Q891711 + U891711 = Unofficial MS07-017 + MS05-002 .ANI fix

128 replies to this topic

#51
MDGx

eidenk:

The answer from the author:

'eidenk' wrote:

Unfortunately I did not make note of them but I will run the patch again
and will post them if those occasional GDI crashes arise again.

If I understand you well, the GDI resources are exclusively 16bits. Have
you got any knowledge of the 32bits part of the resources, which may not
be GDI but USER and SYSTEM. I understand that the 32bits resources are of
an arbitrary size far below their theoretical limit unlike 16bits ones and
that it should be eventually possible to set a larger amount of memory for
them quite easily for someone who's got the knowledge of those inner
workings.

--

TWEAKUI.CPL has a setting that turns on 'fault logging' - very useful for
that. I also start DrWatson.exe at boot-up time whenever I use Win98SE
(occasionally these days, it is mostly WinXP SP2 now).

Unfortunately, the answer is: not possible. GDI resources are from a
"combined" 16-bit and 32-bit heap in the GDI data segment. The 16-bit heap
is the real bottleneck. It is the same situation with USER resources, it
is just a different 16-bit/32-bit heap in the USER data segment. The level
of system resources is the lower value of either GDI or USER resources,
but not another heap.


Edited by MDGx, 16 December 2005 - 10:37 PM.




#52
mamas6667

I've tried the official one old and new
Tihiy's TI891711
and now U891711
I'm sure U891711 is better than MSN's
But it still slows my system down (less responsive).
I think it is the fact that KB891711.exe is running as a service (always)

Tihiy's TI891711 doesn't run KB891711.exe upon bootup.

So I will continue to use Tihiy's TI891711, I'm a gamer and I need the resources.

PIII 450MHz 256MB
WIN 98SE, sesp21a-en.exe, 98SE2ME.EXE(ver 3.7), TI891711, 98KRNLUP.EXE

#53
erpdude8


I've tried the official one old and new
Tihiy's TI891711
and now U891711
I'm sure U891711 is better than MSN's
But it still slows my system down (less responsive).
I think it is the fact that KB891711.exe is running as a service (always)

Tihiy's TI891711 doesn't run KB891711.exe upon bootup.

So I will continue to use Tihiy's TI891711, I'm a gamer and I need the resources.


True that TI891711 doesn't load at startup, but TI891711 has weaker protection than U891711.

Quote from author of U891711:

----
"Tihiy's TI891711 is a nice piece of work, but, unfortunately, is no real
replacement since it offers only limited protection. 16-bit programs
including USER.EXE (!) can load animated cursor files, etc, and they
bypass TI891711.DLL completely, that is, there is zero protection."
----

The U891711 patch only slowed down my Win98 & ME computers slightly. So I didn't
notice much of a performance drop with U891711.

#54
erpdude8


The U891711 patch only slowed down my Win98 & ME computers slightly. So I didn't
notice much of a performance drop with U891711.


the w98 machine I used was a pentium one [100 mhz] w/ 64 megs of ram
and the ME machine was a pentium 3 [766mhz] w/ 256 megs of ram

this was assuming I did NOT have any antivirus software installed or loaded at startup.
firewall & antivirus utilities gobble up more resources than U891711

Edited by erpdude8, 12 December 2005 - 01:23 PM.


#55
mamas6667

Sorry to insist on using Tihiy's TI891711 patch, but playing online games(tactical ops, unreal tournament, etc..) I did notice a significant performance drop with U891711 and MSN was worst.
Also windows reaction time is slower, startup too.

The question now is what security risk am I in using TI891711 patch (will i get infected with viri)
"bypass TI891711.DLL completely, that is, there is zero protection."

PLS explain further, if u find some time!

#56
MDGx


Sorry to insist on using Tihiy's TI891711 patch, but playing online games(tactical ops, unreal tournament, etc..) I did notice a significant performance drop with U891711 and MSN was worst.
Also windows reaction time is slower, startup too.

The question now is what security risk am I in using TI891711 patch (will i get infected with viri)
"bypass TI891711.DLL completely, that is, there is zero protection."

PLS explain further, if u find some time!

The difference between U891711 and Tihiy's TI891711 patch is explained in U891711.TXT [see "AUTHOR'S NOTES" = NOTE #1]:
http://www.mdgx.com/files/U891711.TXT

Hope this helps.

#57
Acheron

Sorry I haven't tested this fix yet, but I have an important question.

Can anyone tell if KB891711.exe shows up in the Task list after pressing CTRL-ALT-DEL, using this patch?

It's important for me to have it hidden, so people won't kill it accidentally and get BSODs.
Say no to bloatware. Download Nero Lite!

#58
bristols


Can anyone tell if KB891711.exe shows up in the Task list after pressing CTRL-ALT-DEL, using this patch?


Nope, it doesn't show up in the Windows Task List window. :)

#59
eidenk


DEMO
Proof-of-concept example demo of malformed animated cursor [.ANI] using 'LoadImage':
http://www.xfocus.net/flashsky/icoExp/
This applies *only* to Microsoft Internet Explorer 5.5 SP2 and newer:
http://www.mdgx.com/toy.htm#IEX
First try demo above without any update/patch/fix installed.
Then install official MS05-002 fix, reboot, and try the demo again.
Then install unofficial U891711 fix, reboot, and try the demo again.
Please notice differences in behavior between these 2 fixes.

http://www.mdgx.com/files/U891711.TXT

Can someone please explain what exactly the vulnerability is? As clicking on any of the flashsky links with IE 5.5SP2 on WinME and without a patch running does not make me feel vulnerable to anything, really. If clicking on one of the links would, say, launch Notepad, I'd be scared.
Asus A8V Deluxe - Athlon 64 FX-55 2.6Ghz - 1GB DDRAM 400 - Windows ME (IE 5.5 SP2 Shell) + KernelEx 4.0 and Revolutions Pack 10

#60
PsycoUnc

-yes, I'd like a better demo, as well... it's a bit confusing to me, too...
(-there was one other test website, which was able to freeze up every Firefox window, with 100% cpu... which was annoying, but not a security threat...) ?

#61
erpdude8


Can anyone tell if KB891711.exe shows up in the Task list after pressing CTRL-ALT-DEL, using this patch?


Nope, it doesn't show up in the Windows Task List window. :)


and it never does show up in the Close Program dialog box when pressing [Ctrl]+[Alt]+[Del].
you will need a utility like EndItAll (mentioned by the author of U891711) to safely shut down KB891711.exe (by selecting the Close option in EndItAll, not the Kill option)
using Coolkill, WinKill or Process Explorer to "kill" KB891711.exe will result in a BSOD.

#62
MDGx

More details from the author of U891711:

I noticed the discussion on TI891711.EXE the other day. There are more issues with Tihiy's patch than the one I pointed out originally.
I examined TI891711.DLL and the hex-patched USER32.DLL very closely before I came to the conclusion that TI891711.EXE was a neat piece of work, but most definitely not a solution. Modifying KB891711.EXE (and Q891711.DLL) was the only way forward.

(1) It is possible to add another code segment to USER.EXE and move essential code from KB891711.EXE to this segment to avoid the very small performance penalty from KB891711.EXE running all the time. However, it would have to be done individually for all versions (1998, 2000, 2001, 2222-2231, 3000, 3001 - did I miss one?) and also all languages. I certainly lack the time for that.

(2) Tihiy's hex-patched USER32.DLL is for Win98SE only and has at least two bugs. One of the bugs is very serious - the relocation table is faulty, for example, b/c of missing entries for

BFC04DF4: 68 AC D5 C0 BF push BFC0D5AC

and so forth.

(3) To determine whether a file is malformed or not, just integer values have to be checked. TI891711.DLL uses a large number of (much slower) floating-point instructions almost exclusively. I was unable to figure out why.

(4) No protection from TI891711.DLL for 16-bit applications.

(5) A 32-bit application could call 'LoadImage' in USER.EXE directly through a procedure called thunking and so bypass TI891711.DLL, but this is an extremely unlikely scenario.

(6) No protection from TI891711.DLL, for example, when a 32-bit program uses 'LoadCursorFromFileA' in USER32.DLL.

(7) Functionality has been removed from the patched USER32.DLL 4.10.2231. IMO, this should not be done w/o a README.TXT file that explains it.
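
Added example (not part of the thread, and not code from U891711 or TI891711): point (3) in the post above says integer comparisons are enough to tell a malformed file from a good one, and this validator does that for the RIFF/ACON container of an .ANI file. The specific rules (an anih chunk of exactly 36 bytes, cbSize of 36, non-zero frame and step counts, exactly one anih chunk, every chunk size inside the file) are assumptions drawn from the published ANI layout, and the sample files are constructed.

```python
import struct

ANIHEADER_SIZE = 36  # nine little-endian DWORDs: cbSize, nFrames, nSteps, ...

def check_ani(data: bytes) -> list:
    """Integer-only sanity checks on an ANI (RIFF/ACON) file; [] means clean."""
    if len(data) < 12 or data[:4] != b"RIFF" or data[8:12] != b"ACON":
        return ["not a RIFF/ACON animated cursor"]
    findings = []
    riff_size = struct.unpack_from("<I", data, 4)[0]
    if riff_size + 8 > len(data):
        findings.append("RIFF size field exceeds file length")
    end = min(len(data), riff_size + 8)
    pos, anih_seen = 12, 0
    while pos + 8 <= end:
        tag, size = struct.unpack_from("<4sI", data, pos)
        body = pos + 8
        if size > end - body:
            findings.append(f"{tag!r} at offset {pos}: size {size} runs past end of data")
            break
        if tag == b"LIST" and size >= 4:
            pos = body + 4  # step inside the list so nested chunks are walked too
            continue
        if tag == b"anih":
            anih_seen += 1
            if size != ANIHEADER_SIZE:
                findings.append(f"anih at offset {pos}: chunk size {size}, expected 36")
            else:
                cb_size, n_frames, n_steps = struct.unpack_from("<3I", data, body)
                if cb_size != ANIHEADER_SIZE:
                    findings.append(f"anih at offset {pos}: cbSize {cb_size}, expected 36")
                if n_frames == 0 or n_steps == 0:
                    findings.append(f"anih at offset {pos}: zero frame or step count")
        pos = body + size + (size & 1)  # RIFF chunks are padded to even length
    if anih_seen != 1:
        findings.append(f"{anih_seen} anih chunks, expected exactly 1")
    return findings

def chunk(tag: bytes, body: bytes) -> bytes:
    return tag + struct.pack("<I", len(body)) + body + b"\x00" * (len(body) & 1)

def riff_acon(*chunks: bytes) -> bytes:
    payload = b"ACON" + b"".join(chunks)
    return b"RIFF" + struct.pack("<I", len(payload)) + payload

# Constructed samples (not real cursor files): header fields plus dummy frame bytes.
HDR = struct.pack("<9I", 36, 1, 1, 0, 0, 0, 0, 10, 1)
GOOD = riff_acon(chunk(b"anih", HDR), chunk(b"LIST", b"fram" + chunk(b"icon", bytes(16))))
SHORT = riff_acon(chunk(b"anih", HDR[:32]))  # header chunk with the wrong length

if __name__ == "__main__":
    for name, sample in (("GOOD", GOOD), ("SHORT", SHORT)):
        print(name, check_ani(sample) or "ok")
```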



#63
MDGx

 

Edited by MDGx, 14 February 2006 - 01:35 AM.


#64
Petr


U891711 Patch updated 1-5-2006:

KB891711.EXE 4.10.2224 appeared to be causing some performance degradation on
an older PC using Windows 98 SE.
Therefore KB891711.EXE was updated to use fixed GlobalMemory instead of movable GlobalMemory. This appears to improve things.

Please see top of this topic to download and install updated patch:
http://www.msfn.org/...showtopic=58780


It is bad that there are two different KB891711.EXE 4.10.2224 files with the same size and date.

Petr

#65
MDGx


U891711 Patch updated 1-5-2006:

KB891711.EXE 4.10.2224 appeared to be causing some performance degradation on
an older PC using Windows 98 SE.
Therefore KB891711.EXE was updated to use fixed GlobalMemory instead of movable GlobalMemory. This appears to improve things.

Please see top of this topic to download and install updated patch:
http://www.msfn.org/...showtopic=58780


It is bad that there are two different KB891711.EXE 4.10.2224 files with the same size and date.

Petr

I thought of that too, but I tested the updated patch with the newer file and installed it over the older one, and it installed OK under Win98 SE + ME.

Hope this helps.

#66
erpdude8

I'll try out the newly released U891711 patch as soon as I can get it. I'll let you know how well it did on the computers that I've tested.

#67
MDGx

U891711 Patch updated 2-14-2006:
When KB891711.EXE starts it registers itself as a Service Process and patches
USER.EXE. When a user logs off it stays on as a service process, but unpatches
USER.EXE and does not patch USER.EXE again when the same or another user logs
on. This means KB891711.EXE no longer provides protection.
Therefore KB891711.EXE was updated to build 4.10.2225 to fix this.
DrWatson can be used to reproduce this issue and verify that the fix works. It
lists USER.EXE as patched if there is protection from KB891711.EXE.
Please see top of this topic to download and install updated patch:
http://www.msfn.org/...showtopic=58780

Edited by MDGx, 14 February 2006 - 01:40 AM.


#68
erpdude8

new U891711 patch has KB891711.exe 4.10.2225 but dated 10/4/2005 with time 10:25pm

THAT AIN'T GOOD ENOUGH! Microsoft can do a much better job modding system files by
changing BOTH the date and time (and version number). At least MS wants to make it
easier for Windows users to distinguish between older and newer system files by changing
the version number, the date and time. The anonymous author of U891711 should make attempts at doing what MS does with modding system files.

I've just submitted changes to the KB891711.exe file to MDGx; corrected date to 2/11/2006
but still with 10:25pm as the time.

See here (my post from an older topic about kb891711):

Microsoft kb891711 for Windows 98/ME [version 1] had
Kb891711.exe ver. 4.10.2222 dated 2/22/2005, 6:07pm
Q891711.dll ver. 4.10.2222 dated 2/18/2005, 9:53am
<this one was known to cause problems on some W98/ME machines>

Microsoft kb891711 for Windows 98/ME [version 2] had
Kb891711.exe ver. 4.10.2223 dated 3/23/2005, 2:54pm
Q891711.dll ver. 4.10.2222 dated 3/18/2005, 4:54pm
<this one resolved many of the problems caused by the previous release>

see how Microsoft dates the files. Many times MS does a brilliant job giving newer dates/times of
newer builds of system files.

Edited by erpdude8, 14 February 2006 - 04:56 PM.


#69
erpdude8

the author of U891711 needs to use more "common sense" when dating and versioning files.
when giving kb891711.exe 4.10.2224 a date of 10/4/2005, and you revise it as 4.10.2225
you absolutely do NOT date it 10/4/2005. that can cause major confusion to Windows users
because they can not tell if the file was modified or not.

If Microsoft were to do such a thing in not changing the date of when a file was modified and the file was given a different version number,
I would be critical of them too.

Edited by erpdude8, 17 February 2006 - 09:00 AM.


#70
erpdude8

OK. I've done enough complaining about version 4.10.2225 of the KB891711.exe file having the same exact date as version 4.10.2224 of the KB891711.exe file [both builds 2224 and 2225 of KB891711.exe file were dated 10/4/2005 which is an abomination]. I've changed the date of build 2225 of the KB891711.exe file so it should now be dated 2/11/2006 with 10:25pm as the time. I've sent the revised U891711 fix to MDGx (the KB891711.exe file should be dated 2/11/2006 instead of 10/4/2005) but he has not posted it up yet. Seems that the author of the U891711 fix forgot to change the date of the KB891711.exe file after he changed the build number from 2224 to 2225. It's barely inexcusable for newer builds of the U891711 files to have the same exact date as older builds.
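
Added example (not part of the thread, and not a tool shipped with U891711): the posts above describe builds of KB891711.EXE that share a name, size and date, which is the case where only a content hash tells the files apart. The function below groups files by name, size and timestamp and reports every group whose members hash differently; the file contents and the timestamp in `demo()` are constructed stand-ins.

```python
import hashlib
import os
import tempfile
from collections import defaultdict

def sha256_of(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(65536), b""):
            h.update(block)
    return h.hexdigest()

def ambiguous_builds(paths):
    """Group files by (lower-cased name, size, mtime) and return the groups whose
    members do not all share one SHA-256: builds that metadata cannot tell apart."""
    groups = defaultdict(dict)
    for p in paths:
        st = os.stat(p)
        key = (os.path.basename(p).lower(), st.st_size, int(st.st_mtime))
        groups[key].setdefault(sha256_of(p), []).append(p)
    return {k: v for k, v in groups.items() if len(v) > 1}

def demo():
    """Two constructed files with the same name, size and timestamp but different bytes."""
    with tempfile.TemporaryDirectory() as root:
        paths = []
        for sub, content in (("old", b"build-A" * 64), ("new", b"build-B" * 64)):
            os.mkdir(os.path.join(root, sub))
            p = os.path.join(root, sub, "KB891711.EXE")
            with open(p, "wb") as fh:
                fh.write(content)
            os.utime(p, (1128464700, 1128464700))  # arbitrary fixed timestamp (assumed value)
            paths.append(p)
        # Return (name, size) -> sorted list of distinct digests in that group.
        return {k[:2]: sorted(v) for k, v in ambiguous_builds(paths).items()}

if __name__ == "__main__":
    for (name, size), digests in demo().items():
        print(f"{name} ({size} bytes): {len(digests)} different contents")
        for d in digests:
            print("  sha256", d)
```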

#71
MDGx

 

Edited by MDGx, 28 September 2006 - 07:58 PM.


#72
Hu$tle

Windows KB891711 component has altered Windows system files.

Module Name: KB891711.EXE
Description: Windows KB891711 component
Version: 4.10.2225
Product: Microsoft® Windows® Operating System
Manufacturer: Microsoft Corporation

this is my Dr Watson report

#73
noguru


Windows KB891711 component has altered Windows system files.

Module Name: KB891711.EXE
Description: Windows KB891711 component
Version: 4.10.2225
Product: Microsoft® Windows® Operating System
Manufacturer: Microsoft Corporation

this is my Dr Watson report


Don't worry, it's supposed to do that. The official Ms patch works the same way.

#74
MDGx

 

Edited by MDGx, 20 November 2006 - 11:54 AM.


#75
erpdude8



Windows KB891711 component has altered Windows system files.

Module Name: KB891711.EXE
Description: Windows KB891711 component
Version: 4.10.2225
Product: Microsoft® Windows® Operating System
Manufacturer: Microsoft Corporation

this is my Dr Watson report


Don't worry, it's supposed to do that. The official Ms patch works the same way.


in other words, it's normal for Dr Watson to report KB891711 "altering system files"
that don't bother me. win98se/winme will work just fine
ditto for official MS KB918547 patch

Edited by erpdude8, 04 October 2006 - 05:14 PM.




