Attention!
Windows XP system libraries do not officially support AES-256, and this script is just a workaround. Use the script only if you understand what the AES-256 algorithm is needed for and you know how to restore the system in case of unforeseen critical errors.
Why do I need AES-256 support?
Because Windows XP does not support the AES-256 encryption algorithm, many websites served over HTTPS do not open in Internet Explorer 8 on this operating system. For the same reason, many programs that depend on Internet Explorer or use the system encryption libraries do not work properly (for example, read about an error due to which Skype cannot connect to the Internet).
How to enable AES-256 support manually?
Officially, Windows XP does not support AES-256, and it is unlikely that the algorithm will ever be supported. However, Windows XP has an “older brother”, Windows Embedded POSReady 2009 (an operating system designed for POS terminals, ATMs, self-service checkouts and similar devices). For the English version of this OS there is an update, KB3081320, which adds support for AES-256, but it cannot be installed on Windows XP.
Fortunately, this update is very simple, and most importantly, I managed to find a simple way to add AES-256 support to Windows XP. The plan is as follows:
- Download the installer WindowsXP-KB3081320-x86-Embedded-ENU.exe
  I saved it as «KB3081320.exe», so that it would be more convenient to write commands.
- Extract all files with the command:
  C:\path\to\installer\KB3081320.exe /x:C:\KB3081320
- Replace system libraries with copies from the folder
  C:\KB3081320\SP3QFE
  For your convenience, I uploaded them to the server: dssenh.dll, rsaenh.dll and schannel.dll
In case you do not know how to replace system libraries, you can do it in this way:
- Find the required library in each of these folders:
  %windir%\ServicePackFiles\i386\
  %windir%\system32\dllcache\
  %windir%\system32\
- Rename the library in each of these folders to something else
- Copy the new library to each of these folders
- Restart the computer
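A post-reboot check for the manual replacement above, added here as an example and not part of the original article: it byte-compares the three libraries in each system folder against the copies extracted to C:\KB3081320\SP3QFE, so a copy that was missed in one folder or put back by the operating system's file protection shows up as DIFFERS. The output labels are assumptions of this example, and a folder that does not exist on the machine is skipped.

```batch
@echo off
rem Added example (not the article's script): confirm that the replaced
rem libraries are byte-identical to the files extracted from KB3081320.
rem Assumes the extraction folder used in the article: C:\KB3081320\SP3QFE
setlocal
set "SRC=C:\KB3081320\SP3QFE"
set FAIL=0

for %%F in (dssenh.dll rsaenh.dll schannel.dll) do (
  if not exist "%SRC%\%%F" (
    echo NOSOURCE %SRC%\%%F
    set FAIL=1
  ) else (
    for %%D in ("%windir%\ServicePackFiles\i386" "%windir%\system32\dllcache" "%windir%\system32") do (
      if not exist "%%~D\" (
        rem Some installations have no ServicePackFiles folder at all.
        echo SKIP     %%~D - folder not present
      ) else if not exist "%%~D\%%F" (
        echo MISSING  %%~D\%%F
        set FAIL=1
      ) else (
        rem fc /b returns errorlevel 1 when the two files differ.
        fc /b "%SRC%\%%F" "%%~D\%%F" >nul
        if errorlevel 1 (
          echo DIFFERS  %%~D\%%F
          set FAIL=1
        ) else (
          echo OK       %%~D\%%F
        )
      )
    )
  )
)

if %FAIL%==1 (echo Result: at least one copy is not the KB3081320 version.) else (echo Result: all present copies match.)
endlocal & exit /b %FAIL%
```

Run it from a command prompt after the restart; a non-zero exit code means at least one folder still holds a different file.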
How to enable AES-256 by installing KB3081320?
Since KB3081320 can be installed only on Windows Embedded, we should use a hack to turn our computer into an “ATM”. Of course, it will not give money (although, who knows), but at least it will deceive the update installer. Therefore, let’s start:
- Run the REG-file PosReady_Enable.reg
- Run the installer WindowsXP-KB3081320-x86-Embedded-ENU.exe
- Remove the “ATM” marker from the system using PosReady_Disable.reg
- Restart the computer (do this only after you have removed the “ATM” marker)
What algorithm does my computer support?
To check which encryption algorithm is used on your computer, or to find out whether you have enabled AES-256 support: start Internet Explorer → click “Help” → choose “About” → and check the “Cipher Strength” string (for example, if your computer supports AES-256, it shows “Cipher Strength: 256-bit”).
I will be grateful for your feedback and additions. Please do not hesitate to leave comments – this is very important for me and, especially, for blog visitors.
36 comments
+6
), #As a side note: I did not have a %windir%\ServicePackFiles\i386\ directory. I think this is because I never installed a service pack -- SP3 was slipstreamed onto my installation disc. This was fine, and did not affect the process.
I should mention that after my second reboot this did in fact work for me, beautifully. I've been looking for a solution to Windows XP HTTPS issues for almost a year now. Skype immediately began showing link previews again, which it had not done in a couple of weeks, and gave me a banner ad (which I don't even remember the last time I saw). I'm looking forward to seeing if all of the HTTPS errors I've been getting in Opera and Chrome will go away now, but unfortunately I cannot remember any of the sites it had been happening on.
Last but not least, I think your spam filter is filtering Opera 12. :'D
+1207
), # ↑I myself tested this solution manually and never had problems. Nevertheless, I will update the instruction, as this is indeed a correct remark. And you are right about
The only question: what do you mean by “your spam filter is filtering Opera 12”? Can you explain please?
+6
), # ↑By the way, do you know if there is any method that tricks TLS 1.1 and 1.2 into working in IE8 on XP? Even with this change, the checkboxes for them do not appear. (I swear I've seen them in the past, though...)
+1207
), # ↑In the meantime, I updated the article, added new scripts, and thanks to kb80 upgraded DLLs to a more secure patch.
+3
), # ↑I have tried the suggested POSREADY workaround with some result but no success -see below.
RESULTS & COMMENTS:
Used the check tool run inside IE8
http://www.skaip.org/check-access-to-skype
Before any modification ~75% of the IE8 sites were blocked and cipher was 128
PosReady Install; The manual method to install POSREADY was the only one I could get to succeed. It was easy and instructions clear for my level.
(The POSready Reg workaround method failed
– START/RUN PosReady_Enable.reg system responds like “was no such file/command”)
After copying the files for the manual install (and restart) IE8 was reporting 256 cipher capability…=OK
Running the Skype tool showed only 3 sites are now blocked ….almost OK ?
Sites blocked; SKYPE ASSETS, SECURE SKYPE, LOGIN SKYPE
Now try to run Skype 7 36 0 150
Try 1- Crying face again. Unload Skype from system
Try 2- Skype message (after thinking for a long time);
“This version of Skype is no longer supported.Unfortunately, the latest version of Skype is not compatible with your OS version. We recommend you upgrade your OS version to take advantage of all the exciting new features that the latest version of Skype has to offer.”
Much appreciate your work in trying to solve our issues but it looks like XP users are going to be pushed out of Skype, any further suggestions are most welcome.
This Skype problem has perplexed me and wasted so much of my time for nigh on 2 years so I am off to ZOOM.COM they have a goofy interface but it is easy to install, good quality, capable and it works perfect for us XP holdouts. /Antony
+4
), # ↑today on XP the 1st day I got the Skype can't open because IE is outdated..
we'll see tomorrow..
don
+8
), #You can download it from http://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB3081320
+2
), #Other than that, thanks for the tip. I have replaced the files in \Windows\system32 and \Windows\system32\dllcache from outside Windows XP (in a dual-boot machine), and it solved the problem with Skype. No ill effects so far.
[Updated ]
I've submitted a previous comment about a problem with the hack you recommend for installing KB3081320, but apparently it has been removed. I think people should be warned that the change made in their systems by PosReady_Enable.reg is irreversible.
[Updated ]
Now that my first comment is back, my subsequent comment has become superfluous — and so this one...
Thanks.
+1207
), # ↑[Updated ]
Tested it! You are absolutely right. I checked, and found that the value is not deleted if you restart the computer. Therefore, it is important to remove it before restarting the computer.
0
), #Thanks a lot for your solution it helped me to run our application on XP again.
+13
), #@Administrator
@Dave
You can't delete POSReady entry when running Windows - it's a part of registry protected by system. However, you can connect the HDD to another PC and edit inactive registry files from another system, if you really want… but I don't think so.
If your system is fully updated (including MS Installer 4.5, exFAT drivers and possibly some other needful things), you can stay with POSReady 2009 - it works OK with both Home and Pro versions of Windows XP. Now you will get many other security updates with no additional fiddling. Note that there is already an update available for TLS 1.1/1.2! It's KB4019276, which supersedes KB3081320 - it's in optional updates now, but in February it should be promoted to important and installed with the IE8 cumulative update.
+13
), # ↑It's really much easier to stay with POSReady and get all security updates installed automatically than to dig in installers, libs, scripts, etc. manually. The updates are really important, some are even so critical, that Microsoft releases them also for Windows XP (see SMB update in May 2017 for example).
And last but not least - installing AES-2 only without TLS 1.1/1.2 and IE8 updates is like changing only one bald tire in your old car.
+1207
), # ↑As for Windows XP, I published this solution in order to fix the connection issue on Windows XP. I didn't see anyone who would like to switch to such updates (especially it concerns sysadmins, at least who contacted me and had the only task to restore the functionality of Skype).
+3
), #btw, this update does not reanimate Skype - all of my contacts are offline for now (February, 10)
+1207
), # ↑As for your problem it's something else, and occurs due to this issue.
+7
), #I have been looking for this Skype fix for a long time.
One question re. replacing the 3 dlls manually. Will the machine convert to Embedded POS?
Or will it remain just XP-SP3 with updated drivers? Or do I need to follow the remaining directions and convert to Embedded POS? oops 3 questions.
+1207
), # ↑1) Replacing DLLs manually or using a BAT/VBS script will not convert your OS to POS. Just note that if you do this manually, OS protection may restore the original files (this is why, at least you should do it very quickly).
2) When you replace these files, nothing else will be changed (neither other files, nor drivers, nor the registry).
3) I don't recommend converting the OS to POS, because it will be very difficult to return everything back. In addition, perhaps you will get updates for ATM.
+7
), # ↑The only issue I ran into was difficulty replacing the files in system32. Two of them reported "in-use" and would not let me overwrite. Even in safe mode. I had to use an external maintenance program to insert the new DLLs. I also needed to sign out of Skype and quit... then restart XP and everything worked.
Thanks again
+13
), # ↑No. In general Windows XP Embedded/WEPOS/POSReady is Windows XP SP3 OEM repacked with another installer. It's designed to create a minimal OS installation (some kind of Windows Lite), containing only software and drivers selected by developers while standard OEM installation contains full backup of Windows and all windows software and drivers provided by OEM devs. It means that you won't have any additional updates dedicated for POS/ATM if you don't install any such software on your own.
There is NO real system conversion - POSReady in XP is only a single registry entry and a single change in installer scripts (*.inf), other files are unchanged, so you can use POSReady trick for both XP Pro and Home. And it's not so difficult to remove the registry entry - you should just use regedit from command prompt after starting 32-bit Windows Vista/7/8/10 DVD/USB disc installer in repair mode. You can use this installer also to replace files in use by system (don't forget to replace files also in c:\WINDOWS\system32\dllcache if needed) or to run chkdsk /b on old HDD.
The real problem is the IE8 update (still with no full TLS 1.x support) - currently it may take a week with 100% single CPU kernel load by wuauclt, so the update should be downloaded manually from Microsoft Update Catalog. There may be similar problems with some MS Office updates, other updates should install much faster.
Note that there is a naming convention mismatch in MS Update Catalog – older files are described mostly as "Windows XP WEPOS/POSReady" updates and newer ones as "Windows XP Embedded" updates.
+27
), #Great article. Many thanks! I'm so glad that your neat site is also useful for stuff other than Skype.
My XP SP3 is really old and my Internet Explorer 8 cannot display many HTTPS (SSL Enabled) sites due to being old, and due to being incompatible between certificates and encryption handshakes.
My question, even XP doesn't support TLS 1.1 and 1.2, does that tweak enable us to see cipher strength upgraded to 256 bit instead of current 128 bit?
Isn't that tweak for this?
Many thanks,
Onur
0
), #I tried to install the 3 files, first the vbs, second the exe, and third the bat. After restarting (I restarted only after the third install, it might be a problem) I got an error "you are having a problem that is preventing windows from accurately checking the license for this computer. Error #0X80090006" and nothing happens, only safe mode works without network. Do you have any fix for it? Thank you! (Windows xp sp3)
Regards,
Kornel
+1207
), # ↑By the way, are you sure that you have Windows XP SP3? What's the language of your OS? Have you tried to revert old files?
0
), #So in my case not for skype at all.
Usually settings for MSIE8 are applied just using the wininet library on XP SP3.
I have check boxes for SSL 3.0 and TLS 1.0 checked.
Any idea what is missing?
Same software on windows 7 works.
It would be a lifesaver if it can be solved, since I have to move all development to windows 7 machine.
Thanks either way, I'm sure many places will work now.
0
), #Many thanks for the post.
I was about to drop 5 Windows XP Advantech industrial PCs because the apps were currently unable to communicate with our customer back-end.
I have to confess that I didn't use the files you provided but went to the source (Microsoft) and got them from the source (sorry for not trusting).
Regards