Windows Server 2003 (NT 5.2.3790.0) build guide
Win2K3 extra patches
Identify as Windows XP instead of Windows 2000
Updates string formatter to identify the OS name in systeminfo and msinfo32 as Windows XP instead of Windows 2000.
--- a/admin/wmi/wbem/providers/win32provider/providers/systemname.cpp
+++ b/admin/wmi/wbem/providers/win32provider/providers/systemname.cpp
@@ -372,7 +372,7 @@ CHString CSystemName::GetLocalizedName(void)
#else
if( IsWinNT5() )
{
- if ( IsWinNT51() )
+ if ( IsWinNT51() || IsWinNT52() )
{
if (VER_SUITE_PERSONAL & t_ku.SuiteMask())
{
Support for SHA-2 RSA signatures in crypt32.dll
Support for SHA-2 RSA certificate signatures was added in XP SP3 only. Without this patch, modern certificates (like ISRG Root X1 from Let’s Encrypt) won’t be verified.
--- a/ds/security/cryptoapi/pki/certstor/oidinfo.cpp
+++ b/ds/security/cryptoapi/pki/certstor/oidinfo.cpp
@@ -140,6 +140,11 @@ static CCRYPT_OID_INFO PubKeyAlgTable[] = {
// Signature Algorithm Table
//--------------------------------------------------------------------------
static const ALG_ID aiRsaPubKey = CALG_RSA_SIGN;
+static const DWORD rgdwRsaSha2Sign[] = {
+ CALG_RSA_SIGN,
+ 0,
+ PROV_RSA_AES
+};
static const DWORD rgdwMosaicSign[] = {
CALG_DSS_SIGN,
CRYPT_OID_INHIBIT_SIGNATURE_FORMAT_FLAG |
@@ -160,12 +165,17 @@ static const DWORD rgdwDssSign[] = {
OID_INFO_LEN, pszOID, pwszName, CRYPT_SIGN_ALG_OID_GROUP_ID, aiHash, \
sizeof(rgdwExtra), (BYTE *) rgdwExtra
+#define RSA_SHA2_SIGN_ALG_ENTRY(pszOID, pwszName, aiHash) \
+ SIGN_EXTRA_ALG_ENTRY(pszOID, pwszName, aiHash, rgdwRsaSha2Sign)
#define DSS_SIGN_ALG_ENTRY(pszOID, pwszName) \
SIGN_EXTRA_ALG_ENTRY(pszOID, pwszName, CALG_SHA1, rgdwDssSign)
static CCRYPT_OID_INFO SignAlgTable[] = {
RSA_SIGN_ALG_ENTRY(szOID_RSA_SHA1RSA, L"sha1RSA", CALG_SHA1),
RSA_SIGN_ALG_ENTRY(szOID_RSA_MD5RSA, L"md5RSA", CALG_MD5),
+ RSA_SHA2_SIGN_ALG_ENTRY("1.2.840.113549.1.1.11", L"sha256RSA", CALG_SHA_256),
+ RSA_SHA2_SIGN_ALG_ENTRY("1.2.840.113549.1.1.12", L"sha384RSA", CALG_SHA_384),
+ RSA_SHA2_SIGN_ALG_ENTRY("1.2.840.113549.1.1.13", L"sha512RSA", CALG_SHA_512),
DSS_SIGN_ALG_ENTRY(szOID_X957_SHA1DSA, L"sha1DSA"),
RSA_SIGN_ALG_ENTRY(szOID_OIWSEC_sha1RSASign, L"sha1RSA", CALG_SHA1),
RSA_SIGN_ALG_ENTRY(szOID_OIWSEC_sha1RSASign, L"shaRSA", CALG_SHA1),
It also probably requires relatively modern rsaenh.dll, but the one provided by win2003_x86-missing-binaries_v2.7z should be enough. Binary only, yes.
Remove “For testing purposes only” message from desktop
Just skip the check for test certificate (which you probably use for builds).
--- a/windows/core/ntuser/kernel/init.c
+++ b/windows/core/ntuser/kernel/init.c
@@ -3100,7 +3100,7 @@ BOOL xxxUpdatePerUserSystemParameters(
/*
* Desktop Build Number Painting
*/
- if (USER_SHARED_DATA->SystemExpirationDate.QuadPart || gfUnsignedDrivers) {
+ if (0 && (USER_SHARED_DATA->SystemExpirationDate.QuadPart || gfUnsignedDrivers)) {
gdwCanPaintDesktop = 1;
} else {
FastGetProfileDwordW(pProfileUserName, PMAP_DESKTOP, L"PaintDesktopVersion", 0, &gdwCanPaintDesktop, dwPolicyFlags);
Disable waiting for network in ported winlogon
Just reorders some stuff and disables the network check (which is not really needed). For those who still use the ported version of winlogon (Winlogon200X_v3c.zip).
--- a/ds/security/gina/winlogon/wlxutil.c
+++ b/ds/security/gina/winlogon/wlxutil.c
@@ -2578,6 +2578,9 @@ VOID WaitForServices(
HANDLE hDsReindexEvent ;
ULONG SamWaitTime = 15000 ;
+ DWORD fWaitForNetwork;
+ HKEY hKey;
+ DWORD cbData, dwType;
if ( pTerm->SafeMode )
{
@@ -2587,6 +2590,30 @@ VOID WaitForServices(
StatusMessage(FALSE, 0, IDS_STATUS_SYSTEM_STARTUP );
WaitForServiceToStart( TEXT("SamSs"), SamWaitTime);
+ StatusMessage (TRUE, 0, IDS_STATUS_RPCSS_START);
+ WaitForServiceToStart (TEXT("RpcSs"), 120000);
+
+ fWaitForNetwork = FALSE;
+ if ( RegOpenKeyEx( HKEY_LOCAL_MACHINE,
+ TEXT("Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon"),
+ 0,
+ KEY_READ,
+ &hKey ) == ERROR_SUCCESS )
+ {
+ cbData = sizeof(fWaitForNetwork);
+ RegQueryValueEx( hKey,
+ TEXT("WaitForNetwork"),
+ NULL,
+ &dwType,
+ (LPBYTE)&fWaitForNetwork,
+ &cbData );
+ RegCloseKey( hKey );
+ }
+
+ if ( !fWaitForNetwork ) {
+ return;
+ }
+
if ( pTerm->SafeMode )
{
//
@@ -2615,9 +2642,6 @@ VOID WaitForServices(
StatusMessage (FALSE, 0, IDS_STATUS_NET_START);
WaitForServiceToStart (SERVICE_NETLOGON, 120000);
- StatusMessage (TRUE, 0, IDS_STATUS_RPCSS_START);
- WaitForServiceToStart (TEXT("RpcSs"), 120000);
-
StatusMessage (TRUE, 0, IDS_STATUS_MUP_START);
WaitForMUP (120000);
Fixes for decompiled winlogon
This version of winlogon (ds.zip_decompiled_XPSP1_winlogon.zip) can’t be built without additional fixes. Moreover, it has some controversial stuff which can be easily removed.
- Everything in
licensingis completely unnecessary. It contains a lot of unreadable disassembled code (and it’s explained why in the included readme file). This directory can be easily removed with some code changes. - Smartcard logon (
sclogon2.c) is incomplete and conflicts with definitions fromsclgnrpc.h. I decided to just remove it intead of trying to fix. - Windows 3.1 migration code is incomplete and of course it’s not needed at all. Moreover, even the ported version of winlogon doesn’t have it (it was replaced with stubs, so I did the same).
- Some minor fixes here and there to make it buildable.
--- a/ds/security/gina/winlogon/sas.c
+++ b/ds/security/gina/winlogon/sas.c
@@ -10,8 +10,6 @@
#include <tsperf.h>
#include <rdfilter.h>
-#include "../../licensing/explib/checkstatus.h"
-
#define SHELL_RESTART_TIMER_ID 100
//#define EVENT_SHELL_RESTARTED (1002 | 0x40000000)
@@ -1294,13 +1292,10 @@ LRESULT SASWndProc(
if ( pTerm->UserLoggedOn &&
!IsLocked( pTerm->WinlogonState ))
{
- DWORD val = 0;
- if (!sub_1043104(978, &val) && val) {
StartApplication(pTerm,
szDesktop,
pTerm->pWinStaWinlogon->UserProcessData.pEnvironment,
szTaskMgr);
- }
}
return(0);
}
@@ -1814,6 +1809,7 @@ LRESULT SASWndProc(
DWORD dwType, dwSize;
+#if 0
if (wParam == 977) {
DWORD val = 0;
// licensing check timer
@@ -1836,6 +1832,7 @@ LRESULT SASWndProc(
SetTimer(hwnd, 976, 3600000, NULL);
return 0;
}
+#endif
if (wParam != SHELL_RESTART_TIMER_ID) {
break;
--- a/ds/security/gina/winlogon/sources
+++ b/ds/security/gina/winlogon/sources
@@ -75,7 +75,6 @@ SOURCES= \
secboot.c \
notify.c \
sc.c \
- sclogon2.c \
wlxutil.c \
jobwait.c \
samwait.c \
@@ -115,8 +114,6 @@ TARGETLIBS= \
$(DS_GLOBAL_LIB_PATH)\wxapisrv.lib \
$(SHELL_LIB_PATH)\shguidp.lib \
$(SDK_LIB_PATH)\uuid.lib \
- $(SECURITY_LIB_PATH)\sclgnrpc.lib \
- $(SDK_LIB_PATH)\sclogon.lib \
$(SDK_LIB_PATH)\advapip.lib \
$(DS_LIB_PATH)\rsa32.lib \
$(DS_LIB_PATH)\bignum.lib \
@@ -125,12 +122,6 @@ TARGETLIBS= \
$(NET_LIB_PATH)\mprp.lib \
$(SDK_LIB_PATH)\psapi.lib \
$(SDK_LIB_PATH)\version.lib \
- ..\..\licensing\shortsig\$(O)\shortsig.lib \
- ..\..\licensing\shortsig00\$(O)\shortsig00.lib \
- ..\..\licensing\lib\$(O)\license.lib \
- ..\..\licensing\pidlib\$(O)\pidlib.lib \
- ..\..\licensing\explib\$(O)\explib.lib \
- ..\..\licensing\liclib\$(O)\liclib.lib \
$(SDK_LIB_PATH)\oleaut32.lib \
$(WINDOWS_LIB_PATH)\user32p.lib \
$(SDK_LIB_PATH)\ws2_32.lib \
--- a/ds/security/gina/winlogon/termutil.c
+++ b/ds/security/gina/winlogon/termutil.c
@@ -790,6 +790,7 @@ DWORD CALLBACK DeferredTSNotify(LPVOID pVoid) {
HANDLE HandlesToWait[2];
DWORD dwWaitResult = WAIT_FAILED;
HANDLE hTermSrvReadyEvent;
+ BOOLEAN pfIsRedirected;
ASSERT(g_Console); // line 2050
ASSERT(g_hUserLogoffEvent); // line 2051
@@ -824,7 +825,8 @@ DWORD CALLBACK DeferredTSNotify(LPVOID pVoid) {
g_TSNotifyData.UserName,
L"",
0,
- &g_pTerminals->MuGlobals.UserConfig))
+ &g_pTerminals->MuGlobals.UserConfig,
+ &pfIsRedirected))
{
DebugLog((DEB_ERROR, "FAILED DeferredTSNotify - _WinStationNotifyLogon\n"));
dwResult = GetLastError();
@@ -1295,6 +1297,7 @@ int MultiUserLogonAttempt(
PDOMAIN_CONTROLLER_INFO DcInfo = NULL ;
DWORD Error;
BOOLEAN WinStaResult;
+ BOOLEAN pfIsRedirected;
ASSERT(!g_hDeferredTSNotifyThread); // line 1518
@@ -1525,11 +1528,11 @@ int MultiUserLogonAttempt(
if (!IsAppServer()) {
WinStaResult = _WinStationNotifyLogon(
(BOOLEAN)TestTokenForAdmin(hToken), hToken, pMprInfo->pszDomain,
- pMprInfo->pszUserName, L"", 0, &pTerm->MuGlobals.UserConfig);
+ pMprInfo->pszUserName, L"", 0, &pTerm->MuGlobals.UserConfig, &pfIsRedirected);
} else {
WinStaResult = _WinStationNotifyLogon(
(BOOLEAN)TestTokenForAdmin(hToken), hToken, pMprInfo->pszDomain,
- pMprInfo->pszUserName, pMprInfo->pszPassword, 0, &pTerm->MuGlobals.UserConfig);
+ pMprInfo->pszUserName, pMprInfo->pszPassword, 0, &pTerm->MuGlobals.UserConfig, &pfIsRedirected);
}
if (!WinStaResult) {
LONG error;
--- a/ds/security/gina/winlogon/win31mig.c
+++ b/ds/security/gina/winlogon/win31mig.c
@@ -114,6 +114,7 @@ Windows31Migration(
PTERMINAL pTerm
)
{
+#if 0
HANDLE ImpersonationHandle;
WIN31_MIGRATION_DIALOG DialogInfo;
DWORD Win31MigrationFlags;
@@ -151,6 +152,8 @@ Windows31Migration(
Win31MigrationDlgProc,
(LPARAM)&DialogInfo
);
+#endif
+ return FALSE;
}
@@ -188,6 +191,7 @@ Win31MigrationDlgProc(
LPARAM lParam
)
{
+#if 0
PWIN31_MIGRATION_DIALOG pDialogInfo = (PWIN31_MIGRATION_DIALOG) GetWindowLongPtr(hDlg, GWLP_USERDATA);
HANDLE ImpersonationHandle;
UINT idFocus = (UINT) -1;
@@ -331,6 +335,7 @@ Win31MigrationDlgProc(
break; // Fall through to do default processing
// We may have validated part of the window.
}
+#endif
// We didn't process the message
return(FALSE);
--- a/ds/security/gina/winlogon/winlogon.c
+++ b/ds/security/gina/winlogon/winlogon.c
@@ -1180,7 +1180,6 @@ int WINAPI WinMain (HINSTANCE hInstance, HINSTANCE hPrevInstance,
InitializeUserProfile();
}
- SclogonInit();
if (!g_fHelpAssistantSession)
{
BaseInitAppcompatCacheSupport();
@@ -1693,7 +1692,6 @@ VOID PostSetupShutdown(PTERMINAL pTerm, SHUTDOWN_ACTION Action) {
VOID MiscInitialization (PTERMINAL pTerm)
{
- DWORD Win31MigrationFlags;
DWORD SetupShutdownRequired;
@@ -1744,6 +1742,7 @@ VOID MiscInitialization (PTERMINAL pTerm)
}
+#if 0
if (!IsWin9xUpgrade()) {
//
// Check to see if there is any WIN.INI or REG.DAT to migrate into
@@ -1762,6 +1761,7 @@ VOID MiscInitialization (PTERMINAL pTerm)
InitSystemFontInfo();
}
}
+#endif
//
--- a/ds/security/gina/winlogon/wlx.c
+++ b/ds/security/gina/winlogon/wlx.c
@@ -14,7 +14,6 @@
#include <commctrl.h>
#define NO_COMMCTRL_ALLOCFCNS
#include <comctrlp.h>
-#include "../../licensing/explib/checkstatus.h"
#define _MSGINA_
#include <msginaexports.h>
#include <shellapi.h>
@@ -83,7 +82,6 @@ extern TCHAR szNoPageFile[];
TCHAR szAdminName[ MAX_STRING_BYTES ];
BOOL g_fReadyForShutdown = FALSE;
-HANDLE dword_1075C6C = NULL;
HINSTANCE hShell32Module = NULL;
HANDLE g_hEventReconnect = NULL;
@@ -1479,7 +1477,6 @@ DoStartShell(
WCHAR szDesktop[MAX_PATH];
PWINDOWSTATION pWS = pTerm->pWinStaWinlogon;
UINT ErrorMode ;
- BOOL fWPABlockedShell = FALSE;
HANDLE hUserLogonEvent;
@@ -1535,6 +1532,7 @@ DoStartShell(
InitMultimediaForStartShell(pTerm);
}
+#if 0
if (dword_1075C6C && WaitForSingleObject(dword_1075C6C, 0)) {
fWPABlockedShell = TRUE;
} else {
@@ -1575,9 +1573,7 @@ DoStartShell(
CloseHandle(dword_1075C6C);
}
dword_1075C6C = NULL;
-
- if (!fWPABlockedShell)
- {
+#endif
StatusMessage(TRUE, 0, IDS_STATUS_RESTORE_NET);
@@ -1683,9 +1679,7 @@ DoStartShell(
SetErrorMode( ErrorMode );
- }
-
- return fWPABlockedShell ? FALSE : StartStatus ;
+ return StartStatus;
}
//+---------------------------------------------------------------------------
@@ -3241,17 +3235,6 @@ MainLoop(PTERMINAL pTerm)
fIsIdleLogonTimeoutDisabled = IsIdleLogonTimeoutDisabled();
}
- if (g_Console) {
- dword_1075C6C = CreateEvent(NULL, FALSE, FALSE, NULL);
- if (dword_1075C6C == NULL) {
- return;
- }
- if (!QueueUserWorkItem(sub_10470D2, (PVOID)dword_1075C6C, 0)) {
- return;
- }
- SetTimer(pTerm->hwndSAS, 977, 60000, NULL);
- }
-
//
// Start profile mapping APIs
//
@@ -3620,10 +3603,6 @@ MainLoop(PTERMINAL pTerm)
if (WlxResult == WLX_SAS_ACTION_LOGON)
{
- sub_10432CC(978, 0);
- sub_10432CC(977, 0);
- SetTimer(pTerm->hwndSAS, 977, 60000, NULL);
-
if (IsPerOrProTerminalServer() && !pTerm->MuGlobals.field_E68 &&
(IsActiveConsoleSession() || !g_fHelpAssistantSession))
{