Windows 8 CPU Feature Patch (Bypass Windows 8 CPU feature checks)

Discussion in 'MDL Projects and Applications' started by Jan1, Aug 3, 2013.

  1. Dioptimizer

    Dioptimizer MDL Novice

    Nov 2, 2013
    Intel(R) Pentium(R) 4 CPU 2.80GHz
    DDR 2,25Gb

    After a clean install from ISO and patching my Windows 8.1 Pro via W8CPUFeaturePatch v1.5, the Windows Defender window does not work: the system does not show it :(. And after I made a fresh update and patched again (winload.exe and ntoskrnl.exe need to be patched again after an update), the window does not show :(.

    Maybe this window needs some missing CPU instructions?

    P.S.
    I need this window to properly turn off Windows Defender.
     
  2. shell64

    shell64 MDL Novice

    Nov 29, 2015
    maybe try this raymond . cc/blog/how-to-disable-uninstall-or-remove-windows-defender-in-vista/
     
  3. tfwmdl

    tfwmdl MDL Novice

    Feb 18, 2010
    This patch has never supported Windows 10, and Jan1 hasn't visited this forum in ages, so you're SOL.
     
  4. Carlos Detweiller

    Carlos Detweiller MDL Spinning Tortoise

    Dec 21, 2012
    Windows 10 relies too much on those CPU features now, so it wouldn't make a lot of sense, anyway...
     
  5. Dioptimizer

    Dioptimizer MDL Novice

    Nov 2, 2013
    This W8 patch supports Windows 10 Insider Preview (only up to build 10122, i.e. the next build, 10130, already does not work).
    If you want to use this OS, here are some of my remarks:
    • Only the options "Remove PAE check" and "Remove SSE2 and NX check" in W8CPUFeaturePatch work.
    • This patch cannot find the needed signature in the winload.exe file (with the last supported build, 10122) if you try to use the "Remove winload patchguard x86/Remove winload patchguard of Windows 8.1 x64" option; therefore, you need to use a third-party patch like PatchPAE3 (the option with the description: This will patch the loader to disable signature verification.)
    • Build 10122 has a date/time limit validation in the kernel, i.e. you must set the date to the year 2015 (the year this build was released) in the BIOS, otherwise the OS will not start.
     
  6. Tito

    Tito Super Mod / Adviser
    Staff Member

    Nov 30, 2009
    It's time to unstick this thread.

    :rolleyes:
     
  7. weest044

    weest044 MDL Novice

    Jun 24, 2016
    Can you please share that PatchPAE3?
    The patch that I found can't patch winload. It says:
    Input file version: 10011
    Unsupported loader version.
     
  8. mycop5

    mycop5 MDL Novice

    Jun 2, 2015
    Report.
    My processor does not support LAHF / SAHF (64-bit instructions).
    7 64 and 8 64 worked fine, but since 8.1 Microsoft, as always, has put a pig.
    I made a patch Remove various CPU feature checks in Windows 8.1 x64 and winload for 64 bit Windows 8.1 - works well.
    Version Windows 10240 - NTOSKRNL patch is possible
    1511 build 10586 - NTOSKRNL patch is possible
    v1607 - does not work
    v1703 - NTOSKRNL patch is possible but Windows does not load. = (
    Patching winload did not work on all these systems, and you have to press F8 and disable driver signature verification.
    ATTENTION disable via BCDEDIT enter recovery mode otherwise it will be loaded continuously.
     
  9. Dioptimizer

    Dioptimizer MDL Novice

    Nov 2, 2013
    Here is a detailed description of how this patch works:
    _ttp://forum.ru-board.com/topic.cgi?forum=55&bm=1&topic=13064#1
    (sorry, only Russian)
     
  10. Dorachan8

    Dorachan8 MDL Novice

    Apr 8, 2018

    Patch code note for PIIX 4 (82371 AB)

    WIN8 HAL.DLL
    F6 45 8C 01 0F 85 8B 00 00 00 F6 45 8C 02

    F6 45 8C 01 90 90 90 90 90 90 F6 45 8C 02

    WIN8 NTOSKRNL.EXE
    81CE00000004 B9140101C0 E809FBECFF

    81CE00000004 B9150001C0 E809FBECFF

    WIN 8.1 HAL.DLL
    F6 C3 01 75 36 F6 C3 02 74 07

    F6 C3 01 90 90 F6 C3 02 74 07

    WIN 8.1 NTOSKRNL.EXE
    81CE00000004 B9140101C0 E8206BECFF

    81CE00000004 B9150001C0 E8206BECFF

    Screenshot
    ttp://i.imgur.com/oR3dE1d.jpg
    ttp://i.imgur.com/tTTCYVt.jpg
    Fake Pentium II (SSE 2, SSE 3)
    i440FX, 82371SB (PIIX3)
    Microsoft Basic Display Driver

    In case of Windows 8.1 there is a possibility of mossing with Winlogon without SSE 2.

    Source of this patch
    The following link is a Japanese site
    Install Windows 8.1 on Athlon XP machines
    ttp://note.chiebukuro.yahoo.co.jp/detail/n336031
    Challenge the limit of low spec in Windows 8! Part 2
    ttp://mevius.5ch.net/test/read.cgi/win/1364399790/

    Windows 8 can be started with Pentium III by applying the above patch.
    You can also start Windows 8 with QEMU or Vmware (standard BIOS).
     
  11. Dorachan8

    Dorachan8 MDL Novice

    Apr 8, 2018
    Avoid PIIX4 check by remodeling Hal.DLL and Ntoskrnl.exe.
    Patch code note for PIIX 4 (82371 AB)

    WIN8 HAL.DLL
    F6 45 8C 01 0F 85 8B 00 00 00 F6 45 8C 02

    F6 45 8C 01 90 90 90 90 90 90 F6 45 8C 02

    WIN8 NTOSKRNL.EXE
    81CE00000004 B9140101C0 E809FBECFF

    81CE00000004 B9150001C0 E809FBECFF

    WIN8.1 HAL.DLL
    F6 C3 01 75 36 F6 C3 02 74 07

    F6 C3 01 90 90 F6 C3 02 74 07

    WIN8.1 NTOSKRNL.EXE
    81CE00000004 B9140101C0 E8206BECFF

    81CE00000004 B9150001C0 E8206BECFF
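
For checking whether a copy of hal.dll or ntoskrnl.exe carries the edits listed in the post above, the following added example (not part of the original post and not the patch tool's own code) classifies a file's bytes against the quoted before/after sequences. The pattern labels and function names are assumptions made here; the byte values are copied from the post.

```python
from pathlib import Path

# (original bytes, patched bytes) as quoted in the post; the keys are labels chosen here.
PATTERNS = {
    "win8_hal_piix4": ("F6 45 8C 01 0F 85 8B 00 00 00 F6 45 8C 02",
                       "F6 45 8C 01 90 90 90 90 90 90 F6 45 8C 02"),
    "win8_ntoskrnl_rdmsr": ("81CE00000004 B9140101C0 E809FBECFF",
                            "81CE00000004 B9150001C0 E809FBECFF"),
    "win81_hal_piix4": ("F6 C3 01 75 36 F6 C3 02 74 07",
                        "F6 C3 01 90 90 F6 C3 02 74 07"),
    "win81_ntoskrnl_rdmsr": ("81CE00000004 B9140101C0 E8206BECFF",
                             "81CE00000004 B9150001C0 E8206BECFF"),
}


def _offsets(data: bytes, needle: bytes) -> list[int]:
    """Return every offset at which needle occurs in data."""
    found, pos = [], data.find(needle)
    while pos != -1:
        found.append(pos)
        pos = data.find(needle, pos + 1)
    return found


def classify(data: bytes) -> dict[str, dict]:
    """Report, per pattern pair, whether the original or the patched form is present."""
    report = {}
    for name, (orig_hex, patched_hex) in PATTERNS.items():
        orig = _offsets(data, bytes.fromhex(orig_hex))      # fromhex skips the spaces
        patched = _offsets(data, bytes.fromhex(patched_hex))
        if patched:
            state = "patched"
        elif orig:
            state = "original"
        else:
            # Other build (the call displacement differs per build) or another
            # edit: a miss says nothing about the file's integrity.
            state = "not-found"
        report[name] = {"state": state, "original_at": orig, "patched_at": patched}
    return report


def classify_file(path: str) -> dict[str, dict]:
    """Classify a file on disk, for example an offline copy of hal.dll."""
    return classify(Path(path).read_bytes())
```

A "not-found" result only means these exact sequences are absent; the file's Authenticode signature remains the authoritative integrity check.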
     
  12. Dorachan8

    Dorachan8 MDL Novice

    Apr 8, 2018
    PIIX4 PATCH

    ■ Install on Athlon XP's FMV-NB16CA

    Let's examine hal.dll / halmacpi.dll first.

    HalpInterruptInitSystem
    800476BB push 5Ch
    HalpDpStartProcessor
    80049239 push 5Ch
    *HalpPiix4Detect
    *8004A637 push 5Ch
    HalpInterruptSwapProcessorIdentifiers
    8004ACD0 push 5Ch
    HalpAddDevice
    8004E2C9 push 5Ch
    HalpReportResourceUsage
    800578A8 push 5Ch
    *HalpPiix4Detect
    *80058174 push 5Ch
    HalpAcpiInitializePmRegisters
    8005A3FB push 5Ch

    It is said that Windows 8 does not support 82371 AB (PIIX 4), but IGP 320 + M 1535 chipset also produces HAL_INITIALIZATION_FAILED.

    Rewriting the location of HalpPiix4Detect to Push 50 changed to PAGE_FAULT_IN_NONPAGED_AREA, so we could identify the location.

    Search for 85c078408b9d54fffffff6c301 and rewrite it as 0003298D - 909090909090 and save it. Recalculate and write the checksum.


    call HalpGetChipHacks@16; HalpGetChipHacks(x,x,x,x)
    test eax, eax
    js short loc_8004A5C4
    mov ebx, [ebp+var_AC]
    test bl, 1
    jnz loc_8004A626 (0F8593000000 --> 909090909090)
    test bl, 2
    jz short loc_8004A59F
    mov _HalpDisableHibernate, 1
     
  13. Dorachan8

    Dorachan8 MDL Novice

    Apr 8, 2018
    And Bypassing RDMSR

    <Ntoskrnl.exe avoids freezing trying to read MSR>

    RDMSR@4
    8DP and 8.1 are identical
    mov ecx, 0C0010114h
    call @RDMSR@4 ; RDMSR(x)
    and eax, 10h
    xor edx, edx
    or eax, edx
    jnz


    8DP works even if you fill call @RDMSR@4.
    When filled with 8.1, 0x0000000A black screen occurs.

    890dac2d5e00e920aaffff3c02
    loc_63A6E3:
    cmp al, 2
    jnz loc_631A4
    0F 85 B9 AA FF FF
    90 E9 B9 AA FF FF
    Try to force JMP (right then do not do RDMSR)
    But it seems not to be good. Black screen with 0000000A


    I put 0C0010114h in ECX and RDMSR
    Using this number freezes MSR Editor of Crystal CPUID.

    This is a value that can not be used with this hardware.


    According to the information of CPU-Z
    mobile AMD Athlon (tm) XP 2200+
    MSR 0xC0010114 0x8279D6C0 0xFFFFFF37
    MSR 0xC0010015 0x00000000 0x06031000
    MSR 0xC0010042 0x000D0D0D 0x00150603
    MSR 0xC0010041 0x00000000 0x00110D03


    AMD FX (tm) -4100 Quad-Core Processor looks something like this
    MSR 0xC0010114 0x00000000 0x00000018


    0x000000114 (EDX = 0x00000000 EAX = 0x00000000)
    Let's rewrite it.

    243001000001740681ce00000004
    B9 14 01 01 C0
    B9 14 01 00 00


    Black screen was displayed at 0x0000000A.

    The meaning is an intrusion into the page address.

    EBX and ECX may change due to rewriting, so it may become amusing.


    I will try to rewrite it to MSR 0xC0010015 in a place where there is no harm


    mov ecx, C0010015h
    call @RDMSR@4 ; RDMSR(x)
    and eax, 10h
    xor edx, edx
    or eax, edx
    jnz loc_631A4
    jmp loc_63519E


    With PE tool

    243001000001740681ce00000004
    B9 14 01 01 C0
    B9 15 00 01 C0
     
  15. ChrisEric1

    ChrisEric1 MDL Novice

    Mar 29, 2019
    #220 ChrisEric1, May 18, 2019
    Last edited: May 18, 2019
    Windows 10 Build 10240???

    Also, can someone make a patch for the xddm/xpdm(whatever it is) for windows 8 windows 10