Cmd XP 65001 Fix

The stock cmd.exe on Windows XP cannot run a batch script file
when code page 65001 (UTF-8) is in use.

The problem was fixed in the Windows 7 version.
The cause is that cmd.exe on Windows XP internally
calls the MultiByteToWideChar function with
the dwFlags argument set to 1.
The documentation says this:
"For UTF-8 dwFlags must be set to 0. Otherwise, the function fails".
To solve this, a patch was created (by Jason Hood) that implements
the behaviour of the Windows 7 version, which consists
of determining dwFlags according to the code page.
Note: this patch is for version 5.1.2600.5512 (the one that comes
with Service Pack 3).

To apply the patch you need to download two files:

bwpatch utility

Original url (includes sources):

Patch: cmd-utf8-new.patch

Content of cmd-utf8-new.patch:
# Patch XP's CMD.EXE (5.1.2600.5512) to work with UTF-8 batch files.
# Updated 19 may 2014

File: cmd.exe
005E57: E8C49B010090	[ FF155811D04A ]
00A477: E8A455010090	[ FF155811D04A ]
0162E6: E83597000090	[ FF155811D04A ]
01A3A5: E87656000090	[ FF155811D04A ]
01C2DD: E83E37000090	[ FF155811D04A ]
01FA20: 8B44E40485C07519687C49D04AFF153C  [ 00000000000000000000000000000000 ]
        11D04A68AC06D24A50FF153811D04AFF  [ 00000000000000000000000000000000 ]
        D03D35C4000074570F8727            [ 0000000000000000000000 ]
01FA4E: 83F82A744C3D2CC4000072153D2EC400  [ 00000000000000000000000000000000 ]
        00763E3D31C4000074373D33C4000074  [ 00000000000000000000000000000000 ]
        30FF255811D04A3DC8CE000074233D98  [ 00000000000000000000000000000000 ]
        D60000741C3DAADE000072E53DB3DE00  [ 00000000000000000000000000000000 ]
        00760E3DE8FD000072D73DE9FD000077  [ 00000000000000000000000000000000 ]
        D0C644E40800FF255811D04A00004765  [ 00000000000000000000000000000000 ]
        74414350                          [ 00000000 ]
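
A patch for a system binary is worth checking before it is applied. The following added example (not part of the original page or of bwpatch) parses the records above and confirms that all five call sites redirect to file offset 01FA20 and that the new code overwrites only zero bytes. The record layout ("offset: new bytes [ original bytes ]") and the single-section assumption are inferred from the listing.

```python
import re

# cmd-utf8-new.patch records as listed above (comment lines omitted). Assumed layout:
# "offset: new bytes [ original bytes ]"; a line without offset continues the record.
PATCH = """
005E57: E8C49B010090  [ FF155811D04A ]
00A477: E8A455010090  [ FF155811D04A ]
0162E6: E83597000090  [ FF155811D04A ]
01A3A5: E87656000090  [ FF155811D04A ]
01C2DD: E83E37000090  [ FF155811D04A ]
01FA20: 8B44E40485C07519687C49D04AFF153C  [ 00000000000000000000000000000000 ]
        11D04A68AC06D24A50FF153811D04AFF  [ 00000000000000000000000000000000 ]
        D03D35C4000074570F8727            [ 0000000000000000000000 ]
01FA4E: 83F82A744C3D2CC4000072153D2EC400  [ 00000000000000000000000000000000 ]
        00763E3D31C4000074373D33C4000074  [ 00000000000000000000000000000000 ]
        30FF255811D04A3DC8CE000074233D98  [ 00000000000000000000000000000000 ]
        D60000741C3DAADE000072E53DB3DE00  [ 00000000000000000000000000000000 ]
        00760E3DE8FD000072D73DE9FD000077  [ 00000000000000000000000000000000 ]
        D0C644E40800FF255811D04A00004765  [ 00000000000000000000000000000000 ]
        74414350                          [ 00000000 ]
"""
LINE = re.compile(r"\s*(?:([0-9A-Fa-f]+):)?\s*([0-9A-Fa-f]+)\s*\[\s*([0-9A-Fa-f]+)\s*\]")

def parse(text):
    """Return [(file_offset, new_bytes, original_bytes)] with continuations merged."""
    records = []
    for m in filter(None, map(LINE.match, text.splitlines())):
        off, new, old = m[1], bytes.fromhex(m[2]), bytes.fromhex(m[3])
        if off is None:                       # continuation of the previous record
            prev = records.pop()
            records.append((prev[0], prev[1] + new, prev[2] + old))
        else:
            records.append((int(off, 16), new, old))
    return records

def audit(text):
    """Return (call_targets, cave_start, cave_overwrites_only_zero_bytes)."""
    calls, cave = {}, []
    for off, new, old in parse(text):
        if len(new) == 6 and new[0] == 0xE8:  # E8 rel32 + 90 (nop) over a 6-byte call
            rel = int.from_bytes(new[1:5], "little", signed=True)
            calls[off] = off + 5 + rel        # target = next instruction + rel32
        else:
            cave.append((off, old))
    # Assumption: call sites and new code share one section, so file offsets suffice.
    return calls, min(o for o, _ in cave), all(not any(old) for _, old in cave)

if __name__ == "__main__":
    calls, cave_start, clean = audit(PATCH)
    print({f"{s:06X}": f"{t:06X}" for s, t in calls.items()}, f"{cave_start:06X}", clean)
```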

Unzip the bwpatch utility into a directory, in this case C:\batch.
Put the file cmd-utf8-new.patch in the same directory.
Now run these commands (provided by Jason Hood):
Copy %SystemRoot%\system32\cmd.exe
bwpatchw.exe cmd.exe -f cmd-utf8-new.patch
Copy /Y cmd.exe "%SystemRoot%\system32\cmdutf8.exe"
Set "key=HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cmd.exe"
Reg.exe add "%key%" /v "Debugger" /d "%SystemRoot%\system32\cmdutf8.exe" /f

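Now every time the system runs "cmd.exe" it will run cmdutf8.exe as if it were cmd.exe.
This works through the Debugger value written by the last command: Windows starts the program named there whenever cmd.exe is launched, and deleting the value restores the normal behaviour.
This approach is used because if you replace the original cmd.exe with the patched cmd.exe,
Windows will restore it (because it protects system files from modification).
This solution is really functional.
Now, if you run the command prompt, it internally uses cmdutf8.exe.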

Many thanks to Jason Hood for all the help with this patch solution.

The source of the patch, for use with the multiasm plugin for OllyDbg 2.01:


Content of cmd-xp-new.asm:
; Patch XP's CMD.EXE (5.1.2600.5512) to work with UTF-8 batch files.
; Method discovered by Carlos, patch by adoxa.
; Created 14 may 2014
; Fixed 19 may 2014 by Carlos

;; The five call sites patched at file offsets 005E57, 00A477, 0162E6,
;; 01A3A5 and 01C2DD: each call dword[4ad01158] becomes a call to the new code.
call 4ad20620
call 4ad20620
call 4ad20620
call 4ad20620
call 4ad20620

;; New code at 4ad20620 (file offset 01FA20 in cmd-utf8-new.patch)
mov eax,[esp+4] ;; code page
test eax,eax
jnz short @f ;; code page 0 (CP_ACP): look up the real one with GetACP
push 4ad0497c ;; push lpModuleName =  L"kernel32.dll"
call dword[4ad0113c] ;; hModule = call GetModuleHandleW
push @GetACP ;; push lpProcName = "GetACP"
push eax ;; push hModule
call dword[4ad01138] ;; *func = GetProcAddress
call eax ;; call func()
@@:
;; Code pages that need dwFlags = 0 jump to the last @@; all others go to @ok.
cmp eax,50229.
je short @f
ja @bigger
cmp eax,42.
je short @f
cmp eax,50220.
jb short @ok
cmp eax,50222.
jbe short @f
cmp eax,50225.
je short @f
cmp eax,50227.
je short @f
@ok:
jmp dword[4ad01158] ;; MultiByteToWideChar, flags unchanged
@bigger:
cmp eax,52936.
je short @f
cmp eax,54936.
je short @f
cmp eax,57002.
jb short @ok
cmp eax,57011.
jbe short @f
cmp eax,65000.
jb short @ok
cmp eax,65001.
ja short @ok
@@:
mov byte[esp+8],0 ;; flags
jmp dword[4ad01158] ;; MultiByteToWideChar

@GetACP@4: "GetACP\0"