In this post I’d like to talk about the x86 memory restriction in Windows.
As you may already know, every 32-bit build of the Windows operating system is limited to 4GB of memory, and part of that range is already used by the operating system to map the I/O addresses of hardware peripherals and other system-related structures. This results in even less available memory than the 4GB mentioned above.
In the x86 architecture, each virtual memory address is translated to its corresponding physical address using specific hardware tables that keep track of the virtual-to-physical mapping. These tables always used 32-bit pointers to address the entire physical memory range, and the CPU’s physical address bus always had 32 lines. These choices restricted the amount of supported memory to 4GB.
To overcome this architectural limit, Intel implemented a technology called Physical Address Extension (PAE), which allows modern CPUs to address up to 64GB of memory. x86 CPUs now have 36 address lines (52 on a full x64 CPU) and, from a low-level technical perspective, each page table entry holds a 64-bit pointer.

x86 PAE linear address translation scheme. Note that the linear address is still 32 bits wide, and note the number “40” printed in the scheme: 40 bits can address a total of 2^40 pages, and pages are 2^12 bytes wide, for a maximum of 2^52 bytes in total.
The question raised here is: why do current 32-bit operating systems still not support more than 4GB of memory, even though PAE is available?
Official explanations from Microsoft can be found on many websites. Basically, they say that some kernel-mode drivers are incompatible with higher memory locations and that, in any case, high memory is used to map physical peripherals. Readers can check out this article and this article.
While it’s true that some older drivers could be incompatible with high physical memory addresses because they could use the highest bits of a plain 64-bit physical address for other purposes (a behavior that goes against Microsoft’s guidelines anyway), is this the only reason why Microsoft doesn’t support more than 4GB on its 32-bit builds of Windows? Or is there something more, e.g. licensing restrictions meant to sell more 64-bit Windows builds and fewer 32-bit builds?
While analyzing Windows 8’s EFI loader, I came across a call located inside the function MmInitializeNucleus, which is called by MmInitSystem. This call contains the licensing verification that allows or denies Windows support for more than 4GB of memory.

A snapshot of the internal NT kernel memory initialization subroutines that query license information to determine the maximum amount of physical memory the system should be able to use.
If the system is not a server, ntQueryLicenseValue, called with the Kernel‐WindowsMaxMemAllowedx86 parameter, returns the value 0x100000. This value is then stored in a system-wide variable and used inside the MmInitSystem function. 0x100000 in hex is 1048576 in decimal which, multiplied by 4KB (the page size), gives 4GB. If we change that value from 0x100000 to 0x1000000 (16777216 in decimal), Windows will be able to see all 64GB of memory.
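How a 32-bit linear address reaches physical memory above 4GB under PAE, and how a page-count cap such as the 0x100000 value above relates to it. This is an added example, not code from Windows or from the author's tool: the table contents, addresses and function names are constructed, and `frame_within_limit` is a simplified model of a page-count limit.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PRESENT      0x1ULL                 /* bit 0 of every PAE entry */
#define PAGE_SIZE_2M 0x80ULL                /* PS bit in a PDE: maps a 2 MB page */
#define FRAME_MASK   0x000FFFFFFFFFF000ULL  /* bits 12..51: the 40-bit frame number */
#define FAULT        UINT64_MAX             /* returned when an entry is not present */

/* Constructed toy physical memory: four 4 KB frames (0x0000..0x3FFF) that
 * hold only the paging structures, stored as 64-bit entries. */
#define SLOTS (4 * 512)
static uint64_t table_mem[SLOTS];

static uint64_t read_entry(uint64_t table_phys, unsigned index)
{
    uint64_t slot = (table_phys >> 3) + index;
    return slot < SLOTS ? table_mem[slot] : 0;  /* outside the toy RAM: not present */
}

/* Walk PDPT -> page directory -> page table for a 32-bit linear address. */
uint64_t pae_translate(uint64_t cr3, uint32_t linear)
{
    unsigned pdpt_i = (linear >> 30) & 0x3;    /* 2 bits: 4 PDPT entries  */
    unsigned pd_i   = (linear >> 21) & 0x1FF;  /* 9 bits: 512 PDEs        */
    unsigned pt_i   = (linear >> 12) & 0x1FF;  /* 9 bits: 512 PTEs        */

    uint64_t pdpte = read_entry(cr3 & ~0x1FULL, pdpt_i);  /* PDPT is 32-byte aligned */
    if (!(pdpte & PRESENT)) return FAULT;

    uint64_t pde = read_entry(pdpte & FRAME_MASK, pd_i);
    if (!(pde & PRESENT)) return FAULT;
    if (pde & PAGE_SIZE_2M)                    /* large page: 21-bit offset */
        return (pde & 0x000FFFFFFFE00000ULL) | (linear & 0x1FFFFF);

    uint64_t pte = read_entry(pde & FRAME_MASK, pt_i);
    if (!(pte & PRESENT)) return FAULT;
    return (pte & FRAME_MASK) | (linear & 0xFFF);
}

/* A page-count limit expressed in bytes (4 KB pages). */
uint64_t limit_bytes(uint64_t max_pages) { return max_pages << 12; }

/* Simplified model (assumption): a frame is usable only if its page frame
 * number is below the page-count limit. */
int frame_within_limit(uint64_t phys, uint64_t max_pages)
{
    return (phys >> 12) < max_pages;
}

/* Build constructed tables mapping linear 0x80403000 to a frame at 6 GB. */
uint64_t demo_build_tables(void)
{
    memset(table_mem, 0, sizeof table_mem);
    table_mem[(0x3000 >> 3) + 2] = 0x1000 | PRESENT;          /* PDPT[2] -> PD */
    table_mem[(0x1000 >> 3) + 2] = 0x2000 | PRESENT;          /* PD[2]   -> PT */
    table_mem[(0x2000 >> 3) + 3] = 0x180000000ULL | PRESENT;  /* PT[3]   -> frame at 6 GB */
    return 0x3000;                                            /* value loaded in CR3 */
}

int main(void)
{
    uint64_t cr3 = demo_build_tables();
    uint32_t linear = 0x80403ABCu;
    uint64_t phys = pae_translate(cr3, linear);

    printf("linear 0x%08x -> physical 0x%llx\n",
           (unsigned)linear, (unsigned long long)phys);
    printf("limit 0x100000 pages  = %llu GB, frame usable: %d\n",
           (unsigned long long)(limit_bytes(0x100000) >> 30),
           frame_within_limit(phys, 0x100000));
    printf("limit 0x1000000 pages = %llu GB, frame usable: %d\n",
           (unsigned long long)(limit_bytes(0x1000000) >> 30),
           frame_within_limit(phys, 0x1000000));
    return 0;
}
```

The linear address never grows beyond 32 bits; only the frame number stored in the page table entry does, which is why a limit on the number of pages, rather than the address translation itself, decides how much RAM is visible.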

Screenshot of the 32-bit Windows 8 Release Preview using all available memory (even above the 4GB boundary).
I have developed a specific bootkit that patches on-the-fly the Windows kernel and changes that specific value. The tool is compatible with Windows Vista/7/8 (release preview) 32-bit builds. Clearly this bootkit is just for testing purposes and is not intended to be used on stable systems, as the Windows kernel is being patched and its integrity could be compromised, causing potential system crashes (though this is just a disclaimer; I didn’t run into any kind of trouble while testing it on our 32-bit systems).
Each patched 32-bit operating system was able to detect and use more than 4GB of memory, and everything went just fine.
DISCLAIMER:
This software and its documentation are free and come “as is” with absolutely no guarantee and no support. The software is just for research purposes and it must be used only in a testing environment. This software could potentially break your operating system by overwriting the Master Boot Record, thus preventing it from actually running. Don’t use this software unless you know exactly what you are doing. Use at your own risk.
If you accept this, download the tool from the following link: DOWNLOAD
That’s interesting… And it would be much more interesting with a link to a download 😛
I’m not sure what this article is trying to tell me. If the attempt was to blame Microsoft about the decision to not turn on by default the PAE technology, the topic is already well-explained in the first link you quoted in your post.
Quoting Mark Russinovich:
“However, by the time Windows XP SP2 was under development, client systems with more than 4GB were foreseeable, so the Windows team started broadly testing Windows XP on systems with more than 4GB of memory. Windows XP SP2 also enabled Physical Address Extensions (PAE) support by default on hardware that implements no-execute memory because its required for Data Execution Prevention (DEP), but that also enables support for more than 4GB of memory.
What they found was that many of the systems would crash, hang, or become unbootable because some device drivers, commonly those for video and audio devices that are found typically on clients but not servers, were not programmed to expect physical addresses larger than 4GB. As a result, the drivers truncated such addresses, resulting in memory corruptions and corruption side effects. Server systems commonly have more generic devices and with simpler and more stable drivers, and therefore hadn’t generally surfaced these problems. The problematic client driver ecosystem led to the decision for client SKUs to ignore physical memory that resides above 4GB, even though they can theoretically address it.”
The answer you’re looking for is already written in these words! x86 Windows OSs could actually handle more than 4GB of physical memory, but Microsoft decided to turn the PAE off by default on client SKUs because <>
On a server platform there’s no such diversity of available drivers, nor are there people installing and uninstalling software and drivers on a daily basis. So, on a server-based environment, it is safer to enable PAE technology (<>)
They tried to enable it by default on Windows XP SP2 but at that time there were just too many incompatible drivers.
This is a case of “nothing new under the hood”
So if I only have server-compatible hardware on my client, this patch should be ok, right? Otherwise, a server could crash with PAE support enabled.
Hi Claudio! That’s not totally correct. The main point here is that server systems often don’t need specific peripheral drivers like audio drivers, specific video card drivers enabling 3D features and so on to be installed. Those are the kind of drivers that sometimes turned out to be incompatible with PAE technology, thus causing BSODs. Just to be clear: that’s not a problem of PAE, nor is it a problem of Windows itself. It’s rather a problem of who developed such drivers.
This is the reason why PAE has been mostly used in server environments instead of client environments.
Hope this makes sense for you!
Hi CR3REG!
In all x86 Windows clients, starting from Windows XP SP2, PAE is enabled by default, trust me… MS decided for “discutible” reasons that physical memory above 4 GB would be disabled… Even on Windows XP SP3 we can implement the same patch, but it is a bit more difficult because on XP SP3 (a very old OS in my opinion), the OS loader inside NTLDR passes the total amount of supported physical memory to the NT kernel in a hidden parameter… making reverse engineering a bit of a challenge.
If you try, for example, to install a Windows Server 2003 Enterprise machine with more than 4 GB of RAM and with the same drivers as a Windows XP SP3 client machine, you can discover for yourself that the system will be very stable and will exploit all memory… The question is: is MS really really sure that enabling all memory makes the system become unstable?? Or is it only a license limit??? It’s not my job to answer this question, even if I have an answer in mind…
We are currently working to publish a safer Bootkit (still for “testing” purposes by the way)…
Regards,
Andrea
I don’t know if you are already aware of it, but the same Windows license key is valid for both 32 and 64 bit. Do you want to use more than 4GB of RAM? then install Windows x64 and use your license key.
Clearly if you don’t have a legit Windows license key then it’s worthless even talking about it, you’ll just download a pirated copy of Windows x64 instead of the x86.
Sorry, I’m still missing your point and I don’t understand why I should need to patch Windows kernel (something that you shouldn’t do if you want your system as stable as possible) while you can just install the x64 build
Hi,
I used the unawave tutorial successfully for 1 year now – without any problems. I would like to update to Windows 8 release as I got it from technet today – but I do not want to lose my 16 GB memory in my 32bit Windows.
Could you please mail me your little prog?
Thanks,
Josef
Hi! Our tool is ready since 9th August 2012. Now we are all in holiday. I think that maybe next week it will be available to public.
Have a nice holiday!
Regards,
Andrea
The blog post has been updated with the download link
another very interesting article, thanks.
(you’ll forgive me for writing in Italian, right?)
:))
Hi NV25!
Don’t worry, no problem if you write in Italian… Anyway, thanks a lot for the compliment. If you also try the attached tool you will find that the theory works… If I find the time to improve it, a version compatible with the recovery systems of HP, ASUS, and so on will come out as well…
Regards,
Andrea
Has it also been tested on the Windows 8 RTM?
thanks
Yes, yes, it works (or at least it should) fine on the Windows 8 RTM. The only problems encountered concern copies of Windows activated with the so-called Activators (loaders) and HP laptops with an integrated recovery function (they in fact use their own startup code). These are all problems that, if there is enough demand, we will fix in the next release…
In any case I confirm that Windows 8 RTM x86 suffers from exactly the same memory limit as its predecessors and that, with this tool, it is possible to bypass the limit…
Regards,
Andrea
this tool (BootkitInstaller) does not work in windows 7 sp1 professional
windows 8 enterprise (build 9200) detects more than 4gb ram but has some booting problems after 2 days
Hi Iqbal!
Could you give us more details? The available Memory tool was tested on all x86 Windows versions (Windows 8 included) and turned out to be incompatible only with cracked (illegal) copies of Windows (issue resolved with a new internal version, not published until there are some requests from you as customers)…
Could you give me details on your Windows 7 OS? Is it activated with an external activator program? Is it original or not already activated? Is it installed on a UEFI system??
Thank you
Andrea
windows 7 sp1 professional cracked with daz loader does not work with this BootkitInstaller
my
asus p8h67-m
4gb ddr3 ram
fully supported with windows 8 pro (9200)
are there any command line switches? i want to use it in unattended mode (in oobe.cmd or in setupcomplete.cmd)
location of 4gb ram limit in windows 8 iso, how to remove ram limit directly from windows 8 iso
Hello,
Congratulations on the very interesting articles.
One clarification must be made: these extensions have been present since the Pentium Pro (PAE) and the Pentium III (PSE-36).
The fact that it has never been used, at least at the desktop level, is a limitation of the chipsets, which never provided support (again at the desktop level) for amounts of memory greater than 4GB.
In fact, the limit used to be much lower; for example, my old Pentium III with a VIA northbridge supports at most 1.5GB of memory.
Now things have changed, but systems, Windows above all, take a while to adapt, if you consider that the Windows loader (NTLDR) still looks for EISA slots during the boot phase, a bus that has been obsolete for ages :-). In any case I believe they are pushing to move everyone over to the illusion of 64 bits (in reality, here too the chipsets and the various CPUs do not support all these bits for addressing; usually only 39 or 40 bits are implemented); in reality these CPUs are not true 64-bit CPUs, they use prefixes on the opcodes to use the internal 64-bit registers, in short it is all smoke and mirrors 🙂
Allow me to clarify that the illusion of 64 bits, as you call it, translates into the reality of an 8TB Virtual Address Space for each 64-bit process, against a limited 2GB VAS for each process and for the kernel itself on 32-bit Windows, with all the problems that entails.
For mission-critical applications with considerable amounts of data (DB, transactional, rendering), this is an absolute advantage, not an illusory one, not to mention that a 64-bit OS can support (at the moment) up to 2TB of RAM.
Let me clarify that the so-called 64bit illusion, as you wrote, actually translates into an 8TB Virtual Address Space for each 64bit process, compared to a limited 2GB VAS for each process and the kernel itself in a 32bit Windows system.
For mission critical applications (DB, transactional, rendering) this is an absolute advantage, not to mention that a 64bit Windows OS can address (at the moment) up to 2TB of RAM.
8TB of memory?
Wow… too bad that no motherboard on the market can take that amount of memory..
If you are talking about virtual memory, it means that on every Page Fault Exception the operating system goes to mass storage (hard disk) to fetch the rest of the code to execute, so there is no advantage in terms of performance.
More virtual addressing does not mean better; on the contrary, for me it means worse in the case of the Intel architecture.
I repeat that the current processors passed off as 64-bit are not 64-bit processors but are still 32-bit processors with a 64-bit extension; this means that prefixes have been implemented in the opcodes to allow a 64-bit value instead of a 32-bit one to be stored in the CPU’s internal registers.
As for the data bus, that bus has been 64 bits wide since the Pentium PRO, but nobody ever passed those processors off as 64-bit processors.
I also repeat that currently not all the bits are implemented (I am referring to physical addressing, not virtual).
Sorry, but I have been an Assembly programmer for many years, and I develop operating systems, so I understand something about this..
Why are you surprised by the 8TB of VAS per single process? If you claim to be an Assembly programmer who develops OSes, having these concepts clear seems to me the least one could expect.
And so you should also appreciate the improvement, in terms of orders of magnitude, that a 64-bit OS brings for kernel resources such as PTEs, paged & non-paged pool and the various internal caches.
I’m sorry to contradict you, but server systems that reach 2TB of RAM actually already exist; for mission-critical transactional DB applications they are decidedly useful, and it is only a matter of time before that value grows further.
The code of such applications is never that large; it is the data that occupies VAS, so having 2TB of RAM is, as you can see, decidedly useful, and a 32-bit OS would never manage it.
As far as I remember (e.g.: 8088 vs 8086 or 386/486SX vs 386/486DX) the 16/32-bit designation has always referred to the size of the registers (above all the IP, since it determined the VAS) and of the opcodes able to use them fully, not to the datapath; Wikipedia gives a more precise definition
http://en.wikipedia.org/wiki/64-bit_computing
You are right to say that at the moment current x64 processors are limited, but they are not smoke and mirrors; for an x64 OS we are still talking about a 256TB VAS (48 bits, and not even fully exploited), hardly peanuts
http://msdn.microsoft.com/en-us/library/windows/hardware/hh439648(v=vs.85).aspx
A 32-bit processor is not and never will be able to handle such a virtual or physical address space, not even the good old Pentium Pro, which was the first to use PAE to reach 64GB of RAM.
I have been a sysadmin/architect/IT manager for about twenty years and I truly appreciated the move to 64 bits; it definitely made my life easier, and it is not smoke and mirrors when you have to manage 150GB DBs…
You are right, systems with 2TB of RAM are already a reality (for a few); perhaps I never considered the server side, so lately I have fallen a bit behind. The fact remains that current Intel processors (x86 architecture) are not 64-bit processors 😛
Intel’s Itanium is a 64-bit processor, but it was a complete flop.
Anyway, in short, it is clear that there have always been the so-called supercomputers, but I was trying to make arguments that are more real, closer to ordinary people; and coming back to the article in question, the reason why Microsoft systems have had this limit is that at the desktop level such amounts of installable memory have never been seen, neither in the past nor today.
As for the topic of virtualization, I always have efficiency and optimization in mind, because I experiment in the field; I am not interested in what others say.
So, to sum up, 64-bit processors are smoke and mirrors because they are not real 64-bit processors; they solved some problems for you, but do not call them 64-bit processors: they are 32-bit processors with an extension that allows the use of 64-bit registers.
The opcode they use also creates many speed problems; they even get to 16 bytes for a single instruction, against just one byte or 2 bytes for 16-bit, so with 16 bytes, working at 16 bits, I am 8 instructions ahead compared with a single 64-bit instruction, which may be a simple addition instruction.
Finally, an example:
the drivers I have for my graphics card are useful to me too, otherwise I would see nothing; I know they are crappy drivers, but they are the only possibility I have to see anything on the screen 🙂
Allow me a remark: I don’t know what engineering background you have, but if a CPU has 64-bit registers, a 64-bit datapath and 64-bit opcodes, even if derived from a 32-bit architecture, it is to all intents and purposes defined as a 64-bit CPU; I am not the only one saying so
http://en.wikipedia.org/wiki/64-bit_computing
http://en.wikipedia.org/wiki/X86-64
Of course you will (perhaps) have speed advantages working with 16-bit opcodes on 16-bit data, but only on true 16-bit CPUs and with a 16-bit OS, because this reminds me of the pipelining and pre-fetching problems that these 16-bit opcodes already caused on 32-bit CPUs, let alone 64-bit ones.
Just think what complications you have to introduce when you need to work with int32, int64 or even more complex datatypes?
A 64-bit opcode loads everything needed into a GPR in a single clock cycle; a 16-bit CPU has to perform circus acts to obtain the same result, not to mention the operations involving such data…
And those speed advantages will vanish anyway as soon as you need to handle considerable amounts of data, as a 64-bit CPU + OS instead allow you to do.
Laptops or workstations with 8 or 16GB of RAM are no longer out of reach for normal users, so 64-bit CPUs and the related OSes are the natural evolution; calling all this “smoke and mirrors” is really reductive in my opinion.
We are not getting anywhere, I don’t know how to make you understand..
The first 64-bit registers implemented by Intel in their architecture were the MMX multimedia extensions, an instruction set that already included 64-bit registers, followed by the SSE, SSE 2 extensions etc…
The new extensions even have 256-bit registers (AVX).
Forget the engineering background, it has nothing to do with any of this.
Another example:
When I was a teenager (in the 80s) it was fashionable to modify mopeds, in particular the Piaggio Vespa; those who owned a 50 cc version of the Vespa could usually, with a few modifications (exhaust, cylinder, piston etc…), reach a speed of 70/75 km/h; I remember that the boldest took them even to 100/110..
I hope this example fits; it was simply a modified Vespa..
think of current Intel processors as modified processors; in reality they are not, as they say in the jargon, ‘Native’, but are adaptations, all because of the commercial war between Intel and AMD..
Intel first devised a completely new, true 64-bit architecture with the Itanium processor, but that brought compatibility problems that Intel did not take into account, namely it no longer worked with the previous architecture; think of flushing down the toilet 30 years of software that had been developed for the x86 architecture.
AMD then, intelligently, exploiting Intel’s resounding FLOP, adapted the existing x86 architecture to 64 bits without compromising compatibility.
Current x86 processors still start up in 16-bit mode, then you have to switch them to 32 bits, and then you have to enable the so-called Long mode, i.e. 64 bits; but note that once you are in ‘Long’ mode you can still run 32-bit and 16-bit protected-mode software.
A nice invention, no doubt about it; AMD was smart.
By contrast, if you take a true 64-bit CPU it does not let you run 16/32-bit software; it would make no sense, why would it.
Together with the Itanium CPU, Intel also invented the so-called EFI BIOS; that is, once you have a true 64-bit processor you also need a new BIOS, because we are still on the 16-bit one from the 80s.
Currently the EFI (UEFI) BIOS is an adaptation too, because basically as long as Intel processors start up in 16-bit mode there will still be the old BIOS as a layer beneath the EFI extension; anyway this is another story, and put this way it is also an oversimplification.
The fact is that breaking with compatibility is not simple; everything would have to be rewritten from scratch. Who would ever take on all that responsibility?
Anyway, from the way you express yourself I gather that you are a high-level programmer; sorry, but for me the only real programmers are those who program in Assembly, the others are amateurs. I did not quite understand what you meant about the pipeline; I advise you to leave Wikipedia alone and start running tests yourself if you want to understand how things work. Not even the people at Intel can fool me; I only trust my own experiments 🙂
Thanks for your bootkit, it is a very attractive idea.
Actually, it is not working on Windows 8 Pro MCE 32bit; it does not even boot.
When I installed your MBR patch, the system didn’t start the booting process anymore; it just stopped suddenly when it accessed the MBR routines.
I had to boot from a USB disk to restore my MBR with your bootkit (thanks), so my system works again.
But do you have any idea why it cannot patch my MBR and why it cannot boot?
Hi Tataniko!
I personally tested Bootkit with Windows 8 and it worked fine…
The only issues that it could raise is if you have a Windows Activation crack enabled. Could you give me some details about your configuration? (CPU Hard-Disk, memory,…)
Btw tomorrow I will retest it on a fresh Windows 8 MCE installation…
Hi Andrea,
thanks for your reply. I use a legal activated Windows 8 MCE, without any crack or hack on my Asus K73BR:
– 17’3 LED
– AMD E-450 CPU
– ATI 7470 GPU
– 320GB HDD
– 4GB DDR3 1333
My root contains only 3 files
– bootmgr
– pagefiles
– swapfile
I don’t use any boot manager. I installed your bootkit, and after the restart my PC stops suddenly when it accesses your microcode in the MBR.
Thank you for information!
I have just obtained an MCE copy of Windows 8. Tomorrow I will try it and get what’s wrong… In the meantime this morning I tested Bootkit with a clean copy of Windows 8 Pro x86, and all worked fine… I am wondering why Bootkit doesn’t work with your configuration… Some strange SCSI controller maybe? Have you tried with a clean USB key?
Btw I will let you know how does it work with MCE edition…
Regards,
Andrea
Hi Andrea,
thanks for your effort to make a good bootkit. I am wondering why your solution does not get more publicity, because it is a very good solution, and it is much better and easier than a kernel hack.
I read somewhere that the Windows 8 MBR is very different and more complicated than the others, and that if Windows 8 was activated once, then the MBR microcode will sign and validate winload.exe. I don’t know whether this is true or not, but it is a reasonable explanation of why my Windows 8 MCE does not boot.
Thanks again,
Tataniko
Hi Andrea,
Finally, I figured out, what is the problem.
The standard of UEFI uses “Secure Boot” option, and when Windows 8 was fully activated, the “Secure Boot” option became enabled.
So it is impossible to install any Bootkit or Boot manager.
User must deactivate “Secure Boot” in Windows 8 or in Bios.
Regards:
Tataniko
Hi All!
Bootkit was tested correctly with a copy of Windows 8 MCE x86 on the following physical machine:
– Asus P8Z77-V LE Socket 1155
– 24 GB DDR3 RAM (2 x 8 GB slot + 2 x 4 GB slot)
– Intel Core i7 3770 @ 3,40 Ghz
Test machine, when rebooted, has successfully recognized and used entire 24 GBs of physical RAM.
There are some points to clarify:
– This release works only with classical BIOS, not UEFI BIOS. If the system is UEFI-based, you have to install both Windows and Bootkit using the traditional compatible BIOS boot method. On ASUS MBs this means enabling the CSM boot option. If we get some requests we can implement a UEFI Bootkit as well in the next releases.. (it’s a totally different architecture)
– Secure Boot is activated and enabled ONLY on UEFI systems that use the UEFI boot mode. On this kind of system our bootkit WILL CERTAINLY NOT WORK. Readers can identify UEFI Windows 8 installations using the Disk Management MMC plugin (which shows at least 2 hidden partitions, named Recovery and EFI System).
At the time of this writing, there is NO way to enable Secure Boot on a BIOS system.
– Only certain rare kinds of drivers don’t work with this huge available physical address space (like the old Intel HD Graphics ones)
– The current release of bootkit is NOT compatible with Boot Windows Activators (loaders)
Andrea
Hi Andrea,
I’d like to request another Bootkit version for UEFI Bios, because lot of new generation motherboards and notebooks have this kind of microcode, and unfortunately many of them including mine have not any option in Bios to disable Secure Boot.
Thank you very much:
tataniko
Hi Andrea,
finally I managed to use your Bootkit. It is working well, I changed in Bios SATA mode from AHCI to IDE and now it is working. Thank you, I can access whole 4GB memory now.
But my machine seems kind of slow down when accessing data from Hard drive and this is an issue with the SATA drives being in IDE mode.
Is it possible to use your Bootkit in Sata AHCI mode?
Thank you again:
tataniko
ASUS laptop N61JQ-A1 i7 720 here, and after this bootkit was installed my system does not boot. Black screen with invite. I had to reinstall my backup with acronis and re-write my kms licence (legal one…)
Like tataniko I have to ask you if Is it possible to use your Bootkit in Sata AHCI mode?
best regards
oooops I have windows 8 enterprise RTM 9200
Hi Mike and Tataniko!
Yes, Bootkit is compatible with SATA AHCI and RAID controllers. I have tested it with an Intel Z77 (Series 7) AHCI controller and works well…
By the way I’ve seen that we have enough requests for this release. Next month (if all goes fine) I will (re)start testing and develop a new stable version compatible even with AHCI (as a free-time project). We need some testers. If some of you would like to test our releases just tell me and you will be contacted.
Regards,
Andrea
I also want to test new loader.
No problem for testing.. but I do not understand why I have to reinstall my kms licence (enterprise – legal) after acronis backup… I did it but I do not understand why I have to do that ? Anyway ready for testing… best regards
and Thank You Andrea 😎
hello
I just noticed that UHCI is disabled in my bios (ASUS N61JQ i7 720 4GB laptop) then it normally would have run your bootkit ? but he didn’t and I have black screen with invite on windows 8 boot..
any clue ??
May be because my windows 8 manager (Yamicsoft) enable UHCI (registry tweak UHCI enabled) ?
thanks for reply
Woooooo I DID IT !!!!!
First I put your bootkit on a usb drive, I unchecked UHCI in my Yamicsoft windows 8 manager and left my UHCI bios option unchecked too.
Rebooted with usb key and bootkit, after that windows reboot with 4GB :-)))
I dont know about stability, I will check but I used W7 before with kernel modded without any trouble.
I have to reinstall my Acronis boot now…
Thank you so much you are GENIUS
Hello
When rebooting without usb key I still have the 4GB limitation (2.93GB) ? is that normal ? booting bootkit from usb key is not final ?
Yes, that is normal. USB Installation is for testing purposes and comfort. In that way if something goes wrong, You have only to remove it and reboot as usual. For permanent installation you have to install RAM Bootkit as new replacement MBR. You have answered yourself initial question: the reason why Bootkit didn’t work for your configuration… Our bootkit indeed was not tested with external Boot managers (like Yamicsoft one). These characteristics are all part of “wish list” that you, readers could ask… XD
Thank you very much for “you are GENIUS”. I really appreciate it. But, trust in me, there are a lot of things that I still have to learn… 🙂 XD
Kind regards,
Andrea
I installed the bootkit permanently now, all is ok. it was not clear that the usb install is just a “try”. People must have to read this thread… Yes, genius is this bootkit, and you !
Thanks.
Best regards
Hi,
We were testing your solution on Virtual Machine running Windows 8 Pro. The virtual machine we gave 3.91GB RAM as the physical machine has 4GB RAM. When windows was first installed it showed 3.91GB (3.00GB Usable). Installed all windows updates available until today and activated windows using: http://mediafire.com/?k0y6ylc00a141cc
Installed your solution to MBR and we can confirm that it is working as expected and now the full 3.91GB RAM are used by the OS. Thanks for your great work.
Hi. I used your bootkit and it worked fine for 2 days. But after that, my computer can’t boot. I used my win8 disc to repair the MBR and now it works fine. I really want to be able to make full use of my 4GB ram. I use Win 8 Enterprise with a legal key. Do you have any suggestion for me?
Thank you very much
Hi Andrea
I reinstalled my Acronis Startup Recovery Manager (Acronis True Image Home – http://www.acronis.com/company/inpress/2007/03-15-boot-loader-3.html) on my system and your rootkit disappeared; when rebooting only 2.93GB is available.
I uninstalled Acronis Boot manager and the rootkit reappeared…
Windows 8 Enterprise. KMS legal licence.
Any clue about this ?
Best regards
ooops I mean Bootkit and NOT rootkit… sorry for this lapsus linguae
So I installed and ran on my Windows 7 pro Sp1 machine. Program ran fine and it booted up as normal after disabling data execution prevention on the BIOS but I am still showing a max ram of 3gig.
Program is showing that it is installed and running.
Any thoughts?
After installing this patch on W8 x32 I have blinking cursor on right corner (I have to restore my mbr to get W8 boot). On VMware it worked fine. How can I fix it? Thanks
When you get to command prompt during repairs run this:
bcdboot c:\Windows /s c: /l en-us
Hi Andrea,
can you explain what “Bootkit” is really doing ?
In your blog text you wrote:
“I have developed a specific bootkit that patches on-the-fly the Windows kernel”
Q1: Does “on-the-fly” mean that the Windows kernel is not patched physically ?
Q2: And if Microsoft updates the Windows kernel, will the “on-the-fly” patch still work ?
And how does it work “on-the-fly” ?
In your comment “1:39 pm on December 15, 2012” you wrote:
“For permanent installation you have to install RAM Bootkit as new replacement MBR.”
Q3: Is the MBR (Master boot record) changed (add additional code) so that the Windows kernel is changed “on-the-fly” ?
Q4: And is really MBR changed or is PBR (Partition boot record) changed ?
Hi NiFu and others!
Sorry for the delay but we were on holiday (I personally went to Zurich and rested a little).
Btw we are happy :-), we didn’t expect this kind of interest in our test bootkit. I have just started to work on a new, more stable release compatible even with UEFI. I am happy to answer your questions:
Q1. “on-the-fly” means that NO PHYSICAL files are patched on disk; they are modified only in memory by my application. Bootkit code alters Windows kernel files only when they are fully loaded in memory.
Q2. YES, the answer is positive, Microsoft updates still work. The worst issue that could arise is that the bootkit stops working, but the OS remains fully functional. This is indeed the “ON-THE-FLY” approach: if my code pinpoints some coherency errors, it refuses to modify memory.
Q3. MBR code is totally changed. My bootkit has a “starter” part, that loads the real Bootkit program, and obviously a main code part.
Q4. It is really the MBR, not a PBR.
@Serge: your problem is due to graphics drivers. Some old Intel drivers play this “joke” on our bootkit due to incorrect management of video memory. I think that if you update them, you will be able to correctly use all memory.
@James B: I have to go out and buy another physical test HD, then I will certainly let you know, ok?
I hope that these answers are useful.
We take the opportunity to wish you all a “Happy New Year 2013”!
Regards,
Andrea
Thank you for your quick answer, Andrea.
In the meantime I have verified. I used the freeware hex editor “HxD” which shows me the MBR or PBR. “Bootkit” is doing what you (and the log file) say:
● Copies the 1. MBR sector to 0x0000000C
● Adds “Bootkit” code to sector 0x0000000A
● Modifies 1. MBR sector to include “Bootkit” code
Background of my question for MBR/PBR:
I see in the log file that “Bootkit” checks the boot manager “bootmgr”. Surely to recognize the different boot managers from Vista/7/8. But what happens when I have a multiboot system with 2 or 3 partitions and 2 or 3 different boot managers? E.g.:
1. partition=Vista, 2. partition=Windows 7, 3. partition=Windows 8.
Or
1. partition=Win7 64 bit, 2. partition=Win8 64 bit, 3. partition=Win8 32 bit
Remark 1: Please send me an email if you have finished the UEFI version (also very interesting) or if you need a tester for it.
Remark 2: In your blog text you wrote:
“The tool is compatible with Windows Vista/7/8 (release preview) 32 bit builds.”
You should change it from “8 (release preview)” to “8 (RTM)”. And perhaps add: “Till now not for UEFI / secure boot”
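An added example, not part of the comment thread and not the bootkit's own code: a Python check for the layout described in the comment above. It confirms the 0x55AA signature in sector 0 of a raw disk image, lists non-empty sectors in the gap before the first partition, and flags any that look like a saved MBR (same partition table, different boot code). The image bytes, the function names and the assumption that the saved copy keeps the live partition table are constructed for illustration.

```python
import struct

SECTOR = 512
PT_START, PT_END = 0x1BE, 0x1FE   # four 16-byte partition entries
BOOT_CODE_END = 0x1B8             # boot code area, before the disk signature

def parse_partitions(mbr: bytes):
    """Return (type, first_lba, sector_count) for each used partition entry."""
    parts = []
    for i in range(4):
        off = PT_START + 16 * i
        ptype = mbr[off + 4]
        first_lba, count = struct.unpack_from("<II", mbr, off + 8)
        if ptype != 0:
            parts.append((ptype, first_lba, count))
    return parts

def audit_mbr_gap(image: bytes, max_scan: int = 2048):
    """Report non-empty gap sectors and sectors that look like a saved MBR."""
    mbr = image[:SECTOR]
    if len(mbr) < SECTOR or mbr[510:512] != b"\x55\xaa":
        raise ValueError("sector 0 has no 0x55AA boot signature")
    first = min((p[1] for p in parse_partitions(mbr)), default=max_scan)
    gap_end = min(first, max_scan, len(image) // SECTOR)
    report = {"nonzero": [], "mbr_copies": []}
    for lba in range(1, gap_end):
        sec = image[lba * SECTOR:(lba + 1) * SECTOR]
        if not any(sec):
            continue
        report["nonzero"].append(lba)
        same_table = sec[PT_START:PT_END] == mbr[PT_START:PT_END]
        other_code = sec[:BOOT_CODE_END] != mbr[:BOOT_CODE_END]
        if sec[510:512] == b"\x55\xaa" and same_table and other_code:
            report["mbr_copies"].append(lba)
    return report

def make_mbr(boot_code: bytes, first_lba: int = 63, count: int = 1000) -> bytes:
    """Build a constructed MBR: stand-in boot bytes plus one NTFS entry."""
    mbr = bytearray(SECTOR)
    mbr[:len(boot_code)] = boot_code
    mbr[PT_START + 4] = 0x07
    struct.pack_into("<II", mbr, PT_START + 8, first_lba, count)
    mbr[510:512] = b"\x55\xaa"
    return bytes(mbr)

def sample_images():
    """Constructed 64-sector images: one untouched, one with the reported layout."""
    original = make_mbr(b"\x33\xc0\x8e\xd0")      # stand-in for stock boot code
    clean = bytearray(64 * SECTOR)
    clean[:SECTOR] = original
    modified = bytearray(64 * SECTOR)
    modified[:SECTOR] = make_mbr(b"\xeb\x3c\x90")  # stand-in for replaced code
    modified[0x0A * SECTOR:0x0A * SECTOR + 4] = b"\x90\x90\x90\x90"
    modified[0x0C * SECTOR:0x0D * SECTOR] = original  # saved original MBR
    return bytes(clean), bytes(modified)

if __name__ == "__main__":
    for name, img in zip(("clean", "modified"), sample_images()):
        print(name, audit_mbr_gap(img))
```

Non-empty gap sectors are a lead rather than proof: boot managers such as the Acronis one mentioned in this thread also rewrite the MBR, so a hit is something to explain against known installed software.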
Hi Andrea. I have an Intel Core i5 750 CPU, MB: ASUS P7P55 LX and nVidia GTS 250 GPU and am using the latest BIOS and all drivers. I don’t have any integrated GPUs in the CPU or north bridge. I have the same problem with Win7. I was forced to install a patched Win7 kernel and it works. Maybe I need to change some BIOS settings? Looking forward to the new version of your bootkit.
Thanks.
installed this patch but after reboot a message like this is shown and the system (windows) doesn’t start:
– disk read error press ctrl+alt+delete to restart
what to do to make this work?
Hi Andrea and All
Happy New Year 2013 too
Have you any idea about the conflict between Acronis Boot Manager and your Rootkit? (The rootkit disappears when I install the Acronis boot manager and it reappears when I uninstall it.)
best regards
Do you mean the Boot Manager included with Disk Director Suite 10, right? I don’t know why it doesn’t work but I am starting to analyze it. I never used it before your requests.
@Vlad
Sorry, I don’t know why but it seems that your MBR is corrupted.
I think that you have a custom original MBR, and something goes wrong with it. In our next release we are going to implement a way for you to send us your installed NonStandard MBR…
@NiFu
Don’t worry. In our tests the bootmgr of the current Windows system is located on the first hard disk volume object. Btw I am investigating it to be completely sure…
Our blog post will be updated for the next release of Bootkit…
@ALL
For the sake of accommodation, could all of you that would like to test the new release of the bootkit send me a mail at the address “andrea.allievi@itsec.it” (without quotes) please?
Regards,
Andrea
Hi Andrea,
I tried to run your bootkit on Win 8 RTM (trial version) but after install and restart I didn’t see any difference (visible RAM is 3.5 GB while I have 16 GB physical RAM). Could you help me?
Janusz
OK, I forgot… my motherboard (P8P67 Deluxe) uses UEFI. Please design a version compatible with UEFI. A lot of modern motherboards use it instead of the old BIOS.
Janusz
Hi Andrea
I mean “Acronis® True Image Home 2011”, which is not part of Disk Director. Acronis True Image creates a boot manager on the MBR to boot on the “Acronis” Linux partition with the F11 choice in case of corrupted system files, for disk imaging recovery http://www.acronis.com/homecomputing/products/trueimage/
Hello Andrea and all
Sorry to bother you… but after a few days and a few reboots, this morning my laptop does not want to reboot anyway.
Windows 8 does not load and I have a looping reboot every time after the bootkit step – the bootkit step gives a blinking cursor for 1 or 2 sec before the boot looping.
I recovered my original MBR and disk signature with Acronis True Image and it’s OK, W8 boots but with an MBR error 3 code message.
The bootkit is no longer loaded at this time but I would like to know how to delete this bootkit from the MBR to avoid the MBR error code 3 message.
I’m not in a hurry… have a good we
best regards
Hi!
You can remove the bootkit with its installation program, or, if you have already restored the system MBR with Acronis, with some low-level disk utilities like DiskExplorer. If you read your previous bootkit installation log file you can find out which sectors it has used for installation. Just clear them (fill with 0), except the MBR sector obviously. However this operation is not needed if you have already replaced the system MBR, because the other used sectors are not referenced anymore.
To manually restore the system MBR you can use a Windows 7/8 DVD, open a command prompt and type bootrec /fixMbr.
The cursor blinking is typically due to some video drivers issue. Unfortunately we can’t fix them.
@ALL: Current development goes on. We have just implemented some custom boot loaders and activators compatibility, improved Nt boot code recognition and so on… Furthermore we have started UEFI implementation…
Regards,
Andrea
Thanks for reply
The MBR error 3 code message comes from Acronis T I, I just have to reinstall the boot manager after restoring the MBR and all is OK.
Any idea why the bootkit ran for a few days before killing my system suddenly? It’s annoying…
allo anyone ? are you alive ? 😎
Hi Mike!
Yes, I’m alive…. I don’t have any idea of the cause of your problem. Some driver change (from Windows update)?
By the way I am preparing a new more stable version with a “Report problem” tool.
Regards,
Andrea
Hi,
I tried this on Win 7 Pro and am facing the same problem: the system boots and restarts immediately. I’m using a Dell Latitude 5410 and the BIOS is set to use legacy mode.
Hi Andrea,
Thanks for your reply. Some MS updates every wednesday yes… @±£¢¤¬¦²³¼½!”/$%?¨^
Hi Andrea!
Thanks for your bootkit! It works, but I have a small problem.
Config:
– Windows 8 6.2 (build 9200) PRO VL
– 4GB RAM
Problem:
– I use the bootkit and have all 4GB, but Windows takes a very, very long time to boot:
Windows needs 4 minutes to load the start screen. After loading, the system is fully stable (memtest for Windows).
hello. any news ?… about bootkit
BIG PROBLEM!!!
I tried your bootkit on a legal Windows 8 Pro version. I have an HP 8760w with UEFI BIOS. I installed your bootkit and at first it ran, but after a restart the boot sequence stopped during BIOS setup and restarts endlessly. I tried to reinstall Windows 8 and tried all of the repair options but nothing helped; after a restart the boot sequence hangs again.
Do you have a tool to remove the bootkit installer?
thanks for your help
Do a low-level format of the whole hard disk and create new partitions…
Hi all!
Sorry for the delay but we have had a company transition.
The new release of our bootkit is ready. We are planning to release it with a brand-new article in a few working days….
@606320 – Yes, our installation program also works as a remover… Btw a fresh installation of Windows 8 can remove it without any problem. I don’t think that the bootkit could cause this kind of problem. BTW you can remove it by booting with a Windows DVD and typing “bootrec /fixmbr” at the console….
@maximum117 – The long boot delay is due to the BIOS segment used. On some physical PCs this could lead to problems because the bootkit segment seems to be partially used by BIOS code. The issue is already fixed in the new release.
Stay tuned! We will release new article with bootkit application soon (testers who wrote me have already received a test copy)…
I wish you all a nice weekend!
Andrea
Doesn’t work for Windows 7 Premium; after installation of the bootkit and rebooting, the PC cannot find the operating system.
Can anyone help me? After I installed this bootkit, I can’t boot Windows 7 and even if I can, it will show a black screen and nothing else. My Windows is 32 bit Windows 7 Home Premium.
Hi! This is unstable, sometimes the system boots, but sometimes not (even the logo of the booting process does not appear).
But I found an interesting thing: your Windows is going to work again at least once…
Insert a Windows 7 or Windows 8 DVD and select Repair your computer -> Windows Memory Diagnostic -> Restart now and check for problems.
Your computer will boot Windows Memory Diagnostic. Press F1, select Basic and press F10. After checking your memory (few minutes this process), your PC will be restarted and it will boot into Windows.
So I guess maybe “Windows Memory Diagnostic” is the key of your problem. I really don’t know why after checking memory, PC is booting.
Rectification: select Repair your computer
Note: “Windows Memory Diagnostic” is run from hard disk. 😉
New version is completely stable and it will be published very soon… accompanied with an entire article that explains how to correctly install and remove it… Give us just few hours…
Andrea
Ciao, Andrea
Your bootkit works perfectly. Which is why you’ll have a problem with some unhappy users 🙂
The problem is, Intel HD drivers for Vista/7/8 are not compatible at all with more than 4GB of memory (this is not a limitation of your bootkit btw, it applies to all 4GB patches that exist).
This means that users of Intel HD (i.e. on Sandy/Ivy Bridge) will end up with BSoD’s (on desktop machines) / black screens (on laptops).
HOWEVER. Installing the Windows XP version of the Intel HD drivers – instead of the Vista ones – will work; true, you won’t get desktop composition et co. anymore (on 7/8), but you’ll be able to use all your RAM.
However, there’s a serious problem with that: Optimus won’t work; so if you have a laptop with Intel+Nvidia cards, you can kiss the Nvidia one goodbye; it will never work (drivers will install, but the software won’t recognize it). That’s because Optimus NVIDIA chipsets use the DACs in the Intel graphics card – so no driver support means no NVIDIA acceleration.
Note: if you outright disable the on-chip Intel HD (as I do on my i7 desktop machine), there will be no problem whatsoever.
To sum it all up:
– if you don’t have Intel HD, or if you disable it, you’ll be fine;
– if you have Intel HD, on Vista/7/8 you have to choose between 4GB+ support (with XP drivers, so no Aero) and blue/black screens at boot;
– if you have an Optimus video card (most laptops do), you won’t be able to use it (Intel XP driver issue)
PS. no Intel drivers exist that would work. Sorry. XP ones don’t support Aero/Optimus, Vista ones crash with more than 4GB of RAM. That applies to all versions I’ve seen in the last 2 years, since I discovered the problem.
So I:
a) wish to personally congratulate you on a job well done;
b) would recommend that you make the warnings above public – I guess, the more popular your solution becomes, the more the people will stumble upon it.
Feel free to post this info on your blog, in whole or in part. Also, if there’s any question you might have about the above, feel free to contact me.
Best regards, and congratulations,
Mircea
Hi Mircea!
First of all, thanks for your compliments. And also, many thanks for the valuable information you give us. I knew something about Intel drivers… but I didn’t know these kinds of details. In future, when I have some spare time, I’ll certainly investigate this. I don’t understand why on Windows Server 2008 that kind of driver doesn’t crash (same kernel as Vista/7)… I have to reverse them!
By the way, at the end of February we released a new, more stable version of our bootkit (check the blog), that can be installed even on the system VBR.
Windows XP was not really taken into account due to the lack of time (we have other projects, nobody pays us to develop this free release), and also because in our opinion XP has some limitations in its kernel (as with all kinds of 12-year-old operating systems).
Thank you
Regards,
Andrea
The bootkit is a pretty good solution. But, I would go for a static kernel patch instead of the in memory patching method. As previously stated by you and many other users, the patch changes the MBR and this could become a problem with some applications that use the volume licensing method (some licensing applications also read data from the MBR). With a static patching method, the kernel is always patched and there is no need for a loader. If you want to remove the static patch to the kernel, additional code can be written so that the same application that statically patches the kernel is able to unpatch it (rewrite the original code in the kernel, which would only require a restart).
Regarding the addresses above 4GB and the memory mapping of the devices, I’m not an expert at this, but maybe there is a way to force the drivers to only use the memory below the 4GB limit and let applications use the memory above this limit (applications can also use the unmapped memory by the devices below the 4GB limit)? Maybe there is a way to force the drivers to only see the memory below the 4GB limit, but the OS and all other applications can see the full amount of the available memory? This would require further reversing, but I think that it is possible.
There is one more statement that I would like to address. Many of us are still using XP/2003. For example, I’m using Server 2003 as a workstation. Why? Well, the OS is a lot more stable than XP, the kernel is basically the same, but the Server 2003 kernel is faster (if you have a lot of memory on your rig) and it allows me to use the 6GB available on my rig. That being said, some of us still use XP/2003 as a main workstation OS. Some of the reasons are related to the simple interface (not everybody likes transparent windows and touch device compatibility, some of us are fine using the keyboard and mouse method), but for the most part, I think that many people are still using this “outdated” OS (as referred to by Microsoft and yourself) because of application compatibility, an issue that still hasn’t been resolved by Microsoft. Some of us use CAD/CAM/CAE applications (or any other application that does not fall under your average “surf and have fun” range of applications) that either don’t run well under Windows 7/8, or don’t run at all. Some of these applications are no longer developed (or not updated regularly), but for the most part, they still do their job. Now, WinXP has no problem running these applications, but this is not true for any more recent version of Windows. Well, isn’t this the whole point of the PE application standard? Run your application on any flavor of Windows? With recent versions of Windows, this seems to be less and less true. So, for me, this is the only reason why I’m still stuck with XP/2003. That’s why I think that you should also think about addressing the issue with the 4GB limit on XP and make the patch/loader compatible with XP. I think that many users would still be using XP if it wasn’t for the 4GB limit. 
I read some of your answers on the blog and I know that you ran into a lot of obfuscated code during the process of reversing this 4GB issue on XP (I guess this is exactly why there is no 4GB limit patch for XP to date), but I think users would appreciate the extra effort. I haven’t run into any driver issues (BSOD) using Server 2003 with 6GB of RAM, so I guess the same thing would apply to Windows XP if the kernel is patched. For ease in reversing, you could compare how Server 2003’s licensing is done and duplicate the process in XP. This might raise issues with Microsoft, but hey, nobody is forcing anybody to use the patch. It’s here, it’s available, as you state in your blog, use it at your own risk.
MDR wrote:
> so I guess the same thing would apply to Windows XP if the
> kernel is patched.
Nope. Used to be true with XP SP1 (actually, no patch was necessary for XP SP1); in SP2 however, they outright removed the necessary code from the _HAL_ (the kernel itself is ok). XP will never work unless you use a HAL from a different system, and I ran into SOFTWARE_LICENSING_ERROR BSoD’s when trying to do so 🙂
The above is pretty well documented – google it. And in the mean time, you’re stuck with either vanilla Srv2k3 or Vista+ with patch/bootkit.
OK, so, what you’re saying is that even if you use the necessary code from XP SP1 (the omitted code from the HAL on SP2 and SP3) and inject it in SP2 or SP3, the system would still BSOD with a software licensing error?
> OK, so, what you’re saying is that even if you use the
> necessary code from XP SP1 (the omitted code from the HAL
> on SP2 and SP3) and inject it in SP2 or SP3, the system
> would still BSOD with a software licensing error?
Not at all – I ran into that while attempting to run WinXP on the Server 2003 kernel 🙂
It never occurred to me to attempt to run xp sp3 on the xp sp1 hal. You know, that might just work 🙂 I don’t have any xp machines anymore, but by all means, if you try it, do report on your experience 🙂
Well, I’ll give it a shot ;). I’m not that experienced in reversing (I know a thing or two :D), but I will try to run XP SP3 with the HAL from XP SP1 ;). Will write if I have any results ;).
Can the bootkit be made to patch the kernel of XP SP3 “on the fly” (in memory) with the HAL from XP SP1?
Also, see http://support.microsoft.com/kb/888137
It is a bit unclear to me whether XP SP1 would support MORE than 4GB (I think you need to explicitly enable PAE for that, since SP1 probably won’t, given that DEP was included with XP-SP2/Vista-RTM; also, the kernel is ntkrnlpa.exe or its mp version).
All I can say is, with 4GB of mem, SP1 will see almost 4GB with SP1, instead of the 3.5G or 2.75G it would see with SP2+.
I find it likely though that SP1 would be limited at 4GB, given that the lesser editions of Server 2003 had that cap as well. That’s why I tried running XP on a Server 2003 kernel – and failed, with a stop 9A, SYSTEM_LICENSE_VIOLATION (5,0x13c9,2,0x40000000)
Maybe the Server 2003 kernel checks the CRC or the version of some of the runtime libraries during boot up, maybe that is why you’re getting the BSOD. It sees runtimes with minor version number 1 (Win XP = Win Ver 5.1) and requires a 2 (Server 2003 = Win Ver 5.2), so it just BSOD’s with a SYSTEM_LICENSE_VIOLATION error.
I think this should be investigated further.
Hi, I tried the patch on my system but now it no longer boots. I think I did something stupid, because I only found out afterwards that an HP boot manager was installed on the machine. Now as soon as I power on, the following message appears: “Client Automation OS Manager Boot Loader Build 1.32.4.4 (C) 2007 Hewlett-Packard”
and it goes no further. I have already tried to fix the MBR but it refuses to start again. Can you help me in some way? I would like to avoid formatting.
Thanks
Emanuele
You are using an old release. Go here: http://www.saferbytes.it/2013/02/28/saferbytes-x86-memory-bootkit-new-updated-build-is-out/ and download the updated release…
On the blog post you will also find the complete removal instructions. In short: Windows DVD, console, “bootrec /fixmbr” if you installed it as the new Master Boot Sector, “bootrec /fixboot” otherwise…
Regards,
Andrea