1.5.2

- Searching now starts from PAGELK and includes next 4 sections, instead of starting from PAGE and searching next 3 sections. (a.k.a. search now starts from 1 section prior.), solves #1 (comment)
- Service startup mode is now set to demand start, permanently solves #4 and other problems with signature enforcement.

Author: NevermindExpress

Driver.c

@@ -8,7 +8,7 @@ NTSTATUS DriverEntry(PDRIVER_OBJECT DriverObject, PUNICODE_STRING RegistryPath)
 	unsigned long long* KernelBase = NULL;	// Kernel Base address
 	ULONG KernelSize = 0;					// Kernel image size
 	unsigned int KernelSize2 = 0;			// Var used in loops as a max value
-	PAGESections ps[4] = { 0 };				// PE sections that name starts with "PAGE"
+	PAGESections ps[5] = { 0 };				// PE sections that name starts with "PAGE"
 	unsigned char* PotentialTimestamp;		// Potential address of ExNtExpirationDate/a
 
 	// Unrefence unused variables.
@@ -100,21 +100,18 @@ NTSTATUS DriverEntry(PDRIVER_OBJECT DriverObject, PUNICODE_STRING RegistryPath)
 			break;
 	}
 
-	const __int64 sectNamePAGELK = 0x0000000045474150; // "PAGE\0\0\0\0"
-
-
 	// Search for PAGE section at PE sections. This section or one of the next three sections is where the 
 	// "ExpTimeRefreshWork" function is located at, which later calls a function named "ExGetExpirationDate".
 	// Due to it's variable being, we will search the PAGE section and next three sections.
 
 	for (size_t i = 0; i < 768; i++) {
-		if (KernelBase[i] == sectNamePAGE) { // Check if we found the PAGE\0\0\0\0 section name.
-			TDPrint("[+] TimeDefuser: PAGE Section found at 0x%p with size %d\n", &KernelBase[i], *(int*)&KernelBase[i + 1]);
+		if (KernelBase[i] == sectNamePAGELK) { // Check if we found the PAGELK\0\0 section name.
+			TDPrint("[+] TimeDefuser: PAGELK Section found at 0x%p with size %d\n", &KernelBase[i], *(int*)&KernelBase[i + 1]);
 			int* temp = (int*)&KernelBase[i + 1];
 			ps[0].size = temp[0]; // Get the section size
 			ps[0].RVA = temp[1];  // and RVA
 			// Get the RVA and size of next three sections.
-			for (char j = 1; j < 4; j++) {
+			for (char j = 1; j < 5; j++) {
 				temp += 10;
 				ps[j].size = temp[0]; // Get the section size
 				ps[j].RVA = temp[1];  // and RVA
@@ -124,7 +121,7 @@ NTSTATUS DriverEntry(PDRIVER_OBJECT DriverObject, PUNICODE_STRING RegistryPath)
 	}
 
 	if (!ps[0].size) {
-		TDPrint("[X] TimeDefuser: PAGE Section not found!\n");
+		TDPrint("[X] TimeDefuser: PAGELK Section not found!\n");
 		goto patchFail;
 	}
 

README.md

@@ -2,7 +2,7 @@
 TimeDefuser is a kernel-mode Windows driver that patches the kernel to neutralize the expiration date (a.k.a. timebomb),
 which is seen on most prerelease builds that has been ever compiled.
 
-This patch patches the timebomb code itself in the kernel so it is the most effective and versatile way to neutralize it, instead of activation patching which is not available in many builds.
+This patch patches the timebomb code itself in the kernel so it is the most effective and versatile way to neutralize it, instead of activation patching (i.e. policy files or registry editing) which is not available in many builds.
 
 All builds are theoretically supported but not all builds are tested, see the notes for more info, or the end of this readme for screenshots.
 
@@ -34,11 +34,14 @@ It will not remove the expiration date of
 - Certain builds such as aforementioned are also subject to crashes by PatchGuard, while others such as the ones with the screenshots below are not. See https://github.com/NevermindExpress/TimeDefuser/issues/5#issuecomment-3369399950
 - Few builds can be patched with policy/spp files replacement. **Again, I KNOW 'THEY' CAN BE PATCHED**. "MUH FBL builds can be patched by doing X/can be used at current date without doing anything" well, my thing can patch **ALL** versions (except ones that have superior PatchGuard) while your method can only fix a few builds.
 ### Windows 10/11
-- Untested. Likely same as 8 unless KASLR is enabled, which is not supported by this driver.
+> [!IMPORTANT]
+> Windows 10 builds are also subject to flight signing, which are code signatures that gets invalid after expiration date, thus preventing system from booting or to be used properly. 
+> Getting over this requires additional work (resigning all binaries and disabling integrity checks, or patching bootloader & ci.dll) which is not covered by this project.
+- Works on pre-RTM, post-RTM ("insider") builds are untested but they likely are same as pre-RTM unless KASLR is enabled, which is not supported by this driver.
 
 # Usage
-1. Enable test-signing (and also disable driver signature enforcement at boot if you end up with boot recovery or signature error at boot)
-2. Download the latest release and obtain "devcon" utility (available in WDK).
+1. Enable test-signing (disabling driver signature enforcement might also be necessary.)
+2. Download the latest release and obtain "devcon" utility (available in WDK and also in some .cab files).
 3. Execute `devcon install C:\Path\to\TimeDefuser.inf Root\TimeDefuser`
 4. Allow the installition and wait for "Driver Installition Complete" message
 5. If your system didn't crash so far, check expiration date from "winver", if it's not there that means that it worked.
@@ -50,18 +53,21 @@ In all cases the usage of kernel debugger is required to tell which one of those
 
 Driver logs will look like this when it works:
 ```
-[*] TimeDefuser: version 1.5 loaded | Compiled on Oct 13 2025 01:44:57 | https://github.com/NevermindExpress/TimeDefuser
-[+] TimeDefuser: SystemExpirationDate is 0x10B72980
-[+] TimeDefuser: Kernel Base address is 0x81090000 and size is 5038080
-[+] TimeDefuser: PAGE Section found at 0x81090478 with size 2164706
-[+] TimeDefuser: searching at 0x8123C000 in 2164706 bytes
-[+] TimeDefuser: searching at 0x8144D000 in 18976 bytes
-[+] TimeDefuser: searching at 0x81452000 in 77340 bytes
-[+] TimeDefuser: Potential TimeRef found at 0x81463037
-[+] TimeDefuser: ExGetExpirationDate found at 0x813DE8F9
+[*] TimeDefuser: version 1.5.2 loaded | Compiled on Nov 10 2025 12:13:16 | https://github.com/NevermindExpress/TimeDefuser
+[+] TimeDefuser: SystemExpirationDate is 0x1d0fca547506980
+[+] TimeDefuser: Kernel Base address is 0xFFFFF802D388C000 and size is 8658944
+[+] TimeDefuser: PAGEDATA Section found at 0xFFFFF802D388C488 with size 62464
+[+] TimeDefuser: searching for stamp at 0xFFFFF802D3FF5000 in 62464 bytes
+[+] TimeDefuser: Timebomb stamp found at 0xFFFFF802D3FF5A10
+[+] TimeDefuser: ExpNtExpirationDate address is 0xFFFFF802D3FF5A10 (first occurrance)
+[+] TimeDefuser: PAGELK Section found at 0xFFFFF802D388C348 with size 98932
+[+] TimeDefuser: searching at 0xFFFFF802D3C62000 in 98932 bytes
+[+] TimeDefuser: Potential TimeRef found at 0xFFFFF802D3C63638
+[+] TimeDefuser: ExGetExpirationDate found at 0xFFFFF802D3E02BB4
 [*] TimeDefuser: Patch completed successfully.
 ```
-[(same thing as an image)](https://github.com/user-attachments/assets/cc475da5-e624-45e3-aaf2-cd22a7e65a8b)
+[(same thing as an image)](https://github.com/user-attachments/assets/7e48a48e-a2dc-4872-8825-6aa98df641e3)
+
 
 Builds with debug symbols are recommended to try, due to symbols making debugging much easier.
 
@@ -89,10 +95,11 @@ Builds with debug symbols are recommended to try, due to symbols making debuggin
 
 
 # Screenshots
-![Windows 8175 x64-2025-05-04-16-05-34](https://github.com/user-attachments/assets/380167b9-e24a-458a-b5ba-597313c6bbd3)
 ![Windows 7973 x64-2025-05-04-16-08-40](https://github.com/user-attachments/assets/f3d3a116-5b67-4b8f-bd4c-d907485a435b)
+![Windows 10072 x64-2025-11-10-12-53-19](https://github.com/user-attachments/assets/02bb0087-762a-4a2b-98c9-16b3bf850a0d)
 ![Windows 2526-2025-05-08-17-39-56](https://github.com/user-attachments/assets/24e4f5c9-5cdc-4eae-b91f-dc13bb93a22c)
 
+
 # Thanks to
 - **Microsoft** for Windows, Windbg and all else.
 - **archive.org and BetaArchive** for preserving beta builds and debug symbols.

TimeDefuser-vs13.sln

@@ -3,28 +3,28 @@ Microsoft Visual Studio Solution File, Format Version 12.00
 # Visual Studio 2013
 VisualStudioVersion = 12.0.21005.1
 MinimumVisualStudioVersion = 10.0.40219.1
-Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "TimeDefuser", "TimeDefuser-vs13.vcxproj", "{D2AF6553-1794-482F-9A99-94166BDCBAA0}"
+Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "TimeDefuser", "TimeDefuser-vs13.vcxproj", "{485FBB3F-2675-431D-A4D1-54A7294C76A2}"
 EndProject
 Global
 	GlobalSection(SolutionConfigurationPlatforms) = preSolution
-		Win7 Debug|Win32 = Win7 Debug|Win32
-		Win7 Debug|x64 = Win7 Debug|x64
-		Win7 Release|Win32 = Win7 Release|Win32
-		Win7 Release|x64 = Win7 Release|x64
+		Debug|Win32 = Debug|Win32
+		Debug|x64 = Debug|x64
+		Release|Win32 = Release|Win32
+		Release|x64 = Release|x64
 	EndGlobalSection
 	GlobalSection(ProjectConfigurationPlatforms) = postSolution
-		{D2AF6553-1794-482F-9A99-94166BDCBAA0}.Win7 Debug|Win32.ActiveCfg = Win7 Debug|Win32
-		{D2AF6553-1794-482F-9A99-94166BDCBAA0}.Win7 Debug|Win32.Build.0 = Win7 Debug|Win32
-		{D2AF6553-1794-482F-9A99-94166BDCBAA0}.Win7 Debug|Win32.Deploy.0 = Win7 Debug|Win32
-		{D2AF6553-1794-482F-9A99-94166BDCBAA0}.Win7 Debug|x64.ActiveCfg = Win7 Debug|x64
-		{D2AF6553-1794-482F-9A99-94166BDCBAA0}.Win7 Debug|x64.Build.0 = Win7 Debug|x64
-		{D2AF6553-1794-482F-9A99-94166BDCBAA0}.Win7 Debug|x64.Deploy.0 = Win7 Debug|x64
-		{D2AF6553-1794-482F-9A99-94166BDCBAA0}.Win7 Release|Win32.ActiveCfg = Win7 Release|Win32
-		{D2AF6553-1794-482F-9A99-94166BDCBAA0}.Win7 Release|Win32.Build.0 = Win7 Release|Win32
-		{D2AF6553-1794-482F-9A99-94166BDCBAA0}.Win7 Release|Win32.Deploy.0 = Win7 Release|Win32
-		{D2AF6553-1794-482F-9A99-94166BDCBAA0}.Win7 Release|x64.ActiveCfg = Win7 Release|x64
-		{D2AF6553-1794-482F-9A99-94166BDCBAA0}.Win7 Release|x64.Build.0 = Win7 Release|x64
-		{D2AF6553-1794-482F-9A99-94166BDCBAA0}.Win7 Release|x64.Deploy.0 = Win7 Release|x64
+		{485FBB3F-2675-431D-A4D1-54A7294C76A2}.Debug|Win32.ActiveCfg = Debug|Win32
+		{485FBB3F-2675-431D-A4D1-54A7294C76A2}.Debug|Win32.Build.0 = Debug|Win32
+		{485FBB3F-2675-431D-A4D1-54A7294C76A2}.Debug|Win32.Deploy.0 = Debug|Win32
+		{485FBB3F-2675-431D-A4D1-54A7294C76A2}.Debug|x64.ActiveCfg = Debug|x64
+		{485FBB3F-2675-431D-A4D1-54A7294C76A2}.Debug|x64.Build.0 = Debug|x64
+		{485FBB3F-2675-431D-A4D1-54A7294C76A2}.Debug|x64.Deploy.0 = Debug|x64
+		{485FBB3F-2675-431D-A4D1-54A7294C76A2}.Release|Win32.ActiveCfg = Win7 Release|Win32
+		{485FBB3F-2675-431D-A4D1-54A7294C76A2}.Release|Win32.Build.0 = Win7 Release|Win32
+		{485FBB3F-2675-431D-A4D1-54A7294C76A2}.Release|Win32.Deploy.0 = Win7 Release|Win32
+		{485FBB3F-2675-431D-A4D1-54A7294C76A2}.Release|x64.ActiveCfg = Release|x64
+		{485FBB3F-2675-431D-A4D1-54A7294C76A2}.Release|x64.Build.0 = Release|x64
+		{485FBB3F-2675-431D-A4D1-54A7294C76A2}.Release|x64.Deploy.0 = Release|x64
 	EndGlobalSection
 	GlobalSection(SolutionProperties) = preSolution
 		HideSolutionNode = FALSE

TimeDefuser-vs13.vcxproj

@@ -1,20 +1,20 @@
 <?xml version="1.0" encoding="utf-8"?>
 <Project DefaultTargets="Build" ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
   <ItemGroup Label="ProjectConfigurations">
-    <ProjectConfiguration Include="Win7 Debug|Win32">
-      <Configuration>Win7 Debug</Configuration>
+    <ProjectConfiguration Include="Debug|Win32">
+      <Configuration>Debug</Configuration>
       <Platform>Win32</Platform>
     </ProjectConfiguration>
-    <ProjectConfiguration Include="Win7 Release|Win32">
-      <Configuration>Win7 Release</Configuration>
+    <ProjectConfiguration Include="Release|Win32">
+      <Configuration>Release</Configuration>
       <Platform>Win32</Platform>
     </ProjectConfiguration>
-    <ProjectConfiguration Include="Win7 Debug|x64">
-      <Configuration>Win7 Debug</Configuration>
+    <ProjectConfiguration Include="Debug|x64">
+      <Configuration>Debug</Configuration>
       <Platform>x64</Platform>
     </ProjectConfiguration>
-    <ProjectConfiguration Include="Win7 Release|x64">
-      <Configuration>Win7 Release</Configuration>
+    <ProjectConfiguration Include="Release|x64">
+      <Configuration>Release</Configuration>
       <Platform>x64</Platform>
     </ProjectConfiguration>
   </ItemGroup>
@@ -29,28 +29,28 @@
     <ProjectName>TimeDefuser</ProjectName>
   </PropertyGroup>
   <Import Project="$(VCTargetsPath)\Microsoft.Cpp.Default.props" />
-  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Win7 Debug|Win32'" Label="Configuration">
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'" Label="Configuration">
     <TargetVersion>Windows7</TargetVersion>
     <UseDebugLibraries>true</UseDebugLibraries>
     <PlatformToolset>WindowsKernelModeDriver8.1</PlatformToolset>
     <ConfigurationType>Driver</ConfigurationType>
     <DriverType>WDM</DriverType>
   </PropertyGroup>
-  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Win7 Release|Win32'" Label="Configuration">
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'" Label="Configuration">
     <TargetVersion>Windows7</TargetVersion>
     <UseDebugLibraries>false</UseDebugLibraries>
     <PlatformToolset>WindowsKernelModeDriver8.1</PlatformToolset>
     <ConfigurationType>Driver</ConfigurationType>
     <DriverType>WDM</DriverType>
   </PropertyGroup>
-  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Win7 Debug|x64'" Label="Configuration">
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'" Label="Configuration">
     <TargetVersion>Windows7</TargetVersion>
     <UseDebugLibraries>true</UseDebugLibraries>
     <PlatformToolset>WindowsKernelModeDriver8.1</PlatformToolset>
     <ConfigurationType>Driver</ConfigurationType>
     <DriverType>WDM</DriverType>
   </PropertyGroup>
-  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Win7 Release|x64'" Label="Configuration">
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'" Label="Configuration">
     <TargetVersion>Windows7</TargetVersion>
     <UseDebugLibraries>false</UseDebugLibraries>
     <PlatformToolset>WindowsKernelModeDriver8.1</PlatformToolset>
@@ -65,24 +65,30 @@
   </ImportGroup>
   <PropertyGroup Label="UserMacros" />
   <PropertyGroup />
-  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Win7 Debug|Win32'">
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
     <DebuggerFlavor>DbgengKernelDebugger</DebuggerFlavor>
+    <TargetName>$(TargetName.Replace(' ',''))-x86</TargetName>
   </PropertyGroup>
-  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Win7 Release|Win32'">
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
     <DebuggerFlavor>DbgengKernelDebugger</DebuggerFlavor>
+    <TargetName>$(TargetName.Replace(' ',''))-x86</TargetName>
   </PropertyGroup>
-  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Win7 Debug|x64'">
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
     <DebuggerFlavor>DbgengKernelDebugger</DebuggerFlavor>
+    <TargetName>$(TargetName.Replace(' ',''))-amd64</TargetName>
+    <OutDir>$(SolutionDir)\$(ConfigurationName)\</OutDir>
   </PropertyGroup>
-  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Win7 Release|x64'">
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
     <DebuggerFlavor>DbgengKernelDebugger</DebuggerFlavor>
+    <TargetName>$(TargetName.Replace(' ',''))-amd64</TargetName>
+    <OutDir>$(SolutionDir)\$(ConfigurationName)\</OutDir>
   </PropertyGroup>
-  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Win7 Debug|Win32'">
+  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
     <Link>
       <Version>6.0</Version>
     </Link>
   </ItemDefinitionGroup>
-  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Win7 Release|Win32'">
+  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
     <Link>
       <Version>6.0</Version>
     </Link>
@@ -91,18 +97,19 @@
     <FilesToPackage Include="$(TargetPath)" />
     <FilesToPackage Include="@(Inf->'%(CopyOutput)')" Condition="'@(Inf)'!=''" />
   </ItemGroup>
-  <ItemGroup>
-    <ClCompile Include="Driver.cpp" />
-  </ItemGroup>
   <ItemGroup>
     <ClInclude Include="resource.h" />
+    <ClInclude Include="TimeDefuser.h" />
   </ItemGroup>
   <ItemGroup>
     <ResourceCompile Include="TimeDefuser.rc" />
   </ItemGroup>
   <ItemGroup>
     <None Include="TimeDefuser.inf" />
   </ItemGroup>
+  <ItemGroup>
+    <ClCompile Include="Driver.c" />
+  </ItemGroup>
   <Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" />
   <ImportGroup Label="ExtensionTargets">
   </ImportGroup>

TimeDefuser.inf

@@ -8,7 +8,7 @@ Class         = System
 ClassGuid     = {4d36e97d-e325-11ce-bfc1-08002be10318}
 Provider      = %ManufacturerName%
 CatalogFile   = TimeDefuser.cat
-DriverVer     = 10/15/2025,1.5.1.0
+DriverVer     = 11/10/2025,1.5.2.0
 PnpLockdown   = 1
 
 [DestinationDirs]
@@ -45,7 +45,7 @@ TimeDefuser-x86.sys
 [Service_Inst_x86]
 DisplayName    = %TimeDefuser.SVCDESC%
 ServiceType    = 1  ; SERVICE_KERNEL_DRIVER
-StartType      = 0  ; SERVICE_BOOT_START
+StartType      = 3  ; SERVICE_DEMAND_START
 ErrorControl   = 1  ; SERVICE_ERROR_NORMAL
 ServiceBinary  = %12%\TimeDefuser-x86.sys
 
@@ -64,7 +64,7 @@ TimeDefuser-amd64.sys
 [Service_Inst_amd64]
 DisplayName    = %TimeDefuser.SVCDESC%
 ServiceType    = 1 ; SERVICE_KERNEL_DRIVER
-StartType      = 0 ; SERVICE_BOOT_START
+StartType      = 3 ; SERVICE_DEMAND_START
 ErrorControl   = 1 ; SERVICE_ERROR_NORMAL
 ServiceBinary  = %12%\TimeDefuser-amd64.sys