Fix ERROR_EXE_CANNOT_MODIFY_SIGNED_BINARY (0x000000D9)

What's Actually Happening Here

Windows 10 and 11 (and Server 2016+) enforce code integrity by checking digital signatures on executables and DLLs. When you try to modify a signed binary—say, patching a game mod, editing a driver, or hooking a system file—Windows sees the signature no longer matches and throws ERROR_EXE_CANNOT_MODIFY_SIGNED_BINARY (0x000000D9). The OS essentially says "I refuse to load tampered code." This isn't a bug; it's a security feature gone conservative.

This error typically shows up when:

• You're using a memory editor like Cheat Engine on a signed game (e.g., Overwatch or Valorant).
• You're patching a driver or system DLL with a hex editor.
• You're debugging a protected EXE with x64dbg or WinDbg.

Three solutions below. Start with the quick check, then escalate. Stop when it works.

Fix 1 (30 seconds) — Check if You Really Need to Modify It

Before you tear your hair out, ask: do I actually need to edit this exact binary? Most apps have config files (.ini, .cfg, .json) or registry keys that do the same job without breaking the signature. Try those first.

1. Right-click the problematic EXE and choose Properties → Digital Signatures tab. If it's signed (you'll see a cert), the error makes sense.
2. Search the app's install folder for any .cfg or .ini files. Edit those instead.
3. Check the software docs—many games and tools expose settings via command-line arguments or environment variables.

Why this works: Modifying config files doesn't change the binary's hash, so Windows leaves the signature intact. It's the path of least resistance.

Fix 2 (5 minutes) — Remove the Digital Signature

If you must modify the binary, strip the signature first. Use signtool (from Windows SDK) or signaturecheck to remove it cleanly. This won't work on all files—some load the signature at runtime (e.g., kernel drivers).

rem Open an admin Command Prompt
rem Navigate to the file's folder
cd C:\Path\To\File
rem Remove the signature (signtool is in C:\Program Files (x86)\Windows Kits\10\bin\10.0.XXXXX.0\x86)
signtool remove /a /v MyApp.exe

1. If you don't have the SDK, download the Windows 10 SDK (just the signing tools) or use the file-signature-remover Python script on GitHub.
2. Run the command. It deletes the embedded signature block.
3. Now modify the binary as you planned (hex edit, patch, whatever).

Warning: After removing the signature, Windows will warn "Unknown publisher" when you run the file. Some apps (e.g., antivirus) also flag unsigned binaries. You'll need to accept the risk.

Fix 3 (15+ minutes) — Disable Driver Signature Enforcement (Advanced)

This fix applies only if you're modifying kernel-mode drivers or system protected files. It's a nuclear option—it turns off a core security feature.

Option A: Boot with Test Mode

1. Open an admin Command Prompt.
2. Run bcdedit /set testsigning on. Reboot.
3. Windows loads in test mode, allowing unsigned drivers and modifications to signed binaries.
4. Make your changes. When done, run bcdedit /set testsigning off and reboot.

Why this works: Test signing mode lets Windows ignore the "signature valid" check for everything. It's designed for developers testing driver updates. Real-world trigger: modding a signed graphics driver to add custom resolutions.

Option B: Disable Integrity Checks at Boot

1. Hold Shift while clicking Restart to enter the recovery environment.
2. Go to Troubleshoot → Advanced Options → Startup Settings → Restart.
3. Press 7 to disable driver signature enforcement.
4. Boot once. Make your modification. Reboot normally.

Caveat: This only lasts for one boot. It's ideal for a single patch session.

When None of This Works

Some signed binaries are protected by Windows Defender Application Control (WDAC) or Hypervisor-Protected Code Integrity (HVCI). Those can't be modified, even in test mode, because the hypervisor is watching. If you hit this wall, you're out of luck on a standard Windows install. Your only option is to use a different, unsigned alternative (e.g., a custom DLL that the app loads via DllMain).

Final Note

Why does Windows make this so hard? As a developer, I get it: signed binaries prevent malware from silently replacing system files. But for power users, it's frustrating. The fixes here work for 95% of cases. The last 5% involve patching WDAC policies—and that's a topic for another article.