How to protect your UACD - Ultimate Guide

This will hopefully be the ultimate 1-2-3 type guide for protecting your copy of UACD. This guide is based on (a summary as it were) this post. This process works, but can cause damage to your current install if misused. So you have been warned. Let us begin:

1) Download the attachment at the end of this post.

2) Extract contents to a temp folder.

3) Move PKUnzip into $OEM$\$1 dir

4) Move ProtectUA.cmd and Protect.vbs into $OEM$\$$\system32

5) Run Analyze.vbs from the desktop to get the BIOS ID code of your machine

6) Edit ProtectUA.vbs (DON'T RUN IT) Place the code that is shown into the

Dim arrayAllowedHosts(1)
arrayAllowedHosts(0) = "xxxxxxxxxxxxxxxxxxxx"
arrayAllowedHosts(1) = "xxxxxxxxxxxxxxxxxxxx"

section of the code as shown above. Copy it exactly!

7) Repeat steps 5 and 6 for every computer you wish to use the UACD on. If you wish to use this on more than two computers then the above code can be added to by simply adding more arrayAllowedHosts, like so

Dim arrayAllowedHosts(2)
arrayAllowedHosts(0) = "xxxxxxxxxxxxxxxxxxxx"
arrayAllowedHosts(1) = "xxxxxxxxxxxxxxxxxxxx"
arrayAllowedHosts(2) = "xxxxxxxxxxxxxxxxxxxx"

Remember that all arrays start at 0, so Dim arrayAllowedHosts(3), will allow you 4 arrayAllowedHosts.

8) In $OEM$\$1 create a zip file called Protect.zip. This should contain any .cmd files and .reg files that you use during your install. This zip should be password protected/encrypted. (I used Zip 2.0 encryption in Winzip, 128 and 256bit AES encryption did not seem to work with PKUNZIP)

9) It should be noted that PKUNZIP only works with 8.3 naming convention so that any names longer than 8.3 will be truncated when extracted. (I renamed all my .cmd and .reg files to 8.3 to get round this problem, you can also use $$Rename to change the file names back to what they were, but I have been unable to locate an example of the syntax used)

10) Once you have password protected this zip file the password must be entered into the appropriate section in the ProtectUA.vbs file

Const wmiRestartForce = 4

Dim arrayAllowedHosts(1)

You need to keep the " " around your password or it won't work!

11) Once all this has been done you should be ready to set up your RunOnceEx.cmd. The calling of the ProtectUA.cmd must be the 1st operation in the RunOnceEx.cmd because the zip file has to be extracted before any further .cmds can be called. NOTE: the zip file will be extracted to the root of the C: drive so you will need to take this into account when calling .cmds and .reg files in the RunOnceEx.cmd. Here is an example of the 1st few lines of my RunOnceEx.cmd

@echo off

SET KEY=HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx

REG ADD %KEY% /V TITLE /D "Installing Applications" /f

REG ADD %KEY%\001 /VE /D "Preparing Installation Profile..." /f
REG ADD %KEY%\001 /V 1 /D "%SystemDrive%\Windows\System32\ProtectUA.CMD" /f

REG ADD %KEY%\002 /VE /D "Inital Registry Changes and Tweaks" /f
REG ADD %KEY%\002 /V 1 /D "REGEDIT /S %systemdrive%\musicMov.reg" /f
REG ADD %KEY%\002 /V 2 /D "%systemdrive%\NWIcon.vbs" /f

12) Once you have done all of this and made sure that the correct password and BIOS IDs are in the VBS file you should be ready to run a test install. If you are installing on a VM you will need the BIOS ID of the VM, for this install XP without the security protection and run Analyze.vbs for the BIOS ID and add to the ProtectUA.vbs

13) Burn, test and pray.

14) If it works which it should everything should install as usual and nothing untoward should happen, if this is the case then great. There is one final test after that, which is to go into the ProtectUA.vbs file and change the BIOS ID of your test machine to an incorrect BIOS ID, just changing one number should do.

15) Burn and test again, this time the install should fail after the 1st part of RunOnceEx.cmd has been completed, your machine should restart and then moan that NTLDR is missing.

16) Once everything is working, the VBS code needs to be encrypted to complete the security. Download and install the Windows Script Encoder and also encrypt.cmd from the bottom of the post. Copy your ProtectUA.vbs to the root of C:\ and run encrypt.cmd. ProtectUA.vbs must be in the Root of C:\ for this to work. This should produce ProtectUA.vbe. Edit ProtectUA.cmd. Change

REM Start Machine Authentication and wait for its end


REM Start Machine Authentication and wait for its end

Then in $OEM$\$$\system32 replace ProtectUA.vbs with ProtectUA.vbe.

17) Burn and test.


I have a few notes that may be of use to anyone who tries this.

1) Your C: root will end up with all your .cmd and .reg files after the install, and these need the cleanup.cmd edited to be removed. Use

del %0

at the end of the cleanup.cmd to remove itself

2) Remember the 8.3 naming convention. This was my major bugbear when I 1st tried this as my zip was called ProtectUA.zip (which was suggested in the other post), which is too long for 8.3. I spent ages banging my head trying to figure it out, this is why I now use a zip called Protect.zip. I have edited the code to reflect this and the updated versions are attached to this post. If you read the other post and come across the Protection.zip by all means download but you'll have to change the code yourself.

Many Thanx to Martin Zugec and MOONLIGHT SONATA for the ideas and the code.

Post back any results you get and anywhere where the guide is a bit thin on the ground and I'll add to it if necessary.

Use this post for trouble-shooting as the main post is probably now best left for development purposes.



v1 - Original

v1.1 - Stated that it was a summary. Added Changelog.

v1.2 - Added points 16), 17) and removed Notes 3). Added encrypt.cmd as an attachment.

v1.3 - Mentioned " in Password and changed a few things at request of MOON



Edited by rikgale
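An added example, not part of the original post or its attached scripts: a pre-flight check for steps 8 and 9 and note 2 that reports which files staged for Protect.zip will not keep their names under the 8.3 convention, and which would collide after truncation. The truncation rule (first 8 characters of the base name, first 3 of the extension) is an assumption, and the sample names other than those mentioned in the post are constructed.

```python
import re
from collections import defaultdict

# Characters accepted in each part of a DOS 8.3 file name.
_PART = re.compile(r"^[A-Z0-9!#$%&'()\-@^_`{}~]+$")

def _split(name):
    """Split into (base, ext) on the last dot; ext is '' when there is none."""
    base, dot, ext = name.rpartition(".")
    return (base, ext) if dot else (ext, "")

def is_8_3(name):
    """True when the name already fits 8.3 and will extract unchanged."""
    base, ext = _split(name.upper())
    if not base or len(base) > 8 or len(ext) > 3:
        return False
    return bool(_PART.match(base)) and (not ext or bool(_PART.match(ext)))

def truncate_8_3(name):
    """ASSUMPTION: truncation keeps 8 chars of the base and 3 of the extension."""
    base, ext = _split(name.upper())
    return base[:8] + ("." + ext[:3] if ext else "")

def plan_archive(names):
    """Return (truncated, collisions) for the files staged for Protect.zip."""
    truncated = {}                 # original name -> name expected after extraction
    by_result = defaultdict(list)  # extracted name -> originals that map to it
    for name in names:
        result = name.upper() if is_8_3(name) else truncate_8_3(name)
        by_result[result].append(name)
        if not is_8_3(name):
            truncated[name] = result
    collisions = {r: src for r, src in by_result.items() if len(src) > 1}
    return truncated, collisions

# Constructed sample: names from the post plus hypothetical long ones.
SAMPLE = ["cleanup.cmd", "musicMov.reg", "NWIcon.vbs",
          "InstallApps1.cmd", "InstallApps2.cmd", "RegTweaks.reg"]

if __name__ == "__main__":
    truncated, collisions = plan_archive(SAMPLE)
    for original, result in truncated.items():
        print("RENAME NEEDED  %-18s -> %s" % (original, result))
    for result, sources in collisions.items():
        print("COLLISION      %s <- %s" % (result, ", ".join(sources)))
```

A collision means two scripts would land on the same file name in the root of C:, so any RunOnceEx.cmd entry that calls the overwritten one would run the wrong file.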

If I understand this right, this is a summary of the 'main topic'?

Thanks, it's very interesting, but because I had lost track of the main topic, things were becoming quite complicated: big topic, with many huge posts that were not always related to the protection of a UWXPCD.

Thanks again for this summary :)

P.S.: and thanks to all those who contributed to it, of course!!! ;)


Yes this is a summary, I have edited the post to state this. Indeed the original post is now moving away from security having completed what it set out to do.

A few additions I would like to see are:

1) the inclusion of a box that pops up to tell the user that they have installed that copy of UAXP on a machine for which it was not intended.

Actually that's the only thing


2rikgale: thx dude for this guide, hope so more people will use it now :)

But I have to say one thing - you MUST encrypt your vbs file, because the protection is really weak if you don't use it (password is in plaintext and anybody can edit it and add their own identifier inside...).

About $$Rename.txt, the syntax is the following:

Short_name_1 = "Long_name_1[$$]"
Short_name_2 = "Long_name_2[$$]"

so for example

D = "Documents and settings$$"

If you are interested, I could create a script that will automatically create these files (in fact I already have that code somewhere)



Nice guide. I've not checked your modifications to the code till now. One point for all the users of this method as well as those who run .cmd files that have very vital instructions set, please use Quick Batch File Compiler to change your .cmd files to .exe files and in doing so use the option of running the .EXE as ghost application (means no command window will ever be displayed; one step ahead of CMDOW) and also set a difficult to guess "decompiler" password so that decompiling the .exe back to the parent .cmd is peacefully restricted.


  • 2 months later...
  • 8 months later...
  • 9 months later...


I read everything about this and what can I say, it's perfect. I just tested my UAXP in VMware and it works 100%

I have run the code from GUIRunOnce because RunOnceEx interferes with IE7.

A solution more aggressive beside ntldr could be to add in the script a code to delete the mbr, erase partitions maybe only C:\ , not to cause damage on the others or something like this but I don't know if it could be done. I have searched the net but I didn't find anything

What do u think?



Well, I'm apprehensive if erasing partition, preferably C:\ is possible at that stage being already working from C:\. However, erasing mbr or editing mbr may be possible thanks to some 3rd-party command-line tool and of course thanks to GOD! With that script you can think for deleting some vital Windows resource directories and even Documents and Settings (though, about latter I'm not too sure), so that loading Windows next time is hardly possible.

About mbr edit/delete - I'll start searching net from now on.



  • 8 months later...

I have found a way to delete the mbr with a 3rd party tool just like you said, it's a freeware app called mbrwiz.exe

It's a DOS command line based app

Just add this line after ntldr line

ObjShell.Run ("C:\mbrwiz.exe /Wipe=2"), 0, True

You can use other argument specified on the site http://mirror.href.com/thestarman/asm/mbr/MBRWiz.html

Edited by adrianbodor