# AES-256 for Windows XP

The scripts and instructions listed below add AES-256 support to Windows XP, which, among other things, allows the Internet Explorer 8 browser to open sites that use HTTPS with 256-bit encryption.

#### Files

• AES256_for_WindowsXP.vbs (3.2 KB)
• AES256_for_WindowsXP_ENG.EXE (374.0 KB)
• AES256_for_WindowsXP.bat (426 bytes)

### Attention!

Windows XP system libraries do not officially support AES-256, and this script is just a workaround. Use the script only if you understand what the AES-256 algorithm is needed for, and you know how to restore the system in case of unforeseen critical errors.

### Why do I need AES-256 support?

Due to the fact that Windows XP does not support the AES-256 encryption algorithm, many Internet sites running HTTPS do not open in Internet Explorer 8 under this operating system. For the same reason, many programs that depend on Internet Explorer or use system encryption libraries do not work properly (for example, read about an error due to which Skype cannot connect to the Internet).

### How to enable AES-256 support manually?

Officially, Windows XP does not support AES-256, and it is unlikely that the algorithm will ever be supported. However, Windows XP has an “older brother”, Windows Embedded POSReady 2009 (an operating system designed for POS terminals, ATMs, self-service checkouts and similar devices). For the English version of this OS there is an update, KB3081320, which adds support for AES-256, but it cannot be installed on Windows XP.

Fortunately, this update is very simple, and most importantly, I managed to find a simple way to add AES-256 support to Windows XP. The plan is as follows:

1. Download the KB3081320 installer, WindowsXP-KB3081320-x86-Embedded-ENU.exe. I saved it as «KB3081320.exe», so that it would be more convenient to write commands.

2. Extract all files with the command:

    C:\path\to\installer\KB3081320.exe /x:C:\KB3081320

3. Replace the system libraries with the copies from the folder C:\KB3081320\SP3QFE. For your convenience, I uploaded them to the server: dssenh.dll, rsaenh.dll and schannel.dll.

In case you do not know how to replace system libraries, you can do it in this way:
1. Find the required library in each of these folders:
• %windir%\ServicePackFiles\i386\
• %windir%\system32\dllcache\
• %windir%\system32\
2. Rename the library from these folders to something else
3. Copy the new library to each of these folders
4. Restart the computer
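An added example, not the page's own AES256_for_WindowsXP.bat: a batch script that carries out the manual replacement steps above, doing dllcache before system32 (Windows File Protection restores system32 from dllcache) and skipping ServicePackFiles\i386 when it is absent. It assumes the update was extracted to C:\KB3081320 as in step 2; the source folder and the ".old" backup suffix are the script's own choices.

```batch
@echo off
rem Added example (not the page's AES256_for_WindowsXP.bat): replace dssenh.dll,
rem rsaenh.dll and schannel.dll in every folder Windows File Protection uses as a
rem restore source, keeping a renamed copy of each original for rollback.
rem Assumes the new copies were extracted with "KB3081320.exe /x:C:\KB3081320".
setlocal
set SRC=C:\KB3081320\SP3QFE
set FILES=dssenh.dll rsaenh.dll schannel.dll

if not exist "%SRC%\schannel.dll" (
    echo New libraries not found in %SRC%. Extract KB3081320 first.
    exit /b 1
)

rem Order matters: WFP repairs system32 from dllcache, so dllcache must hold the new
rem copies before system32 is touched. ServicePackFiles\i386 only exists on systems
rem that were upgraded to SP3, so it is skipped when missing.
for %%D in ("%windir%\ServicePackFiles\i386" "%windir%\system32\dllcache" "%windir%\system32") do (
    if exist %%D (
        for %%F in (%FILES%) do (
            if exist "%%~D\%%F" (
                rem Keep the original as <name>.old; drop an older backup first so ren cannot fail.
                if exist "%%~D\%%F.old" del /f /q "%%~D\%%F.old"
                ren "%%~D\%%F" "%%F.old"
            )
            copy /y "%SRC%\%%F" "%%~D\%%F" >nul || echo Could not copy %%F to %%~D (file in use?)
        )
    ) else (
        echo Skipping %%~D - folder does not exist.
    )
)

echo Done. Restart Windows, then check "Cipher Strength" in Internet Explorer (Help - About).
endlocal
```

If a copy fails with the file reported as in use, the replacement has to be done from outside the running system, as described in the comments below.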

### How to enable AES-256 by installing KB3081320?

Since KB3081320 can be installed only on Windows Embedded, we should use a hack to turn our computer into an “ATM”. Of course, it will not give out money (although, who knows), but at least it will deceive the update installer. Therefore, let’s start:
1. Add the “ATM” marker to the registry using PosReady_Enable.reg
2. Run the installer WindowsXP-KB3081320-x86-Embedded-ENU.exe
3. Remove the “ATM” marker from the system using PosReady_Disable.reg
4. Restart the computer (do this only after you have removed the “ATM” marker)

### What algorithm does my computer support?

To check which encryption strength your computer supports, or to find out whether you have enabled AES-256 support: start Internet Explorer → click “Help” → choose “About” → and check the “Cipher Strength” line (for example, if your computer supports AES-256, it shows “Cipher Strength: 256-bit”).

I will be grateful for your feedback and additions. Please do not hesitate to leave comments – this is very important for me and, especially, for blog visitors.

Dave,
Correct me if I'm wrong, but I think it might be a good idea to suggest that users change the files in \dllcache\ first. I followed your instructions and rebooted, and nothing changed. I think that Windows File Protection immediately repaired \system32\ with the originals from \dllcache\ (before I replaced them).

As a side note: I did not have a %windir%\ServicePackFiles\i386\ directory. I think this is because I never installed a service pack -- SP3 was slipstreamed onto my installation disc. This was fine, and did not affect the process.

I should mention that after my second reboot this did in fact work for me, beautifully. I've been looking for a solution to Windows XP HTTPS issues for almost a year now. Skype immediately began showing link previews again, which it had not done in a couple of weeks, and gave me a banner ad (which I don't even remember the last time I saw). I'm looking forward to seeing if all of the HTTPS errors I've been getting in Opera and Chrome will go away now, but unfortunately I cannot remember any of the sites it had been happening on.

Last but not least, I think your spam filter is filtering Opera 12. :'D
Author's reply:
Hi Dave! Thank you for your notices. I am very pleased that I was able to help you. In truth, most people believe that IE8 on Windows XP cannot support AES256. Until recently, I also thought so. However, some days ago, thanks to one visitor, I found out that it can be enabled if you “convert” Windows XP to Windows Embedded POSReady 2009, install some updates and change some registry parameters. Investigating this information thoroughly, I found and developed this simple solution.

I myself tested this solution manually and never had problems. Nevertheless, I will update the instruction, as this is indeed a correct remark. And you are right about ServicePackFiles folder — it exists only if Windows was upgraded to SP3.

The only question: what do you mean by “your spam filter is filtering Opera 12”? Can you explain please?
Dave,
Sorry, I was mistaken! I've encountered comment form spam filters in the past that seemed to filter Opera 12 for some reason. That's not actually the case here. The error was actually a result of me running NoScript (disabling JavaScript, essentially) -- your form submits via AJAX, and if scripting is turned off, it submits incorrectly and fails with an error message of "An Error Was Encountered. The action you have requested is not allowed.".

By the way, do you know if there is any method that tricks TLS 1.1 and 1.2 into working in IE8 on XP? Even with this change, the checkboxes for them do not appear. (I swear I've seen them in the past, though...)
Author's reply:
I apologize, but, unfortunately, I did not investigate this question on how to enable TLS 1.1 and 1.2. If you can find the answer, I will be grateful for any hints.

In the meantime, I updated the article, added new scripts, and thanks to kb80 upgraded DLLs to a more secure patch.
kb80,
Btw, the security update KB3081320 supersedes KB3055973 and contains the most current version of the dlls, so if you apply them from KB3081320 instead, the system also will be protected from the MiTM vulnerability, according to the article.

Author's reply:
Yeah! That’s cool! Thank you very much! I updated the article and added some new things.
Dave,
Have you considered posting a new article linking back to this one, mentioning that you fixed a security flaw? Some folks (such as myself) may have installed it already, and are unaware that it's been updated, and will only find out if they happen to visit again for some reason.
Author's reply:
As far as I know, all people interested in such articles always subscribe to notifications or regularly visit it. And you are a living example :)
Rumo,
I have discovered that once the PosReady key is introduced into the system registry it can never be deleted or changed again (so PosReady_Disable.reg has no effect). All subkeys under the WPA key (like that one) are protected by DRM — or something like that. This is harmless most of the time, but one or another rogue program can refuse to install on what it identifies as a PosReady system.

Other than that, thanks for the tip. I have replaced the files in \Windows\system32 and \Windows\system32\dllcache from outside Windows XP (in a dual-boot machine), and it solved the problem with Skype. No ill effects so far.

[Updated]
I've submitted a previous comment about a problem with the hack you recommend for installing KB3081320, but apparently it has been removed. I think people should be warned that the change made in their systems by PosReady_Enable.reg is irreversible.

[Updated]
Now that my first comment is back, my subsequent comment has become superfluous — and so this one...

Thanks.
Author's reply:
Hi Rumo! Thank you for your comments and sorry for being late. One of these days I’m going to test it and I will update the article.

[Updated]
Tested it! You are absolutely right. I checked, and found that the value is not deleted if you restart the computer. Therefore, it is important to remove it before restarting the computer.
Rumo,
Hi! I think that it's not possible to remove it even before restarting the computer. Please correct me if I'm wrong.
Author's reply:
I did only a few tests and not sure if it always works, but I noticed that if I run PosReady_Disable.reg before restarting computer it is no longer restored. I can repeat tests if you get a different result.
Olda,
Thanks a lot! My favourite mail client Alpine works under Windows XP again. Since our IMAP server was upgraded to Debian 9, which refuses all the usual Windows XP ciphers, I had to abandon the mail client which I have used for years. Now it is back :-).
Alec,
Hi,
Thanks a lot for your solution it helped me to run our application on XP again.
Usher,
@Rumo
@Dave
You can't delete the POSReady entry while running Windows - it's a part of the registry protected by the system. However, you can connect the HDD to another PC and edit the inactive registry files from another system, if you really want… but I don't think so.
If your system is fully updated (including MS Installer 4.5, exFAT drivers and possibly some other needful things), you can stay with POSReady 2009 - it works OK with both Home and Pro versions of Windows XP. Now you will get many other security updates with no additional fiddling. Note that there is already an update available for TLS 1.1/1.2! It's KB4019276, which supersedes KB3081320 - it's in optional updates now, but in February it should be promoted to important and installed with the IE8 cumulative update.
Author's reply:
Hello! Thank you for such a good comment. By the way, this is why I suggested the way to enable AES-256 without «converting» XP to POSReady.
Usher,
Note that from the very beginning you are talking about Internet Explorer 8 (and its libs), and updates for IE8 are available in Windows XP Embedded only.
It's really much easier to stay with POSReady and get all security updates installed automatically than to dig in installers, libs, scripts, etc. manually. The updates are really important, some are even so critical, that Microsoft releases them also for Windows XP (see SMB update in May 2017 for example).

And last but not least - installing AES-256 only, without TLS 1.1/1.2 and IE8 updates, is like changing only one bald tire on your old car.
Author's reply:
I mentioned IE only because Skype relies on its functions. I doubt that someone is using IE8 on a regular basis.

As for Windows XP, I published this solution in order to fix the connection issue on Windows XP. I didn't see anyone who would like to switch to such updates (especially it concerns sysadmins, at least who contacted me and had the only task to restore the functionality of Skype).
Laszlo,
Unfortunately, trying to run http://download.skaip.org/win-kb/WindowsXP-KB3081320-x86-Embedded-ENU.exe on my mother's Windows XP system with the Hungarian version of the language would not work. Is there a fix for that?
aliaksandr,
I'd like to second Usher's claim and urge you to consider switching to KB4019276 in your manual (please see the Microsoft KB article for the list of updated files - apart from the dlls there is an updated kernel-mode driver).

btw, this update does not reanimate Skype - all of my contacts are offline for now (February, 10)
Author's reply:
Hi! Of course, keeping OS up-to-date is very important, but people who choose to remain on Windows XP already do not do this. I'm very grateful to Usher for pointing out about this update (I didn't know about it, because I do not follow news about Windows XP). In addition, I am grateful to you for reminding about it. However, to replace KB3081320 by KB4019276, I must again spend a lot of time for testing and updating all scripts. At the moment I cannot afford it. By the way, my main goal was to help users to connect to the Skype on Windows XP. And I did it.

As for your problem it's something else, and occurs due to this issue.
murrkey,
Hi Great job! I haven't tried this yet but I'm sure it will work.
I have been looking for this Skype fix for a long time.
One question re. replacing the 3 dlls manually. Will the machine convert to Embedded POS?
Or will it remain just XP-SP3 with updated drivers? Or do I need to follow the remaining directions and convert to Embedded POS? oops 3 questions.
Author's reply:
Hi! Thanks. I hope that you will succeed. Meanwhile:
1) Replacing the DLLs manually or using the BAT/VBS script will not convert your OS to POS. Just note that if you do this manually, OS protection may restore the original files (this is why, at the very least, you should do it very quickly).

2) When you will replace these files, nothing else will be changed (neither other files, nor drivers, nor the registry).

3) I don't recommend to convert OS to POS, because it will be very difficult to return everything back. In addition, perhaps you will get updates for ATM.
murrkey,
Thanks for the quick response... I manually replaced the files and Skype now gets incoming calls!

The only issue I ran into was difficulty replacing the files in system32. Two of them reported "in use" and would not let me overwrite them, even in safe mode. I had to use an external maintenance program to insert the new DLLs. I also needed to sign out of Skype and quit... then restart XP, and everything worked.
Thanks again
Usher,
> Will the machine convert to Embedded POS?

No. In general Windows XP Embedded/WEPOS/POSReady is Windows XP SP3 OEM repacked with another installer. It's designed to create a minimal OS installation (some kind of Windows Lite), containing only software and drivers selected by developers while standard OEM installation contains full backup of Windows and all windows software and drivers provided by OEM devs. It means that you won't have any additional updates dedicated for POS/ATM if you don't install any such software on your own.

There is NO real system conversion - POSReady in XP is only a single registry entry and a single change in installer scripts (*.inf), other files are unchanged, so you can use POSReady trick for both XP Pro and Home. And it's not so difficult to remove the registry entry - you should just use regedit from command prompt after starting 32-bit Windows Vista/7/8/10 DVD/USB disc installer in repair mode. You can use this installer also to replace files in use by system (don't forget to replace files also in c:\WINDOWS\system32\dllcache if needed) or to run chkdsk /b on old HDD.

The real problem is the IE8 update (still with no full TLS 1.x support) - currently it may take a week with 100% single-CPU kernel load by wuauclt, so the update should be downloaded manually from the Microsoft Update Catalog. There may be similar problems with some MS Office updates; other updates should install much faster.
Note that there is a naming convention mismatch in MS Update Catalog – older files are described mostly as "Windows XP WEPOS/POSReady" updates and newer ones as "Windows XP Embedded" updates.