Windows OS has several watermarks that appear when certain situations warrant it so. One of them is the Test Mode watermark. This watermark may appear in the bottom right part of your Windows desktop if you install an application whose drivers are not digitally signed by Microsoft and if they are still in the testing phase.
What is Test Mode in Windows
Most are familiar with For testing purposes only, Evaluation copy, Safe Mode, etc watermarks. The Test Mode is not so familiar a watermark, however!
The TESTSIGNING boot configuration option determines whether Windows 7 or Vista will load any type of test-signed kernel-mode code. This option is not set by default, which means test-signed kernel-mode drivers will not load on 64-bit versions of Windows Vista and later versions of Windows.
For 64-bit versions of Windows 11/10/8/7/Vista the kernel-mode code signing policy requires that all kernel-mode code have a digital signature. However, in most cases, an unsigned driver can be installed and loaded on 32-bit versions of Windows Vista and later versions of Windows, explains Microsoft.
The TESTSIGNING boot configuration option is enabled or disabled through the BCDEdit command.
To enable test-signing, use the following BCDEdit command:
Bcdedit.exe -set TESTSIGNING ON
To disable test-signing, use the following BCDEdit command:
Bcdedit.exe -set TESTSIGNING OFF
To use BCDEdit, you must be a member of the Administrators group on the system and run the command from an elevated command prompt. To open an elevated Command Prompt window, create a desktop shortcut to Cmd.exe, right-click the Cmd.exe shortcut, and select Run as administrator
When the BCDEdit option for test-signing is enabled, Windows does the following:
- Displays a watermark with the text “Test Mode” in all four corners of the desktop, to remind users the system has test-signing enabled. However, starting with Windows 7, Windows displays this watermark only in the lower left-hand corner of the desktop.
- The operating system loader and the kernel load drivers that are signed by any certificate. The certificate validation is not required to chain up to a trusted root certification authority. However, each driver image file must have a digital signature.
As mentioned earlier, this watermark may appear if you install an application whose drivers are not digitally signed by Microsoft and they are still in the test phase. You can of course use sigverif command to check if there are any unsigned drivers and to which application/device they are tied with.
Remove Test Mode watermark in Windows
If, in the rare eventuality, you get to see the Test Mode | Windows | Build watermark on the bottom right part of your Windows desktop, for reasons unknown to you, you may have to re-enable driver checking first. Open a Command Prompt as an Administrator and enter the following commands:
bcdedit.exe -set loadoptions ENABLE_INTEGRITY_CHECKS
Hit Enter. Now type:
bcdedit.exe -set TESTSIGNING OFF
Hit Enter.
Alternatively, you can also use Microsoft Fix it 50756 from KB2509241 to remove the Test Mode watermark easily.
Should help!
wow nice info baby
Beware! Rootkit type “Necurs.a” hidden malware started to use the “bcdedit.exe -set TESTSIGNING ON” command to be able to infect 64-bit versions of Windows 7 and Vista during the late spring 2011 period.
This way the hackers do not have to steal a genuine driver signing cert (from Realtek, Marvell or any other vendor) to be able to inject code into the OS kernel. They can now sign off their own in test mode, with just a small corner notice appearing on Windows 7 desktop.
I can’t comprehend why Microsoft devs failed to restrict the TESTSIGNING functionality to the speifically developer-minded “Windows Check/Debug” editions. There is zero reason to allow by-passing Patch Guard and other important 64-bit defenses on common use home and office computers! It is like building a huge fortress with trenches around and posting a notice to say the draw-bridge crank is accessed under the rug.
i know this is an old post but i typed in both pf these commands and got process succesful messages or whatever they say, but when i closed the command box, the watermark was still there. and i did run it as admin
You would need to restart, drivers are loaded at boot which is what bcdedit changes, boot preferences, after a restart it will boot with driver signing enabled, I have seen options for driver signing also come up when pressing F8 on boot, the option is to disable it, so you may find the option to enable it there too if it is already disabled
On ok gotcha, I’ll check when I’m back home again, I can’t remember if it worked or not lol
The instructions are partially wrong. “CopyBcdedit.exe” is not correct; it should be “Bcdedit.exe”
Thanks. Don’t know how that ‘copy’ crept it. Edited.
If you want to preserve TEST MODE but remove the watermark, then just use the following app http://www.4shared.com/zip/qPtZmujZce/RemoveWatermark_20090509.html
Seems to me that you are not removing just the watermark but removing the test mode itself.
So the name of thread should be “Removing test mode”
“For 64-bit versions of Windows 7 & Vista the kernel-mode code signing policy requires that all kernel-mode code have a digital signature. However, in most cases, an unsigned driver can be installed and loaded on 32-bit versions of Windows Vista and later versions of Windows, explains MSDN.”
Oh thank you so much for this. I’ve spent about 4 days already trying to figure out how to load an unsigned driver and now at least I can be sure that I cannot. I’ve been through gpedit.msc, these cmd commands and others… the f8 at bootup, and choosing “disable signing” option, NOTHING will get an unsigned driver on my system. OK. Few things about this:
1. I’m trying to get a realtek audio driver on my system, downloaded from their website. I was directed to realtek’s website from my motherboard’s drivers listing. So what I’m doing isn’t “unsafe” but they should still provide a signed one. They aren’t some community project or something.
2. Since it’s the AC’97 driver, I figure I might be able to download it from Microsoft’s download site directly, assuming I can search for it effectively. Might be better off using google.
3. I don’t think this was thoroughly thought out by Microsoft. There are several options one can set, in expectation of being able to do this. It wastes a lot of IT time and money to leave them active, and apparently functioning with positive messages like “command successful” and such. At least at the F8 screen, they should have a note that says you cannot do that ever so there is an end to the searching. This way people spend hours and days looking for solutions that every website says will work, but does not.
4. The “unsigned driver” warning (red warning) should have the message that this will never be allowed on the current system, if that is true, and a link to a search option for looking at the MS downloads that are similar. Kind of like the crash detection and information message that then gives you a solution if one is available.
But seriously, this was a mistake on MS’s part. People will do dumb things like I did and accidentally uninstall a driver instead of disable it, and then it doesn’t even show up if you check all the places you should check for “show hidden devices” (there are at least 3 of these too!), and you’re stuck looking for a disk, or downloading a new copy of a driver. Not to mention, people need not make any mistakes. Drivers get corrupted all the time. If such a heavyhanded action is needed, then it should have a smoother recovery option.
Speaking of recovery, by the time you realize it happened to someone in your organization, it’s too late to try “recovering” to an earlier working version. They’ve been ignoring it or trying to fix it for weeks themselves. It’s not very likely that you will have a clean earlier restore point to work with unless you recently made one manually, or automated it and have several versions saved.
Well I realize you said this 5 years ago, but a lot of people fall into the “everyone should do it this way” trap with computers. The reason is, that stuff happens and people at home and in IT departments spend way too much wasted time trying to fix what can’t be fixed. Those options are there and they don’t work anyway (see my previous comment), misleading people into thinking they can fix something they cannot. And as a result your concern is already addressed. In 64-bit, no option in the world will allow unsigned drivers onto the system. So, no more worries, but lots more problems. You can either have security or efficiency, not both. As a fellow Hungarian, you should know that already. Our shared history proves it.