Windows 95 build 224

4.00.224
Build of Windows 95
Screenshot
Release nameBeta 2
OS familyWindows 9x
Version number4.00
Build number224
Architecturex86
Compiled on1994-11-03
Expiration date
Timebomb1995-03-31 (+148 days)
Product key
Beta Site ID186349
Password94730fb34
About dialog
Windows95-4.0.224-About.png
TCB.png TCBGallery.png BA.png

Windows 95 build 224 is the official Beta 2 build of Windows 95. It is available in both free and check/debug versions. However, the check/debug version of the build is not usable and refuses to boot due to a missing USER32.DLL.

In spite of date printed on CDs which were sent to testers, as well as content files' timestamp are set to 1994-10-28, however the layout.inf file in PRECOPY2.CAB suggests that the build was actually built on 1994-11-03, and thus it is possible that Microsoft decided to intentionally change the timestamps of the media files for an unknown reason.

NFO file[edit | edit source]

The following NFO file was included as part of the PWA release.[1]

NFO contents

                                             ▄▓▄
              ▄█▄                          ▄▀▒▓▌
             ▐██▄▀▀▄              ▄      ▄▀ ░▒▓
             ██████▄▀▄          ▄▀▓▌   ▄▀   ░▓▌ ▄▄
            ▐███████▌▐▌       ▄▀ ▒▓    ▐▌  ░▒▓ ▐▌▐██▄▄        .
           ▄█████████▌█     ▄▀  ░▓▌     █ ░▒▓▌ █ █████▀▀▄▄   ■
            ▀▀█████████▌  ▄▀   ░▒▓      ▐▌░▒▓  ▐▌▐██▀  ▄  ▀▄▀
               ▀████████   █  ░▒▓▌      █░▒▓▌   ▀▄██▌   ▀▄
          ▌     ▐██████▌   ▐▌░▒▓▀  ▄▀  ▐░▒▓▀    ▄ ▀█▀     █▄
          ▐▌ ▐   ██████    █░▒▒▀ ▄▀ ▀ ▄▀▄▀     ▐▓░▄   ▄▄  ▐▀▄
────────── ▓▄▀▌ ▐█████▌───▐░▒▒ ▄▀   ▄█▀▀ ───── ▓▒░▐▌ ▀   ─ █▓█ ───-───-─· ·
           ▐▓ ▀▄█████▀    █▄▀     ▄▀    ▀▄    ▐▓▒  █      ▐▌▒▓▌
            ▄▓▓████▀     ▐▀      ■            ▓▒░  ▐▌    ▄▀ ░▒▓
          ▄▓▓██▀▀ ▄▄    ▄▀      .            ▐▓▒░   ▀▄    ▀▄ ░▓▌
         ▐▓▓▀ ▄▓    ▀▀▄▄▄                    ▓▒░     ▄▀     ▀▄▒▓
         ▓▒▌  ▐▓▒        ▀▀▀▄               ▐▓▒░░  ▄▀         ▀
         ▐▓▄   █▓▒       ░▄▀                ▀▓▓▒▒░▀
          ▀▓▀  ▐▓▒░    ░▄▀                    ▀▓▀     ..R.Noble 
                █▓▒░░░▄▀
                █▓▒▒▒▀     ... Pirates With Attitudes
               ▐▓▓▒▀
              ▄▓▓▀           Proudly Presents ...
═══════════════▀═════════════════════════════════════════════════════════════
│ ⌐ Windows 95 Official Beta 2 Build 224                at 11-09-94 16:00 ¬ │
│───────────────────────────────────────────────────────────────────────────│─
│ Supplier .....: Dark Lord            │ Type .....: Win. Comp              │
│ Cracker ......: N/A                  │ Video ....:                        │
│ Packager .....: Les Manley           │ Audio ....:                        │
│ Protection ...: S/N                  │ Rating ...: [■■■■■■■■■-]           │
═══════════════════════════════════════════════════════════════════════════════

   There is a protection on this one to like every other version's on W95
   NTA's user id is working on this one to.. 
   BETA ID: 162330 Location:01a74a138
   

   Special Note: We're all thinking of you Blackhawk! Hope you get
                 well real soon....

                 In the mean time, Snakes Place will be acting World HQ

                           -/ This is PWA -\


┐──────────────────┐────────────────────────────────────────-- -   -  ·· ·  ·
│ President .......│ Orion
└──────────────────┐────────-───- -- ·· ··  ·
│ Council .........│ Blackhawk, Dark Lord, Les Manley, Satman, Snake
└──────────────────┐─────────────────--- -   -  · · ··   ·
│ Senior Members ..│ Gordon Gekko, Rambone, Raw Liquid, Vigilante
└──────────────────┐─────────────────--- -   -  · · ··   ·
│ Members .........│ Charlie, Chowdery, DreamWEaver, Gumby, Ixcalthar,
│                  │ Kracken, Marlenus, Mr. Eagle, Roland of Gilead, Skybum
│                  │ Snidely Whiplash
└──────────────────┐─────────────────--- -   -  · · ··   ·
│ Affiliate .......│ Ares, Defcon-4, Drew, Mad Wizard, Magic Design,
│   Programmers ...│ Soul Rebel, Straight Jacket
════════════════════════════════════════════════════─════─═───-──-─--  ·· ·  ·

⌠ ────────────────────────────────────────────────────────────────────────────
│ Bulletin Board Name······│ Status······Nodes │ AC· │ SysOp ·············· │
───────────────────────────│───────────────────│─────│────────────────────────
│ Assassins' Guild ······· │ World HQ ····[11] │ XXX │ Blackhawk / R.Liquid │
│ Snake's Place ·········· │ U.S. HQ ······[4] │ XXX │ Snake ·············· │
│ Second Front ··········· │ European HQ ··[4] │ +XX │ Les Manley ········· │
───────────────────────────│───────────────────│─────│────────────────────────
│ Boner's Domain ········· │ Member Board ·[4] │ XXX │ Rambone ············ │
│ GetaWay ················ │ Member Board ·[5] │ +XX │ Macro Nit ·········· │
│ Falcon's Eye ··········· │ Member Board ·[5] │ XXX │ Ixcalthar ·········· │
│ Origin Unknown ········· │ Member Board ·[2] │ XXX │ Satman ············· │
│ Rising Sun·············· │ Member Board ·[1] │ XXX │ Orion  ············· │
│ Velvet Underground ····· │ Member Board ·[2] │ XXX │ Vigilante ·········· │
───────────────────────────│───────────────────│─────│────────────────────────
│ Belly of the Beast······ │ Affiliate ····[1] │ 603 │ Sulfuric Acid ······ │
│ Warez Shack ············ │ Affiliate ····[2] │ 404 │ Reich ·············· │
│ Access Denied ·········· │ Affiliate ····[3] │ 619 │ Criminal ··········· │
═══════════════════════════════════════════════════════════════════════════════

            If you are going to do it ... Do it with an ATTITUDE!


   Please note that PWA is NOT accepting pay sites of any nature.... We're 
   in this for fun and entertainment, not to try to make ourselves rich. :)


────────────────────────────────┤ Final Note ├─────────────────────────────────
 ║ Support the software companies! If you enjoy using a program or using a   ║
 ║ Util, consider buying it! Someone's got to make it worth the programmer's ║
 ║ effort to keep up the high standards... They made it, so they DESERVE it! ║
───────────────────────────────────────────────────────────────────────────────

Bugs[edit | edit source]

Checked/debug version[edit | edit source]

Before getting into the reason of the problem, let's first get some more information about both free and checked/debug USER.EXE, since the blue screen of death error is occurring in USER.EXE's memory range.

It is worth saying that all other debug files operate properly and the system can boot with the checked/debug USER.EXE being replaced with the free/retail one. But we're not going to get any statement mentioning that the build is (Debug), nor we will see a desktop watermark saying "Debug Windows 4.00.224" at the right-bottom side of the screen since these strings are located in USER.EXE itself.

So, by measuring a lot of activity happening in the system during booting using the checked/debug USER.EXE by attaching terminal to WDEB386, and tracing where it might be faulting in, we ended into the following code in USER32.DLL:

013F:BFF64320  MOV     EAX,DWORD PTR [BFF6614E]
013F:BFF64325  MOV     AX,WORD PTR [EAX+0000024E]
013F:BFF6432C  SUB     AX,0EAA
013F:BFF64330  CMP     AX,0001
013F:BFF64334  SBB     EAX,EAX
013F:BFF64336  NEG     EAX
013F:BFF64338  RETD

Looking at the code in kernel-debugger, the area where it gets information from (i.e. address stored in DS:BFF6614E + 0x24E to it) was figured to be from a text: "Status = .Terminate =", and then subtracting 0xEAA from it and negation, looks like it's where the issue is located since before it returns, AX is 00000000. When we set it to 1 manually (r ax=1) and continuing booting the build, it showed the GUI.

But we still have encountered a Trap14 (0x0E). This time it was due to invalid address:

Trap 14 (0EH) - Page Fault 0004, Not Present, Read Access, User Mode
AX=91EFA600  BX=0066FA96  CX=815E173C  DX=00040990  SI=00540494  DI=0066FBA0
IP=BFF6467E  SP=0066F7B8  BP=0066FA18  CR2=91EFA646  CR3=003EE  IOPL=0  F=-- --
CS=013F  SS=0147  DS=0147  ES=0147  FS=1CBF  GS=1B57 -- NV UP EI NG NZ NA PE NC
013F:BFF6467E  MOVZX   EAX,WORD PTR [EAX+46]                DS:91EFA646=INVALID

Looking back into code that was prior to this line, we saw this:

013F:BFF6468D  MOV     EAX,DWORD PTR [BFF6614E]

So now we knew that this address (BFF6614E) has something important to do with the issue, if it is not even the case.

This address was later recognized to be the Shared Table address of USER32.DLL, and its pointer is to code segment 21 in USER.EXE, so now we need to do a comparison between the two USER.EXEs.

Thanks to Watcom Binary files dumper (wdump.exe) for its detailed report about USER.EXE. We have got the following information about this specific segment:

  • Segment 21h in free USER.EXE starts at offset 0x67440 in the file and has a size of 0x452 and allocation of 0xEAA.
  • Segment 21h in check/debug USER.EXE starts at offset 0x7E080 in the file, and has a size of 0x992 and allocation of 0x13EA.

By the help also of HxD, we copy/pasted segments from the files and compared them, and we discovered that the beginning of reserved area for data in the segment itself in the free USER.EXE starts at 0xAD, while in the check/debug one, it starts at 0x37B. So now we have the following two clues:

  • The difference between allocations of free and checked/debug USER.EXE is 0x13EA - 0xEAA = 0x540.
  • The difference between data locations between the two USER.EXEs is 0x37B - 0xAD = 0x2CE.

Now, by looking into the code, we can imagine the following: If all pointers between 0xAD and 0x452 in free USER.EXE should point to a location in the spare area in the segment, and between 0x452 and 0xEAA should point in the additional allocation by the operating system outside the segment's data, then in Check/debug USER.EXE should has its corresponding locations.

Now we switch over to IDA. We loaded USER32.DLL into it and searched for all codes that have BFF6614E into it, and we got around 20 results. What we are going to do now is the following:

  • We look for any code with this layout:
MOV reg, DWORD PTR [BFF6614E]
ADD reg, offset

Or

MOV reg1, DWORD PTR [BFF6614E]
MOV reg2, (D)WORD PTR [reg1+offset]
  • Now we look into the 'offset' value. If it was between 0xAD and 0x452, we need to add 0x2CE to it. If it was between 0x452 and 0xEAA, we should add 0x540 to it, and if it's beyond 0xEAA (e.g. 0x10000 was one of our results) then this should be left unchanged since it now points to another segment, which might be correct.
  • By using HxD to edit manually most of the results that can satisfy our needs, this build can be brought to boot and work without any issue.

Gallery[edit | edit source]

Miscellaneous[edit | edit source]

Floppy disk scans[edit | edit source]

References[edit | edit source]