_____ __ __ __ ____________ _____ ________

/ _ \ ____ / |_|__/ \ / \______ \/ _ \ \_____ \

/ /_\ \ / \ __| \ \/\/ /| ___/ /_\ \ _(__ <
/ | | | | | | |\ / | | / | \ / \
\____|____|___|__|__| |__| \__/\ / |____| \____|____/ /______ /
\/ \/
Let's activate later...
Version 3.4.6 for x64 and x86
--------------------------------------------------------------------
How to use:
Start AntiWPA3.cmd to install/uninstall the patch
What the patch modifies:
* HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\No
tify\AntiWPA
is added to Registry
* File C:\windows\system32\AntiWPA.dll is added

* HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WPAEvents]
data for "OOBETimer" is changed {=OOBE}
* rundll32 setupapi,InstallHinfSection DEL_OOBE_ACTIVATE 132 syssetup.inf
rundll32 setupapi,InstallHinfSection RESTORE_OOBE_ACTIVATE 132 syssetup.inf
is executed which will remove/restore WPA-links from the startmenu
How it works:
It tricks winlogon.exe to make it believe it was booted in safemode,thus, winlog
on skips
the WPA-Check. The trick is done by redirecting(=hooking) the windows function
(user32.dll!GetSystemMetrics(SM_CLEANBOOT{=0x43}) & ntdll.dll!NtLockProductActiv
ation)
in memory to antiwpa.dll so winlogon 'thinks' was booted in safemode.
*Note (...because some ppl were concered about): The patch do not alter any
files on harddisk nor the hooks affects any other exe or dll in memory than
winlogon.exe.
The patch auto-runs on each start before the WPA-check via:
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AntiWPA
The hooks are applied when AntiWPA.dll!onLogon is called by winlogon.exe.
The Winlogon.exe file on the harddisk is not altered anymore.
Patching (API-Hooking) is done in memory, so there are no problems with
Windows System File Protection.
Installation is performed via AntiWPA.dll!DllRegisterServer ("regsvr32 AntiWPA.d
ll").
The file is copied to systemdir and the registrykeys are added.
(Note: AntiWPA.dll is no ActiveX selfregisterdll.)
Uninstallation is done via AntiWPA.dll!DllUnRegisterServer ("regsvr32 -u AntiWPA
.dll").

==================================================
F A Q - Frequently Asked Questions
==================================================

????????????????????????????????????????????????????????????????????????????????
How to check if it's really active
????????????????????????????????????????????????????????????????????????????????
check if antiwpa.dll is loaded
enter in console (cmd.exe)
TASKLIST /M /FI "MODULES eq antiwpa.dll"
Check and see if you have the Process Winlogon.exe as output
Forward date & reboot(or just Re-Login) to be really sure.

????????????????????????????????????????????????????????????????????????????????
Antiwpa.dll is loaded but it's still not working
????????????????????????????????????????????????????????????????????????????????
Don't be too much concered about the activation days counter.
If you forwarded date about 1 year & reboot and don't get any bad
message on login antiwpa3 is working.
Else get the debug version of Antiwpa install it and report about
your observation in the forum. It will help to narrow down the
problem & fix. You may also prepare some remote desktop connection
and send me a email so I may debug the problem on your machine.
And at last try out antiwpa2.

????????????????????????????????????????????????????????????????????????????????
I get the evaluation period has expired -
the computer will be shutdown into 1 hour.
????????????????????????????????????????????????????????????????????????????????
That is Windows Trial counter
Try NT Tweak Downloadable at http://free.pages.at/antiwpa/Other/TweakNT_1.21.zip
Try to remove the timebomb, I have used it many times and it works great.
If you are going to reinstall windows you can also
remove evaluation period from the setup-files:
0. copy files to Harddisk
1. on some running windows (2k,XP) start regedit.exe
2. set cursor on HKEY_LOCAL_MACHINE
3. Menu: File\'Load hive' and open [WINsetupdir]\i386\'SETUPREG.HIV'
4. enter 'tmp' as new hive name and navigate to
HKEY_LOCAL_MACHINE\tmp\ControlSet001\Services\setupdd
click on (default) and fill/overwrite it with 16 x '00' like that
'00 00 00 00 00 00 00 00'
'00 00 00 00 00 00 00 00'
5. navigate to HKEY_LOCAL_MACHINE\tmp and File\'UnLoad hive'
All details are there:
http://antiwpa.btwarehouse.org/forum/viewtopic.php?t=2&start=0&postdays=0&postor
der=asc&highlight=setupdd

????????????????????????????????????????????????????????????????????????????????
Antiwpa3 don't support windows vista - is there a other patch ?
????????????????????????????????????????????????????????????????????????????????
So far i've not created any real good solution:
Well there is a patch for slc.dll (Software Licensing Client) antiwpa-vista_v1.2
.zip
but it may cause unwanted sideeffect on other licenselimitation and it's heavily
version
depending.
One way can be to edit the underlaying licensedata:
The data of the values slc.dll!SLGetWindowsInformationDWORD querys are stored un
der
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\ProductOptions [ProductPolic
y=]
http://antiwpa.btwarehouse.org/forum/viewtopic.php?t=211
which might offer to remove other limitation as well
Or just a classic patch of winlogon.exe - as antiwpa2 did. To get rid of the WPA
-Check at
logon that will be the best way without any sideeffects.

????????????????????????????????????????????????????????????????????????????????
I have Install AntiWPA 2.00. Should I uninstall it to update?
????????????????????????????????????????????????????????????????????????????????
They both work well. They both target the same function in
Winlogon.exe, so it s running well - don t touch it (Never touch a running system.)

????????????????????????????????????????????????????????????????????????????????
Do I have to reinstall every AntiWPA 3 after I've installed a servicepack ?
????????????????????????????????????????????????????????????????????????????????
No, you don't need to. The patch isn t undone by service packs anymore.
Since it doesn't modify winlogon.exe, it's no problem if winlogon.exe is
replaced by a new version.

????????????????????????????????????????????????????????????????????????????????
What is the difference between AntiWPA 2 & AntiWPA 3?
????????????????????????????????????????????????????????????????????????????????
AntiWPA 2 directly modified winlogon.exe (on hard disk) to make it skip
over the product activation check.
AntiWPA 3 intercepts (in memory via API-Import-Hooking) winlogon.exe's request t
o
the OS whether Windows was booted into Safe-Mode or not.
It makes the OS always return "yes", even if Windows is running in 'normal mode'
,
winlogon is thinking it's running in safemode and skips the product activation c
heck.
I advice to use antiwpa3 because it is easier to use and 'servicepack-resistent'
.
To be complete there is one thing to mention (please ignore if you understand):
Code inside Winlogon:
If GetIsInNormalMode() then <-Attackpoint of AntiWPA3
If DoWPACheckAndReturnIfSucceed() <-Attackpoint of AntiWPA2
Everythings all right! Go On...
else
Stop due to WPA-Error
EndIf
else
It's safemode WPACheck! Go On...
EndIf
...
as you see AntiWPA3 depends of some specific programming logic.
So if there is just 'If DoWPACheckAndReturnIfSucceed()' without
'If GetIsInNormalMode()' in front AntiWPA3 won't avoid activation call.

????????????????????????????????????????????????????????????????????????????????
How do I integrate it into Windows Setup?
????????????????????????????????????????????????????????????????????????????????

That solution was given by [fs]. Thanks for sharing it! Original thread:
http://antiwpa.btwarehouse.org/forum/viewtopic.php?t=116

Open [Setuppath]\I386 (use it in following as workdir)

create a file called "SETTINGS.INF" Put this info in it:
>>>
[Version]
Signature=$CHICAGO$
[AddReg]
; This tells XP setup to process antiwpa.inf at 13min from finishing installatio
n
HKLM,"SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx\Infs",1,,"rundll32 set
upapi,InstallHinfSection DefaultInstall 128 ..\Windows\AntiWPA\antiwpa.inf"
<<<
open TXTSETUP.SIF
and add the follow ...text... under the following [section]
(if you add the text at the beginning, the middle or at tbe end don't matter
as long it stays inside that section)
[WinntDirectories]
...
; this creates a temporary folder called antiwpa in %windir%
140 = AntiWPA
...
[SourceDisksFiles] enter these lines:
...
; this file gets copied to temp location %windir%\antiwpa
antiwpa.dll = 1,,,,,,,140,0,0
; this file gets copied to temp location %windir%\antiwpa
antiwpa.inf = 1,,,,,,,140,0,0
; this file stays on CDrom, it only used to load antiwpa.inf
settings.inf = 1,,,,,,_x,,3,3
...

[HiveInfs.Fresh]
...
; this loads settings.inf at the end of XP setup in DOS mode
AddReg = settings.inf,Addreg
...

create a file called "ANTIWPA.INF" and put this info in it:

>>>
[version]
signature="$CHICAGO$"
[DefaultInstall]
CopyFiles = AntiWPA.Files
AddReg = AntiWPA.Reg
RegisterDLLs = ANTIWPA.REG.DLL
[DestinationDirs]
; 11 = %windir%\system32
AntiWpa.Files.Inf = 11
[AntiWPA.Files]
AntiWPA.dll
[AntiWPA.Reg]
; This step is optional, when enabled it removes Activation shortcut in startmen
u
HKLM,"%RunOnceEx%\install01",,,"AntiWPA"
HKLM,"%RunOnceEx%\install01",1,,"%11%\regsvr32.exe antiwpa.dll /s"
; This step removes the %windir%\AntiWPA directory and all it's content
HKLM,"%RunOnceEx%\Zcleanup",1,,"%11%\cmd.exe /c rd /S /Q %10%\antiwpa"
[ANTIWPA.REG.DLL]
11,,antiwpa.dll, 1
[Strings]
RunOnceEx = "SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx"
<<<
Done now check if the following files are inside the I386 dir
ANTIWPA.DLL, ANTIWPA.INF, SETTINGS.INF, TXTSETUP.SIF
Now burn your AntiWPA integrated CD.
To make it bootable extract bootblock(should be 2KB) from any bootable
win(nt,2k,xp,2k3) setupCD/ISO with isobluster and burn it with bootcd default
options (4 Startsek; load at:07C0).
Hint: create an iso & mount it in a Virtual PC like VMWare to test CDBoot
---------------------------------------------------
And to draw some other solution posted by some guest:
1. Copy CD content to C:\WindowsCD\
2. Use setupmgr.exe to create an answer file
add the following in the "Run Once" section of setup manager:
"%SYSTEMDRIVE%\antiwpa.dll"
Unattend.txt/winnt.sif should now include the following section:
[GuiRunOnce]
Command0="regsvr32 /s %SYSTEMDRIVE%\antiwpa.dll"
Edit the [Unattended] section, changing OemPreinstall=No to
OemPreinstall=Yes
copy winnt.sif to the C:\WindowsCD\i386 folder
3. copy antiwpa.dll to C:\WindowsCD\$oem$\$1\ (Create Folder)
Note: All files contained in the "\$oem$\$1" folder will be
copied to the C: drive during installation.

Before-WPA-emergency console:
-----------------------------
This will setup some kind of emerency console. The program specified in
CmdLine will be run before the normal logonscreen and before the WPA-Check.
Now you don't need to boot in safemode if something went wrong.
REGEDIT4
[HKEY_LOCAL_MACHINE\SYSTEM\Setup]
"SetupType"=dword:00000002
"CmdLine"=""C:\Total Commander\TOTALCMD.EXE"
Deny the user 'system' writeaccess(Set value) on HKEY_LOCAL_MACHINE\SYSTEM\Setup
or the system change SetupType value after each logon.
You can use explorer.exe as CmdLine but note it might cause problems later.

Reseting the Activation Trial:

------------------------------
Simply execute 'rundll32.exe syssetup,SetupOobeBnk'.
That is some kind of offical way to rest the Activation Trial.
Take Care it will work only work for about 4 times.
A 'total reset' is not very userfriend and described in detail here.
http://free.pages.at/antiwpa/src/doc/Details%20about%20the%20WPA.htm

Just to draw the picture you will need to export HKLM\System to a

tmp reg-hive file. Import that reg-hive(or structure) file to delete
HKLM\System\WPA and the Rest
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion "LicenseInfo"=""
HKLM\SECURITY\Policy\Secrets\L${6B3E6424-AF3E-4bff-ACB6-DA535F0DDC0A}
system32\WPA.DBL
shutdown window and copy/overwite the reg-hivefile to system32\config\system
from an other OS or the Windows-CD recovery console.
========================================================
A (boring) Step by Step to do a manual Install
========================================================
To do a Clean Uninstall:
1. Click on Start\Execute [Or press Winkey+R] and Enter
regsvr32 antiwpa.dll -u
-> you should get DllUnregisterServer succeded
2. Reboot
3. In the Explorer to c:\Windows\system32 and delete antiwpa.dll
(Note it's important to use the explorer which is an 64-bit app because 32bi
t apps like the TotalCommander won't see the real system32-folder)
Now do an Manuall install:
1. open the Antiwpa-V3.4.3\AMD64 dir
2. run "regsvr32 antiwpa.dll"
Step by Step:
 copy antiwpa.dll to c:\
Start\Execute and enter 'Cmd.exe'enter to open dos-console:
c:
cd \
regsvr32 antiwpa.dll
-> you should get DllregisterServer succeded
Check antiwpa.dll install itself correctly
1. now there should be antiwpa.dll in c:\Windows\system32
2. reboot
3. run "Start"\Execute 'Cmd.exe' and enter
TASKLIST /M /FI "MODULES eq antiwpa.dll"
Check if you get the Process Winlogon.exe as output
(to ensure antiwpa.dll is loaded and is really active)
Check the installation
1. Forward your date about 1 year and reboot
2. if you can login there is no doubt that antiwpa is really working
else boot in safemode and restore your date and run ("Start"\Execute)
rundll32.exe syssetup,SetupOobeBnk
to reset the trial (but beware the this trick will only work for about 4 ti
mes!)
3. but I hope now everything is working
If not setup the windows RemoteDesktop connection and mail connectioninfos to cw
2k ät gmx.de
===========================================================================

AntiWPA.dll was done by

______ ________ ______ __ __ _______ ____ _______
| | | | |__ | |/ | | | || | |_ _|
| ---| | | | __| < & | || |_ | |
|______|________|______|__|\__| |___|___||_______||___|
<http://antiwpa4.tk>
<http://free.pages.at/antiwpa>
<http://antiwpa.btwarehouse.org/forum>
[email protected]
<CW2K>
---------------------------------------------------------------
History:
3.4.6 readme.txt updated
'How do I integrate it into Windows Setup?' and
'windows vista not support' section added
3.4.6 updated antiwpa-site-url in readme.txt
Changed API-hook order maybe now it will also work on vista
3.4.4 Bugfix: Rename 32-bit dir back to x86\
Minor: readme updates
Added IA64 Version
3.4.3 Baseaddress change to 0x5000 0000 to avoid to need to relocating the Dll
3.4.2 Bugfix: Relocating the Dll failed - set writeflag to .text-section to fix
3.4 Now it uses import hooks (instead of export ones): Disam part is not need
anymore - Dll size reduced
3.3 Install/Uninstall routine for OOBE-Fix and remove activate-links added to
AntiWPA.dll
3.2 Internal version (Not released)
3.1 Install/Uninstall routine via regsvr32 added to AntiWPA.dll
Version info added to AntiWPA.dll
3.0 BETA initial Release

====== Outtakes (obsulated stuff) =========

????????????????????????????????????????????????????????????????????????????????
How do I integrate it into Windows Setup?
????????????????????????????????????????????????????????????????????????????????
I haven't done/tried this yet.
What you would have to do is manage these tasks somehow:
1. Add antiwpa.dll to the installation package
2. make it execute once "regsvr32 /s antiwpa.dll"
(or "rundll32 antiwpa.dll, DllRegisterServer")
http://forums.cjb.net/antiwpa3-about47.html for more about
Thanks to Hackedout for his solution. Let me summarized it:

1. Copy i386 folder from the cd C:\i386

2. Execute "makecab.exe antiwpa.dll"
Copy compressed file antiwpa.dl_ to C:\i386
3. Edit the following files from i386:
DOSNET.INF [Files]
...
d1,a_pnt518.ppd
d1,antiwpa.dll <-insert that line
d1,aaaamon.dll
...
HIVESFT.INF [AddReg]
search for 'Winlogon\Notify\cscdll' & insert the lines so it will look like that
:
...HKLM,"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify",,0x000000
12
HKLM,"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\antiwpa",,0x0
0000012
HKLM,"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\antiwpa","DLL
Name",0x00000002,"antiwpa.dll"
HKLM,"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\antiwpa","Asy
nchronous",0x00010003,0
HKLM,"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\antiwpa","Imp
ersonate",0x00010001,0
HKLM,"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\antiwpa","Log
on",0x00000002,"onLogon"
...HKLM,"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll",,0
x00000012

TXTSETUP.SIF [SourceDisksFiles]
search for 'aaaamon.dll' ...
...a_pnt518.ppd = 1,,,,,,,,3,3
antiwpa.dll = 1,,,,,,,2,0,0
..aaaamon.dll = 1,,,,,,,2,0,0

4. Make sure that these files were saved/copied to C:\i386

Antiwpa.dl_
DOSNET.INF
HIVESFT.INF
TXTSETUP.SIF
Done!
Some (untested) proposals - if someone confirms that they work
I will finally include them in the instructions
* To make antiwpa.dll to remove the activationlinks from the start menu
add the following line to 'HIVESFT.INF'
HKLM,"SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce","antiwpa",0x00000002
,"regsvr32 antiwpa.dll /s"
OR !!! (but this is more experimental) replace the line
HKLM,"SYSTEM\Setup","SetupType",0x00010003,1
with
HKLM,"SYSTEM\Setup","SetupType",0x00010003,2
HKLM,"SYSTEM\Setup","CmdLine",0x00000002,"regsvr32 antiwpa.dll /s"
theoretical it should start antiwpa-install instead of the OOBE-Let's activat
e at first start
so it works you can also leave out the 'HKLM,Winlogon\Notify'-part
* leave out the 'DOSNET.INF'-part I seem be unnecessary and to only cause an
file not found error in the 'dos' file coping stage
Visit http://www.kammerl.de/ascii/AsciiSignature.php ASCII Text Signature Genera
tor.