Anti Wpa 3 Documentation

_____          __   __ __      ____________  _____    ________
/  _     ____ /  |_|__/      /  ______   /  _     _____ 
/  /_  /       __|     //   /|     ___/  /_      _(__  <
/    |    |   |  |  | |  |        / |    |  /    |      /      
____|____|___|__|__| |__| __/  /  |____|  ____|____/ /______  /
/                              /
Let’s activate later…
Version 3.4.6 for x64 and x86

How to use:
Start AntiWPA3.cmd to install/uninstall the patch

What the patch modifies:
* HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows NTCurrentVersionWinlogonNotifyAntiWPA
is added to Registry

* File C:windowssystem32AntiWPA.dll is added

* HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows NTCurrentVersionWPAEvents]
data for “OOBETimer” is changed {=OOBE}

* rundll32 setupapi,InstallHinfSection DEL_OOBE_ACTIVATE 132 syssetup.inf
rundll32 setupapi,InstallHinfSection RESTORE_OOBE_ACTIVATE 132 syssetup.inf
is executed which will remove/restore WPA-links from the startmenu

How it works:

It tricks (hooks user32.dll! GetSystemMetrics(SM_CLEANBOOT{=0x43}) & ntdll.dll!NtLockProductActivation)
winlogon.exe to make it believe it was booted in safemode,thus, winlogon skips
the WPA-Check. *Note (…because some ppl were concered about): The hooks *ONLY*
affect winlogon.exe! They *DO NOT* affect any other exe or dll.

The patch auto-runs on each start before the WPA-check via:
HKLMSOFTWAREMicrosoftWindows NTCurrentVersionWinlogonNotifyAntiWPA

The hooks are applied when AntiWPA.dll!onLogon is called by winlogon.exe.
The Winlogon.exe file on the harddisk is not altered anymore.
Patching (API-Hooking) is done in memory, so there are no problems with
Windows System File Protection.

Installation is performed via AntiWPA.dll!DllRegisterServer (“regsvr32 AntiWPA.dll”).
The file is copied to systemdir and the registrykeys are added.
(Note: AntiWPA.dll is no ActiveX selfregisterdll.)
Uninstallation is done via AntiWPA.dll!DllUnRegisterServer (“regsvr32 -u AntiWPA.dll”).

F A Q  – Frequently Asked Questions

How to check if it’s really active
check if antiwpa.dll is loaded
enter in console (cmd.exe)
TASKLIST /M /FI “MODULES eq antiwpa.dll”
Check and see if you have the Process Winlogon.exe as output

I have Install AntiWPA 2.00. Should I uninstall it to update?
They both work well. They both ‘target’ the same function in
Winlogon.exe, so it’s running well – don’t touch it (Never touch a running system.)

Do I have to reinstall every AntiWPA 3 after I’ve installed a servicepack ?
No, you don’t need to. The patch isn’t undone by service packs anymore.
Since it doesn’t modify winlogon.exe, it’s no problem if winlogon.exe is
replaced by a new version.

What is the difference between AntiWPA 2 & AntiWPA 3?
AntiWPA 2 directly modified winlogon.exe (on hard disk) to make it skip
over the product activation check.
AntiWPA 3 intercepts (in memory via API-Import-Hooking) winlogon.exe’s request to
the OS whether Windows was booted into Safe-Mode or not.
It makes the OS always return “yes”, even if Windows is running in ‘normal mode’,
winlogon is thinking it’s running in safemode and skips the product activation check.

How do I integrate it into Windows Setup?
I haven’t done/tried this yet.
What you would have to do is manage these tasks somehow:
1. Add antiwpa.dll to the installation package
2. make it execute once “regsvr32 /s antiwpa.dll”
(or “rundll32 antiwpa.dll, DllRegisterServer”) for more about

Thanks to Hackedout for his solution. Let me summarized it:

1. Copy i386 folder from the cd C:i386

2. Execute “makecab.exe antiwpa.dll”
Copy compressed file antiwpa.dl_ to C:i386

3. Edit the following files from i386:

DOSNET.INF     [Files]

d1,antiwpa.dll    <-insert that line

search for ‘WinlogonNotifycscdll’ & insert the lines so it will look like that:

…HKLM,”SOFTWAREMicrosoftWindows NTCurrentVersionWinlogonNotify”,,0x00000012
HKLM,”SOFTWAREMicrosoftWindows NTCurrentVersionWinlogonNotifyantiwpa”,,0x00000012
HKLM,”SOFTWAREMicrosoftWindows NTCurrentVersionWinlogonNotifyantiwpa”,”DLLName”,0x00000002,”antiwpa.dll”
HKLM,”SOFTWAREMicrosoftWindows NTCurrentVersionWinlogonNotifyantiwpa”,”Asynchronous”,0x00010003,0
HKLM,”SOFTWAREMicrosoftWindows NTCurrentVersionWinlogonNotifyantiwpa”,”Impersonate”,0x00010001,0
HKLM,”SOFTWAREMicrosoftWindows NTCurrentVersionWinlogonNotifyantiwpa”,”Logon”,0x00000002,”onLogon”
…HKLM,”SOFTWAREMicrosoftWindows NTCurrentVersionWinlogonNotifycscdll”,,0x00000012

TXTSETUP.SIF   [SourceDisksFiles]
search for ‘aaaamon.dll’ …

…a_pnt518.ppd = 1,,,,,,,,3,3
antiwpa.dll = 1,,,,,,,2,0,0
..aaaamon.dll = 1,,,,,,,2,0,0

4. Make sure that these files were saved/copied to C:i386



Some (untested) proposals – if someone confirms that they work
I will finally include them in the instructions
*  To make antiwpa.dll to remove the activationlinks from the start menu
add the following line to ‘HIVESFT.INF’
HKLM,”SOFTWAREMicrosoftWindowsCurrentVersionRunOnce”,”antiwpa”,0x00000002,”regsvr32 antiwpa.dll /s”

OR !!! (but this is more experimental) replace the line
HKLM,”SYSTEMSetup”,”CmdLine”,0x00000002,”regsvr32 antiwpa.dll /s”
theoretical it should start antiwpa-install instead of the OOBE-Let’s activate at first start
so it works you can also leave out the ‘HKLM,WinlogonNotify’-part

*  leave out the ‘DOSNET.INF’-part I seem be unnecessary and to only cause an
file not found error in the ‘dos’ file coping stage


And to draw some other solution posted by some guest:

1. Copy CD content to C:WindowsCD

2. Use setupmgr.exe to create an answer file
add the following in the “Run Once” section of setup manager:

Unattend.txt/winnt.sif should now include the following section:
Command0=”regsvr32 /s %SYSTEMDRIVE%antiwpa.dll”

Edit the [Unattended] section, changing OemPreinstall=No to

copy winnt.sif to the C:WindowsCDi386 folder

3. copy antiwpa.dll to C:WindowsCD$oem$$1 (Create Folder)
Note: All files contained in the “$oem$$1” folder will be
copied to the C: drive during installation.

Before-WPA-emergency console:

This will setup some kind of emerency console. The program specified in
CmdLine will be run before the normal logonscreen and before the WPA-Check.
Now you don’t need to boot in safemode if something went wrong.

“CmdLine”=””C:Total CommanderTOTALCMD.EXE”

Deny the user ‘system’ writeaccess(Set value) on HKEY_LOCAL_MACHINESYSTEMSetup
or the system change SetupType value after each logon.
You can use explorer.exe as CmdLine but note it might cause problems later.

Reseting the Activation Trial:
Simply execute ‘rundll32.exe syssetup,SetupOobeBnk’.
That is some kind of offical way to rest the Activation Trial.
Take Care it will work only work for about 4 times.
A ‘total reset’ is not very userfriend and described in detail here.

Just to draw the picture you will need to export HKLMSystem to a
tmp reg-hive file. Import that reg-hive(or structure) file to delete
HKLMSystemWPA and the Rest
HKLMSOFTWAREMicrosoftWindows NTCurrentVersion “LicenseInfo”=””
shutdown window and copy/overwite the reg-hivefile to system32configsystem
from an other OS or the Windows-CD recovery console.

A (boring) Step by Step to do a manual Install

To do a Clean Uninstall:
1. Click on StartExecute [Or press Winkey+R] and Enter
regsvr32 antiwpa.dll -u
-> you should get DllUnregisterServer succeded
2. Reboot
3. In the Explorer to c:Windowssystem32 and delete antiwpa.dll
(Note it’s important to use the explorer which is an 64-bit app because 32bit apps like the TotalCommander won’t see the real system32-folder)

Now do an Manuall install:
1. open the Antiwpa-V3.4.3AMD64 dir
2. run
regsvr32 antiwpa.dll
well one way to do this is to copy antiwpa.dll to c: then click on
StartExecute and enter ‘Cmd.exe’ ein dos-console enter
regsvr32 antiwpa.dll
-> you should get DllregisterServer succeded

Check the installation
1. now go c:Windowssystem32 and check if antiwpa.dll was successfully copied.
2. reboot
3. run “Start”Execute ‘Cmd.exe’ and enter
TASKLIST /M /FI “MODULES eq antiwpa.dll”
Check if you get the Process Winlogon.exe as output
(this will ensure that antiwpa.dll is loaded and is really active)

Check the installation
1. Forward your date about 1 year and reboot
2. if you can login there is no doubt that antiwpa is really working
if not boot in safemode restore your date and run (“Start”Execute)
rundll32.exe syssetup,SetupOobeBnk
to reset the trial (but beware the this trick will only work for about 4 times!)
3. but I hope now everything is working

If not setup the windows RemoteDesktop connection and mail connectioninfos to cw2k ät


AntiWPA.dll was done by
______ ________ ______ __  __        _______  ____   _______
|      |  |  |  |__    |  |/  |      |   |   ||    | |_     _|
|   —|  |  |  |    __|     <   &   |       ||    |_  |   |
|______|________|______|__|__|      |___|___||_______||___|



3.4.6 updated antiwpa-site-url in readme.txt
Changed API-hook order maybe now it will also work on vista

3.4.4 Bugfix: Rename 32-bit dir back to x86
Minor: readme updates
Added IA64 Version

3.4.3 Baseaddress change to 0x5000 0000 to avoid to need to relocating the Dll

3.4.2 Bugfix: Relocating the Dll failed – set writeflag to .text-section to fix

3.4   Now it uses import hooks (instead of export ones): Disam part is not need anymore – Dll size reduced

3.3   Install/Uninstall routine for OOBE-Fix and remove activate-links added to AntiWPA.dll

3.2   Internal version (Not released)

3.1  Install/Uninstall routine via regsvr32 added to AntiWPA.dll
Version info added to AntiWPA.dll

3.0 BETA   initial Release

Visit ASCII Text Signature Generator.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

%d bloggers like this: