How to install unsigned drivers on Windows 7?

I'm trying to install FreeOTFE on 64bit Windows 7. FreeOTFE comes with many drivers for various encryption algorithms, that need to be installed.

Windows gives me the error, that since those aren't signed drivers, they won't be installed.

How do I turn those signature checks off, and back on?

I tried setting boot config values:

bcdedit -set loadoptions DISABLE_INTEGRITY_CHECKS
bcdedit -set TESTSIGNING OFF

But after a reboot, things were still the same.

All I know is, that I need to switch Windows into test mode, but how do I do that? The other alternative is to install a 3rd-party tool, to temporarily override the signature enforcement, but I don't really want that.

polemon

Posted 2011-09-08T02:37:35.380

Reputation: 2 531

Answers

There is information here on how to install FreeOTFE on Windows 7 x64 machines.

Although I experienced some kinks, these were the steps I needed to get it working:

Enable testsigning (on 64-bit machines);
- run a command prompt with admin rights;
  - type cmd in the start menu dialog, right-click and run as administrator;
- enable testsigning for your currently booted Windows installation by typing bcdedit.exe /set TESTSIGNING ON
Reboot your machine.
Make sure the FreeOTFE installer is not EFS encrypted (colored green in explorer).
- This is why the installation failed for me before. My AppData is EFS encrypted. Hence, the downloaded installer was also encrypted. So the installed driver files in the system32 were also encrypted. The drivers need to be loaded by SYSTEM, but SYSTEM does not have my personal encryption certificates so it cannot load the drivers.
Run the FreeOTFE installer as administrator (right-click, etc).

Tested on Windows 7 Pro x64 and Windows 7 Ultimate x64.

Note that FreeOTFE just mounts your LUKS drive. It does not give EXT4 support to Windows. What I did to use my LUKS volume both on Windows and Linux is use a LUKS container with an NTFS volume because it can be read/written by both Windows and Linux out of the box.

Just don't use EFS or NTFS Compression on the LUKS volume from within Windows, because ntfs-3g (Linux) cannot read that.

2015-02-25 edit

Note that FreeOTFE is discontinued. The fork that is now in active development is DoxBox.

Redsandro

Posted 2011-09-08T02:37:35.380

Reputation: 496

Thanks, this kinda helped. Installing FreeOTFE didn't get easier with this though. And sadly, I can't ask anyone else to go through those steps. It seems LUKS will stay only at Linux forever... – polemon – 2012-02-22T00:07:59.130

I just got it working on my new installation. LUKS drive mounted on Windows 7 x64. The only downside is "test mode" (or something) displayed on the botton right of the desktop. I've edited my answer to reflect the steps I needed to take. Hope it helps! – Redsandro – 2012-02-22T11:51:58.120

The following should help you. It's taken from the Kernel-Mode Code Signing Walkthrough, v1.1c, page 24. It refers to Windows Vista as Windows 7 hadn't been released at the time of writing. It applies to Windows 7 as well as Windows Vista.

Step 2: Enable the Kernel-Mode Test-Signing Boot Configuration Option Test-signed kernel-mode software cannot be loaded on a default Windows Vista system. The test-signing boot configuration option must be manually enabled before the kernel can verify test-signed drivers. To use the BCDEdit tool to enable the boot configuration test-signing option

Open an elevated command window by right-clicking the icon and clicking Run as Administrator.
Use the following command to enable test-signing:
bcdedit.exe /set TESTSIGNING ON

Note: BCDEdit is the new boot configuration editor and is included with Windows Vista and later versions of Windows. For more information on BCDEdit, see the white paper titled “Boot Configuration Data in Windows Vista.” When the BCDEdit option for test-signing is enabled, Windows Vista does the following:

Displays a watermark with the text “Test Mode” in all four corners of the desktop, to remind users the system has test-signing enabled.
The operating system loader and the kernel load drivers that are signed by any certificate. The certificate validation is not required to chain up to a trusted root certification authority. However, each driver image file must have a digital signature.

Hand-E-Food

Posted 2011-09-08T02:37:35.380

Reputation: 4 711