Feature lockout in Windows

(Redirected from Bluepill)

On multiple occasions, Microsoft has used various mechanisms to hide early prototypes of new features in pre-release builds of Microsoft Windows before their formal introduction.

Windows 7[edit | edit source]

The development of Windows 7 marks the first time a deliberate centralized effort was introduced to conceal new features. Two separate mechanisms were introduced around build 6608:

  • Redpill, a series of registry checks usually present within the executable that implements a hidden feature. Used to enable Superbar, desktop slideshow, Start menu pinning, jump lists, Internet Explorer 8 enhancements, Aero Peek and Aero Shake.
  • Bluepill, which is implemented in the Application Compatibility Engine. It still results in a registry check, albeit indirect. Used to enable the new versions of Calculator, Paint, Sticky Notes and WordPad.

Build 7022 is the last known build to include both Redpill and Bluepill.

Windows 8[edit | edit source]

A more elaborate feature lockout system, called Redpill or SuperPill, was introduced during the development of Windows 8, which now takes advantage of the licensing subsystem as well as components that are not included with the base system. Noteworthy features hidden behind Redpill include the Start Screen, redesigned logon UI, new OOBE, Ribbon in Explorer, new Aero resources, and the pattern login (which later became the picture password login). However, while the majority of hidden features were locked using Redpill, simple registry checks remained the method of choice in some areas.

Product policies, a set of values usually used to determine what a particular edition can or cannot do, are now also used to control shell features. This made it considerably harder to overcome the protection, as the majority of licensing data is signed and handled largely at kernel level. The intended method of delivering the Redpill policies into an existing install (clean installs do not ship with them) was activating against the internal win8act server with the parameter configextension=rpp. Unlocking the functionality manually implies the need to sacrifice parts of licensing functionality. Besides product policy sourced values, a sizable chunk of behavior hidden by Redpill also depends on an external library called shsxs.dll, which is not included with the base Windows install and is only copied upon the activation of Redpill. This library is home to a large set of image and DirectUI markup assets, as well as a handful of functions used to initialize various parts of Metro such as Charms bar, Start screen search and the PC settings application.

Nearly all builds from Milestone 1 to shortly after the Developer Preview (currently 7779 to 8123) have Redpill implemented. Exemptions are builds from the fbl_eeap and winmain_win8m3_eeap branches, and notably the winmain compile of build 8020, e.g. build 8064, which do not have any form of Redpill implemented as all traces of Metro user interface components were removed from the operating system at compile time. These builds were released to Microsoft partners via the Ecosystem Engineering Access Program (EEAP). The only available build with Redpill unlocked out of the box is build 8102, the original Developer Preview. Due to the complexity of the mechanism, a formerly widespread method of unlocking Redpill on other builds was to use a modified set of components from build 8102, although the reliability of this method decreased with earlier builds. It wasn't until the introduction of Redlock with a custom version of shsxs.dll reimplemented from scratch that Redpill could be unlocked for builds before build 7927.

Unlockers[edit | edit source]

3 tools have been developed to enable features hidden by Redpill:

  • RedPill Enabler (also known as the MDL Redpill Enabler, named after the forum where it was first published on) was the one of the first public applications meant to enable features restricted by Redpill. It was developed by Vizion, a member of the My Digital Life forum, and was first released on 17 June 2011.
  • Metro Unlocker was developed by MetroFetro, a YouTuber and developer. It was the first public application that allowed for all restricted features to be enabled, including the Start screen, and remained the only application capable of performing such a task from its initial release in 2016 until the release of Redlock in 2020.
  • Redlock was developed by lucasm and gus33000, two BetaWiki members and software developers. The initial version was released on 29 January 2020. The tool is designed to replicate Microsoft's original Redpill implementation as closely as possible.

Windows 10 and later[edit | edit source]

Windows versions since the Windows 10 Anniversary Update utilize a simplified feature locking mechanism which make use of numeric strings internally referred to as Velocity staging keys. These values are controlled by dynamic link library fcon.dll (Feature Configuration) found within the Windows\System32 directory, responsible for managing feature enablements in the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\FeatureManagement key (and related subkeys, such as Overrides and EnterpriseTempControls). Features can also be restored from their previous state through the use of a Last Known Good store (found in HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\FeatureManagement\LastKnownGood) if the library detects problems with the existing overrides. Built-in feature overrides were introduced from as early as Windows 11 build 22606.

The availability of certain features may depend on the current state of an associated staging key. In most cases, feature states can be modified if the priority data returns 8 (User). In certain cases, a feature may be either forcibly enabled or disabled in code if its priority returns ImageDefault. This type of feature lockout also introduces a data type called "variants", which ship multiple treatments for the same staging key. Treatments may vary between devices and installations.

Currently, most features introduced in newer Windows releases employ this method for concealing and/or testing features that are not ready for widespread release to a scoped set of users. The first known feature to use this new feature lockout mechanism is Sets, which was first introduced in Windows 10 build 17618 with staging keys 13849566 and 10727725. Traditional feature enablement checks via the Windows registry remain as a perennial choice for certain aspects of the operating system.

Tools[edit | edit source]

There are four available tools that offer the ability to manage the states of Velocity staging keys:

  • ViVeTool - Developed by Albacore, recommended for enabling features in later builds of Windows 10 and 11.
  • mach2 - Developed by Rafael Rivera, used to enable features from older Windows 10 builds like build 17618's Sets and 18946's new start menu. Discontinued since December 2020.
  • "Experimental features" drop-down menu in Settings (Windows Update > Windows Insider Program); Velocity staging key 40062046 - Included as part of internal Windows builds (e.g.: build 25267 (rs_wdatp_edr)). It is one of two official methods used internally by Microsoft employees to enable various staging keys, such as security fixes from the Microsoft Security Response Center (MSRC), non-public shell features and bugfixes or improvements for internal Windows functionalities (such as the DirectX graphics stack). It may not list features that are currently unfinished.
  • Staging Tool (StagingTool.exe, version 10.0.25910.1000): This is another official internal tool used by Microsoft employees to manage and configure the states of Velocity staging keys through the use of a command line-based user experience, unintentionally distributed in two internal Feedback Hub quests that were made public on 2 August 2023. The link was later taken down, although archived versions of the tool exist online.

Staging Tool help command

StagingTool [version 10.0.25910.1000 (WinBuild.160101.0800)] 

    [StagingTool.exe] Controls the feature configurations for this device

       Usage: StagingTool.exe [/enable  <featureId>]
                              [/disable <featureId>]
                              [/query   [featureId]]
                              [/reset   <featureId>]
                              [/testmode]
                              [/setvariant <featureId> <variantId> [payload]]
                              [/serialize]

                              [/setlkg]
                              [/restorelkg]

                              [/trace <featureId1> [<featureId2> ... <featureIdN>]]

                              [/setbootconfigs <jsonFile> <registryPath>]

       /enable          Enable the specified feature
       /disable         Disable the specified feature
       /query           Query the specified feature (or all features, if featureId
                        is omitted) for enablement and variant information
         /v                 Optional parameter to also print ImageDefault and ImageOverride features

       /reset           Reset the specified feature to its default state

         <featureId>        Specifies a feature by its feature Id
                            Example: Enable features with Id 1

                                StagingTool.exe /enable 1

       /testmode        Used in conjunction with /enable /disable /reset
                        Applied feature configs will revert after reboot

       /telemetry       Used in conjunction with /enable /disable /reset
                        Enables sending additional telemetry

       /setvariant      Select a feature variant to use (note: the feature must be
                        enabled for variants to be expressed). Use /query to list
                        configured variants.

         <featureId>        Specifies a feature by its feature Id

         <variantId>        Specifies a feature variant by id.

         [payload]          (Optional) Unsigned int payload for the variant
                            (for variants that support fixed payload)

       /serialize       Rather than apply changes to the local machine, use this
                        option to print out (in reg.exe/hex format) a new config
                        with all of the requested changes. This can be used for
                        offline updates to VHDs prior to first boot.

       /setlkg          Set Boot time feature override states as LKG Configurations
       /restorelkg      Restore Boot time LKG configurations states Feature Configurations

       /trace           Realtime ETW trace for the specified feature(s) usage in code
                        E.g. enable trace for the feature with ID 1235441: StagingTool.exe /trace 1235441

       /?                Show command usage

Gallery[edit | edit source]