leecher1337 / ntvdmx64

Run Microsoft Windows NTVDM (DOS) on 64bit Editions

Windows 7 still can't install ESU security rollups while NTVDMx64 is installed #128

Closed AngryDavid808 closed 3 years ago

AngryDavid808 commented 3 years ago

Hello, leecher1337, love your project and effort, hope you're safe and good. I regret to inform you that the Windows 7 Update problem I told you about before last year is still present and I still can't update Windows 7 while NTVDMx64 is installed. Hope you can find a workaround for this issue. If you need any more details, please hit me with a message and thank you in advance.

Regards David

AngryDavid808 commented 3 years ago

@leecher1337 😊😊

leecher1337 commented 3 years ago

The issue is known, the ticket is still open, but I fear there is no way to fix it. The update process needs to replace conhost.exe, but it seems conhost.exe cannot be replaced (for reasons that are unknown) if the loader is running inside it. Checking for a running update via the registry doesn't seem to help, as you may have experienced. However, it's just a minor issue; it can easily be worked around by uninstalling NTVDMx64, updating Windows and then reinstalling it. Given the fact that there aren't so many updates that replace conhost.exe, I see this as a relatively low priority issue.

AngryDavid808 commented 3 years ago

Very understandable, sir. I still appreciate your effort. Maybe you could try making the program read some sort of variable that indicates that Windows is updating, and once the variable is at a certain value, it'd end itself and not run for the time being. Just a thought

leecher1337 commented 3 years ago

The easiest way to be on the safe side, i.e. to just temporarily disable the loader without having to remove NTVDMx64, would be to remove it just from the AppInit_DLLs key and then reboot. If it just gets disabled during runtime, so that it doesn't inject into new processes, it may not be enough. The fastest way to temporarily disable it would be to rename ldntvdm.dll in the AppInit_DLLs value of the following registry paths to some wrong filename (e.g. ldntvdm2.dll):

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Windows

Then reboot and the loader shouldn't get loaded. After the update is done, rename it back to ldntvdm.dll, maybe reboot again, and you are done.

You can extract the following 2 sections of install.bat and create 2 .bat files to enable and disable it with just a mouse click, to make it even easier:

add-appinit.cmd

@echo off
Setlocal EnableDelayedExpansion
rem 64-bit key: read the current AppInit_DLLs value and append ldntvdm.dll only if it is not already listed
set AppInit=
for /F "skip=2 tokens=2*" %%r in ('reg query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows" /v AppInit_DLLs') do set AppInit=%AppInit%%%s
echo %AppInit% | findstr /I /C:ldntvdm.dll >nul
if errorlevel 1 reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows" /v AppInit_DLLs /f /d "%AppInit% ldntvdm.dll"
set AppInit=
rem 32-bit WOW6432Node key: same procedure
for /F "skip=2 tokens=2*" %%r in ('reg query "HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Windows" /v AppInit_DLLs') do set AppInit=%AppInit%%%s
echo %AppInit% | findstr /I /C:ldntvdm.dll >nul
if errorlevel 1 reg add "HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Windows" /v AppInit_DLLs /f /d "%AppInit% ldntvdm.dll"
set AppInit=

del-appinit.cmd

@echo off
Setlocal EnableDelayedExpansion
rem 64-bit key: rebuild the value from every entry except ldntvdm.dll, keeping other AppInit DLLs intact
set AppInit=
for /F "skip=2 tokens=2*" %%r in ('reg query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows" /v AppInit_DLLs') do (
  for %%t in (%%s) do if not "%%t"=="ldntvdm.dll" set AppInit=!AppInit!%%t 
)
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows" /v AppInit_DLLs /f /d "%AppInit%"
set AppInit=
rem 32-bit WOW6432Node key: same procedure, then write the filtered value back
for /F "skip=2 tokens=2*" %%r in ('reg query "HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Windows" /v AppInit_DLLs') do (
  for %%t in (%%s) do if not "%%t"=="ldntvdm.dll" set AppInit=!AppInit!%%t 
)
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Windows" /v AppInit_DLLs /f /d "%AppInit%"
set AppInit=

The reason why this cannot be done with just a simple .reg file is that you may have other AppInit_DLLs, and these would be overwritten if you just made a .reg file that overwrites the AppInit_DLLs value.

AngryDavid808 commented 3 years ago

I completely understand. So, if I get it right, I should first execute the add_appinit.cmd file, reboot, update, and then execute del_appinit.cmd at the end. Correct me if I'm wrong. Also, believe me, that's less trouble than having to uninstall the program and then reinstall it again. Many thanks for the help.

leecher1337 commented 3 years ago

Wrong way round... you want to DEL appinit (DISable it), then reboot, install the update, and after you are done ADD appinit again (as you want to ENable it).

AngryDavid808 commented 3 years ago

Okay, thank you for the correction. The code itself kinda got me confused, sorry for the mix-up. In any case, I hope for the best of this amazing project, there're more critical bugs that need to be taken care of, I'm sure.

AngryDavid808 commented 3 years ago

Okay, I found out about something interesting just now. I was messing around with Autoruns, a program that is a part of the SysInternals Suite, doing simple stuff, changing startup settings, all that, when I decided to look up ldntvdm.dll (since I saw an AppInit entry and since ldntvdm.dll hooks into csrss.exe as you say upon startup, correct me if I'm wrong) and sure enough, it popped up!

My thought is that maybe I can just deactivate the dll from that program as an alternative way of preventing it from hooking into csrss.exe and locking it, causing updates to fail, instead of doing the same thing with batch files. Just thought it'd be nice to share what I found out about here.


leecher1337 commented 3 years ago

You can also use Autoruns to deactivate it, if you prefer, sure :-) What is interesting is that you say it's the hook in CSRSS.EXE that does the blocking? I thought it may be the hooking of conhost.exe, as it always fails when trying to replace conhost.exe. Did you do some analysis leading to csrss.exe?

AngryDavid808 commented 3 years ago

No. The program never specified which exe it's locking, I don't know, you told me which executable it locked. My bad. Sorry. You verified that the exe it's locking is conhost.exe, not csrss.exe.

EDIT: Checked back on Autoruns to find anything useful about ldntvdm.dll other than deactivating it, nothing really useful so far. Again, really sorry for the confusion, maybe my phrasing was a bit bad or misleading. 😇

leecher1337 commented 3 years ago

Just as a note for myself regarding this bug: poqexec.log

1d63bd8670f322a: 0, 0, 0, 0, StartTime ;
1d63bd8673ecdaf: 0, 0, 0, 0, EndTime ;
1d68534d263459f: 0, 0, 0, 0, StartTime ;
1d68534d51a576f: 0, 0, 0, 0, EndTime ;
1d685356bbf08bd: 0, 0, 0, 0, StartTime ;
1d685356cbb5a9a: 0, 0, 0, 0, EndTime ;
1d68535a84688a1: 0, 0, 0, 0, StartTime ;
1d68535a8d09871: 0, 0, 0, 0, EndTime ;
1d68537ae995df3: 0, 0, 0, 0, StartTime ;
1d68537ae995df3: 74c, c0000043, 2a2, 0, HardLinkFile ;\SystemRoot\WinSxS\amd64_microsoft-windows-consolehost_31bf3856ad364e35_6.1.7601.24559_none_d2e4e50f31f32df1\conhost.exe, \??\C:\Windows\System32\conhost.exe
1d68537b2518460: 0, 0, 0, 0, InterferingProcess ; \Device\HarddiskVolume2\Windows\System32\wininit.exe
1d68537b2518460: 0, 0, 0, 0, InterferingProcess ; \Device\HarddiskVolume2\Windows\System32\winlogon.exe
1d68537b2518460: 0, 0, 0, 0, InterferingProcess ; \Device\HarddiskVolume2\Windows\System32\services.exe
1d68537b2518460: 0, 0, 0, 0, InterferingProcess ; \Device\HarddiskVolume2\Windows\System32\svchost.exe
1d68537b2518460: 0, 0, 0, 0, InterferingProcess ; \Device\HarddiskVolume2\Windows\System32\svchost.exe
1d68537b2518460: 0, 0, 0, 0, InterferingProcess ; \Device\HarddiskVolume2\Windows\System32\SearchIndexer.exe
1d68537b2518460: 0, 0, 0, 0, EndTime ;
1d68537cb9b7c37: 0, 0, 0, 0, StartTime ;

It seems that once a process opens a subprocess that uses conhost (i.e. starts cmd.exe), the loader opens a handle to conhost.exe in the parent process which never gets closed.

leecher1337 commented 3 years ago

No feedback given by user, assuming fix worked.

AngryDavid808 commented 3 years ago

I'll test the fix out as soon as possible. Sorry for the delay, I was a bit busy lately. 🤝❤

leecher1337 commented 3 years ago

Feel free to reopen issue should there still be any problems (which I doubt)

AngryDavid808 commented 2 years ago

Sorry for the very long delay. Just verified that your fix finally works, I no longer have to deactivate NTVDM to install updates. Thank you, leecher1337, I highly appreciate your effort. Keep it up! ✌❤❤