip option as the system action when unsigned drivers are detected.

After the reboot, the policy will be applied and you will be able to download and install any drivers, including unsigned ones.
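To confirm whether any of the bcdedit or Group Policy settings described above are in effect on a machine, the following PowerShell audit is an added example, not part of the original article. It parses English-language `bcdedit /enum {current}` output (a constructed sample is embedded) and, in live mode, reads the registry value that the driver code-signing policy is assumed to write; function names, the sample text and the registry mapping are assumptions, and PowerShell 3.0 or later is required.

```powershell
# Added example (not from the original article): report boot and policy settings
# that weaken driver signature enforcement. Function names are illustrative.

# Constructed sample of English `bcdedit /enum "{current}"` output.
$SampleBcd = @'
Windows Boot Loader
-------------------
identifier              {current}
device                  partition=C:
path                    \Windows\system32\winload.exe
description             Windows 7
loadoptions             DDISABLE_INTEGRITY_CHECKS
testsigning             Yes
nointegritychecks       Yes
nx                      OptIn
'@ -split '\r?\n'

function Get-BcdSigningFinding {
    param(
        [Parameter(Mandatory = $true)]
        [AllowEmptyString()]          # live bcdedit output contains blank lines
        [string[]] $BcdLines
    )
    foreach ($line in $BcdLines) {
        # Each element is printed as "<name><spaces><value>".
        if ($line -match '^\s*(\S+)\s+(.+?)\s*$') {
            $name  = $Matches[1].ToLowerInvariant()
            $value = $Matches[2]
            $weak = switch ($name) {
                'testsigning'       { $value -eq 'Yes' }
                'nointegritychecks' { $value -eq 'Yes' }
                # Covers the spellings used on this page (DDISABLE_, DDISABLED_).
                'loadoptions'       { $value -match 'DISABLED?_INTEGRITY_CHECKS' }
                default             { $false }
            }
            if ($weak) {
                [pscustomobject]@{ Source = 'BCD'; Setting = $name; Value = $value }
            }
        }
    }
}

function Get-PolicySigningFinding {
    # Assumption: the driver code-signing policy is stored per user as the DWORD
    # BehaviorOnFailedVerify (0 = Ignore, 1 = Warn, 2 = Block) under this key.
    $key  = 'HKCU:\Software\Policies\Microsoft\Windows NT\Driver Signing'
    $item = Get-ItemProperty -Path $key -Name BehaviorOnFailedVerify -ErrorAction SilentlyContinue
    if ($item -and $item.BehaviorOnFailedVerify -lt 2) {
        [pscustomobject]@{
            Source  = 'Policy'
            Setting = 'BehaviorOnFailedVerify'
            Value   = $item.BehaviorOnFailedVerify
        }
    }
}

# Offline demonstration on the constructed sample (reports three BCD findings).
Get-BcdSigningFinding -BcdLines $SampleBcd | Format-Table -AutoSize

# Live check from an elevated prompt on an English-language system:
# Get-BcdSigningFinding -BcdLines (bcdedit /enum '{current}')
# Get-PolicySigningFinding
```

An empty result from the live check means none of these switches is set for the current boot entry and user.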