WildBill

Everything posted by WildBill

  1. If you go to my PE Tool thread, toward the bottom is a rather long list of all of the APIs that were added with the latest KB2393802 and KB2408429 patches. EncodePointer and DecodePointer are in the list, and I've tested them pretty thoroughly. The APIs to watch out for are the SxS activation context APIs: I've been working like crazy to add them to KB2393802-v9, but it's an enormous job. Let's hope Gecko v.13 doesn't need them.
  2. Add it to the to-do pile, LOL. A little update, since I've been silent for quite a while. For the past few months I've been working just about every day on getting SxS support into 2k, which would let us have all of the kernel32 .....ActCtx API routines. I *think* I'm nearing completion, but there have been so many layers to this onion I'm reluctant to say for sure. So far I had to expand the PEB and TEB structures in the kernel, expand internal timer and wait structures, upgrade how the kernel handles work items, add a ton of routines to ntdll, add a bunch to kernel32 (and upgrade even more), upgrade basesrv, add sxs.dll from the latest XP hotfix, and I'm still not done yet. At present I'm eyeball-deep in kernel32's CreateProcessInternalW, which needs to be upgraded before I can complete the internal connections in basesrv. And then, we'll see if the onion has more layers to unwrap. So far, nothing seems to be broken per se, and 2k nicely creates and populates the WINNT\winsxs folder automatically, but Adobe Reader 9 barfs with an MSVC error. This is because it's detecting the new ActCtx routines and (now thinking it's on an XP machine) trying to create an activation context using CSRSS, which is why I have to upgrade basesrv. But I can't complete that until I upgrade CreateProcessInternalW to give basesrv the extra information it needs to do that. I have all of the extra code I need into basesrv at the moment, but the new stuff isn't connected and can't be until this kernel32 change is done. All I can say is, thank God for ReactOS. Their source has been invaluable in figuring out some of the structures involved.
  3. New patch posted: MS11-038 Vulnerability in OLE Automation Could Allow Remote Code Execution (critical). You can find it on the master list...
  4. One caveat about MS11-013: while I believe I've faithfully ported the patch and it seems to work fine, from my analysis I'm not certain that MS took the patch quite far enough. Maybe I'm just being paranoid, but I might take a second look at their patch tomorrow as I'm not convinced that they fully closed the security hole... Edit: false alarm, it looks okay.
  5. Another day, another version: MS11-020 v6 is posted, with the following changes:
     - incorporates KB907868 (kerberos length-validation HBR)
     - incorporates MS11-013 (KB2496930: Vulnerabilities in Kerberos Could Allow Elevation of Privilege)
     - incorporates MS11-014 (KB2478960: Vulnerability in Local Security Authority Subsystem Service Could Allow Local Elevation of Privilege)
     The samsrv HBR will take quite a while to analyze, and I have some higher priorities at the moment, e.g. adding vDbgPrintEx to ntoskrnl et al. and porting MS11-034 (which will also take a while to analyze). These priorities are open to change, of course, especially if anyone else wants to determine the necessary changes to samsrv in the meantime...
  6. I'll see about adding vDbgPrintEx when I can. In other news, I have a local version of MS11-020 that has a kerberos that's based on the HBR version, but it looks like analyzing samsrv is going to take significantly longer. I might release an interim one with the upgraded kerberos one in the meantime (the HBR merely adds a length check on incoming messages).
  7. Hmm. I just realized that my MS11-012 patch actually does require MS11-011; it just doesn't do so explicitly. I'm going to have to release *another* MS11-011 with the new win32k.sys removed (so to get the new win32k.sys functions people should upgrade MS11-012 instead if they haven't done so already). As for kerberos.dll and samsrv.dll, is there an HBR that has those other versions? Ignore the scratched-out part...getting all these hotfixes mixed up in my head...
  8. Just to be ultra-safe I also just posted MS11-012 V7, which has the new win32k.sys that I added to MS11-011 V8. This probably still has the slipstreaming issues that V6a had, but at least there is now no possibility of overwriting the newer win32k.sys from MS11-011 V8 with an older one. Both hotfixes now contain win32k.sys 5.0.2195.7401.
  9. Due to a bug in one of the new kernel routines (thanks, Bristols, for finding it), I've had to post MS11-011 V8. This one also adds a new version of win32k.sys: I had originally wanted to wait until I posted MS11-034 (KB2506223) to add routines to win32k.sys, but analysis is showing that there are quite a lot of changes in MS11-034 such that it will take a while to complete. I'd really like to see if people can get the ATI v11 drivers working, so this one includes win32k.sys with some functions added. As such, I've also added a requirement that MS11-012 (KB2479628) first be installed (which I'm not happy about...this is why I held off on adding win32k.sys until now). Hopefully this won't create a problem as there is no circular dependency and this hotfix will warn you to install KB2479628 if need be. Anyhow, here's the new list of additions:

     ntoskrnl.exe/ntkrnlpa.exe/ntkrnlmp.exe/ntkrpamp.exe: KeAcquireInterruptSpinLock, KeReleaseInterruptSpinLock, InterlockedPushEntrySList, InterlockedPopEntrySList, RtlInt64ToUnicodeString, RtlIntegerToUnicode, RtlClearBit, RtlTestBit, RtlSetBit, ZwQueryInformationThread (already there, added it to the export table), IoForwardIrpSynchronously/IoForwardAndCatchIrp (same routine, has two different exported names), PsRemoveLoadImageNotifyRoutine (had to completely redesign the set and call routines to make this work), PsRemoveCreateThreadNotifyRoutine (had to completely redesign the set and call routines to make this work), _vsnwprintf, _aulldvrm, RtlGetVersion, KeFlushQueuedDpcs, DbgPrintEx

     ntdll.dll: RtlIpv4StringToAddressA, RtlIpv4StringToAddressW, RtlIpv4StringToAddressExA, RtlIpv4StringToAddressExW, RtlIpv4AddressToStringA, RtlIpv4AddressToStringW, RtlIpv4AddressToStringExA, RtlIpv4AddressToStringExW, RtlIpv6StringToAddressA, RtlIpv6StringToAddressW, RtlIpv6StringToAddressExA, RtlIpv6StringToAddressExW, RtlIpv6AddressToStringA, RtlIpv6AddressToStringW, RtlIpv6AddressToStringExA, RtlIpv6AddressToStringExW, RtlInitializeGenericTableAvl, RtlIsGenericTableEmptyAvl, RtlGetElementGenericTableAvl, RtlNumberGenericTableElementsAvl, RtlInsertElementGenericTableAvl, RtlDeleteElementGenericTableAvl, RtlEnumerateGenericTableLikeADirectory, RtlLookupElementGenericTableAvl, RtlEnumerateGenericTableWithoutSplayingAvl, RtlEnumerateGenericTableAvl, RtlEncodePointer (not a stub -- it's the real functionality and depends on changes to ntoskrnl.exe, etc.), RtlDecodePointer (not a stub -- it's the real functionality and depends on changes to ntoskrnl.exe, etc.), RtlInterlockedPushEntrySList, RtlInterlockedPopEntrySList, RtlInterlockedFlushSList, RtlQueryDepthSList, RtlInitializeSListHead, LdrLockLoaderLock, LdrUnlockLoaderLock, LdrAddRefDll, RtlComputePrivatizedDllName_U, RtlValidateUnicodeString, RtlDuplicateUnicodeString, RtlDowncaseUnicodeChar, RtlFindCharInUnicodeString, RtlpEnsureBufferSize, RtlMultiAppendUnicodeStringBuffer, RtlAppendPathElement, LdrEnumerateLoadedModules, RtlRandomEx, RtlUnhandledExceptionFilter2, RtlUnhandledExceptionFilter, RtlAddVectoredExceptionHandler (also involved updating LdrpInitializeProcess and RtlDispatchException and adding internal function RtlCallVectoredExceptionHandlers), RtlRemoveAddVectoredExceptionHandler (also involved updating LdrpInitializeProcess and RtlDispatchException and adding internal function RtlCallVectoredExceptionHandlers), RtlGetNtVersionNumbers, DbgPrintEx (Fixed version), _vsnwprintf, _lfind, _aulldvrm, _alldvrm, RtlpNotOwnerCriticalSection, RtlpApplyLengthFunction, RtlCopyOutOfProcessMemoryStreamTo, RtlLockMemoryStreamRegion, RtlUnlockMemoryStreamRegion, RtlNtPathNameToDosPathName, RtlGetLengthWithoutLastFullDosOrNtPathElement, RtlCreateBootStatusDataFile, RtlComputeCrc32, RtlCaptureContext, RtlLockBootStatusData, RtlUnlockBootStatusData, RtlGetSetBootStatusData, RtlNtStatusToDosErrorNoTeb (already there, only had to add it to the export table), RtlAddMemoryStream, RtlReleaseMemoryStream, RtlQueryInterfaceMemoryStream, RtlReadOutOfProcessMemoryStream, RtlRevertMemoryStream, RtlCloneMemoryStream, RtlCommitMemoryStream, RtlSetMemoryStreamSize, RtlWriteMemoryStream, RtlSeekMemoryStream, RtlCopyMemoryStreamTo, RtlReadMemoryStream, RtlStatMemoryStream, RtlInitMemoryStream, RtlFinalReleaseOutOfProcessMemoryStream, RtlInitOutOfProcessMemoryStream, RtlSetLastWin32ErrorAndNtStatusFromNtStatus, RtlSetLastWin32Error/RtlRestoreLastWin32Error (same routine, exported under two different names)

     bootvid.dll: VidSetVgaPalette (used by the bootskin code)

     kernel32.dll: DecodePointer (forwarded export to NTDLL.RtlDecodePointer), EncodePointer (forwarded export to NTDLL.RtlEncodePointer), InterlockedPushEntrySList (forwarded export to NTDLL.RtlInterlockedPushEntrySList), InterlockedPopEntrySList (forwarded export to NTDLL.RtlInterlockedPopEntrySList), InterlockedFlushSList (forwarded export to NTDLL.RtlInterlockedFlushSList), QueryDepthSList (forwarded export to NTDLL.RtlQueryDepthSList), InitializeSListHead (forwarded export to NTDLL.RtlInitializeSListHead), GetModuleHandleExA, GetModuleHandleExW, IsWow64Process, IsWow64Message, GetProcessHandleCount, GetNativeSystemInfo (same as GetSystemInfo, simply added another export table entry), SetDllDirectoryA, SetDllDirectoryW, GetDllDirectoryA, GetDllDirectoryW, AttachConsole, TzSpecificLocalTimeToSystemTime, SetClientTimeZoneInformation, IsValidUILanguage, GetSystemWow64DirectoryA, GetSystemWow64DirectoryW, SetHandleContext, GetProcessId, GetSystemTimes, CreateMemoryResourceNotification, QueryMemoryResourceNotification, AddVectoredExceptionHandler (forwarded export to NTDLL.RtlAddVectoredExceptionHandler), RemoveVectoredExceptionHandler (forwarded export to NTDLL.RtlRemoveAddVectoredExceptionHandler), RtlCaptureStackBackTrace, SetThreadUILanguage, LZStart, GetExpandedNameA, GetExpandedNameW, LZInit, LZDone, LZCreateFileW, LZOpenFileA, LZOpenFileW, LZSeek, LZRead, LZClose, LZCloseFile, LZCopy, CopyLZFile, GetVolumePathNamesForVolumeNameW, GetVolumePathNamesForVolumeNameA, GetHandleContext, GetCPFileNameFromRegistry, EnumerateLocalComputerNamesW, EnumerateLocalComputerNamesA, CreateSocketHandle, CreateNlsSecurityDescriptor, AddLocalAlternateComputerNameW, AddLocalAlternateComputerNameA, RemoveLocalAlternateComputerNameW, RemoveLocalAlternateComputerNameA, SetLocalPrimaryComputerNameW, SetLocalPrimaryComputerNameA, RtlCaptureContext

     win32k.sys: EngIsSemaphoreOwned, EngClearEvent, EngBugCheckEx (forwards to NTOSKRNL.KeBugCheckEx), EngAllocSectionMem, EngFreeSectionMem, EngMapSection

     I'm prepared to release a new version of MS11-012 that also contains the new win32k.sys just to be safe, but I'm not sure which version is best to use as a starting point: the last one I released or tomasz's updated version. Any recommendations?
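The EncodePointer/DecodePointer pair that post 1 says was tested, and that the list above marks as real functionality depending on ntoskrnl changes, works on a simple principle: a per-process secret owned by the kernel is mixed into every long-lived function pointer, so an attacker who overwrites a stored pointer without knowing the secret cannot choose where the call lands. The following is an added example, not WildBill's ntdll or kernel code; the deterministic seed, the 32-bit pointer model and the exact XOR-and-rotate transform are assumptions made for illustration.

```c
/* Constructed illustration of the EncodePointer/DecodePointer scheme (not WildBill's
 * ntdll/ntoskrnl code). A per-process secret, the "cookie", is owned by the kernel and
 * handed to user mode on request; every long-lived function pointer is stored mixed with
 * that cookie and unmixed only at call time. The XOR-then-rotate transform below follows
 * the commonly described 32-bit layout; treat its exact details as an assumption. */
#include <stdint.h>
#include <stdio.h>

typedef uint32_t ptr32_t;                /* model of a 32-bit Win2k pointer */

static uint32_t rotr32(uint32_t v, unsigned n) { n &= 31; return n ? (v >> n) | (v << (32 - n)) : v; }
static uint32_t rotl32(uint32_t v, unsigned n) { n &= 31; return n ? (v << n) | (v >> (32 - n)) : v; }

/* "Kernel side": the cookie lives with the process object and is created on first query.
 * A real kernel draws it from a random source; this stand-in takes a seed so the example
 * is reproducible. This dependency is why the Rtl routines need kernel changes. */
static uint32_t g_process_cookie;
static uint32_t kernel_query_process_cookie(uint32_t seed) {
    if (g_process_cookie == 0) g_process_cookie = seed ? seed : 0x9E3779B9u;
    return g_process_cookie;
}

/* "ntdll side": RtlEncodePointer / RtlDecodePointer. The rotation amount comes from the
 * cookie itself, so the transform is not a plain XOR that a partial overwrite could cancel. */
static ptr32_t encode_pointer(ptr32_t p, uint32_t cookie) { return rotr32(p ^ cookie, cookie & 31); }
static ptr32_t decode_pointer(ptr32_t e, uint32_t cookie) { return rotl32(e, cookie & 31) ^ cookie; }

/* A callback slot of the kind that sits in a heap block or a global table. Legitimate
 * code stores the encoded form. An attacker who overwrites the slot with a raw target
 * address, but does not know the cookie, redirects the call to an unrelated address:
 * the control-flow hijack degrades into a crash. */
typedef struct { ptr32_t encoded_callback; } callback_slot_t;

static ptr32_t target_after_overwrite(uint32_t cookie, ptr32_t legit, ptr32_t attacker_value) {
    callback_slot_t slot = { encode_pointer(legit, cookie) };
    slot.encoded_callback = attacker_value;        /* simulated overflow into the slot */
    return decode_pointer(slot.encoded_callback, cookie);
}

int main(void) {
    uint32_t cookie = kernel_query_process_cookie(0x9E3779B9u);   /* constructed seed */
    ptr32_t legit = 0x7C801000u, enc = encode_pointer(legit, cookie);
    printf("cookie   %08x\n", cookie);
    printf("pointer  %08x encoded as %08x, decodes to %08x\n", legit, enc, decode_pointer(enc, cookie));
    printf("attacker writes %08x, call lands at %08x\n", 0x41414141u,
           target_after_overwrite(cookie, legit, 0x41414141u));
    return 0;
}
```

The point the kernel dependency makes is visible in `kernel_query_process_cookie`: the secret must exist before any DLL in the process stores an encoded pointer, and it must not be derivable from user-mode state an attacker can already read, so adding the Rtl routines to ntdll without a kernel-side cookie would give the API shape but none of the protection.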
  10. Thanks, it turned out to be easy to find with the info you sent me (I missed a LEAVE instruction on AttachConsoleInternal). A V8 will be out shortly...
  11. Here is the boot screen I'm using on my Win2k laptop (with MS11-011 installed to enable native bootskin support). I can't claim to have created it -- I only modded it to add the "Starting Windows" text. Unfortunately most boot skins cater to XP and above, but hopefully that will change now. (Attachment: bootskin.bmp)
  12. I've been running Avast 6.0.1289.0 on 2k for a while now with no problems. I had no idea they said it was only for XP.
  13. I found that my implementation of DbgPrintEx in ntdll was incorrect and would corrupt the stack, so I've posted MS11-011 V7 with a fixed version. I've also added DbgPrintEx to ntoskrnl et al. and RtlCaptureContext to kernel32. The new master additions list for V7 is below:

     ntoskrnl.exe/ntkrnlpa.exe/ntkrnlmp.exe/ntkrpamp.exe: KeAcquireInterruptSpinLock, KeReleaseInterruptSpinLock, InterlockedPushEntrySList, InterlockedPopEntrySList, RtlInt64ToUnicodeString, RtlIntegerToUnicode, RtlClearBit, RtlTestBit, RtlSetBit, ZwQueryInformationThread (already there, added it to the export table), IoForwardIrpSynchronously/IoForwardAndCatchIrp (same routine, has two different exported names), PsRemoveLoadImageNotifyRoutine (had to completely redesign the set and call routines to make this work), PsRemoveCreateThreadNotifyRoutine (had to completely redesign the set and call routines to make this work), _vsnwprintf, _aulldvrm, RtlGetVersion, KeFlushQueuedDpcs, DbgPrintEx

     ntdll.dll: RtlIpv4StringToAddressA, RtlIpv4StringToAddressW, RtlIpv4StringToAddressExA, RtlIpv4StringToAddressExW, RtlIpv4AddressToStringA, RtlIpv4AddressToStringW, RtlIpv4AddressToStringExA, RtlIpv4AddressToStringExW, RtlIpv6StringToAddressA, RtlIpv6StringToAddressW, RtlIpv6StringToAddressExA, RtlIpv6StringToAddressExW, RtlIpv6AddressToStringA, RtlIpv6AddressToStringW, RtlIpv6AddressToStringExA, RtlIpv6AddressToStringExW, RtlInitializeGenericTableAvl, RtlIsGenericTableEmptyAvl, RtlGetElementGenericTableAvl, RtlNumberGenericTableElementsAvl, RtlInsertElementGenericTableAvl, RtlDeleteElementGenericTableAvl, RtlEnumerateGenericTableLikeADirectory, RtlLookupElementGenericTableAvl, RtlEnumerateGenericTableWithoutSplayingAvl, RtlEnumerateGenericTableAvl, RtlEncodePointer (not a stub -- it's the real functionality and depends on changes to ntoskrnl.exe, etc.), RtlDecodePointer (not a stub -- it's the real functionality and depends on changes to ntoskrnl.exe, etc.), RtlInterlockedPushEntrySList, RtlInterlockedPopEntrySList, RtlInterlockedFlushSList, RtlQueryDepthSList, RtlInitializeSListHead, LdrLockLoaderLock, LdrUnlockLoaderLock, LdrAddRefDll, RtlComputePrivatizedDllName_U, RtlValidateUnicodeString, RtlDuplicateUnicodeString, RtlDowncaseUnicodeChar, RtlFindCharInUnicodeString, RtlpEnsureBufferSize, RtlMultiAppendUnicodeStringBuffer, RtlAppendPathElement, LdrEnumerateLoadedModules, RtlRandomEx, RtlUnhandledExceptionFilter2, RtlUnhandledExceptionFilter, RtlAddVectoredExceptionHandler (also involved updating LdrpInitializeProcess and RtlDispatchException and adding internal function RtlCallVectoredExceptionHandlers), RtlRemoveAddVectoredExceptionHandler (also involved updating LdrpInitializeProcess and RtlDispatchException and adding internal function RtlCallVectoredExceptionHandlers), RtlGetNtVersionNumbers, DbgPrintEx (Fixed version), _vsnwprintf, _lfind, _aulldvrm, _alldvrm, RtlpNotOwnerCriticalSection, RtlpApplyLengthFunction, RtlCopyOutOfProcessMemoryStreamTo, RtlLockMemoryStreamRegion, RtlUnlockMemoryStreamRegion, RtlNtPathNameToDosPathName, RtlGetLengthWithoutLastFullDosOrNtPathElement, RtlCreateBootStatusDataFile, RtlComputeCrc32, RtlCaptureContext, RtlLockBootStatusData, RtlUnlockBootStatusData, RtlGetSetBootStatusData, RtlNtStatusToDosErrorNoTeb (already there, only had to add it to the export table), RtlAddMemoryStream, RtlReleaseMemoryStream, RtlQueryInterfaceMemoryStream, RtlReadOutOfProcessMemoryStream, RtlRevertMemoryStream, RtlCloneMemoryStream, RtlCommitMemoryStream, RtlSetMemoryStreamSize, RtlWriteMemoryStream, RtlSeekMemoryStream, RtlCopyMemoryStreamTo, RtlReadMemoryStream, RtlStatMemoryStream, RtlInitMemoryStream, RtlFinalReleaseOutOfProcessMemoryStream, RtlInitOutOfProcessMemoryStream, RtlSetLastWin32ErrorAndNtStatusFromNtStatus, RtlSetLastWin32Error/RtlRestoreLastWin32Error (same routine, exported under two different names)

     bootvid.dll: VidSetVgaPalette (used by the bootskin code)

     kernel32.dll: DecodePointer (forwarded export to NTDLL.RtlDecodePointer), EncodePointer (forwarded export to NTDLL.RtlEncodePointer), InterlockedPushEntrySList (forwarded export to NTDLL.RtlInterlockedPushEntrySList), InterlockedPopEntrySList (forwarded export to NTDLL.RtlInterlockedPopEntrySList), InterlockedFlushSList (forwarded export to NTDLL.RtlInterlockedFlushSList), QueryDepthSList (forwarded export to NTDLL.RtlQueryDepthSList), InitializeSListHead (forwarded export to NTDLL.RtlInitializeSListHead), GetModuleHandleExA, GetModuleHandleExW, IsWow64Process, IsWow64Message, GetProcessHandleCount, GetNativeSystemInfo (same as GetSystemInfo, simply added another export table entry), SetDllDirectoryA, SetDllDirectoryW, GetDllDirectoryA, GetDllDirectoryW, AttachConsole, TzSpecificLocalTimeToSystemTime, SetClientTimeZoneInformation, IsValidUILanguage, GetSystemWow64DirectoryA, GetSystemWow64DirectoryW, SetHandleContext, GetProcessId, GetSystemTimes, CreateMemoryResourceNotification, QueryMemoryResourceNotification, AddVectoredExceptionHandler (forwarded export to NTDLL.RtlAddVectoredExceptionHandler), RemoveVectoredExceptionHandler (forwarded export to NTDLL.RtlRemoveAddVectoredExceptionHandler), RtlCaptureStackBackTrace, SetThreadUILanguage, LZStart, GetExpandedNameA, GetExpandedNameW, LZInit, LZDone, LZCreateFileW, LZOpenFileA, LZOpenFileW, LZSeek, LZRead, LZClose, LZCloseFile, LZCopy, CopyLZFile, GetVolumePathNamesForVolumeNameW, GetVolumePathNamesForVolumeNameA, GetHandleContext, GetCPFileNameFromRegistry, EnumerateLocalComputerNamesW, EnumerateLocalComputerNamesA, CreateSocketHandle, CreateNlsSecurityDescriptor, AddLocalAlternateComputerNameW, AddLocalAlternateComputerNameA, RemoveLocalAlternateComputerNameW, RemoveLocalAlternateComputerNameA, SetLocalPrimaryComputerNameW, SetLocalPrimaryComputerNameA, RtlCaptureContext
  14. I couldn't find any other obvious problems aside from the ones above so I've posted MS11-020 V5. Hopefully it will help...it's working for me, at least, though I'm not running ZoneAlarm. Also, I added exports for the following functions: IcmpCreateFile IcmpCloseHandle IcmpSendEcho IcmpSendEcho2 IcmpParseReplies do_echo_rep do_echo_req register_icmp Win2k is a bit different from XP in that all of this functionality is in a separate icmp.dll instead of in iphlpapi.dll, so the exports above are just forwarded exports to the routines in icmp.dll. It shouldn't make any difference to applications since the PE loader automatically resolves forwarded exports.
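The forwarded-export mechanism relied on here (kernel32 entries forwarded to ntdll, iphlpapi entries forwarded to icmp.dll) is recognisable from the export directory alone, which is why it is transparent to applications: the loader resolves the forwarder at import time and the caller never sees the redirection. The following is an added example, not WildBill's PE Tool: a PE32 export walker run over a constructed in-memory DLL image whose DLL name, export names, RVAs and forwarder strings are made up for the demonstration. The image uses one section mapped so that RVA equals file offset, but the section-table translation still runs, so the same walker applies to a DLL read from disk.

```c
/* Minimal PE32 export-directory walker that tells forwarded exports from ordinary ones.
 * Constructed example, not WildBill's PE Tool. Field offsets are those of the documented
 * IMAGE_NT_HEADERS32 / IMAGE_SECTION_HEADER / IMAGE_EXPORT_DIRECTORY layouts. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define IMG_SIZE 0x300

static uint16_t rd16(const uint8_t *b, uint32_t o) { return (uint16_t)(b[o] | (b[o + 1] << 8)); }
static uint32_t rd32(const uint8_t *b, uint32_t o) { return rd16(b, o) | ((uint32_t)rd16(b, o + 2) << 16); }
static void wr16(uint8_t *b, uint32_t o, uint16_t v) { b[o] = (uint8_t)v; b[o + 1] = (uint8_t)(v >> 8); }
static void wr32(uint8_t *b, uint32_t o, uint32_t v) { wr16(b, o, (uint16_t)v); wr16(b, o + 2, (uint16_t)(v >> 16)); }

typedef struct { char name[32]; uint32_t rva; int forwarded; char target[48]; } export_t;

/* RVA -> file offset through the section table; fails closed on anything outside the image. */
static int rva_to_off(const uint8_t *img, uint32_t rva, uint32_t *off) {
    uint32_t pe = rd32(img, 0x3C), sh = pe + 24 + rd16(img, pe + 20);
    for (uint16_t i = 0, n = rd16(img, pe + 6); i < n; i++, sh += 40) {
        uint32_t va = rd32(img, sh + 12), vsz = rd32(img, sh + 8), raw = rd32(img, sh + 20);
        if (rva >= va && rva < va + vsz && raw + (rva - va) < IMG_SIZE) { *off = raw + (rva - va); return 1; }
    }
    return 0;
}

/* Walk the named exports. The loader's rule: an export whose RVA points back inside the
 * export directory is not code but a "DLL.Symbol" forwarder string, which the loader
 * resolves by loading that DLL and importing the symbol from it, transparently to callers. */
static int list_exports(const uint8_t *img, export_t *out, int max) {
    uint32_t pe = rd32(img, 0x3C), dir_rva = rd32(img, pe + 24 + 96), dir_size = rd32(img, pe + 24 + 100);
    uint32_t dir, funcs, names, ords;
    if (!rva_to_off(img, dir_rva, &dir)) return -1;
    uint32_t nfuncs = rd32(img, dir + 20), nnames = rd32(img, dir + 24);
    if (!rva_to_off(img, rd32(img, dir + 28), &funcs) || !rva_to_off(img, rd32(img, dir + 32), &names) ||
        !rva_to_off(img, rd32(img, dir + 36), &ords)) return -1;
    int n = 0;
    for (uint32_t i = 0; i < nnames && n < max; i++) {
        uint32_t name_off, tgt_off, ord = rd16(img, ords + 2 * i);
        if (ord >= nfuncs || !rva_to_off(img, rd32(img, names + 4 * i), &name_off)) return -1;
        export_t *e = &out[n++];
        e->rva = rd32(img, funcs + 4 * ord);
        e->forwarded = 0; e->target[0] = 0;
        snprintf(e->name, sizeof e->name, "%.*s", (int)(IMG_SIZE - name_off), (const char *)img + name_off);
        if (e->rva >= dir_rva && e->rva < dir_rva + dir_size) {
            if (!rva_to_off(img, e->rva, &tgt_off)) return -1;
            e->forwarded = 1;
            snprintf(e->target, sizeof e->target, "%.*s", (int)(IMG_SIZE - tgt_off), (const char *)img + tgt_off);
        }
    }
    return n;
}

/* Constructed DLL image: one section mapped so that RVA == file offset, three named exports.
 * Two are forwarders in the style the patches use (DecodePointer -> NTDLL.RtlDecodePointer,
 * IcmpSendEcho -> icmp.IcmpSendEcho), one is ordinary code at RVA 0x1000. */
static void build_image(uint8_t *img) {
    memset(img, 0, IMG_SIZE);
    memcpy(img, "MZ", 2); wr32(img, 0x3C, 0x40); memcpy(img + 0x40, "PE\0\0", 4);
    wr16(img, 0x44, 0x14C); wr16(img, 0x46, 1); wr16(img, 0x54, 224); wr16(img, 0x56, 0x2102);
    wr16(img, 0x58, 0x10B); wr32(img, 0xB4, 16);
    wr32(img, 0xB8, 0x200); wr32(img, 0xBC, 0xB0);                               /* export data directory */
    memcpy(img + 0x138, ".edata", 6);                                            /* section header */
    wr32(img, 0x140, 0x100); wr32(img, 0x144, 0x200); wr32(img, 0x148, 0x100); wr32(img, 0x14C, 0x200);
    wr32(img, 0x20C, 0x248); wr32(img, 0x210, 1);                                /* IMAGE_EXPORT_DIRECTORY */
    wr32(img, 0x214, 3); wr32(img, 0x218, 3);
    wr32(img, 0x21C, 0x228); wr32(img, 0x220, 0x234); wr32(img, 0x224, 0x240);
    wr32(img, 0x228, 0x27C); wr32(img, 0x22C, 0x294); wr32(img, 0x230, 0x1000);  /* AddressOfFunctions */
    wr32(img, 0x234, 0x254); wr32(img, 0x238, 0x262); wr32(img, 0x23C, 0x270);   /* AddressOfNames */
    wr16(img, 0x240, 0); wr16(img, 0x242, 1); wr16(img, 0x244, 2);               /* AddressOfNameOrdinals */
    strcpy((char *)img + 0x248, "example.dll");
    strcpy((char *)img + 0x254, "DecodePointer");
    strcpy((char *)img + 0x262, "IcmpSendEcho");
    strcpy((char *)img + 0x270, "LocalThing");
    strcpy((char *)img + 0x27C, "NTDLL.RtlDecodePointer");
    strcpy((char *)img + 0x294, "icmp.IcmpSendEcho");
}

static int scan_constructed_image(export_t *out, int max) {
    uint8_t img[IMG_SIZE];
    build_image(img);
    return list_exports(img, out, max);
}

int main(void) {
    export_t ex[8];
    int n = scan_constructed_image(ex, 8);
    for (int i = 0; i < n; i++)
        if (ex[i].forwarded) printf("%-16s forwarded -> %s\n", ex[i].name, ex[i].target);
        else                 printf("%-16s code at RVA 0x%04x\n", ex[i].name, ex[i].rva);
    return n < 0;
}
```

The forwarder test is the range check against the export directory's own RVA and size: that is the only thing that distinguishes "icmp.IcmpSendEcho" from a pointer to code, so a tool that patches exports into a DLL must keep the forwarder strings inside the directory's declared size or the loader will try to execute them as code.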
  15. Thanks. It looks like something is giving it an invalid pointer on an IOCTL_TCP_QUERY_INFORMATION_EX request. Hopefully it will be simple to find. Edit: so far I've found one definite bug in iphlpapi.dll (missing reloc) and potentially some thread-safety issues in it (XP forces device queries to be thread-safe whereas 2k does not). I want to check out the other files before I post an update. I'm going to be going out to dinner in a little bit so the update might not be until late tonight. I've also found a missing reloc in srvsvc.dll (this new version of the PE Tool makes those much easier to find).
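The "missing reloc" mentioned above is a relocation-table defect that only bites when the loader cannot map the DLL at its preferred base, which is why it shows up on some machines and not others. The following is an added example, not WildBill's PE Tool (whose method the thread does not describe): a parser for IMAGE_BASE_RELOCATION blocks and an audit of a constructed .reloc directory against a constructed list of absolute-operand RVAs, reporting the operand that has no fixup. Both the relocation bytes and the operand RVAs are made up for the demonstration.

```c
/* Base-relocation audit for a 32-bit image, as a constructed example (not WildBill's PE
 * Tool). It parses IMAGE_BASE_RELOCATION blocks and compares them with the RVAs of
 * absolute 32-bit operands that a disassembly pass is assumed to have collected,
 * reporting every operand that has no fixup entry. */
#include <stdint.h>
#include <stdio.h>

#define IMAGE_REL_BASED_ABSOLUTE 0   /* padding entry, ignored by the loader */
#define IMAGE_REL_BASED_HIGHLOW  3   /* add the 32-bit load delta to the dword at this RVA */

static uint16_t rd16(const uint8_t *b, uint32_t o) { return (uint16_t)(b[o] | (b[o + 1] << 8)); }
static uint32_t rd32(const uint8_t *b, uint32_t o) { return rd16(b, o) | ((uint32_t)rd16(b, o + 2) << 16); }

/* Walk every block: { PageRVA, SizeOfBlock, WORD entries[] } with the type in the top 4 bits
 * and the page offset in the low 12. Returns the number of HIGHLOW fixup RVAs written to out,
 * or -1 for a malformed directory (bad block size, unknown type, or more than max entries). */
static int parse_relocs(const uint8_t *dir, uint32_t size, uint32_t *out, int max) {
    int n = 0;
    for (uint32_t off = 0; off + 8 <= size; ) {
        uint32_t page = rd32(dir, off), blk = rd32(dir, off + 4);
        if (blk < 8 || blk > size - off) return -1;          /* truncated or runaway block */
        for (uint32_t e = 8; e + 2 <= blk; e += 2) {
            uint16_t v = rd16(dir, off + e);
            if ((v >> 12) == IMAGE_REL_BASED_ABSOLUTE) continue;
            if ((v >> 12) != IMAGE_REL_BASED_HIGHLOW || n >= max) return -1;
            out[n++] = page + (v & 0xFFF);
        }
        off += blk;
    }
    return n;
}

/* Operands are the RVAs of absolute addresses embedded in code. One without a fixup is
 * the "missing reloc" bug: harmless while the DLL loads at its preferred base, a stale
 * pointer as soon as the loader has to rebase it. */
static int find_missing(const uint32_t *ops, int nops, const uint32_t *fix, int nfix, uint32_t *missing, int max) {
    int n = 0;
    for (int i = 0; i < nops; i++) {
        int found = 0;
        for (int j = 0; j < nfix && !found; j++) found = (fix[j] == ops[i]);
        if (!found) { if (n >= max) return -1; missing[n++] = ops[i]; }
    }
    return n;
}

/* Constructed .reloc directory: two blocks, little-endian, each ending in an ABSOLUTE pad. */
static const uint8_t reloc_dir[] = {
    0x00,0x10,0x00,0x00, 0x10,0x00,0x00,0x00, 0x04,0x30, 0x10,0x30, 0x1C,0x30, 0x00,0x00, /* page 0x1000 */
    0x00,0x20,0x00,0x00, 0x0C,0x00,0x00,0x00, 0x20,0x30, 0x00,0x00,                       /* page 0x2000 */
};
/* Constructed operand list: where the (hypothetical) code holds absolute 32-bit addresses. */
static const uint32_t code_operands[] = { 0x1004, 0x1010, 0x2008, 0x2020, 0x101C };

static int audit_constructed(uint32_t *missing, int max) {
    uint32_t fix[16];
    int nfix = parse_relocs(reloc_dir, sizeof reloc_dir, fix, 16);
    if (nfix < 0) return -1;
    return find_missing(code_operands, (int)(sizeof code_operands / sizeof code_operands[0]),
                        fix, nfix, missing, max);
}

int main(void) {
    uint32_t missing[8];
    int n = audit_constructed(missing, 8);
    for (int i = 0; i < n; i++) printf("absolute operand at RVA 0x%04x has no base relocation\n", missing[i]);
    return n != 0;
}
```

The parser refuses a block whose SizeOfBlock runs past the directory rather than clamping it, because a tool that rewrites .reloc after inserting code has to get SizeOfBlock right for every page it touches; a silently truncated walk would hide exactly the kind of mistake the audit is meant to catch.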
  16. I'd need to get my hands on vsdatant.sys to try to see what's going on...I could put it in IDA Pro and see what that instruction is doing. I assume it runs normally without the patch installed?
  17. Strange. As far as I know, the patch doesn't do anything with resources. I took a pass through kernel32, ntdll, and ntoskrnl to see if I could spot any Unicode strings that weren't being freed, but so far everything looks okay. Are you seeing high memory usage for certain apps after a long time? Are you seeing it on both UP and MP processors? I'd probably need a lot more info before I'd know where to look, much less know that the patch itself is causing it. I have it installed here, so I'll keep an eye out for memory leaks, but to date I've had no problems.
  18. MS11-020 V4 is posted, and hopefully it will fix the kerberos bug. I also managed to squeeze SystemFunction036 into advapi32 (it's a super-duper random number generator and Firefox 8 will use it if it detects it).
  19. That was exactly what I needed: the first four dwords are 0xC0000005 (access violation), 0, 0 (null address accessed), 0x782B15DC (address where it was caused). The problem was obvious once I looked at it (actually, there were 2 occurrences of the problem). I'll post an update later today.
  20. Can you post the info from the event? If it has the address where it happened I could try to hunt it down.
  21. I posted MS11-011 V6, which includes the KB915985 hotfix as well as the fix in blackwingcat's v2, with one exception: the HBR also has a change to RtlCallQueryRegistryRoutine that the hotfix doesn't mention, but my patch completely replaces it (and routines that call it) with the version from XPSP3. If it winds up being changed in XP then I can change it as well, but I figure the best thing to do is to leave RtlCallQueryRegistryRoutine alone. The ntdll version is 5.0.2195.7082, which should make slipstreaming happy. I also found a couple more routines that could go into ntdll, so here's the new additions list:

     ntoskrnl.exe/ntkrnlpa.exe/ntkrnlmp.exe/ntkrpamp.exe: KeAcquireInterruptSpinLock, KeReleaseInterruptSpinLock, InterlockedPushEntrySList, InterlockedPopEntrySList, RtlInt64ToUnicodeString, RtlIntegerToUnicode, RtlClearBit, RtlTestBit, RtlSetBit, ZwQueryInformationThread (already there, added it to the export table), IoForwardIrpSynchronously/IoForwardAndCatchIrp (same routine, has two different exported names), PsRemoveLoadImageNotifyRoutine (had to completely redesign the set and call routines to make this work), PsRemoveCreateThreadNotifyRoutine (had to completely redesign the set and call routines to make this work), _vsnwprintf, _aulldvrm, RtlGetVersion, KeFlushQueuedDpcs

     ntdll.dll: RtlIpv4StringToAddressA, RtlIpv4StringToAddressW, RtlIpv4StringToAddressExA, RtlIpv4StringToAddressExW, RtlIpv4AddressToStringA, RtlIpv4AddressToStringW, RtlIpv4AddressToStringExA, RtlIpv4AddressToStringExW, RtlIpv6StringToAddressA, RtlIpv6StringToAddressW, RtlIpv6StringToAddressExA, RtlIpv6StringToAddressExW, RtlIpv6AddressToStringA, RtlIpv6AddressToStringW, RtlIpv6AddressToStringExA, RtlIpv6AddressToStringExW, RtlInitializeGenericTableAvl, RtlIsGenericTableEmptyAvl, RtlGetElementGenericTableAvl, RtlNumberGenericTableElementsAvl, RtlInsertElementGenericTableAvl, RtlDeleteElementGenericTableAvl, RtlEnumerateGenericTableLikeADirectory, RtlLookupElementGenericTableAvl, RtlEnumerateGenericTableWithoutSplayingAvl, RtlEnumerateGenericTableAvl, RtlEncodePointer (not a stub -- it's the real functionality and depends on changes to ntoskrnl.exe, etc.), RtlDecodePointer (not a stub -- it's the real functionality and depends on changes to ntoskrnl.exe, etc.), RtlInterlockedPushEntrySList, RtlInterlockedPopEntrySList, RtlInterlockedFlushSList, RtlQueryDepthSList, RtlInitializeSListHead, LdrLockLoaderLock, LdrUnlockLoaderLock, LdrAddRefDll, RtlComputePrivatizedDllName_U, RtlValidateUnicodeString, RtlDuplicateUnicodeString, RtlDowncaseUnicodeChar, RtlFindCharInUnicodeString, RtlpEnsureBufferSize, RtlMultiAppendUnicodeStringBuffer, RtlAppendPathElement, LdrEnumerateLoadedModules, RtlRandomEx, RtlUnhandledExceptionFilter2, RtlUnhandledExceptionFilter, RtlAddVectoredExceptionHandler (also involved updating LdrpInitializeProcess and RtlDispatchException and adding internal function RtlCallVectoredExceptionHandlers), RtlRemoveAddVectoredExceptionHandler (also involved updating LdrpInitializeProcess and RtlDispatchException and adding internal function RtlCallVectoredExceptionHandlers), RtlGetNtVersionNumbers, DbgPrintEx (Win2k doesn't support the extra features in this so the call strips out the extra parameters and routes it to DbgPrint), _vsnwprintf, _lfind, _aulldvrm, _alldvrm, RtlpNotOwnerCriticalSection, RtlpApplyLengthFunction, RtlCopyOutOfProcessMemoryStreamTo, RtlLockMemoryStreamRegion, RtlUnlockMemoryStreamRegion, RtlNtPathNameToDosPathName, RtlGetLengthWithoutLastFullDosOrNtPathElement, RtlCreateBootStatusDataFile, RtlComputeCrc32, RtlCaptureContext, RtlLockBootStatusData, RtlUnlockBootStatusData, RtlGetSetBootStatusData, RtlNtStatusToDosErrorNoTeb (already there, only had to add it to the export table), RtlAddMemoryStream, RtlReleaseMemoryStream, RtlQueryInterfaceMemoryStream, RtlReadOutOfProcessMemoryStream, RtlRevertMemoryStream, RtlCloneMemoryStream, RtlCommitMemoryStream, RtlSetMemoryStreamSize, RtlWriteMemoryStream, RtlSeekMemoryStream, RtlCopyMemoryStreamTo, RtlReadMemoryStream, RtlStatMemoryStream, RtlInitMemoryStream, RtlFinalReleaseOutOfProcessMemoryStream, RtlInitOutOfProcessMemoryStream, RtlSetLastWin32ErrorAndNtStatusFromNtStatus, RtlSetLastWin32Error/RtlRestoreLastWin32Error (same routine, exported under two different names)

     bootvid.dll: VidSetVgaPalette (used by the bootskin code)

     kernel32.dll: DecodePointer (forwarded export to NTDLL.RtlDecodePointer), EncodePointer (forwarded export to NTDLL.RtlEncodePointer), InterlockedPushEntrySList (forwarded export to NTDLL.RtlInterlockedPushEntrySList), InterlockedPopEntrySList (forwarded export to NTDLL.RtlInterlockedPopEntrySList), InterlockedFlushSList (forwarded export to NTDLL.RtlInterlockedFlushSList), QueryDepthSList (forwarded export to NTDLL.RtlQueryDepthSList), InitializeSListHead (forwarded export to NTDLL.RtlInitializeSListHead), GetModuleHandleExA, GetModuleHandleExW, IsWow64Process, IsWow64Message, GetProcessHandleCount, GetNativeSystemInfo (same as GetSystemInfo, simply added another export table entry), SetDllDirectoryA, SetDllDirectoryW, GetDllDirectoryA, GetDllDirectoryW, AttachConsole, TzSpecificLocalTimeToSystemTime, SetClientTimeZoneInformation, IsValidUILanguage, GetSystemWow64DirectoryA, GetSystemWow64DirectoryW, SetHandleContext, GetProcessId, GetSystemTimes, CreateMemoryResourceNotification, QueryMemoryResourceNotification, AddVectoredExceptionHandler (forwarded export to NTDLL.RtlAddVectoredExceptionHandler), RemoveVectoredExceptionHandler (forwarded export to NTDLL.RtlRemoveAddVectoredExceptionHandler), RtlCaptureStackBackTrace, SetThreadUILanguage, LZStart, GetExpandedNameA, GetExpandedNameW, LZInit, LZDone, LZCreateFileW, LZOpenFileA, LZOpenFileW, LZSeek, LZRead, LZClose, LZCloseFile, LZCopy, CopyLZFile, GetVolumePathNamesForVolumeNameW, GetVolumePathNamesForVolumeNameA, GetHandleContext, GetCPFileNameFromRegistry, EnumerateLocalComputerNamesW, EnumerateLocalComputerNamesA, CreateSocketHandle, CreateNlsSecurityDescriptor, AddLocalAlternateComputerNameW, AddLocalAlternateComputerNameA, RemoveLocalAlternateComputerNameW, RemoveLocalAlternateComputerNameA, SetLocalPrimaryComputerNameW, SetLocalPrimaryComputerNameA
  22. I'm taking a look at KB915985 and I'll see if I can push out a V6 with a higher version number. It looks like the changes in the HBR are pretty simple.
  23. When you first install KB2479628, it's important to rebuild your icon cache (such as with TweakUI). I guess changing the color depth or resolution would do the same thing. I wish I knew how to get the installer to do it automatically. Any suggestions regarding V5? I guess I can bump up the version if/when I release a V6.
  24. Hmm. That doesn't make any sense...I checked ntdll and the routine is there and it's in the export table. I also downloaded the patch and it matches what I uploaded. Did you install it normally or slipstream it? I'm not able to test slipstreaming, but I'm typing this on a laptop with V5 installed. I tested the patch on both a uniprocessor and a multiprocessor installation. The ntdll you should have after installing the patch is version 5.0.2195.7010, 531,728 bytes, MD5 hash AB3331B195F0430945E0BADDA30112A3.
  25. MS11-011 V5 is now posted, and it includes just about everything I could add to kernel32 and ntdll without major pain in the process. The complete list of additions is now:

     ntoskrnl.exe/ntkrnlpa.exe/ntkrnlmp.exe/ntkrpamp.exe: KeAcquireInterruptSpinLock, KeReleaseInterruptSpinLock, InterlockedPushEntrySList, InterlockedPopEntrySList, RtlInt64ToUnicodeString, RtlIntegerToUnicode, RtlClearBit, RtlTestBit, RtlSetBit, ZwQueryInformationThread (already there, added it to the export table), IoForwardIrpSynchronously/IoForwardAndCatchIrp (same routine, has two different exported names), PsRemoveLoadImageNotifyRoutine (had to completely redesign the set and call routines to make this work), PsRemoveCreateThreadNotifyRoutine (had to completely redesign the set and call routines to make this work), _vsnwprintf, _aulldvrm, RtlGetVersion, KeFlushQueuedDpcs

     ntdll.dll: RtlIpv4StringToAddressA, RtlIpv4StringToAddressW, RtlIpv4StringToAddressExA, RtlIpv4StringToAddressExW, RtlIpv4AddressToStringA, RtlIpv4AddressToStringW, RtlIpv4AddressToStringExA, RtlIpv4AddressToStringExW, RtlIpv6StringToAddressA, RtlIpv6StringToAddressW, RtlIpv6StringToAddressExA, RtlIpv6StringToAddressExW, RtlIpv6AddressToStringA, RtlIpv6AddressToStringW, RtlIpv6AddressToStringExA, RtlIpv6AddressToStringExW, RtlInitializeGenericTableAvl, RtlIsGenericTableEmptyAvl, RtlGetElementGenericTableAvl, RtlNumberGenericTableElementsAvl, RtlInsertElementGenericTableAvl, RtlDeleteElementGenericTableAvl, RtlEnumerateGenericTableLikeADirectory, RtlLookupElementGenericTableAvl, RtlEnumerateGenericTableWithoutSplayingAvl, RtlEnumerateGenericTableAvl, RtlEncodePointer (not a stub -- it's the real functionality and depends on changes to ntoskrnl.exe, etc.), RtlDecodePointer (not a stub -- it's the real functionality and depends on changes to ntoskrnl.exe, etc.), RtlInterlockedPushEntrySList, RtlInterlockedPopEntrySList, RtlInterlockedFlushSList, RtlQueryDepthSList, RtlInitializeSListHead, LdrLockLoaderLock, LdrUnlockLoaderLock, LdrAddRefDll, RtlComputePrivatizedDllName_U, RtlValidateUnicodeString, RtlDuplicateUnicodeString, RtlDowncaseUnicodeChar, RtlFindCharInUnicodeString, RtlpEnsureBufferSize, RtlMultiAppendUnicodeStringBuffer, RtlAppendPathElement, LdrEnumerateLoadedModules, RtlRandomEx, RtlUnhandledExceptionFilter2, RtlUnhandledExceptionFilter, RtlAddVectoredExceptionHandler (also involved updating LdrpInitializeProcess and RtlDispatchException and adding internal function RtlCallVectoredExceptionHandlers), RtlRemoveAddVectoredExceptionHandler (also involved updating LdrpInitializeProcess and RtlDispatchException and adding internal function RtlCallVectoredExceptionHandlers), RtlGetNtVersionNumbers, DbgPrintEx (Win2k doesn't support the extra features in this so the call strips out the extra parameters and routes it to DbgPrint), _vsnwprintf, _lfind, _aulldvrm, _alldvrm, RtlpNotOwnerCriticalSection, RtlpApplyLengthFunction, RtlCopyOutOfProcessMemoryStreamTo, RtlLockMemoryStreamRegion, RtlUnlockMemoryStreamRegion, RtlNtPathNameToDosPathName, RtlGetLengthWithoutLastFullDosOrNtPathElement, RtlCreateBootStatusDataFile, RtlComputeCrc32, RtlCaptureContext, RtlLockBootStatusData, RtlUnlockBootStatusData, RtlGetSetBootStatusData, RtlNtStatusToDosErrorNoTeb (already there, only had to add it to the export table), RtlAddMemoryStream, RtlReleaseMemoryStream, RtlQueryInterfaceMemoryStream, RtlReadOutOfProcessMemoryStream, RtlRevertMemoryStream, RtlCloneMemoryStream, RtlCommitMemoryStream, RtlSetMemoryStreamSize, RtlWriteMemoryStream, RtlSeekMemoryStream, RtlCopyMemoryStreamTo, RtlReadMemoryStream, RtlStatMemoryStream, RtlInitMemoryStream, RtlFinalReleaseOutOfProcessMemoryStream, RtlInitOutOfProcessMemoryStream

     bootvid.dll: VidSetVgaPalette (used by the bootskin code)

     kernel32.dll: DecodePointer (forwarded export to NTDLL.RtlDecodePointer), EncodePointer (forwarded export to NTDLL.RtlEncodePointer), InterlockedPushEntrySList (forwarded export to NTDLL.RtlInterlockedPushEntrySList), InterlockedPopEntrySList (forwarded export to NTDLL.RtlInterlockedPopEntrySList), InterlockedFlushSList (forwarded export to NTDLL.RtlInterlockedFlushSList), QueryDepthSList (forwarded export to NTDLL.RtlQueryDepthSList), InitializeSListHead (forwarded export to NTDLL.RtlInitializeSListHead), GetModuleHandleExA, GetModuleHandleExW, IsWow64Process, IsWow64Message, GetProcessHandleCount, GetNativeSystemInfo (same as GetSystemInfo, simply added another export table entry), SetDllDirectoryA, SetDllDirectoryW, GetDllDirectoryA, GetDllDirectoryW, AttachConsole, TzSpecificLocalTimeToSystemTime, SetClientTimeZoneInformation, IsValidUILanguage, GetSystemWow64DirectoryA, GetSystemWow64DirectoryW, SetHandleContext, GetProcessId, GetSystemTimes, CreateMemoryResourceNotification, QueryMemoryResourceNotification, AddVectoredExceptionHandler (forwarded export to NTDLL.RtlAddVectoredExceptionHandler), RemoveVectoredExceptionHandler (forwarded export to NTDLL.RtlRemoveAddVectoredExceptionHandler), RtlCaptureStackBackTrace, SetThreadUILanguage, LZStart, GetExpandedNameA, GetExpandedNameW, LZInit, LZDone, LZCreateFileW, LZOpenFileA, LZOpenFileW, LZSeek, LZRead, LZClose, LZCloseFile, LZCopy, CopyLZFile, GetVolumePathNamesForVolumeNameW, GetVolumePathNamesForVolumeNameA, GetHandleContext, GetCPFileNameFromRegistry, EnumerateLocalComputerNamesW, EnumerateLocalComputerNamesA, CreateSocketHandle, CreateNlsSecurityDescriptor, AddLocalAlternateComputerNameW, AddLocalAlternateComputerNameA, RemoveLocalAlternateComputerNameW, RemoveLocalAlternateComputerNameA, SetLocalPrimaryComputerNameW, SetLocalPrimaryComputerNameA