Windows 10: Testing /INTEGRITYCHECK using self signed exe

I am using /INTEGRITYCHECK linker option for enforcing digital signature check. For testing this property, I created a test certificate using makecert, added it as trusted publisher. Then signed the exe with /INTEGRITYCHECK using this certificate. But when I try to run it, it is getting blocked by Windows Defender.

Is it possible to test the /INTEGRITYCHECK option using a self signed test certificate? Or an authorized certificated is needed for testing also?

:)

 

Test Sign mode

Hi Koutz,

The test mode message indicates that the test signing mode of the operating system is started on the computer. The test signing mode may start if an installed program is in a test phase because it uses drivers that are not digitally signed by Microsoft.

I'd like to know some details of the concern to help provide the appropriate resolution. Kindly answer the following question below:

• Which build and version of Windows 10 are you running?
• Is BitLocker enabled on your computer?

For you to disable the test mode, you will need to run it as an administrator. To do this:

• Search cmd on the taskbar then right-click on
  Command Prompt then select Run as administrator.
  If you are prompted by a User Account Control window, tap or click Yes.
  
• In the Command Prompt window, type the following command, and then press Enter:bcdedit -set TESTSIGNING OFF
  
• After you see the confirmation, close the Command Prompt window.
• Save any unsaved work, and then restart the computer.

If it still wouldn't disable the test mode, I suggest that you enable the built-in administrator account so you can disable this feature. Please note that you will be using this solely for troubleshooting purposes only. I do recommend disabling this after
the troubleshooting to avoid messing up your computer's functionality.

To enable the built-in administrator account, follow these steps:

• Type cmd in the search bar, right-click Command Prompt, and then click
  Run as Administrator.
• When you are prompted by User Account Control, click Continue.
  
• At the command prompt, type net user administrator /active:yes, and then press Enter.
• Type net user administrator <Password>, and then press Enter.
  
  Note In this command, <Password> represents the actual password that you want to set for the administrator account.
• Type exit, and then press Enter.
• Log off the current user account.
• Log back in with the admin account then disable the test mode by following the steps above or you can refer to this
  link.

To disable the built-in administrator account, follow these steps:

• Type cmd in the search bar, right-click
  Command Prompt, and then click Run as Administrator.
• When you are prompted by User Account Control, click Continue.
  
• At the command prompt, type net user administrator /active:no, and then press Enter.
• Type exit, and then press Enter.
• Log off the current user account.

Update us with the results.

 

Is it possible to load a self-signed driver on Windows 10 without Test Mode?

I am referring to the latest x64 build of Windows 10 Pro version 1809. The machine in question can have Secure Boot either enabled or disabled, and is capable of custom secure boot keys.

The driver in question must be loaded at boot, and is one I have written for my personal use on my daily-driver laptop, hence I am hesitant to use Test Mode for security reasons, or to go through the hassle and cost of a paid certificate.

Is there some sort of facility to load a driver signed by my own key, where said key can be manually trusted in Windows and in Secure Boot, without blanket-allowing all drivers (i.e. Test Mode)?

There is an article that suggests this is possible - Licensed Driver Signing in Windows 10 - however there is a tidbit at the bottom that, for me, invalidates the approach:

Has anyone been successful in persistently loading a self-signed driver using this or a similar approach?