You're probably correct. I was just saying that there's no need for the entire Windows installation to be signed, as jrockway implied. Such a requirement would be nearly impossible (and would require scanning the entire OS at startup to verify the signature).