5

I'm writing a security application which validates many security rules and policies on user machines. I need to implement a test method that returns true when Windows 8's Secure Boot feature is enabled, or false when it is disabled.

I searched for information and I saw that this is a BIOS feature. So my question is: is it possible to get the status of Windows 8 Secure Boot using C# code? If yes, how?

Secure Boot from BIOS


Update: See the answer of @magicandre1981. It's important to mention that the State registry key exists only when the Secure Boot feature is supported. If you're not finding this key on your machine, your machine probably doesn't support Secure Boot.

To check Secure Boot status / support, go to Run -> msinfo32.exe and search for "Secure Boot State".

Ofir
  • 3
    I think you'll end up P/Invoking [`GetFirmwareEnvironmentVariableEx`](http://msdn.microsoft.com/en-us/library/windows/desktop/jj204593(v=vs.85).aspx), but I've not tried it myself so unable to provide more of a steer or an actual tested answer. – Damien_The_Unbeliever Aug 11 '13 at 14:27
  • 2
    There's a [Confirm-SecureBootUEFI](http://technet.microsoft.com/en-us/library/jj603041.aspx) PowerShell cmdlet. You can [decompile](http://stackoverflow.com/questions/266250/can-we-see-the-source-code-for-powershell-cmdlets) cmdlets to see which Windows / .NET API's it calls. – CodeCaster Aug 15 '13 at 09:54

2 Answers

9

MSinfo32.exe reads the value UEFISecureBootEnabled from the registry under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecureBoot\State.


On my system SecureBoot is disabled and the returned value is 0. So I assume that 1 means enabled.

magicandre1981
  • I don't have the State key on my machine. Inside the SecureBoot key I have "available updates" and (default) keys. I changed the Secure Boot configuration in my BIOS and didn't see any change. – Ofir Aug 20 '13 at 04:49
  • There is a key State. Here you have the value. I'll insert a picture. – magicandre1981 Aug 20 '13 at 17:08
  • I'm sorry, I didn't see it and you're right. Marked as answer, thanks. – Ofir Aug 21 '13 at 04:01
  • Yes, I turned on Secure Boot through the BIOS and now it is 1 - exactly like you assumed – Ofir Aug 21 '13 at 04:08
  • I tested it on 2 more machines. The State key does not exist on every machine. I'm not sure why – Ofir Oct 24 '13 at 07:36
  • What is msinfo32.exe telling you on those systems? – magicandre1981 Oct 24 '13 at 17:09
  • What fields do you want to know? – Ofir Oct 27 '13 at 06:39
  • @Ofir the value if secure boot is enabled or not: http://blogs.technet.com/cfs-file.ashx/__key/communityserver-blogs-components-weblogfiles/00-00-00-94-73-metablogapi/1411.image_5F00_0A7E7B6E.png http://blogs.technet.com/b/home_is_where_i_lay_my_head/archive/2013/09/18/enabling-secure-boot-in-windows-8.aspx – magicandre1981 Oct 27 '13 at 06:41
  • "Secure Boot State: Unsupported" Is there any way to check by code if a machine supports secure boot? – Ofir Oct 27 '13 at 06:42
  • Unsupported means the system has UEFI, but doesn't support Secure Boot. So it's not there and acts like disabled. – magicandre1981 Oct 27 '13 at 06:43
  • 1
    I'm assuming that when Secure Boot is not supported the State key does not exist at all. When it's disabled the State key value is 0 – Ofir Oct 27 '13 at 06:46
  • Yes, I also think this. I only have a device with UEFI which supports Secure Boot. My older PC is still BIOS. – magicandre1981 Oct 27 '13 at 06:47
  • A colleague just told me that in Windows 10 Pro, modifications of the registry key are not put back after you change the SecureBoot setting in BIOS. On his machine the value was set to 1 (he says, he did not change it) and SecureBoot was off anyway ... – Florian Straub Oct 12 '18 at 07:09
2

Good code for Windows 10 too, of course, and it should handle most conditions, including a legacy or missing key and exceptions, as well as the future. Prints to console whilst also returning the flag for batch or script use:

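```csharp
using System;
using Microsoft.Win32;

namespace CheckSecureBoot
{
    class Program
    {
        static int Main()
        {
            // rc doubles as the default result: 0 (Off) unless the registry says otherwise.
            int rc = 0;
            string key = @"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecureBoot\State";
            // Despite the variable name, this is the value name under the State key.
            string subkey = @"UEFISecureBootEnabled";
            try
            {
                // Returns null when the key is missing, or rc when only the value is missing.
                object value = Registry.GetValue(key, subkey, rc);
                if (value != null)
                    rc = (int)value;
            }
            catch { } // Any read or cast failure leaves rc at 0 (Off).
            Console.WriteLine($@"{subkey} is {(rc >= 1 ? "On" : "Off")} ({rc.ToString()})");
            // The flag is also the process exit code, for batch or script use.
            return rc;
        }
    }
}
```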
mattjs
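The thread above ends up with three possible outcomes (no State key, value 0, value 1), which a policy check usually needs to tell apart rather than fold into a single "off". The following is an added example, not code from either answer: the `SecureBootState` enum and `SecureBootCheck` class are hypothetical names, and treating a missing key or value as "unsupported" is the assumption made in the comments above.

```csharp
using System;
using System.IO;
using System.Security;
using Microsoft.Win32;

// Hypothetical names: this enum and class are not from the thread.
public enum SecureBootState { Unsupported, Disabled, Enabled, Unknown }

public static class SecureBootCheck
{
    const string StatePath = @"SYSTEM\CurrentControlSet\Control\SecureBoot\State";
    const string ValueName = "UEFISecureBootEnabled";

    public static SecureBootState Query()
    {
        try
        {
            // OpenSubKey returns null (no exception) when the key is absent.
            using (RegistryKey state = Registry.LocalMachine.OpenSubKey(StatePath))
            {
                // Assumption taken from the thread: no State key or no value
                // means the machine does not support Secure Boot.
                object raw = state?.GetValue(ValueName);
                if (raw == null) return SecureBootState.Unsupported;

                // A REG_DWORD comes back as a boxed int; anything else is unexpected.
                int v = (raw is int) ? (int)raw : -1;
                return v == 0 ? SecureBootState.Disabled
                     : v == 1 ? SecureBootState.Enabled
                     : SecureBootState.Unknown;
            }
        }
        catch (Exception ex) when (ex is SecurityException ||
                                   ex is UnauthorizedAccessException || ex is IOException)
        {
            // The registry could not be read: report Unknown, never Enabled.
            return SecureBootState.Unknown;
        }
    }

    // The test method asked for in the question: true only on a confirmed 1.
    public static bool IsSecureBootEnabled() => Query() == SecureBootState.Enabled;

    static int Main()
    {
        SecureBootState s = Query();
        Console.WriteLine("Secure Boot: " + s);
        return s == SecureBootState.Enabled ? 0 : 1; // exit code 0 only when enabled
    }
}
```

It reads only the registry value named in the accepted answer, so the caveat in the last comment, about the value not matching the firmware setting on one Windows 10 machine, applies to it as well.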