
Windows 10 Anniversary Permanently Disable LockScreen Patch

By darkfires, Junior Member on 7th August 2016, 11:29 PM
Hi guys,

I decompiled the file that was causing the key to be set back on (AllowLockScreen) and successfully disabled it. The culprit is in C:\windows\system32\LogonController.dll

You will need to get a hex editor to do this. This is for the 64-bit version, 10.0.14393.0, with md5sum of 3a12a4ce74b958564c0e4346869fcd8c.

This address corresponds to file offset 0x156EE. It should look like this:
75 4A 48 8B 8C 24 etc
Change the 75 to 74 (jump not zero to jump zero), save it and replace the LogonController.dll in your system folder.

You'll have to take ownership and then rename the file, and drop the new one in its place. Reboot and voila!

Some details of what is going on:
.text:0000000180016270 ; __int32 __fastcall CProcessStateManager::put_IsLockScreenAllowed(CProcessStateManager *__hidden this, unsigned __int8)
.text:0000000180016270 [email protected]@@UEA [email protected] proc near

.text:00000001800162E4 call cs:__imp_RegCreateKeyExW
.text:00000001800162EA mov ebx, eax
.text:00000001800162EC test eax, eax

This line below is what we're patching:
.text:00000001800162EE jnz short loc_18001633A
.text:00000001800162F0 mov rcx, [rsp+78h+hKey] ; hKey
.text:00000001800162F8 lea rax, [rsp+78h+Data]
.text:0000000180016300 mov [rsp+78h+samDesired], 4 ; cbData
.text:0000000180016308 lea r9d, [rsi+3] ; dwType
.text:000000018001630C xor r8d, r8d ; Reserved
.text:000000018001630F mov qword ptr [rsp+78h+dwOptions], rax ; __int32
.text:0000000180016314 lea rdx, aAllowlockscree ; "AllowLockScreen"
.text:000000018001631B call cs:__imp_RegSetValueExW
.text:0000000180016321 mov rcx, [rsp+78h+hKey] ; hKey
.text:0000000180016329 mov ebx, eax
.text:000000018001632B cmp rcx, 0FFFFFFFF80000002h
.text:0000000180016332 jz short loc_18001633A
.text:0000000180016334 call cs:__imp_RegCloseKey

8th August 2016, 06:42 AM |#2
OP Junior Member
Patched DLL
I've uploaded a patched 64-bit DLL, in addition to disabling the LockScreen it also disables quite a few of the Telemetry functions. Seems to actually boot slightly faster with the extra telemetry disabled.
Attached file: LogonController.rar (230.6 KB, 308 views)
9th August 2016, 05:30 AM |#3
OP Junior Member
Patched DLL v2
The first version I posted only prevented Windows from re-enabling the lock screen if it was already disabled. This version also disables it if it was enabled.
Attached file: LogonControllerv2.rar (230.6 KB, 446 views)
13th August 2016, 09:15 PM |#4
Senior Member
For me it doesn't work. I only get a spinning progress ring at logon in a VM.
9th September 2016, 02:28 AM |#5
Junior Member
Hi darkfires!

Love your stuff!
I think you posted elsewhere on the net the final v.3 fix for this that is:
(This is better than what's posted in the first thread)
Code:
0xBF50 48 89 5C 24 08 -> C3 90 90 90 90
It works perfectly for me except for one small caveat, and that is that returning from "Sleep" sometimes gives you a black screen.
Hitting the keyboard a few times solves that issue as the login screen then "re-appears".
Is there any other way to patch this dll, addressing this issue to make it "perfect"?

I was wondering, what disassembler tool did you use to get this output?:
Quote:

.text:00000001800162EE jnz short loc_18001633A
.text:00000001800162F0 mov rcx, [rsp+78h+hKey] ; hKey
.text:00000001800162F8 lea rax, [rsp+78h+Data]
.text:0000000180016300 mov [rsp+78h+samDesired], 4 ; cbData
.text:0000000180016308 lea r9d, [rsi+3] ; dwType
.text:000000018001630C xor r8d, r8d ; Reserved
.text:000000018001630F mov qword ptr [rsp+78h+dwOptions], rax ; __int32
.text:0000000180016314 lea rdx, aAllowlockscree ; "AllowLockScreen"
.text:000000018001631B call cs:__imp_RegSetValueExW
.text:0000000180016321 mov rcx, [rsp+78h+hKey] ; hKey
.text:0000000180016329 mov ebx, eax
.text:000000018001632B cmp rcx, 0FFFFFFFF80000002h
.text:0000000180016332 jz short loc_18001633A
.text:0000000180016334 call cs:__imp_RegCloseKey

Would be nice to get some newbie tips on this as this stuff interests me, thanks!
10th September 2016, 09:19 PM |#6
OP Junior Member
Quote:
Originally Posted by dobbelina

Hi darkfires!

Love your stuff!
I think you posted elsewhere on the net the final v.3 fix for this that is:
(This is better than what's posted in the first thread)

Code:
0xBF50 48 89 5C 24 08 -> C3 90 90 90 90
It works perfectly for me except for one small caveat, and that is that returning from "Sleep" sometimes gives you a black screen.
Hitting the keyboard a few times solves that issue as the login screen then "re-appears".
Is there any other way to patch this dll, addressing this issue to make it "perfect"?

I was wondering, what disassembler tool did you use to get this output?:

Would be nice to get some newbie tips on this as this stuff interests me, thanks!

Hi,

Sorry, I didn't get a notification that anyone had replied to this thread for some reason! I posted an updated version that fixes the black screen here: http://repo.ezzi.net/nolock/. I used IDA to decompile it; send me a PM if you're interested in a copy of it. I had to target a totally different function than the one I originally was targeting.

I actually started out by targeting the difference from pre-anniv which was automatically setting the registry key. So that worked in most cases but not all, and instead I targeted the function that checked the key instead and made it return false every time.

As for the 0xBF50 48 89 5C 24 08 -> C3 90 90 90 90, the first part is the file offset, and the rest are opcodes. You can look up x86 opcodes on Google and get the hex values. The first 5 bytes are actually a single instruction (instruction, address and value), C3 is retn (forces the function to return) and the 90s are all NOP (no operation). It's pretty trivial with the right tools and some patience.
11th September 2016, 11:34 AM |#7
Junior Member
Quote:
Originally Posted by darkfires

Hi,

Sorry, I didn't get a notification that anyone had replied to this thread for some reason! I posted an updated version that fixes the black screen here: http://repo.ezzi.net/nolock/. I used IDA to decompile it; send me a PM if you're interested in a copy of it. I had to target a totally different function than the one I originally was targeting.

I actually started out by targeting the difference from pre-anniv which was automatically setting the registry key. So that worked in most cases but not all, and instead I targeted the function that checked the key instead and made it return false every time.

As for the 0xBF50 48 89 5C 24 08 -> C3 90 90 90 90, the first part is the file offset, and the rest are opcodes. You can look up x86 opcodes on Google and get the hex values. The first 5 bytes are actually a single instruction (instruction, address and value), C3 is retn (forces the function to return) and the 90s are all NOP (no operation). It's pretty trivial with the right tools and some patience.

Hi again

And thanks for the updated info!
I actually figured out you were using IDA in my quest to dig deeper.
I got a copy, and I really like the graphical overview which makes it easy to navigate between the numerous functions.
This machine language stuff is not as easy to digest though lol!

But thanks for the pointers.
Btw, I was wrong about your patch causing a black screen!
This one: 0xBF50 48 89 5C 24 08 -> C3 90 90 90 90

It had nothing to do with the patch, but was/is a quirk with VMware when going into sleep mode.
The patch works 100% perfect.
The Home version uses the same dll, I have checked, same MD5.

I'll get back in this thread when I have done some more studying.
It's not that much that the lockscreen is bothering me,
It's just the challenge to get rid of it that's firing me up, because MS decided they should decide it for us.

//EDIT

Would this be the same place to patch the 32-bit version as well?:


Thanks!
12th September 2016, 02:57 PM |#8
Junior Member
Hi hi !

Patch for the 32-bit version
File version 10.0.14393.0 (Anniversary Edition)
MD5 of original LogonController.dll: cdcc698bc43848baa789c3a7060167fd

Patch: offset 0x1C680: 8B FF -> C3 90

Patched dll attached.
Attached file: LogonControllerx86.zip (198.7 KB, 100 views)
14th September 2016, 09:19 PM |#9
Junior Member
Hi all!

This topic is for those that don't like the lockscreen.
When the anniversary update came, the option to disable this was removed.
There are a few tricks out there to somewhat disable it, but none of
those works from boot.
This solution does.
Earlier I made a patch for LogonController.dll, that has worked beautifully
until today, when the KB3189866 update came out and replaced it.
So I made an autopatcher instead.
Even if a new update replaces the patched dll,
just run the autopatcher again!
(It is always the same bytes that need replacing), and it will probably
be a long time before they update this dll again.

It's very easy to use, first run the "Take_Ownership.cmd" file as
Administrator, then run LogonController_Patch.exe also as Admin
and point it to:
%SYSTEMROOT%\system32\LogonController.dll
And click Start, Done!



It automatically creates a backup of your old LogonController.dll.

Works for both Home & Pro and all languages, just choose
the right architecture.
Architecture x86
https://drive.google.com/open?id=0By...TZWbVRueS1IWVU
(Use d/l arrow up in the right corner to get the zip file)

Architecture x64
https://drive.google.com/open?id=0By...Ed4VVhLZVVIbXc
(Use d/l arrow up in the right corner to get the zip file)

That's it folks !
-------------------------------------------------------
Thanks "darkfires" for the inspiration to patch LogonController.dll !
14th September 2016, 10:24 PM |#10
OP Junior Member
Awesome job man! You learn quick

You could also combine both archs into a single script if you wanted, just check %PROCESSOR_ARCHITECTURE% == AMD64 for 64-bit; if you're using C or whatever, GetSystemInfo() should do it as well. I was going to make an auto-patcher but haven't had as much free time lately as I had hoped, so I am thrilled to see you did that! I'm not sure how the one you wrote works, but it's not entirely safe to assume the location of the patch will never change in newer versions. I was looking into making something that downloaded the associated pdb from Microsoft and verified the function location from that (that's how IDA is able to put useful labels on the functions), which would make it work dynamically if the offset ever did change. So I would recommend you make another script that is easy to run from the advanced recovery command prompt that would restore the original if it ever changed and they couldn't log in, just in case. However, I think it's safe to say it's very unlikely this would be a problem until their next major build (the only reason it changed this time was to fix a security vulnerability).

Keep up the great work!

Quote:
Originally Posted by dobbelina

Hi all!

This topic is for those that don't like the lockscreen.
When the anniversary update came, the option to disable this was removed.
There are a few tricks out there to somewhat disable it, but none of
those works from boot.
This solution does.
Earlier I made a patch for LogonController.dll, that has worked beautifully
until today, when the KB3189866 update came out and replaced it.
So I made an autopatcher instead.
Even if a new update replaces the patched dll,
just run the autopatcher again!
(It is always the same bytes that need replacing), and it will probably
be a long time before they update this dll again.

It's very easy to use, first run the "Take_Ownership.cmd" file as
Administrator, then run LogonController_Patch.exe also as Admin
and point it to:
%SYSTEMROOT%\system32\LogonController.dll
And click Start, Done!

It automatically creates a backup of your old LogonController.dll.

Works for both Home & Pro and all languages, just choose
the right architecture.
Architecture x86
https://drive.google.com/open?id=0By...TZWbVRueS1IWVU
(Use d/l arrow up in the right corner to get the zip file)

Architecture x64
https://drive.google.com/open?id=0By...Ed4VVhLZVVIbXc
(Use d/l arrow up in the right corner to get the zip file)

That's it folks !
-------------------------------------------------------
Thanks "darkfires" for the inspiration to patch LogonController.dll !

15th September 2016, 12:14 PM |#11
Junior Member
Quote:
Originally Posted by darkfires

Awesome job man! You learn quick

You could also combine both archs into a single script if you wanted, just check %PROCESSOR_ARCHITECTURE% == AMD64 for 64-bit; if you're using C or whatever, GetSystemInfo() should do it as well. I was going to make an auto-patcher but haven't had as much free time lately as I had hoped, so I am thrilled to see you did that! I'm not sure how the one you wrote works, but it's not entirely safe to assume the location of the patch will never change in newer versions. I was looking into making something that downloaded the associated pdb from Microsoft and verified the function location from that (that's how IDA is able to put useful labels on the functions), which would make it work dynamically if the offset ever did change. So I would recommend you make another script that is easy to run from the advanced recovery command prompt that would restore the original if it ever changed and they couldn't log in, just in case. However, I think it's safe to say it's very unlikely this would be a problem until their next major build (the only reason it changed this time was to fix a security vulnerability).

Keep up the great work!

Hi darkfires!

I know I could have bundled the two architectures and
script it to choose the right one but I was lazy!
I noticed that the patch offset was the same in the updated dll in KB3189866, that's why I made the "Autopatcher".
There are 2 safety features in the patch engine preventing
a bad patch, and those are 1. filename, and 2. filesize.
There is a third option to calculate the file hash, but I opted out of that one, as you couldn't apply the patch to any new version of the dll.
If there's a new update coming later on, and the offset changed (or they re-wrote it totally), I hope, fingers crossed, that the patch engine errors out.
Your idea to d/l the associated pdb from Microsoft and verify the function location would be awesome!
Easily done over a cup of coffee, right!?

Regarding scripting for recovery purposes I think a small tutorial is the best
option.
Most people wouldn't know how to navigate to a recovery script in the first place, ha ha lol!

Basically I tell them this:
Boot from install media, press SHIFT + F10 at the first screen, then at the cmd prompt, type D:
(it usually is)
cd windows
cd system32
del LogonController.dll
ren LogonController.bak LogonController.dll
This is quite straightforward, and of course it's really nice that the patch utility
makes this backup file, otherwise I wouldn't use it.

Always nice to get your feedback!
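An added integrity check, written for this thread and not taken from darkfires' patch or dobbelina's autopatcher, that applies the safety checks discussed in posts #10 and #11: it compares a LogonController.dll's MD5 against the original sums posted here and reads the bytes at each posted offset, so an unknown build is reported as "unknown" rather than blindly patched, and an already-modified logon DLL is flagged as "patched". It assumes Python 3 and the offsets, bytes and hashes exactly as posted for build 10.0.14393.0.

```python
"""Integrity check for LogonController.dll against the byte patches posted in this thread."""
import hashlib
import sys
from dataclasses import dataclass


@dataclass(frozen=True)
class PatchSite:
    arch: str
    offset: int
    original: bytes  # bytes the thread says the unmodified DLL has here
    patched: bytes   # bytes the thread's patch writes here


# MD5 sums of the unmodified DLLs as posted (posts #1 and #8).
KNOWN_ORIGINAL_MD5 = {
    "x64": "3a12a4ce74b958564c0e4346869fcd8c",
    "x86": "cdcc698bc43848baa789c3a7060167fd",
}
# Offsets and bytes exactly as posted: jnz->jz (post #1), retn+NOPs (post #5), x86 retn (post #8).
PATCH_SITES = [
    PatchSite("x64", 0x156EE, bytes.fromhex("754A"), bytes.fromhex("744A")),
    PatchSite("x64", 0xBF50, bytes.fromhex("48895C2408"), bytes.fromhex("C390909090")),
    PatchSite("x86", 0x1C680, bytes.fromhex("8BFF"), bytes.fromhex("C390")),
]


def classify(data: bytes) -> dict:
    """Report MD5, whether it matches a posted original, and the state of every patch site."""
    md5 = hashlib.md5(data).hexdigest()
    known = next((arch for arch, h in KNOWN_ORIGINAL_MD5.items() if h == md5), None)
    sites = {}
    for site in PATCH_SITES:
        window = data[site.offset:site.offset + len(site.original)]
        if len(window) < len(site.original):
            state = "out-of-range"        # file too small: certainly not this build
        elif window == site.original:
            state = "original"
        elif window == site.patched:
            state = "patched"
        else:
            state = "unexpected"          # neither sequence: do not patch this file
        sites[f"{site.arch}@{site.offset:#x}"] = state
    if known:
        verdict = "pristine"              # hash matches a posted original
    elif "patched" in sites.values():
        verdict = "patched"               # a posted patch sequence is present
    else:
        verdict = "unknown"               # different build or otherwise modified
    return {"md5": md5, "known_original": known, "sites": sites, "verdict": verdict}


def check_file(path: str) -> dict:
    with open(path, "rb") as fh:
        return classify(fh.read())


if __name__ == "__main__":
    print(check_file(sys.argv[1]))
```

The "unexpected" and "out-of-range" states are the conditions a filename-plus-filesize check alone cannot distinguish, which is the gap post #10 warns about.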