Windows Test Mode: Enabled after Factory Recovery

Modifyinc

I noticed today my Windows 7 Pro x64 version of windows is running in Test Mode. Not sure how long it has been in this mode and I just didn't notice it, because I had a shortcut icon sitting in the bottom right corner that pretty much made it impossible to see. Well today I moved that icon and noticed it. I googled it and discovered its purpose and why someone might want to use it. Unfortunately, none of the reasons explained why it would be enabled on a system without the user explicitly enabling it, and on a 64bit OS.

Also, none of the results made any reference to it as something to be concerned about. If it's enabled they tell you how to disable it. I'm sorry, but I'm concerned how a Windows 7 64bit system can enable Test Mode on its own. I'm thinking a rootkit or some other type of malware has possibly compromised my system. I had just removed CryptWall 3.0 from my system, so you can understand why I was concerned when I saw my system was in Test Mode. How do I know whether or not the Test Mode allowed the malware into my system? If I didn't enable it, then I'm thinking the malware did.

So to be extra safe, I restored my system to factory settings and chose NOT to restore any of my personal files. Guess what I noticed after the factory restore in the bottom right corner of my screen: Test Mode.

Can someone please explain how this is possible? Is the setting saved in the boot configuration data or something? If so, is this not restored during a factory restore? Could malware have compromised the manufacturer's Recovery process?

Mike
 

My Computer

Computer Manufacturer/Model Number
Custom Built
OS
Windows 7
CPU
AMD Athlon 64 X2 Dual Core Processor 5000 2.6 Ghz
Motherboard
Gigabyte MA78GM
Memory
4GB
Graphics Card(s)
Radeon 3200
Sound Card
RealTek HD
Monitor(s) Displays
Samsung LCD
Hard Drives
1TB WD
600GB WD
320GB WD
320GB WD
admin cmd prompt:

bcdedit /set TESTSIGNING OFF
 

My Computers

System One System Two

  • Computer type
    PC/Desktop
    OS
    7 X64
    CPU
    i5 8400
    Motherboard
    gigabyte b365m ds3h
    Memory
    2x8gb 3200mhz
    Hard Drives
    various
    PSU
    pure power 11 400w cm
    Case
    Coolermaster
    Cooling
    cryorig m9i
  • Computer type
    PC/Desktop
    OS
    7x64
    CPU
    g5400
    Motherboard
    ga b365m ds3h
    Memory
    8gb ddr4 2400
    PSU
    xfx pro 450w
admin cmd prompt:

bcdedit /set TESTSIGNING OFF

This did not address any part of my question, but only reinforced my prior statement that people seem to want only to offer how to disable it. Page after page explains how to disable it, but not one page explains how it might have become enabled without user interaction. I'm beginning to think the reason is because no one truly knows anything else about it.

I know how to disable it, what I don't know is how it became enabled in the first place and can stay enabled after a Factory reset.

Mike
 

I had to run in test mode for a couple of years in my previous install due to enabling SLI on a non-supported motherboard. Never had an issue with malware. You can however scan with Malwarebytes Anti-Malware free (enable rootkit scanning in settings - detection). I would guess the recovery partition is not affected by malware.

Unfortunately I don't know why test mode persisted after a recovery.
 

My Computer

Computer type
PC/Desktop
Computer Manufacturer/Model Number
Custom Build
OS
Windows 7 Ultimate x64 SP1
CPU
AMD Phenom 2 1090T
Motherboard
Gigabyte GA-890FXA-UD5
Memory
2x8GB Kingston HyperX Fury Black 1600Mhz Unganged
Graphics Card(s)
MSI GTX 970 Gaming 4G
Sound Card
Realtek On-Board HD 7.1 Audio / Logitech G35
Monitor(s) Displays
3xAcer GD245HQ
Screen Resolution
1920x1080
Hard Drives
Samsung 850 Pro 512GB SSD - OS /
WD Caviar Black SATA 3 - 1 TBx2 - Dynamic RAID 0 /
WD Caviar Green SATA 2 - 640GBx2 - Dynamic RAID 0 /
WD Caviar Green SATA 2 - 640GB - Internal Backup /
Seagate Barracude SATA 3 - 3TB - External Backup/ Sync
PSU
HighPower 1000W
Case
Cooler Master HAF 932
Cooling
Noctua NH-D14
Keyboard
Logitech G19
Mouse
Logitech G500
Internet Speed
100/4 Mbit Cable (100GB quota)
Antivirus
ZoneAlarm Extreme Security / MBAM Pro / MBAE Free / SAS Free
Browser
IE 11 - Firefox - Chrome
Other Info
Logitech F710/ G27/ G940/ Z5500 // TrackIR 5 // Nvidia 3D Surround Vision
As your rig is a custom build, I'd be more concerned about where you got your OS from, especially if you bought it online.

I would suggest you follow the advice in the Windows Update/Activation Sub forum, and post the results for analysis.

Roy

Note: looking back at your earlier problems, is this an upgrade install?

This was also an indication of rootkit necurs.a
 

My Computer

Computer type
PC/Desktop
Computer Manufacturer/Model Number
medionl/Aspire 6930G/acer x55a
OS
W7 home premium 32bit/W7HP 64bit/w10 tp insider ring
CPU
E5300 dual core
Motherboard
medion MS7366
Memory
3gb
Graphics Card(s)
Nvidia Geforce 7100 Nforce 630i
Monitor(s) Displays
avixc
Internet Speed
n (isp resticted to 72)
Antivirus
mse/pands
Browser
palemoon
Other Info
Belkin Fd7050 n USB using Railink RT2870 drivers, more upto date
Read this tutorial. Good information that might be helpful.

http://www.sevenforums.com/tutorial...ws-7-build-7601-watermark-remove-desktop.html


According to Microsoft, the test mode watermark can appear if the test signing mode is started on the computer. This test mode may occur if an application whose drivers are not digitally signed by Microsoft is installed and still in the test phase. Microsoft added test mode to Windows so that users can test programs without having to provide an authentication certificate.

The TESTSIGNING boot configuration option determines whether Windows Vista and later versions of Windows will load any type of test-signed kernel-mode code. This option is not set by default, which means test-signed kernel-mode drivers will not load by default on 64-bit versions of Windows Vista and later versions of Windows.

For 64-bit versions of Windows Vista and later versions of Windows, the kernel-mode code signing policy requires that all kernel-mode code have a digital signature. However, in most cases, an unsigned driver can be installed and loaded on 32-bit versions of Windows Vista and later versions of Windows.
 

My Computer

Computer type
PC/Desktop
Computer Manufacturer/Model Number
Home made Desktop
OS
Windows 10 Pro. 64/ version 1709 Windows 7 Pro/64
CPU
Intel i7-6800K @ 4.3
Motherboard
ASUS X-99 Deluxe II
Memory
Corsair Platinum 16 gig @2400
Graphics Card(s)
EVGA GTX 1070 OC
Monitor(s) Displays
Asus 27" LED LCD/VE278Q
Screen Resolution
1920-1080 or 1280-720 HDMI
Hard Drives
INTEL SSD 730-240 Gb Sata 3.0/
PSU
EVGA Platium 1200W
Case
Phanteks Luxe Tempered Glass 8 fans/ one radiator
Cooling
XSPC/ Water Cooled CPU
Keyboard
Das 4 Professional
Mouse
Logitech M705/MX Anywhere 2-S
Internet Speed
100 mbits
Antivirus
Microsoft Security Essentials/ Malwarebytes Premium 3.0/ SAS
Browser
I.E. 11 default/Firefox/ ISP Time Warner Cable/Spectrum
Other Info
LG BluRay Burner/
Sound system-KLipsch-THX/
Icy Dock ssd Hot Swap bays.
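
Since the post above describes TESTSIGNING as a boot configuration option, here is an added example (not written by anyone in the thread) that lists which entries in `bcdedit /enum all` output carry `testsigning` or `nointegritychecks`. The function name `Get-BcdSigningFlags` and the sample listing are constructed for illustration, and the parser assumes English-language bcdedit output.

```powershell
# Added example, not code from the thread. Assumes English bcdedit output.
function Get-BcdSigningFlags {
    param([string[]]$Lines)
    $entries = @()
    $cur = $null
    foreach ($line in $Lines) {
        if ($line -match '^identifier\s+(\S+)') {
            # Every BCD object in the listing starts with its identifier line.
            $cur = New-Object PSObject -Property @{
                Identifier = $Matches[1]; Description = ''
                TestSigning = $false; NoIntegrityChecks = $false
            }
            $entries += $cur
        } elseif ($cur -and $line -match '^description\s+(.+)$') {
            $cur.Description = $Matches[1].Trim()
        } elseif ($cur -and $line -match '^(testsigning|nointegritychecks)\s+(\S+)') {
            $on = @('Yes', 'On') -contains $Matches[2]
            if ($Matches[1] -eq 'testsigning') { $cur.TestSigning = $on } else { $cur.NoIntegrityChecks = $on }
        }
    }
    # Keep only entries that relax kernel-mode code signing enforcement.
    $entries | Where-Object { $_.TestSigning -or $_.NoIntegrityChecks }
}

# Constructed sample of `bcdedit /enum all` output (identifiers are made up).
$sample = @'
Windows Boot Loader
-------------------
identifier              {current}
description             Windows 7
testsigning             Yes

Windows Boot Loader
-------------------
identifier              {constructed-second-entry}
description             Constructed second entry
nointegritychecks       Yes

Windows Boot Loader
-------------------
identifier              {constructed-clean-entry}
description             Constructed clean entry
'@ -split "`r?`n"

# Reports the first two sample entries; the clean entry is filtered out.
Get-BcdSigningFlags $sample |
    Format-Table Identifier, Description, TestSigning, NoIntegrityChecks -AutoSize

# Boot options of the running system; includes TESTSIGNING when it was booted with the flag.
(Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control').SystemStartOptions
```

On a live machine, run it from an elevated prompt as `Get-BcdSigningFlags (bcdedit /enum all)` to see every boot entry in the store, not only the one currently booted.
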
Test mode was introduced for the testing stages of W7 and included in Vista updates, somewhat like the current upgrade path to W10. See my last line in previous post; certainly looking more likely.

Roy
 

As your rig is a custom build, I'd be more concerned about where you got your OS from, especially if you bought it online.

I would suggest you follow the advice in the Windows Update/Activation Sub forum, and post the results for analysis.

Roy

Note: looking back at your earlier problems, is this an upgrade install?

This was also an indication of rootkit necurs.a

What made you think my PC was custom built, I never mentioned that? It's a Dell All-in-One that was shipped directly from Dell, so I'm not too concerned about where the OS came from. Test Mode was not enabled when I received it a year or so ago. It was just recently I noticed it, and it was a coincidence I noticed it after only finding out I had CryptWall 3.0 ransomware on my computer. I never enabled Test Mode, so I figured my system at some point became compromised and the Test Mode was enabled by malicious code or similar. I mean how else could it? It doesn't enable by itself; Microsoft clearly states on 64bit machines it is not enabled by default.

I mentioned I did a Factory restore in my post, so no upgrade install. The system came preinstalled with W7 Pro x64 w/ SP1. All I did was perform a Factory restore and noticed the Test Mode was still enabled when it completed the Factory restore. Of course I disabled it immediately, but I'm still questioning why it persisted across a Factory reinstall.

Mike
 

Read this tutorial. Good information that might be helpful.

http://www.sevenforums.com/tutorial...ws-7-build-7601-watermark-remove-desktop.html


According to Microsoft, the test mode watermark can appear if the test signing mode is started on the computer. This test mode may occur if an application whose drivers are not digitally signed by Microsoft is installed and still in the test phase. Microsoft added test mode to Windows so that users can test programs without having to provide an authentication certificate.

The TESTSIGNING boot configuration option determines whether Windows Vista and later versions of Windows will load any type of test-signed kernel-mode code. This option is not set by default, which means test-signed kernel-mode drivers will not load by default on 64-bit versions of Windows Vista and later versions of Windows.

For 64-bit versions of Windows Vista and later versions of Windows, the kernel-mode code signing policy requires that all kernel-mode code have a digital signature. However, in most cases, an unsigned driver can be installed and loaded on 32-bit versions of Windows Vista and later versions of Windows.

Thank you, but I have already read that piece, and honestly, it's why I'm so concerned with it being enabled on my system.

The first statement says, "According to Microsoft, the test mode watermark can appear if the test signing mode is started on the computer."

It doesn't directly address how the mode can be started other than mentioning the user. So one is left to assume, if he/she didn't enable it, then malicious code on a compromised system must be the culprit. And to top it off, it is persistent across a Factory reinstall. Can someone confirm if this is by design?

Seriously, how else could one see this?

Mike
 

Seriously, Factory install is the worst possible install of Win7 one can have, as bad as being badly infected. Avoid this and all other problems by doing a perfect Clean Reinstall Windows 7 which will stay that way as long as you stick with only the steps, tools and methods given. Over 1.5 million consumers have used the tutorial without a single complaint. They have the best installs of Win7 in the world. You have the worst. Next will come the locusts.
 
I did read your complete post and that includes the last line.

From the tutorial.
This test mode may occur if an application whose drivers are not digitally signed by Microsoft is installed and still in the test phase.
 

What made you think my PC was custom built, I never mentioned that? It's a Dell All-in-One that was shipped directly from Dell, so I'm not too concerned about where the OS came from.
Perhaps the information you entered in your System Specs??

CustBild.jpg
 

My Computer

Computer type
PC/Desktop
Computer Manufacturer/Model Number
Lenovo IdeaCenter 450
OS
Windows 10 Pro X64
CPU
Intel Quad Core i7-4770 @ 3.4Ghz
Memory
16.0GB PC3-12800 DDR3 SDRAM 1600 MHz
Graphics Card(s)
Intel Integrated HD Graphics
Sound Card
Realtek HD Audio
Monitor(s) Displays
HP 22" LCD
Screen Resolution
1680 x 1050
Hard Drives
250GB Samsung EVO SATA-3 SSD
2TB Seagate ST2000DM001 SATA-2
1.5TB Seagate ST3150041AS SATA
Keyboard
Dell USB
Mouse
Lenovo USB
Internet Speed
Cable via Road Runner 3MB Upload, 30MB Download
Antivirus
Windows Defender, MBAM Pro, MBAE
Browser
Seamonkey
Other Info
UEFI/GPT
PLDS DVD-RW DH16AERSH
Change your CP.

I thought it was a custom build as that's what you've got on your CP.

So you were hacked. I'm pretty sure you've still got remnants; that's why you're still getting Test Mode.

Go to the security subforum and repost with ALL the info you have.

Roy
 
