Disable PatchGuard and Driver Signature Enforcement at boot time
2.5k
Stars
401
Forks
19
Open issues
3
Contributors
AI Analysis
EfiGuard is a UEFI bootkit for x64 Windows that patches the boot process to disable PatchGuard and Driver Signature Enforcement at startup, supporting Windows Vista SP1 through Windows 11. It is a specialized security/research tool designed for advanced users, security researchers, and developers who need to load unsigned drivers or study kernel protection mechanisms—not for general-purpose Windows administration or end-user deployment.
Inferred from signals mentioned in the README (tests, CI, type safety) — not a review of the actual code.
AI's overall editorial judgment — not an average of the bars above, can weigh other factors too.
UEFI bootkit for disabling Windows kernel protections; specialized security research tool with modest, sustained adoption
EfiGuard is a portable x64 UEFI bootkit that patches the Windows boot chain at runtime to disable PatchGuard and Driver Signature Enforcement (DSE). Built for security researchers, kernel developers, and users needing to load unsigned drivers or modify kernel behavior on locked-down systems. Adoption appears concentrated in security research and reverse engineering communities rather than mainstream enterprise or consumer use. The project demonstrates active maintenance as of June 2026, with careful engineering around UEFI boot stages and graceful failure handling.
EfiGuard was created in March 2019 as part of the UEFI bootkit ecosystem for Windows kernel modification. It emerged alongside similar tools (Chaos-Rootkit, Nidhogg, BestEdrOfTheMarket) in a space where researchers and tool developers sought robust alternatives to older kernel-patching methods, particularly after PatchGuard became more difficult to bypass from within the kernel.
The project has accumulated 2,465 stars over ~7 years with stable but slow growth (11 stars in the last 7 days as of June 2026). This flat growth pattern is consistent with a specialized tool serving a niche community. The last push on 2026-06-17 indicates the project is not dormant, but the growth trajectory suggests it has reached a stable plateau rather than expanding into new user bases. Repository forks (397) are moderate relative to star count, typical of tools downloaded for reference rather than actively maintained in production.
Adoption not verified in README or metadata. No deployment statistics, user testimonials, or documented production environments mentioned. The tool's nature (kernel modification, anti-cheat bypass capability, DSE circumvention) makes public production disclosure unlikely even if adoption exists. Security researchers and some niche gaming/modding communities may use it, but evidence is not publicly available.
Likely uses multi-stage UEFI driver architecture: firmware-level interception of bootmgfw.efi, bootmgr.efi, and winload.efi with runtime instruction decoding via Zydis disassembler for pattern-robust patching. Appears to include both passive driver mode and explicit loader application. README indicates careful boot-stage sequencing and error recovery before ExitBootServices is called, suggesting robust state management. Specific implementation details cannot be verified from README alone.
Not documented in README. No mention of automated testing, fuzzing, or validation suite. The README describes manual graceful error handling and debugger output capability, but formal test coverage is absent from documentation.
Last push 2026-06-17 (18 days ago relative to 2026-07-05) indicates active but infrequent maintenance. README is comprehensive and up-to-date. The project does not appear abandoned, but the slow commit cadence and minimal recent star gain suggest the author is maintaining rather than actively expanding the project. GPL-3.0 license visible; no indication of abandoned status.
ADOPT IF: you are a security researcher, kernel developer, or reverse engineer needing to disable PatchGuard/DSE on Windows x64 systems without runtime vulnerability to newer protections, and you understand UEFI boot mechanics and can manage the associated legal/support risks. AVOID IF: you require mainstream vendor support, automated testing, high-volume production deployment, or are developing commercial software without explicit security research justification. MONITOR IF: you depend on DSE bypass for a niche product and HVCI/hypervisor enforcement is not yet deployed on target systems; the technical approach is sound but adoption signals are weak and competitive alternatives may emerge.
Independent dimensions
Mainstream potential
2/10
Technical importance
7/10
Adoption evidence
2/10
- Cannot bypass HVCI/HyperGuard; renders the tool non-functional on systems with hypervisor-enforced code integrity, a trend in modern Windows deployments.
- Adoption not verified; actual user base and incident reports are unknown. Community size is unclear, limiting peer review and bug detection.
- Legal and vendor support exposure: disabling DSE and PatchGuard violates Windows security model and may breach user agreements; anti-virus/anti-cheat vendors may flag it as malicious or block its use.
- Slow growth and infrequent maintenance could indicate shrinking relevance as Windows kernel protections evolve; compatibility with future Windows versions uncertain.
- Checked kernel support absent; limits utility for kernel debugging workflows and may break on future Windows debug builds.
EfiGuard will likely remain a specialized research tool with stable but modest adoption. It may gradually lose utility as HVCI deployment increases and alternative boot-time attack surfaces are closed. The project will probably continue to receive maintenance patches for new Windows versions but is unlikely to expand into mainstream use.
Newsletter
Get analyses like this every Monday
Free weekly digest of the most interesting open-source discoveries.
Languages
Information
- Language
- C++
- License
- GPL-3.0
- Last updated
- 3w ago
- Created
- 89mo ago
- Analyzed with
- anthropic/claude-haiku-4-5
Stars over time
Contributors over time
Top 100 contributors only — repos with more will plateau at 100.
Open issues
Open pull requests
No open pull requests.
Top contributors
Similar repos
ZeroMemoryEx/Chaos-Rootkit
Chaos-Rootkit is an x64 Ring 0 Windows kernel rootkit designed for educational...
| Repository | Stars | Week Δ | Language | Score | Updated |
|---|---|---|---|---|---|
|
|
2.5k | +6 | C++ | 8/10 | 3w ago |
|
|
2.4k | — | C++ | 7/10 | 2w ago |
|
|
1.9k | — | C++ | 7/10 | 2w ago |
|
|
1.1k | — | C++ | 7/10 | 2mo ago |
|
|
3.1k | — | Java | 7/10 | 3mo ago |
|
|
1.5k | — | C++ | 8/10 | 4w ago |
Similar star count; both are UEFI bootkits. Nidhogg appears slightly more popular. Direct feature comparison not possible from README alone, but both target kernel-level protections.
Lower adoption; similar technical domain. EfiGuard's focus on Windows boot chain may offer different scope or complexity tradeoffs.
Overlapping goal (circumvent enforcement) but likely different attack vector. defender-control may target runtime protection disable rather than boot-time patching.
UEFI reference implementation; much larger ecosystem but serves firmware developers, not end-user kernel modification. EfiGuard builds on UEFI abstractions; not a direct competitor.
Older DSE bypass techniques that EfiGuard improves upon or offers alternatives to. EfiGuard appears designed as a more robust successor in some use cases.

