[UxTheme Signature Bypass]

The second service is kernel-mode driver that does the actual patching. UxStyle doesn't work on Creators Update at all, it didn't work properly on November's Update neither. I wasn't the only person where it prevented graphics drivers from working on each boot: http://virtualcustoms.net/showthread.php/69833-Discovered-a-problem-with-UxStyle-Community-Edition-for-Windows-10 It needs updating. So until then, you're good with UxStyle.

PS:

[UxTheme Signature Bypass]

It fails at allocating memory in winlogon.exe's virtual address space to store path of the DLL to load, it's not connected to the fact that you're using Russian Windows, file permissions also shouldn't have anything to do with it, otherwise it wouldn't work at all on your home system, not even whey you slowly type password.

I was wondering if there exists a general purpose injector, but found nothing flexible enough for this task. Would be good to know if using some alternative produces any different results.

[UxTheme Signature Bypass]

It seems when there are permission issues, only these entries appear in logs:

[2017-01-25 02:59:38][0x2024:0x3E8] Installing DWM hook...
[2017-01-25 02:59:38][0x2024:0x3E8] User: SYSTEM
[2017-01-25 02:59:38][0x2024:0x3E8] Module: C:\AeroGlass\DWMGlass.dll

There is this convention that applications shouldn't write to their own directory, and this restriction on Program Files has been implemented by default at least since Windows XP, though a lot of people probably used admin account for everything. Before UAC was the thing, admin accounts get full access on program Files directory automatically.

So the worst that can happen probably is that Aero Glass can't write its logs. There is this catch, DWM doesn't run under SYSTEM account so once DWMGlass.dll is injected, it does everything under DWM's account. And there is some magic in there that lets it access user specific settings in registry.

[Aero Glass for Win8.1+ v1.5.2]

Correct settings in .msstyles really gives you working composited text glow. Aero Glass GUI "Use theme settings" option with theme defined text glow size is also the most consistent variant because the text caption text will be look identical across application, whether they use plain window frame or draw their own controls on it before drawing caption with DrawThemeText API.

Unless for example you want custom colored caption text. But I think it boils down to the fact that these things are unofficial extensions that were never intended by Microsoft so the original design doesn't account for them. Glow effect baked in theme atlas image you get with "Use atlas image" is also Aero Glass exclusive concept if I'm not mistaken.

There is another issue with "Use theme settings" on 1.5.2 besides being rendered at incorrect position. Setting glow size to 0 means 0 instead of theme defined size.

[UxTheme Signature Bypass]

1 minute ago, CKyHC said:

Folder C:\Program Files\AeroGlass can cause this problem? When I will have time I try to change folder to C:\AeroGlass. But it's very doubtfully...

The owner of C:\Program Files\AeroGlass is my account with administrator permissions. SYSTEM account have full rights. What permissions more folder must to have to work properly?

You're right, it shouldn't cause problems, I tried. Even having 2 aerohost instances doesn't cause injection problem on my end neither.

[UxTheme Signature Bypass]

On 28. 2. 2017 at 6:02 AM, UCyborg said:

Just for informational purposes, UxTSB no longer works with Insider build 15042.

Correction: themes still work on newer insider builds, just selecting them under Themes doesn't work, have to manually set path to .msstyles in registry then it works after re-logging in.

[OldNewExplorer 1.1.9]

On 21. 2. 2017 at 5:13 PM, Anime4000 said:

On 27. 1. 2017 at 10:53 PM, vr2008 said:

I'm using this program more than a year since version 1.1.7 on windows 10 enterprise x64 and since the first day I have an annoying problem. And that is the details pane suddenly disappears until I restart explorer.exe from task manager. Even the most recent version (1.1.8.2) didn't fix the issue and it happens again. also after disappearing details pane, the hard drive grouping titles disappear too and just the numbers remain.

I have same issue, really annoying, I had to reset explorer.exe everytime

Do any of you have "Launch folder windows in a separate process" enabled in File Explorer Options? It's been a while since I've seen this bug and I did turn this on some time ago, maybe enabling it helps. Though it might also depend on Explorer usage pattern. Unless you have always at least one Explorer window open, this option makes the explorer.exe instance that hosts those windows restart every once in a while, so maybe it proves to be a viable workaround.

[Aero Glass for Win8.1+ v1.5.2]

@Tusticles
Thanks for the hint! I found the most important properties are under Windows & Captions Buttons -> Aero -> Window.

We can only hope that at least bugs in Aero Glass will be fixed sometime.

[Aero Glass for Win8.1+ v1.5.2]

@Lum
Strange, Hyper-V presence shouldn't change hardware ID. At least it doesn't happen on my end.

@Tusticles
Which theme you're using that has this type of glow you get in the first screenshot?

[UxTheme Signature Bypass]

OK, I understand now that running aerohost via srvany doesn't solve DLL injection problem. So we're still at the dead end...

[UxTheme Signature Bypass]

Disable option in Task Scheduler doesn't stop it if it's already running, must select End and then Disable. That's the only possibility for ending up with 2 running aerohost instances I could think of. So if you just select disable in Task Scheduler and run the script to install it as service, you end up with 2 instances. But after a reboot, you should have only 1 aerohost started by srvany.exe.

[Aero Glass ThemeAtlas]

15 hours ago, dhjohns said:

Ultra Uxtheme Patcher is not a virus.  It is a program which replaces the orginal themeui.dll, UXInit.dll, and uxtheme.dll files in System32 with patched ones.  It creates backups of your originals, and renames theme with a .bak extension.  It is also reversable (uninstallable.)  If you install Windows 10 in a VM, and run the patcher you can copy these files to a folder.  Then, you do not need the patcher to replace them.  Simply take ownership of the original files, rename, and replace them yourself.  Of course, if you have no idea what you are doing, and do not follow other patching steps, or use the wrong themes for your build, you can definitely log on to an unusable desktop.

Indeed, anti-virus programs love to flag useful non-malicious stuff for various reasons. Check out this blog post: http://blog.nirsoft.net/2009/05/17/antivirus-companies-cause-a-big-headache-to-small-developers/ File system modifications can certainly be malicious, not in this case though, and the warning on the website about total Windows breakage is just so you don't blame the author if something goes wrong.

It's true however that using custom themes always carries a small risk of breaking something. What happens if Windows Update replaces those files with originals and you don't switch back to stock theme until files are re-patched? You won't make it to your desktop because Windows rather commits suicide instead of falling back to stock theme.

Big Muscle's theme signature bypass DLLs lasted for quite some time, they just broke now with Creators Update.

It's a wild goose chase with custom themes in general, need to keep up with how they change under the hood. From Anniversary Update to Creators Update in its current state, it seems they haven't changed drastically under the hood.

[UxTheme Signature Bypass]

So it really works now? Starting aerohost.exe with the method I posted? You said you did disable the scheduled task the first time. I can confirm Pipe error occurs if you try to run 2 aerohost.exe instances.

[UxTheme Signature Bypass]

It's hard to say. Type of disk and passworded vs passwordless account could be influencing factors in your particular case. Would be interesting to know what happens if you set passwords on those 2 computers you said don't have passwords. Apparently that extra time it takes to type in password helps on your computer with SSD. My machines have regular HDDs and using passwordless account works fine.

All this still doesn't explain why VirtualAllocEx fails. Just access denied is not verbose enough. Does UxStyle work on your end? I suggested it some time ago as its different approach might work, the only problem is that it still needs some fixes; not working on build 10586 and Creators Update builds, in some scenarios its service has to be restarted for the themes to work again and it's been said its driver doesn't load on UEFI systems with Secure Boot due to signing requirements.

[UxTheme Signature Bypass]

44 minutes ago, CKyHC said:

Why? I want install it in Program Files. Only UxTSB didn't work. Permissions to folder set as normal folder like in any other folder.

Just an idea. Interestingly, on Windows 8.1 majority of log entries don't appear, while on Windows 10 they do, so something changed in that regard. Either way, I don't think that problem would be solved by changing aerohost.exe into service. There is nothing particularly special about services, just that they interact with Service Control Manager.

Would the problem occur on completely fresh bare-bones Windows installation? I don't have any other ideas besides maybe some 3rd party software interfering somehow. I have 4 different machines at home and none of them have this issue. Sorry, can't help you with this one.

[UxTheme Signature Bypass]

2 hours ago, CKyHC said:

[2017-03-03 14:14:56][0x1190:0x2BDC] Module: C:\Program Files\AeroGlass\DWMGlass.dll

Install AeroGlass in C:\AeroGlass.

[UxTheme Signature Bypass]

Exactly, applications that are run under SYSTEM account run indefinitely unless you fully shut down or reboot the system. This just makes it independent from the Task Scheduler so maybe it starts sooner. Better solution would be modifying aerohost.exe to accept service events.

srvany.exe is the wrapper that can make any application run as the service, but it is obsolete and has number of limitations. It's true that you can't make aerohost.exe directy run as the service with sc create. https://www.coretechnologies.com/products/AlwaysUp/srvany.html Then you have paid solutions like FireDaemon Pro or AlwaysUp. Those are the must if you want to run eg. a game server which wasn't coded as the service. There is also free NSSM.

I can't really say if this helps with anything as I can't reproduce the injection problem on my end neither, but those are the only ways to run non-service application like it was the service. If it actually helps, judging by UxStyle source code, it doesn't seem it would take a lot of effort to turn aerohost.exe into real service.

[UxTheme Signature Bypass]

If it helps anyone, I wrote a small batch script that runs aerohost.exe as a service with the help of the srvany.exe wrapper mentioned few posts above. Just extract both files and run InstallAGService as admin. And do stop Aero Glass task beforehand from Task Scheduler and disable/delete it.

If you want to delete the service:

sc stop aerohost
sc delete aerohost

Then only the wrapper, which is copied to either Windows\System32 or Windows\SysWOW64 remains.

AeroGlassAsService.zip

[UxTheme Signature Bypass]

Just for informational purposes, UxTSB no longer works with Insider build 15042. UltraUXThemePatcher is updated to support it. Old .msstyles for Anniversary Update still work with minor glitches, I only noticed some outlines being visible inside the window while in Peek Desktop.

This build doesn't have the watermark. Maybe theme related things won't see further changes. But 1 month is still plenty of time to flip everything upside-down. No symbols to see Aero Glass in action, but again, nothing crashes. Says it runs in always-glass mode, though it looks more like no-glass mode.

[UxTheme Signature Bypass]

New injection method by DWMGlass.dll doesn't require signed DLL, something else can go wrong. Microsoft's official opinion is that there is no reliable method for injecting a DLL in a running process, if that has something to do with it. At least, their own Detours library version 1.5 had a function for DLL injection, which I believe, under the hood utilized the CreateRemoteThread method, like DWMGlass.dll.

The only bad thing that happened once on my end were tons of VirtualAllocEx errors in debug.log and at the time it seemed like logon process was aborted, second logon attempt worked, but apparently, things can go worse for unknown reasons.

Good point about the signing, AppInit_DLLs method would work with secure boot if UxTSB.dll was signed, just the fact that it lands in almost every process is a bit of an overkill. They wrote long time ago on MSDN they may remove it in the future. Good point about UxStyle as well, I forgot about the driver that has to be signed.

Late edit: Actually, AppInit_DLLs is completely disabled when Secure Boot is active.

[UxTheme Signature Bypass]

A bit off-topic, but UxStyle seems to work on Win10 latest build 14393 at first glance, though no luck on build 10586 and the word is it doesn't work on newer Insider builds. There have been reports about certain issues, but no new commits. None of the people that forked it changed anything either. Just bringing it up because its different approach might bypass winlogon-loop problem. If only someone with the knowledge addressed its issues.

[Text overflow & broken themes on title bar with win10 14393]

Text problem is due to a bug in Aero Glass v1.5.2 which hasn't been fixed yet. For the theme atlas problem, you need a Win10 14393 (Anniversary Update) compatible atlas.

[text glow atlas theme for windows 10]

There is another type of glow effect besides the one from the atlas image, composited glow effect. If you find the theme where setting Caption glow effect mode to Use theme settings in Aero Glass GUI produces glow, you should be able to get same type of glow in Ribbon windows. I know for certain such themes exists for Windows 8.1 and 7. Composited glow effect is what you get out of the box on Windows 7.

[Aero Glass for Win8.1+ 1.5.1]

Compatibility modes only hook legacy GetVersion and GetVersionEx APIs, Firefox uses VerifyVersionInfo. There is a bunch of CSS stuff in there that adjust UI differently if ran on Windows 10. Supposedly whole capability for querying OS version using CSS was implemented so the UI can adjust according to the used OS.

I'd really like to know where exactly Windows caches manifests. Because just saving the file with Resource Hacker didn't change anything. Only when the modified date changes on the .exe it will re-read the manifest. When you put back the original modified date, it will use original manifest.

[Aero Glass for Win8.1+ 1.5.1]

I removed Windows 10 GUID from firefox.exe's manifest with Resource Hacker, then altered firefox.exe's last modified date by opening it and saving it again with Notepad++ for Windows to register new manifest (Resource Hacker doesn't do it). It's better to change the date with BulkFileChanger. Logging off might also be sufficient on recent Windows 10 builds.

Now it thinks it runs on Windows 8.1 and behaves just like it does on said OS.