Disarming 9841's timebomb

Jake harrison
Posts: 62
Joined: Fri Dec 20, 2019 11:51 am
Location: Brisbane, Australia

Disarming 9841's timebomb

Post by Jake harrison »

Hi, I've recently been trying to boot 9879 on the current date and have successfully stopped 9879 from complaining about expired certificates by replacing the boot partition with 9845's one and setting advanced options to always show up before the OS attempts to boot; this way I can select disable driver signature enforcement and the OS no longer complains about expired certificates. The only problem I now face is that a few seconds into booting I get a BSOD that says process1_initialization_failed. Are there any potential fixes for this, and/or any possible reasons that the BSOD is appearing? Thanks for reading, and any help with this topic would be much appreciated :).
Last edited by Jake harrison on Fri Jan 29, 2021 12:51 pm, edited 1 time in total.

Voyambar
Posts: 113
Joined: Wed Sep 25, 2019 10:12 pm

Re: Disarming 9879's timebomb

Post by Voyambar »

Well, you replaced the boot partition; I don't think there's really any way to fix that. What VM software are you using?

Jake harrison
Posts: 62
Joined: Fri Dec 20, 2019 11:51 am
Location: Brisbane, Australia

Re: Disarming 9879's timebomb

Post by Jake harrison »

Voyambar wrote:
Wed Jan 27, 2021 10:29 pm
Well, you replaced the boot partition; I don't think there's really any way to fix that. What VM software are you using?
VMware Workstation 12. I've figured out that smss.exe, csrss.exe, services.exe and lsass.exe have to be integrity checked on boot no matter what. Because of this I switched to 9841 and used 9845's smss.exe, csrss.exe, services.exe and lsass.exe on 9841, and then unsigned everything else in system32, and now get another BSOD; this time it was 0x000021a.
Last edited by Jake harrison on Thu Jan 28, 2021 5:45 pm, edited 1 time in total.

Voyambar
Posts: 113
Joined: Wed Sep 25, 2019 10:12 pm

Re: Disarming 9879's timebomb

Post by Voyambar »

Jake harrison wrote:
Thu Jan 28, 2021 12:11 am
Voyambar wrote:
Wed Jan 27, 2021 10:29 pm
Well, you replaced the boot partition; I don't think there's really any way to fix that. What VM software are you using?
VMware Workstation 12. I've figured out that smss.exe, csrss.exe, services.exe and lsass.exe have to be integrity checked on boot no matter what. Because of this I switched to 9841 and used 9845's smss.exe, csrss.exe, services.exe and lsass.exe on 9841, and then unsigned everything else in system32, and now get another BSOD; this time it was 0x000021a.
Have you tried other VM software, perchance? I'd also recommend not modifying or replacing those files, so that way the integrity check passes.

Jake harrison
Posts: 62
Joined: Fri Dec 20, 2019 11:51 am
Location: Brisbane, Australia

Re: Disarming 9879's timebomb

Post by Jake harrison »

No, I have not tried other VM software, since the BSODs are certainly from unsigning all the files in system32. I just need to know what important files need to be signed in order for the system to boot successfully. Also, the reason I'm replacing 9841's files with 9845's ones is because the 9845 ones are test signed, so they work on the current date and are close enough to 9841 that they work and the system can boot with them. Leaving 9841's critical boot files will cause the system to complain about expired certificates; that's why I'm replacing them with the test signed 9845 ones, if this makes sense.

Voyambar
Posts: 113
Joined: Wed Sep 25, 2019 10:12 pm

Re: Disarming 9879's timebomb

Post by Voyambar »

Why can't you just re-sign the original files as test signed? You could also try replacing the certificates in question.

Jake harrison
Posts: 62
Joined: Fri Dec 20, 2019 11:51 am
Location: Brisbane, Australia

Re: Disarming 9879's timebomb

Post by Jake harrison »

Voyambar wrote:
Thu Jan 28, 2021 6:59 pm
Why can't you just re-sign the original files as test signed? You could also try replacing the certificates in question.
I wish it were as simple as re-signing each file, but unfortunately, iirc, changing the signature will change the SHA checksum and make the file fail the integrity check.

yourepicfailure
Donator
Posts: 1317
Joined: Mon Jul 23, 2012 9:40 pm
Location: Lufthansa DC-10

Re: Disarming 9879's timebomb

Post by yourepicfailure »

Oh my lord...

Clearly you're getting 0xc21a because 9845's csrss isn't compatible with a significantly newer build.
Strip all the certificates with sign tool and use an offline method to turn on:
DisableIntegrityChecks
AllowPrereleaseSignatures
DisableCodeIntegrityChecks

In BCD. Enjoy.

Good luck finding a certificate to use to sign the binaries.
"C makes it easy to shoot yourself in the foot; C++ makes it harder, but when you do it blows your whole leg off"
You will never tear me from the grasp of the Pentium M!
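
An added example, not part of the original thread: for anyone auditing a machine, two of the BCD settings named in the post above are visible in `bcdedit /enum` output, where DisableIntegrityChecks is displayed as `nointegritychecks` and AllowPrereleaseSignatures as `testsigning`. This Python code flags boot entries that have either one enabled; the sample output is constructed and the function names are this example's own.

```python
import re

# bcdedit display names for two of the BCD elements named in the post above.
WEAKENING = {"nointegritychecks": "DisableIntegrityChecks",
             "testsigning": "AllowPrereleaseSignatures"}
TRUE_VALUES = {"yes", "on", "true", "1"}

# Constructed sample of `bcdedit /enum` text output (not taken from the thread).
SAMPLE = r"""
Windows Boot Manager
--------------------
identifier              {bootmgr}

Windows Boot Loader
-------------------
identifier              {current}
path                    \Windows\system32\winload.exe
description             Constructed test entry
nointegritychecks       Yes
testsigning             Yes

Windows Boot Loader
-------------------
identifier              {11111111-2222-3333-4444-555555555555}
description             Constructed clean entry
nointegritychecks       No
"""

def parse_entries(text):
    """Split bcdedit output into one dict per blank-line-separated entry."""
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = block.splitlines()
        # Expect a title line, a dashed underline, then name/value rows.
        if len(lines) < 3 or set(lines[1].strip()) != {"-"}:
            continue
        fields = {"_type": lines[0].strip()}
        for line in lines[2:]:
            parts = line.split(None, 1)  # continuation rows have one token; skipped
            if len(parts) == 2:
                fields[parts[0].lower()] = parts[1].strip()
        entries.append(fields)
    return entries

def find_weakened(text):
    """Return (identifier, bcdedit name, BCD element) for each enabled option."""
    return [(e.get("identifier", "?"), key, WEAKENING[key])
            for e in parse_entries(text) for key in WEAKENING
            if e.get(key, "").lower() in TRUE_VALUES]
```

Calling `find_weakened` on the text captured from `bcdedit /enum` returns an empty list when neither setting is enabled on any entry.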

Jake harrison
Posts: 62
Joined: Fri Dec 20, 2019 11:51 am
Location: Brisbane, Australia

Re: Disarming 9879's timebomb

Post by Jake harrison »

yourepicfailure wrote:
Fri Jan 29, 2021 10:32 am
Oh my lord...

Clearly you're getting 0xc21a because 9845's csrss isn't compatible with a significantly newer build.
Strip all the certificates with sign tool and use an offline method to turn on:
DisableIntegrityChecks
AllowPrereleaseSignatures
DisableCodeIntegrityChecks

In BCD. Enjoy.

Good luck finding a certificate to use to sign the binaries.
I'm using 9841 now with 9845's csrss and it boots just fine; it's just that some other files need to be integrity checked. I don't know what ones they are, though.

yourepicfailure
Donator
Posts: 1317
Joined: Mon Jul 23, 2012 9:40 pm
Location: Lufthansa DC-10

Re: Disarming 9841's timebomb

Post by yourepicfailure »

The csrss was in reference to you using it on 9879.

Did you try what I recommended?

Jake harrison
Posts: 62
Joined: Fri Dec 20, 2019 11:51 am
Location: Brisbane, Australia

Re: Disarming 9841's timebomb

Post by Jake harrison »

yourepicfailure wrote:
Fri Jan 29, 2021 8:13 pm
The csrss was in reference to you using it on 9879.

Did you try what I recommended?
Yes, but still no success. I think it's possible if I find out what files need to have a valid signature on boot, like csrss.exe and services.exe.

yourepicfailure
Donator
Posts: 1317
Joined: Mon Jul 23, 2012 9:40 pm
Location: Lufthansa DC-10

Re: Disarming 9841's timebomb

Post by yourepicfailure »

I am going to guess you also did not strip the certificates with signtool.

I do not understand why you insist on maining TP.

Jake harrison
Posts: 62
Joined: Fri Dec 20, 2019 11:51 am
Location: Brisbane, Australia

Re: Disarming 9841's timebomb

Post by Jake harrison »

yourepicfailure wrote:
Sat Jan 30, 2021 6:42 am
I am going to guess you also did not strip the certificates with signtool.

I do not understand why you insist on maining TP.
I'm not doing this to main these builds; I'm doing it for people who want to use these builds without setting the date back, and just for the sake of experimenting. I did strip every file in the system32, syswow64 & windows folders, but doing so will cause a BSOD because some files need to be checked for a valid signature no matter what, even if you have nointegritychecks, driver signature enforcement disabled. All I need to know is what files these are; then I believe I could boot on the current date.

Voyambar
Posts: 113
Joined: Wed Sep 25, 2019 10:12 pm

Re: Disarming 9841's timebomb

Post by Voyambar »

Jake harrison wrote:
Sat Jan 30, 2021 8:29 am
yourepicfailure wrote:
Sat Jan 30, 2021 6:42 am
I am going to guess you also did not strip the certificates with signtool.

I do not understand why you insist on maining TP.
I'm not doing this to main these builds; I'm doing it for people who want to use these builds without setting the date back, and just for the sake of experimenting. I did strip every file in the system32, syswow64 & windows folders, but doing so will cause a BSOD because some files need to be checked for a valid signature no matter what, even if you have nointegritychecks, driver signature enforcement disabled. All I need to know is what files these are; then I believe I could boot on the current date.
Well, I would say no average Joe would try out a beta build, because average Joes don't even know what a VM is. It's useful and fun to experiment with it, but as an actual project for people, eh... no.

They told you what to do though; unless you can somehow get Microsoft's actual internal signing tool you're out of luck, and to obtain it would probably involve violating the law.

yourepicfailure
Donator
Posts: 1317
Joined: Mon Jul 23, 2012 9:40 pm
Location: Lufthansa DC-10

Re: Disarming 9841's timebomb

Post by yourepicfailure »

That and you need a valid certificate to sign it with.
Signtool.exe would suffice for the signing part. Good luck "acquiring" a valid certificate to use.

Of course you could get a legal developer certificate yourself if you have the connections. But binaries marked as "system" require a Microsoft private certificate. Nothing more, nothing less.
