
Windows 7 still can't install ESU security rollups while NTVDMx64 is installed #128

Closed
AngryDavid808 opened this issue Apr 12, 2021 · 15 comments

Comments

@AngryDavid808

Hello, leecher1337, love your project and effort, hope you're safe and good.
I regret to inform you that the Windows 7 Update problem I told you about before last year is still present and I still can't update Windows 7 while NTVDMx64 is installed. Hope you can find a workaround for this issue. If you need any more details, please hit me with a message and thank you in advance.

Regards
David

@AngryDavid808
Author

@leecher1337 😊😊

@leecher1337
Owner

The issue is known, the ticket is still open, but I fear there is no way to fix it. The update process needs to replace conhost.exe, but it seems conhost.exe cannot be replaced (for reasons that are unknown) if the loader is running inside it.
Checking for a running update via registry doesn't seem to help as you may have experienced.
However, it's just a minor issue, it can easily be worked around by uninstalling ntvdmx64, updating Windows and then reinstalling it. Given the fact that there aren't so many updates that replace conhost.exe, I see this as a relatively low priority issue.

@AngryDavid808
Author

AngryDavid808 commented May 14, 2021

Very understandable, sir. I still appreciate your effort. Maybe you could try making the program read some sort of variable that indicates that Windows is updating, and once the variable is at a certain value, it'd end itself and not run for the time being. Just a thought.

@leecher1337
Owner

The easiest way to be on the safe side, to just temporarily disable the loader without having to remove NTVDMx64, would be to remove it just from the AppInit_DLLs key and then reboot.
If it just gets disabled during runtime, so that it doesn't inject into new processes, it may not be enough.
The fastest way to temporarily disable it would be to rename ldntvdm.dll in the AppInit_DLLs value of the following registry paths to some wrong filename (i.e. ldntvdm2.dll):

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Windows

Then reboot and the loader shouldn't get loaded.
Then after the update is done, rename it back to ldntvdm.dll, maybe reboot again and you are done.

You can extract the following 2 sections of install.bat and create 2 .bat files to enable and disable it with just a mouseclick to make it even easier:

add-appinit.cmd

@echo off
Setlocal EnableDelayedExpansion
rem Read the current AppInit_DLLs value (64-bit view) and append ldntvdm.dll only if it is not already listed
set AppInit=
for /F "skip=2 tokens=2*" %%r in ('reg query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows" /v AppInit_DLLs') do set AppInit=%AppInit%%%s
echo %AppInit% | findstr /I /C:ldntvdm.dll >nul
if errorlevel 1 reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows" /v AppInit_DLLs /f /d "%AppInit% ldntvdm.dll"
rem Same for the 32-bit (WOW6432Node) view of the key
set AppInit=
for /F "skip=2 tokens=2*" %%r in ('reg query "HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Windows" /v AppInit_DLLs') do set AppInit=%AppInit%%%s
echo %AppInit% | findstr /I /C:ldntvdm.dll >nul
if errorlevel 1 reg add "HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Windows" /v AppInit_DLLs /f /d "%AppInit% ldntvdm.dll"
set AppInit=

del-appinit.cmd

@echo off
Setlocal EnableDelayedExpansion
rem Rebuild the AppInit_DLLs value (64-bit view) from its current tokens, leaving out ldntvdm.dll
set AppInit=
for /F "skip=2 tokens=2*" %%r in ('reg query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows" /v AppInit_DLLs') do (
  for %%t in (%%s) do if /I not "%%t"=="ldntvdm.dll" set AppInit=!AppInit!%%t 
)
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows" /v AppInit_DLLs /f /d "%AppInit%"
rem Same for the 32-bit (WOW6432Node) view; the write-back was missing here in the original excerpt
set AppInit=
for /F "skip=2 tokens=2*" %%r in ('reg query "HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Windows" /v AppInit_DLLs') do (
  for %%t in (%%s) do if /I not "%%t"=="ldntvdm.dll" set AppInit=!AppInit!%%t 
)
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Windows" /v AppInit_DLLs /f /d "%AppInit%"
set AppInit=

The reason why this cannot be done with just a simple .reg file is that you may have other AppInit_DLLs and these would be overwritten if you just make a .reg file that overwrites the AppInit_DLLs key.

@AngryDavid808
Author

AngryDavid808 commented May 14, 2021

I completely understand. So, if I get it right, I should first execute the add_appinit.cmd file, reboot, update, and then execute del_appinit.cmd at the end. Correct me if I'm wrong. Also, believe me, that's less trouble than having to uninstall the program and then reinstall it again. Many thanks for the help.

@leecher1337
Owner

Wrong way round... you want to DEL appinit (DISable it), then reboot, install the update, and after you are done ADD appinit again (as you want to ENable it).

@AngryDavid808
Author

Okay, thank you for the correction. The code itself kinda got me confused, sorry for the mix-up. In any case, I hope for the best of this amazing project, there're more critical bugs that need to be taken care of, I'm sure.

@AngryDavid808
Author

AngryDavid808 commented May 20, 2021

Okay, I found out about something interesting just now.
I was messing around with Autoruns, a program that is a part of the SysInternals Suite, doing simple stuff, changing startup settings, all that, when I decided to look up ldntvdm.dll (since I saw an AppInit entry and since ldntvdm.dll hooks into csrss.exe as you say upon startup, correct me if I'm wrong) and sure enough, it popped up!

My thought is that maybe I can just deactivate the dll from that program as an alternative way of preventing it from hooking into csrss.exe and locking it, causing updates to fail, instead of doing the same thing with batch files. Just thought it'd be nice to share what I found out about here.

[attached screenshot: 20210520_032326.jpg]

@leecher1337
Owner

You can also use Autoruns to deactivate it, if you prefer, sure :-)
What is interesting is that you say it's the hook in CSRSS.EXE that does the blocking? I thought it may be the hooking of conhost.exe, as it always fails when trying to replace conhost.exe.
Did you do some analysis leading to csrss.exe?

@AngryDavid808
Author

AngryDavid808 commented May 20, 2021

No. The program never specified which exe it's locking, I don't know, you told me which executable it locked. My bad. Sorry. You verified that the exe it's locking is conhost.exe, not csrss.exe.

EDIT: Checked back on Autoruns to find anything useful about ldntvdm.dll other than deactivating it, nothing really useful so far. Again, really sorry for the confusion, maybe my phrasing was a bit bad or misleading. 😇

@leecher1337
Owner

leecher1337 commented May 24, 2021

Just as a note for myself regarding this bug:
poqexec.log

1d63bd8670f322a: 0, 0, 0, 0, StartTime ;
1d63bd8673ecdaf: 0, 0, 0, 0, EndTime ;
1d68534d263459f: 0, 0, 0, 0, StartTime ;
1d68534d51a576f: 0, 0, 0, 0, EndTime ;
1d685356bbf08bd: 0, 0, 0, 0, StartTime ;
1d685356cbb5a9a: 0, 0, 0, 0, EndTime ;
1d68535a84688a1: 0, 0, 0, 0, StartTime ;
1d68535a8d09871: 0, 0, 0, 0, EndTime ;
1d68537ae995df3: 0, 0, 0, 0, StartTime ;
1d68537ae995df3: 74c, c0000043, 2a2, 0, HardLinkFile ;\SystemRoot\WinSxS\amd64_microsoft-windows-consolehost_31bf3856ad364e35_6.1.7601.24559_none_d2e4e50f31f32df1\conhost.exe, \??\C:\Windows\System32\conhost.exe
1d68537b2518460: 0, 0, 0, 0, InterferingProcess ; \Device\HarddiskVolume2\Windows\System32\wininit.exe
1d68537b2518460: 0, 0, 0, 0, InterferingProcess ; \Device\HarddiskVolume2\Windows\System32\winlogon.exe
1d68537b2518460: 0, 0, 0, 0, InterferingProcess ; \Device\HarddiskVolume2\Windows\System32\services.exe
1d68537b2518460: 0, 0, 0, 0, InterferingProcess ; \Device\HarddiskVolume2\Windows\System32\svchost.exe
1d68537b2518460: 0, 0, 0, 0, InterferingProcess ; \Device\HarddiskVolume2\Windows\System32\svchost.exe
1d68537b2518460: 0, 0, 0, 0, InterferingProcess ; \Device\HarddiskVolume2\Windows\System32\SearchIndexer.exe
1d68537b2518460: 0, 0, 0, 0, EndTime ;
1d68537cb9b7c37: 0, 0, 0, 0, StartTime ;

It seems that once a process opens a subprocess that uses conhost (i.e. starts cmd.exe), the loader opens a handle to conhost.exe in the parent process which never gets closed.

leecher1337 added a commit that referenced this issue May 24, 2021
…ates failing. #95 #131 #128

Loader now enforces ConhostV1 for all users so that NTVDM works for all users in system.

@leecher1337
Owner

No feedback given by user, assuming fix worked.

@AngryDavid808
Author

I'll test the fix out as soon as possible. Sorry for the delay, I was a bit busy lately. 🤝❤

@leecher1337
Owner

Feel free to reopen the issue should there still be any problems (which I doubt).

@AngryDavid808
Author

Sorry for the very long delay. Just verified that your fix finally works, I no longer have to deactivate NTVDM to install updates. Thank you, leecher1337, I highly appreciate your effort. Keep it up! ✌❤❤
