bigmuscle

UxTheme Signature Bypass


1 minute ago, CKyHC said:

Can the folder C:\Program Files\AeroGlass cause this problem? When I have time I will try to change the folder to C:\AeroGlass. But it's very doubtful...

The owner of C:\Program Files\AeroGlass is my account with administrator permissions. The SYSTEM account has full rights. What more permissions must the folder have to work properly?

You're right, it shouldn't cause problems, I tried. Even having 2 aerohost instances doesn't cause an injection problem on my end either.


It seems when there are permission issues, only these entries appear in logs:

[2017-01-25 02:59:38][0x2024:0x3E8] Installing DWM hook...
[2017-01-25 02:59:38][0x2024:0x3E8] User: SYSTEM
[2017-01-25 02:59:38][0x2024:0x3E8] Module: C:\AeroGlass\DWMGlass.dll

There is this convention that applications shouldn't write to their own directory, and this restriction on Program Files has been implemented by default at least since Windows XP, though a lot of people probably used an admin account for everything. Before UAC was a thing, admin accounts got full access to the Program Files directory automatically.

So the worst that can happen probably is that Aero Glass can't write its logs. There is this catch: DWM doesn't run under the SYSTEM account, so once DWMGlass.dll is injected, it does everything under DWM's account. And there is some magic in there that lets it access user-specific settings in the registry.


On my home comp with SSD, AeroGlass is installed in Program Files too.

The normal log is:

[2017-03-02 22:38:31][0x5AC:0x5B0] Installing DWM hook...
[2017-03-02 22:38:32][0x5AC:0x5B0] User: СИСТЕМА
[2017-03-02 22:38:32][0x5AC:0x5B0] Module: C:\Program Files\AeroGlass\DWMGlass.dll
[2017-03-02 22:38:33][0x5AC:0x5B0] C:\Program Files\AeroGlass\UxTSB.dll has been injected into winlogon.exe.

On the other 2 comps there is an error injecting UxTSB.dll. And I don't know why...

Edited by CKyHC

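The two log excerpts quoted above differ only in the final "has been injected into winlogon.exe" line. The following is an added example, not part of the original posts and not Aero Glass code, that parses this log layout and lists the hook sessions lacking that confirmation; the function names and the regular expressions are assumptions inferred from the quoted lines.

```python
import re
from ntpath import basename  # Windows path rules on any host OS

# Constructed input: the two log excerpts quoted in the posts above, back to back.
SAMPLE_LOG = r"""
[2017-01-25 02:59:38][0x2024:0x3E8] Installing DWM hook...
[2017-01-25 02:59:38][0x2024:0x3E8] User: SYSTEM
[2017-01-25 02:59:38][0x2024:0x3E8] Module: C:\AeroGlass\DWMGlass.dll
[2017-03-02 22:38:31][0x5AC:0x5B0] Installing DWM hook...
[2017-03-02 22:38:32][0x5AC:0x5B0] User: СИСТЕМА
[2017-03-02 22:38:32][0x5AC:0x5B0] Module: C:\Program Files\AeroGlass\DWMGlass.dll
[2017-03-02 22:38:33][0x5AC:0x5B0] C:\Program Files\AeroGlass\UxTSB.dll has been injected into winlogon.exe.
"""

# Line layout inferred from the excerpts: [timestamp][0xPID:0xTID] message
LINE_RE = re.compile(r"^\[([^\]]+)\]\[(0x[0-9A-Fa-f]+):(0x[0-9A-Fa-f]+)\] (.*)$")
INJECT_RE = re.compile(r"^(.+) has been injected into (\S+?)\.?$")

def hook_sessions(log_text):
    """Group lines into sessions, one per 'Installing DWM hook...' line and PID:TID pair."""
    sessions, open_by_thread = [], {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue                      # blank or foreign line
        ts, pid, tid, msg = m.groups()
        if msg.startswith("Installing DWM hook"):
            s = {"started": ts, "pid": int(pid, 16), "user": None,
                 "module": None, "injected": []}
            sessions.append(s)
            open_by_thread[(pid, tid)] = s
            continue
        s = open_by_thread.get((pid, tid))
        if s is None:
            continue                      # message without a preceding hook line
        if msg.startswith("User: "):
            s["user"] = msg[len("User: "):]
        elif msg.startswith("Module: "):
            s["module"] = msg[len("Module: "):]
        elif (inj := INJECT_RE.match(msg)):
            s["injected"].append((inj.group(1), inj.group(2)))
    return sessions

def sessions_missing(sessions, dll_name="UxTSB.dll"):
    """Sessions with no '<dll> has been injected into ...' confirmation for dll_name."""
    return [s for s in sessions
            if not any(basename(d).lower() == dll_name.lower() for d, _ in s["injected"])]
```

A flagged session shows only the symptom: the excerpts carry no error text, so the cause still has to be found elsewhere.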

Hmmm, it's interesting... On my home comp, the permissions of the AeroGlass folder include "Window Manager Group" with full rights... But I don't know how to add this group to the security permissions...

Tried these variants:

LOCAL SERVICE\Window Manager Group

NT SERVICE\Window Manager Group

How do I find and add this user?

On my home note I'm scared to try to copy the folder from the main comp with security rights. On the note, loading from my flash drive didn't work... Tomorrow I will try on the working comp...

Edited by CKyHC


Copied the folder from my home comp to work... The folder rights now include Window Manager Group. But nothing changes... Logon is impossible...

I don't know why it happens... And what to do... And why on the home comp it happens only with a quick logon. And if slow, then all works fine...

Any other thoughts? Maybe you can't reproduce it because I use a Russian version of the system?

Edited by CKyHC


It fails at allocating memory in winlogon.exe's virtual address space to store the path of the DLL to load. It's not connected to the fact that you're using Russian Windows, and file permissions also shouldn't have anything to do with it, otherwise it wouldn't work at all on your home system, not even when you slowly type the password.

I was wondering if there exists a general purpose injector, but found nothing flexible enough for this task. Would be good to know if using some alternative produces any different results.

1 hour ago, UCyborg said:

It fails at allocating memory in winlogon.exe's virtual address space to store the path of the DLL to load. It's not connected to the fact that you're using Russian Windows, and file permissions also shouldn't have anything to do with it, otherwise it wouldn't work at all on your home system, not even when you slowly type the password.

I was wondering if there exists a general purpose injector, but found nothing flexible enough for this task. Would be good to know if using some alternative produces any different results.

Tomorrow I will try to use the UxStyle service. Just to make a difference...

Edited by CKyHC


Installed UxStyle 0.242. Works fine. But I noticed that UxStyle creates 2 services.

1st (ImagePath=C:\Windows\unsignedthemes.exe) :

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\UnsignedThemes]
"Type"=dword:00000010
"Start"=dword:00000002
"ErrorControl"=dword:00000000
"ImagePath"=hex(2):43,00,3a,00,5c,00,57,00,49,00,4e,00,44,00,4f,00,57,00,53,00,\
  5c,00,75,00,6e,00,73,00,69,00,67,00,6e,00,65,00,64,00,74,00,68,00,65,00,6d,\
  00,65,00,73,00,2e,00,65,00,78,00,65,00,00,00
"DisplayName"="Unsigned Themes"
"Group"="AudioGroup"
"ObjectName"="LocalSystem"
"Description"="Enables the use of unsigned third-party themes."

2nd (ImagePath=\??\C:\WINDOWS\system32\Drivers\elytsxu.sys) :

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\uxstyle]
"Type"=dword:00000001
"Start"=dword:00000002
"ErrorControl"=dword:00000001
"ImagePath"=hex(2):5c,00,3f,00,3f,00,5c,00,43,00,3a,00,5c,00,57,00,49,00,4e,00,\
  44,00,4f,00,57,00,53,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,\
  00,5c,00,44,00,72,00,69,00,76,00,65,00,72,00,73,00,5c,00,65,00,6c,00,79,00,\
  74,00,73,00,78,00,75,00,2e,00,73,00,79,00,73,00,00,00
"Group"="File System"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\uxstyle\Parameters]
"EnableLogging"=dword:00000000
"LogFile"=""

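The ImagePath values in the export above are REG_EXPAND_SZ data, which regedit writes as comma-separated UTF-16LE bytes. The following is an added example, not from the original post or from UxStyle, that decodes them and labels each service by its Type and Start values, which shows at a glance which entry loads into the kernel; the function names are this example's own.

```python
import re

# Constructed input: the two service keys from the post, trimmed to the values used here.
SAMPLE_REG = r'''
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\UnsignedThemes]
"Type"=dword:00000010
"Start"=dword:00000002
"ImagePath"=hex(2):43,00,3a,00,5c,00,57,00,49,00,4e,00,44,00,4f,00,57,00,53,00,\
  5c,00,75,00,6e,00,73,00,69,00,67,00,6e,00,65,00,64,00,74,00,68,00,65,00,6d,\
  00,65,00,73,00,2e,00,65,00,78,00,65,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\uxstyle]
"Type"=dword:00000001
"Start"=dword:00000002
"ImagePath"=hex(2):5c,00,3f,00,3f,00,5c,00,43,00,3a,00,5c,00,57,00,49,00,4e,00,\
  44,00,4f,00,57,00,53,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,\
  00,5c,00,44,00,72,00,69,00,76,00,65,00,72,00,73,00,5c,00,65,00,6c,00,79,00,\
  74,00,73,00,78,00,75,00,2e,00,73,00,79,00,73,00,00,00
'''

# Win32 service constants: Type 0x1 and 0x2 are drivers loaded into the kernel.
SERVICE_TYPES = {0x1: "kernel driver", 0x2: "fs driver", 0x10: "own process", 0x20: "shared process"}
START_TYPES = {0: "boot", 1: "system", 2: "auto", 3: "manual", 4: "disabled"}

def decode_value(data):  # dword, hex(2) (REG_EXPAND_SZ as UTF-16LE bytes) or quoted string
    if data.startswith("dword:"):
        return int(data[6:], 16)
    if data.startswith("hex(2):"):
        raw = bytes(int(b, 16) for b in data[7:].split(",") if b.strip())
        return raw.decode("utf-16-le").rstrip("\x00")   # drop the terminating NUL
    return data.strip('"')

def parse_reg(text):  # -> {key_path: {value_name: decoded_value}}
    text = re.sub(r"\\\r?\n\s*", "", text)   # join hex lines continued with a trailing "\"
    keys, current = {}, None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1], {})
        elif current is not None and "=" in line:
            name, _, data = line.partition("=")
            current[name.strip('"')] = decode_value(data)
    return keys

def summarize_services(text):  # one row per key that has an ImagePath
    return [{"service": key.rsplit("\\", 1)[-1],
             "type": SERVICE_TYPES.get(v.get("Type"), "unknown"),
             "start": START_TYPES.get(v.get("Start"), "unknown"),
             "image": v["ImagePath"], "kernel_mode": v.get("Type") in (0x1, 0x2)}
            for key, v in parse_reg(text).items() if "ImagePath" in v]
```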

The second service is a kernel-mode driver that does the actual patching. UxStyle doesn't work on Creators Update at all, and it didn't work properly on November's Update either. I wasn't the only person where it prevented graphics drivers from working on each boot: http://virtualcustoms.net/showthread.php/69833-Discovered-a-problem-with-UxStyle-Community-Edition-for-Windows-10 It needs updating. So until then, you're good with UxStyle.

PS:

Edited by UCyborg


I just realized why you can't use an unsigned theme on Creators Update without editing the registry: the theme selection settings have been moved to the Settings app. Manually injecting UxTSB.dll in SystemSettings.exe with Process Hacker 2 makes it work!

Edited by UCyborg

With UxStyle, glow didn't work on the headers of ribboned windows. Returning to UxTSB.dll through AppInit_DLL.

Edited by CKyHC


Attached is a shortcut to the Personalization panel in Control Panel... Yes, it still exists.

PersonalizationShortcut.zip

EDIT: alternatively, you could make a new shortcut with the following command line:

explorer.exe ::{26EE0668-A00A-44D7-9371-BEB064C98683}\0\::{ED834ED6-4B5A-4BFE-8F11-A626DCB6A921}

Edited by Dblake1

Dblake1, this shortcut exists in Modern Settings - Personalization - Themes.

11 hours ago, CKyHC said:

With UxStyle, glow didn't work on the headers of ribboned windows. Returning to UxTSB.dll through AppInit_DLL.

Because that's not the job of a theme signature bypass tool. By original design, applications that draw controls on the window frame must then also draw the window caption using the DrawThemeText API. UxTSB.dll just hooks that function, and if a random application uses it for something else, you get unexpected results like these:

The cleanest solution for the most consistent experience across applications is modifying the theme to enable text glow like it was on Windows 7; take note of the TEXTGLOWSIZE and GLOWINTENSITY properties:

McXdF28.png

Then set "Caption glow effect mode" in Aero Glass GUI to "Use theme settings". At least that is supposed to get you default Windows 7 behavior, the problem is the long-present bug in Aero Glass with text not being rendered at correct position. For now, I use the option that takes glow from atlas image, so I have one type of glow for regular windows and the other for ribboned windows. Though it's not connected to ribbons, it's the customized frame.

The other type you get is composited glow controlled by those two properties I mentioned. Aero Glass only overrides TEXTGLOWSIZE, so no glow if GLOWINTENSITY is 0. I think the glow from atlas image is exclusive to captions of regular windows. And so is custom colored caption text without UxTSB.dll in every process (AppInit_DLLs method).

53 minutes ago, CKyHC said:

Dblake1, this shortcut exists in Modern Settings - Personalization - Themes.

Not in Creators Update.

4 hours ago, UCyborg said:

Not in Creators Update.

As far as I know, Creators Update is not officially released. Maybe in the final release MS will return this shortcut... Or cut the old personalization dialog altogether...

If this shortcut is absent in Modern Settings, it can always be found via the old Control Panel... I used a tweak tool and added a Personalization command to the right-click menu on the desktop, just like in Windows 7.
