How to make a tcpip.sys patch without pressing F8

A friend of mine asked me how to make a Vista tcpip.sys File Patch that does not require pressing the F8 key.
This is not difficult: just sign tcpip.sys with a test signature.

For more information about the tcpip.sys File Patch, see: TCP/IP Patcher Compare Technical Features.
http://deepxw.blogspot.com/2008/12/on-internet-there-are-all-kinds-of-tcp.html

Here are the details of patching tcpip.sys with a test signature; perhaps they will help you.

1) All operations require "Run as Administrator".

2) Set testsigning to on:
Bcdedit -set TESTSIGNING ON
Every tcpip.sys File Patch must do this; otherwise, a BSOD will occur after tcpip.sys has been modified.
After testsigning is turned on, "Test Mode" will be displayed in the 4 corners of the desktop.
You can get rid of it by modifying "user32.dll.mui". The string IDs are 738 and 723.

3) Reboot and check that testsigning is on. (This step is optional.)
You can check it with bcdedit, or check it in the registry.

4) Modify the half-open connection limit value in the file "tcpip.sys".
First, make a temporary copy of tcpip.sys to modify.
You can disassemble tcpip.sys to find the offset of the limit.
In tcpip.sys, the asm code looks like this:
NT5: mov _ActiveOpenProgressThreshold, 0Ah
NT6: cmp edx, 0Ah

On NT5, you can set a new value up to 0xFFFFFFFF.
On NT6, the new value can be at most 0xFF! Only 1 byte is available for use!

If you are lazy, you can get these offsets with the TCP-Z tool. Its "patch" tab shows the offset of the limit.
By default, TCP-Z does not show the file offset, but you can run tcpz.exe with this argument: tcpz.exe -showoffset.

5) Recompute the checksum of tcpip.sys.
You can use setcsum.exe.
Or do it in your own program with the CheckSumMappedFile() API.

6) Create a test certificate with the makecert.exe tool.
Makecert -r -pe -ss PrivateCertStore -n "CN=TcpipCert" tcpipcert.cer

7) Sign tcpip.sys with signtool.exe.
signtool sign /a /s PrivateCertStore /n "TcpipCert" tcpip.sys

You can verify the signature of tcpip.sys:
signtool verify tcpip.sys

Because our signature is not a valid signature, signtool will report "File not valid".
If it returns "A certificate chain processed", the test signature is OK.

8) Now copy the temporary tcpip.sys to the drivers folder, overwriting the original tcpip.sys.
Before copying, you need to run takeown and icacls on the original tcpip.sys.

9) All done. Restart your computer for the change to take effect!
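
Step 5 is needed because a PE file stores a checksum in its optional header, and that value no longer matches once any byte of the file changes. The following added example (not the author's code and not part of TCP-Z or setcsum.exe) is a portable Python reimplementation of the PE checksum calculation that can be used to check whether a driver's stored checksum still matches its contents. The helper names, the 512-byte sample buffer and the offsets inside it are constructed for illustration.

```python
import struct

def checksum_field_offset(image: bytes) -> int:
    """File offset of the CheckSum field in the PE optional header."""
    if image[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    # 4-byte signature + 20-byte file header; CheckSum sits 64 bytes into
    # the optional header for both PE32 and PE32+.
    return e_lfanew + 4 + 20 + 64

def stored_checksum(image: bytes) -> int:
    return struct.unpack_from("<I", image, checksum_field_offset(image))[0]

def pe_checksum(image: bytes) -> int:
    """16-bit end-around-carry sum with CheckSum zeroed, plus file length."""
    off = checksum_field_offset(image)
    data = bytes(image[:off]) + b"\0" * 4 + bytes(image[off + 4:])
    if len(data) % 2:
        data += b"\0"                      # pad an odd-length file
    total = 0
    for (word,) in struct.iter_unpack("<H", data):
        total += word
        total = (total & 0xFFFF) + (total >> 16)
    return ((total & 0xFFFF) + (total >> 16) + len(image)) & 0xFFFFFFFF

def checksum_is_current(image: bytes) -> bool:
    return stored_checksum(image) == pe_checksum(image)

def build_sample() -> bytearray:
    """Constructed 512-byte PE-shaped buffer; not a real driver."""
    img = bytearray(512)
    img[0:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x40)       # e_lfanew
    img[0x40:0x44] = b"PE\0\0"
    img[0x100:0x103] = bytes.fromhex("83fa0a")    # cmp edx, 0Ah (made-up offset)
    struct.pack_into("<I", img, checksum_field_offset(img), pe_checksum(img))
    return img

if __name__ == "__main__":
    img = build_sample()
    print(hex(stored_checksum(img)), checksum_is_current(img))   # fresh header
    img[0x102] = 0x32        # one-byte edit without refreshing the header
    print(hex(pe_checksum(img)), checksum_is_current(img))       # stale header
```

To check a real file, read it with open(path, "rb").read() and pass the bytes to checksum_is_current().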

Posted by deepxw at 18:00

10 comments:

Anonymous said... January 14, 2009 11:55 PM  

Regarding Windows 7 (x86), if anyone has successfully managed to replace the default tcpip.sys, please post. I tried it last week, replacing not only the one in the Drivers directory, but also the two in the Winsxs directories, but upon booting Win7, the new Startup Repair *always* ran, told me there was a problem, and replaced the file (somehow) with the original one.

The thing is very smart, and it defeated me. So while I didn't have a problem doing this with Vista, Win7 is much more difficult.

deepxw said... January 15, 2009 11:49 PM  

I tried it; it is no problem.
Look:
win7_x86_7000_mod_tcpip.sys.png

Main points:
Sign tcpip.sys with a test signature;
Set testsigning on with bcdedit.

Anonymous said... January 17, 2009 4:06 PM  

Signing wouldn't matter for this problem, since the file was different than the original and would always be, and that's all that Win7 needs to know to want to replace it.

Did your Win7 installation have the hidden 200MB recovery partition? Mine did, and I now know that it's what does repairs like this. If there's any way to tell it to ignore a certain file for good, I don't know what it is (this is not to be confused with disabling driver signing checking, which is unrelated). It may be impossible for all I know.

Since Vista never had a recovery partition (it was a manual process via DVD), this wasn't a problem there.

I expect your system does not have this partition. You only get it on certain kinds of clean installs.

deepxw said... January 17, 2009 8:47 PM  

My Win7 is on a virtual machine. It also has a hidden 200MB recovery partition.
After I replace tcpip.sys, the system does not prompt the repair window at boot time.
Everything seems to have no problem.

I recorded a video and uploaded it here:
http://www.rayfile.com/files/384892f3-e493-11dd-9f9e-0014221b798a/

Anonymous said... January 18, 2009 4:53 AM  

Wow, that's really interesting. I wonder what the other variable is then, since the crazy thing was very persistent here. I imagine it might actually be useful in most normal cases where a system has an actual corrupt file(s), but not in this case. I'll try it on another system once I get it going.

Do you bother to replace the two files in Winsxs too? I did, but maybe I shouldn't have.

On an unrelated note, I didn't know VMWare had a recording function. That's great, and it's tempting to switch to it now.

deepxw said... January 18, 2009 11:45 AM  

I just replaced one file in \drivers.
You can try to restore the two files in winsxs.

Yes, VMWare has a recording function.
When recording in Windows, the video quality is good.
But when recording at boot time, the video quality is bad.

Anonymous said... January 21, 2009 8:18 AM  

Hi Deepxw

Thanks for all your suggestions - replacing the tcpip.sys will be really good! But I don't quite get your instructions - I'm new to W7 and wondered if you can elaborate a little more in how to do it - or create another video exactly with step-by-step instructions - your video you have already uploaded is excellent!

Thanks in advance...

deepxw said... January 21, 2009 10:37 AM  

Thanks for your suggestion!

I have to create a tcpip.sys File Patch; it will be available some time later.

Anonymous said... January 21, 2009 5:11 PM  

Fantastic! My P2P progs aren't working properly so I can't see the football!!

Cheers!

Anonymous said... August 29, 2009 9:54 AM  

Hello, can you make it clearer so I can understand clearly? Sorry for my bad English.

Copyright 2009 deepxw | TCP-Z, Best TCP/IP Patch