1.8.4.2 fixes 21390

Author: NevermindExpress

Installer.bat

@@ -1,3 +1,4 @@
+@echo off
 rem ====================================================
 rem	TimeDefuser Service Installer Script
 rem

README.md

@@ -53,7 +53,7 @@ Getting over it will weaponize this already versatile patch, so disabling PatchG
 > [!IMPORTANT]
 > Windows 10 builds are also subject to flight signing, which are code signatures that gets invalid after expiration date, thus preventing system from booting or to be used properly. 
 > Getting over this requires additional work (resigning all binaries and disabling integrity checks, or patching bootloader & ci.dll) which is not covered by this project.
-- Works on pre-RTM, post-RTM ("insider") builds are untested but they likely are same as pre-RTM unless KASLR is enabled, which is not supported by this driver.
+- Tested on pre-RTM Windows 10 and early Windows 11 insider builds (i.e. 21390). Builds with security features enabled such as KASLR are not tested.
 
 # Usage
 Since TimeDefuser 1.8.3, INF file is deprecated and the driver is instead installed as a service with `sc.exe`. A script for installing named `Installer.bat` will be bundled with subsequent releases.
@@ -102,10 +102,11 @@ These screenshots are all taken by me.
 ![Windows 7973 x64-2025-05-04-16-08-40](https://github.com/user-attachments/assets/f3d3a116-5b67-4b8f-bd4c-d907485a435b)
 ![Windows 8331 x64-2026-01-18-22-58-14](https://github.com/user-attachments/assets/7d746160-5626-4af5-916f-f57215eeccc0)
 ![Windows 10072 x64-2025-11-10-12-53-19](https://github.com/user-attachments/assets/02bb0087-762a-4a2b-98c9-16b3bf850a0d)
+<img width="1027" height="768" alt="Windows 21390-2026-06-06-19-18-48" src="https://github.com/user-attachments/assets/55181240-6974-4fdd-9d9b-ae2fd004c11b" />
 ![Windows 2526-2025-05-08-17-39-56](https://github.com/user-attachments/assets/24e4f5c9-5cdc-4eae-b91f-dc13bb93a22c)
 
 # Thanks to
-- **Microsoft** for Windows, Windbg and all else.
+- **Microsoft** for Windows, WinDbg and all else.
 - **archive.org and BetaArchive** for preserving beta builds and debug symbols.
 - **Dimitrios Vlachos** for showing interest while I was developing this.
 - **All the precious testers** that opened up issues.

TimeDefuser-Research.md

@@ -96,6 +96,7 @@ This research is also bundled with a practical Proof-of-Concept (PoC) implementa
 ## 7. Threat Model and Abuse Potential
 While this research focuses on expiration enforcement mechanisms, the techniques described are broadly applicable to kernel patching and runtime modification of enforcement logic. 
 In a threat context, these routines can be modified to do any arbitrary and potentially malicious activities with a frequency of once per hour.
+
 ## 8. Responsible Use and Ethical Considerations
 This research is conducted and presented for educational, defensive, and academic purposes. The techniques described are intended to improve understanding of kernel enforcement mechanisms, 
 tamper resistance, and system integrity, and to contribute to the broader field of operating system security research.

src/Driver.c

@@ -53,7 +53,7 @@ NTSTATUS DriverEntry(PDRIVER_OBEJCT DriverObject, PUNICODE_STRING RegistryPath)
 	HANDLE hKey = OpenRegistryKey(RegistryPath);
 	//HANDLE hKey = 0;
 	unsigned int KernelSize2 = 0;			// Var used in loops as a max value
-	PAGESections ps[5] = { 0 };				// PE sections that name starts with "PAGE"
+	PAGESections ps[6] = { 0 };				// PE sections that name starts with "PAGE"
 	unsigned char* PotentialTimestamp = NULL;// Potential address of ExNtExpirationDate/a
 	BOOLEAN Legacy = FALSE;
 	int verMajor = 0;
@@ -224,7 +224,7 @@ NTSTATUS DriverEntry(PDRIVER_OBEJCT DriverObject, PUNICODE_STRING RegistryPath)
 	switch (occurance) {
 		case 0:
 			TDPrint("[X] TimeDefuser: can't find ExpNtExpirationDate!\n");
-			goto patchFail; 
+			//goto patchFail; 
 			break;
 		case 1:
 			TDPrint("[+] TimeDefuser: ExpNtExpirationDate address is 0x%p (first occurrance)\n", pExpNtExpirationDate);
@@ -239,13 +239,13 @@ NTSTATUS DriverEntry(PDRIVER_OBEJCT DriverObject, PUNICODE_STRING RegistryPath)
 	// Due to it's variable being, we will search the PAGE section and next three sections.
 
 	for (size_t i = 0; i < 768; i++) {
-		if (KernelBase[i] == sectNamePAGELK) { // Check if we found the PAGELK\0\0 section name.
+		if (KernelBase[i] == sectNamePAGE) { // Check if we found the PAGELK\0\0 section name.
 			int* temp = (int*)&KernelBase[i + 1];
 			ps[0].size = temp[0]; // Get the section size
 			ps[0].RVA = temp[1];  // and RVA
-			TDPrint("[+] TimeDefuser: PAGELK Section found at 0x%p with size %d\n", (unsigned char*)KernelBase + temp[1], temp[0]);
+			TDPrint("[+] TimeDefuser: PAGE Section found at 0x%p with size %d\n", (unsigned char*)KernelBase + temp[1], temp[0]);
 			// Get the RVA and size of next three sections.
-			for (char j = 1; j < 5; j++) {
+			for (char j = 1; j < 6; j++) {
 				temp += 10;
 				ps[j].size = temp[0]; // Get the section size
 				ps[j].RVA = temp[1];  // and RVA
@@ -255,7 +255,7 @@ NTSTATUS DriverEntry(PDRIVER_OBEJCT DriverObject, PUNICODE_STRING RegistryPath)
 	}
 
 	if (!ps[0].size) {
-		TDPrint("[X] TimeDefuser: PAGELK Section not found!\n");
+		TDPrint("[X] TimeDefuser: PAGE Section not found!\n");
 		goto patchFail;
 	}
 

src/TimeDefuser.h

@@ -4,7 +4,7 @@
 #include "tdwdm/wdm.h"
 
 /// Definitions
-#define td_version "1.8.4.1"
+#define td_version "1.8.4.2"
 
 #define SystemModuleInformation 11
 #define PEheader 0x5a4d // MZ
@@ -13,7 +13,7 @@
 #define sectNamePAGE		0x0000000045474150 // "PAGE\0\0\0\0"
 
 #if defined(AMD64)
-	#define KUSERSystemExpirationDate (LARGE_INTEGER*)0xfffff780000002c8;
+	#define KUSERSystemExpirationDate (LARGE_INTEGER*)0xfffff780000002c8; // c802000080f7ffff
 	typedef unsigned __int64 ptr_t;
 #elif defined(i386)
 	#define KUSERSystemExpirationDate (LARGE_INTEGER*)0xffdf02c8;