Ftk Imager Could Not Start Driver May 2026

Security tools like Windows Defender, McAfee, CrowdStrike, Carbon Black, or SentinelOne often flag forensic mounting drivers as "potentially unwanted" or "suspicious kernel activity."

For enterprise EDRs, you may need your security team to whitelist the FTK Imager driver hash.

FTK Imager is a cornerstone tool in the digital forensics and e-discovery community. Developed by AccessData, this free tool allows investigators to create forensic images of hard drives, USB drives, memory sticks, and other media without altering the original evidence. It is revered for its speed, reliability, and ability to mount images as logical drives. ftk imager could not start driver

However, even the most robust tools encounter roadblocks. One of the most persistent and frustrating errors that forensic analysts face is: "FTK Imager could not start driver" (sometimes accompanied by the variant: "Could not create the driver service: Access is denied – Please check your user permissions").

This error typically occurs when a user attempts to mount a forensic image (E01, DD, or AFF) as a physical or logical drive using FTK Imager’s Image Mounting feature. When the driver fails to start, the mounting process halts, preventing access to the evidence. For investigators on a tight deadline, this can bring work to a standstill. For enterprise EDRs, you may need your security

In this long-form article, we will dissect why this error happens, provide step-by-step solutions, explore security contexts (including Windows 10 and 11), and discuss preventive maintenance to ensure FTK Imager runs smoothly.

Check:

Get-SystemDriver -Name ADImagerDriver | fl *

Look for Signer – if missing or "Test Sign", modern Windows blocks load.

Open Command Prompt as Administrator and run: Check: Get-SystemDriver -Name ADImagerDriver | fl *

bcdedit /set testsigning on

Restart your computer. You will see "Test Mode" in the bottom-right corner.

✅ FTK Imager will now work.
⚠️ To revert later: bcdedit /set testsigning off