MDGx (Author), posted December 3, 2005, edited December 3, 2005 by MDGx

U891711 update:

Author's note:

KB891711.EXE and Q891711.DLL do not use any GDI functions or GDI objects. Therefore, it is highly unlikely that any image/icon editing tool crashes are caused directly by any of the unofficial or official versions. Nor would I expect the changes in the 'LoadImage' function to be the direct cause. GDI.EXE (all Win98 + WinME versions) has serious bugs that often lead to heap corruption when GDI resources drop below 10%. However, this corruption may manifest itself only much, much later when GDI resource levels are again higher or even at more than 70%.

eidenk, posted December 3, 2005

All I can say is that I never experience a GDI crash with any of the many image editing programs I use except sometimes when I run this patch. I use my computer enough to be able to assess that.

On my system (WinME) I get GDI crashes only when I try to go below 0% but this affects all standard applications of course. I have been testing stability in this respect by running scores of applications until reaching 1 or 2% of free resources left. The system remains rock stable. Closing most of the apps then frees most of the resources and the system never GDI crashed afterwards.

If I recall well, some GDI stability problems already begin to arise on Win98SE below 30%. Maybe what is written above by the U891711 author applies to Win98SE but certainly not to WinME which has apparently benefited from great improvement in this respect.

What I am interested in, with respect to resources, is whether the possibility exists to increase the size of the available resources by hacking/patching certain system files and have, say, the double to start with, which would allow to run more applications at once without falling in the red.

erpdude8, posted December 3, 2005

> All I can say is that I never experience a GDI crash with any of the many image editing programs I use except sometimes when I run this patch. I use my computer enough to be able to assess that.
>
> On my system (WinME) I get GDI crashes only when I try to go below 0% but this affects all standard applications of course. I have been testing stability in this respect by running scores of applications until reaching 1 or 2% of free resources left. The system remains rock stable. Closing most of the apps then frees most of the resources and the system never GDI crashed afterwards.
>
> If I recall well, some GDI stability problems already begin to arise on Win98SE below 30%. Maybe what is written above by the U891711 author applies to Win98SE but certainly not to WinME which has apparently benefited from great improvement in this respect.
>
> What I am interested in, with respect to resources, is whether the possibility exists to increase the size of the available resources by hacking/patching certain system files and have, say, the double to start with, which would allow to run more applications at once without falling in the red.

I have an HP Pavilion machine with pre-installed ME, I used to have those GDI problems several years ago. I just got rid of the apps that have caused those GDI crashes; some apps I have upgraded to reduce the chances of the GDI problems from happening. I no longer have those GDI problems anymore, regardless whether I had the U891711 patch or not. It's usually those 3rd party apps that aren't written well and more likely to cause those GDI crashes.

MDGx (Author), posted December 5, 2005

eidenk:

Here's U891711 author's answer to your comments:

I am afraid the brief answer to 'eidenk's' question is: virtually impossible w/o a major revamp of GDI.EXE. More details below.

------------------------------------------

'eidenk' wrote:

All I can say is that I never experience a GDI crash with any of the many image editing programs I use except sometimes when I run this patch. I use my computer enough to be able to assess that.

On my system (WinME) I get GDI crashes only when I try to go below 0% but this affects all standard applications of course. I have been testing stability in this respect by running scores of applications until reaching 1 or 2% of free resources left. The system remains rock stable. Closing most of the apps then frees most of the resources and the system never GDI crashed afterwards.

If I recall well, some GDI stability problems already begin to arise on Win98SE below 30%. Maybe what is written above by the U891711 author applies to Win98SE but certainly not to WinME which has apparently benefited from great improvement in this respect.

What I am interested in, with respect to resources, is whether the possibility exists to increase the size of the available resources by hacking/patching certain system files and have, say, the double to start with, which would allow to run more applications at once without falling in the red.

--

The amount of GDI resources is largely determined by the GDI 16-bit data segment. This 16-bit segment is limited to 64 KByte. Unfortunately, there is no easy way to increase it as a 16-bit offset can only address 65536 bytes max. GDI.EXE 4.90.3000 has fewer bugs and is far more stable than, for example, 4.10.2225, but it still is very buggy. Fatal GDI heap corruption shows up mainly in three ways, (1) a GPF in GDI.EXE, (2) a GPF in USER.EXE, and (3) a BSOD in KERNEL32.DLL (address depends on the version of KERNEL32.DLL). Depending on the system configuration, (3) & even (2) may happen more often than (1). Before fatal heap corruption occurs, some GDI objects may not have been used and/or freed properly (in particular, when resource levels drop below 10% - even with 4.90.3000!) and the system may still appear 'rock solid', may never crash or may only crash when the system is shut down.

Please post original crash error messages if you have them. I have not had any real GDI.EXE crash in a long, long time and it did not change after I installed KB891711.EXE 4.10.2222. What I suspect here is the following: 'LoadImage' is called thousands of times by most applications and the system itself and so is the code in KB891711.EXE/Q891711.DLL. This may trigger some bug in the 16-bit subsystem, a bug that is there all the time, but is almost never triggered unless KB891711.EXE is running. For example, KB891711.EXE allocates and releases additional GlobalMemory through the 16-bit subsystem (KRNL386.EXE) whenever 'LoadImage' is called.

Hope this helps.

eidenk, posted December 6, 2005

> Please post original crash error messages if you have them.

Unfortunately I did not make note of them but I will run the patch again and will post them if those occasional GDI crashes arise again.

If I understand you well, the GDI resources are exclusively 16bits. Have you got any knowledge of the 32bits part of the resources, which may not be GDI but USER and SYSTEM. I understand that the 32bits resources are of an arbitrary size far below their theoretical limit unlike 16bits ones and that it should be eventually possible to set a larger amount of memory for them quite easily for someone who's got the knowledge of those inner workings.

MDGx (Author), posted December 7, 2005, edited December 17, 2005 by MDGx

eidenk:

The answer from the author:

'eidenk' wrote:

Unfortunately I did not make note of them but I will run the patch again and will post them if those occasional GDI crashes arise again.

If I understand you well, the GDI resources are exclusively 16bits. Have you got any knowledge of the 32bits part of the resources, which may not be GDI but USER and SYSTEM. I understand that the 32bits resources are of an arbitrary size far below their theoretical limit unlike 16bits ones and that it should be eventually possible to set a larger amount of memory for them quite easily for someone who's got the knowledge of those inner workings.

--

TWEAKUI.CPL has a setting that turns on 'fault logging' - very useful for that. I also start DrWatson.exe at boot-up time whenever I use Win98SE (occasionally these days, it is mostly WinXP SP2 now).

Unfortunately, the answer is: not possible. GDI resources are from a "combined" 16-bit and 32-bit heap in the GDI data segment. The 16-bit heap is the real bottleneck. It is the same situation with USER resources, it is just a different 16-bit/32-bit heap in the USER data segment. The level of system resources is the lower value of either GDI or USER resources, but not another heap.

mamas6667, posted December 9, 2005

I've tried the official one old and new
Tihiy's TI891711 and now U891711
I'm sure U891711 is better than MSN's
But it still slows my system down (less responsive).
I think it is the fact that KB891711.exe is running as a service (always)
Tihiy's TI891711 doesn't run KB891711.exe upon bootup.
So I will continue to use Tihiy's TI891711, I'm a gamer and I need the resources.

PIII 450MHz 256MB
WIN 98SE, sesp21a-en.exe, 98SE2ME.EXE (ver 3.7), TI891711, 98KRNLUP.EXE

erpdude8, posted December 10, 2005

> I've tried the official one old and new
> Tihiy's TI891711 and now U891711
> I'm sure U891711 is better than MSN's
> But it still slows my system down (less responsive).
> I think it is the fact that KB891711.exe is running as a service (always)
> Tihiy's TI891711 doesn't run KB891711.exe upon bootup.
> So I will continue to use Tihiy's TI891711, I'm a gamer and I need the resources.

True that TI891711 doesn't load at startup but TI891711 has weaker protection than U891711.

Quote from author of U891711:

----
"Tihiy's TI891711 is a nice piece of work, but, unfortunately, is no real replacement since it offers only limited protection. 16-bit programs including USER.EXE (!) can load animated cursor files, etc, and they bypass TI891711.DLL completely, that is, there is zero protection."
----

The U891711 patch only slowed down my Win98 & ME computers slightly. So I didn't notice much of a performance drop with U891711.

erpdude8, posted December 12, 2005, edited December 12, 2005 by erpdude8

> The U891711 patch only slowed down my Win98 & ME computers slightly. So I didn't notice much of a performance drop with U891711.

The W98 machine I used was a Pentium one [100 MHz] w/ 64 megs of RAM and the ME machine was a Pentium 3 [766 MHz] w/ 256 megs of RAM.

This was assuming I did NOT have any antivirus software installed or loaded at startup. Firewall & antivirus utilities gobble up more resources than U891711.

mamas6667, posted December 14, 2005

Sorry to insist on using Tihiy's TI891711 patch, but playing online games (tactical ops, unreal tournament, etc..) I did notice a significant performance drop with U891711 and MSN was worst. Also windows reaction time is slower, startup too.

The question now is what security risk am I in using TI891711 patch (will i get infected with viri)

"bypass TI891711.DLL completely, that is, there is zero protection."

PLS explain further, if u find some time!

MDGx (Author), posted December 15, 2005

> Sorry to insist on using Tihiy's TI891711 patch, but playing online games (tactical ops, unreal tournament, etc..) I did notice a significant performance drop with U891711 and MSN was worst. Also windows reaction time is slower, startup too.
>
> The question now is what security risk am I in using TI891711 patch (will i get infected with viri)
>
> "bypass TI891711.DLL completely, that is, there is zero protection."
>
> PLS explain further, if u find some time!

The difference between U891711 and Tihiy's TI891711 patch is explained in U891711.TXT [see "AUTHOR'S NOTES" = NOTE #1]:

http://www.mdgx.com/files/U891711.TXT

Hope this helps.

Acheron, posted December 15, 2005

Sorry I haven't tested this fix yet, but I have an important question.

Can anyone tell if KB891711.exe shows up in the Task list after pressing CTRL-ALT-DEL, using this patch?

It's important for me to have it hidden, so people won't kill it accidentally and get BSODs.

bristols, posted December 16, 2005

> Can anyone tell if KB891711.exe shows up in the Task list after pressing CTRL-ALT-DEL, using this patch?

Nope, it doesn't show up in the Windows Task List window.

eidenk, posted December 16, 2005

> DEMO
>
> Proof-of-concept example demo of malformed animated cursor [.ANI] using 'LoadImage':
> http://www.xfocus.net/flashsky/icoExp/
>
> This applies *only* to Microsoft Internet Explorer 5.5 SP2 and newer:
> http://www.mdgx.com/toy.htm#IEX
>
> First try demo above without any update/patch/fix installed.
> Then install official MS05-002 fix, reboot, and try the demo again.
> Then install unofficial U891711 fix, reboot, and try the demo again.
> Please notice differences in behavior between these 2 fixes.
> http://www.mdgx.com/files/U891711.TXT

Can someone please explain what exactly the vulnerability is? As clicking on any of the flashsky links with IE 5.5SP2 on WinME and without a patch running does not make me feel vulnerable to anything, really. If clicking on one of the links would, say, launch Notepad, I'd be scared.

PsycoUnc, posted December 16, 2005

-yes, I'd like a better demo, as well... it's a bit confusing to me, too... (-there was one other test website, which was able to freeze up every Firefox window, with 100% cpu... which was annoying, but not a security threat...) ?

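Added example, not part of the thread and not code from any of the patches discussed: a structural pre-check for animated cursor (.ANI) files, the file type the demo quoted above hands to 'LoadImage'. It walks the RIFF/ACON container and reports chunk sizes or 'anih' header fields that are inconsistent with the file; the function names, the MAX_FRAMES limit and the sample bytes are assumptions made for illustration.

```python
import struct

ANIH_SIZE = 36      # fixed size of the 'anih' header chunk
MAX_FRAMES = 1024   # assumed sanity limit, not taken from any specification

def check_ani(data: bytes) -> list:
    """Return the structural problems found in an ANI file (empty list = none)."""
    if len(data) < 12 or data[:4] != b"RIFF" or data[8:12] != b"ACON":
        return ["not a RIFF/ACON container"]
    problems = []
    if struct.unpack_from("<I", data, 4)[0] + 8 > len(data):
        problems.append("RIFF size exceeds file length")
    pos, seen_anih = 12, False
    while pos + 8 <= len(data):
        tag, size = struct.unpack_from("<4sI", data, pos)
        body = pos + 8
        if size > len(data) - body:
            problems.append(f"chunk {tag!r} size {size:#x} runs past end of file")
            break
        if tag == b"anih":
            seen_anih = True
            if size != ANIH_SIZE:
                problems.append(f"anih chunk is {size} bytes, expected {ANIH_SIZE}")
            else:
                cb, frames, steps = struct.unpack_from("<3I", data, body)
                if cb != ANIH_SIZE:
                    problems.append("anih cbSize field does not match chunk size")
                if not (0 < frames <= MAX_FRAMES and 0 < steps <= MAX_FRAMES):
                    problems.append(f"frame/step count out of range ({frames}/{steps})")
        # LIST chunks contain sub-chunks after a 4-byte type: descend, do not skip
        pos = body + 4 if tag == b"LIST" else body + size + (size & 1)
    if not seen_anih:
        problems.append("no anih header chunk")
    return problems

def _chunk(tag: bytes, body: bytes) -> bytes:
    return tag + struct.pack("<I", len(body)) + body + b"\0" * (len(body) & 1)

def make_sample(frames=1, steps=1, icon_size=None) -> bytes:
    """Constructed sample: a one-frame ANI with a dummy 16-byte icon payload."""
    anih = struct.pack("<9I", ANIH_SIZE, frames, steps, 0, 0, 0, 0, 10, 1)
    icon = _chunk(b"icon", b"\0" * 16)
    if icon_size is not None:   # overwrite the declared size of the icon chunk
        icon = icon[:4] + struct.pack("<I", icon_size) + icon[8:]
    body = b"ACON" + _chunk(b"anih", anih) + _chunk(b"LIST", b"fram" + icon)
    return b"RIFF" + struct.pack("<I", len(body)) + body

if __name__ == "__main__":
    for name, blob in [("ok", make_sample()), ("zero frames", make_sample(frames=0))]:
        print(name, check_ani(blob))
```

A check of this kind belongs in front of anything that passes untrusted cursor files to the system loader, for example a mail or proxy filter; it does not replace the patches discussed in the thread.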