# AES-256 for Windows XP

Scripts and instructions listed below include AES-256 support for Windows XP, which, among other things, will allow Internet Explorer 8 browser to open sites that use HTTPS protocol with 256-bit encryption.

3.2 KB

#### File name:

AES256_for_WindowsXP.vbs

133

374.0 KB

#### File name:

AES256_for_WindowsXP_ENG.EXE

136

426 Bytes

#### File name:

AES256_for_WindowsXP.bat

42

### Attention!

Windows XP system libraries do not officially support AES-256, and this script is just a workaround. Use the script only if you understand what the AES-256 algorithm is needed for, and you know how to restore the system in case of unforeseen critical errors.

### Why do I need AES-256 support?

Due to the fact that Windows XP does not support the AES-256 encryption algorithm, many Internet sites running HTTPS do not open in Internet Explorer 8 under this operating system. For the same reason, many programs that depend on Internet Explorer or use system encryption libraries do not work properly (for example, read about an error due to which Skype cannot connect to the Internet).

### How to enable AES-256 support manually?

Officially, Windows XP does not support AES-256, and it is unlikely that the algorithm will ever be supported. However, Windows XP has an “older brother”, Windows Embedded POSReady 2009 (the operating system is designed for POS-terminals, ATM, self-service checkouts and others). For the English version of this OS there is an update KB3081320, which adds support for AES-256, but it cannot be installed on Windows XP.

Fortunately, this update is very simple, and most importantly, I managed to find a simple way to add AES-256 support for Windows XP. The plan is as follows:
I saved it as «KB3081320.exe», so that it would be more convenient to write commands.

2. Extract all files with the command:
C:\path\to\installer\KB3081320.exe /x:C:\KB3081320

3. Replace system libraries with copies from the folder C:\KB3081320\SP3QFE
For your convenience, I uploaded them to the server: dssenh.dll, rsaenh.dll and schannel.dll

In case you do not know how to replace system libraries, you can do it in this way:
1. Find the required library in each of these folders:
• %windir%\ServicePackFiles\i386\
• %windir%\system32\dllcache\
• %windir%\system32\
2. Rename the library from these folders to something else
3. Copy the new library to each of these folders
4. Restart the computer

### How to enable AES-256 by installing KB3081320?

Since KB3081320 can be installed only on Windows Embedded, we should use a hack to turn our computer into an “ATM”. Of course, it will not give money (although, who knows), but at least it will deceive the update installer. Therefore, let’s start:
2. Run the installer WindowsXP-KB3081320-x86-Embedded-ENU.exe
3. Remove from the system the presence of “ATM” using PosReady_Disable.reg
4. Restart the computer (do this only after you removed “ATM”)

### What algorithm does my computer support?

To check which encryption algorithm is used on your computer or to find out if you enabled AES-256 support: start Internet Explorer → click “Help” → choose “About” → and check string “Cipher Strength” (for example, if your computer supports AES-256, here is specified “Cipher Strength: 256-bit”).

I will be grateful for your feedback and additions. Please do not hesitate to leave comments – this is very important for me and, especially, for blog visitors.

1. 0 0 0
Dave,
Correct me if I'm wrong, but I think it might be a good idea to suggest that users change the files in \dllcache\ first. I followed your instructions and rebooted, and nothing changed. I think that Windows File Protection immediately repaired \system32\ with the originals from \dllcache\ (before I replaced them).

As a side note: I did not have a %windir%\ServicePackFiles\i386\ directory. I think this is because I never installed a service pack -- SP3 was slipstreamed onto my installation disc. This was fine, and did not affect the process.

I should mention that after my second reboot this did in fact work for me, beautifully. I've been looking for a solution to Windows XP HTTPS issues for almost a year now. Skype immediately began showing link previews again, which it had not done in a couple of weeks, and gave me a banner ad (which I don't even remember the last time I saw). I'm looking forward to seeing if all of the HTTPS errors I've been getting in Opera and Chrome will go away now, but unfortunately I cannot remember any of the sites it had been happening on.

Last but not least, I think your spam filter is filtering Opera 12. :'D
1. 0 0 0
Hi Dave! Thank you for your notices. I am very pleased that I was able to help you. In truth, most people believe that IE8 on Windows XP cannot support AES256. Until recently, I also thought so. However, some days ago, thanks to one visitor, I found out that it can be enabled if you “convert” Windows XP to Windows Embedded POSReady 2009, install some updates and change some registry parameters. Investigating this information thoroughly, I found and developed this simple solution.

I myself tested this solution manually and never had problems. Nevertheless, I will update the instruction, as this is indeed a correct remark. And you are right about ServicePackFiles folder — it exists only if Windows was upgraded to SP3.

The only question: what do you mean by “your spam filter is filtering Opera 12”? Can you explain please?
1. 0 0 0
Dave,
Sorry, I was mistaken! I've encountered comment form spam filters in the past that seemed to filter Opera 12 for some reason. That's not actually the case here. The error was actually a result of me running NoScript (disabling JavaScript, essentially) -- your form submits via AJAX, and if scripting is turned off, it submits incorrectly and fails with an error message of "An Error Was Encountered. The action you have requested is not allowed.".

By the way, do you know if there is any method that tricks TLS 1.1 and 1.2 into working in IE8 on XP? Even with this change, the checkboxes for them do not appear. (I swear I've seen them in the past, though...)
1. 0 0 0
I apologize, but, unfortunately, I did not investigate this question on how to enable TLS 1.1 and 1.2. If you can find the answer, I will be grateful for any hints.

In the meantime, I updated the article, added new scripts, and thanks to kb80 upgraded DLLs to a more secure patch.
2. 2 +2 0
kb80,
Btw, the security update KB3081320 supersedes KB3055973 and contains the most current version of the dlls, so if you apply them from KB3081320 instead, the system also will be protected from the MiTM vulnerability, according to the article.

1. 1 +1 0
Yeah! That’s cool! Thank you very much! I updated the article and added some new things.
1. 0 0 0
Dave,
Have you considered posting a new article linking back to this one, mentioning that you fixed a security flaw? Some folks (such as myself) may have installed it already, and are unaware that it's been updated, and will only find out if they happen to visit again for some reason.
1. 0 0 0
As far as I know, all people interested in such articles always subscribe to notifications or regularly visit it. And you are a living example :)
3. 1 +1 0
Rumo,
I have discovered that once the PosReady key is introduced in the system registry it will never more be deleted or changed (so that PosReady_Disable.reg has no effect). All subkeys under the WPA key (like that one) are protected by DRM — or something like that. This can be most of time harmless, but one or another rogue program can refuse to install in what they identify as a PosReady system.

Other than that, thanks for the tip. I have replaced the files in \Windows\system32 and \Windows\system32\dllcache from outside Windows XP (in a dual-boot machine), and it solved the problem with Skype. No ill effects so far.

[Updated ]
I've submitted a previous comment about a problem with the hack you recommend for installing KB3081320, but apparently it has been removed. I think people should be warned that the change made in their systems by PosReady_Enable.reg is irreversible.

[Updated ]
Now that my first comment is back, my subsequent comment has become superfluous — and so this one...

Thanks.
1. 0 0 0
Hi Rumo! Thank you for your comments and sorry for being late. One of these days I’m going to test it and I will update the article.

[Updated ]
Tested it! You are absolutely right. I checked, and found that the value is not deleted if you restart the computer. Therefore, it is important to remove it before restarting the computer.
1. 0 0 0
Rumo,
Hi! I think that it's not possible to remove it even before restarting the computer. Please correct me if I'm wrong.
1. 0 0 0