
Ximonite

Member
  • Posts: 173
  • Days Won: 3
  • Donations: 10.00 USD
  • Country: United States

Everything posted by Ximonite

  1. It's from BlackWingCat's extended kernel, but it calls ole32.CoTaskMemAlloc directly instead of calling a function that calls it with LoadLibraryA and GetProcAddress. Also, here's the matching implementation of GetCurrentProcessExplicitAppUserModelID:

         mov     edx, [esp+AppID]
         test    edx, edx
         jz      short loc1
         mov     eax, lpString
         test    eax, eax
         jz      short loc_7D04A866
         push    eax             ; lpString
         call    ds:lstrlenW
         inc     eax
         add     eax, eax
         push    eax
         call    ds:CoTaskMemAlloc
         mov     [edx], eax
         mov     eax, lpString
         push    eax             ; lpString2
         push    dword ptr [edx] ; lpString1
         call    ds:lstrcpyW
         xor     eax, eax
         retn    4
     loc1:
         mov     eax, 80004005h
         retn    4

     Attachment: GetCurrentProcessExplicitAppUserModelID.hex
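The disassembly above allocates (lstrlenW + 1) * 2 bytes with CoTaskMemAlloc, writes the pointer into the caller's out parameter, and copies the process-wide AppUserModelID into it with lstrcpyW; it returns E_FAIL (0x80004005) when the out pointer is NULL. One thing it does not do is check the CoTaskMemAlloc result before lstrcpyW, so an allocation failure becomes a write through a NULL pointer. The C below is an added example, not code from the post, from KernelXE or from BlackWingCat's kernel: it restates the Set/Get pair in portable C with that check added. Everything Windows-specific is stood in for and is an assumption: CoTaskMemAlloc/CoTaskMemFree are replaced by malloc/free, lstrlenW/lstrcpyW by wcslen/memcpy, HRESULT by a uint32_t with the usual S_OK/E_FAIL/E_OUTOFMEMORY/E_INVALIDARG values, the global `g_app_id` plays the role of `lpString`, and returning E_FAIL when no ID has been set is assumed (the disassembly's branch for that case is cut off at `loc_7D04A866`). Note that sizeof(wchar_t) is 2 on Windows but typically 4 elsewhere, which is why the size is computed with sizeof rather than the asm's `add eax, eax`.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <wchar.h>

/* Stand-ins for HRESULT and the COM status codes (assumption: no windows.h available). */
typedef uint32_t HRESULT_t;
#define S_OK_          0x00000000u
#define E_FAIL_        0x80004005u   /* the value the posted asm returns at loc1 */
#define E_OUTOFMEMORY_ 0x8007000Eu
#define E_INVALIDARG_  0x80070057u

/* Stand-ins for ole32!CoTaskMemAlloc / CoTaskMemFree (assumption: malloc/free here). */
static void *co_task_mem_alloc(size_t n) { return malloc(n); }
static void  co_task_mem_free(void *p)   { free(p); }

/* Process-wide explicit AppUserModelID; the role played by the global `lpString` in the asm. */
static wchar_t *g_app_id = NULL;

/* SetCurrentProcessExplicitAppUserModelID equivalent: keep a private copy of the caller's string. */
HRESULT_t set_current_process_explicit_app_user_model_id(const wchar_t *app_id) {
    if (app_id == NULL) return E_INVALIDARG_;           /* assumption: reject a NULL ID */
    size_t bytes = (wcslen(app_id) + 1) * sizeof(wchar_t);
    wchar_t *copy = co_task_mem_alloc(bytes);
    if (copy == NULL) return E_OUTOFMEMORY_;
    memcpy(copy, app_id, bytes);
    co_task_mem_free(g_app_id);                         /* replace any previously set ID */
    g_app_id = copy;
    return S_OK_;
}

/* GetCurrentProcessExplicitAppUserModelID equivalent: hand the caller its own
 * CoTaskMemAlloc'd copy, which the caller must release with CoTaskMemFree. */
HRESULT_t get_current_process_explicit_app_user_model_id(wchar_t **out) {
    if (out == NULL) return E_FAIL_;                    /* test edx,edx / jz loc1 in the asm */
    *out = NULL;
    if (g_app_id == NULL) return E_FAIL_;               /* assumption: no ID set -> E_FAIL */
    size_t bytes = (wcslen(g_app_id) + 1) * sizeof(wchar_t); /* (lstrlenW + 1) * sizeof(WCHAR) */
    wchar_t *copy = co_task_mem_alloc(bytes);
    if (copy == NULL) return E_OUTOFMEMORY_;            /* the posted asm lacks this check */
    memcpy(copy, g_app_id, bytes);                      /* lstrcpyW in the asm */
    *out = copy;
    return S_OK_;
}

/* Exercise the pair end to end: set, get, compare, and free the returned copy. */
int roundtrip_matches(const wchar_t *app_id) {
    if (set_current_process_explicit_app_user_model_id(app_id) != S_OK_) return 0;
    wchar_t *got = NULL;
    if (get_current_process_explicit_app_user_model_id(&got) != S_OK_ || got == NULL) return 0;
    int same = (wcscmp(got, app_id) == 0) && (got != g_app_id); /* caller owns a distinct copy */
    co_task_mem_free(got);
    return same;
}

/* With no ID set, Get must fail with E_FAIL and leave the out pointer NULL. */
int get_without_id_is_e_fail(void) {
    co_task_mem_free(g_app_id);
    g_app_id = NULL;
    wchar_t *got = (wchar_t *)1;                        /* poison to prove *out is cleared */
    return get_current_process_explicit_app_user_model_id(&got) == E_FAIL_ && got == NULL;
}

int main(void) {
    int ok = roundtrip_matches(L"Ximonite.KernelXE.Example") && get_without_id_is_e_fail();
    return ok ? 0 : 1;
}
```

The ownership rule is the part worth remembering when writing or reverse-engineering these shims: the Get side allocates from the COM task allocator so that callers compiled against the real shell32 can free the string with CoTaskMemFree, and the Set side must keep its own copy because the caller's buffer may not outlive the call.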
  2. I have already looked at what functions it needs and there were only a few missing in ntoskrnl. I also noticed that it requires WinUSB. Both of these will be added to KernelXE when they are confirmed working.
  3. PAE Update: I have decided that I will add PAE support to KernelXE v0.2.3 instead of saving it for v0.2.4. This means the expected release of KernelXE will be pushed back, but I think PAE is worth the wait. Here is some decompiled code for one of the modifications I have already made to try to add PAE support:

     Original:

         LessThan16Mb = 1;
         for ( i = *(_UNICODE_STRING **)&RegistryPath[1].Length; i != &RegistryPath[1]; i = *(_UNICODE_STRING **)&i->Length )
         {
           v10 = *(_DWORD *)&i[1].Length;
           if ( v10 != 6 && v10 != 22 && (unsigned int)i[1].Buffer + *(_DWORD *)&i[2].Length > 0x1000 )
           {
             LessThan16Mb = 0;
             break;
           }
         }
         dword_8001A4E4 = 0x40;
         v11 = 0x10000;
         v12 = HalpAllocPhysicalMemory(RegistryPath, 0x1000000, 0x10, 1);
         if ( !v12 )
           v11 = 0;
         PhysicalAddress.QuadPart = v12;
         dword_8001A4F4 = 0;
         NumberOfBytes = v11;
         if ( MEMORY[0xFFDF027D] )
         {
           dword_8001A504 = 0x4000;
           v13 = 0x30000;
           v14 = HalpAllocPhysicalMemory(RegistryPath, 0xFFFFFFFF, 0x30, 1);
           if ( !v14 )
             v13 = 0;
           dword_8001A510 = v14;
           dword_8001A514 = 0;
           dword_8001A508 = v13;
         }
         HalpCallbackRecord.State = 0;
         KeRegisterBugCheckCallback(&HalpCallbackRecord, HalpBugCheckCallback, 0, 0, "ACPI 1.0 - APIC platform MP");
       }
       result = HalpInitMP(DriverObject, RegistryPath);
       if ( DriverObject == (PDRIVER_OBJECT)1 )
         result = HalpEnableNMI();
       LOBYTE(result) = 1;
       return result;
     }

     Modified:

         LessThan16Mb = 1;
         for ( i = *(_UNICODE_STRING **)&RegistryPath[1].Length; i != &RegistryPath[1]; i = *(_UNICODE_STRING **)&i->Length )
         {
           v10 = *(_DWORD *)&i[1].Length;
           if ( v10 != 6 && v10 != 22 && (unsigned int)i[1].Buffer + *(_DWORD *)&i[2].Length > 0x1000 )
           {
             LessThan16Mb = 0;
             break;
           }
         }
         dword_8001A4E4 = 0x4000;
         v11 = 0x30000;
         v12 = HalpAllocPhysicalMemory(RegistryPath, 0xFFFFFFFF, 0x30, 1);
         if ( !v12 )
           v11 = 0;
         PhysicalAddress.QuadPart = v12;
         dword_8001A4F4 = 0;
         NumberOfBytes = v11;
         HalpCallbackRecord.State = 0;
         KeRegisterBugCheckCallback(&HalpCallbackRecord, HalpBugCheckCallback, 0, 0, "ACPI 1.0 - APIC platform MP");
       }
       result = HalpInitMP(DriverObject, RegistryPath);
       if ( DriverObject == (PDRIVER_OBJECT)1 )
         result = HalpEnableNMI();
       LOBYTE(result) = 1;
       return result;
     }
  4. I am currently checking to see if this is the issue, which I have a feeling it is, since this sounds like something that could cause these kinds of issues. In my other post, I am just saying that I haven't confirmed anything as definitely causing the issue.
  5. Can you see the hardware IDs of these unknown devices? If you can and they are PCI or USB IDs, put them into DeviceHunt to see the name of the device, then use that to find drivers.
  6. I definitely have been through driver issues with this specific NIC. It's present in my Dell XPS M1210, which I run Windows 98 SE on. Even on Windows 98 SE, it's not guaranteed that any Windows 98 SE driver will work. I would recommend trying these drivers. The SYS file is from the Windows NT 4 v4.37 drivers and the INF file is from the Windows 98 v4.28 drivers and customized by me specifically to work with the NDIS 4.0 driver.
  7. Status Update: I am mostly ready to release Beta 3 of KernelXE. Here is what I have done so far:

     kernel32:
       • Removed "mov edi, edi" from the beginning of some functions.

     ntdll:
       • I reset development for ntdll and started from "scratch" (WildBill's ntdll).
       • Added exports for: NtLockProductActivationKeys, RtlLogStackBackTrace, _swprintf
       • Added functions: NtDeleteBootEntry, NtModifyBootEntry, NtAddBootEntry, NtEnumerateBootEntries, NtQueryBootEntryOrder, NtQueryBootOptions, NtSetBootEntryOrder, NtSetBootOptions, NtEnumerateSystemEnvironmentValuesEx, NtTranslateFilePath, NtQuerySystemEnvironmentValueEx, NtSetSystemEnvironmentValueEx, RtlDllShutdownInProgress, RtlInterlockedCompareExchange64, RtlInterlockedPushListSList, RtlIsCriticalSectionLockedByThread, RtlNewSecurityObjectWithMultipleInheritance, RtlGetLastNtStatus, RtlGetLastWin32Error, EtwEventRegister, EtwpCreateEtwThread, RtlRunOnceComplete, Nt/ZwReleaseKeyedEvent (code redirection to ntoskrnl), RtlInitializeConditionVariable, RtlInitializeSRWLock, RtlRunOnceInitialize, RtlWakeAllConditionVariable, RtlWakeConditionVariable, _CIcos, _CIlog, _CIsin, _CIsqrt, _alloca_probe_16, _alloca_probe_8

     ntoskrnl:
       • Added functions: Nt/ZwReleaseKeyedEvent (not exported, added to KiServiceTable), ExfAcquirePushLockExclusive, ExfAcquirePushLockShared, ExfReleasePushLock
       • Added exports for: ObSetSecurityObjectByPointer, SeTokenObjectType, NtAssignProcessToJobObject, NtCreateJobObject, NtOpenJobObject, NtQueryFullAttributesFile, NtQueryInformationJobObject, NtQueryInformationThread, NtSetInformationJobObject, NtTerminateJobObject, ZwAssignProcessToJobObject, ZwCreateJobObject, ZwOpenJobObject, ZwQueryFullAttributesFile, ZwQueryInformationJobObject, ZwSetInformationJobObject, ZwTerminateJobObject, NtOpenThread

     To-do before release:
       • kernel32: Try a few things to maybe fix CreateActCtxW
       • ntkrnlmp, ntkrnlpa, ntkrpamp: Everything done to ntoskrnl

     Plans for future:
       • Fix Dependency Walker and CFF Explorer crashes (this one has been around since the original KernelXE and I still haven't figured out why they happen)
       • Add PAE through "/PAE" in boot.ini
  8. Monitor drivers aren't gonna cause major issues, even if installing the wrong ones. They don't need any drivers to work, the only thing you would notice when installing the wrong drivers is that the colors may be slightly off. I use Driver Booster when using a new hardware/OS combo and I save which drivers Driver Booster installs for later.
  9. SDI definitely installs incompatible drivers sometimes. I have had SDI install a wrong driver that completely bricks an install multiple times, and one of these times was on Vista. I haven't had any issues with Driver Booster besides a few Windows 2000 specific ones. I generally don't like IObit but Driver Booster is an actually decent program.
  10. I have Comcast, and it has a data cap of 1TB. What I have is advertised as 70 megabit, but is usually a bit over 80 megabit, and in the middle of the night, may even go over 100 megabit. Upload speeds change all the time. Sometimes, it's less than 1 megabit and sometimes, it's over 10 megabit. When the upload speed is fast or slow is completely random. The monthly bill moves around a bit month per month, but is always between $74 and $77. Update: Remembered wrong. It's actually between $84 and $87.
  11. It's definitely 32 bit. On my KernelXE test machine, it gets past "This program is not a valid Win32 application" and displays an error with whatever missing function it tries to run first.
  12. Based on the fact that Nomen mentioned using Intel Application Accelerator and said they are Pentium 3 and 4 machines, it's safe to assume that the chipsets are Intel 8xx chipsets. The BIOS may or may not have an effect. I don't know enough about BIOSes to know what determines if a BIOS can boot from a drive over 137GB. All I can say for sure is that Windows NT 4 will be fine if you use a driver that supports LBA-48, like the one included in Intel Application Accelerator.
  13. I used your advice and discovered what could be the problem. I found that GetSystemInfo and QueryPerformanceCounter are called by functions in a different section in my kernel32, but not BlackWingCat's kernel32, and every program that crashes calls these functions. I tried moving GetSystemInfo to .patch and QueryUnbiasedInterruptTime to .text to see if that fixes the issue, and now some new programs generate these errors. One of them happens to be winlogon.exe. Then, I found an empty area in .text, so I put everything that calls GetSystemInfo in this blank space. This fixed the winlogon.exe error, but not the original errors with Dependency Walker and CFF Explorer.
  14. The issue is in Windows NT 4's ATA driver, so using a 3rd party ATA driver like the one included in Intel Application Accelerator will completely remove the need to fix the issue in your situation.
  15. I will keep this in mind, but I want to spend all my time on kernel32 right now, since I need to fix CreateActCtxW, which is an important function that lots of programs use. I also want to figure out the generated error messages when trying to open CFF Explorer and Dependency Walker. When using IDA 5.0, I found the errors they generated.

      CFF Explorer: The instruction at 0x0 referenced memory at 0x0. The memory could not be read (0x00000000 -> 0x00000000)

      Dependency Walker: The instruction at 0x893 referenced memory at 0x893. The memory could not be read (0x00000893 -> 0x00000893)
  16. DirectX 9.0c December 2006 is the last version that officially supports Windows 98 (FE and SE). Unofficially, DirectX 9.0c August 2007 works on vanilla Windows 98 SE. Links:
      • DirectX 9.0c December 2006
      • Unofficial DirectX 9.0c August 2007
  17. I host private development versions of KernelXE files on mega.nz
  18. Windows Server 2003 also has the Fls functions, and those ones are probably easier to port to XP. I haven't done anything with the SleepConditionVariable functions yet, but I plan to use code from XomPie for those functions. I was originally going to use the Windows Server 2003 Fls functions in KernelXE R2 but ended up using One Core API's implementation since it's the closest implementation to the Windows Server 2003 function that doesn't use __SEH_prolog and __SEH_epilog.
  19. Replacing the W at the end of CreateActCtxW with "_" was enough for explorer.exe to load. I still get the "generated errors" message when trying to run Dependency Walker and CFF Explorer. The functions you mention happen to be the functions I had the least confidence in, except for EncodePointer and DecodePointer.
  20. No, but there are some exclusive things in WildBill's files that I don't know enough about to be able to move them to BlackWingCat's dlls.
  21. That's definitely bound to cause issues. Mixing BlackWingCat and WildBill files is not a good idea.
  22. I forgot most of the update numbers too since I made a WildBill update collection that includes everything. I install SP5, Update Rollup 2, and the WildBill Update Collection on my test computer. Have you been able to replicate the issues I have on my test PC and do you have any idea what could be causing these issues?