Tuesday, February 2, 2010

Advapi32 patch for Windows 7, 32-bit and 64-bit

It has been a log time since my last posting about the release candidate for Windows 7. I was quite busy since then and I couldn't find time to come up with a patch.
Luckily, one reader of this blog, Natko Kalisnik, spent time working on this and he contacted me recently to share his findings. Hi approach is different from the one I usually follow (his is more prudent) but it leads to the same result.
Without getting into more details, here it is for a 64-bit version of Windows 7. For the 32-bit version, just take the patch for the dll in SysWOW64.

cryptsp.dll 32-bit in SysWOW64, version 6.1.7600.16385 :
- At offset 0x3CF4 : change 0F to 90
- At offset 0x3CF5 : change 85 to E9

Its new SHA256 hash value is :

cryptsp.dll 64-bit in System32, version 6.1.7600.16385 :
- At offset 0x32E3 : change C3 to DB
- At offset 0x337D : change C3 to DB
- At offset 0x33C4 : change C3 to C4

And its new SHA256 hash value is :

Just a last word about the how to apply this patch for new comers.
Some manifest files must be updated using the new hash values. They are located under C:\Windows\winsxs\Manifests :
For 32-bit : x86_microsoft-windows-cryptsp-dll_31bf3856ad364e35_6.1.7600.16385_none_2933c430682017d9.manifest

For 64-bit : amd64_microsoft-windows-cryptsp-dll_31bf3856ad364e35_6.1.7600.16385_none_85525fb4207d890f.manifest

The hash value to be modified is in the XML node dsig:DigestValue.

Also, you need to replace cryptsp.dll with the patched one in the following folders under C:\Windows\winsxs :
For 32-bit : x86_microsoft-windows-cryptsp-dll_31bf3856ad364e35_6.1.7600.16385_none_2933c430682017d9

For 64-bit : amd64_microsoft-windows-cryptsp-dll_31bf3856ad364e35_6.1.7600.16385_none_85525fb4207d890f

This is sufficient for having a running patched system. For a more complete patch, you can have a look at the directory C:\Windows\winsxs\Backup : it contains copies of the manifest files and dlls that you can also patch.


sfdev said...

this seems to be wrong... (checked and rechecked...)

cryptsp.dll 64-bit in System32, version 6.1.7600.16385 :
- At offset 0x32E3 : change C3 to DB
- At offset 0x337D : change C3 to DB
- At offset 0x33C4 : change C3 to C4

I've got the same version (6.1.7600.16385)on a 64bit Windows7 but the values at these offsets are:
- At offset 0x32E3 : 40
- At offset 0x337D : A5
- At offset 0x33C4 : CC

Mounir IDRASSI said...

What you are seeing is due to the fact that you are opening the file directly from c:\windows\system32, and since your hex viewer is a 32-bit application, Windows loads the copy of cryptsp found in SysWOW64 instead of the one you want to open!!

Copy the cryptsp.dll from c:\windows\system32 to your desktop for example and rename it cryptsp_64.dll. Then open it with your hex viewer. You will find that the offsets and values are correct!


sfdev said...

thank you

Fadeev A. B. said...

Mounir, thank you much for your blog and for information about advapi32 patches!!! It's very difficult to find any info about CSP developing, and especially about test signing, and advapi32 patches. And it's difficult to find your blog... Good work!

Mounir IDRASSI said...

Thank you for your feedback! I'm happy my patches were useful to you.

Sandor Feldi, Jr. said...

Does anyone else experience loss of sound (Realtek) after editing these cryptsp.dll and manifest files after rebooting? Makes no sense to me, but that is what happens, I've rechecked the procedure and the modification a few times.

Eduardo said...


I'm experiencing the same sound problems, both playback and recording devices stopped working after the patch. Did you find any solution to this?