UxTheme Signature Bypass


bigmuscle


1 minute ago, CKyHC said:

Can the folder C:\Program Files\AeroGlass cause this problem? When I have time I will try changing the folder to C:\AeroGlass. But it's very doubtful...

The owner of C:\Program Files\AeroGlass is my account, which has administrator permissions. The SYSTEM account has full rights. What additional permissions must the folder have to work properly?

You're right, it shouldn't cause problems, I tried. Even having two aerohost instances doesn't cause an injection problem on my end either.



It seems that when there are permission issues, only these entries appear in the logs:

[2017-01-25 02:59:38][0x2024:0x3E8] Installing DWM hook...
[2017-01-25 02:59:38][0x2024:0x3E8] User: SYSTEM
[2017-01-25 02:59:38][0x2024:0x3E8] Module: C:\AeroGlass\DWMGlass.dll

There is a convention that applications shouldn't write to their own directory, and this restriction on Program Files has been enforced by default at least since Windows XP, though a lot of people probably used an admin account for everything. Before UAC existed, admin accounts got full access to the Program Files directory automatically.

So the worst that can probably happen is that Aero Glass can't write its logs. There is a catch: DWM doesn't run under the SYSTEM account, so once DWMGlass.dll is injected, it does everything under DWM's account. And there is some magic in there that lets it access user-specific settings in the registry.


On my home computer with an SSD, AeroGlass is installed in Program Files too.

The normal log is:

[2017-03-02 22:38:31][0x5AC:0x5B0] Installing DWM hook...
[2017-03-02 22:38:32][0x5AC:0x5B0] User: СИСТЕМА
[2017-03-02 22:38:32][0x5AC:0x5B0] Module: C:\Program Files\AeroGlass\DWMGlass.dll
[2017-03-02 22:38:33][0x5AC:0x5B0] C:\Program Files\AeroGlass\UxTSB.dll has been injected into winlogon.exe.

On the other two computers there is an error injecting UxTSB.dll. And I don't know why...

Edited by CKyHC

Hmmm, it's interesting... On my home computer, the permissions on the AeroGlass folder include "Window Manager Group" with full rights.... But I don't know how to add this group to the security permissions...

Tried these variants:

LOCAL SERVICE\Window Manager Group

NT SERVICE\Window Manager Group

How do I find and add this user?

On my home notebook I'm scared to try copying the folder from my main computer with its security rights. On the notebook, loading from my flash drive didn't work... Tomorrow I will try on my work computer...

Edited by CKyHC
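The account CKyHC is looking for lives in the "Window Manager" pseudo-domain, not under LOCAL SERVICE or NT SERVICE, and its well-known SID is S-1-5-90-0 (DWM's own per-session accounts, DWM-1 and so on, are members of it). The script below is an added example, not code from the thread or from Aero Glass: it resolves the group from its SID so the name works on a localized (e.g. Russian) Windows, shows the folder's current ACL, grants the group read/execute on the Aero Glass folder, and verifies the new ACE. The install path is assumed from the posts; run it from an elevated PowerShell. Note that UCyborg's later reply argues the winlogon.exe injection failure is not a permission problem, so treat this as a way to reproduce the home computer's ACL rather than as a fix.

```powershell
# Added example (not from the thread or from Aero Glass): grant "Window Manager Group"
# read/execute on the Aero Glass folder by resolving its well-known SID.
# Assumption: the install path below; run from an elevated PowerShell.
$Folder = 'C:\Program Files\AeroGlass'

# S-1-5-90-0 is the well-known SID of "Window Manager\Window Manager Group".
# Resolving the SID avoids guessing the domain part of the name, which is what
# "LOCAL SERVICE\..." and "NT SERVICE\..." got wrong.
$sid     = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-90-0'
$account = $sid.Translate([System.Security.Principal.NTAccount])
"Resolved $($sid.Value) -> $($account.Value)"

# Show what is on the folder before changing anything.
$acl = Get-Acl -Path $Folder
$acl.Access | Format-Table IdentityReference, FileSystemRights, InheritanceFlags, AccessControlType -AutoSize

# Build an Allow ACE for ReadAndExecute that is inherited by subfolders (CI) and files (OI).
# Read/execute is all a process needs to map a DLL from the folder; full control is not required.
$rule = [System.Security.AccessControl.FileSystemAccessRule]::new(
    $sid,
    [System.Security.AccessControl.FileSystemRights]::ReadAndExecute,
    ([System.Security.AccessControl.InheritanceFlags]::ContainerInherit -bor
     [System.Security.AccessControl.InheritanceFlags]::ObjectInherit),
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AccessControlType]::Allow)

$acl.AddAccessRule($rule)
Set-Acl -Path $Folder -AclObject $acl

# Verify that the ACE landed on the folder.
(Get-Acl -Path $Folder).Access |
    Where-Object { $_.IdentityReference.Value -eq $account.Value } |
    Format-List IdentityReference, FileSystemRights, InheritanceFlags, AccessControlType
```

The same grant as a one-liner, again by SID so it is locale-independent: icacls "C:\Program Files\AeroGlass" /grant "*S-1-5-90-0:(OI)(CI)RX". Either way, compare the result against the ACL exported from the home computer before concluding the two machines differ only in this entry.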

Copied the folder from my home computer to work... The folder rights now include Window Manager Group. But nothing changes... Logon is impossible...

I don't know why it happens... And what to do... And why on my home computer it happens only with a quick logon. And if slow, then all works fine...

Any other thoughts? Maybe you can't reproduce it because I use the Russian version of the system?

Edited by CKyHC

It fails at allocating memory in winlogon.exe's virtual address space to store the path of the DLL to load; it's not connected to the fact that you're using Russian Windows. File permissions also shouldn't have anything to do with it, otherwise it wouldn't work at all on your home system, not even when you slowly type the password.

I was wondering if there exists a general-purpose injector, but found nothing flexible enough for this task. It would be good to know if using some alternative produces any different results.


1 hour ago, UCyborg said:

It fails at allocating memory in winlogon.exe's virtual address space to store the path of the DLL to load; it's not connected to the fact that you're using Russian Windows. File permissions also shouldn't have anything to do with it, otherwise it wouldn't work at all on your home system, not even when you slowly type the password.

I was wondering if there exists a general-purpose injector, but found nothing flexible enough for this task. It would be good to know if using some alternative produces any different results.

Tomorrow I will try to use the UxStyle service. Just to see the difference...

Edited by CKyHC

Installed UxStyle 0.242. Works fine. But I noticed that UxStyle creates two services.

1st (ImagePath=C:\Windows\unsignedthemes.exe) :

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\UnsignedThemes]
"Type"=dword:00000010
"Start"=dword:00000002
"ErrorControl"=dword:00000000
"ImagePath"=hex(2):43,00,3a,00,5c,00,57,00,49,00,4e,00,44,00,4f,00,57,00,53,00,\
  5c,00,75,00,6e,00,73,00,69,00,67,00,6e,00,65,00,64,00,74,00,68,00,65,00,6d,\
  00,65,00,73,00,2e,00,65,00,78,00,65,00,00,00
"DisplayName"="Unsigned Themes"
"Group"="AudioGroup"
"ObjectName"="LocalSystem"
"Description"="Enables the use of unsigned third-party themes."

2nd (ImagePath=\??\C:\WINDOWS\system32\Drivers\elytsxu.sys) :

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\uxstyle]
"Type"=dword:00000001
"Start"=dword:00000002
"ErrorControl"=dword:00000001
"ImagePath"=hex(2):5c,00,3f,00,3f,00,5c,00,43,00,3a,00,5c,00,57,00,49,00,4e,00,\
  44,00,4f,00,57,00,53,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,\
  00,5c,00,44,00,72,00,69,00,76,00,65,00,72,00,73,00,5c,00,65,00,6c,00,79,00,\
  74,00,73,00,78,00,75,00,2e,00,73,00,79,00,73,00,00,00
"Group"="File System"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\uxstyle\Parameters]
"EnableLogging"=dword:00000000
"LogFile"=""

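The hex(2) values in a .reg export are REG_EXPAND_SZ strings stored as UTF-16LE bytes with a terminating NUL, which is why the path is unreadable in the dump above. The script below is an added example, not code from the thread or from UxStyle: it decodes the two ImagePath values exactly as they appear in the post, then audits the same two services on the live registry, translating the Type and Start DWORDs, stripping the \??\ NT-path prefix that kernel drivers use, and checking the Authenticode signature of each image file. The function names are mine; the service names, paths and values are the ones posted.

```powershell
# Added example (not from the thread or from UxStyle): decode .reg hex(2) values and
# audit the two services the post lists. Function names are assumptions of this example.

function ConvertFrom-RegHex2 {
    # hex(2) in a .reg file is REG_EXPAND_SZ: UTF-16LE bytes, comma separated,
    # wrapped with trailing backslashes, ending in a 00,00 terminator.
    param([Parameter(Mandatory)][string]$Hex)
    $clean = $Hex -replace '[\\\s]', ''                 # drop line-continuation backslashes and whitespace
    $bytes = $clean -split ',' | Where-Object { $_ } | ForEach-Object { [Convert]::ToByte($_, 16) }
    ([System.Text.Encoding]::Unicode.GetString($bytes)).TrimEnd([char]0)
}

# The two ImagePath values exactly as they appear in the post.
$unsignedThemesHex = '43,00,3a,00,5c,00,57,00,49,00,4e,00,44,00,4f,00,57,00,53,00,\' +
    '5c,00,75,00,6e,00,73,00,69,00,67,00,6e,00,65,00,64,00,74,00,68,00,65,00,6d,\' +
    '00,65,00,73,00,2e,00,65,00,78,00,65,00,00,00'
$uxstyleHex = '5c,00,3f,00,3f,00,5c,00,43,00,3a,00,5c,00,57,00,49,00,4e,00,\' +
    '44,00,4f,00,57,00,53,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,\' +
    '00,5c,00,44,00,72,00,69,00,76,00,65,00,72,00,73,00,5c,00,65,00,6c,00,79,00,\' +
    '74,00,73,00,78,00,75,00,2e,00,73,00,79,00,73,00,00,00'

ConvertFrom-RegHex2 $unsignedThemesHex   # C:\WINDOWS\unsignedthemes.exe
ConvertFrom-RegHex2 $uxstyleHex          # \??\C:\WINDOWS\system32\Drivers\elytsxu.sys

function Get-ServiceImageAudit {
    param([string[]]$Name = @('UnsignedThemes', 'uxstyle'))
    $typeNames  = @{ 1 = 'KernelDriver'; 2 = 'FileSystemDriver'; 16 = 'OwnProcess'; 32 = 'ShareProcess' }
    $startNames = @{ 0 = 'Boot'; 1 = 'System'; 2 = 'Automatic'; 3 = 'Manual'; 4 = 'Disabled' }
    foreach ($n in $Name) {
        $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$n"
        if (-not (Test-Path $key)) { Write-Warning "$n is not installed"; continue }
        $p = Get-ItemProperty -Path $key
        # Drivers use an NT object path (\??\C:\...); strip the prefix to get a Win32 path.
        # Neither of these ImagePaths carries arguments, so no quoting/splitting is needed.
        $image = [Environment]::ExpandEnvironmentVariables($p.ImagePath) -replace '^\\\?\?\\', ''
        $sig = if (Test-Path -LiteralPath $image) {
            (Get-AuthenticodeSignature -FilePath $image).Status
        } else { 'FileMissing' }
        [pscustomobject]@{
            Service   = $n
            Type      = $typeNames[[int]$p.Type]
            Start     = $startNames[[int]$p.Start]
            Account   = $p.ObjectName          # empty for drivers: they run in the kernel, not as a user
            ImagePath = $image
            Signature = $sig                   # Valid / NotSigned / HashMismatch / ...
        }
    }
}

Get-ServiceImageAudit | Format-Table -AutoSize
```

Type 0x1 with Group "File System" is a kernel driver and Type 0x10 with ObjectName LocalSystem is a user-mode service running as SYSTEM, which matches UCyborg's reply that the second service is the driver doing the patching. The Signature column is the part worth keeping: on 64-bit Windows a kernel driver only loads with a valid signature unless test signing is on, so a NotSigned or HashMismatch result for elytsxu.sys explains a driver that silently stops working after an update.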

The second service is a kernel-mode driver that does the actual patching. UxStyle doesn't work on Creators Update at all; it didn't work properly on the November Update either. I wasn't the only person for whom it prevented graphics drivers from working on each boot: http://virtualcustoms.net/showthread.php/69833-Discovered-a-problem-with-UxStyle-Community-Edition-for-Windows-10 It needs updating. So until then, you're good with UxStyle.

PS:

Edited by UCyborg

I just realized why you can't use an unsigned theme on Creators Update without editing the registry: the theme selection settings have been moved to the Settings app. Manually injecting UxTSB.dll into SystemSettings.exe with Process Hacker 2 makes it work!

Edited by UCyborg

Attached is a shortcut to the Personalization panel in Control Panel... Yes, it still exists.

PersonalizationShortcut.zip

EDIT: alternatively, you could create a new shortcut with the following command line:

explorer.exe ::{26EE0668-A00A-44D7-9371-BEB064C98683}\0\::{ED834ED6-4B5A-4BFE-8F11-A626DCB6A921}

Edited by Dblake1
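Rather than downloading a .lnk from a forum attachment, the shortcut can be built locally from the command line Dblake1 posted. The script below is an added example, not Dblake1's attachment: it first checks that both CLSIDs in the shell path are registered under HKCR\CLSID (if one is missing, Explorer silently opens a plain folder view instead of the panel), then creates the shortcut through the WScript.Shell COM object. The target string is the one from the post; the function name and the default desktop location are assumptions.

```powershell
# Added example (not from the thread): create the Control Panel Personalization shortcut
# from the posted explorer.exe command line after verifying its CLSIDs.
function New-PersonalizationShortcut {
    param(
        # Assumed default: a Personalization.lnk on the current user's desktop.
        [string]$Path = (Join-Path ([Environment]::GetFolderPath('Desktop')) 'Personalization.lnk')
    )
    # Shell namespace path from the post: All Control Panel Items -> Personalization.
    $target = '::{26EE0668-A00A-44D7-9371-BEB064C98683}\0\::{ED834ED6-4B5A-4BFE-8F11-A626DCB6A921}'

    # Every {GUID} in the path must be a registered COM class, otherwise the shortcut
    # opens an empty folder view. Print each class's default (display) name as a check.
    foreach ($guid in [regex]::Matches($target, '\{[0-9A-Fa-f-]{36}\}') | ForEach-Object Value) {
        $key = "Registry::HKEY_CLASSES_ROOT\CLSID\$guid"
        if (-not (Test-Path $key)) { throw "CLSID $guid is not registered on this system" }
        '{0} -> {1}' -f $guid, (Get-ItemProperty -Path $key).'(default)'
    }

    $shell = New-Object -ComObject WScript.Shell
    $lnk = $shell.CreateShortcut($Path)
    $lnk.TargetPath = Join-Path $env:windir 'explorer.exe'
    $lnk.Arguments  = $target
    $lnk.Save()
    $Path
}

New-PersonalizationShortcut
```

Checking the CLSIDs first is also a cheap way to confirm whether a given build still ships the classic panel: on a build where Microsoft removed it, the Personalization CLSID disappears from HKCR\CLSID and the function throws instead of producing a dead shortcut.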

11 hours ago, CKyHC said:

With UxStyle, the glow on the headers of ribboned windows didn't work. Returning to UxTSB.dll through AppInit_DLLs.

Because that's not the job of a theme signature bypass tool. By original design, applications that draw controls on the window frame must then also draw the window caption using the DrawThemeText API. UxTSB.dll just hooks that function, and if a random application uses it for something else, you get unexpected results like these:

The cleanest solution for the most consistent experience across applications is modifying the theme to enable text glow like it was on Windows 7; take note of the TEXTGLOWSIZE and GLOWINTENSITY properties:

McXdF28.png

Then set "Caption glow effect mode" in the Aero Glass GUI to "Use theme settings". At least that is supposed to get you the default Windows 7 behavior; the problem is the long-present bug in Aero Glass with text not being rendered at the correct position. For now, I use the option that takes the glow from the atlas image, so I have one type of glow for regular windows and another for ribboned windows. Though it's not connected to ribbons, it's the customized frame.

The other type you get is the composited glow controlled by those two properties I mentioned. Aero Glass only overrides TEXTGLOWSIZE, so there is no glow if GLOWINTENSITY is 0. I think the glow from the atlas image is exclusive to the captions of regular windows. And so is custom-colored caption text without UxTSB.dll in every process (the AppInit_DLLs method).

53 minutes ago, CKyHC said:

Dblake1, this shortcut exists in Modern Settings - Personalization - Themes.

Not in Creators Update.

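Two things in this thread are worth checking from a shell rather than by eye: whether the AppInit_DLLs mechanism mentioned here is actually active on the machine, and which processes really have UxTSB.dll mapped (winlogon.exe when the injector works, SystemSettings.exe after UCyborg's manual injection with Process Hacker, every user32-loading process under the AppInit_DLLs method). The script below is an added example, not code from the thread or from Aero Glass; function names are mine, the module name is the one discussed. On Windows 8 and later the AppInit_DLLs infrastructure is disabled entirely while Secure Boot is enabled, so a machine where it silently does nothing is the first thing to rule out when two computers behave differently. Run it elevated, or you will not be able to read the module list of SYSTEM processes such as winlogon.exe.

```powershell
# Added example (not from the thread or from Aero Glass): show the AppInit_DLLs
# configuration and find every process that currently has a given DLL loaded.

function Get-AppInitDllState {
    # AppInit_DLLs injects the listed DLLs into every process that loads user32.dll.
    # On x64 Windows the 32-bit and 64-bit loaders read separate keys.
    $keys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows',
        'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows'
    )
    foreach ($k in $keys) {
        if (-not (Test-Path $k)) { continue }
        $p = Get-ItemProperty -Path $k
        [pscustomobject]@{
            Key                       = $k
            AppInit_DLLs              = $p.AppInit_DLLs               # space/comma separated DLL list
            LoadAppInit_DLLs          = $p.LoadAppInit_DLLs           # 0 = mechanism switched off
            RequireSignedAppInit_DLLs = $p.RequireSignedAppInit_DLLs  # 1 = unsigned DLLs are refused
            SecureBoot                = (Confirm-SecureBootUEFI -ErrorAction SilentlyContinue)
        }
    }
}

function Get-ProcessWithModule {
    param([string]$ModuleName = 'UxTSB.dll')
    foreach ($proc in Get-Process) {
        try {
            # Module enumeration fails with "access denied" for protected processes and
            # for processes in other sessions when not elevated; a 64-bit shell also does
            # not see the 32-bit modules of a WOW64 process. Such processes are skipped.
            $hit = $proc.Modules | Where-Object { $_.ModuleName -ieq $ModuleName }
        } catch { continue }
        if ($hit) {
            [pscustomobject]@{
                Name = $proc.ProcessName
                Id   = $proc.Id
                Path = $hit.FileName
            }
        }
    }
}

Get-AppInitDllState | Format-List
Get-ProcessWithModule -ModuleName 'UxTSB.dll' | Format-Table -AutoSize
```

Confirm-SecureBootUEFI throws on legacy-BIOS machines, which the SilentlyContinue turns into an empty field; a $true there together with a non-empty AppInit_DLLs value is the combination to look for, because the DLL is listed but will never be loaded. Comparing the process list between the home computer and the ones where logon fails shows directly whether the DLL reached winlogon.exe at all, which is the step UCyborg says is failing.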

4 hours ago, UCyborg said:

Not in Creators Update.

As far as I know, Creators Update is not officially released yet. Maybe in the final release MS will bring this shortcut back... Or cut the old personalization dialog entirely...

If this shortcut is absent from Modern Settings, it can always be found via the old Control Panel... I used some tweak tool to add a Personalization command to the right-click menu on the desktop, just like in Windows 7.

