Removing Windows Watermark Manually
Author David O
Posted September 24, 2013 6:43 am

Windows 8.1 and other versions of Windows that are in beta will have watermarks. It's just a way to notify users that this is not a full version of Windows and will require an upgrade and keys once the evaluation period is over. For example, Windows versions that are already released have a 30-60 day evaluation period, and for a beta you have until the version is released. But that's beside the point.

Today, we are going to manually or physically remove the watermark. This tutorial is for those who want to know how it's really done without just running a program and copying files from one location to another. The point of this other than learning? In the future, if a new version of Windows is released, you can be the one to make the replaceable files for others to use.

Warning: This tutorial can cause damage to your computer or various hardware and software. We take no responsibility for any damage done. This tutorial is provided "as-is" with no guarantee of working or functioning properly. If you are unsure about a step or this tutorial, try it in a Virtual Machine or in a system that you can restore or can repair easily.

Programs and Tools Required

You are going to need a fair number of tools and software for this. There are variations of software you can use, but with the following you will be set to continue.

  • Hexadecimal Editor: HxD is what I suggest.
  • Process Monitor: ProcMon has good filtering and is free and easy.
  • Grep or RegEx Search: AstroGrep or GrepWin. Both are fast and have nice features.
  • Command Prompt and some text editing programs.

Step 1: Files being Used

The first task is to find out what files are being used, so we can limit our search for files we need to edit. This of course can be avoided if you want to wait around all day to possibly search for the correct file.

  1. Find the process or program that has the watermark. I suggest trying "Explorer.exe" first, since it does contain the desktop and Start Screen. You do this by opening Task Manager, then killing tasks and starting them one by one until the watermark is gone.
  2. Once you find the process (it's explorer.exe), open Process Monitor.
  3. Filter Process Monitor to only show results for this process. I search by Process Name and not PID.
  4. Filter Process Monitor to only show files being opened. In ProcMon the Operation for files being opened is "CreateFile". You can use the drop-down to see all other Operations.
  5. Kill the task for Explorer.exe; clear the ProcMon log; start capturing in ProcMon.
  6. Start Explorer.exe back up. In Task Manager go to File > New Task > explorer.exe.
  7. In ProcMon, stop capturing as soon as you see the watermark. This will limit the number of files you will have to search through.
  8. Save the ProcMon log to a CSV (make sure you only save the filtered results).

Step 2: Searching For The String

Now that we have a list of all the files Explorer used on startup, and have it filtered down to just file names, we can run a GREP or Regular Expression Search through all of these files to find the string we want.

For the Grep application I am using, you include file names delimited by the "|" character. So in your list of files, you will want to replace line breaks "\n" with "|". The application you are using may be different; you might even be able to include the full path name to search only those files.

  1. Set your GREP search path to C:\Windows. This is where all system files live. If you are modifying a program, search C:\Windows, your user's directory (AppData, etc.), ProgramData and the Program Files directory.
  2. Insert the regular expression "(.{0,3})" between each letter you are searching for, unless your program allows for Unicode search. The expression above matches up to 3 bytes (24 bits) of anything. Most Windows files will use 16-bit encoding, so a normal text search won't work. To search for "Windows" you will enter the following:

Regular Expression
(.{0,3})W(.{0,3})i(.{0,3})n(.{0,3})d(.{0,3})o(.{0,3})w(.{0,3})s

If you have to search for a "special" character, you have to prepend it with a "\" (backslash).

Special Characters
. ^ $ * + ? ( ) [ { \ |

  3. Enable Binary Search and limit your search to the file names we gathered above. If you don't do this, it will take hours to search every file. When we filter, we skip a good 20,000 files before we even start searching the files that are of any real use to us. You can also filter out files that don't end with the .mui extension. A MUI file is a multilanguage file Microsoft uses for strings. If you are searching for a string, there's a good chance it's in a MUI file.
  4. Search for the string we need to find. Include enough text to make it unique so it won't appear in every file, but not so much that no results are found. Numbers will most likely not be searchable. Search for "Windows 8.1 Pro Preview" and "Evaluation copy." with the regex above between each letter.
  5. Take note of the files found. You will want files in a normal path, not a path with {000000-0000-00000} formatting, since those are not used. Also, we are mostly looking for MUI files unless none are returned, in which case we will look for DLL and various other files.

Found Results
File Name          Path
------------------------------------------------------
basebrd.dll        C:\Windows\Branding\Basebrd
basebrd.dll.mui    C:\Windows\Branding\Basebrd\en-US
shell32.dll.mui    C:\Windows\System32\en-US
shell32.dll.mui    C:\Windows\SysWOW64\en-US

As you can see, we have the same file "shell32.dll.mui" in both SysWOW64 and System32. Always modify the System32 file first. If that doesn't work, move on to the 64-bit file folder and try that.
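
Steps 1 and 2 can also be scripted. The following Python code is an added example, not part of the original tutorial: it pulls the unique .mui paths out of a ProcMon CSV export, builds the gap regex from Step 2 with special characters escaped, and compares it with an exact UTF-16LE byte search. The CSV column names are assumed from ProcMon's default export; the sample rows, the BLOB bytes and all function names are constructed for illustration.

```python
import csv
import io
import re

# Constructed ProcMon CSV export; column names assumed from ProcMon's default layout.
SAMPLE_CSV = r'''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"6:43:01","Explorer.EXE","1234","CreateFile","C:\Windows\System32\en-US\shell32.dll.mui","SUCCESS",""
"6:43:01","Explorer.EXE","1234","RegOpenKey","HKLM\Software\Example","SUCCESS",""
"6:43:02","Explorer.EXE","1234","CreateFile","C:\Windows\Branding\Basebrd\en-US\basebrd.dll.mui","SUCCESS",""
"6:43:02","Explorer.EXE","1234","CreateFile","C:\Windows\System32\en-US\shell32.dll.mui","SUCCESS",""
"6:43:03","Explorer.EXE","1234","CreateFile","C:\Windows\System32\shell32.dll","SUCCESS",""
'''
# Constructed stand-in for file contents: a header, one UTF-16LE string, one ASCII string.
BLOB = b"MZ\x00\x01" + "Windows 8.1 Pro Preview".encode("utf-16-le") + b"\x00\x00Windows ASCII"


def opened_files(csv_text, suffix=".mui"):
    """Unique paths from CreateFile rows with the given suffix, in first-seen order."""
    paths = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        path = row["Path"]
        if (row["Operation"] == "CreateFile" and path.lower().endswith(suffix)
                and path not in paths):
            paths.append(path)
    return paths


def gap_regex(text):
    """The page's pattern: (.{0,3}) before each character, specials escaped."""
    parts = [b"(.{0,3})" + re.escape(ch.encode("ascii")) for ch in text]
    return re.compile(b"".join(parts), re.DOTALL)  # DOTALL: a gap byte may be 0x0A


def find_utf16(data, text):
    """Stricter alternative: every offset where text is stored as UTF-16LE."""
    needle = text.encode("utf-16-le")
    hits, pos = [], data.find(needle)
    while pos != -1:
        hits.append(pos)
        pos = data.find(needle, pos + 1)
    return hits


if __name__ == "__main__":
    print(opened_files(SAMPLE_CSV))
    print(BLOB.find(b"Windows 8.1"), find_utf16(BLOB, "Windows 8.1"))
    print([m.start() for m in gap_regex("Windows").finditer(BLOB)])
```

The gap regex also matches plain ASCII text and anything with up to three stray bytes between letters, which is why it reports two hits for "Windows" in the sample where the exact UTF-16LE search reports one.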

Step 3: Editing Files to remove Watermark

Now that we have a few files that could be correct, we limit it to the MUI files, and remove the SysWOW64 file. Now we have 2, which makes sense since we searched for 2 strings. If you have more results, it will be a trial-and-error process. Always make backups and keep track of changes you have made.

  1. Copy basebrd.dll.mui and shell32.dll.mui to your Desktop
  2. Copy both files again to a backup folder that you will not change. (Things can go wrong)
  3. Open the files in your Hexadecimal Editor.
  4. Search for the strings we previously searched for. HxD allows for Unicode search, so use this option or you won't get any results. If you don't have this option, you will need to convert your search string "Windows" to hex and then place 00's in between each hex value.
  5. Hopefully you find only 1 result in the file. If you do, overwrite it with the hex value "00". Do not delete it from the file. If you find more than 1 result, make sure the string isn't a string that contains extra characters. For example, in basebrd.dll.mui, you will find 2 matches for "Windows 8.1 Pro Preview". The first one is right; the second one also contains the copyright character, which doesn't show up on the watermark.
  6. Once finished editing the file, save it and move on to the next file, shell32.dll.mui.
  7. When looking for "Build 9431" or any other number, you won't find it. You have to search for "Build" and find the one that will most likely be it. Numbers are usually not placed directly in strings and are stored elsewhere. If you search for "Build" you will get a lot of results, but only 1 of them will not be surrounded by "( )" values. You will want to delete all the %w and various characters after it also, which tell the processor to add the number after Build. In this case, you can fill everything from that "Build" to the end of the "Evaluation copy." string, since they are back to back.
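
A check for the edit in step 5, as an added example that is not part of the original tutorial: it compares the backup with the edited copy, rejects a file whose size changed, and reports which UTF-16LE text each changed run replaced and whether that run is now all 00. It assumes strings sit on 2-byte boundaries; the function names and the sample bytes are constructed for illustration.

```python
def changed_units(original: bytes, edited: bytes):
    """Runs of differing 16-bit units as (byte_offset, byte_length) pairs."""
    if len(original) != len(edited):
        raise ValueError("file size changed: bytes were inserted or deleted")
    runs, start = [], None
    for off in range(0, len(original), 2):
        differs = original[off:off + 2] != edited[off:off + 2]
        if differs and start is None:
            start = off
        elif not differs and start is not None:
            runs.append((start, off - start))
            start = None
    if start is not None:
        runs.append((start, len(original) - start))
    return runs


def review_edit(original: bytes, edited: bytes):
    """For each changed run: the text that was there and whether it is now all 00."""
    return [{"offset": off,
             "removed": original[off:off + n].decode("utf-16-le", "replace"),
             "zero_filled": edited[off:off + n] == bytes(n)}
            for off, n in changed_units(original, edited)]


# Constructed stand-in for a string table: two UTF-16LE strings, NUL-terminated.
ORIGINAL = ("Windows 8.1 Pro Preview\0" "Evaluation copy.\0").encode("utf-16-le")
TITLE = "Windows 8.1 Pro Preview".encode("utf-16-le")
GOOD_EDIT = bytes(len(TITLE)) + ORIGINAL[len(TITLE):]  # string overwritten with 00
BAD_EDIT = ORIGINAL[len(TITLE):]                       # string deleted instead


if __name__ == "__main__":
    print(review_edit(ORIGINAL, GOOD_EDIT))
    try:
        review_edit(ORIGINAL, BAD_EDIT)
    except ValueError as err:
        print("rejected:", err)
```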

Step 4: Taking Ownership

Before we can copy the modified files to those system directories, we have to take ownership of them. Right now "TrustedInstaller" has ownership, and you won't be able to replace the files.

Run the following command in CMD or Command Prompt (not as administrator).

Take Ownership
TAKEOWN /F C:\Windows\Branding\Basebrd\en-US\basebrd.dll.mui
TAKEOWN /F C:\Windows\System32\en-US\shell32.dll.mui

If your file paths are different, then use those paths instead. The "/F" option means "filename", just for reference.

If you can't copy a file because of "File in Use", rename the existing file by appending ".backup" or ".old", then copy the modified file again.

Step 6: Giving Ownership Back

Now we have an issue: those files are owned by us and not TrustedInstaller, so we have to revert the owner back. This isn't required, but it's good practice to do so.

Run the following commands in Command Prompt or CMD. Make sure you start CMD as "Run as Administrator."

Set Owner
ICACLS C:\Windows\Branding\Basebrd\en-US\basebrd.dll.mui /setowner "NT Service\TrustedInstaller"
ICACLS C:\Windows\System32\en-US\shell32.dll.mui /setowner "NT Service\TrustedInstaller"

Finishing Up

Now we should be all finished up. We have to restart Explorer.exe in Task Manager to see the changes take effect. Hopefully everything still works, or you will probably have to load a LiveCD and replace the modified files with the backups you made at the beginning.

If you notice some text still existing, keep working on the files in HxD or your hex editor until you get it right.

Good Luck and Happy Hacking.
