{
	"id": "2261bb0b-051f-46aa-9f64-f389bc14ccc5",
	"created_at": "2026-04-06T00:16:29.475393Z",
	"updated_at": "2026-04-10T13:11:41.824746Z",
	"deleted_at": null,
	"sha1_hash": "561652418039b64e8311933b15008b4bdcd4551c",
	"title": "Installing an Unsigned Driver During Development and Test - Windows drivers",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 45420,
	"plain_text": "Installing an Unsigned Driver During Development and Test -\r\nWindows drivers\r\nBy EliotSeattle\r\nArchived: 2026-04-05 22:47:52 UTC\r\nBy default, 64-bit versions of Windows Vista and later versions of Windows will load a kernel-mode driver only if\r\nthe kernel can verify the driver signature. However, this default behavior can be disabled during early driver\r\ndevelopment and for non-automated testing. Developers can use one of the following mechanisms to temporarily\r\ndisable load-time enforcement of a valid driver signature. However, to fully automate testing of a driver that is\r\ninstalled by Plug and Play (PnP), the catalog file of the driver must be signed. Signing the driver is required\r\nbecause Windows Vista and later versions of Windows display a driver signing dialog box for unsigned drivers\r\nthat require a system administrator to authorize the installation of the driver, potentially preventing any user\r\nwithout the necessary privileges from installing the driver and using the device. This PnP driver installation\r\nbehavior cannot be disabled on Windows Vista and later versions of Windows.\r\nWindows Vista and later versions of Windows support the F8 Advanced Boot Option -- \"Disable Driver Signature\r\nEnforcement\" -- that disables load-time signature enforcement for a kernel-mode driver only for the current\r\nsystem session. This setting does not persist across system restarts.\r\nAttaching an active kernel debugger to a development or test computer disables load-time signature enforcement\r\nfor kernel-mode drivers. To use this debugging configuration, attach a debugging computer to a development or\r\ntest computer, and enable kernel debugging on the development or test computer by running the following\r\ncommand:\r\nbcdedit -debug on\r\nTo use BCDEdit, the user must be a member of the Administrators group on the system and run the command\r\nfrom an elevated command prompt. 
To open an elevated Command Prompt window, create a desktop shortcut to\r\nCmd.exe, select and hold (or right-click) the shortcut, and select Run as administrator.\r\nHowever, there are situations in which a developer might need to have a kernel debugger attached, yet also need to\r\nmaintain load-time signature enforcement. For example, when a driver stack has an unsigned driver (such as a\r\nfilter driver) that fails to load it may invalidate the entire stack. Because attaching a debugger allows the unsigned\r\ndriver to load, the problem appears to vanish as soon as the debugger is attached. Debugging this type of issue\r\nmay be difficult.\r\nIn order to facilitate debugging such issues, the kernel-mode code signing policy supports the following registry\r\nvalue:\r\nHKLM\\SYSTEM\\CurrentControlSet\\Control\\CI\\DebugFlags\r\nThis registry value is of type REG_DWORD, and can be assigned a value based on a bitwise OR of one or more\r\nof the following flags:\r\n0x00000001\r\nThis flag value configures the kernel to break into the debugger if a driver is unsigned. The developer or tester can\r\nthen choose to load the unsigned driver by entering g at the debugger prompt.\r\n0x00000010\r\nThis flag value configures the kernel to ignore the presence of the debugger and to always block an unsigned\r\ndriver from loading.\r\nIf this registry value does not exist in the registry or has a value that is not based on the flags described previously,\r\nthe kernel always loads a driver in kernel debugging mode regardless of whether the driver is signed.\r\nNote  This registry value does not exist in the registry by default. 
You must create the value in order to debug the\r\nkernel-mode signature verification.\r\nSource: https://docs.microsoft.com/en-us/windows-hardware/drivers/install/installing-an-unsigned-driver-during-development-and-test",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://docs.microsoft.com/en-us/windows-hardware/drivers/install/installing-an-unsigned-driver-during-development-and-test"
	],
	"report_names": [
		"installing-an-unsigned-driver-during-development-and-test"
	],
	"threat_actors": [
		{
			"id": "75108fc1-7f6a-450e-b024-10284f3f62bb",
			"created_at": "2024-11-01T02:00:52.756877Z",
			"updated_at": "2026-04-10T02:00:05.273746Z",
			"deleted_at": null,
			"main_name": "Play",
			"aliases": null,
			"source_name": "MITRE:Play",
			"tools": [
				"Nltest",
				"AdFind",
				"PsExec",
				"Wevtutil",
				"Cobalt Strike",
				"Playcrypt",
				"Mimikatz"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434589,
	"ts_updated_at": 1775826701,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/561652418039b64e8311933b15008b4bdcd4551c.pdf",
		"text": "https://archive.orkl.eu/561652418039b64e8311933b15008b4bdcd4551c.txt",
		"img": "https://archive.orkl.eu/561652418039b64e8311933b15008b4bdcd4551c.jpg"
	}
}