Jump to content


  • Posts

  • Joined

  • Last visited

  • Donations

    0.00 USD 
  • Country

    United States

Everything posted by fdv

  1. Hi all, I had some problems with my hosting provider Sunday night. I had to move my site last night and haven't set it all back up again. So if you're trying to read pages or download files they won't be there for a night or two. Sorry for any disruption caused. BTW the advice not to upgrade to IE8 is because IE8 has extra files in its install. When an upgrade is performed on an existing install, there are no issues, but using HFSLIP plus my fileset plus IE8 results in problems due to TXTSETUP and IE.INF because they were never structured to handle the extra IE8 files. HFSLIP may report a success but the install might not work since the problem is that some of these extra files might get copied fine but they don't get registered as they should. As a result you run the risk of booting up for the first time and seeing no explorer. At one point I was working on separating IE.INF into IE6.INF and IE8.INF but never finished the work.
  2. I hope to help matters by chiming in. Maybe. Caps, you're going to get a LOT more mileage out of going to SP3. I mean, there's no way around the fact that your OS will be a lot less buggy. I made that edit to the DLL years and years ago and I forget what routine I changed... God I can't even remember the decompiler I used on SP2's dll to find out the sequence. if you want to do this, it's best to move to SP3, and if you are worried about Microsoft hard-coding themselves into the OS and overriding the HOSTS file, then edit dnsapi.dll to your liking. You'll block your own ability to reach microsoft.com for downloading updates if you do it wrong (you can always put them on a USB from another system) but the bottom line is that you will solve your problem, you'll be happier, you won't need to ask this anymore, you won't be fooling with a "dead" service pack anymore... there are only benefits. There is no solid reason not to switch, my friend. But even if you choose not to, it's been too long and I can't help, I don't have the tools anymore or the time to spare to do the same thing for SP1a.
  3. Anyone interested in INF format? You can mount the WIM and apply this and have 7 "remember" the settings I suppose. The line for directory contents is this: HKCR,"Folder\Shell\List Contents to text file\command",,,"%11%\cmd.exe /C DIR ""%1"" /B /O /S>""%1""""_contents list.txt""" It makes a printable file. My INF below adds a few useful items I use all the time in 7 like using the contig utility for defragging and remember those instructions all over the 'net to make a "god mode" icon on the desktop? That's in here too but I call it 'expanded control panel' (you'll see what I mean). Edit it as you will.... [version] Signature="$Windows NT$" [DefaultInstall] AddReg = ContextMenu [ContextMenu] ; Add "command-prompt-here" functionality when right-clicking a directory HKCR,"Drive\Shell\Command Prompt Here\command",,,"%11%\cmd.exe /k cd ""%1""" HKCR,"Directory\Shell\Command Prompt Here\command",,,"%11%\cmd.exe /k cd ""%1""" ; HKCR,"*\shell\runas",,,"Take Ownership" HKCR,"*\shell\runas","NoWorkingDirectory",,"" HKCR,"*\shell\runas\command",,,"cmd.exe /c takeown /f ""%1"" && icacls ""%1"" /grant administrators:F" HKCR,"*\shell\runas\command","IsolatedCommand",,"cmd.exe /c takeown /f ""%1"" && icacls ""%1"" /grant administrators:F" HKCR,"Directory\shell\runas",,,"Take Ownership" HKCR,"Directory\shell\runas","NoWorkingDirectory",,"" HKCR,"Directory\shell\runas\command",,,"cmd.exe /c takeown /f ""%1"" /r /d y && icacls ""%1"" /grant administrators:F /t" HKCR,"Directory\shell\runas\command","IsolatedCommand",,"cmd.exe /c takeown /f ""%1"" /r /d y && icacls ""%1"" /grant administrators:F /t" ; add advanced system properties to mycomp HKCR,"CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\shell\AdvSysProp",,0x00020000,"Advanced System Properties" HKCR,"CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\shell\AdvSysProp\command",,0x00020000,"control sysdm.cpl" ; add device manager to mycomp HKCR,"CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\shell\Devices",,0x00020000,"Device Manager" HKCR,"CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\shell\Devices","SuppressionPolicy",0x00010001,3c,00,00,40 HKCR,"CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\shell\Devices\command",,0x00020000,"%windir%\system32\mmc.exe /s %SystemRoot%\system32\devmgmt.msc /s" ; add the mega-control panel on mycomp HKCR,"CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\shell\ExpCPL",,0x00020000,"Expanded Control Panel" HKCR,"CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\shell\ExpCPL\command",,0x00020000,"%windir%\explorer.exe shell:::{ED7BA470-8E54-465E-825C-99712043E01C}" ; unused alternate for the exact same thing ;HKLM,"SOFTWARE\Classes\CLSID\{20d04fe0-3aea-1069-a2d8-08002b30309d}\shell\Expanded Control Panel\command",,,"%windir%\explorer.exe shell:::{ED7BA470-8E54-465E-825C-99712043E01C}" HKCR,"Folder\Shell\List Contents to text file\command",,,"%11%\cmd.exe /C DIR ""%1"" /B /O /S>""%1""""_contents list.txt""" ; contig HKCU,"Software\Sysinternals\C","EulaAccepted",0x00010001,01,00,00,00 HKCR,"Directory\shell\contig","",0x00020000,"Defrag Folder with Contig" HKCR,"Directory\shell\contig\command","",0x00020000,"%windir%\system32\contig.exe ""%L\*.*"" -v -s"
  4. How to. Hi all, this is inspired from a thread a while back. I recently needed to run some utils including Process Explorer while elevated and decided to finally put up a quick how-to on running Explorer while impersonating TI. Maybe it might be useful to some folks. Much credit to Joakim and the guys in that thread!
  5. In truth I always stuck the LBA in SYSSETUP.INF. From my version in my fileset: [infs.Always] syssetup.inf,SpecialInstall [specialInstall] AddReg = Special.Addreg [special.Addreg] HKLM,"SYSTEM\CurrentControlSet\Services\Atapi\Parameters","EnableBigLba",0x10001,01,00,00,00 ; enable large block addressing This way the LBA is accomplished neatly and immediately. I posted otherwise because I'd forgotten and this forced me to check!! Sorry about my misleading post above
  6. Ahhh! Okay, now I get you... catalogs. Since you are replacing a lot of binaries in a SP (of your own making) and not installing the CAT files that come with each hotfix, you might as well delete all of the listed CATs except the first two, NT5INF and NT5. That's how I did what I did and it worked. IIRC SP4.CAT can go too. FYI, I know you know this but for other people reading, if you wanted to make an unofficial SP where each file actually passed a signature verification, you would need to copy all of the CAT files in each hotfix and list them ALL under [ProductCatalogsToInstall]. I honestly forget what happens when you install no CATs at all. My hacked SETUPAPI.DLL turns off all signature checking and I use that in conjunction with the SFC.DLL hack. You can get both in my fileset. Since they are MSFT binaries permission is not mine to give, but if you wanted to use the ones from my fileset, I personally have no problem with that. Some part of me thinks that even with all of this you might still get a problem with a different WINTRUST. Worth checking into if it eliminates your error.
  7. To expand on my advice and clear something up, ALL of the HIVE* INF files execute during text setup. They all build the registry which is assembled prior to GUI. You do not need to add to SETUPREG.HIV. (Editing that file is a mess anyway). Look at the HIVE files in my fileset... look at all of the system tweaks I add (use Winmerge to compare). You can make a LOT of changes to the OS by editing these files edit: this is not 100% correct, see my post below about using SYSSETUP.INF for LBA, I misremembered what was in my own file
  8. tomasz86, I am not clear on the error you get with wintrust.dll, I did not see a specific description or screenshot of it. This dll is involved with digital certificates on a running OS, it is not involved with setup. To expand more on what acus said, do a global replace in both TXTSETUP and LAYOUT of ,_x, to ,, (comma underscore x comma ---> comma comma) Hacking SFC is handy but doesn't relate to wintrust. This may be handy for you, it is buried in my site edit: by "This dll is involved with digital certificates on a running OS, it is not involved with setup" I mean there is nothing you can do during setup to suppress errors from this dll later. An error thrown because of this means another dll that windows is attempting to verify is failing verification. So strictly speaking, another dll might be the actual problem.
  9. fdv

    Slipstreaming NT4 SP6a

    You don't need to re-apply SP6a. Wendy completed the INF. PM me for more detail.
  10. http://www.vorck.com/windows/hotfixes_2003.html Updated for Sept. Haven't gotten to June but I did link the June ISO. Rulman as usual if you want to check my list I will make any notes you want to add if I missed something or got something wrong.
  11. fdv

    FDV's website

    Hi all, I was applying for some jobs at some places that are a bit "uptight" and instead of taking time to edit out swear words from my material, I just took them down during the application process. It will all be going back up shortly.
  12. Okay. For those of you just tuning in, Joakim has actually managed to do what several folks including myself had said was not possible -- open a CMD prompt with TrustedInstaller permissions. Life happens fast, and so did this thread. Here's how to do it in one post. Thanks to all of you who contributed your wisdom. Like CoffeeFiend I'm also kind of lost as to how we managed to get here ------------ How to open a CMD prompt with TrustedInstaller permissions Install PSList - http://technet.microsoft.com/en-us/sysinternals/bb896682 or Install Procexp - http://technet.microsoft.com/en-us/sysinternals/bb896653 Install Session0Injectors from Payload Execution Tools v.2 - http://reboot.pro/files/file/171-payload-execution-tools/ Install netcat - http://www.securityfocus.com/tools/139 You must do the next part fairly quickly, because once you start the TrustedInstaller service, it's not going to run all day... it stays running for a short while and stops. Run services.msc Scroll to Windows Modules Installer Right click, select 'start' Open a command prompt and type pslist trustedinstaller and get the PID or launch ProcExp and get the PID Let's call that number '4321' (of course it will be different on your system) Let's also pick a port to run netcat on -- say '6789' "Now run netcat as a daemon serving cmd.exe for you on port 6789 by typing the following" Session0Cmd 4321 "nc -l -p 6789 -d -e cmd" (By the way, that -l is the letter l not the digit one. If your system is 64 bit Windows, you'll use Session0Cmd_x64 here)) If you got an error about an invalid PID, it means that the TrustedInstaller service stopped again. Go restart it. (When you do it will have yet another PID). "Now netcat is running as a daemon and serving cmd.exe for you on port 6789. To connect to it and obtain the actual TI-privileged cmd, open a cmd window and use this command" nc localhost 6789 Thanks again to Joakim for this bit of cleverness! (I'm sure you'll all let me know if I need to make edits...)
  13. a journey to dethrone the TrustedInstaller service Yeah... I should get back to what this thread was really about shouldn't I Thanks for the tip on padding out a SID's string. I need to stop being distracted and get back on track. But first lots of sleep as usual. I made notes, not in front of me, and only got where I got because of your solid recommendation on a good decompiler
  14. The problem I have with this schema is that -80- signifies that TI is a service. It runs in isolated session 0. An interacive logon is going to be -21- and a group is -32- (I think -- it's what I read here? But yet 32 is print operator? Confused ) In other words, Admins group is SID S-1-5-32-544 but TI is S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464 Wow, I started wanting to shut off digital signature checking in Win7 and I got SERIOUSLY sidetracked Anyway, you saw my other msg but other folks mightn't've. What I think the only real possibility is, is to open the list of files that reference the TI SID and change it to the admin group, and then pad out the extra spaces in the binary with 90's (noop). TI then "becomes" an actual user, AND TI still continues to run as a service because the EXE is still running (i.e. the service is running). I don't feel like trying it right now, but I might get to it at some point. Edit: more on point, I have had a look in the DLLs... there is some very naughty stuff you can do that I shall shut up about, but a curiosity was seeing a call to LAYOUT.INF. Huh?! I thought Win 7 was "redone"!
  15. He means that people used to think it was "impossible" to run Windows 98 without IE, then someone did it. Then it was "impossible " to run Windows 20o0 without IE, and someone did it. Then it was "impossible " to run Windows XP without IE, and someone did it. In other words, there is some exception to any rule -- if you say TI should not be stripped of any rights, he is saying that it might be possible to rig a system having done exactly that. What really troubles me is that no one has tried. I mean, just loading a hex editor and replacing the TI SID with the admin SID S-1-5-32-544 and padding out the extra characters should have been tried at some point, and yet no one has done it! TI honestly does not look like an "octopus," it only has a certain number of connections to and within the OS. It isn't really "everywhere." And yes, it's in the MSI. But it remains to be seen what happens if another SID is substituted. Edit, as usual. To explain further and give thoughts... The TI is actually a service, not a user. S-1-5-80 starts all service SIDs. As long as the service is running, will Windows be happy? If we replace it in terms of object ownership? Rip it out from every ACL? As long as the stupid exe runs as a service, maybe windows won't "know" and can be tricked. That's the nitty gritty of where jaclaz and I are going with this thought process.
  16. Oh! Sure, that will work too. I was thinking of piping it to a txt file but your bit here works better and is pretty creative! In truth I didn't spend much time on the idea though, because I really want to cover items 1 and 2 in my post, essentially "fix" the child objects. What I think I would have to do is use the 'reset children' command and then re-assign, with inheritance, permissions for System, Admin, and User. That's the problem with the reset children command, it seems to erase other non-owner permissions which is obviously a bit of a problem. Hoping for a better way.
  17. Hey, man! In answer to the first question, it'd be totally possible to export the registry's CLSID list, open it in notepad++, clean it up, and make a small batch file to go through every value. We want to find a way to not have to do that though. As for the second program, I'm not too sure it's any different but will look
  18. Not sure how it happened, but this thread ended up being "How to open a CMD prompt with TrustedInstaller permissions" Scroll to page 2, post 29, to see. Here below is my original message about taking the registry "back" from TrustedInstaller (there is a batch file below to do that, too). ---------------------ORIG MSG--------------------- This is a question about SetACL syntax but since it applies to TrustedInstaller I thought that the Win 7 forum will get greater exposure. It's also a mini-how to that will help a lot of you who loathe TrustedInstaller. Below you will find three commands that when executed in order, will strip a given key of TrustedInstaller. In order, number one makes Administrators the owner, number two assigns and propagates permissions for Administrators on the key and children, number three revokes TI permissions on the key. Here's the problem I have: I want to be able to: 1. cascade ownership right down through the entire registry from the root HKCR, HKCU etc etc etc keys 2. strip TI permissions from everything in the entire registry from the root HKCR, HKCU etc etc etc right down to every endpoint key I know there is a -rec yes option to recurse. Won't help scrub the entire registry though. setaclx64.exe -on "HKCR\CLSID\{CLSID VALUE}" -ot reg -actn setowner -ownr "n:S-1-5-32-544;s:y" setaclx64.exe -on "HKCR\CLSID\{CLSID VALUE}" -ot reg -actn ace -ace "n:S-1-5-32-544;p:full;s:y;i:so,sc;m:set;w:dacl" setaclx64.exe -on "HKCR\CLSID\{CLSID VALUE}" -ot reg -actn ace -ace "n:S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464;p:full;s:y;i:so,sc;m:revoke;w:dacl" for {CLSID VALUE} put something like {a86ca2f1-af74-4a74-980b-e185d4ca01b0} Any ideas? Edit: I always edit my posts, and this one is no different. You must do this with an elevated command prompt. Also, FYI for everyone, the following files have the TI SID in them: bcdboot.exe bfsvc.exe COMPONENTS setupapi.dll winlogon.exe winsetup.dll wpd_ci.dll If you really wanted to render TI powerless you could load them up in a hex editor and change one digit of the SID or change it to admins(S-1-5-32-544) and pad out the rest of the string with 90 (noop). I haven't tried this yet.
  19. I feel like I'm at a full stop without a solid 64 bit debugger. I ran a list of exported functions but I don't see a reason to get into 32 bit. (I am using amd64 now and as it's been pointed out, it's the future). I tried ollydebug with a 64 bit plugin but it didn't work. IDA is amazing but wow, a thousand bucks!! I wish I could con my employer into buying it ;-) I don't know anything about x64 so I am wondering if I (we? I think you guys are in on this too I hope ) should bother with 32 bit and would any of that apply to the 64 bit dll? In other words, could we use the findings or would it be like starting from scratch?
  20. What is a good 64 bit debugger? I tried the Microsoft one and it's HORRIBLE. Tried DuxDebugger and it will not load DLLs. ? thx all yes btw I really need to look at exported functions, posting the entrypoint was in error. I need sleep
  21. @dencorso, thanks for the new PE fix. I am very behind the times! "The byte pattern in x64 should be different, and probably use 64-bit registers instead. " Whoops, yeah, I am a retard @coffeefiend - "You want the installer not to complain only? Or does that affect the installed OS as well?" It should skip the check. More than just not complain. I think I must have loaded the wrong binary. It was pretty late ;-) I thought patchguard was only for the kernel?? I gotta think this through and switch to the 64 bit version. I read the info on patchguard, I can't see that it applies to a setup DLL. I am wondering, is this DLL now only driver signature checking? I stumbed upon the following this morning: 7252A07A |. 68 C8504D72 PUSH setupapi.724D50C8 ; UNICODE "S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464" (direct paste but which DLL I don't know. it's been a long day and I have been looking at all of them, the x86, the sxs, the wow64 so ignore that address?) This is the SID for Trusted Installer. I need to go to bed and haven't done anything with it but in this case I'd like to not only shut off digsig checking (sfc would be nice too) but I'd love to prevent TrustedInstaller from making itself the sole owner of my registry! This technique worked for the earlier OS's BTW and for a short while, before 7imo modified SYSSETUP, Nuhi was using this little trick in nLite to keep the OS from complaining about unsigned binaries (of any kind, drivers or OS files). So, much more work remains If anyone has any tips, clue me in! Many eyes looking can make this quick work. Provided the 64bit dll can be modified without Patchguard problems. What do you guys recommend for a 64bit debugger thx God this stuff takes so **** long... Note to self - click here to log in (since it's gone from the pages now?)
  22. Any of y'all want to try something for me? I aim to repeat my SETUPAPI.DLL hack that I did for Windows 2003 to allow for an install that shuts off signature checking. The idea is to be able to modify binaries and not have Windows complain or throw a terminal error. This is a theory. I don't have time to try it right now. (I am sick with an ear infection and have a burst eardrum and spent about four hours carefully mapping this out last night so I am not in the mood to check it right now, I have had enough for now, but I suppose you younger and more enterprising folks could try). You need to mount the INSTALL.WIM image and load a hex editor and take ownership of SETUPAPI.DLL and then open it in the hex editor. replace byte sequence 8B FF 55 8B EC with 33 C0 C2 0C 00 Should be the same for both the 32 and 64 bit SETUPAPI.DLLs. There is only one such sequence in both DLLs so there is no offset to worry about finding. The digsig check began with MOV EDI,EDI PUSH EBP etc etc in the Win Xp and 2003 binaries. The hack for those was simply to change it to XOR EAX,EAX RETN [whatever] The routine in the win7 followed the same pattern, but it was WAY earlier in the binary. Still, it does follow the pattern, so it's worth a shot. I have other ideas if this doesn't work. Anyway save and use modifype.exe to 'fix' the DLL and then put it back into your mounted directory. There is also a TrustedInstaller bit in the dll that I intend to explore as well, later. I get that TrustedInstaller is necessary but it would be nice if it didn't take ownership of my entire registry too... Thanks, whoever wants to give it a try fdv
  23. Hi all, can anyone suggest a hotfix list for Win7 that is continually edited to remove obsolete hotfixes? I personally keep a Win2003 fix list and I edit it to remove obsolete fixes that have been replaced by newer ones. It's a real pain to do this, so much so that I only update it every 2 or 3 months, and as far as I can tell, I'm the only guy doing it. I am hoping that as much of a pain it is to do, there is someone out there who does it for Win 7. Any tips are appreciated...
  • Create New...