Windows 10 Anniversary Permanently Disable LockScreen Patch


darkfires

Member
Jan 2, 2008
22
5
Hi guys,

I decompiled the file that was causing the key to be set back on (AllowLockScreen) and successfully disabled it. The culprit is in C:\windows\system32\LogonController.dll

You will need to get a hex editor to do this. This is for the 64-bit version, 10.0.14393.0, with md5sum of 3a12a4ce74b958564c0e4346869fcd8c.

Jump to file location 0x156EE. It should look like this:
75 4A 48 8B 8C 24 etc
Change the 75 to 74 (jump not zero to jump zero), save it and replace the LogonController.dll in your system folder.

You'll have to take ownership and then rename the file, and drop the new one in its place. Reboot and voila!

Some details of what is going on:
.text:0000000180016270 ; __int32 __fastcall CProcessStateManager::put_IsLockScreenAllowed(CProcessStateManager *__hidden this, unsigned __int8)
.text:0000000180016270 [email protected]@@[email protected] proc near

.text:00000001800162E4 call cs:__imp_RegCreateKeyExW
.text:00000001800162EA mov ebx, eax
.text:00000001800162EC test eax, eax

This line below is what we're patching:
.text:00000001800162EE jnz short loc_18001633A
.text:00000001800162F0 mov rcx, [rsp+78h+hKey] ; hKey
.text:00000001800162F8 lea rax, [rsp+78h+Data]
.text:0000000180016300 mov [rsp+78h+samDesired], 4 ; cbData
.text:0000000180016308 lea r9d, [rsi+3] ; dwType
.text:000000018001630C xor r8d, r8d ; Reserved
.text:000000018001630F mov qword ptr [rsp+78h+dwOptions], rax ; __int32
.text:0000000180016314 lea rdx, aAllowlockscree ; "AllowLockScreen"
.text:000000018001631B call cs:__imp_RegSetValueExW
.text:0000000180016321 mov rcx, [rsp+78h+hKey] ; hKey
.text:0000000180016329 mov ebx, eax
.text:000000018001632B cmp rcx, 0FFFFFFFF80000002h
.text:0000000180016332 jz short loc_18001633A
.text:0000000180016334 call cs:__imp_RegCloseKey
 

darkfires

Member
Jan 2, 2008
22
5
Patched DLL

I've uploaded a patched 64-bit DLL, in addition to disabling the LockScreen it also disables quite a few of the Telemetry functions. Seems to actually boot slightly faster with the extra telemetry disabled.
 

Attachments

  • LogonController.rar
    230.6 KB · Views: 324

darkfires

Member
Jan 2, 2008
22
5
Patched DLL v2

The first version I posted only prevented windows from re-enabling the lock screen if it was already disabled. This version also disables it if it was enabled.
 

Attachments

  • LogonControllerv2.rar
    230.6 KB · Views: 459

dobbelina

Member
Sep 23, 2013
14
1
Hi darkfires!

Love your stuff!
I think you posted elsewhere on the net the final v.3 fix for this that is:
(This is better than what's posted in the first thread)
Code:
0xBF50 48 89 5C 24 08 -> C3 90 90 90 90

It works perfectly for me except for one small caveat, and that is that returning from "Sleep" sometimes gives you a black screen.
Hitting the keyboard a few times solves that issue as the login screen then "re-appears".
Any other way to patch this dll, addressing this issue to make it "perfect"?

I was wondering, what disassembler tool did you use to get this output?:
.text:00000001800162EE jnz short loc_18001633A
.text:00000001800162F0 mov rcx, [rsp+78h+hKey] ; hKey
.text:00000001800162F8 lea rax, [rsp+78h+Data]
.text:0000000180016300 mov [rsp+78h+samDesired], 4 ; cbData
.text:0000000180016308 lea r9d, [rsi+3] ; dwType
.text:000000018001630C xor r8d, r8d ; Reserved
.text:000000018001630F mov qword ptr [rsp+78h+dwOptions], rax ; __int32
.text:0000000180016314 lea rdx, aAllowlockscree ; "AllowLockScreen"
.text:000000018001631B call cs:__imp_RegSetValueExW
.text:0000000180016321 mov rcx, [rsp+78h+hKey] ; hKey
.text:0000000180016329 mov ebx, eax
.text:000000018001632B cmp rcx, 0FFFFFFFF80000002h
.text:0000000180016332 jz short loc_18001633A
.text:0000000180016334 call cs:__imp_RegCloseKey
Would be nice to get some newbie tips on this as this stuff interests me, thanks ! :)
 

darkfires

Member
Jan 2, 2008
22
5
Hi,

Sorry I didn't get a notification anyone had replied to this thread for some reason! I posted an updated version here that fixes black screen http://repo.ezzi.net/nolock/. And I used IDA to decompile it, send me a PM if you're interested in a copy of it. I had to target a totally different function than what I originally was.

I actually started out by targeting the difference from pre-anniv which was automatically setting the registry key. So that worked in most cases but not all, and instead I targeted the function that checked the key instead and made it return false every time.

As for the 0xBF50 48 89 5C 24 08 -> C3 90 90 90 90, the first part is the file offset, and the rest are op codes. You can look up x86 opcodes on google and get the hex values. The first 5 are actually a single instruction (instruction, address and value), C3 is retn (forces function to return) and 90 are all NOP (no operation). It's pretty trivial with the right tools and some patience :)
 

dobbelina

Member
Sep 23, 2013
14
1
Hi again

And thanks for the updated info!
I actually figured out you were using IDA in my quest to dig deeper.
I got a copy, and I really like the graphical overview which makes it easy to navigate between the numerous functions.
This machine language stuff is not as easy to digest though lol! :eek:

But thanks for the pointers.
Btw, I was wrong about your patch causing a blackscreen!
This one: 0xBF50 48 89 5C 24 08 -> C3 90 90 90 90

It had nothing to do with the patch, but was/is a quirk with VMware when going into sleep mode.
The patch works 100% perfect.
The Home version uses the same dll, I have checked, same MD5.

I'll get back in this thread when I have done some more studying.
It's not that much that the lockscreen is bothering me,
It's just the challenge to get rid of it that's firing me up, because MS decided they should decide it for us.

//EDIT

Would this be the same place to patch 32Bit version as well?:
6rmxvt.jpg


Thanks! :victory:
 

dobbelina

Member
Sep 23, 2013
14
1
Hi hi ! :laugh:

Patch for the 32bit
File version 10.0.14393.0 (Anniversary Edition)
MD5 Original LogonController.dll:
cdcc698bc43848baa789c3a7060167fd

Is:Offset:0x1C680 8B FF -> C3 90

Patched dll attached.
 

Attachments

  • LogonControllerx86.zip
    198.7 KB · Views: 101

dobbelina

Member
Sep 23, 2013
14
1
Hi all!

This topic is for those that don't like the lockscreen.
When the anniversary update came, the option to disable this was removed.
There are a few tricks out there to somewhat disable it, but none of
those works from boot.
This solution does.
Earlier I made a patch for LogonController.dll, that has worked beautifully
until today, when the KB3189866 update came out and replaced it.
So I made an autopatcher instead.
Even if a new update replaces the patched dll,
just run the autopatcher again!
(It is always the same bytes that need replacing), and it will probably
be a long time before they update this dll again.

It's very easy to use, first run the "Take_Ownership.cmd" file as
Administrator, then run LogonController_Patch.exe also as Admin
and point it to:
%SYSTEMROOT%\system32\LogonController.dll
And click Start, Done!

20u7vh2.jpg


It automatically creates a backup of your old LogonController.dll.

Works for both Home & Pro and all Languages, just choose
right architecture.
Architecture x86
https://drive.google.com/open?id=0ByXxjI18DZC5YTZWbVRueS1IWVU
(Use d/l arrow up in the right corner to get the zip file)

Architecture x64
https://drive.google.com/open?id=0ByXxjI18DZC5aEd4VVhLZVVIbXc
(Use d/l arrow up in the right corner to get the zip file)

That's it folks ! ;)
-------------------------------------------------------
Thanks "darkfires" for the inspiration to patch LogonController.dll !
 

darkfires

Member
Jan 2, 2008
22
5
Awesome job man! You learn quick :)

You could also combine both arch's into a single script if you wanted, just check %PROCESSOR_ARCHITECTURE% == AMD64 for 64, if you're using C or whatever GetSystemInfo() should do it as well. I was going to make an auto-patcher but haven't had as much free time lately as I would have hoped, so I am thrilled to see you did that! I'm not sure how the one you wrote works but it's not entirely safe to assume the location of the patch will never change in newer versions. I was looking into making something that downloaded the associated pdb from microsoft and verified the function location from that (that's how IDA is able to put useful labels on the functions), which would make it dynamically work if the offset ever did change. So I would recommend you make another script that is easy to run from advanced recovery command prompt that would restore the original if it ever changed and they couldn't login, just in case. However I think it's safe to say it's very unlikely this would be a problem until their next major build (the only reason it changed this time was to fix a security vulnerability).

Keep up the great work!

 

dobbelina

Member
Sep 23, 2013
14
1
Hi darkfires!

I know I could have bundled the two architectures and
scripted it to choose the right one but I was lazy!
I noticed that the patch offset was the same in the updated dll in KB3189866, that's why I made the "Autopatcher".
There are 2 safety features in the patch engine preventing
a bad patch, and that is 1. filename, and 2. filesize.
There is a third option to calculate filehash, but I opted out on that one, as you couldn't apply the patch to any new version of the dll.
If there's a new update coming later on, and the offset changed (or they re-wrote it totally), I hope, fingers crossed, that the patch engine errors out.
Your idea to d/l the associated pdb from microsoft and verify the function location would be awesome!
Easily done over a cup of coffee right!? :laugh:

Regarding scripting for recovery purposes I think a small tutorial is the best
option.
Most people wouldn't know how to navigate to a recovery script in the first place, ha ha lol!

Basically I tell them this:
Boot from install media, press SHIFT + F10 at first screen, then at cmd prompt, type D:
(it usually is)
cd windows
cd system32
del LogonController.dll
ren LogonController.bak LogonController.dll
This is quite straightforward, and of course it's really nice that the patch utility
makes this backup file, otherwise I wouldn't use it.

Always nice to get your feedback!
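
An added example, not part of the thread and not the autopatcher's code: a sketch of the check the two posters are discussing, which reads the "offset original -> replacement" notation, confirms the original bytes are actually at that offset (and, optionally, that the file hash matches) before changing anything, and also reports whether a file is already patched. The function names and the zero-filled sample buffers are constructed for illustration; only the patch line itself comes from the thread.

```python
import hashlib
import re

# Thread notation: "<file offset> <original bytes> -> <replacement bytes>"
SPEC_RE = re.compile(
    r"^\s*(0x[0-9A-Fa-f]+)\s+((?:[0-9A-Fa-f]{2}\s*)+)->\s*((?:[0-9A-Fa-f]{2}\s*)+)$")
X64_SPEC = "0xBF50 48 89 5C 24 08 -> C3 90 90 90 90"  # quoted from the thread

def parse_spec(spec):
    """Split a patch line into (offset, original bytes, replacement bytes)."""
    m = SPEC_RE.match(spec)
    if not m:
        raise ValueError("unrecognised patch line: %r" % spec)
    old, new = bytes.fromhex(m.group(2)), bytes.fromhex(m.group(3))
    if len(old) != len(new):
        raise ValueError("original and replacement differ in length")
    return int(m.group(1), 16), old, new

def classify(image, spec):
    """Report 'original', 'patched' or 'mismatch' for the bytes at the offset."""
    offset, old, new = parse_spec(spec)
    window = image[offset:offset + len(old)]
    if window == old:
        return "original"
    if window == new:
        return "patched"
    return "mismatch"  # different build, moved code, or truncated file

def apply_patch(image, spec, expected_md5=None):
    """Return a patched copy, refusing unless the original bytes are in place."""
    if expected_md5 and hashlib.md5(image).hexdigest() != expected_md5:
        raise ValueError("file hash differs from the build the patch was made for")
    state = classify(image, spec)
    if state != "original":
        raise ValueError("refusing to patch, bytes at offset are: " + state)
    offset, old, new = parse_spec(spec)
    return image[:offset] + new + image[offset + len(old):]

def make_sample(shift=0):
    """Constructed stand-in for the DLL: zero bytes plus the 5-byte prologue."""
    buf = bytearray(0xC000)
    buf[0xBF50 + shift:0xBF50 + shift + 5] = bytes.fromhex("48895C2408")
    return bytes(buf)

if __name__ == "__main__":
    current, updated = make_sample(), make_sample(shift=16)
    print(len(current) == len(updated))       # same size, so a size check passes
    print(classify(current, X64_SPEC))        # original
    print(classify(apply_patch(current, X64_SPEC), X64_SPEC))  # patched
    print(classify(updated, X64_SPEC))        # mismatch
```

The second sample has the same length as the first but the code moved by 16 bytes, which is the case a filename-plus-filesize check would let through and the byte comparison rejects.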
 

dobbelina

Member
Sep 23, 2013
14
1
I bundled the 2 architectures into 1 installer script.
It's now very easy to use, Just run Install.cmd as Administrator.
I also made a restore script.
To restore the backed up LogonController.dll run Restore.cmd as Administrator.

Works for both Home & Pro and all Languages 32bit & 64bit.
Architecture x86
(Patches Offset:0x1C680 8B FF -> C3 90)

Architecture x64
(Patches Offset:0xBF50 48 89 5C 24 08 -> C3 90 90 90 90)

LogonController_Patch.zip
(Use d/l arrow up in the right corner to get the zip file)

As a safety feature you can't apply a patch twice, as you would then overwrite the backup file.
The script looks for LogonController.bak in the system32
folder, which is the backup file's name.
In the future, if MS updates the dll file, manually delete
that backup file in order to run the autopatcher again.
 

MagicAndre1981

Senior Member
Jun 21, 2015
157
19

hotter

Senior Member
Feb 25, 2008
108
8

This patcher does not work anymore with new windows update. I get error: "There was an error applying patch: 0x80070057 (The parameter is incorrect.)"
Can you fix it? Win10 version 1607 build 14393.1480

---------- Post added at 01:43 PM ---------- Previous post was at 01:42 PM ----------

As for the 0xBF50 48 89 5C 24 08 -> C3 90 90 90 90, the first part is the file offset, and the rest are op codes. You can look up x86 opcodes on google and get the hex values. The first 5 are actually a single instruction (instruction, address and value), C3 is retn (forces function to return) and 90 are all NOP (no operation). It's pretty trivial with the right tools and some patience :)

So should I use this code replace or the first post one 75 -> 74?
 
