
Code signing does not do what you apparently think it does. They can’t block it unless it’s a Windows Store app/universal app, which is sandboxed. And that’s exactly what they do for those apps. Tim Sweeney ranted about this quite vocally!



I never said code signing DID do that. Of course it didn't, there were no secret high performance Microsoft only APIs in the first place. I said it COULD have easily been used to do that. E.g. make special API/syscall to unlock restricted APIs, Windows checks the signing status of the executable making the call and only grants permissions if it is signed by MS.

It's actually also not true that Microsoft only ever blocked things based on signing cert from the Windows Store/UWP platform. Windows Defender SmartScreen blocked/blocks apps from running without user intervention unless they were either extremely well known or signed (and even then, if it was new, you might still get caught by it).


> E.g. make special API/syscall to unlock restricted APIs, Windows checks the signing status of the executable making the call and only grants permissions if it is signed by MS.

This is how iOS works, FYI.



