Patches for Vista SP2 RTM build 18005

 Universal Theme Patcher Open Source Now! 

Because I will have no free time to update these patches for a few months, I plan to open the source code of the "Universal Theme Patcher".

The source code includes a console program that demonstrates the patch engine.
You can migrate it to your own project freely.
In your final tool, adding a link to deepxw is recommended.

Source code link:

XPize and Vize are well-known third-party themes for Windows. They will try to use this patch engine.
Posted by deepxw at 00:46   |   244 comments

 My blog will be frozen for the next few months 

I cannot reply to all comments; I would like to say sorry to those friends who have written a message here.

1) Blogger has been blocked by FW. It is very difficult for me to open the site, even if I use a proxy.

2) I am preparing for an exam, so I do not have much free time.
Posted by deepxw at 00:25   |   112 comments

 Sign PE file with certificate by programming 

Someone needs this function, so I post it.

First, you need to create a *.cer and a *.pvk with makecert.exe.

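#include <windows.h>
#include <wincrypt.h>
#include <cryptuiapi.h>

#pragma comment (lib, "Cryptui.lib")

// Function: SignFile
// Purpose: Sign PE file with certificate. (*.pvk and *.cer)
// Arguments:
//   pszExeFile  [in] The PE file name.
//   pszPvkFile  [in] The private key file name. (*.pvk)
//   pszCertFile [in] The certificate file name. (*.cer, *.spc)
// Returns:
//   If success, return TRUE.
// Notes:
//   The CRYPTUI_* structures take wide strings, so build with UNICODE defined.
// Last modified: 2009.01.20

BOOL SignFile(LPTSTR pszExeFile, LPTSTR pszPvkFile, LPTSTR pszCertFile)
{
    BOOL bResult;
    CRYPTUI_WIZ_DIGITAL_SIGN_INFO signInfo;
    CRYPTUI_WIZ_DIGITAL_SIGN_CERT_PVK_INFO pvkInfo;
    CRYPTUI_WIZ_DIGITAL_SIGN_PVK_FILE_INFO pvkFileInfo;

    ZeroMemory(&signInfo, sizeof(signInfo));
    ZeroMemory(&pvkInfo, sizeof(pvkInfo));
    ZeroMemory(&pvkFileInfo, sizeof(pvkFileInfo));

    // Private key file (*.pvk)
    pvkFileInfo.dwSize = sizeof(CRYPTUI_WIZ_DIGITAL_SIGN_PVK_FILE_INFO);
    pvkFileInfo.pwszPvkFileName = pszPvkFile;
    pvkFileInfo.pwszProvName = NULL;
    pvkFileInfo.dwProvType = PROV_RSA_FULL;

    // Signing certificate, paired with the private key file above
    pvkInfo.dwSize = sizeof(CRYPTUI_WIZ_DIGITAL_SIGN_CERT_PVK_INFO);
    pvkInfo.pwszSigningCertFileName = pszCertFile;
    pvkInfo.dwPvkChoice = CRYPTUI_WIZ_DIGITAL_SIGN_PVK_FILE;
    pvkInfo.pPvkFileInfo = &pvkFileInfo;

    // What to sign and how
    signInfo.dwSize = sizeof(CRYPTUI_WIZ_DIGITAL_SIGN_INFO);
    signInfo.dwSubjectChoice = CRYPTUI_WIZ_DIGITAL_SIGN_SUBJECT_FILE;
    signInfo.pwszFileName = pszExeFile;
    signInfo.dwSigningCertChoice = CRYPTUI_WIZ_DIGITAL_SIGN_PVK;
    signInfo.pSigningCertPvkInfo = &pvkInfo;
    signInfo.pwszTimestampURL = NULL;   // no timestamp is requested
    signInfo.dwAdditionalCertChoice = CRYPTUI_WIZ_DIGITAL_SIGN_ADD_CHAIN;
    signInfo.pSignExtInfo = NULL;

    // Sign without showing the wizard UI
    bResult = CryptUIWizDigitalSign(CRYPTUI_WIZ_NO_UI, NULL, NULL, &signInfo, NULL);

    return bResult;

} // SignFile()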
Posted by deepxw at 00:15   |   61 comments

 How To Remove Watermark By Programming 

Some friends asked me how to remove the watermark by programming, so I have posted a demo to Google Code. You can find the source code at

Main steps:
1) Load user32.dll.mui into memory with the LoadLibraryEx() API.
2) Find the string table with FindResourceEx(), and load it with LoadResource() and LockResource().
3) Look up the watermark string in the string table to get its virtual address and length, then calculate the string's offset from the module base address; this gives the file offset.
4) Map the file into memory and simply zero the watermark string. To keep the procedure simple, the simplest method is used.
5) Finally, recompute the file's checksum.

OK, all done.

Code snippet:

// Load string from resource with special langID.
// PRES_STRING_INFO and MALLOC are defined elsewhere in the project.
BOOL LoadStringExx(
    HINSTANCE hInst,          // Hinstance of lib
    WORD wLangID,             // Language ID of resource
    PRES_STRING_INFO pInfo    // Pointer to the string info
    )
{
    HRSRC hFindRes;     // Handle of the resource that has been found
    HGLOBAL hLoadRes;   // Handle of the resource that has been loaded
    LPVOID pRes;        // Pointer to the resource
    UINT nBlockID;      // String block ID

    pInfo->dwFileOffset = 0;    // String offset in the file
    pInfo->dwBytes = 0;         // String length, in bytes
    pInfo->pszText = NULL;

    nBlockID = pInfo->uStringID / 16 + 1;

    // find the string block; each step runs only if the previous one succeeded
    hFindRes = FindResourceEx(hInst, RT_STRING, MAKEINTRESOURCE(nBlockID), wLangID);
    hLoadRes = hFindRes ? LoadResource(hInst, hFindRes) : NULL;
    pRes = hLoadRes ? LockResource(hLoadRes) : NULL;

    if (pRes)
    {
        WCHAR* pParse = (WCHAR *)pRes;          // Pointer to the String block
        UINT nIndex = pInfo->uStringID % 16;    // Calculate the string index
        UINT i;
        int nLen;

        // 16 strings per block, each prefixed by its length in WCHARs
        for (i = 0; i < (nIndex & 15); i++)
            pParse += 1 + (int)*pParse;

        // OK, we get it
        nLen = (UINT)*pParse;   // The length of the target string.
        pParse += 1;            // Pointer to the target string

        // Main point, calculate the string offset.
        // The +1 matches a module handle whose low bit is set, as returned
        // for a module loaded as a data file (assumption about the caller).
        pInfo->dwFileOffset = (DWORD) ( (DWORD_PTR)pParse - (DWORD_PTR)hInst ) + 1;
        pInfo->dwBytes = nLen * sizeof(WCHAR);

        // allocate memory
        pInfo->pszText = (LPWSTR)MALLOC((nLen + 1) * sizeof(WCHAR));
        if (pInfo->pszText)
        {
            // copy string for return, then terminate it
            CopyMemory((LPVOID)pInfo->pszText, (LPVOID)pParse, pInfo->dwBytes);
            *(PWCHAR)((DWORD_PTR)pInfo->pszText + pInfo->dwBytes) = 0;
        }
    }

    // Clean up: resources obtained with LoadResource()/LockResource()
    // do not need to be unlocked or freed in Win32.

    // if pointer is null, we return a NULL string
    if (!pInfo->pszText)
    {
        pInfo->pszText = (LPWSTR)MALLOC(sizeof(WCHAR));
        if (!pInfo->pszText)
            return FALSE;   // out of memory, nothing to return
        pInfo->pszText[0] = 0;
    }

    return TRUE;

} // LoadStringExx()
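The string-block layout that LoadStringExx() walks (16 length-prefixed UTF-16 strings per RT_STRING block), shown as an added example that is not part of the original post or the author's project: a portable C lookup that checks every length prefix against the block size, so a truncated or corrupted block is rejected. The names find_string_in_block, block_id_for and SAMPLE_BLOCK and the string ID 723 are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

enum { STR_OK = 0, STR_TRUNCATED = -1, STR_EMPTY = -2 };

/* Constructed sample block: index 1 = "Hi", index 3 = "Test", the rest empty. */
static const uint8_t SAMPLE_BLOCK[44] = {
    0,0,  2,0,'H',0,'i',0,  0,0,  4,0,'T',0,'e',0,'s',0,'t',0
};  /* the 12 remaining entries are zero-length (bytes default to 0) */

/* Read one little-endian 16-bit unit, as stored in a PE resource section. */
static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }

/* Block ID holding a string ID: 16 strings per block, block IDs start at 1. */
static unsigned block_id_for(unsigned string_id) { return string_id / 16 + 1; }

/* Locate string_id inside one block of `size` bytes. On success stores the
 * byte offset of its first character (from the block start) and its length
 * in bytes. Invariant: pos <= size, so the subtractions cannot wrap. */
static int find_string_in_block(const uint8_t *block, size_t size,
                                unsigned string_id, size_t *offset, size_t *bytes)
{
    size_t pos = 0;
    unsigned index = string_id % 16;
    for (unsigned i = 0; i <= index; i++) {
        if (size - pos < 2)
            return STR_TRUNCATED;               /* no room for a length prefix */
        size_t len = (size_t)rd16(block + pos) * 2;  /* prefix counts WCHARs */
        pos += 2;
        if (len > size - pos)
            return STR_TRUNCATED;               /* string runs past the block */
        if (i == index) {
            if (len == 0)
                return STR_EMPTY;               /* ID not present in this block */
            *offset = pos;
            *bytes = len;
            return STR_OK;
        }
        pos += len;                             /* skip to the next entry */
    }
    return STR_TRUNCATED;                       /* not reached */
}

int main(void)
{
    size_t off = 0, len = 0;
    int rc = find_string_in_block(SAMPLE_BLOCK, sizeof SAMPLE_BLOCK, 723, &off, &len);
    printf("block %u rc=%d offset=%zu bytes=%zu\n", block_id_for(723), rc, off, len);
    return rc == STR_OK ? 0 : 1;
}
```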
Posted by deepxw at 00:10   |   71 comments

 Say Bye To Half-open TCP Connections Limit In Vista/2008 SP2 

Good news from Microsoft!

On May 6, 2009, in this article, Microsoft confirmed that:
By default, the half-open TCP connections limit is disabled in Windows Server 2008 with Service Pack 2 (SP2) and in Windows Vista with Service Pack 2 (SP2). 

Thanks to this, the doubts I had about RateLimit a long time ago have been resolved by Microsoft's answer.

Last year, I found a case. In Vista, I could simply modify the value "TcpCreateAndConnectTcbRateLimitDepth" from 1 to 0 in kernel memory, and the half-open TCP connections limit was removed immediately!
But I was not sure whether this is a safe method, so in TCP-Z this function has never been active. TCP-Z only shows this value.

After Vista 16670 and Windows 7 6956, Microsoft strangely set TcpCreateAndConnectTcbRateLimitDepth to 0 by default.
Later versions of TCP-Z show a lock icon to distinguish this difference.

Now Microsoft answers: it's safe! And it provides a simple way to change the setting through the registry.
When you add the registry entry "EnableConnectionRateLimiting" and set it to 1 or 0, TcpCreateAndConnectTcbRateLimitDepth switches between 1 and 0 in sync.
You can see the changes in the graph of TCP-Z.
After TcpCreateAndConnectTcbRateLimitDepth changes to 1, Windows calculates the connection creation rate and enforces the limit. In testing you can see the value is limited to 11.

This registry entry only works in Windows Server 2008 with SP2 / Windows Vista with SP2 / Windows 7.

It is time for me to retire!

Full article in

How to enable the half-open TCP connections limit in Windows Vista with Service Pack 2 and in Windows Server 2008 with Service Pack 2


By default, the half-open TCP connections limit is disabled in Windows Server 2008 with Service Pack 2 (SP2) and in Windows Vista with Service Pack 2 (SP2). This article describes how to impose the half-open TCP connections limit in Windows Server 2008 with SP2 and in Windows Vista with SP2. The limit is ten connections.

Note In Windows Server 2008 and in Windows Vista with Service Pack 1 (SP1), the system allows for a maximum of ten half-open TCP connections at any time.


How to enable the half-open TCP connections limit

Important This section, method, or task contains steps that tell you how to modify the registry. However, serious problems might occur if you modify the registry incorrectly. Therefore, make sure that you follow these steps carefully. For added protection, back up the registry before you modify it. Then, you can restore the registry if a problem occurs. For more information about how to back up and restore the registry, click the following article number to view the article in the Microsoft Knowledge Base:

322756 How to back up and restore the registry in Windows

To enable the half-open TCP connections limit in Windows Server 2008 with SP2 or in Windows Vista with SP2, set the value of the EnableConnectionRateLimiting DWORD registry entry to 1 (0x00000001).

To do this, follow these steps:

1) Click Start, type regedit in the Start Search box, and then click regedit.exe in the Programs list.

If you are prompted for an administrator password or for confirmation, type your password, or click Continue.

2) Locate and then double-click the following registry key:

3) In the Value data box, type 1, and then click OK.

4) Exit Registry Editor.
5) Restart the computer.

Comment by deepxw: In fact, there is no need to restart the computer.
Posted by deepxw at 20:48   |   644 comments

 Remote Desktop Test In Windows 2008 STD 

OS: Windows Server 2008 standard edition, with SP1.

By default, 2k8 std only allows 2 active users.
Administrator logs in at the console, and user t2 logs in by RDP.
When user t1 tries to log in to 2k8, Windows prompts that you need to disconnect one of t2/administrator. After t1 logs in, t2 is kicked off.

Fortunately, the "Universal Termsrv.dll Patch" still works under Windows 2008.
After patching the file Termsrv.dll, it allows 7 users to be logged in and active at the same time.

Thanks to the help of Elias Hantzakos, I was able to complete this test.
Posted by deepxw at 21:44   |   67 comments

 Patches for Vista SP2 RTM build 18005 

File version: 6.0.6002.18005 (lh_sp2rtm.090410-1830), 32bit(x86) & 64bit(x64).

Universal Theme Patcher, V1.5, works;
Universal Tcpip.sys Patch, V1.2.0.12 works;
Universal Termsrv.dll Patch V1.0b, works;
TCP-Z, V2.6.2.75, works.

Go to download page ...


All the patches I wrote are universal!

This patch is not a normal patch: it has a little intelligence and is able to find the correct offset by signature. So this patch can work for many versions of the system files, even future ones.

In most cases, this type of patch does not need to be upgraded when Microsoft releases an update.
If the patch shows the Patched Status of the file as No/Yes, it means the patch can work!
On the other hand, "Unknown" means it can't work.
Posted by deepxw at 12:32   |   284 comments
