action: fix build

chore: update utls
chore: remove unused global goroutine in kcp-go
2026-03-04 04:47:30 +00:00 · 2025-10-15 01:35:29 +08:00 · 2025-10-14 23:08:15 +08:00 · 2025-10-08 02:36:37 +08:00 · 2025-10-06 09:23:22 +08:00 · 2025-10-06 09:16:50 +08:00
33 changed files with 3097 additions and 635 deletions
--- a/.github/patch/go1.21.patch
+++ b/.github/patch/go1.21.patch
@@ -0,0 +1,182 @@
+Subject: [PATCH] Revert "[release-branch.go1.21] crypto/rand,runtime: switch RtlGenRandom for ProcessPrng"
+---
+Index: src/crypto/rand/rand.go
+IDEA additional info:
+Subsystem: com.intellij.openapi.diff.impl.patch.CharsetEP
+<+>UTF-8
+===================================================================
+diff --git a/src/crypto/rand/rand.go b/src/crypto/rand/rand.go
+--- a/src/crypto/rand/rand.go	(revision 8bba868de983dd7bf55fcd121495ba8d6e2734e7)
+++ b/src/crypto/rand/rand.go	(revision 7e6c963d81e14ee394402671d4044b2940c8d2c1)
+@@ -15,7 +15,7 @@
+ // available, /dev/urandom otherwise.
+ // On OpenBSD and macOS, Reader uses getentropy(2).
+ // On other Unix-like systems, Reader reads from /dev/urandom.
+-// On Windows systems, Reader uses the ProcessPrng API.
+// On Windows systems, Reader uses the RtlGenRandom API.
+ // On JS/Wasm, Reader uses the Web Crypto API.
+ // On WASIP1/Wasm, Reader uses random_get from wasi_snapshot_preview1.
+ var Reader io.Reader
+Index: src/crypto/rand/rand_windows.go
+IDEA additional info:
+Subsystem: com.intellij.openapi.diff.impl.patch.CharsetEP
+<+>UTF-8
+===================================================================
+diff --git a/src/crypto/rand/rand_windows.go b/src/crypto/rand/rand_windows.go
+--- a/src/crypto/rand/rand_windows.go	(revision 8bba868de983dd7bf55fcd121495ba8d6e2734e7)
+++ b/src/crypto/rand/rand_windows.go	(revision 7e6c963d81e14ee394402671d4044b2940c8d2c1)
+@@ -15,8 +15,11 @@
+ 
+ type rngReader struct{}
+ 
+-func (r *rngReader) Read(b []byte) (int, error) {
+-	if err := windows.ProcessPrng(b); err != nil {
+func (r *rngReader) Read(b []byte) (n int, err error) {
+	// RtlGenRandom only returns 1<<32-1 bytes at a time. We only read at
+	// most 1<<31-1 bytes at a time so that  this works the same on 32-bit
+	// and 64-bit systems.
+	if err := batched(windows.RtlGenRandom, 1<<31-1)(b); err != nil {
+ 		return 0, err
+ 	}
+ 	return len(b), nil
+Index: src/internal/syscall/windows/syscall_windows.go
+IDEA additional info:
+Subsystem: com.intellij.openapi.diff.impl.patch.CharsetEP
+<+>UTF-8
+===================================================================
+diff --git a/src/internal/syscall/windows/syscall_windows.go b/src/internal/syscall/windows/syscall_windows.go
+--- a/src/internal/syscall/windows/syscall_windows.go	(revision 8bba868de983dd7bf55fcd121495ba8d6e2734e7)
+++ b/src/internal/syscall/windows/syscall_windows.go	(revision 7e6c963d81e14ee394402671d4044b2940c8d2c1)
+@@ -384,7 +384,7 @@
+ //sys	DestroyEnvironmentBlock(block *uint16) (err error) = userenv.DestroyEnvironmentBlock
+ //sys	CreateEvent(eventAttrs *SecurityAttributes, manualReset uint32, initialState uint32, name *uint16) (handle syscall.Handle, err error) = kernel32.CreateEventW
+ 
+-//sys	ProcessPrng(buf []byte) (err error) = bcryptprimitives.ProcessPrng
+//sys	RtlGenRandom(buf []byte) (err error) = advapi32.SystemFunction036
+ 
+ //sys	RtlLookupFunctionEntry(pc uintptr, baseAddress *uintptr, table *byte) (ret uintptr) = kernel32.RtlLookupFunctionEntry
+ //sys	RtlVirtualUnwind(handlerType uint32, baseAddress uintptr, pc uintptr, entry uintptr, ctxt uintptr, data *uintptr, frame *uintptr, ctxptrs *byte) (ret uintptr) = kernel32.RtlVirtualUnwind
+Index: src/internal/syscall/windows/zsyscall_windows.go
+IDEA additional info:
+Subsystem: com.intellij.openapi.diff.impl.patch.CharsetEP
+<+>UTF-8
+===================================================================
+diff --git a/src/internal/syscall/windows/zsyscall_windows.go b/src/internal/syscall/windows/zsyscall_windows.go
+--- a/src/internal/syscall/windows/zsyscall_windows.go	(revision 8bba868de983dd7bf55fcd121495ba8d6e2734e7)
+++ b/src/internal/syscall/windows/zsyscall_windows.go	(revision 7e6c963d81e14ee394402671d4044b2940c8d2c1)
+@@ -37,14 +37,13 @@
+ }
+ 
+ var (
+-	modadvapi32         = syscall.NewLazyDLL(sysdll.Add("advapi32.dll"))
+-	modbcryptprimitives = syscall.NewLazyDLL(sysdll.Add("bcryptprimitives.dll"))
+-	modiphlpapi         = syscall.NewLazyDLL(sysdll.Add("iphlpapi.dll"))
+-	modkernel32         = syscall.NewLazyDLL(sysdll.Add("kernel32.dll"))
+-	modnetapi32         = syscall.NewLazyDLL(sysdll.Add("netapi32.dll"))
+-	modpsapi            = syscall.NewLazyDLL(sysdll.Add("psapi.dll"))
+-	moduserenv          = syscall.NewLazyDLL(sysdll.Add("userenv.dll"))
+-	modws2_32           = syscall.NewLazyDLL(sysdll.Add("ws2_32.dll"))
+	modadvapi32 = syscall.NewLazyDLL(sysdll.Add("advapi32.dll"))
+	modiphlpapi = syscall.NewLazyDLL(sysdll.Add("iphlpapi.dll"))
+	modkernel32 = syscall.NewLazyDLL(sysdll.Add("kernel32.dll"))
+	modnetapi32 = syscall.NewLazyDLL(sysdll.Add("netapi32.dll"))
+	modpsapi    = syscall.NewLazyDLL(sysdll.Add("psapi.dll"))
+	moduserenv  = syscall.NewLazyDLL(sysdll.Add("userenv.dll"))
+	modws2_32   = syscall.NewLazyDLL(sysdll.Add("ws2_32.dll"))
+ 
+ 	procAdjustTokenPrivileges        = modadvapi32.NewProc("AdjustTokenPrivileges")
+ 	procDuplicateTokenEx             = modadvapi32.NewProc("DuplicateTokenEx")
+@@ -53,7 +52,7 @@
+ 	procOpenThreadToken              = modadvapi32.NewProc("OpenThreadToken")
+ 	procRevertToSelf                 = modadvapi32.NewProc("RevertToSelf")
+ 	procSetTokenInformation          = modadvapi32.NewProc("SetTokenInformation")
+-	procProcessPrng                  = modbcryptprimitives.NewProc("ProcessPrng")
+	procSystemFunction036            = modadvapi32.NewProc("SystemFunction036")
+ 	procGetAdaptersAddresses         = modiphlpapi.NewProc("GetAdaptersAddresses")
+ 	procCreateEventW                 = modkernel32.NewProc("CreateEventW")
+ 	procGetACP                       = modkernel32.NewProc("GetACP")
+@@ -149,12 +148,12 @@
+ 	return
+ }
+ 
+-func ProcessPrng(buf []byte) (err error) {
+func RtlGenRandom(buf []byte) (err error) {
+ 	var _p0 *byte
+ 	if len(buf) > 0 {
+ 		_p0 = &buf[0]
+ 	}
+-	r1, _, e1 := syscall.Syscall(procProcessPrng.Addr(), 2, uintptr(unsafe.Pointer(_p0)), uintptr(len(buf)), 0)
+	r1, _, e1 := syscall.Syscall(procSystemFunction036.Addr(), 2, uintptr(unsafe.Pointer(_p0)), uintptr(len(buf)), 0)
+ 	if r1 == 0 {
+ 		err = errnoErr(e1)
+ 	}
+Index: src/runtime/os_windows.go
+IDEA additional info:
+Subsystem: com.intellij.openapi.diff.impl.patch.CharsetEP
+<+>UTF-8
+===================================================================
+diff --git a/src/runtime/os_windows.go b/src/runtime/os_windows.go
+--- a/src/runtime/os_windows.go	(revision 8bba868de983dd7bf55fcd121495ba8d6e2734e7)
+++ b/src/runtime/os_windows.go	(revision 7e6c963d81e14ee394402671d4044b2940c8d2c1)
+@@ -127,8 +127,15 @@
+ 	_AddVectoredContinueHandler,
+ 	_ stdFunction
+ 
+-	// Use ProcessPrng to generate cryptographically random data.
+-	_ProcessPrng stdFunction
+	// Use RtlGenRandom to generate cryptographically random data.
+	// This approach has been recommended by Microsoft (see issue
+	// 15589 for details).
+	// The RtlGenRandom is not listed in advapi32.dll, instead
+	// RtlGenRandom function can be found by searching for SystemFunction036.
+	// Also some versions of Mingw cannot link to SystemFunction036
+	// when building executable as Cgo. So load SystemFunction036
+	// manually during runtime startup.
+	_RtlGenRandom stdFunction
+ 
+ 	// Load ntdll.dll manually during startup, otherwise Mingw
+ 	// links wrong printf function to cgo executable (see issue
+@@ -145,12 +152,12 @@
+ )
+ 
+ var (
+-	bcryptprimitivesdll = [...]uint16{'b', 'c', 'r', 'y', 'p', 't', 'p', 'r', 'i', 'm', 'i', 't', 'i', 'v', 'e', 's', '.', 'd', 'l', 'l', 0}
+-	kernel32dll         = [...]uint16{'k', 'e', 'r', 'n', 'e', 'l', '3', '2', '.', 'd', 'l', 'l', 0}
+-	ntdlldll            = [...]uint16{'n', 't', 'd', 'l', 'l', '.', 'd', 'l', 'l', 0}
+-	powrprofdll         = [...]uint16{'p', 'o', 'w', 'r', 'p', 'r', 'o', 'f', '.', 'd', 'l', 'l', 0}
+-	winmmdll            = [...]uint16{'w', 'i', 'n', 'm', 'm', '.', 'd', 'l', 'l', 0}
+-	ws2_32dll           = [...]uint16{'w', 's', '2', '_', '3', '2', '.', 'd', 'l', 'l', 0}
+	advapi32dll = [...]uint16{'a', 'd', 'v', 'a', 'p', 'i', '3', '2', '.', 'd', 'l', 'l', 0}
+	kernel32dll = [...]uint16{'k', 'e', 'r', 'n', 'e', 'l', '3', '2', '.', 'd', 'l', 'l', 0}
+	ntdlldll    = [...]uint16{'n', 't', 'd', 'l', 'l', '.', 'd', 'l', 'l', 0}
+	powrprofdll = [...]uint16{'p', 'o', 'w', 'r', 'p', 'r', 'o', 'f', '.', 'd', 'l', 'l', 0}
+	winmmdll    = [...]uint16{'w', 'i', 'n', 'm', 'm', '.', 'd', 'l', 'l', 0}
+	ws2_32dll   = [...]uint16{'w', 's', '2', '_', '3', '2', '.', 'd', 'l', 'l', 0}
+ )
+ 
+ // Function to be called by windows CreateThread
+@@ -249,11 +256,11 @@
+ 	}
+ 	_AddVectoredContinueHandler = windowsFindfunc(k32, []byte("AddVectoredContinueHandler\000"))
+ 
+-	bcryptPrimitives := windowsLoadSystemLib(bcryptprimitivesdll[:])
+-	if bcryptPrimitives == 0 {
+-		throw("bcryptprimitives.dll not found")
+	a32 := windowsLoadSystemLib(advapi32dll[:])
+	if a32 == 0 {
+		throw("advapi32.dll not found")
+ 	}
+-	_ProcessPrng = windowsFindfunc(bcryptPrimitives, []byte("ProcessPrng\000"))
+	_RtlGenRandom = windowsFindfunc(a32, []byte("SystemFunction036\000"))
+ 
+ 	n32 := windowsLoadSystemLib(ntdlldll[:])
+ 	if n32 == 0 {
+@@ -610,7 +617,7 @@
+ //go:nosplit
+ func getRandomData(r []byte) {
+ 	n := 0
+-	if stdcall2(_ProcessPrng, uintptr(unsafe.Pointer(&r[0])), uintptr(len(r)))&0xff != 0 {
+	if stdcall2(_RtlGenRandom, uintptr(unsafe.Pointer(&r[0])), uintptr(len(r)))&0xff != 0 {
+ 		n = len(r)
+ 	}
+ 	extendRandom(r, n)
--- a/.github/patch/go1.22.patch
+++ b/.github/patch/go1.22.patch
@@ -0,0 +1,645 @@
+Subject: [PATCH] Revert "runtime: always use LoadLibraryEx to load system libraries"
+Revert "syscall: remove Windows 7 console handle workaround"
+Revert "net: remove sysSocket fallback for Windows 7"
+Revert "crypto/rand,runtime: switch RtlGenRandom for ProcessPrng"
+---
+Index: src/crypto/rand/rand.go
+IDEA additional info:
+Subsystem: com.intellij.openapi.diff.impl.patch.CharsetEP
+<+>UTF-8
+===================================================================
+diff --git a/src/crypto/rand/rand.go b/src/crypto/rand/rand.go
+--- a/src/crypto/rand/rand.go	(revision cb4eee693c382bea4222f20837e26501d40ed892)
+++ b/src/crypto/rand/rand.go	(revision 9779155f18b6556a034f7bb79fb7fb2aad1e26a9)
+@@ -15,7 +15,7 @@
+ // available, /dev/urandom otherwise.
+ // On OpenBSD and macOS, Reader uses getentropy(2).
+ // On other Unix-like systems, Reader reads from /dev/urandom.
+-// On Windows systems, Reader uses the ProcessPrng API.
+// On Windows systems, Reader uses the RtlGenRandom API.
+ // On JS/Wasm, Reader uses the Web Crypto API.
+ // On WASIP1/Wasm, Reader uses random_get from wasi_snapshot_preview1.
+ var Reader io.Reader
+Index: src/crypto/rand/rand_windows.go
+IDEA additional info:
+Subsystem: com.intellij.openapi.diff.impl.patch.CharsetEP
+<+>UTF-8
+===================================================================
+diff --git a/src/crypto/rand/rand_windows.go b/src/crypto/rand/rand_windows.go
+--- a/src/crypto/rand/rand_windows.go	(revision cb4eee693c382bea4222f20837e26501d40ed892)
+++ b/src/crypto/rand/rand_windows.go	(revision 9779155f18b6556a034f7bb79fb7fb2aad1e26a9)
+@@ -15,8 +15,11 @@
+ 
+ type rngReader struct{}
+ 
+-func (r *rngReader) Read(b []byte) (int, error) {
+-	if err := windows.ProcessPrng(b); err != nil {
+func (r *rngReader) Read(b []byte) (n int, err error) {
+	// RtlGenRandom only returns 1<<32-1 bytes at a time. We only read at
+	// most 1<<31-1 bytes at a time so that  this works the same on 32-bit
+	// and 64-bit systems.
+	if err := batched(windows.RtlGenRandom, 1<<31-1)(b); err != nil {
+ 		return 0, err
+ 	}
+ 	return len(b), nil
+Index: src/internal/syscall/windows/syscall_windows.go
+IDEA additional info:
+Subsystem: com.intellij.openapi.diff.impl.patch.CharsetEP
+<+>UTF-8
+===================================================================
+diff --git a/src/internal/syscall/windows/syscall_windows.go b/src/internal/syscall/windows/syscall_windows.go
+--- a/src/internal/syscall/windows/syscall_windows.go	(revision cb4eee693c382bea4222f20837e26501d40ed892)
+++ b/src/internal/syscall/windows/syscall_windows.go	(revision 9779155f18b6556a034f7bb79fb7fb2aad1e26a9)
+@@ -384,7 +384,7 @@
+ //sys	DestroyEnvironmentBlock(block *uint16) (err error) = userenv.DestroyEnvironmentBlock
+ //sys	CreateEvent(eventAttrs *SecurityAttributes, manualReset uint32, initialState uint32, name *uint16) (handle syscall.Handle, err error) = kernel32.CreateEventW
+ 
+-//sys	ProcessPrng(buf []byte) (err error) = bcryptprimitives.ProcessPrng
+//sys	RtlGenRandom(buf []byte) (err error) = advapi32.SystemFunction036
+ 
+ type FILE_ID_BOTH_DIR_INFO struct {
+ 	NextEntryOffset uint32
+Index: src/internal/syscall/windows/zsyscall_windows.go
+IDEA additional info:
+Subsystem: com.intellij.openapi.diff.impl.patch.CharsetEP
+<+>UTF-8
+===================================================================
+diff --git a/src/internal/syscall/windows/zsyscall_windows.go b/src/internal/syscall/windows/zsyscall_windows.go
+--- a/src/internal/syscall/windows/zsyscall_windows.go	(revision cb4eee693c382bea4222f20837e26501d40ed892)
+++ b/src/internal/syscall/windows/zsyscall_windows.go	(revision 9779155f18b6556a034f7bb79fb7fb2aad1e26a9)
+@@ -37,14 +37,13 @@
+ }
+ 
+ var (
+-	modadvapi32         = syscall.NewLazyDLL(sysdll.Add("advapi32.dll"))
+-	modbcryptprimitives = syscall.NewLazyDLL(sysdll.Add("bcryptprimitives.dll"))
+-	modiphlpapi         = syscall.NewLazyDLL(sysdll.Add("iphlpapi.dll"))
+-	modkernel32         = syscall.NewLazyDLL(sysdll.Add("kernel32.dll"))
+-	modnetapi32         = syscall.NewLazyDLL(sysdll.Add("netapi32.dll"))
+-	modpsapi            = syscall.NewLazyDLL(sysdll.Add("psapi.dll"))
+-	moduserenv          = syscall.NewLazyDLL(sysdll.Add("userenv.dll"))
+-	modws2_32           = syscall.NewLazyDLL(sysdll.Add("ws2_32.dll"))
+	modadvapi32 = syscall.NewLazyDLL(sysdll.Add("advapi32.dll"))
+	modiphlpapi = syscall.NewLazyDLL(sysdll.Add("iphlpapi.dll"))
+	modkernel32 = syscall.NewLazyDLL(sysdll.Add("kernel32.dll"))
+	modnetapi32 = syscall.NewLazyDLL(sysdll.Add("netapi32.dll"))
+	modpsapi    = syscall.NewLazyDLL(sysdll.Add("psapi.dll"))
+	moduserenv  = syscall.NewLazyDLL(sysdll.Add("userenv.dll"))
+	modws2_32   = syscall.NewLazyDLL(sysdll.Add("ws2_32.dll"))
+ 
+ 	procAdjustTokenPrivileges             = modadvapi32.NewProc("AdjustTokenPrivileges")
+ 	procDuplicateTokenEx                  = modadvapi32.NewProc("DuplicateTokenEx")
+@@ -56,7 +55,7 @@
+ 	procQueryServiceStatus                = modadvapi32.NewProc("QueryServiceStatus")
+ 	procRevertToSelf                      = modadvapi32.NewProc("RevertToSelf")
+ 	procSetTokenInformation               = modadvapi32.NewProc("SetTokenInformation")
+-	procProcessPrng                       = modbcryptprimitives.NewProc("ProcessPrng")
+	procSystemFunction036                 = modadvapi32.NewProc("SystemFunction036")
+ 	procGetAdaptersAddresses              = modiphlpapi.NewProc("GetAdaptersAddresses")
+ 	procCreateEventW                      = modkernel32.NewProc("CreateEventW")
+ 	procGetACP                            = modkernel32.NewProc("GetACP")
+@@ -180,12 +179,12 @@
+ 	return
+ }
+ 
+-func ProcessPrng(buf []byte) (err error) {
+func RtlGenRandom(buf []byte) (err error) {
+ 	var _p0 *byte
+ 	if len(buf) > 0 {
+ 		_p0 = &buf[0]
+ 	}
+-	r1, _, e1 := syscall.Syscall(procProcessPrng.Addr(), 2, uintptr(unsafe.Pointer(_p0)), uintptr(len(buf)), 0)
+	r1, _, e1 := syscall.Syscall(procSystemFunction036.Addr(), 2, uintptr(unsafe.Pointer(_p0)), uintptr(len(buf)), 0)
+ 	if r1 == 0 {
+ 		err = errnoErr(e1)
+ 	}
+Index: src/runtime/os_windows.go
+IDEA additional info:
+Subsystem: com.intellij.openapi.diff.impl.patch.CharsetEP
+<+>UTF-8
+===================================================================
+diff --git a/src/runtime/os_windows.go b/src/runtime/os_windows.go
+--- a/src/runtime/os_windows.go	(revision cb4eee693c382bea4222f20837e26501d40ed892)
+++ b/src/runtime/os_windows.go	(revision 83ff9782e024cb328b690cbf0da4e7848a327f4f)
+@@ -40,8 +40,8 @@
+ //go:cgo_import_dynamic runtime._GetSystemInfo GetSystemInfo%1 "kernel32.dll"
+ //go:cgo_import_dynamic runtime._GetThreadContext GetThreadContext%2 "kernel32.dll"
+ //go:cgo_import_dynamic runtime._SetThreadContext SetThreadContext%2 "kernel32.dll"
+-//go:cgo_import_dynamic runtime._LoadLibraryExW LoadLibraryExW%3 "kernel32.dll"
+ //go:cgo_import_dynamic runtime._LoadLibraryW LoadLibraryW%1 "kernel32.dll"
+//go:cgo_import_dynamic runtime._LoadLibraryA LoadLibraryA%1 "kernel32.dll"
+ //go:cgo_import_dynamic runtime._PostQueuedCompletionStatus PostQueuedCompletionStatus%4 "kernel32.dll"
+ //go:cgo_import_dynamic runtime._QueryPerformanceCounter QueryPerformanceCounter%1 "kernel32.dll"
+ //go:cgo_import_dynamic runtime._RaiseFailFastException RaiseFailFastException%3 "kernel32.dll"
+@@ -74,7 +74,6 @@
+ 	// Following syscalls are available on every Windows PC.
+ 	// All these variables are set by the Windows executable
+ 	// loader before the Go program starts.
+-	_AddVectoredContinueHandler,
+ 	_AddVectoredExceptionHandler,
+ 	_CloseHandle,
+ 	_CreateEventA,
+@@ -98,8 +97,8 @@
+ 	_GetSystemInfo,
+ 	_GetThreadContext,
+ 	_SetThreadContext,
+-	_LoadLibraryExW,
+ 	_LoadLibraryW,
+	_LoadLibraryA,
+ 	_PostQueuedCompletionStatus,
+ 	_QueryPerformanceCounter,
+ 	_RaiseFailFastException,
+@@ -127,8 +126,23 @@
+ 	_WriteFile,
+ 	_ stdFunction
+ 
+-	// Use ProcessPrng to generate cryptographically random data.
+-	_ProcessPrng stdFunction
+	// Following syscalls are only available on some Windows PCs.
+	// We will load syscalls, if available, before using them.
+	_AddDllDirectory,
+	_AddVectoredContinueHandler,
+	_LoadLibraryExA,
+	_LoadLibraryExW,
+	_ stdFunction
+
+	// Use RtlGenRandom to generate cryptographically random data.
+	// This approach has been recommended by Microsoft (see issue
+	// 15589 for details).
+	// The RtlGenRandom is not listed in advapi32.dll, instead
+	// RtlGenRandom function can be found by searching for SystemFunction036.
+	// Also some versions of Mingw cannot link to SystemFunction036
+	// when building executable as Cgo. So load SystemFunction036
+	// manually during runtime startup.
+	_RtlGenRandom stdFunction
+ 
+ 	// Load ntdll.dll manually during startup, otherwise Mingw
+ 	// links wrong printf function to cgo executable (see issue
+@@ -143,14 +157,6 @@
+ 	_ stdFunction
+ )
+ 
+-var (
+-	bcryptprimitivesdll = [...]uint16{'b', 'c', 'r', 'y', 'p', 't', 'p', 'r', 'i', 'm', 'i', 't', 'i', 'v', 'e', 's', '.', 'd', 'l', 'l', 0}
+-	ntdlldll            = [...]uint16{'n', 't', 'd', 'l', 'l', '.', 'd', 'l', 'l', 0}
+-	powrprofdll         = [...]uint16{'p', 'o', 'w', 'r', 'p', 'r', 'o', 'f', '.', 'd', 'l', 'l', 0}
+-	winmmdll            = [...]uint16{'w', 'i', 'n', 'm', 'm', '.', 'd', 'l', 'l', 0}
+-	ws2_32dll           = [...]uint16{'w', 's', '2', '_', '3', '2', '.', 'd', 'l', 'l', 0}
+-)
+-
+ // Function to be called by windows CreateThread
+ // to start new os thread.
+ func tstart_stdcall(newm *m)
+@@ -239,25 +245,51 @@
+ 	return unsafe.String(&sysDirectory[0], sysDirectoryLen)
+ }
+ 
+-func windowsLoadSystemLib(name []uint16) uintptr {
+-	return stdcall3(_LoadLibraryExW, uintptr(unsafe.Pointer(&name[0])), 0, _LOAD_LIBRARY_SEARCH_SYSTEM32)
+//go:linkname syscall_getSystemDirectory syscall.getSystemDirectory
+func syscall_getSystemDirectory() string {
+	return unsafe.String(&sysDirectory[0], sysDirectoryLen)
+}
+
+func windowsLoadSystemLib(name []byte) uintptr {
+	if useLoadLibraryEx {
+		return stdcall3(_LoadLibraryExA, uintptr(unsafe.Pointer(&name[0])), 0, _LOAD_LIBRARY_SEARCH_SYSTEM32)
+	} else {
+		absName := append(sysDirectory[:sysDirectoryLen], name...)
+		return stdcall1(_LoadLibraryA, uintptr(unsafe.Pointer(&absName[0])))
+	}
+ }
+ 
+ func loadOptionalSyscalls() {
+-	bcryptPrimitives := windowsLoadSystemLib(bcryptprimitivesdll[:])
+-	if bcryptPrimitives == 0 {
+-		throw("bcryptprimitives.dll not found")
+	var kernel32dll = []byte("kernel32.dll\000")
+	k32 := stdcall1(_LoadLibraryA, uintptr(unsafe.Pointer(&kernel32dll[0])))
+	if k32 == 0 {
+		throw("kernel32.dll not found")
+ 	}
+-	_ProcessPrng = windowsFindfunc(bcryptPrimitives, []byte("ProcessPrng\000"))
+	_AddDllDirectory = windowsFindfunc(k32, []byte("AddDllDirectory\000"))
+	_AddVectoredContinueHandler = windowsFindfunc(k32, []byte("AddVectoredContinueHandler\000"))
+	_LoadLibraryExA = windowsFindfunc(k32, []byte("LoadLibraryExA\000"))
+	_LoadLibraryExW = windowsFindfunc(k32, []byte("LoadLibraryExW\000"))
+	useLoadLibraryEx = (_LoadLibraryExW != nil && _LoadLibraryExA != nil && _AddDllDirectory != nil)
+
+	initSysDirectory()
+ 
+-	n32 := windowsLoadSystemLib(ntdlldll[:])
+	var advapi32dll = []byte("advapi32.dll\000")
+	a32 := windowsLoadSystemLib(advapi32dll)
+	if a32 == 0 {
+		throw("advapi32.dll not found")
+	}
+	_RtlGenRandom = windowsFindfunc(a32, []byte("SystemFunction036\000"))
+
+	var ntdll = []byte("ntdll.dll\000")
+	n32 := windowsLoadSystemLib(ntdll)
+ 	if n32 == 0 {
+ 		throw("ntdll.dll not found")
+ 	}
+ 	_RtlGetCurrentPeb = windowsFindfunc(n32, []byte("RtlGetCurrentPeb\000"))
+ 	_RtlGetNtVersionNumbers = windowsFindfunc(n32, []byte("RtlGetNtVersionNumbers\000"))
+ 
+-	m32 := windowsLoadSystemLib(winmmdll[:])
+	var winmmdll = []byte("winmm.dll\000")
+	m32 := windowsLoadSystemLib(winmmdll)
+ 	if m32 == 0 {
+ 		throw("winmm.dll not found")
+ 	}
+@@ -267,7 +299,8 @@
+ 		throw("timeBegin/EndPeriod not found")
+ 	}
+ 
+-	ws232 := windowsLoadSystemLib(ws2_32dll[:])
+	var ws232dll = []byte("ws2_32.dll\000")
+	ws232 := windowsLoadSystemLib(ws232dll)
+ 	if ws232 == 0 {
+ 		throw("ws2_32.dll not found")
+ 	}
+@@ -286,7 +319,7 @@
+ 		context  uintptr
+ 	}
+ 
+-	powrprof := windowsLoadSystemLib(powrprofdll[:])
+	powrprof := windowsLoadSystemLib([]byte("powrprof.dll\000"))
+ 	if powrprof == 0 {
+ 		return // Running on Windows 7, where we don't need it anyway.
+ 	}
+@@ -360,6 +393,22 @@
+ // in sys_windows_386.s and sys_windows_amd64.s:
+ func getlasterror() uint32
+ 
+// When loading DLLs, we prefer to use LoadLibraryEx with
+// LOAD_LIBRARY_SEARCH_* flags, if available. LoadLibraryEx is not
+// available on old Windows, though, and the LOAD_LIBRARY_SEARCH_*
+// flags are not available on some versions of Windows without a
+// security patch.
+//
+// https://msdn.microsoft.com/en-us/library/ms684179(v=vs.85).aspx says:
+// "Windows 7, Windows Server 2008 R2, Windows Vista, and Windows
+// Server 2008: The LOAD_LIBRARY_SEARCH_* flags are available on
+// systems that have KB2533623 installed. To determine whether the
+// flags are available, use GetProcAddress to get the address of the
+// AddDllDirectory, RemoveDllDirectory, or SetDefaultDllDirectories
+// function. If GetProcAddress succeeds, the LOAD_LIBRARY_SEARCH_*
+// flags can be used with LoadLibraryEx."
+var useLoadLibraryEx bool
+
+ var timeBeginPeriodRetValue uint32
+ 
+ // osRelaxMinNS indicates that sysmon shouldn't osRelax if the next
+@@ -507,7 +556,6 @@
+ 	initHighResTimer()
+ 	timeBeginPeriodRetValue = osRelax(false)
+ 
+-	initSysDirectory()
+ 	initLongPathSupport()
+ 
+ 	ncpu = getproccount()
+@@ -524,7 +572,7 @@
+ //go:nosplit
+ func readRandom(r []byte) int {
+ 	n := 0
+-	if stdcall2(_ProcessPrng, uintptr(unsafe.Pointer(&r[0])), uintptr(len(r)))&0xff != 0 {
+	if stdcall2(_RtlGenRandom, uintptr(unsafe.Pointer(&r[0])), uintptr(len(r)))&0xff != 0 {
+ 		n = len(r)
+ 	}
+ 	return n
+Index: src/net/hook_windows.go
+IDEA additional info:
+Subsystem: com.intellij.openapi.diff.impl.patch.CharsetEP
+<+>UTF-8
+===================================================================
+diff --git a/src/net/hook_windows.go b/src/net/hook_windows.go
+--- a/src/net/hook_windows.go	(revision 9779155f18b6556a034f7bb79fb7fb2aad1e26a9)
+++ b/src/net/hook_windows.go	(revision ef0606261340e608017860b423ffae5c1ce78239)
+@@ -13,6 +13,7 @@
+ 	hostsFilePath = windows.GetSystemDirectory() + "/Drivers/etc/hosts"
+ 
+ 	// Placeholders for socket system calls.
+	socketFunc    func(int, int, int) (syscall.Handle, error)                                                 = syscall.Socket
+ 	wsaSocketFunc func(int32, int32, int32, *syscall.WSAProtocolInfo, uint32, uint32) (syscall.Handle, error) = windows.WSASocket
+ 	connectFunc   func(syscall.Handle, syscall.Sockaddr) error                                                = syscall.Connect
+ 	listenFunc    func(syscall.Handle, int) error                                                             = syscall.Listen
+Index: src/net/internal/socktest/main_test.go
+IDEA additional info:
+Subsystem: com.intellij.openapi.diff.impl.patch.CharsetEP
+<+>UTF-8
+===================================================================
+diff --git a/src/net/internal/socktest/main_test.go b/src/net/internal/socktest/main_test.go
+--- a/src/net/internal/socktest/main_test.go	(revision 9779155f18b6556a034f7bb79fb7fb2aad1e26a9)
+++ b/src/net/internal/socktest/main_test.go	(revision ef0606261340e608017860b423ffae5c1ce78239)
+@@ -2,7 +2,7 @@
+ // Use of this source code is governed by a BSD-style
+ // license that can be found in the LICENSE file.
+ 
+-//go:build !js && !plan9 && !wasip1 && !windows
+//go:build !js && !plan9 && !wasip1
+ 
+ package socktest_test
+ 
+Index: src/net/internal/socktest/main_windows_test.go
+IDEA additional info:
+Subsystem: com.intellij.openapi.diff.impl.patch.CharsetEP
+<+>UTF-8
+===================================================================
+diff --git a/src/net/internal/socktest/main_windows_test.go b/src/net/internal/socktest/main_windows_test.go
+new file mode 100644
+--- /dev/null	(revision ef0606261340e608017860b423ffae5c1ce78239)
+++ b/src/net/internal/socktest/main_windows_test.go	(revision ef0606261340e608017860b423ffae5c1ce78239)
+@@ -0,0 +1,22 @@
+// Copyright 2015 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+package socktest_test
+
+import "syscall"
+
+var (
+	socketFunc func(int, int, int) (syscall.Handle, error)
+	closeFunc  func(syscall.Handle) error
+)
+
+func installTestHooks() {
+	socketFunc = sw.Socket
+	closeFunc = sw.Closesocket
+}
+
+func uninstallTestHooks() {
+	socketFunc = syscall.Socket
+	closeFunc = syscall.Closesocket
+}
+Index: src/net/internal/socktest/sys_windows.go
+IDEA additional info:
+Subsystem: com.intellij.openapi.diff.impl.patch.CharsetEP
+<+>UTF-8
+===================================================================
+diff --git a/src/net/internal/socktest/sys_windows.go b/src/net/internal/socktest/sys_windows.go
+--- a/src/net/internal/socktest/sys_windows.go	(revision 9779155f18b6556a034f7bb79fb7fb2aad1e26a9)
+++ b/src/net/internal/socktest/sys_windows.go	(revision ef0606261340e608017860b423ffae5c1ce78239)
+@@ -9,6 +9,38 @@
+ 	"syscall"
+ )
+ 
+// Socket wraps [syscall.Socket].
+func (sw *Switch) Socket(family, sotype, proto int) (s syscall.Handle, err error) {
+	sw.once.Do(sw.init)
+
+	so := &Status{Cookie: cookie(family, sotype, proto)}
+	sw.fmu.RLock()
+	f, _ := sw.fltab[FilterSocket]
+	sw.fmu.RUnlock()
+
+	af, err := f.apply(so)
+	if err != nil {
+		return syscall.InvalidHandle, err
+	}
+	s, so.Err = syscall.Socket(family, sotype, proto)
+	if err = af.apply(so); err != nil {
+		if so.Err == nil {
+			syscall.Closesocket(s)
+		}
+		return syscall.InvalidHandle, err
+	}
+
+	sw.smu.Lock()
+	defer sw.smu.Unlock()
+	if so.Err != nil {
+		sw.stats.getLocked(so.Cookie).OpenFailed++
+		return syscall.InvalidHandle, so.Err
+	}
+	nso := sw.addLocked(s, family, sotype, proto)
+	sw.stats.getLocked(nso.Cookie).Opened++
+	return s, nil
+}
+
+ // WSASocket wraps [syscall.WSASocket].
+ func (sw *Switch) WSASocket(family, sotype, proto int32, protinfo *syscall.WSAProtocolInfo, group uint32, flags uint32) (s syscall.Handle, err error) {
+ 	sw.once.Do(sw.init)
+Index: src/net/main_windows_test.go
+IDEA additional info:
+Subsystem: com.intellij.openapi.diff.impl.patch.CharsetEP
+<+>UTF-8
+===================================================================
+diff --git a/src/net/main_windows_test.go b/src/net/main_windows_test.go
+--- a/src/net/main_windows_test.go	(revision 9779155f18b6556a034f7bb79fb7fb2aad1e26a9)
+++ b/src/net/main_windows_test.go	(revision ef0606261340e608017860b423ffae5c1ce78239)
+@@ -8,6 +8,7 @@
+ 
+ var (
+ 	// Placeholders for saving original socket system calls.
+	origSocket      = socketFunc
+ 	origWSASocket   = wsaSocketFunc
+ 	origClosesocket = poll.CloseFunc
+ 	origConnect     = connectFunc
+@@ -17,6 +18,7 @@
+ )
+ 
+ func installTestHooks() {
+	socketFunc = sw.Socket
+ 	wsaSocketFunc = sw.WSASocket
+ 	poll.CloseFunc = sw.Closesocket
+ 	connectFunc = sw.Connect
+@@ -26,6 +28,7 @@
+ }
+ 
+ func uninstallTestHooks() {
+	socketFunc = origSocket
+ 	wsaSocketFunc = origWSASocket
+ 	poll.CloseFunc = origClosesocket
+ 	connectFunc = origConnect
+Index: src/net/sock_windows.go
+IDEA additional info:
+Subsystem: com.intellij.openapi.diff.impl.patch.CharsetEP
+<+>UTF-8
+===================================================================
+diff --git a/src/net/sock_windows.go b/src/net/sock_windows.go
+--- a/src/net/sock_windows.go	(revision 9779155f18b6556a034f7bb79fb7fb2aad1e26a9)
+++ b/src/net/sock_windows.go	(revision ef0606261340e608017860b423ffae5c1ce78239)
+@@ -20,6 +20,21 @@
+ func sysSocket(family, sotype, proto int) (syscall.Handle, error) {
+ 	s, err := wsaSocketFunc(int32(family), int32(sotype), int32(proto),
+ 		nil, 0, windows.WSA_FLAG_OVERLAPPED|windows.WSA_FLAG_NO_HANDLE_INHERIT)
+	if err == nil {
+		return s, nil
+	}
+	// WSA_FLAG_NO_HANDLE_INHERIT flag is not supported on some
+	// old versions of Windows, see
+	// https://msdn.microsoft.com/en-us/library/windows/desktop/ms742212(v=vs.85).aspx
+	// for details. Just use syscall.Socket, if windows.WSASocket failed.
+
+	// See ../syscall/exec_unix.go for description of ForkLock.
+	syscall.ForkLock.RLock()
+	s, err = socketFunc(family, sotype, proto)
+	if err == nil {
+		syscall.CloseOnExec(s)
+	}
+	syscall.ForkLock.RUnlock()
+ 	if err != nil {
+ 		return syscall.InvalidHandle, os.NewSyscallError("socket", err)
+ 	}
+Index: src/syscall/exec_windows.go
+IDEA additional info:
+Subsystem: com.intellij.openapi.diff.impl.patch.CharsetEP
+<+>UTF-8
+===================================================================
+diff --git a/src/syscall/exec_windows.go b/src/syscall/exec_windows.go
+--- a/src/syscall/exec_windows.go	(revision 9779155f18b6556a034f7bb79fb7fb2aad1e26a9)
+++ b/src/syscall/exec_windows.go	(revision 7f83badcb925a7e743188041cb6e561fc9b5b642)
+@@ -14,7 +14,6 @@
+ 	"unsafe"
+ )
+ 
+-// ForkLock is not used on Windows.
+ var ForkLock sync.RWMutex
+ 
+ // EscapeArg rewrites command line argument s as prescribed
+@@ -317,6 +316,17 @@
+ 		}
+ 	}
+ 
+	var maj, min, build uint32
+	rtlGetNtVersionNumbers(&maj, &min, &build)
+	isWin7 := maj < 6 || (maj == 6 && min <= 1)
+	// NT kernel handles are divisible by 4, with the bottom 3 bits left as
+	// a tag. The fully set tag correlates with the types of handles we're
+	// concerned about here.  Except, the kernel will interpret some
+	// special handle values, like -1, -2, and so forth, so kernelbase.dll
+	// checks to see that those bottom three bits are checked, but that top
+	// bit is not checked.
+	isLegacyWin7ConsoleHandle := func(handle Handle) bool { return isWin7 && handle&0x10000003 == 3 }
+
+ 	p, _ := GetCurrentProcess()
+ 	parentProcess := p
+ 	if sys.ParentProcess != 0 {
+@@ -325,7 +335,15 @@
+ 	fd := make([]Handle, len(attr.Files))
+ 	for i := range attr.Files {
+ 		if attr.Files[i] > 0 {
+-			err := DuplicateHandle(p, Handle(attr.Files[i]), parentProcess, &fd[i], 0, true, DUPLICATE_SAME_ACCESS)
+			destinationProcessHandle := parentProcess
+
+			// On Windows 7, console handles aren't real handles, and can only be duplicated
+			// into the current process, not a parent one, which amounts to the same thing.
+			if parentProcess != p && isLegacyWin7ConsoleHandle(Handle(attr.Files[i])) {
+				destinationProcessHandle = p
+			}
+
+			err := DuplicateHandle(p, Handle(attr.Files[i]), destinationProcessHandle, &fd[i], 0, true, DUPLICATE_SAME_ACCESS)
+ 			if err != nil {
+ 				return 0, 0, err
+ 			}
+@@ -356,6 +374,14 @@
+ 
+ 	fd = append(fd, sys.AdditionalInheritedHandles...)
+ 
+	// On Windows 7, console handles aren't real handles, so don't pass them
+	// through to PROC_THREAD_ATTRIBUTE_HANDLE_LIST.
+	for i := range fd {
+		if isLegacyWin7ConsoleHandle(fd[i]) {
+			fd[i] = 0
+		}
+	}
+
+ 	// The presence of a NULL handle in the list is enough to cause PROC_THREAD_ATTRIBUTE_HANDLE_LIST
+ 	// to treat the entire list as empty, so remove NULL handles.
+ 	j := 0
+Index: src/runtime/syscall_windows.go
+IDEA additional info:
+Subsystem: com.intellij.openapi.diff.impl.patch.CharsetEP
+<+>UTF-8
+===================================================================
+diff --git a/src/runtime/syscall_windows.go b/src/runtime/syscall_windows.go
+--- a/src/runtime/syscall_windows.go	(revision 7f83badcb925a7e743188041cb6e561fc9b5b642)
+++ b/src/runtime/syscall_windows.go	(revision 83ff9782e024cb328b690cbf0da4e7848a327f4f)
+@@ -413,23 +413,36 @@
+ 
+ const _LOAD_LIBRARY_SEARCH_SYSTEM32 = 0x00000800
+ 
+// When available, this function will use LoadLibraryEx with the filename
+// parameter and the important SEARCH_SYSTEM32 argument. But on systems that
+// do not have that option, absoluteFilepath should contain a fallback
+// to the full path inside of system32 for use with vanilla LoadLibrary.
+//
+ //go:linkname syscall_loadsystemlibrary syscall.loadsystemlibrary
+ //go:nosplit
+ //go:cgo_unsafe_args
+-func syscall_loadsystemlibrary(filename *uint16) (handle, err uintptr) {
+func syscall_loadsystemlibrary(filename *uint16, absoluteFilepath *uint16) (handle, err uintptr) {
+ 	lockOSThread()
+ 	c := &getg().m.syscall
+-	c.fn = getLoadLibraryEx()
+-	c.n = 3
+-	args := struct {
+-		lpFileName *uint16
+-		hFile      uintptr // always 0
+-		flags      uint32
+-	}{filename, 0, _LOAD_LIBRARY_SEARCH_SYSTEM32}
+-	c.args = uintptr(noescape(unsafe.Pointer(&args)))
+
+	if useLoadLibraryEx {
+		c.fn = getLoadLibraryEx()
+		c.n = 3
+		args := struct {
+			lpFileName *uint16
+			hFile      uintptr // always 0
+			flags      uint32
+		}{filename, 0, _LOAD_LIBRARY_SEARCH_SYSTEM32}
+		c.args = uintptr(noescape(unsafe.Pointer(&args)))
+	} else {
+		c.fn = getLoadLibrary()
+		c.n = 1
+		c.args = uintptr(noescape(unsafe.Pointer(&absoluteFilepath)))
+	}
+ 
+ 	cgocall(asmstdcallAddr, unsafe.Pointer(c))
+ 	KeepAlive(filename)
+	KeepAlive(absoluteFilepath)
+ 	handle = c.r1
+ 	if handle == 0 {
+ 		err = c.err
+Index: src/syscall/dll_windows.go
+IDEA additional info:
+Subsystem: com.intellij.openapi.diff.impl.patch.CharsetEP
+<+>UTF-8
+===================================================================
+diff --git a/src/syscall/dll_windows.go b/src/syscall/dll_windows.go
+--- a/src/syscall/dll_windows.go	(revision 7f83badcb925a7e743188041cb6e561fc9b5b642)
+++ b/src/syscall/dll_windows.go	(revision 83ff9782e024cb328b690cbf0da4e7848a327f4f)
+@@ -44,7 +44,7 @@
+ 
+ func SyscallN(trap uintptr, args ...uintptr) (r1, r2 uintptr, err Errno)
+ func loadlibrary(filename *uint16) (handle uintptr, err Errno)
+-func loadsystemlibrary(filename *uint16) (handle uintptr, err Errno)
+func loadsystemlibrary(filename *uint16, absoluteFilepath *uint16) (handle uintptr, err Errno)
+ func getprocaddress(handle uintptr, procname *uint8) (proc uintptr, err Errno)
+ 
+ // A DLL implements access to a single DLL.
+@@ -53,6 +53,9 @@
+ 	Handle Handle
+ }
+ 
+//go:linkname getSystemDirectory
+func getSystemDirectory() string // Implemented in runtime package.
+
+ // LoadDLL loads the named DLL file into memory.
+ //
+ // If name is not an absolute path and is not a known system DLL used by
+@@ -69,7 +72,11 @@
+ 	var h uintptr
+ 	var e Errno
+ 	if sysdll.IsSystemDLL[name] {
+-		h, e = loadsystemlibrary(namep)
+		absoluteFilepathp, err := UTF16PtrFromString(getSystemDirectory() + name)
+		if err != nil {
+			return nil, err
+		}
+		h, e = loadsystemlibrary(namep, absoluteFilepathp)
+ 	} else {
+ 		h, e = loadlibrary(namep)
+ 	}
--- a/.github/patch/go1.23.patch
+++ b/.github/patch/go1.23.patch
@@ -0,0 +1,643 @@
+Subject: [PATCH] Revert "runtime: always use LoadLibraryEx to load system libraries"
+Revert "syscall: remove Windows 7 console handle workaround"
+Revert "net: remove sysSocket fallback for Windows 7"
+Revert "crypto/rand,runtime: switch RtlGenRandom for ProcessPrng"
+---
+Index: src/crypto/rand/rand.go
+IDEA additional info:
+Subsystem: com.intellij.openapi.diff.impl.patch.CharsetEP
+<+>UTF-8
+===================================================================
+diff --git a/src/crypto/rand/rand.go b/src/crypto/rand/rand.go
+--- a/src/crypto/rand/rand.go	(revision 6885bad7dd86880be6929c02085e5c7a67ff2887)
+++ b/src/crypto/rand/rand.go	(revision 9ac42137ef6730e8b7daca016ece831297a1d75b)
+@@ -16,7 +16,7 @@
+ //   - On macOS and iOS, Reader uses arc4random_buf(3).
+ //   - On OpenBSD and NetBSD, Reader uses getentropy(2).
+ //   - On other Unix-like systems, Reader reads from /dev/urandom.
+-//   - On Windows, Reader uses the ProcessPrng API.
+//   - On Windows systems, Reader uses the RtlGenRandom API.
+ //   - On js/wasm, Reader uses the Web Crypto API.
+ //   - On wasip1/wasm, Reader uses random_get from wasi_snapshot_preview1.
+ var Reader io.Reader
+Index: src/crypto/rand/rand_windows.go
+IDEA additional info:
+Subsystem: com.intellij.openapi.diff.impl.patch.CharsetEP
+<+>UTF-8
+===================================================================
+diff --git a/src/crypto/rand/rand_windows.go b/src/crypto/rand/rand_windows.go
+--- a/src/crypto/rand/rand_windows.go	(revision 6885bad7dd86880be6929c02085e5c7a67ff2887)
+++ b/src/crypto/rand/rand_windows.go	(revision 9ac42137ef6730e8b7daca016ece831297a1d75b)
+@@ -15,8 +15,11 @@
+ 
+ type rngReader struct{}
+ 
+-func (r *rngReader) Read(b []byte) (int, error) {
+-	if err := windows.ProcessPrng(b); err != nil {
+func (r *rngReader) Read(b []byte) (n int, err error) {
+	// RtlGenRandom only returns 1<<32-1 bytes at a time. We only read at
+	// most 1<<31-1 bytes at a time so that  this works the same on 32-bit
+	// and 64-bit systems.
+	if err := batched(windows.RtlGenRandom, 1<<31-1)(b); err != nil {
+ 		return 0, err
+ 	}
+ 	return len(b), nil
+Index: src/internal/syscall/windows/syscall_windows.go
+IDEA additional info:
+Subsystem: com.intellij.openapi.diff.impl.patch.CharsetEP
+<+>UTF-8
+===================================================================
+diff --git a/src/internal/syscall/windows/syscall_windows.go b/src/internal/syscall/windows/syscall_windows.go
+--- a/src/internal/syscall/windows/syscall_windows.go	(revision 6885bad7dd86880be6929c02085e5c7a67ff2887)
+++ b/src/internal/syscall/windows/syscall_windows.go	(revision 9ac42137ef6730e8b7daca016ece831297a1d75b)
+@@ -414,7 +414,7 @@
+ //sys	DestroyEnvironmentBlock(block *uint16) (err error) = userenv.DestroyEnvironmentBlock
+ //sys	CreateEvent(eventAttrs *SecurityAttributes, manualReset uint32, initialState uint32, name *uint16) (handle syscall.Handle, err error) = kernel32.CreateEventW
+ 
+-//sys	ProcessPrng(buf []byte) (err error) = bcryptprimitives.ProcessPrng
+//sys	RtlGenRandom(buf []byte) (err error) = advapi32.SystemFunction036
+ 
+ type FILE_ID_BOTH_DIR_INFO struct {
+ 	NextEntryOffset uint32
+Index: src/internal/syscall/windows/zsyscall_windows.go
+IDEA additional info:
+Subsystem: com.intellij.openapi.diff.impl.patch.CharsetEP
+<+>UTF-8
+===================================================================
+diff --git a/src/internal/syscall/windows/zsyscall_windows.go b/src/internal/syscall/windows/zsyscall_windows.go
+--- a/src/internal/syscall/windows/zsyscall_windows.go	(revision 6885bad7dd86880be6929c02085e5c7a67ff2887)
+++ b/src/internal/syscall/windows/zsyscall_windows.go	(revision 9ac42137ef6730e8b7daca016ece831297a1d75b)
+@@ -38,7 +38,6 @@
+ 
+ var (
+ 	modadvapi32         = syscall.NewLazyDLL(sysdll.Add("advapi32.dll"))
+-	modbcryptprimitives = syscall.NewLazyDLL(sysdll.Add("bcryptprimitives.dll"))
+ 	modiphlpapi         = syscall.NewLazyDLL(sysdll.Add("iphlpapi.dll"))
+ 	modkernel32         = syscall.NewLazyDLL(sysdll.Add("kernel32.dll"))
+ 	modnetapi32         = syscall.NewLazyDLL(sysdll.Add("netapi32.dll"))
+@@ -57,7 +56,7 @@
+ 	procQueryServiceStatus                = modadvapi32.NewProc("QueryServiceStatus")
+ 	procRevertToSelf                      = modadvapi32.NewProc("RevertToSelf")
+ 	procSetTokenInformation               = modadvapi32.NewProc("SetTokenInformation")
+-	procProcessPrng                       = modbcryptprimitives.NewProc("ProcessPrng")
+	procSystemFunction036                 = modadvapi32.NewProc("SystemFunction036")
+ 	procGetAdaptersAddresses              = modiphlpapi.NewProc("GetAdaptersAddresses")
+ 	procCreateEventW                      = modkernel32.NewProc("CreateEventW")
+ 	procGetACP                            = modkernel32.NewProc("GetACP")
+@@ -183,12 +182,12 @@
+ 	return
+ }
+ 
+-func ProcessPrng(buf []byte) (err error) {
+func RtlGenRandom(buf []byte) (err error) {
+ 	var _p0 *byte
+ 	if len(buf) > 0 {
+ 		_p0 = &buf[0]
+ 	}
+-	r1, _, e1 := syscall.Syscall(procProcessPrng.Addr(), 2, uintptr(unsafe.Pointer(_p0)), uintptr(len(buf)), 0)
+	r1, _, e1 := syscall.Syscall(procSystemFunction036.Addr(), 2, uintptr(unsafe.Pointer(_p0)), uintptr(len(buf)), 0)
+ 	if r1 == 0 {
+ 		err = errnoErr(e1)
+ 	}
+Index: src/runtime/os_windows.go
+IDEA additional info:
+Subsystem: com.intellij.openapi.diff.impl.patch.CharsetEP
+<+>UTF-8
+===================================================================
+diff --git a/src/runtime/os_windows.go b/src/runtime/os_windows.go
+--- a/src/runtime/os_windows.go	(revision 6885bad7dd86880be6929c02085e5c7a67ff2887)
+++ b/src/runtime/os_windows.go	(revision 69e2eed6dd0f6d815ebf15797761c13f31213dd6)
+@@ -39,8 +39,8 @@
+ //go:cgo_import_dynamic runtime._GetSystemInfo GetSystemInfo%1 "kernel32.dll"
+ //go:cgo_import_dynamic runtime._GetThreadContext GetThreadContext%2 "kernel32.dll"
+ //go:cgo_import_dynamic runtime._SetThreadContext SetThreadContext%2 "kernel32.dll"
+-//go:cgo_import_dynamic runtime._LoadLibraryExW LoadLibraryExW%3 "kernel32.dll"
+ //go:cgo_import_dynamic runtime._LoadLibraryW LoadLibraryW%1 "kernel32.dll"
+//go:cgo_import_dynamic runtime._LoadLibraryA LoadLibraryA%1 "kernel32.dll"
+ //go:cgo_import_dynamic runtime._PostQueuedCompletionStatus PostQueuedCompletionStatus%4 "kernel32.dll"
+ //go:cgo_import_dynamic runtime._QueryPerformanceCounter QueryPerformanceCounter%1 "kernel32.dll"
+ //go:cgo_import_dynamic runtime._QueryPerformanceFrequency QueryPerformanceFrequency%1 "kernel32.dll"
+@@ -74,7 +74,6 @@
+ 	// Following syscalls are available on every Windows PC.
+ 	// All these variables are set by the Windows executable
+ 	// loader before the Go program starts.
+-	_AddVectoredContinueHandler,
+ 	_AddVectoredExceptionHandler,
+ 	_CloseHandle,
+ 	_CreateEventA,
+@@ -97,8 +96,8 @@
+ 	_GetSystemInfo,
+ 	_GetThreadContext,
+ 	_SetThreadContext,
+-	_LoadLibraryExW,
+ 	_LoadLibraryW,
+	_LoadLibraryA,
+ 	_PostQueuedCompletionStatus,
+ 	_QueryPerformanceCounter,
+ 	_QueryPerformanceFrequency,
+@@ -127,8 +126,23 @@
+ 	_WriteFile,
+ 	_ stdFunction
+ 
+-	// Use ProcessPrng to generate cryptographically random data.
+-	_ProcessPrng stdFunction
+	// Following syscalls are only available on some Windows PCs.
+	// We will load syscalls, if available, before using them.
+	_AddDllDirectory,
+	_AddVectoredContinueHandler,
+	_LoadLibraryExA,
+	_LoadLibraryExW,
+	_ stdFunction
+
+	// Use RtlGenRandom to generate cryptographically random data.
+	// This approach has been recommended by Microsoft (see issue
+	// 15589 for details).
+	// The RtlGenRandom is not listed in advapi32.dll, instead
+	// RtlGenRandom function can be found by searching for SystemFunction036.
+	// Also some versions of Mingw cannot link to SystemFunction036
+	// when building executable as Cgo. So load SystemFunction036
+	// manually during runtime startup.
+	_RtlGenRandom stdFunction
+ 
+ 	// Load ntdll.dll manually during startup, otherwise Mingw
+ 	// links wrong printf function to cgo executable (see issue
+@@ -145,13 +159,6 @@
+ 	_ stdFunction
+ )
+ 
+-var (
+-	bcryptprimitivesdll = [...]uint16{'b', 'c', 'r', 'y', 'p', 't', 'p', 'r', 'i', 'm', 'i', 't', 'i', 'v', 'e', 's', '.', 'd', 'l', 'l', 0}
+-	ntdlldll            = [...]uint16{'n', 't', 'd', 'l', 'l', '.', 'd', 'l', 'l', 0}
+-	powrprofdll         = [...]uint16{'p', 'o', 'w', 'r', 'p', 'r', 'o', 'f', '.', 'd', 'l', 'l', 0}
+-	winmmdll            = [...]uint16{'w', 'i', 'n', 'm', 'm', '.', 'd', 'l', 'l', 0}
+-)
+-
+ // Function to be called by windows CreateThread
+ // to start new os thread.
+ func tstart_stdcall(newm *m)
+@@ -244,8 +251,18 @@
+ 	return unsafe.String(&sysDirectory[0], sysDirectoryLen)
+ }
+ 
+-func windowsLoadSystemLib(name []uint16) uintptr {
+-	return stdcall3(_LoadLibraryExW, uintptr(unsafe.Pointer(&name[0])), 0, _LOAD_LIBRARY_SEARCH_SYSTEM32)
+//go:linkname syscall_getSystemDirectory syscall.getSystemDirectory
+func syscall_getSystemDirectory() string {
+	return unsafe.String(&sysDirectory[0], sysDirectoryLen)
+}
+
+func windowsLoadSystemLib(name []byte) uintptr {
+	if useLoadLibraryEx {
+		return stdcall3(_LoadLibraryExA, uintptr(unsafe.Pointer(&name[0])), 0, _LOAD_LIBRARY_SEARCH_SYSTEM32)
+	} else {
+		absName := append(sysDirectory[:sysDirectoryLen], name...)
+		return stdcall1(_LoadLibraryA, uintptr(unsafe.Pointer(&absName[0])))
+	}
+ }
+ 
+ //go:linkname windows_QueryPerformanceCounter internal/syscall/windows.QueryPerformanceCounter
+@@ -263,13 +280,28 @@
+ }
+ 
+ func loadOptionalSyscalls() {
+-	bcryptPrimitives := windowsLoadSystemLib(bcryptprimitivesdll[:])
+-	if bcryptPrimitives == 0 {
+-		throw("bcryptprimitives.dll not found")
+	var kernel32dll = []byte("kernel32.dll\000")
+	k32 := stdcall1(_LoadLibraryA, uintptr(unsafe.Pointer(&kernel32dll[0])))
+	if k32 == 0 {
+		throw("kernel32.dll not found")
+ 	}
+-	_ProcessPrng = windowsFindfunc(bcryptPrimitives, []byte("ProcessPrng\000"))
+	_AddDllDirectory = windowsFindfunc(k32, []byte("AddDllDirectory\000"))
+	_AddVectoredContinueHandler = windowsFindfunc(k32, []byte("AddVectoredContinueHandler\000"))
+	_LoadLibraryExA = windowsFindfunc(k32, []byte("LoadLibraryExA\000"))
+	_LoadLibraryExW = windowsFindfunc(k32, []byte("LoadLibraryExW\000"))
+	useLoadLibraryEx = (_LoadLibraryExW != nil && _LoadLibraryExA != nil && _AddDllDirectory != nil)
+
+	initSysDirectory()
+ 
+-	n32 := windowsLoadSystemLib(ntdlldll[:])
+	var advapi32dll = []byte("advapi32.dll\000")
+	a32 := windowsLoadSystemLib(advapi32dll)
+	if a32 == 0 {
+		throw("advapi32.dll not found")
+	}
+	_RtlGenRandom = windowsFindfunc(a32, []byte("SystemFunction036\000"))
+
+	var ntdll = []byte("ntdll.dll\000")
+	n32 := windowsLoadSystemLib(ntdll)
+ 	if n32 == 0 {
+ 		throw("ntdll.dll not found")
+ 	}
+@@ -298,7 +330,7 @@
+ 		context  uintptr
+ 	}
+ 
+-	powrprof := windowsLoadSystemLib(powrprofdll[:])
+	powrprof := windowsLoadSystemLib([]byte("powrprof.dll\000"))
+ 	if powrprof == 0 {
+ 		return // Running on Windows 7, where we don't need it anyway.
+ 	}
+@@ -357,6 +389,22 @@
+ // in sys_windows_386.s and sys_windows_amd64.s:
+ func getlasterror() uint32
+ 
+// When loading DLLs, we prefer to use LoadLibraryEx with
+// LOAD_LIBRARY_SEARCH_* flags, if available. LoadLibraryEx is not
+// available on old Windows, though, and the LOAD_LIBRARY_SEARCH_*
+// flags are not available on some versions of Windows without a
+// security patch.
+//
+// https://msdn.microsoft.com/en-us/library/ms684179(v=vs.85).aspx says:
+// "Windows 7, Windows Server 2008 R2, Windows Vista, and Windows
+// Server 2008: The LOAD_LIBRARY_SEARCH_* flags are available on
+// systems that have KB2533623 installed. To determine whether the
+// flags are available, use GetProcAddress to get the address of the
+// AddDllDirectory, RemoveDllDirectory, or SetDefaultDllDirectories
+// function. If GetProcAddress succeeds, the LOAD_LIBRARY_SEARCH_*
+// flags can be used with LoadLibraryEx."
+var useLoadLibraryEx bool
+
+ var timeBeginPeriodRetValue uint32
+ 
+ // osRelaxMinNS indicates that sysmon shouldn't osRelax if the next
+@@ -430,7 +478,8 @@
+ 		// Only load winmm.dll if we need it.
+ 		// This avoids a dependency on winmm.dll for Go programs
+ 		// that run on new Windows versions.
+-		m32 := windowsLoadSystemLib(winmmdll[:])
+		var winmmdll = []byte("winmm.dll\000")
+		m32 := windowsLoadSystemLib(winmmdll)
+ 		if m32 == 0 {
+ 			print("runtime: LoadLibraryExW failed; errno=", getlasterror(), "\n")
+ 			throw("winmm.dll not found")
+@@ -471,6 +520,28 @@
+ 	canUseLongPaths = true
+ }
+ 
+var osVersionInfo struct {
+	majorVersion uint32
+	minorVersion uint32
+	buildNumber  uint32
+}
+
+func initOsVersionInfo() {
+	info := _OSVERSIONINFOW{}
+	info.osVersionInfoSize = uint32(unsafe.Sizeof(info))
+	stdcall1(_RtlGetVersion, uintptr(unsafe.Pointer(&info)))
+	osVersionInfo.majorVersion = info.majorVersion
+	osVersionInfo.minorVersion = info.minorVersion
+	osVersionInfo.buildNumber = info.buildNumber
+}
+
+//go:linkname rtlGetNtVersionNumbers syscall.rtlGetNtVersionNumbers
+func rtlGetNtVersionNumbers(majorVersion *uint32, minorVersion *uint32, buildNumber *uint32) {
+	*majorVersion = osVersionInfo.majorVersion
+	*minorVersion = osVersionInfo.minorVersion
+	*buildNumber = osVersionInfo.buildNumber
+}
+
+ func osinit() {
+ 	asmstdcallAddr = unsafe.Pointer(abi.FuncPCABI0(asmstdcall))
+ 
+@@ -483,8 +554,8 @@
+ 	initHighResTimer()
+ 	timeBeginPeriodRetValue = osRelax(false)
+ 
+-	initSysDirectory()
+ 	initLongPathSupport()
+	initOsVersionInfo()
+ 
+ 	ncpu = getproccount()
+ 
+@@ -500,7 +571,7 @@
+ //go:nosplit
+ func readRandom(r []byte) int {
+ 	n := 0
+-	if stdcall2(_ProcessPrng, uintptr(unsafe.Pointer(&r[0])), uintptr(len(r)))&0xff != 0 {
+	if stdcall2(_RtlGenRandom, uintptr(unsafe.Pointer(&r[0])), uintptr(len(r)))&0xff != 0 {
+ 		n = len(r)
+ 	}
+ 	return n
+Index: src/net/hook_windows.go
+IDEA additional info:
+Subsystem: com.intellij.openapi.diff.impl.patch.CharsetEP
+<+>UTF-8
+===================================================================
+diff --git a/src/net/hook_windows.go b/src/net/hook_windows.go
+--- a/src/net/hook_windows.go	(revision 9ac42137ef6730e8b7daca016ece831297a1d75b)
+++ b/src/net/hook_windows.go	(revision 21290de8a4c91408de7c2b5b68757b1e90af49dd)
+@@ -13,6 +13,7 @@
+ 	hostsFilePath = windows.GetSystemDirectory() + "/Drivers/etc/hosts"
+ 
+ 	// Placeholders for socket system calls.
+	socketFunc    func(int, int, int) (syscall.Handle, error)                                                 = syscall.Socket
+ 	wsaSocketFunc func(int32, int32, int32, *syscall.WSAProtocolInfo, uint32, uint32) (syscall.Handle, error) = windows.WSASocket
+ 	connectFunc   func(syscall.Handle, syscall.Sockaddr) error                                                = syscall.Connect
+ 	listenFunc    func(syscall.Handle, int) error                                                             = syscall.Listen
+Index: src/net/internal/socktest/main_test.go
+IDEA additional info:
+Subsystem: com.intellij.openapi.diff.impl.patch.CharsetEP
+<+>UTF-8
+===================================================================
+diff --git a/src/net/internal/socktest/main_test.go b/src/net/internal/socktest/main_test.go
+--- a/src/net/internal/socktest/main_test.go	(revision 9ac42137ef6730e8b7daca016ece831297a1d75b)
+++ b/src/net/internal/socktest/main_test.go	(revision 21290de8a4c91408de7c2b5b68757b1e90af49dd)
+@@ -2,7 +2,7 @@
+ // Use of this source code is governed by a BSD-style
+ // license that can be found in the LICENSE file.
+ 
+-//go:build !js && !plan9 && !wasip1 && !windows
+//go:build !js && !plan9 && !wasip1
+ 
+ package socktest_test
+ 
+Index: src/net/internal/socktest/main_windows_test.go
+IDEA additional info:
+Subsystem: com.intellij.openapi.diff.impl.patch.CharsetEP
+<+>UTF-8
+===================================================================
+diff --git a/src/net/internal/socktest/main_windows_test.go b/src/net/internal/socktest/main_windows_test.go
+new file mode 100644
+--- /dev/null	(revision 21290de8a4c91408de7c2b5b68757b1e90af49dd)
+++ b/src/net/internal/socktest/main_windows_test.go	(revision 21290de8a4c91408de7c2b5b68757b1e90af49dd)
+@@ -0,0 +1,22 @@
+// Copyright 2015 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+package socktest_test
+
+import "syscall"
+
+var (
+	socketFunc func(int, int, int) (syscall.Handle, error)
+	closeFunc  func(syscall.Handle) error
+)
+
+func installTestHooks() {
+	socketFunc = sw.Socket
+	closeFunc = sw.Closesocket
+}
+
+func uninstallTestHooks() {
+	socketFunc = syscall.Socket
+	closeFunc = syscall.Closesocket
+}
+Index: src/net/internal/socktest/sys_windows.go
+IDEA additional info:
+Subsystem: com.intellij.openapi.diff.impl.patch.CharsetEP
+<+>UTF-8
+===================================================================
+diff --git a/src/net/internal/socktest/sys_windows.go b/src/net/internal/socktest/sys_windows.go
+--- a/src/net/internal/socktest/sys_windows.go	(revision 9ac42137ef6730e8b7daca016ece831297a1d75b)
+++ b/src/net/internal/socktest/sys_windows.go	(revision 21290de8a4c91408de7c2b5b68757b1e90af49dd)
+@@ -9,6 +9,38 @@
+ 	"syscall"
+ )
+ 
+// Socket wraps [syscall.Socket].
+func (sw *Switch) Socket(family, sotype, proto int) (s syscall.Handle, err error) {
+	sw.once.Do(sw.init)
+
+	so := &Status{Cookie: cookie(family, sotype, proto)}
+	sw.fmu.RLock()
+	f, _ := sw.fltab[FilterSocket]
+	sw.fmu.RUnlock()
+
+	af, err := f.apply(so)
+	if err != nil {
+		return syscall.InvalidHandle, err
+	}
+	s, so.Err = syscall.Socket(family, sotype, proto)
+	if err = af.apply(so); err != nil {
+		if so.Err == nil {
+			syscall.Closesocket(s)
+		}
+		return syscall.InvalidHandle, err
+	}
+
+	sw.smu.Lock()
+	defer sw.smu.Unlock()
+	if so.Err != nil {
+		sw.stats.getLocked(so.Cookie).OpenFailed++
+		return syscall.InvalidHandle, so.Err
+	}
+	nso := sw.addLocked(s, family, sotype, proto)
+	sw.stats.getLocked(nso.Cookie).Opened++
+	return s, nil
+}
+
+ // WSASocket wraps [syscall.WSASocket].
+ func (sw *Switch) WSASocket(family, sotype, proto int32, protinfo *syscall.WSAProtocolInfo, group uint32, flags uint32) (s syscall.Handle, err error) {
+ 	sw.once.Do(sw.init)
+Index: src/net/main_windows_test.go
+IDEA additional info:
+Subsystem: com.intellij.openapi.diff.impl.patch.CharsetEP
+<+>UTF-8
+===================================================================
+diff --git a/src/net/main_windows_test.go b/src/net/main_windows_test.go
+--- a/src/net/main_windows_test.go	(revision 9ac42137ef6730e8b7daca016ece831297a1d75b)
+++ b/src/net/main_windows_test.go	(revision 21290de8a4c91408de7c2b5b68757b1e90af49dd)
+@@ -8,6 +8,7 @@
+ 
+ var (
+ 	// Placeholders for saving original socket system calls.
+	origSocket      = socketFunc
+ 	origWSASocket   = wsaSocketFunc
+ 	origClosesocket = poll.CloseFunc
+ 	origConnect     = connectFunc
+@@ -17,6 +18,7 @@
+ )
+ 
+ func installTestHooks() {
+	socketFunc = sw.Socket
+ 	wsaSocketFunc = sw.WSASocket
+ 	poll.CloseFunc = sw.Closesocket
+ 	connectFunc = sw.Connect
+@@ -26,6 +28,7 @@
+ }
+ 
+ func uninstallTestHooks() {
+	socketFunc = origSocket
+ 	wsaSocketFunc = origWSASocket
+ 	poll.CloseFunc = origClosesocket
+ 	connectFunc = origConnect
+Index: src/net/sock_windows.go
+IDEA additional info:
+Subsystem: com.intellij.openapi.diff.impl.patch.CharsetEP
+<+>UTF-8
+===================================================================
+diff --git a/src/net/sock_windows.go b/src/net/sock_windows.go
+--- a/src/net/sock_windows.go	(revision 9ac42137ef6730e8b7daca016ece831297a1d75b)
+++ b/src/net/sock_windows.go	(revision 21290de8a4c91408de7c2b5b68757b1e90af49dd)
+@@ -20,6 +20,21 @@
+ func sysSocket(family, sotype, proto int) (syscall.Handle, error) {
+ 	s, err := wsaSocketFunc(int32(family), int32(sotype), int32(proto),
+ 		nil, 0, windows.WSA_FLAG_OVERLAPPED|windows.WSA_FLAG_NO_HANDLE_INHERIT)
+	if err == nil {
+		return s, nil
+	}
+	// WSA_FLAG_NO_HANDLE_INHERIT flag is not supported on some
+	// old versions of Windows, see
+	// https://msdn.microsoft.com/en-us/library/windows/desktop/ms742212(v=vs.85).aspx
+	// for details. Just use syscall.Socket, if windows.WSASocket failed.
+
+	// See ../syscall/exec_unix.go for description of ForkLock.
+	syscall.ForkLock.RLock()
+	s, err = socketFunc(family, sotype, proto)
+	if err == nil {
+		syscall.CloseOnExec(s)
+	}
+	syscall.ForkLock.RUnlock()
+ 	if err != nil {
+ 		return syscall.InvalidHandle, os.NewSyscallError("socket", err)
+ 	}
+Index: src/syscall/exec_windows.go
+IDEA additional info:
+Subsystem: com.intellij.openapi.diff.impl.patch.CharsetEP
+<+>UTF-8
+===================================================================
+diff --git a/src/syscall/exec_windows.go b/src/syscall/exec_windows.go
+--- a/src/syscall/exec_windows.go	(revision 9ac42137ef6730e8b7daca016ece831297a1d75b)
+++ b/src/syscall/exec_windows.go	(revision 6a31d3fa8e47ddabc10bd97bff10d9a85f4cfb76)
+@@ -14,7 +14,6 @@
+ 	"unsafe"
+ )
+ 
+-// ForkLock is not used on Windows.
+ var ForkLock sync.RWMutex
+ 
+ // EscapeArg rewrites command line argument s as prescribed
+@@ -254,6 +253,9 @@
+ var zeroProcAttr ProcAttr
+ var zeroSysProcAttr SysProcAttr
+ 
+//go:linkname rtlGetNtVersionNumbers
+func rtlGetNtVersionNumbers(majorVersion *uint32, minorVersion *uint32, buildNumber *uint32)
+
+ func StartProcess(argv0 string, argv []string, attr *ProcAttr) (pid int, handle uintptr, err error) {
+ 	if len(argv0) == 0 {
+ 		return 0, 0, EWINDOWS
+@@ -317,6 +319,17 @@
+ 		}
+ 	}
+ 
+	var maj, min, build uint32
+	rtlGetNtVersionNumbers(&maj, &min, &build)
+	isWin7 := maj < 6 || (maj == 6 && min <= 1)
+	// NT kernel handles are divisible by 4, with the bottom 3 bits left as
+	// a tag. The fully set tag correlates with the types of handles we're
+	// concerned about here.  Except, the kernel will interpret some
+	// special handle values, like -1, -2, and so forth, so kernelbase.dll
+	// checks to see that those bottom three bits are checked, but that top
+	// bit is not checked.
+	isLegacyWin7ConsoleHandle := func(handle Handle) bool { return isWin7 && handle&0x10000003 == 3 }
+
+ 	p, _ := GetCurrentProcess()
+ 	parentProcess := p
+ 	if sys.ParentProcess != 0 {
+@@ -325,7 +338,15 @@
+ 	fd := make([]Handle, len(attr.Files))
+ 	for i := range attr.Files {
+ 		if attr.Files[i] > 0 {
+-			err := DuplicateHandle(p, Handle(attr.Files[i]), parentProcess, &fd[i], 0, true, DUPLICATE_SAME_ACCESS)
+			destinationProcessHandle := parentProcess
+
+			// On Windows 7, console handles aren't real handles, and can only be duplicated
+			// into the current process, not a parent one, which amounts to the same thing.
+			if parentProcess != p && isLegacyWin7ConsoleHandle(Handle(attr.Files[i])) {
+				destinationProcessHandle = p
+			}
+
+			err := DuplicateHandle(p, Handle(attr.Files[i]), destinationProcessHandle, &fd[i], 0, true, DUPLICATE_SAME_ACCESS)
+ 			if err != nil {
+ 				return 0, 0, err
+ 			}
+@@ -356,6 +377,14 @@
+ 
+ 	fd = append(fd, sys.AdditionalInheritedHandles...)
+ 
+	// On Windows 7, console handles aren't real handles, so don't pass them
+	// through to PROC_THREAD_ATTRIBUTE_HANDLE_LIST.
+	for i := range fd {
+		if isLegacyWin7ConsoleHandle(fd[i]) {
+			fd[i] = 0
+		}
+	}
+
+ 	// The presence of a NULL handle in the list is enough to cause PROC_THREAD_ATTRIBUTE_HANDLE_LIST
+ 	// to treat the entire list as empty, so remove NULL handles.
+ 	j := 0
+Index: src/runtime/syscall_windows.go
+IDEA additional info:
+Subsystem: com.intellij.openapi.diff.impl.patch.CharsetEP
+<+>UTF-8
+===================================================================
+diff --git a/src/runtime/syscall_windows.go b/src/runtime/syscall_windows.go
+--- a/src/runtime/syscall_windows.go	(revision 6a31d3fa8e47ddabc10bd97bff10d9a85f4cfb76)
+++ b/src/runtime/syscall_windows.go	(revision 69e2eed6dd0f6d815ebf15797761c13f31213dd6)
+@@ -413,10 +413,20 @@
+ 
+ const _LOAD_LIBRARY_SEARCH_SYSTEM32 = 0x00000800
+ 
+// When available, this function will use LoadLibraryEx with the filename
+// parameter and the important SEARCH_SYSTEM32 argument. But on systems that
+// do not have that option, absoluteFilepath should contain a fallback
+// to the full path inside of system32 for use with vanilla LoadLibrary.
+//
+ //go:linkname syscall_loadsystemlibrary syscall.loadsystemlibrary
+-func syscall_loadsystemlibrary(filename *uint16) (handle, err uintptr) {
+-	handle, _, err = syscall_SyscallN(uintptr(unsafe.Pointer(_LoadLibraryExW)), uintptr(unsafe.Pointer(filename)), 0, _LOAD_LIBRARY_SEARCH_SYSTEM32)
+func syscall_loadsystemlibrary(filename *uint16, absoluteFilepath *uint16) (handle, err uintptr) {
+	if useLoadLibraryEx {
+		handle, _, err = syscall_SyscallN(uintptr(unsafe.Pointer(_LoadLibraryExW)), uintptr(unsafe.Pointer(filename)), 0, _LOAD_LIBRARY_SEARCH_SYSTEM32)
+	} else {
+		handle, _, err = syscall_SyscallN(uintptr(unsafe.Pointer(_LoadLibraryW)), uintptr(unsafe.Pointer(absoluteFilepath)))
+	}
+ 	KeepAlive(filename)
+	KeepAlive(absoluteFilepath)
+ 	if handle != 0 {
+ 		err = 0
+ 	}
+Index: src/syscall/dll_windows.go
+IDEA additional info:
+Subsystem: com.intellij.openapi.diff.impl.patch.CharsetEP
+<+>UTF-8
+===================================================================
+diff --git a/src/syscall/dll_windows.go b/src/syscall/dll_windows.go
+--- a/src/syscall/dll_windows.go	(revision 6a31d3fa8e47ddabc10bd97bff10d9a85f4cfb76)
+++ b/src/syscall/dll_windows.go	(revision 69e2eed6dd0f6d815ebf15797761c13f31213dd6)
+@@ -44,7 +44,7 @@
+ 
+ func SyscallN(trap uintptr, args ...uintptr) (r1, r2 uintptr, err Errno)
+ func loadlibrary(filename *uint16) (handle uintptr, err Errno)
+-func loadsystemlibrary(filename *uint16) (handle uintptr, err Errno)
+func loadsystemlibrary(filename *uint16, absoluteFilepath *uint16) (handle uintptr, err Errno)
+ func getprocaddress(handle uintptr, procname *uint8) (proc uintptr, err Errno)
+ 
+ // A DLL implements access to a single DLL.
+@@ -53,6 +53,9 @@
+ 	Handle Handle
+ }
+ 
+//go:linkname getSystemDirectory
+func getSystemDirectory() string // Implemented in runtime package.
+
+ // LoadDLL loads the named DLL file into memory.
+ //
+ // If name is not an absolute path and is not a known system DLL used by
+@@ -69,7 +72,11 @@
+ 	var h uintptr
+ 	var e Errno
+ 	if sysdll.IsSystemDLL[name] {
+-		h, e = loadsystemlibrary(namep)
+		absoluteFilepathp, err := UTF16PtrFromString(getSystemDirectory() + name)
+		if err != nil {
+			return nil, err
+		}
+		h, e = loadsystemlibrary(namep, absoluteFilepathp)
+ 	} else {
+ 		h, e = loadlibrary(namep)
+ 	}
--- a/.github/patch/go1.24.patch
+++ b/.github/patch/go1.24.patch
@@ -0,0 +1,657 @@
+Subject: [PATCH] Revert "runtime: always use LoadLibraryEx to load system libraries"
+Revert "syscall: remove Windows 7 console handle workaround"
+Revert "net: remove sysSocket fallback for Windows 7"
+Revert "crypto/rand,runtime: switch RtlGenRandom for ProcessPrng"
+---
+Index: src/crypto/internal/sysrand/rand_windows.go
+IDEA additional info:
+Subsystem: com.intellij.openapi.diff.impl.patch.CharsetEP
+<+>UTF-8
+===================================================================
+diff --git a/src/crypto/internal/sysrand/rand_windows.go b/src/crypto/internal/sysrand/rand_windows.go
+--- a/src/crypto/internal/sysrand/rand_windows.go	(revision 3901409b5d0fb7c85a3e6730a59943cc93b2835c)
+++ b/src/crypto/internal/sysrand/rand_windows.go	(revision 2a406dc9f1ea7323d6ca9fccb2fe9ddebb6b1cc8)
+@@ -7,5 +7,26 @@
+ import "internal/syscall/windows"
+ 
+ func read(b []byte) error {
+-	return windows.ProcessPrng(b)
+	// RtlGenRandom only returns 1<<32-1 bytes at a time. We only read at
+	// most 1<<31-1 bytes at a time so that  this works the same on 32-bit
+	// and 64-bit systems.
+	return batched(windows.RtlGenRandom, 1<<31-1)(b)
+}
+
+// batched returns a function that calls f to populate a []byte by chunking it
+// into subslices of, at most, readMax bytes.
+func batched(f func([]byte) error, readMax int) func([]byte) error {
+	return func(out []byte) error {
+		for len(out) > 0 {
+			read := len(out)
+			if read > readMax {
+				read = readMax
+			}
+			if err := f(out[:read]); err != nil {
+				return err
+			}
+			out = out[read:]
+		}
+		return nil
+	}
+ }
+Index: src/crypto/rand/rand.go
+IDEA additional info:
+Subsystem: com.intellij.openapi.diff.impl.patch.CharsetEP
+<+>UTF-8
+===================================================================
+diff --git a/src/crypto/rand/rand.go b/src/crypto/rand/rand.go
+--- a/src/crypto/rand/rand.go	(revision 3901409b5d0fb7c85a3e6730a59943cc93b2835c)
+++ b/src/crypto/rand/rand.go	(revision 2a406dc9f1ea7323d6ca9fccb2fe9ddebb6b1cc8)
+@@ -22,7 +22,7 @@
+ //   - On legacy Linux (< 3.17), Reader opens /dev/urandom on first use.
+ //   - On macOS, iOS, and OpenBSD Reader, uses arc4random_buf(3).
+ //   - On NetBSD, Reader uses the kern.arandom sysctl.
+-//   - On Windows, Reader uses the ProcessPrng API.
+//   - On Windows systems, Reader uses the RtlGenRandom API.
+ //   - On js/wasm, Reader uses the Web Crypto API.
+ //   - On wasip1/wasm, Reader uses random_get.
+ //
+Index: src/internal/syscall/windows/syscall_windows.go
+IDEA additional info:
+Subsystem: com.intellij.openapi.diff.impl.patch.CharsetEP
+<+>UTF-8
+===================================================================
+diff --git a/src/internal/syscall/windows/syscall_windows.go b/src/internal/syscall/windows/syscall_windows.go
+--- a/src/internal/syscall/windows/syscall_windows.go	(revision 3901409b5d0fb7c85a3e6730a59943cc93b2835c)
+++ b/src/internal/syscall/windows/syscall_windows.go	(revision 2a406dc9f1ea7323d6ca9fccb2fe9ddebb6b1cc8)
+@@ -416,7 +416,7 @@
+ //sys	DestroyEnvironmentBlock(block *uint16) (err error) = userenv.DestroyEnvironmentBlock
+ //sys	CreateEvent(eventAttrs *SecurityAttributes, manualReset uint32, initialState uint32, name *uint16) (handle syscall.Handle, err error) = kernel32.CreateEventW
+ 
+-//sys	ProcessPrng(buf []byte) (err error) = bcryptprimitives.ProcessPrng
+//sys	RtlGenRandom(buf []byte) (err error) = advapi32.SystemFunction036
+ 
+ type FILE_ID_BOTH_DIR_INFO struct {
+ 	NextEntryOffset uint32
+Index: src/internal/syscall/windows/zsyscall_windows.go
+IDEA additional info:
+Subsystem: com.intellij.openapi.diff.impl.patch.CharsetEP
+<+>UTF-8
+===================================================================
+diff --git a/src/internal/syscall/windows/zsyscall_windows.go b/src/internal/syscall/windows/zsyscall_windows.go
+--- a/src/internal/syscall/windows/zsyscall_windows.go	(revision 3901409b5d0fb7c85a3e6730a59943cc93b2835c)
+++ b/src/internal/syscall/windows/zsyscall_windows.go	(revision 2a406dc9f1ea7323d6ca9fccb2fe9ddebb6b1cc8)
+@@ -38,7 +38,6 @@
+ 
+ var (
+ 	modadvapi32         = syscall.NewLazyDLL(sysdll.Add("advapi32.dll"))
+-	modbcryptprimitives = syscall.NewLazyDLL(sysdll.Add("bcryptprimitives.dll"))
+ 	modiphlpapi         = syscall.NewLazyDLL(sysdll.Add("iphlpapi.dll"))
+ 	modkernel32         = syscall.NewLazyDLL(sysdll.Add("kernel32.dll"))
+ 	modnetapi32         = syscall.NewLazyDLL(sysdll.Add("netapi32.dll"))
+@@ -63,7 +62,7 @@
+ 	procQueryServiceStatus                = modadvapi32.NewProc("QueryServiceStatus")
+ 	procRevertToSelf                      = modadvapi32.NewProc("RevertToSelf")
+ 	procSetTokenInformation               = modadvapi32.NewProc("SetTokenInformation")
+-	procProcessPrng                       = modbcryptprimitives.NewProc("ProcessPrng")
+	procSystemFunction036                 = modadvapi32.NewProc("SystemFunction036")
+ 	procGetAdaptersAddresses              = modiphlpapi.NewProc("GetAdaptersAddresses")
+ 	procCreateEventW                      = modkernel32.NewProc("CreateEventW")
+ 	procGetACP                            = modkernel32.NewProc("GetACP")
+@@ -236,12 +235,12 @@
+ 	return
+ }
+ 
+-func ProcessPrng(buf []byte) (err error) {
+func RtlGenRandom(buf []byte) (err error) {
+ 	var _p0 *byte
+ 	if len(buf) > 0 {
+ 		_p0 = &buf[0]
+ 	}
+-	r1, _, e1 := syscall.Syscall(procProcessPrng.Addr(), 2, uintptr(unsafe.Pointer(_p0)), uintptr(len(buf)), 0)
+	r1, _, e1 := syscall.Syscall(procSystemFunction036.Addr(), 2, uintptr(unsafe.Pointer(_p0)), uintptr(len(buf)), 0)
+ 	if r1 == 0 {
+ 		err = errnoErr(e1)
+ 	}
+Index: src/runtime/os_windows.go
+IDEA additional info:
+Subsystem: com.intellij.openapi.diff.impl.patch.CharsetEP
+<+>UTF-8
+===================================================================
+diff --git a/src/runtime/os_windows.go b/src/runtime/os_windows.go
+--- a/src/runtime/os_windows.go	(revision 3901409b5d0fb7c85a3e6730a59943cc93b2835c)
+++ b/src/runtime/os_windows.go	(revision ac3e93c061779dfefc0dd13a5b6e6f764a25621e)
+@@ -40,8 +40,8 @@
+ //go:cgo_import_dynamic runtime._GetSystemInfo GetSystemInfo%1 "kernel32.dll"
+ //go:cgo_import_dynamic runtime._GetThreadContext GetThreadContext%2 "kernel32.dll"
+ //go:cgo_import_dynamic runtime._SetThreadContext SetThreadContext%2 "kernel32.dll"
+-//go:cgo_import_dynamic runtime._LoadLibraryExW LoadLibraryExW%3 "kernel32.dll"
+ //go:cgo_import_dynamic runtime._LoadLibraryW LoadLibraryW%1 "kernel32.dll"
+//go:cgo_import_dynamic runtime._LoadLibraryA LoadLibraryA%1 "kernel32.dll"
+ //go:cgo_import_dynamic runtime._PostQueuedCompletionStatus PostQueuedCompletionStatus%4 "kernel32.dll"
+ //go:cgo_import_dynamic runtime._QueryPerformanceCounter QueryPerformanceCounter%1 "kernel32.dll"
+ //go:cgo_import_dynamic runtime._QueryPerformanceFrequency QueryPerformanceFrequency%1 "kernel32.dll"
+@@ -75,7 +75,6 @@
+ 	// Following syscalls are available on every Windows PC.
+ 	// All these variables are set by the Windows executable
+ 	// loader before the Go program starts.
+-	_AddVectoredContinueHandler,
+ 	_AddVectoredExceptionHandler,
+ 	_CloseHandle,
+ 	_CreateEventA,
+@@ -98,8 +97,8 @@
+ 	_GetSystemInfo,
+ 	_GetThreadContext,
+ 	_SetThreadContext,
+-	_LoadLibraryExW,
+ 	_LoadLibraryW,
+	_LoadLibraryA,
+ 	_PostQueuedCompletionStatus,
+ 	_QueryPerformanceCounter,
+ 	_QueryPerformanceFrequency,
+@@ -128,8 +127,23 @@
+ 	_WriteFile,
+ 	_ stdFunction
+ 
+-	// Use ProcessPrng to generate cryptographically random data.
+-	_ProcessPrng stdFunction
+	// Following syscalls are only available on some Windows PCs.
+	// We will load syscalls, if available, before using them.
+	_AddDllDirectory,
+	_AddVectoredContinueHandler,
+	_LoadLibraryExA,
+	_LoadLibraryExW,
+	_ stdFunction
+
+	// Use RtlGenRandom to generate cryptographically random data.
+	// This approach has been recommended by Microsoft (see issue
+	// 15589 for details).
+	// The RtlGenRandom is not listed in advapi32.dll, instead
+	// RtlGenRandom function can be found by searching for SystemFunction036.
+	// Also some versions of Mingw cannot link to SystemFunction036
+	// when building executable as Cgo. So load SystemFunction036
+	// manually during runtime startup.
+	_RtlGenRandom stdFunction
+ 
+ 	// Load ntdll.dll manually during startup, otherwise Mingw
+ 	// links wrong printf function to cgo executable (see issue
+@@ -146,13 +160,6 @@
+ 	_ stdFunction
+ )
+ 
+-var (
+-	bcryptprimitivesdll = [...]uint16{'b', 'c', 'r', 'y', 'p', 't', 'p', 'r', 'i', 'm', 'i', 't', 'i', 'v', 'e', 's', '.', 'd', 'l', 'l', 0}
+-	ntdlldll            = [...]uint16{'n', 't', 'd', 'l', 'l', '.', 'd', 'l', 'l', 0}
+-	powrprofdll         = [...]uint16{'p', 'o', 'w', 'r', 'p', 'r', 'o', 'f', '.', 'd', 'l', 'l', 0}
+-	winmmdll            = [...]uint16{'w', 'i', 'n', 'm', 'm', '.', 'd', 'l', 'l', 0}
+-)
+-
+ // Function to be called by windows CreateThread
+ // to start new os thread.
+ func tstart_stdcall(newm *m)
+@@ -245,8 +252,18 @@
+ 	return unsafe.String(&sysDirectory[0], sysDirectoryLen)
+ }
+ 
+-func windowsLoadSystemLib(name []uint16) uintptr {
+-	return stdcall3(_LoadLibraryExW, uintptr(unsafe.Pointer(&name[0])), 0, _LOAD_LIBRARY_SEARCH_SYSTEM32)
+//go:linkname syscall_getSystemDirectory syscall.getSystemDirectory
+func syscall_getSystemDirectory() string {
+	return unsafe.String(&sysDirectory[0], sysDirectoryLen)
+}
+
+func windowsLoadSystemLib(name []byte) uintptr {
+	if useLoadLibraryEx {
+		return stdcall3(_LoadLibraryExA, uintptr(unsafe.Pointer(&name[0])), 0, _LOAD_LIBRARY_SEARCH_SYSTEM32)
+	} else {
+		absName := append(sysDirectory[:sysDirectoryLen], name...)
+		return stdcall1(_LoadLibraryA, uintptr(unsafe.Pointer(&absName[0])))
+	}
+ }
+ 
+ //go:linkname windows_QueryPerformanceCounter internal/syscall/windows.QueryPerformanceCounter
+@@ -264,13 +281,28 @@
+ }
+ 
+ func loadOptionalSyscalls() {
+-	bcryptPrimitives := windowsLoadSystemLib(bcryptprimitivesdll[:])
+-	if bcryptPrimitives == 0 {
+-		throw("bcryptprimitives.dll not found")
+	var kernel32dll = []byte("kernel32.dll\000")
+	k32 := stdcall1(_LoadLibraryA, uintptr(unsafe.Pointer(&kernel32dll[0])))
+	if k32 == 0 {
+		throw("kernel32.dll not found")
+ 	}
+-	_ProcessPrng = windowsFindfunc(bcryptPrimitives, []byte("ProcessPrng\000"))
+	_AddDllDirectory = windowsFindfunc(k32, []byte("AddDllDirectory\000"))
+	_AddVectoredContinueHandler = windowsFindfunc(k32, []byte("AddVectoredContinueHandler\000"))
+	_LoadLibraryExA = windowsFindfunc(k32, []byte("LoadLibraryExA\000"))
+	_LoadLibraryExW = windowsFindfunc(k32, []byte("LoadLibraryExW\000"))
+	useLoadLibraryEx = (_LoadLibraryExW != nil && _LoadLibraryExA != nil && _AddDllDirectory != nil)
+
+	initSysDirectory()
+ 
+-	n32 := windowsLoadSystemLib(ntdlldll[:])
+	var advapi32dll = []byte("advapi32.dll\000")
+	a32 := windowsLoadSystemLib(advapi32dll)
+	if a32 == 0 {
+		throw("advapi32.dll not found")
+	}
+	_RtlGenRandom = windowsFindfunc(a32, []byte("SystemFunction036\000"))
+
+	var ntdll = []byte("ntdll.dll\000")
+	n32 := windowsLoadSystemLib(ntdll)
+ 	if n32 == 0 {
+ 		throw("ntdll.dll not found")
+ 	}
+@@ -299,7 +331,7 @@
+ 		context  uintptr
+ 	}
+ 
+-	powrprof := windowsLoadSystemLib(powrprofdll[:])
+	powrprof := windowsLoadSystemLib([]byte("powrprof.dll\000"))
+ 	if powrprof == 0 {
+ 		return // Running on Windows 7, where we don't need it anyway.
+ 	}
+@@ -358,6 +390,22 @@
+ // in sys_windows_386.s and sys_windows_amd64.s:
+ func getlasterror() uint32
+ 
+// When loading DLLs, we prefer to use LoadLibraryEx with
+// LOAD_LIBRARY_SEARCH_* flags, if available. LoadLibraryEx is not
+// available on old Windows, though, and the LOAD_LIBRARY_SEARCH_*
+// flags are not available on some versions of Windows without a
+// security patch.
+//
+// https://msdn.microsoft.com/en-us/library/ms684179(v=vs.85).aspx says:
+// "Windows 7, Windows Server 2008 R2, Windows Vista, and Windows
+// Server 2008: The LOAD_LIBRARY_SEARCH_* flags are available on
+// systems that have KB2533623 installed. To determine whether the
+// flags are available, use GetProcAddress to get the address of the
+// AddDllDirectory, RemoveDllDirectory, or SetDefaultDllDirectories
+// function. If GetProcAddress succeeds, the LOAD_LIBRARY_SEARCH_*
+// flags can be used with LoadLibraryEx."
+var useLoadLibraryEx bool
+
+ var timeBeginPeriodRetValue uint32
+ 
+ // osRelaxMinNS indicates that sysmon shouldn't osRelax if the next
+@@ -431,7 +479,8 @@
+ 		// Only load winmm.dll if we need it.
+ 		// This avoids a dependency on winmm.dll for Go programs
+ 		// that run on new Windows versions.
+-		m32 := windowsLoadSystemLib(winmmdll[:])
+		var winmmdll = []byte("winmm.dll\000")
+		m32 := windowsLoadSystemLib(winmmdll)
+ 		if m32 == 0 {
+ 			print("runtime: LoadLibraryExW failed; errno=", getlasterror(), "\n")
+ 			throw("winmm.dll not found")
+@@ -472,6 +521,28 @@
+ 	canUseLongPaths = true
+ }
+ 
+var osVersionInfo struct {
+	majorVersion uint32
+	minorVersion uint32
+	buildNumber  uint32
+}
+
+func initOsVersionInfo() {
+	info := _OSVERSIONINFOW{}
+	info.osVersionInfoSize = uint32(unsafe.Sizeof(info))
+	stdcall1(_RtlGetVersion, uintptr(unsafe.Pointer(&info)))
+	osVersionInfo.majorVersion = info.majorVersion
+	osVersionInfo.minorVersion = info.minorVersion
+	osVersionInfo.buildNumber = info.buildNumber
+}
+
+//go:linkname rtlGetNtVersionNumbers syscall.rtlGetNtVersionNumbers
+func rtlGetNtVersionNumbers(majorVersion *uint32, minorVersion *uint32, buildNumber *uint32) {
+	*majorVersion = osVersionInfo.majorVersion
+	*minorVersion = osVersionInfo.minorVersion
+	*buildNumber = osVersionInfo.buildNumber
+}
+
+ func osinit() {
+ 	asmstdcallAddr = unsafe.Pointer(abi.FuncPCABI0(asmstdcall))
+ 
+@@ -484,8 +555,8 @@
+ 	initHighResTimer()
+ 	timeBeginPeriodRetValue = osRelax(false)
+ 
+-	initSysDirectory()
+ 	initLongPathSupport()
+	initOsVersionInfo()
+ 
+ 	ncpu = getproccount()
+ 
+@@ -501,7 +572,7 @@
+ //go:nosplit
+ func readRandom(r []byte) int {
+ 	n := 0
+-	if stdcall2(_ProcessPrng, uintptr(unsafe.Pointer(&r[0])), uintptr(len(r)))&0xff != 0 {
+	if stdcall2(_RtlGenRandom, uintptr(unsafe.Pointer(&r[0])), uintptr(len(r)))&0xff != 0 {
+ 		n = len(r)
+ 	}
+ 	return n
+Index: src/net/hook_windows.go
+IDEA additional info:
+Subsystem: com.intellij.openapi.diff.impl.patch.CharsetEP
+<+>UTF-8
+===================================================================
+diff --git a/src/net/hook_windows.go b/src/net/hook_windows.go
+--- a/src/net/hook_windows.go	(revision 2a406dc9f1ea7323d6ca9fccb2fe9ddebb6b1cc8)
+++ b/src/net/hook_windows.go	(revision 7b1fd7d39c6be0185fbe1d929578ab372ac5c632)
+@@ -13,6 +13,7 @@
+ 	hostsFilePath = windows.GetSystemDirectory() + "/Drivers/etc/hosts"
+ 
+ 	// Placeholders for socket system calls.
+	socketFunc    func(int, int, int) (syscall.Handle, error)                                                 = syscall.Socket
+ 	wsaSocketFunc func(int32, int32, int32, *syscall.WSAProtocolInfo, uint32, uint32) (syscall.Handle, error) = windows.WSASocket
+ 	connectFunc   func(syscall.Handle, syscall.Sockaddr) error                                                = syscall.Connect
+ 	listenFunc    func(syscall.Handle, int) error                                                             = syscall.Listen
+Index: src/net/internal/socktest/main_test.go
+IDEA additional info:
+Subsystem: com.intellij.openapi.diff.impl.patch.CharsetEP
+<+>UTF-8
+===================================================================
+diff --git a/src/net/internal/socktest/main_test.go b/src/net/internal/socktest/main_test.go
+--- a/src/net/internal/socktest/main_test.go	(revision 2a406dc9f1ea7323d6ca9fccb2fe9ddebb6b1cc8)
+++ b/src/net/internal/socktest/main_test.go	(revision 7b1fd7d39c6be0185fbe1d929578ab372ac5c632)
+@@ -2,7 +2,7 @@
+ // Use of this source code is governed by a BSD-style
+ // license that can be found in the LICENSE file.
+ 
+-//go:build !js && !plan9 && !wasip1 && !windows
+//go:build !js && !plan9 && !wasip1
+ 
+ package socktest_test
+ 
+Index: src/net/internal/socktest/main_windows_test.go
+IDEA additional info:
+Subsystem: com.intellij.openapi.diff.impl.patch.CharsetEP
+<+>UTF-8
+===================================================================
+diff --git a/src/net/internal/socktest/main_windows_test.go b/src/net/internal/socktest/main_windows_test.go
+new file mode 100644
+--- /dev/null	(revision 7b1fd7d39c6be0185fbe1d929578ab372ac5c632)
+++ b/src/net/internal/socktest/main_windows_test.go	(revision 7b1fd7d39c6be0185fbe1d929578ab372ac5c632)
+@@ -0,0 +1,22 @@
+// Copyright 2015 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+package socktest_test
+
+import "syscall"
+
+var (
+	socketFunc func(int, int, int) (syscall.Handle, error)
+	closeFunc  func(syscall.Handle) error
+)
+
+func installTestHooks() {
+	socketFunc = sw.Socket
+	closeFunc = sw.Closesocket
+}
+
+func uninstallTestHooks() {
+	socketFunc = syscall.Socket
+	closeFunc = syscall.Closesocket
+}
+Index: src/net/internal/socktest/sys_windows.go
+IDEA additional info:
+Subsystem: com.intellij.openapi.diff.impl.patch.CharsetEP
+<+>UTF-8
+===================================================================
+diff --git a/src/net/internal/socktest/sys_windows.go b/src/net/internal/socktest/sys_windows.go
+--- a/src/net/internal/socktest/sys_windows.go	(revision 2a406dc9f1ea7323d6ca9fccb2fe9ddebb6b1cc8)
+++ b/src/net/internal/socktest/sys_windows.go	(revision 7b1fd7d39c6be0185fbe1d929578ab372ac5c632)
+@@ -9,6 +9,38 @@
+ 	"syscall"
+ )
+ 
+// Socket wraps [syscall.Socket].
+func (sw *Switch) Socket(family, sotype, proto int) (s syscall.Handle, err error) {
+	sw.once.Do(sw.init)
+
+	so := &Status{Cookie: cookie(family, sotype, proto)}
+	sw.fmu.RLock()
+	f, _ := sw.fltab[FilterSocket]
+	sw.fmu.RUnlock()
+
+	af, err := f.apply(so)
+	if err != nil {
+		return syscall.InvalidHandle, err
+	}
+	s, so.Err = syscall.Socket(family, sotype, proto)
+	if err = af.apply(so); err != nil {
+		if so.Err == nil {
+			syscall.Closesocket(s)
+		}
+		return syscall.InvalidHandle, err
+	}
+
+	sw.smu.Lock()
+	defer sw.smu.Unlock()
+	if so.Err != nil {
+		sw.stats.getLocked(so.Cookie).OpenFailed++
+		return syscall.InvalidHandle, so.Err
+	}
+	nso := sw.addLocked(s, family, sotype, proto)
+	sw.stats.getLocked(nso.Cookie).Opened++
+	return s, nil
+}
+
+ // WSASocket wraps [syscall.WSASocket].
+ func (sw *Switch) WSASocket(family, sotype, proto int32, protinfo *syscall.WSAProtocolInfo, group uint32, flags uint32) (s syscall.Handle, err error) {
+ 	sw.once.Do(sw.init)
+Index: src/net/main_windows_test.go
+IDEA additional info:
+Subsystem: com.intellij.openapi.diff.impl.patch.CharsetEP
+<+>UTF-8
+===================================================================
+diff --git a/src/net/main_windows_test.go b/src/net/main_windows_test.go
+--- a/src/net/main_windows_test.go	(revision 2a406dc9f1ea7323d6ca9fccb2fe9ddebb6b1cc8)
+++ b/src/net/main_windows_test.go	(revision 7b1fd7d39c6be0185fbe1d929578ab372ac5c632)
+@@ -8,6 +8,7 @@
+ 
+ var (
+ 	// Placeholders for saving original socket system calls.
+	origSocket      = socketFunc
+ 	origWSASocket   = wsaSocketFunc
+ 	origClosesocket = poll.CloseFunc
+ 	origConnect     = connectFunc
+@@ -17,6 +18,7 @@
+ )
+ 
+ func installTestHooks() {
+	socketFunc = sw.Socket
+ 	wsaSocketFunc = sw.WSASocket
+ 	poll.CloseFunc = sw.Closesocket
+ 	connectFunc = sw.Connect
+@@ -26,6 +28,7 @@
+ }
+ 
+ func uninstallTestHooks() {
+	socketFunc = origSocket
+ 	wsaSocketFunc = origWSASocket
+ 	poll.CloseFunc = origClosesocket
+ 	connectFunc = origConnect
+Index: src/net/sock_windows.go
+IDEA additional info:
+Subsystem: com.intellij.openapi.diff.impl.patch.CharsetEP
+<+>UTF-8
+===================================================================
+diff --git a/src/net/sock_windows.go b/src/net/sock_windows.go
+--- a/src/net/sock_windows.go	(revision 2a406dc9f1ea7323d6ca9fccb2fe9ddebb6b1cc8)
+++ b/src/net/sock_windows.go	(revision 7b1fd7d39c6be0185fbe1d929578ab372ac5c632)
+@@ -20,6 +20,21 @@
+ func sysSocket(family, sotype, proto int) (syscall.Handle, error) {
+ 	s, err := wsaSocketFunc(int32(family), int32(sotype), int32(proto),
+ 		nil, 0, windows.WSA_FLAG_OVERLAPPED|windows.WSA_FLAG_NO_HANDLE_INHERIT)
+	if err == nil {
+		return s, nil
+	}
+	// WSA_FLAG_NO_HANDLE_INHERIT flag is not supported on some
+	// old versions of Windows, see
+	// https://msdn.microsoft.com/en-us/library/windows/desktop/ms742212(v=vs.85).aspx
+	// for details. Just use syscall.Socket, if windows.WSASocket failed.
+
+	// See ../syscall/exec_unix.go for description of ForkLock.
+	syscall.ForkLock.RLock()
+	s, err = socketFunc(family, sotype, proto)
+	if err == nil {
+		syscall.CloseOnExec(s)
+	}
+	syscall.ForkLock.RUnlock()
+ 	if err != nil {
+ 		return syscall.InvalidHandle, os.NewSyscallError("socket", err)
+ 	}
+Index: src/syscall/exec_windows.go
+IDEA additional info:
+Subsystem: com.intellij.openapi.diff.impl.patch.CharsetEP
+<+>UTF-8
+===================================================================
+diff --git a/src/syscall/exec_windows.go b/src/syscall/exec_windows.go
+--- a/src/syscall/exec_windows.go	(revision 2a406dc9f1ea7323d6ca9fccb2fe9ddebb6b1cc8)
+++ b/src/syscall/exec_windows.go	(revision 979d6d8bab3823ff572ace26767fd2ce3cf351ae)
+@@ -14,7 +14,6 @@
+ 	"unsafe"
+ )
+ 
+-// ForkLock is not used on Windows.
+ var ForkLock sync.RWMutex
+ 
+ // EscapeArg rewrites command line argument s as prescribed
+@@ -254,6 +253,9 @@
+ var zeroProcAttr ProcAttr
+ var zeroSysProcAttr SysProcAttr
+ 
+//go:linkname rtlGetNtVersionNumbers
+func rtlGetNtVersionNumbers(majorVersion *uint32, minorVersion *uint32, buildNumber *uint32)
+
+ func StartProcess(argv0 string, argv []string, attr *ProcAttr) (pid int, handle uintptr, err error) {
+ 	if len(argv0) == 0 {
+ 		return 0, 0, EWINDOWS
+@@ -317,6 +319,17 @@
+ 		}
+ 	}
+ 
+	var maj, min, build uint32
+	rtlGetNtVersionNumbers(&maj, &min, &build)
+	isWin7 := maj < 6 || (maj == 6 && min <= 1)
+	// NT kernel handles are divisible by 4, with the bottom 3 bits left as
+	// a tag. The fully set tag correlates with the types of handles we're
+	// concerned about here.  Except, the kernel will interpret some
+	// special handle values, like -1, -2, and so forth, so kernelbase.dll
+	// checks to see that those bottom three bits are checked, but that top
+	// bit is not checked.
+	isLegacyWin7ConsoleHandle := func(handle Handle) bool { return isWin7 && handle&0x10000003 == 3 }
+
+ 	p, _ := GetCurrentProcess()
+ 	parentProcess := p
+ 	if sys.ParentProcess != 0 {
+@@ -325,7 +338,15 @@
+ 	fd := make([]Handle, len(attr.Files))
+ 	for i := range attr.Files {
+ 		if attr.Files[i] > 0 {
+-			err := DuplicateHandle(p, Handle(attr.Files[i]), parentProcess, &fd[i], 0, true, DUPLICATE_SAME_ACCESS)
+			destinationProcessHandle := parentProcess
+
+			// On Windows 7, console handles aren't real handles, and can only be duplicated
+			// into the current process, not a parent one, which amounts to the same thing.
+			if parentProcess != p && isLegacyWin7ConsoleHandle(Handle(attr.Files[i])) {
+				destinationProcessHandle = p
+			}
+
+			err := DuplicateHandle(p, Handle(attr.Files[i]), destinationProcessHandle, &fd[i], 0, true, DUPLICATE_SAME_ACCESS)
+ 			if err != nil {
+ 				return 0, 0, err
+ 			}
+@@ -356,6 +377,14 @@
+ 
+ 	fd = append(fd, sys.AdditionalInheritedHandles...)
+ 
+	// On Windows 7, console handles aren't real handles, so don't pass them
+	// through to PROC_THREAD_ATTRIBUTE_HANDLE_LIST.
+	for i := range fd {
+		if isLegacyWin7ConsoleHandle(fd[i]) {
+			fd[i] = 0
+		}
+	}
+
+ 	// The presence of a NULL handle in the list is enough to cause PROC_THREAD_ATTRIBUTE_HANDLE_LIST
+ 	// to treat the entire list as empty, so remove NULL handles.
+ 	j := 0
+Index: src/runtime/syscall_windows.go
+IDEA additional info:
+Subsystem: com.intellij.openapi.diff.impl.patch.CharsetEP
+<+>UTF-8
+===================================================================
+diff --git a/src/runtime/syscall_windows.go b/src/runtime/syscall_windows.go
+--- a/src/runtime/syscall_windows.go	(revision 979d6d8bab3823ff572ace26767fd2ce3cf351ae)
+++ b/src/runtime/syscall_windows.go	(revision ac3e93c061779dfefc0dd13a5b6e6f764a25621e)
+@@ -413,10 +413,20 @@
+ 
+ const _LOAD_LIBRARY_SEARCH_SYSTEM32 = 0x00000800
+ 
+// When available, this function will use LoadLibraryEx with the filename
+// parameter and the important SEARCH_SYSTEM32 argument. But on systems that
+// do not have that option, absoluteFilepath should contain a fallback
+// to the full path inside of system32 for use with vanilla LoadLibrary.
+//
+ //go:linkname syscall_loadsystemlibrary syscall.loadsystemlibrary
+-func syscall_loadsystemlibrary(filename *uint16) (handle, err uintptr) {
+-	handle, _, err = syscall_SyscallN(uintptr(unsafe.Pointer(_LoadLibraryExW)), uintptr(unsafe.Pointer(filename)), 0, _LOAD_LIBRARY_SEARCH_SYSTEM32)
+func syscall_loadsystemlibrary(filename *uint16, absoluteFilepath *uint16) (handle, err uintptr) {
+	if useLoadLibraryEx {
+		handle, _, err = syscall_SyscallN(uintptr(unsafe.Pointer(_LoadLibraryExW)), uintptr(unsafe.Pointer(filename)), 0, _LOAD_LIBRARY_SEARCH_SYSTEM32)
+	} else {
+		handle, _, err = syscall_SyscallN(uintptr(unsafe.Pointer(_LoadLibraryW)), uintptr(unsafe.Pointer(absoluteFilepath)))
+	}
+ 	KeepAlive(filename)
+	KeepAlive(absoluteFilepath)
+ 	if handle != 0 {
+ 		err = 0
+ 	}
+Index: src/syscall/dll_windows.go
+IDEA additional info:
+Subsystem: com.intellij.openapi.diff.impl.patch.CharsetEP
+<+>UTF-8
+===================================================================
+diff --git a/src/syscall/dll_windows.go b/src/syscall/dll_windows.go
+--- a/src/syscall/dll_windows.go	(revision 979d6d8bab3823ff572ace26767fd2ce3cf351ae)
+++ b/src/syscall/dll_windows.go	(revision ac3e93c061779dfefc0dd13a5b6e6f764a25621e)
+@@ -45,7 +45,7 @@
+ //go:noescape
+ func SyscallN(trap uintptr, args ...uintptr) (r1, r2 uintptr, err Errno)
+ func loadlibrary(filename *uint16) (handle uintptr, err Errno)
+-func loadsystemlibrary(filename *uint16) (handle uintptr, err Errno)
+func loadsystemlibrary(filename *uint16, absoluteFilepath *uint16) (handle uintptr, err Errno)
+ func getprocaddress(handle uintptr, procname *uint8) (proc uintptr, err Errno)
+ 
+ // A DLL implements access to a single DLL.
+@@ -54,6 +54,9 @@
+ 	Handle Handle
+ }
+ 
+//go:linkname getSystemDirectory
+func getSystemDirectory() string // Implemented in runtime package.
+
+ // LoadDLL loads the named DLL file into memory.
+ //
+ // If name is not an absolute path and is not a known system DLL used by
+@@ -70,7 +73,11 @@
+ 	var h uintptr
+ 	var e Errno
+ 	if sysdll.IsSystemDLL[name] {
+-		h, e = loadsystemlibrary(namep)
+		absoluteFilepathp, err := UTF16PtrFromString(getSystemDirectory() + name)
+		if err != nil {
+			return nil, err
+		}
+		h, e = loadsystemlibrary(namep, absoluteFilepathp)
+ 	} else {
+ 		h, e = loadlibrary(namep)
+ 	}
--- a/.github/patch/go1.25.patch
+++ b/.github/patch/go1.25.patch
@@ -0,0 +1,657 @@
+Subject: [PATCH] Revert "runtime: always use LoadLibraryEx to load system libraries"
+Revert "syscall: remove Windows 7 console handle workaround"
+Revert "net: remove sysSocket fallback for Windows 7"
+Revert "crypto/rand,runtime: switch RtlGenRandom for ProcessPrng"
+---
+Index: src/crypto/internal/sysrand/rand_windows.go
+IDEA additional info:
+Subsystem: com.intellij.openapi.diff.impl.patch.CharsetEP
+<+>UTF-8
+===================================================================
+diff --git a/src/crypto/internal/sysrand/rand_windows.go b/src/crypto/internal/sysrand/rand_windows.go
+--- a/src/crypto/internal/sysrand/rand_windows.go	(revision 6e676ab2b809d46623acb5988248d95d1eb7939c)
+++ b/src/crypto/internal/sysrand/rand_windows.go	(revision 8cb5472d94c34b88733a81091bd328e70ee565a4)
+@@ -7,5 +7,26 @@
+ import "internal/syscall/windows"
+ 
+ func read(b []byte) error {
+-	return windows.ProcessPrng(b)
+	// RtlGenRandom only returns 1<<32-1 bytes at a time. We only read at
+	// most 1<<31-1 bytes at a time so that  this works the same on 32-bit
+	// and 64-bit systems.
+	return batched(windows.RtlGenRandom, 1<<31-1)(b)
+}
+
+// batched returns a function that calls f to populate a []byte by chunking it
+// into subslices of, at most, readMax bytes.
+func batched(f func([]byte) error, readMax int) func([]byte) error {
+	return func(out []byte) error {
+		for len(out) > 0 {
+			read := len(out)
+			if read > readMax {
+				read = readMax
+			}
+			if err := f(out[:read]); err != nil {
+				return err
+			}
+			out = out[read:]
+		}
+		return nil
+	}
+ }
+Index: src/crypto/rand/rand.go
+IDEA additional info:
+Subsystem: com.intellij.openapi.diff.impl.patch.CharsetEP
+<+>UTF-8
+===================================================================
+diff --git a/src/crypto/rand/rand.go b/src/crypto/rand/rand.go
+--- a/src/crypto/rand/rand.go	(revision 6e676ab2b809d46623acb5988248d95d1eb7939c)
+++ b/src/crypto/rand/rand.go	(revision 8cb5472d94c34b88733a81091bd328e70ee565a4)
+@@ -22,7 +22,7 @@
+ //   - On legacy Linux (< 3.17), Reader opens /dev/urandom on first use.
+ //   - On macOS, iOS, and OpenBSD Reader, uses arc4random_buf(3).
+ //   - On NetBSD, Reader uses the kern.arandom sysctl.
+-//   - On Windows, Reader uses the ProcessPrng API.
+//   - On Windows systems, Reader uses the RtlGenRandom API.
+ //   - On js/wasm, Reader uses the Web Crypto API.
+ //   - On wasip1/wasm, Reader uses random_get.
+ //
+Index: src/internal/syscall/windows/syscall_windows.go
+IDEA additional info:
+Subsystem: com.intellij.openapi.diff.impl.patch.CharsetEP
+<+>UTF-8
+===================================================================
+diff --git a/src/internal/syscall/windows/syscall_windows.go b/src/internal/syscall/windows/syscall_windows.go
+--- a/src/internal/syscall/windows/syscall_windows.go	(revision 6e676ab2b809d46623acb5988248d95d1eb7939c)
+++ b/src/internal/syscall/windows/syscall_windows.go	(revision 8cb5472d94c34b88733a81091bd328e70ee565a4)
+@@ -419,7 +419,7 @@
+ //sys	DestroyEnvironmentBlock(block *uint16) (err error) = userenv.DestroyEnvironmentBlock
+ //sys	CreateEvent(eventAttrs *SecurityAttributes, manualReset uint32, initialState uint32, name *uint16) (handle syscall.Handle, err error) = kernel32.CreateEventW
+ 
+-//sys	ProcessPrng(buf []byte) (err error) = bcryptprimitives.ProcessPrng
+//sys	RtlGenRandom(buf []byte) (err error) = advapi32.SystemFunction036
+ 
+ type FILE_ID_BOTH_DIR_INFO struct {
+ 	NextEntryOffset uint32
+Index: src/internal/syscall/windows/zsyscall_windows.go
+IDEA additional info:
+Subsystem: com.intellij.openapi.diff.impl.patch.CharsetEP
+<+>UTF-8
+===================================================================
+diff --git a/src/internal/syscall/windows/zsyscall_windows.go b/src/internal/syscall/windows/zsyscall_windows.go
+--- a/src/internal/syscall/windows/zsyscall_windows.go	(revision 6e676ab2b809d46623acb5988248d95d1eb7939c)
+++ b/src/internal/syscall/windows/zsyscall_windows.go	(revision 8cb5472d94c34b88733a81091bd328e70ee565a4)
+@@ -38,7 +38,6 @@
+ 
+ var (
+ 	modadvapi32         = syscall.NewLazyDLL(sysdll.Add("advapi32.dll"))
+-	modbcryptprimitives = syscall.NewLazyDLL(sysdll.Add("bcryptprimitives.dll"))
+ 	modiphlpapi         = syscall.NewLazyDLL(sysdll.Add("iphlpapi.dll"))
+ 	modkernel32         = syscall.NewLazyDLL(sysdll.Add("kernel32.dll"))
+ 	modnetapi32         = syscall.NewLazyDLL(sysdll.Add("netapi32.dll"))
+@@ -63,7 +62,7 @@
+ 	procQueryServiceStatus                = modadvapi32.NewProc("QueryServiceStatus")
+ 	procRevertToSelf                      = modadvapi32.NewProc("RevertToSelf")
+ 	procSetTokenInformation               = modadvapi32.NewProc("SetTokenInformation")
+-	procProcessPrng                       = modbcryptprimitives.NewProc("ProcessPrng")
+	procSystemFunction036                 = modadvapi32.NewProc("SystemFunction036")
+ 	procGetAdaptersAddresses              = modiphlpapi.NewProc("GetAdaptersAddresses")
+ 	procCreateEventW                      = modkernel32.NewProc("CreateEventW")
+ 	procCreateIoCompletionPort            = modkernel32.NewProc("CreateIoCompletionPort")
+@@ -242,12 +241,12 @@
+ 	return
+ }
+ 
+-func ProcessPrng(buf []byte) (err error) {
+func RtlGenRandom(buf []byte) (err error) {
+ 	var _p0 *byte
+ 	if len(buf) > 0 {
+ 		_p0 = &buf[0]
+ 	}
+-	r1, _, e1 := syscall.Syscall(procProcessPrng.Addr(), 2, uintptr(unsafe.Pointer(_p0)), uintptr(len(buf)), 0)
+	r1, _, e1 := syscall.Syscall(procSystemFunction036.Addr(), 2, uintptr(unsafe.Pointer(_p0)), uintptr(len(buf)), 0)
+ 	if r1 == 0 {
+ 		err = errnoErr(e1)
+ 	}
+Index: src/runtime/os_windows.go
+IDEA additional info:
+Subsystem: com.intellij.openapi.diff.impl.patch.CharsetEP
+<+>UTF-8
+===================================================================
+diff --git a/src/runtime/os_windows.go b/src/runtime/os_windows.go
+--- a/src/runtime/os_windows.go	(revision 6e676ab2b809d46623acb5988248d95d1eb7939c)
+++ b/src/runtime/os_windows.go	(revision f56f1e23507e646c85243a71bde7b9629b2f970c)
+@@ -39,8 +39,8 @@
+ //go:cgo_import_dynamic runtime._GetSystemInfo GetSystemInfo%1 "kernel32.dll"
+ //go:cgo_import_dynamic runtime._GetThreadContext GetThreadContext%2 "kernel32.dll"
+ //go:cgo_import_dynamic runtime._SetThreadContext SetThreadContext%2 "kernel32.dll"
+-//go:cgo_import_dynamic runtime._LoadLibraryExW LoadLibraryExW%3 "kernel32.dll"
+ //go:cgo_import_dynamic runtime._LoadLibraryW LoadLibraryW%1 "kernel32.dll"
+//go:cgo_import_dynamic runtime._LoadLibraryA LoadLibraryA%1 "kernel32.dll"
+ //go:cgo_import_dynamic runtime._PostQueuedCompletionStatus PostQueuedCompletionStatus%4 "kernel32.dll"
+ //go:cgo_import_dynamic runtime._QueryPerformanceCounter QueryPerformanceCounter%1 "kernel32.dll"
+ //go:cgo_import_dynamic runtime._QueryPerformanceFrequency QueryPerformanceFrequency%1 "kernel32.dll"
+@@ -74,7 +74,6 @@
+ 	// Following syscalls are available on every Windows PC.
+ 	// All these variables are set by the Windows executable
+ 	// loader before the Go program starts.
+-	_AddVectoredContinueHandler,
+ 	_AddVectoredExceptionHandler,
+ 	_CloseHandle,
+ 	_CreateEventA,
+@@ -97,8 +96,8 @@
+ 	_GetSystemInfo,
+ 	_GetThreadContext,
+ 	_SetThreadContext,
+-	_LoadLibraryExW,
+ 	_LoadLibraryW,
+	_LoadLibraryA,
+ 	_PostQueuedCompletionStatus,
+ 	_QueryPerformanceCounter,
+ 	_QueryPerformanceFrequency,
+@@ -127,8 +126,23 @@
+ 	_WriteFile,
+ 	_ stdFunction
+ 
+-	// Use ProcessPrng to generate cryptographically random data.
+-	_ProcessPrng stdFunction
+	// Following syscalls are only available on some Windows PCs.
+	// We will load syscalls, if available, before using them.
+	_AddDllDirectory,
+	_AddVectoredContinueHandler,
+	_LoadLibraryExA,
+	_LoadLibraryExW,
+	_ stdFunction
+
+	// Use RtlGenRandom to generate cryptographically random data.
+	// This approach has been recommended by Microsoft (see issue
+	// 15589 for details).
+	// The RtlGenRandom is not listed in advapi32.dll, instead
+	// RtlGenRandom function can be found by searching for SystemFunction036.
+	// Also some versions of Mingw cannot link to SystemFunction036
+	// when building executable as Cgo. So load SystemFunction036
+	// manually during runtime startup.
+	_RtlGenRandom stdFunction
+ 
+ 	// Load ntdll.dll manually during startup, otherwise Mingw
+ 	// links wrong printf function to cgo executable (see issue
+@@ -145,13 +159,6 @@
+ 	_ stdFunction
+ )
+ 
+-var (
+-	bcryptprimitivesdll = [...]uint16{'b', 'c', 'r', 'y', 'p', 't', 'p', 'r', 'i', 'm', 'i', 't', 'i', 'v', 'e', 's', '.', 'd', 'l', 'l', 0}
+-	ntdlldll            = [...]uint16{'n', 't', 'd', 'l', 'l', '.', 'd', 'l', 'l', 0}
+-	powrprofdll         = [...]uint16{'p', 'o', 'w', 'r', 'p', 'r', 'o', 'f', '.', 'd', 'l', 'l', 0}
+-	winmmdll            = [...]uint16{'w', 'i', 'n', 'm', 'm', '.', 'd', 'l', 'l', 0}
+-)
+-
+ // Function to be called by windows CreateThread
+ // to start new os thread.
+ func tstart_stdcall(newm *m)
+@@ -244,8 +251,18 @@
+ 	return unsafe.String(&sysDirectory[0], sysDirectoryLen)
+ }
+ 
+-func windowsLoadSystemLib(name []uint16) uintptr {
+-	return stdcall3(_LoadLibraryExW, uintptr(unsafe.Pointer(&name[0])), 0, _LOAD_LIBRARY_SEARCH_SYSTEM32)
+//go:linkname syscall_getSystemDirectory syscall.getSystemDirectory
+func syscall_getSystemDirectory() string {
+	return unsafe.String(&sysDirectory[0], sysDirectoryLen)
+}
+
+func windowsLoadSystemLib(name []byte) uintptr {
+	if useLoadLibraryEx {
+		return stdcall3(_LoadLibraryExA, uintptr(unsafe.Pointer(&name[0])), 0, _LOAD_LIBRARY_SEARCH_SYSTEM32)
+	} else {
+		absName := append(sysDirectory[:sysDirectoryLen], name...)
+		return stdcall1(_LoadLibraryA, uintptr(unsafe.Pointer(&absName[0])))
+	}
+ }
+ 
+ //go:linkname windows_QueryPerformanceCounter internal/syscall/windows.QueryPerformanceCounter
+@@ -263,13 +280,28 @@
+ }
+ 
+ func loadOptionalSyscalls() {
+-	bcryptPrimitives := windowsLoadSystemLib(bcryptprimitivesdll[:])
+-	if bcryptPrimitives == 0 {
+-		throw("bcryptprimitives.dll not found")
+	var kernel32dll = []byte("kernel32.dll\000")
+	k32 := stdcall1(_LoadLibraryA, uintptr(unsafe.Pointer(&kernel32dll[0])))
+	if k32 == 0 {
+		throw("kernel32.dll not found")
+ 	}
+-	_ProcessPrng = windowsFindfunc(bcryptPrimitives, []byte("ProcessPrng\000"))
+	_AddDllDirectory = windowsFindfunc(k32, []byte("AddDllDirectory\000"))
+	_AddVectoredContinueHandler = windowsFindfunc(k32, []byte("AddVectoredContinueHandler\000"))
+	_LoadLibraryExA = windowsFindfunc(k32, []byte("LoadLibraryExA\000"))
+	_LoadLibraryExW = windowsFindfunc(k32, []byte("LoadLibraryExW\000"))
+	useLoadLibraryEx = (_LoadLibraryExW != nil && _LoadLibraryExA != nil && _AddDllDirectory != nil)
+
+	initSysDirectory()
+ 
+-	n32 := windowsLoadSystemLib(ntdlldll[:])
+	var advapi32dll = []byte("advapi32.dll\000")
+	a32 := windowsLoadSystemLib(advapi32dll)
+	if a32 == 0 {
+		throw("advapi32.dll not found")
+	}
+	_RtlGenRandom = windowsFindfunc(a32, []byte("SystemFunction036\000"))
+
+	var ntdll = []byte("ntdll.dll\000")
+	n32 := windowsLoadSystemLib(ntdll)
+ 	if n32 == 0 {
+ 		throw("ntdll.dll not found")
+ 	}
+@@ -298,7 +330,7 @@
+ 		context  uintptr
+ 	}
+ 
+-	powrprof := windowsLoadSystemLib(powrprofdll[:])
+	powrprof := windowsLoadSystemLib([]byte("powrprof.dll\000"))
+ 	if powrprof == 0 {
+ 		return // Running on Windows 7, where we don't need it anyway.
+ 	}
+@@ -357,6 +389,22 @@
+ // in sys_windows_386.s and sys_windows_amd64.s:
+ func getlasterror() uint32
+ 
+// When loading DLLs, we prefer to use LoadLibraryEx with
+// LOAD_LIBRARY_SEARCH_* flags, if available. LoadLibraryEx is not
+// available on old Windows, though, and the LOAD_LIBRARY_SEARCH_*
+// flags are not available on some versions of Windows without a
+// security patch.
+//
+// https://msdn.microsoft.com/en-us/library/ms684179(v=vs.85).aspx says:
+// "Windows 7, Windows Server 2008 R2, Windows Vista, and Windows
+// Server 2008: The LOAD_LIBRARY_SEARCH_* flags are available on
+// systems that have KB2533623 installed. To determine whether the
+// flags are available, use GetProcAddress to get the address of the
+// AddDllDirectory, RemoveDllDirectory, or SetDefaultDllDirectories
+// function. If GetProcAddress succeeds, the LOAD_LIBRARY_SEARCH_*
+// flags can be used with LoadLibraryEx."
+var useLoadLibraryEx bool
+
+ var timeBeginPeriodRetValue uint32
+ 
+ // osRelaxMinNS indicates that sysmon shouldn't osRelax if the next
+@@ -430,7 +478,8 @@
+ 		// Only load winmm.dll if we need it.
+ 		// This avoids a dependency on winmm.dll for Go programs
+ 		// that run on new Windows versions.
+-		m32 := windowsLoadSystemLib(winmmdll[:])
+		var winmmdll = []byte("winmm.dll\000")
+		m32 := windowsLoadSystemLib(winmmdll)
+ 		if m32 == 0 {
+ 			print("runtime: LoadLibraryExW failed; errno=", getlasterror(), "\n")
+ 			throw("winmm.dll not found")
+@@ -471,6 +520,28 @@
+ 	canUseLongPaths = true
+ }
+ 
+var osVersionInfo struct {
+	majorVersion uint32
+	minorVersion uint32
+	buildNumber  uint32
+}
+
+func initOsVersionInfo() {
+	info := _OSVERSIONINFOW{}
+	info.osVersionInfoSize = uint32(unsafe.Sizeof(info))
+	stdcall1(_RtlGetVersion, uintptr(unsafe.Pointer(&info)))
+	osVersionInfo.majorVersion = info.majorVersion
+	osVersionInfo.minorVersion = info.minorVersion
+	osVersionInfo.buildNumber = info.buildNumber
+}
+
+//go:linkname rtlGetNtVersionNumbers syscall.rtlGetNtVersionNumbers
+func rtlGetNtVersionNumbers(majorVersion *uint32, minorVersion *uint32, buildNumber *uint32) {
+	*majorVersion = osVersionInfo.majorVersion
+	*minorVersion = osVersionInfo.minorVersion
+	*buildNumber = osVersionInfo.buildNumber
+}
+
+ func osinit() {
+ 	asmstdcallAddr = unsafe.Pointer(abi.FuncPCABI0(asmstdcall))
+ 
+@@ -483,8 +554,8 @@
+ 	initHighResTimer()
+ 	timeBeginPeriodRetValue = osRelax(false)
+ 
+-	initSysDirectory()
+ 	initLongPathSupport()
+	initOsVersionInfo()
+ 
+ 	numCPUStartup = getCPUCount()
+ 
+@@ -500,7 +571,7 @@
+ //go:nosplit
+ func readRandom(r []byte) int {
+ 	n := 0
+-	if stdcall2(_ProcessPrng, uintptr(unsafe.Pointer(&r[0])), uintptr(len(r)))&0xff != 0 {
+	if stdcall2(_RtlGenRandom, uintptr(unsafe.Pointer(&r[0])), uintptr(len(r)))&0xff != 0 {
+ 		n = len(r)
+ 	}
+ 	return n
+Index: src/net/hook_windows.go
+IDEA additional info:
+Subsystem: com.intellij.openapi.diff.impl.patch.CharsetEP
+<+>UTF-8
+===================================================================
+diff --git a/src/net/hook_windows.go b/src/net/hook_windows.go
+--- a/src/net/hook_windows.go	(revision 8cb5472d94c34b88733a81091bd328e70ee565a4)
+++ b/src/net/hook_windows.go	(revision 6788c4c6f9fafb56729bad6b660f7ee2272d699f)
+@@ -13,6 +13,7 @@
+ 	hostsFilePath = windows.GetSystemDirectory() + "/Drivers/etc/hosts"
+ 
+ 	// Placeholders for socket system calls.
+	socketFunc    func(int, int, int) (syscall.Handle, error)                                                 = syscall.Socket
+ 	wsaSocketFunc func(int32, int32, int32, *syscall.WSAProtocolInfo, uint32, uint32) (syscall.Handle, error) = windows.WSASocket
+ 	connectFunc   func(syscall.Handle, syscall.Sockaddr) error                                                = syscall.Connect
+ 	listenFunc    func(syscall.Handle, int) error                                                             = syscall.Listen
+Index: src/net/internal/socktest/main_test.go
+IDEA additional info:
+Subsystem: com.intellij.openapi.diff.impl.patch.CharsetEP
+<+>UTF-8
+===================================================================
+diff --git a/src/net/internal/socktest/main_test.go b/src/net/internal/socktest/main_test.go
+--- a/src/net/internal/socktest/main_test.go	(revision 8cb5472d94c34b88733a81091bd328e70ee565a4)
+++ b/src/net/internal/socktest/main_test.go	(revision 6788c4c6f9fafb56729bad6b660f7ee2272d699f)
+@@ -2,7 +2,7 @@
+ // Use of this source code is governed by a BSD-style
+ // license that can be found in the LICENSE file.
+ 
+-//go:build !js && !plan9 && !wasip1 && !windows
+//go:build !js && !plan9 && !wasip1
+ 
+ package socktest_test
+ 
+Index: src/net/internal/socktest/main_windows_test.go
+IDEA additional info:
+Subsystem: com.intellij.openapi.diff.impl.patch.CharsetEP
+<+>UTF-8
+===================================================================
+diff --git a/src/net/internal/socktest/main_windows_test.go b/src/net/internal/socktest/main_windows_test.go
+new file mode 100644
+--- /dev/null	(revision 6788c4c6f9fafb56729bad6b660f7ee2272d699f)
+++ b/src/net/internal/socktest/main_windows_test.go	(revision 6788c4c6f9fafb56729bad6b660f7ee2272d699f)
+@@ -0,0 +1,22 @@
+// Copyright 2015 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+package socktest_test
+
+import "syscall"
+
+var (
+	socketFunc func(int, int, int) (syscall.Handle, error)
+	closeFunc  func(syscall.Handle) error
+)
+
+func installTestHooks() {
+	socketFunc = sw.Socket
+	closeFunc = sw.Closesocket
+}
+
+func uninstallTestHooks() {
+	socketFunc = syscall.Socket
+	closeFunc = syscall.Closesocket
+}
+Index: src/net/internal/socktest/sys_windows.go
+IDEA additional info:
+Subsystem: com.intellij.openapi.diff.impl.patch.CharsetEP
+<+>UTF-8
+===================================================================
+diff --git a/src/net/internal/socktest/sys_windows.go b/src/net/internal/socktest/sys_windows.go
+--- a/src/net/internal/socktest/sys_windows.go	(revision 8cb5472d94c34b88733a81091bd328e70ee565a4)
+++ b/src/net/internal/socktest/sys_windows.go	(revision 6788c4c6f9fafb56729bad6b660f7ee2272d699f)
+@@ -9,6 +9,38 @@
+ 	"syscall"
+ )
+ 
+// Socket wraps [syscall.Socket].
+func (sw *Switch) Socket(family, sotype, proto int) (s syscall.Handle, err error) {
+	sw.once.Do(sw.init)
+
+	so := &Status{Cookie: cookie(family, sotype, proto)}
+	sw.fmu.RLock()
+	f, _ := sw.fltab[FilterSocket]
+	sw.fmu.RUnlock()
+
+	af, err := f.apply(so)
+	if err != nil {
+		return syscall.InvalidHandle, err
+	}
+	s, so.Err = syscall.Socket(family, sotype, proto)
+	if err = af.apply(so); err != nil {
+		if so.Err == nil {
+			syscall.Closesocket(s)
+		}
+		return syscall.InvalidHandle, err
+	}
+
+	sw.smu.Lock()
+	defer sw.smu.Unlock()
+	if so.Err != nil {
+		sw.stats.getLocked(so.Cookie).OpenFailed++
+		return syscall.InvalidHandle, so.Err
+	}
+	nso := sw.addLocked(s, family, sotype, proto)
+	sw.stats.getLocked(nso.Cookie).Opened++
+	return s, nil
+}
+
+ // WSASocket wraps [syscall.WSASocket].
+ func (sw *Switch) WSASocket(family, sotype, proto int32, protinfo *syscall.WSAProtocolInfo, group uint32, flags uint32) (s syscall.Handle, err error) {
+ 	sw.once.Do(sw.init)
+Index: src/net/main_windows_test.go
+IDEA additional info:
+Subsystem: com.intellij.openapi.diff.impl.patch.CharsetEP
+<+>UTF-8
+===================================================================
+diff --git a/src/net/main_windows_test.go b/src/net/main_windows_test.go
+--- a/src/net/main_windows_test.go	(revision 8cb5472d94c34b88733a81091bd328e70ee565a4)
+++ b/src/net/main_windows_test.go	(revision 6788c4c6f9fafb56729bad6b660f7ee2272d699f)
+@@ -12,6 +12,7 @@
+ 
+ var (
+ 	// Placeholders for saving original socket system calls.
+	origSocket      = socketFunc
+ 	origWSASocket   = wsaSocketFunc
+ 	origClosesocket = poll.CloseFunc
+ 	origConnect     = connectFunc
+@@ -21,6 +22,7 @@
+ )
+ 
+ func installTestHooks() {
+	socketFunc = sw.Socket
+ 	wsaSocketFunc = sw.WSASocket
+ 	poll.CloseFunc = sw.Closesocket
+ 	connectFunc = sw.Connect
+@@ -30,6 +32,7 @@
+ }
+ 
+ func uninstallTestHooks() {
+	socketFunc = origSocket
+ 	wsaSocketFunc = origWSASocket
+ 	poll.CloseFunc = origClosesocket
+ 	connectFunc = origConnect
+Index: src/net/sock_windows.go
+IDEA additional info:
+Subsystem: com.intellij.openapi.diff.impl.patch.CharsetEP
+<+>UTF-8
+===================================================================
+diff --git a/src/net/sock_windows.go b/src/net/sock_windows.go
+--- a/src/net/sock_windows.go	(revision 8cb5472d94c34b88733a81091bd328e70ee565a4)
+++ b/src/net/sock_windows.go	(revision 6788c4c6f9fafb56729bad6b660f7ee2272d699f)
+@@ -20,6 +20,21 @@
+ func sysSocket(family, sotype, proto int) (syscall.Handle, error) {
+ 	s, err := wsaSocketFunc(int32(family), int32(sotype), int32(proto),
+ 		nil, 0, windows.WSA_FLAG_OVERLAPPED|windows.WSA_FLAG_NO_HANDLE_INHERIT)
+	if err == nil {
+		return s, nil
+	}
+	// WSA_FLAG_NO_HANDLE_INHERIT flag is not supported on some
+	// old versions of Windows, see
+	// https://msdn.microsoft.com/en-us/library/windows/desktop/ms742212(v=vs.85).aspx
+	// for details. Just use syscall.Socket, if windows.WSASocket failed.
+
+	// See ../syscall/exec_unix.go for description of ForkLock.
+	syscall.ForkLock.RLock()
+	s, err = socketFunc(family, sotype, proto)
+	if err == nil {
+		syscall.CloseOnExec(s)
+	}
+	syscall.ForkLock.RUnlock()
+ 	if err != nil {
+ 		return syscall.InvalidHandle, os.NewSyscallError("socket", err)
+ 	}
+Index: src/syscall/exec_windows.go
+IDEA additional info:
+Subsystem: com.intellij.openapi.diff.impl.patch.CharsetEP
+<+>UTF-8
+===================================================================
+diff --git a/src/syscall/exec_windows.go b/src/syscall/exec_windows.go
+--- a/src/syscall/exec_windows.go	(revision 8cb5472d94c34b88733a81091bd328e70ee565a4)
+++ b/src/syscall/exec_windows.go	(revision a5b2168bb836ed9d6601c626f95e56c07923f906)
+@@ -14,7 +14,6 @@
+ 	"unsafe"
+ )
+ 
+-// ForkLock is not used on Windows.
+ var ForkLock sync.RWMutex
+ 
+ // EscapeArg rewrites command line argument s as prescribed
+@@ -254,6 +253,9 @@
+ var zeroProcAttr ProcAttr
+ var zeroSysProcAttr SysProcAttr
+ 
+//go:linkname rtlGetNtVersionNumbers
+func rtlGetNtVersionNumbers(majorVersion *uint32, minorVersion *uint32, buildNumber *uint32)
+
+ func StartProcess(argv0 string, argv []string, attr *ProcAttr) (pid int, handle uintptr, err error) {
+ 	if len(argv0) == 0 {
+ 		return 0, 0, EWINDOWS
+@@ -317,6 +319,17 @@
+ 		}
+ 	}
+ 
+	var maj, min, build uint32
+	rtlGetNtVersionNumbers(&maj, &min, &build)
+	isWin7 := maj < 6 || (maj == 6 && min <= 1)
+	// NT kernel handles are divisible by 4, with the bottom 3 bits left as
+	// a tag. The fully set tag correlates with the types of handles we're
+	// concerned about here.  Except, the kernel will interpret some
+	// special handle values, like -1, -2, and so forth, so kernelbase.dll
+	// checks to see that those bottom three bits are checked, but that top
+	// bit is not checked.
+	isLegacyWin7ConsoleHandle := func(handle Handle) bool { return isWin7 && handle&0x10000003 == 3 }
+
+ 	p, _ := GetCurrentProcess()
+ 	parentProcess := p
+ 	if sys.ParentProcess != 0 {
+@@ -325,7 +338,15 @@
+ 	fd := make([]Handle, len(attr.Files))
+ 	for i := range attr.Files {
+ 		if attr.Files[i] > 0 {
+-			err := DuplicateHandle(p, Handle(attr.Files[i]), parentProcess, &fd[i], 0, true, DUPLICATE_SAME_ACCESS)
+			destinationProcessHandle := parentProcess
+
+			// On Windows 7, console handles aren't real handles, and can only be duplicated
+			// into the current process, not a parent one, which amounts to the same thing.
+			if parentProcess != p && isLegacyWin7ConsoleHandle(Handle(attr.Files[i])) {
+				destinationProcessHandle = p
+			}
+
+			err := DuplicateHandle(p, Handle(attr.Files[i]), destinationProcessHandle, &fd[i], 0, true, DUPLICATE_SAME_ACCESS)
+ 			if err != nil {
+ 				return 0, 0, err
+ 			}
+@@ -356,6 +377,14 @@
+ 
+ 	fd = append(fd, sys.AdditionalInheritedHandles...)
+ 
+	// On Windows 7, console handles aren't real handles, so don't pass them
+	// through to PROC_THREAD_ATTRIBUTE_HANDLE_LIST.
+	for i := range fd {
+		if isLegacyWin7ConsoleHandle(fd[i]) {
+			fd[i] = 0
+		}
+	}
+
+ 	// The presence of a NULL handle in the list is enough to cause PROC_THREAD_ATTRIBUTE_HANDLE_LIST
+ 	// to treat the entire list as empty, so remove NULL handles.
+ 	j := 0
+Index: src/runtime/syscall_windows.go
+IDEA additional info:
+Subsystem: com.intellij.openapi.diff.impl.patch.CharsetEP
+<+>UTF-8
+===================================================================
+diff --git a/src/runtime/syscall_windows.go b/src/runtime/syscall_windows.go
+--- a/src/runtime/syscall_windows.go	(revision a5b2168bb836ed9d6601c626f95e56c07923f906)
+++ b/src/runtime/syscall_windows.go	(revision f56f1e23507e646c85243a71bde7b9629b2f970c)
+@@ -413,10 +413,20 @@
+ 
+ const _LOAD_LIBRARY_SEARCH_SYSTEM32 = 0x00000800
+ 
+// When available, this function will use LoadLibraryEx with the filename
+// parameter and the important SEARCH_SYSTEM32 argument. But on systems that
+// do not have that option, absoluteFilepath should contain a fallback
+// to the full path inside of system32 for use with vanilla LoadLibrary.
+//
+ //go:linkname syscall_loadsystemlibrary syscall.loadsystemlibrary
+-func syscall_loadsystemlibrary(filename *uint16) (handle, err uintptr) {
+-	handle, _, err = syscall_SyscallN(uintptr(unsafe.Pointer(_LoadLibraryExW)), uintptr(unsafe.Pointer(filename)), 0, _LOAD_LIBRARY_SEARCH_SYSTEM32)
+func syscall_loadsystemlibrary(filename *uint16, absoluteFilepath *uint16) (handle, err uintptr) {
+	if useLoadLibraryEx {
+		handle, _, err = syscall_SyscallN(uintptr(unsafe.Pointer(_LoadLibraryExW)), uintptr(unsafe.Pointer(filename)), 0, _LOAD_LIBRARY_SEARCH_SYSTEM32)
+	} else {
+		handle, _, err = syscall_SyscallN(uintptr(unsafe.Pointer(_LoadLibraryW)), uintptr(unsafe.Pointer(absoluteFilepath)))
+	}
+ 	KeepAlive(filename)
+	KeepAlive(absoluteFilepath)
+ 	if handle != 0 {
+ 		err = 0
+ 	}
+Index: src/syscall/dll_windows.go
+IDEA additional info:
+Subsystem: com.intellij.openapi.diff.impl.patch.CharsetEP
+<+>UTF-8
+===================================================================
+diff --git a/src/syscall/dll_windows.go b/src/syscall/dll_windows.go
+--- a/src/syscall/dll_windows.go	(revision a5b2168bb836ed9d6601c626f95e56c07923f906)
+++ b/src/syscall/dll_windows.go	(revision f56f1e23507e646c85243a71bde7b9629b2f970c)
+@@ -45,7 +45,7 @@
+ //go:noescape
+ func SyscallN(trap uintptr, args ...uintptr) (r1, r2 uintptr, err Errno)
+ func loadlibrary(filename *uint16) (handle uintptr, err Errno)
+-func loadsystemlibrary(filename *uint16) (handle uintptr, err Errno)
+func loadsystemlibrary(filename *uint16, absoluteFilepath *uint16) (handle uintptr, err Errno)
+ func getprocaddress(handle uintptr, procname *uint8) (proc uintptr, err Errno)
+ 
+ // A DLL implements access to a single DLL.
+@@ -54,6 +54,9 @@
+ 	Handle Handle
+ }
+ 
+//go:linkname getSystemDirectory
+func getSystemDirectory() string // Implemented in runtime package.
+
+ // LoadDLL loads the named DLL file into memory.
+ //
+ // If name is not an absolute path and is not a known system DLL used by
+@@ -70,7 +73,11 @@
+ 	var h uintptr
+ 	var e Errno
+ 	if sysdll.IsSystemDLL[name] {
+-		h, e = loadsystemlibrary(namep)
+		absoluteFilepathp, err := UTF16PtrFromString(getSystemDirectory() + name)
+		if err != nil {
+			return nil, err
+		}
+		h, e = loadsystemlibrary(namep, absoluteFilepathp)
+ 	} else {
+ 		h, e = loadlibrary(namep)
+ 	}
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -146,17 +146,17 @@ jobs:
          - { goos: linux, goarch: amd64, goamd64: v3, output: amd64-v3-go120, goversion: '1.20' }

    steps:
-    - uses: actions/checkout@v4
+    - uses: actions/checkout@v5

    - name: Set up Go
      if: ${{ matrix.jobs.goversion == '' && matrix.jobs.abi != '1' }}
-      uses: actions/setup-go@v5
+      uses: actions/setup-go@v6
      with:
        go-version: '1.25'

    - name: Set up Go
      if: ${{ matrix.jobs.goversion != '' && matrix.jobs.abi != '1' }}
-      uses: actions/setup-go@v5
+      uses: actions/setup-go@v6
      with:
        go-version: ${{ matrix.jobs.goversion }}

@@ -179,12 +179,8 @@ jobs:
    - name: Revert Golang1.25 commit for Windows7/8
      if: ${{ matrix.jobs.goos == 'windows' && matrix.jobs.goversion == '' }}
      run: |
-        alias curl='curl -H "Authorization: Bearer ${{ secrets.GITHUB_TOKEN }}"'
        cd $(go env GOROOT)
-        curl https://github.com/MetaCubeX/go/commit/8cb5472d94c34b88733a81091bd328e70ee565a4.diff | patch --verbose -p 1
-        curl https://github.com/MetaCubeX/go/commit/6788c4c6f9fafb56729bad6b660f7ee2272d699f.diff | patch --verbose -p 1
-        curl https://github.com/MetaCubeX/go/commit/a5b2168bb836ed9d6601c626f95e56c07923f906.diff | patch --verbose -p 1
-        curl https://github.com/MetaCubeX/go/commit/f56f1e23507e646c85243a71bde7b9629b2f970c.diff | patch --verbose -p 1
+        patch --verbose -p 1 < $GITHUB_WORKSPACE/.github/patch/go1.25.patch

      # modify from https://github.com/restic/restic/issues/4636#issuecomment-1896455557
      # this patch file only works on golang1.24.x
@@ -198,12 +194,8 @@ jobs:
    - name: Revert Golang1.24 commit for Windows7/8
      if: ${{ matrix.jobs.goos == 'windows' && matrix.jobs.goversion == '1.24' }}
      run: |
-        alias curl='curl -H "Authorization: Bearer ${{ secrets.GITHUB_TOKEN }}"'
        cd $(go env GOROOT)
-        curl https://github.com/MetaCubeX/go/commit/2a406dc9f1ea7323d6ca9fccb2fe9ddebb6b1cc8.diff | patch --verbose -p 1
-        curl https://github.com/MetaCubeX/go/commit/7b1fd7d39c6be0185fbe1d929578ab372ac5c632.diff | patch --verbose -p 1
-        curl https://github.com/MetaCubeX/go/commit/979d6d8bab3823ff572ace26767fd2ce3cf351ae.diff | patch --verbose -p 1
-        curl https://github.com/MetaCubeX/go/commit/ac3e93c061779dfefc0dd13a5b6e6f764a25621e.diff | patch --verbose -p 1
+        patch --verbose -p 1 < $GITHUB_WORKSPACE/.github/patch/go1.24.patch

      # modify from https://github.com/restic/restic/issues/4636#issuecomment-1896455557
      # this patch file only works on golang1.23.x
@@ -217,12 +209,8 @@ jobs:
    - name: Revert Golang1.23 commit for Windows7/8
      if: ${{ matrix.jobs.goos == 'windows' && matrix.jobs.goversion == '1.23' }}
      run: |
-        alias curl='curl -H "Authorization: Bearer ${{ secrets.GITHUB_TOKEN }}"'
        cd $(go env GOROOT)
-        curl https://github.com/MetaCubeX/go/commit/9ac42137ef6730e8b7daca016ece831297a1d75b.diff | patch --verbose -p 1
-        curl https://github.com/MetaCubeX/go/commit/21290de8a4c91408de7c2b5b68757b1e90af49dd.diff | patch --verbose -p 1
-        curl https://github.com/MetaCubeX/go/commit/6a31d3fa8e47ddabc10bd97bff10d9a85f4cfb76.diff | patch --verbose -p 1
-        curl https://github.com/MetaCubeX/go/commit/69e2eed6dd0f6d815ebf15797761c13f31213dd6.diff | patch --verbose -p 1
+        patch --verbose -p 1 < $GITHUB_WORKSPACE/.github/patch/go1.23.patch

      # modify from https://github.com/restic/restic/issues/4636#issuecomment-1896455557
      # this patch file only works on golang1.22.x
@@ -236,20 +224,15 @@ jobs:
    - name: Revert Golang1.22 commit for Windows7/8
      if: ${{ matrix.jobs.goos == 'windows' && matrix.jobs.goversion == '1.22' }}
      run: |
-        alias curl='curl -H "Authorization: Bearer ${{ secrets.GITHUB_TOKEN }}"'
        cd $(go env GOROOT)
-        curl https://github.com/MetaCubeX/go/commit/9779155f18b6556a034f7bb79fb7fb2aad1e26a9.diff | patch --verbose -p 1
-        curl https://github.com/MetaCubeX/go/commit/ef0606261340e608017860b423ffae5c1ce78239.diff | patch --verbose -p 1
-        curl https://github.com/MetaCubeX/go/commit/7f83badcb925a7e743188041cb6e561fc9b5b642.diff | patch --verbose -p 1
-        curl https://github.com/MetaCubeX/go/commit/83ff9782e024cb328b690cbf0da4e7848a327f4f.diff | patch --verbose -p 1
+        patch --verbose -p 1 < $GITHUB_WORKSPACE/.github/patch/go1.22.patch

      # modify from https://github.com/restic/restic/issues/4636#issuecomment-1896455557
    - name: Revert Golang1.21 commit for Windows7/8
      if: ${{ matrix.jobs.goos == 'windows' && matrix.jobs.goversion == '1.21' }}
      run: |
-        alias curl='curl -H "Authorization: Bearer ${{ secrets.GITHUB_TOKEN }}"'
        cd $(go env GOROOT)
-        curl https://github.com/golang/go/commit/9e43850a3298a9b8b1162ba0033d4c53f8637571.diff | patch --verbose -R -p 1
+        patch --verbose -p 1 < $GITHUB_WORKSPACE/.github/patch/go1.21.patch

    - name: Set variables
      run: |
@@ -438,7 +421,7 @@ jobs:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5
        with:
          ref: Meta
          fetch-depth: '0'
@@ -497,7 +480,7 @@ jobs:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout repository
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5
        with:
          fetch-depth: 0

--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -22,7 +22,7 @@ jobs:
          - 'windows-latest' # amd64 windows
          - 'macos-latest' # arm64 macos
          - 'ubuntu-24.04-arm' # arm64 linux
-          - 'macos-13' # amd64 macos
+          - 'macos-15-intel' # amd64 macos
        go-version:
          - '1.25'
          - '1.24'
@@ -41,96 +41,18 @@ jobs:
      # Fix mingw trying to be smart and converting paths https://github.com/moby/moby/issues/24029#issuecomment-250412919
      MSYS_NO_PATHCONV: true
    steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v5

      - name: Setup Go
-        uses: actions/setup-go@v5
+        uses: actions/setup-go@v6
        with:
          go-version: ${{ matrix.go-version }}

-      # modify from https://github.com/restic/restic/issues/4636#issuecomment-1896455557
-      # this patch file only works on golang1.25.x
-      # that means after golang1.26 release it must be changed
-      # see: https://github.com/MetaCubeX/go/commits/release-branch.go1.25/
-      # revert:
-      # 693def151adff1af707d82d28f55dba81ceb08e1: "crypto/rand,runtime: switch RtlGenRandom for ProcessPrng"
-      # 7c1157f9544922e96945196b47b95664b1e39108: "net: remove sysSocket fallback for Windows 7"
-      # 48042aa09c2f878c4faa576948b07fe625c4707a: "syscall: remove Windows 7 console handle workaround"
-      # a17d959debdb04cd550016a3501dd09d50cd62e7: "runtime: always use LoadLibraryEx to load system libraries"
-      - name: Revert Golang1.25 commit for Windows7/8
-        if: ${{ runner.os == 'Windows' && matrix.go-version == '1.25' }}
+      - name: Revert Golang commit for Windows7/8
+        if: ${{ runner.os == 'Windows' && matrix.go-version != '1.20' }}
        run: |
-          alias curl='curl -H "Authorization: Bearer ${{ secrets.GITHUB_TOKEN }}"'
          cd $(go env GOROOT)
-          curl https://github.com/MetaCubeX/go/commit/8cb5472d94c34b88733a81091bd328e70ee565a4.diff | patch --verbose -p 1
-          curl https://github.com/MetaCubeX/go/commit/6788c4c6f9fafb56729bad6b660f7ee2272d699f.diff | patch --verbose -p 1
-          curl https://github.com/MetaCubeX/go/commit/a5b2168bb836ed9d6601c626f95e56c07923f906.diff | patch --verbose -p 1
-          curl https://github.com/MetaCubeX/go/commit/f56f1e23507e646c85243a71bde7b9629b2f970c.diff | patch --verbose -p 1
-
-      # modify from https://github.com/restic/restic/issues/4636#issuecomment-1896455557
-      # this patch file only works on golang1.24.x
-      # that means after golang1.25 release it must be changed
-      # see: https://github.com/MetaCubeX/go/commits/release-branch.go1.24/
-      # revert:
-      # 693def151adff1af707d82d28f55dba81ceb08e1: "crypto/rand,runtime: switch RtlGenRandom for ProcessPrng"
-      # 7c1157f9544922e96945196b47b95664b1e39108: "net: remove sysSocket fallback for Windows 7"
-      # 48042aa09c2f878c4faa576948b07fe625c4707a: "syscall: remove Windows 7 console handle workaround"
-      # a17d959debdb04cd550016a3501dd09d50cd62e7: "runtime: always use LoadLibraryEx to load system libraries"
-      - name: Revert Golang1.24 commit for Windows7/8
-        if: ${{ runner.os == 'Windows' && matrix.go-version == '1.24' }}
-        run: |
-          alias curl='curl -H "Authorization: Bearer ${{ secrets.GITHUB_TOKEN }}"'
-          cd $(go env GOROOT)
-          curl https://github.com/MetaCubeX/go/commit/2a406dc9f1ea7323d6ca9fccb2fe9ddebb6b1cc8.diff | patch --verbose -p 1
-          curl https://github.com/MetaCubeX/go/commit/7b1fd7d39c6be0185fbe1d929578ab372ac5c632.diff | patch --verbose -p 1
-          curl https://github.com/MetaCubeX/go/commit/979d6d8bab3823ff572ace26767fd2ce3cf351ae.diff | patch --verbose -p 1
-          curl https://github.com/MetaCubeX/go/commit/ac3e93c061779dfefc0dd13a5b6e6f764a25621e.diff | patch --verbose -p 1
-
-        # modify from https://github.com/restic/restic/issues/4636#issuecomment-1896455557
-        # this patch file only works on golang1.23.x
-        # that means after golang1.24 release it must be changed
-        # see: https://github.com/MetaCubeX/go/commits/release-branch.go1.23/
-        # revert:
-        # 693def151adff1af707d82d28f55dba81ceb08e1: "crypto/rand,runtime: switch RtlGenRandom for ProcessPrng"
-        # 7c1157f9544922e96945196b47b95664b1e39108: "net: remove sysSocket fallback for Windows 7"
-        # 48042aa09c2f878c4faa576948b07fe625c4707a: "syscall: remove Windows 7 console handle workaround"
-        # a17d959debdb04cd550016a3501dd09d50cd62e7: "runtime: always use LoadLibraryEx to load system libraries"
-      - name: Revert Golang1.23 commit for Windows7/8
-        if: ${{ runner.os == 'Windows' && matrix.go-version == '1.23' }}
-        run: |
-          alias curl='curl -H "Authorization: Bearer ${{ secrets.GITHUB_TOKEN }}"'
-          cd $(go env GOROOT)
-          curl https://github.com/MetaCubeX/go/commit/9ac42137ef6730e8b7daca016ece831297a1d75b.diff | patch --verbose -p 1
-          curl https://github.com/MetaCubeX/go/commit/21290de8a4c91408de7c2b5b68757b1e90af49dd.diff | patch --verbose -p 1
-          curl https://github.com/MetaCubeX/go/commit/6a31d3fa8e47ddabc10bd97bff10d9a85f4cfb76.diff | patch --verbose -p 1
-          curl https://github.com/MetaCubeX/go/commit/69e2eed6dd0f6d815ebf15797761c13f31213dd6.diff | patch --verbose -p 1
-
-        # modify from https://github.com/restic/restic/issues/4636#issuecomment-1896455557
-        # this patch file only works on golang1.22.x
-        # that means after golang1.23 release it must be changed
-        # see: https://github.com/MetaCubeX/go/commits/release-branch.go1.22/
-        # revert:
-        # 693def151adff1af707d82d28f55dba81ceb08e1: "crypto/rand,runtime: switch RtlGenRandom for ProcessPrng"
-        # 7c1157f9544922e96945196b47b95664b1e39108: "net: remove sysSocket fallback for Windows 7"
-        # 48042aa09c2f878c4faa576948b07fe625c4707a: "syscall: remove Windows 7 console handle workaround"
-        # a17d959debdb04cd550016a3501dd09d50cd62e7: "runtime: always use LoadLibraryEx to load system libraries"
-      - name: Revert Golang1.22 commit for Windows7/8
-        if: ${{ runner.os == 'Windows' && matrix.go-version == '1.22' }}
-        run: |
-          alias curl='curl -H "Authorization: Bearer ${{ secrets.GITHUB_TOKEN }}"'
-          cd $(go env GOROOT)
-          curl https://github.com/MetaCubeX/go/commit/9779155f18b6556a034f7bb79fb7fb2aad1e26a9.diff | patch --verbose -p 1
-          curl https://github.com/MetaCubeX/go/commit/ef0606261340e608017860b423ffae5c1ce78239.diff | patch --verbose -p 1
-          curl https://github.com/MetaCubeX/go/commit/7f83badcb925a7e743188041cb6e561fc9b5b642.diff | patch --verbose -p 1
-          curl https://github.com/MetaCubeX/go/commit/83ff9782e024cb328b690cbf0da4e7848a327f4f.diff | patch --verbose -p 1
-
-        # modify from https://github.com/restic/restic/issues/4636#issuecomment-1896455557
-      - name: Revert Golang1.21 commit for Windows7/8
-        if: ${{ runner.os == 'Windows' && matrix.go-version == '1.21' }}
-        run: |
-          alias curl='curl -H "Authorization: Bearer ${{ secrets.GITHUB_TOKEN }}"'
-          cd $(go env GOROOT)
-          curl https://github.com/golang/go/commit/9e43850a3298a9b8b1162ba0033d4c53f8637571.diff | patch --verbose -R -p 1
+          patch --verbose -p 1 < $GITHUB_WORKSPACE/.github/patch/go${{matrix.go-version}}.patch

      - name: Test
        run: go test ./... -v -count=1
--- a/adapter/outbound/mieru.go
+++ b/adapter/outbound/mieru.go
@@ -5,7 +5,6 @@ import (
 	"fmt"
 	"net"
 	"strconv"
-	"strings"
 	"sync"

 	CN "github.com/metacubex/mihomo/common/net"
@@ -31,8 +30,8 @@ type MieruOption struct {
 	BasicOption
 	Name          string `proxy:"name"`
 	Server        string `proxy:"server"`
-	Port          string `proxy:"port,omitempty"`
-	PortRange     string `proxy:"port-range,omitempty"` // deprecated
+	Port          int    `proxy:"port,omitempty"`
+	PortRange     string `proxy:"port-range,omitempty"`
 	Transport     string `proxy:"transport"`
 	UDP           bool   `proxy:"udp,omitempty"`
 	UserName      string `proxy:"username"`
@@ -124,19 +123,13 @@ func NewMieru(option MieruOption) (*Mieru, error) {
 	}
 	// Client is started lazily on the first use.

-	// Use the first port to construct the address.
 	var addr string
-	var portStr string
-	if option.Port != "" {
-		portStr = option.Port
+	if option.Port != 0 {
+		addr = net.JoinHostPort(option.Server, strconv.Itoa(option.Port))
 	} else {
-		portStr = option.PortRange
+		beginPort, _, _ := beginAndEndPortFromPortRange(option.PortRange)
+		addr = net.JoinHostPort(option.Server, strconv.Itoa(beginPort))
 	}
-	firstPort, err := getFirstPort(portStr)
-	if err != nil {
-		return nil, fmt.Errorf("failed to get first port from port string %q: %w", portStr, err)
-	}
-	addr = net.JoinHostPort(option.Server, strconv.Itoa(firstPort))
 	outbound := &Mieru{
 		Base: &Base{
 			name:   option.Name,
@@ -190,62 +183,54 @@ func buildMieruClientConfig(option MieruOption) (*mieruclient.ClientConfig, erro
 	}

 	transportProtocol := mierupb.TransportProtocol_TCP.Enum()
-
-	portBindings := make([]*mierupb.PortBinding, 0)
-	if option.Port != "" {
-		parts := strings.Split(option.Port, ",")
-		for _, part := range parts {
-			part = strings.TrimSpace(part)
-			if strings.Contains(part, "-") {
-				_, _, err := beginAndEndPortFromPortRange(part)
-				if err == nil {
-					portBindings = append(portBindings, &mierupb.PortBinding{
-						PortRange: proto.String(part),
-						Protocol:  transportProtocol,
-					})
-				} else {
-					return nil, err
-				}
-			} else {
-				p, err := strconv.Atoi(part)
-				if err != nil {
-					return nil, fmt.Errorf("invalid port value: %s", part)
-				}
-				portBindings = append(portBindings, &mierupb.PortBinding{
-					Port:     proto.Int32(int32(p)),
-					Protocol: transportProtocol,
-				})
-			}
-		}
-	}
-	if option.PortRange != "" {
-		parts := strings.Split(option.PortRange, ",")
-		for _, part := range parts {
-			part = strings.TrimSpace(part)
-			if _, _, err := beginAndEndPortFromPortRange(part); err == nil {
-				portBindings = append(portBindings, &mierupb.PortBinding{
-					PortRange: proto.String(part),
-					Protocol:  transportProtocol,
-				})
-			}
-		}
-	}
-
 	var server *mierupb.ServerEndpoint
 	if net.ParseIP(option.Server) != nil {
 		// server is an IP address
-		server = &mierupb.ServerEndpoint{
-			IpAddress:    proto.String(option.Server),
-			PortBindings: portBindings,
+		if option.PortRange != "" {
+			server = &mierupb.ServerEndpoint{
+				IpAddress: proto.String(option.Server),
+				PortBindings: []*mierupb.PortBinding{
+					{
+						PortRange: proto.String(option.PortRange),
+						Protocol:  transportProtocol,
+					},
+				},
+			}
+		} else {
+			server = &mierupb.ServerEndpoint{
+				IpAddress: proto.String(option.Server),
+				PortBindings: []*mierupb.PortBinding{
+					{
+						Port:     proto.Int32(int32(option.Port)),
+						Protocol: transportProtocol,
+					},
+				},
+			}
 		}
 	} else {
 		// server is a domain name
-		server = &mierupb.ServerEndpoint{
-			DomainName:   proto.String(option.Server),
-			PortBindings: portBindings,
+		if option.PortRange != "" {
+			server = &mierupb.ServerEndpoint{
+				DomainName: proto.String(option.Server),
+				PortBindings: []*mierupb.PortBinding{
+					{
+						PortRange: proto.String(option.PortRange),
+						Protocol:  transportProtocol,
+					},
+				},
+			}
+		} else {
+			server = &mierupb.ServerEndpoint{
+				DomainName: proto.String(option.Server),
+				PortBindings: []*mierupb.PortBinding{
+					{
+						Port:     proto.Int32(int32(option.Port)),
+						Protocol: transportProtocol,
+					},
+				},
+			}
 		}
 	}
-
 	config := &mieruclient.ClientConfig{
 		Profile: &mierupb.ClientProfile{
 			ProfileName: proto.String(option.Name),
@@ -274,9 +259,31 @@ func validateMieruOption(option MieruOption) error {
 	if option.Server == "" {
 		return fmt.Errorf("server is empty")
 	}
-	if option.Port == "" && option.PortRange == "" {
-		return fmt.Errorf("port must be set")
+	if option.Port == 0 && option.PortRange == "" {
+		return fmt.Errorf("either port or port-range must be set")
 	}
+	if option.Port != 0 && option.PortRange != "" {
+		return fmt.Errorf("port and port-range cannot be set at the same time")
+	}
+	if option.Port != 0 && (option.Port < 1 || option.Port > 65535) {
+		return fmt.Errorf("port must be between 1 and 65535")
+	}
+	if option.PortRange != "" {
+		begin, end, err := beginAndEndPortFromPortRange(option.PortRange)
+		if err != nil {
+			return fmt.Errorf("invalid port-range format")
+		}
+		if begin < 1 || begin > 65535 {
+			return fmt.Errorf("begin port must be between 1 and 65535")
+		}
+		if end < 1 || end > 65535 {
+			return fmt.Errorf("end port must be between 1 and 65535")
+		}
+		if begin > end {
+			return fmt.Errorf("begin port must be less than or equal to end port")
+		}
+	}
+
 	if option.Transport != "TCP" {
 		return fmt.Errorf("transport must be TCP")
 	}
@@ -299,36 +306,8 @@ func validateMieruOption(option MieruOption) error {
 	return nil
 }

-func getFirstPort(portStr string) (int, error) {
-	if portStr == "" {
-		return 0, fmt.Errorf("port string is empty")
-	}
-	parts := strings.Split(portStr, ",")
-	firstPart := parts[0]
-
-	if strings.Contains(firstPart, "-") {
-		begin, _, err := beginAndEndPortFromPortRange(firstPart)
-		if err != nil {
-			return 0, err
-		}
-		return begin, nil
-	}
-
-	port, err := strconv.Atoi(firstPart)
-	if err != nil {
-		return 0, fmt.Errorf("invalid port format: %s", firstPart)
-	}
-	return port, nil
-}
-
 func beginAndEndPortFromPortRange(portRange string) (int, int, error) {
 	var begin, end int
 	_, err := fmt.Sscanf(portRange, "%d-%d", &begin, &end)
-	if err != nil {
-		return 0, 0, fmt.Errorf("invalid port range format: %w", err)
-	}
-	if begin > end {
-		return 0, 0, fmt.Errorf("begin port is greater than end port: %s", portRange)
-	}
 	return begin, end, err
 }
--- a/adapter/outbound/mieru_test.go
+++ b/adapter/outbound/mieru_test.go
@@ -1,51 +1,22 @@
 package outbound

-import (
-	"reflect"
-	"testing"
-
-	mieruclient "github.com/enfein/mieru/v3/apis/client"
-	mierupb "github.com/enfein/mieru/v3/pkg/appctl/appctlpb"
-	"google.golang.org/protobuf/proto"
-)
+import "testing"

 func TestNewMieru(t *testing.T) {
-	transportProtocol := mierupb.TransportProtocol_TCP.Enum()
 	testCases := []struct {
 		option       MieruOption
 		wantBaseAddr string
-		wantConfig   *mieruclient.ClientConfig
 	}{
 		{
 			option: MieruOption{
 				Name:      "test",
 				Server:    "1.2.3.4",
-				Port:      "10000",
+				Port:      10000,
 				Transport: "TCP",
 				UserName:  "test",
 				Password:  "test",
 			},
 			wantBaseAddr: "1.2.3.4:10000",
-			wantConfig: &mieruclient.ClientConfig{
-				Profile: &mierupb.ClientProfile{
-					ProfileName: proto.String("test"),
-					User: &mierupb.User{
-						Name:     proto.String("test"),
-						Password: proto.String("test"),
-					},
-					Servers: []*mierupb.ServerEndpoint{
-						{
-							IpAddress: proto.String("1.2.3.4"),
-							PortBindings: []*mierupb.PortBinding{
-								{
-									Port:     proto.Int32(10000),
-									Protocol: transportProtocol,
-								},
-							},
-						},
-					},
-				},
-			},
 		},
 		{
 			option: MieruOption{
@@ -57,212 +28,28 @@ func TestNewMieru(t *testing.T) {
 				Password:  "test",
 			},
 			wantBaseAddr: "[2001:db8::1]:10001",
-			wantConfig: &mieruclient.ClientConfig{
-				Profile: &mierupb.ClientProfile{
-					ProfileName: proto.String("test"),
-					User: &mierupb.User{
-						Name:     proto.String("test"),
-						Password: proto.String("test"),
-					},
-					Servers: []*mierupb.ServerEndpoint{
-						{
-							IpAddress: proto.String("2001:db8::1"),
-							PortBindings: []*mierupb.PortBinding{
-								{
-									PortRange: proto.String("10001-10002"),
-									Protocol:  transportProtocol,
-								},
-							},
-						},
-					},
-				},
-			},
 		},
 		{
 			option: MieruOption{
 				Name:      "test",
 				Server:    "example.com",
-				Port:      "10003",
+				Port:      10003,
 				Transport: "TCP",
 				UserName:  "test",
 				Password:  "test",
 			},
 			wantBaseAddr: "example.com:10003",
-			wantConfig: &mieruclient.ClientConfig{
-				Profile: &mierupb.ClientProfile{
-					ProfileName: proto.String("test"),
-					User: &mierupb.User{
-						Name:     proto.String("test"),
-						Password: proto.String("test"),
-					},
-					Servers: []*mierupb.ServerEndpoint{
-						{
-							DomainName: proto.String("example.com"),
-							PortBindings: []*mierupb.PortBinding{
-								{
-									Port:     proto.Int32(10003),
-									Protocol: transportProtocol,
-								},
-							},
-						},
-					},
-				},
-			},
-		},
-		{
-			option: MieruOption{
-				Name:      "test",
-				Server:    "example.com",
-				Port:      "10004,10005",
-				Transport: "TCP",
-				UserName:  "test",
-				Password:  "test",
-			},
-			wantBaseAddr: "example.com:10004",
-			wantConfig: &mieruclient.ClientConfig{
-				Profile: &mierupb.ClientProfile{
-					ProfileName: proto.String("test"),
-					User: &mierupb.User{
-						Name:     proto.String("test"),
-						Password: proto.String("test"),
-					},
-					Servers: []*mierupb.ServerEndpoint{
-						{
-							DomainName: proto.String("example.com"),
-							PortBindings: []*mierupb.PortBinding{
-								{
-									Port:     proto.Int32(10004),
-									Protocol: transportProtocol,
-								},
-								{
-									Port:     proto.Int32(10005),
-									Protocol: transportProtocol,
-								},
-							},
-						},
-					},
-				},
-			},
-		},
-		{
-			option: MieruOption{
-				Name:      "test",
-				Server:    "example.com",
-				Port:      "10006-10007,11000",
-				Transport: "TCP",
-				UserName:  "test",
-				Password:  "test",
-			},
-			wantBaseAddr: "example.com:10006",
-			wantConfig: &mieruclient.ClientConfig{
-				Profile: &mierupb.ClientProfile{
-					ProfileName: proto.String("test"),
-					User: &mierupb.User{
-						Name:     proto.String("test"),
-						Password: proto.String("test"),
-					},
-					Servers: []*mierupb.ServerEndpoint{
-						{
-							DomainName: proto.String("example.com"),
-							PortBindings: []*mierupb.PortBinding{
-								{
-									PortRange: proto.String("10006-10007"),
-									Protocol:  transportProtocol,
-								},
-								{
-									Port:     proto.Int32(11000),
-									Protocol: transportProtocol,
-								},
-							},
-						},
-					},
-				},
-			},
-		},
-		{
-			option: MieruOption{
-				Name:      "test",
-				Server:    "example.com",
-				Port:      "10008",
-				PortRange: "10009-10010",
-				Transport: "TCP",
-				UserName:  "test",
-				Password:  "test",
-			},
-			wantBaseAddr: "example.com:10008",
-			wantConfig: &mieruclient.ClientConfig{
-				Profile: &mierupb.ClientProfile{
-					ProfileName: proto.String("test"),
-					User: &mierupb.User{
-						Name:     proto.String("test"),
-						Password: proto.String("test"),
-					},
-					Servers: []*mierupb.ServerEndpoint{
-						{
-							DomainName: proto.String("example.com"),
-							PortBindings: []*mierupb.PortBinding{
-								{
-									Port:     proto.Int32(10008),
-									Protocol: transportProtocol,
-								},
-								{
-									PortRange: proto.String("10009-10010"),
-									Protocol:  transportProtocol,
-								},
-							},
-						},
-					},
-				},
-			},
 		},
 	}

 	for _, testCase := range testCases {
 		mieru, err := NewMieru(testCase.option)
 		if err != nil {
-			t.Fatal(err)
+			t.Error(err)
 		}
-		config, err := mieru.client.Load()
-		if err != nil {
-			t.Fatal(err)
-		}
-		config.Dialer = nil
 		if mieru.addr != testCase.wantBaseAddr {
 			t.Errorf("got addr %q, want %q", mieru.addr, testCase.wantBaseAddr)
 		}
-		if !reflect.DeepEqual(config, testCase.wantConfig) {
-			t.Errorf("got config %+v, want %+v", config, testCase.wantConfig)
-		}
-	}
-}
-
-func TestNewMieruError(t *testing.T) {
-	testCases := []MieruOption{
-		{
-			Name:      "test",
-			Server:    "example.com",
-			Port:      "invalid",
-			PortRange: "invalid",
-			Transport: "TCP",
-			UserName:  "test",
-			Password:  "test",
-		},
-		{
-			Name:      "test",
-			Server:    "example.com",
-			Port:      "",
-			PortRange: "",
-			Transport: "TCP",
-			UserName:  "test",
-			Password:  "test",
-		},
-	}
-
-	for _, option := range testCases {
-		_, err := NewMieru(option)
-		if err == nil {
-			t.Errorf("expected error for option %+v, but got nil", option)
-		}
 	}
 }

@@ -276,7 +63,6 @@ func TestBeginAndEndPortFromPortRange(t *testing.T) {
 		{"1-10", 1, 10, false},
 		{"1000-2000", 1000, 2000, false},
 		{"65535-65535", 65535, 65535, false},
-		{"2000-1000", 0, 0, true},
 		{"1", 0, 0, true},
 		{"1-", 0, 0, true},
 		{"-10", 0, 0, true},
--- a/component/resolver/service.go
+++ b/component/resolver/service.go
@@ -6,15 +6,15 @@ import (
 	D "github.com/miekg/dns"
 )

-var DefaultLocalServer LocalServer
+var DefaultService Service

-type LocalServer interface {
+type Service interface {
 	ServeMsg(ctx context.Context, msg *D.Msg) (*D.Msg, error)
 }

 // ServeMsg with a dns.Msg, return resolve dns.Msg
 func ServeMsg(ctx context.Context, msg *D.Msg) (*D.Msg, error) {
-	if server := DefaultLocalServer; server != nil {
+	if server := DefaultService; server != nil {
 		return server.ServeMsg(ctx, msg)
 	}

--- a/config/config.go
+++ b/config/config.go
@@ -146,6 +146,7 @@ type DNS struct {
 	PreferH3              bool
 	IPv6                  bool
 	IPv6Timeout           uint
+	UseHosts              bool
 	UseSystemHosts        bool
 	NameServer            []dns.NameServer
 	Fallback              []dns.NameServer
@@ -157,7 +158,6 @@ type DNS struct {
 	CacheAlgorithm        string
 	CacheMaxSize          int
 	FakeIPRange           *fakeip.Pool
-	Hosts                 *trie.DomainTrie[resolver.HostValue]
 	NameServerPolicy      []dns.Policy
 	ProxyServerNameserver []dns.NameServer
 	DirectNameServer      []dns.NameServer
@@ -680,7 +680,7 @@ func ParseRawConfig(rawCfg *RawConfig) (*Config, error) {
 	}
 	config.Hosts = hosts

-	dnsCfg, err := parseDNS(rawCfg, hosts, ruleProviders)
+	dnsCfg, err := parseDNS(rawCfg, ruleProviders)
 	if err != nil {
 		return nil, err
 	}
@@ -1341,7 +1341,7 @@ func parseNameServerPolicy(nsPolicy *orderedmap.OrderedMap[string, any], rulePro
 	return policy, nil
 }

-func parseDNS(rawCfg *RawConfig, hosts *trie.DomainTrie[resolver.HostValue], ruleProviders map[string]providerTypes.RuleProvider) (*DNS, error) {
+func parseDNS(rawCfg *RawConfig, ruleProviders map[string]providerTypes.RuleProvider) (*DNS, error) {
 	cfg := rawCfg.DNS
 	if cfg.Enable && len(cfg.NameServer) == 0 {
 		return nil, fmt.Errorf("if DNS configuration is turned on, NameServer cannot be empty")
@@ -1357,6 +1357,7 @@ func parseDNS(rawCfg *RawConfig, hosts *trie.DomainTrie[resolver.HostValue], rul
 		PreferH3:       cfg.PreferH3,
 		IPv6Timeout:    cfg.IPv6Timeout,
 		IPv6:           cfg.IPv6,
+		UseHosts:       cfg.UseHosts,
 		UseSystemHosts: cfg.UseSystemHosts,
 		EnhancedMode:   cfg.EnhancedMode,
 		CacheAlgorithm: cfg.CacheAlgorithm,
@@ -1490,10 +1491,6 @@ func parseDNS(rawCfg *RawConfig, hosts *trie.DomainTrie[resolver.HostValue], rul
 		}
 	}

-	if cfg.UseHosts {
-		dnsCfg.Hosts = hosts
-	}
-
 	return dnsCfg, nil
 }

--- a/context/dns.go
+++ b/context/dns.go
@@ -2,10 +2,10 @@ package context

 import (
 	"context"
+
 	"github.com/metacubex/mihomo/common/utils"

 	"github.com/gofrs/uuid/v5"
-	"github.com/miekg/dns"
 )

 const (
@@ -17,17 +17,15 @@ const (
 type DNSContext struct {
 	context.Context

-	id  uuid.UUID
-	msg *dns.Msg
-	tp  string
+	id uuid.UUID
+	tp string
 }

-func NewDNSContext(ctx context.Context, msg *dns.Msg) *DNSContext {
+func NewDNSContext(ctx context.Context) *DNSContext {
 	return &DNSContext{
 		Context: ctx,

-		id:  utils.NewUUIDV4(),
-		msg: msg,
+		id: utils.NewUUIDV4(),
 	}
 }

--- a/dns/enhancer.go
+++ b/dns/enhancer.go
@@ -12,6 +12,7 @@ type ResolverEnhancer struct {
 	mode     C.DNSMode
 	fakePool *fakeip.Pool
 	mapping  *lru.LruCache[netip.Addr, string]
+	useHosts bool
 }

 func (h *ResolverEnhancer) FakeIPEnabled() bool {
@@ -103,7 +104,13 @@ func (h *ResolverEnhancer) StoreFakePoolState() {
 	}
 }

-func NewEnhancer(cfg Config) *ResolverEnhancer {
+type EnhancerConfig struct {
+	EnhancedMode C.DNSMode
+	Pool         *fakeip.Pool
+	UseHosts     bool
+}
+
+func NewEnhancer(cfg EnhancerConfig) *ResolverEnhancer {
 	var fakePool *fakeip.Pool
 	var mapping *lru.LruCache[netip.Addr, string]

@@ -116,5 +123,6 @@ func NewEnhancer(cfg Config) *ResolverEnhancer {
 		mode:     cfg.EnhancedMode,
 		fakePool: fakePool,
 		mapping:  mapping,
+		useHosts: cfg.UseHosts,
 	}
 }
--- a/dns/local.go
+++ b/dns/local.go
@@ -1,20 +0,0 @@
-package dns
-
-import (
-	"context"
-
-	D "github.com/miekg/dns"
-)
-
-type LocalServer struct {
-	handler handler
-}
-
-// ServeMsg implement resolver.LocalServer ResolveMsg
-func (s *LocalServer) ServeMsg(ctx context.Context, msg *D.Msg) (*D.Msg, error) {
-	return handlerWithContext(ctx, s.handler, msg)
-}
-
-func NewLocalServer(resolver *Resolver, mapper *ResolverEnhancer) *LocalServer {
-	return &LocalServer{handler: NewHandler(resolver, mapper)}
-}
--- a/dns/middleware.go
+++ b/dns/middleware.go
@@ -7,22 +7,22 @@ import (

 	"github.com/metacubex/mihomo/common/lru"
 	"github.com/metacubex/mihomo/component/fakeip"
-	R "github.com/metacubex/mihomo/component/resolver"
+	"github.com/metacubex/mihomo/component/resolver"
 	C "github.com/metacubex/mihomo/constant"
-	"github.com/metacubex/mihomo/context"
+	icontext "github.com/metacubex/mihomo/context"
 	"github.com/metacubex/mihomo/log"

 	D "github.com/miekg/dns"
 )

 type (
-	handler    func(ctx *context.DNSContext, r *D.Msg) (*D.Msg, error)
+	handler    func(ctx *icontext.DNSContext, r *D.Msg) (*D.Msg, error)
 	middleware func(next handler) handler
 )

-func withHosts(hosts R.Hosts, mapping *lru.LruCache[netip.Addr, string]) middleware {
+func withHosts(mapping *lru.LruCache[netip.Addr, string]) middleware {
 	return func(next handler) handler {
-		return func(ctx *context.DNSContext, r *D.Msg) (*D.Msg, error) {
+		return func(ctx *icontext.DNSContext, r *D.Msg) (*D.Msg, error) {
 			q := r.Question[0]

 			if !isIPRequest(q) {
@@ -36,7 +36,7 @@ func withHosts(hosts R.Hosts, mapping *lru.LruCache[netip.Addr, string]) middlew
 				rr.Target = domain + "."
 				resp.Answer = append([]D.RR{rr}, resp.Answer...)
 			}
-			record, ok := hosts.Search(host, q.Qtype != D.TypeA && q.Qtype != D.TypeAAAA)
+			record, ok := resolver.DefaultHosts.Search(host, q.Qtype != D.TypeA && q.Qtype != D.TypeAAAA)
 			if !ok {
 				if record != nil && record.IsDomain {
 					// replace request domain
@@ -88,7 +88,7 @@ func withHosts(hosts R.Hosts, mapping *lru.LruCache[netip.Addr, string]) middlew
 				return next(ctx, r)
 			}

-			ctx.SetType(context.DNSTypeHost)
+			ctx.SetType(icontext.DNSTypeHost)
 			msg.SetRcode(r, D.RcodeSuccess)
 			msg.Authoritative = true
 			msg.RecursionAvailable = true
@@ -99,7 +99,7 @@ func withHosts(hosts R.Hosts, mapping *lru.LruCache[netip.Addr, string]) middlew

 func withMapping(mapping *lru.LruCache[netip.Addr, string]) middleware {
 	return func(next handler) handler {
-		return func(ctx *context.DNSContext, r *D.Msg) (*D.Msg, error) {
+		return func(ctx *icontext.DNSContext, r *D.Msg) (*D.Msg, error) {
 			q := r.Question[0]

 			if !isIPRequest(q) {
@@ -149,7 +149,7 @@ func withMapping(mapping *lru.LruCache[netip.Addr, string]) middleware {

 func withFakeIP(fakePool *fakeip.Pool) middleware {
 	return func(next handler) handler {
-		return func(ctx *context.DNSContext, r *D.Msg) (*D.Msg, error) {
+		return func(ctx *icontext.DNSContext, r *D.Msg) (*D.Msg, error) {
 			q := r.Question[0]

 			host := strings.TrimRight(q.Name, ".")
@@ -173,7 +173,7 @@ func withFakeIP(fakePool *fakeip.Pool) middleware {
 			msg := r.Copy()
 			msg.Answer = []D.RR{rr}

-			ctx.SetType(context.DNSTypeFakeIP)
+			ctx.SetType(icontext.DNSTypeFakeIP)
 			setMsgTTL(msg, 1)
 			msg.SetRcode(r, D.RcodeSuccess)
 			msg.Authoritative = true
@@ -185,8 +185,8 @@ func withFakeIP(fakePool *fakeip.Pool) middleware {
 }

 func withResolver(resolver *Resolver) handler {
-	return func(ctx *context.DNSContext, r *D.Msg) (*D.Msg, error) {
-		ctx.SetType(context.DNSTypeRaw)
+	return func(ctx *icontext.DNSContext, r *D.Msg) (*D.Msg, error) {
+		ctx.SetType(icontext.DNSTypeRaw)

 		q := r.Question[0]

@@ -218,11 +218,11 @@ func compose(middlewares []middleware, endpoint handler) handler {
 	return h
 }

-func NewHandler(resolver *Resolver, mapper *ResolverEnhancer) handler {
-	middlewares := []middleware{}
+func newHandler(resolver *Resolver, mapper *ResolverEnhancer) handler {
+	var middlewares []middleware

-	if resolver.hosts != nil {
-		middlewares = append(middlewares, withHosts(R.NewHosts(resolver.hosts), mapper.mapping))
+	if mapper.useHosts {
+		middlewares = append(middlewares, withHosts(mapper.mapping))
 	}

 	if mapper.mode == C.DNSFakeIP {
--- a/dns/resolver.go
+++ b/dns/resolver.go
@@ -9,7 +9,6 @@ import (
 	"github.com/metacubex/mihomo/common/arc"
 	"github.com/metacubex/mihomo/common/lru"
 	"github.com/metacubex/mihomo/common/singleflight"
-	"github.com/metacubex/mihomo/component/fakeip"
 	"github.com/metacubex/mihomo/component/resolver"
 	"github.com/metacubex/mihomo/component/trie"
 	C "github.com/metacubex/mihomo/constant"
@@ -40,7 +39,6 @@ type result struct {
 type Resolver struct {
 	ipv6                  bool
 	ipv6Timeout           time.Duration
-	hosts                 *trie.DomainTrie[resolver.HostValue]
 	main                  []dnsClient
 	fallback              []dnsClient
 	fallbackDomainFilters []C.DomainMatcher
@@ -452,11 +450,8 @@ type Config struct {
 	DirectFollowPolicy   bool
 	IPv6                 bool
 	IPv6Timeout          uint
-	EnhancedMode         C.DNSMode
 	FallbackIPFilter     []C.IpMatcher
 	FallbackDomainFilter []C.DomainMatcher
-	Pool                 *fakeip.Pool
-	Hosts                *trie.DomainTrie[resolver.HostValue]
 	Policy               []Policy
 	CacheAlgorithm       string
 	CacheMaxSize         int
@@ -530,7 +525,6 @@ func NewResolver(config Config) (rs Resolvers) {
 		ipv6:        config.IPv6,
 		main:        cacheTransform(config.Main),
 		cache:       config.newCache(),
-		hosts:       config.Hosts,
 		ipv6Timeout: time.Duration(config.IPv6Timeout) * time.Millisecond,
 	}
 	r.defaultResolver = defaultResolver
@@ -541,7 +535,6 @@ func NewResolver(config Config) (rs Resolvers) {
 			ipv6:        config.IPv6,
 			main:        cacheTransform(config.ProxyServer),
 			cache:       config.newCache(),
-			hosts:       config.Hosts,
 			ipv6Timeout: time.Duration(config.IPv6Timeout) * time.Millisecond,
 		}
 	}
@@ -551,7 +544,6 @@ func NewResolver(config Config) (rs Resolvers) {
 			ipv6:        config.IPv6,
 			main:        cacheTransform(config.DirectServer),
 			cache:       config.newCache(),
-			hosts:       config.Hosts,
 			ipv6Timeout: time.Duration(config.IPv6Timeout) * time.Millisecond,
 		}
 	}
--- a/dns/server.go
+++ b/dns/server.go
@@ -1,13 +1,12 @@
 package dns

 import (
-	stdContext "context"
-	"errors"
+	"context"
 	"net"

 	"github.com/metacubex/mihomo/adapter/inbound"
 	"github.com/metacubex/mihomo/common/sockopt"
-	"github.com/metacubex/mihomo/context"
+	"github.com/metacubex/mihomo/component/resolver"
 	"github.com/metacubex/mihomo/log"

 	D "github.com/miekg/dns"
@@ -21,39 +20,32 @@ var (
 )

 type Server struct {
-	handler   handler
+	service   resolver.Service
 	tcpServer *D.Server
 	udpServer *D.Server
 }

 // ServeDNS implement D.Handler ServeDNS
 func (s *Server) ServeDNS(w D.ResponseWriter, r *D.Msg) {
-	msg, err := handlerWithContext(stdContext.Background(), s.handler, r)
+	msg, err := s.service.ServeMsg(context.Background(), r)
 	if err != nil {
-		D.HandleFailed(w, r)
+		m := new(D.Msg)
+		m.SetRcode(r, D.RcodeServerFailure)
+		// does not matter if this write fails
+		w.WriteMsg(m)
 		return
 	}
 	msg.Compress = true
 	w.WriteMsg(msg)
 }

-func handlerWithContext(stdCtx stdContext.Context, handler handler, msg *D.Msg) (*D.Msg, error) {
-	if len(msg.Question) == 0 {
-		return nil, errors.New("at least one question is required")
-	}
-
-	ctx := context.NewDNSContext(stdCtx, msg)
-	return handler(ctx, msg)
+func (s *Server) SetService(service resolver.Service) {
+	s.service = service
 }

-func (s *Server) SetHandler(handler handler) {
-	s.handler = handler
-}
-
-func ReCreateServer(addr string, resolver *Resolver, mapper *ResolverEnhancer) {
-	if addr == address && resolver != nil {
-		handler := NewHandler(resolver, mapper)
-		server.SetHandler(handler)
+func ReCreateServer(addr string, service resolver.Service) {
+	if addr == address && service != nil {
+		server.SetService(service)
 		return
 	}

@@ -67,10 +59,10 @@ func ReCreateServer(addr string, resolver *Resolver, mapper *ResolverEnhancer) {
 		server.udpServer = nil
 	}

-	server.handler = nil
+	server.service = nil
 	address = ""

-	if addr == "" {
+	if addr == "" || service == nil {
 		return
 	}

@@ -87,8 +79,7 @@ func ReCreateServer(addr string, resolver *Resolver, mapper *ResolverEnhancer) {
 	}

 	address = addr
-	handler := NewHandler(resolver, mapper)
-	server = &Server{handler: handler}
+	server = &Server{service: service}

 	go func() {
 		p, err := inbound.ListenPacket("udp", addr)
--- a/dns/service.go
+++ b/dns/service.go
@@ -0,0 +1,29 @@
+package dns
+
+import (
+	"context"
+	"errors"
+
+	"github.com/metacubex/mihomo/component/resolver"
+	icontext "github.com/metacubex/mihomo/context"
+	D "github.com/miekg/dns"
+)
+
+type Service struct {
+	handler handler
+}
+
+// ServeMsg implement [resolver.Service] ResolveMsg
+func (s *Service) ServeMsg(ctx context.Context, msg *D.Msg) (*D.Msg, error) {
+	if len(msg.Question) == 0 {
+		return nil, errors.New("at least one question is required")
+	}
+
+	return s.handler(icontext.NewDNSContext(ctx), msg)
+}
+
+var _ resolver.Service = (*Service)(nil)
+
+func NewService(resolver *Resolver, mapper *ResolverEnhancer) *Service {
+	return &Service{handler: newHandler(resolver, mapper)}
+}
--- a/docs/config.yaml
+++ b/docs/config.yaml
@@ -543,7 +543,7 @@ proxies: # socks5
    plugin: kcptun
    plugin-opts:
      key: it's a secrect # pre-shared secret between client and server
-      crypt: aes # aes, aes-128, aes-192, salsa20, blowfish, twofish, cast5, 3des, tea, xtea, xor, sm4, none, null
+      crypt: aes # aes, aes-128, aes-192, salsa20, blowfish, twofish, cast5, 3des, tea, xtea, xor, none, null
      mode: fast # profiles: fast3, fast2, fast, normal, manual
      conn: 1 # set num of UDP connections to server
      autoexpire: 0 # set auto expiration time(in seconds) for a single UDP connection, 0 to disable
@@ -558,7 +558,7 @@ proxies: # socks5
      acknodelay: false # flush ack immediately when a packet is received
      nodelay: 0
      interval: 50
-      resend: false
+      resend: 0
      sockbuf: 4194304 # per-socket buffer in bytes
      smuxver: 1 # specify smux version, available 1,2
      smuxbuf: 4194304 # the overall de-mux buffer in bytes
@@ -1024,8 +1024,8 @@ proxies: # socks5
  - name: mieru
    type: mieru
    server: 1.2.3.4
-    port: 2999 # 支持使用 ports 格式，例如 2999,3999 或 2999-3010,3950,3995-3999
-    # port-range: 2090-2099 # 已废弃，请使用 port
+    port: 2999
+    # port-range: 2090-2099 #（不可同时填写 port 和 port-range）
    transport: TCP # 只支持 TCP
    udp: true # 支持 UDP over TCP
    username: user
@@ -1370,7 +1370,7 @@ listeners:
    # kcp-tun:
    #   enable: false
    #   key: it's a secrect # pre-shared secret between client and server
-    #   crypt: aes # aes, aes-128, aes-192, salsa20, blowfish, twofish, cast5, 3des, tea, xtea, xor, sm4, none, null
+    #   crypt: aes # aes, aes-128, aes-192, salsa20, blowfish, twofish, cast5, 3des, tea, xtea, xor, none, null
    #   mode: fast # profiles: fast3, fast2, fast, normal, manual
    #   conn: 1 # set num of UDP connections to server
    #   autoexpire: 0 # set auto expiration time(in seconds) for a single UDP connection, 0 to disable
@@ -1385,7 +1385,7 @@ listeners:
    #   acknodelay: false # flush ack immediately when a packet is received
    #   nodelay: 0
    #   interval: 50
-    #   resend: false
+    #   resend: 0
    #   sockbuf: 4194304 # per-socket buffer in bytes
    #   smuxver: 1 # specify smux version, available 1,2
    #   smuxbuf: 4194304 # the overall de-mux buffer in bytes
--- a/go.mod
+++ b/go.mod
@@ -23,13 +23,13 @@ require (
 	github.com/metacubex/chacha v0.1.5
 	github.com/metacubex/fswatch v0.1.1
 	github.com/metacubex/gopacket v1.1.20-0.20230608035415-7e2f98a3e759
-	github.com/metacubex/kcp-go v0.0.0-20250923001605-1ba6f691c45b
-	github.com/metacubex/quic-go v0.54.1-0.20250730114134-a1ae705fe295
+	github.com/metacubex/kcp-go v0.0.0-20251007183319-0df1aec1639a
+	github.com/metacubex/quic-go v0.55.1-0.20251004050223-450bd9e32033
 	github.com/metacubex/randv2 v0.2.0
 	github.com/metacubex/restls-client-go v0.1.7
 	github.com/metacubex/sing v0.5.6
 	github.com/metacubex/sing-mux v0.3.4
-	github.com/metacubex/sing-quic v0.0.0-20250909002258-06122df8f231
+	github.com/metacubex/sing-quic v0.0.0-20251004051927-c45ee18473bb
 	github.com/metacubex/sing-shadowsocks v0.2.12
 	github.com/metacubex/sing-shadowsocks2 v0.2.7
 	github.com/metacubex/sing-shadowtls v0.0.0-20250503063515-5d9f966d17a2
@@ -38,7 +38,7 @@ require (
 	github.com/metacubex/sing-wireguard v0.0.0-20250503063753-2dc62acc626f
 	github.com/metacubex/smux v0.0.0-20250922175018-15c9a6a78719
 	github.com/metacubex/tfo-go v0.0.0-20250921095601-b102db4216c0
-	github.com/metacubex/utls v1.8.1
+	github.com/metacubex/utls v1.8.2
 	github.com/metacubex/wireguard-go v0.0.0-20250820062549-a6cecdd7f57f
 	github.com/miekg/dns v1.1.63 // lastest version compatible with golang1.20
 	github.com/mroth/weightedrand/v2 v2.1.0
@@ -105,7 +105,6 @@ require (
 	github.com/vishvananda/netns v0.0.4 // indirect
 	github.com/vmihailenco/tagparser/v2 v2.0.0 // indirect
 	gitlab.com/yawning/bsaes.git v0.0.0-20190805113838-0a714cd429ec // indirect
-	go.uber.org/mock v0.4.0 // indirect
 	golang.org/x/mod v0.20.0 // indirect
 	golang.org/x/text v0.22.0 // indirect
 	golang.org/x/time v0.7.0 // indirect
--- a/go.sum
+++ b/go.sum
@@ -108,12 +108,12 @@ github.com/metacubex/gopacket v1.1.20-0.20230608035415-7e2f98a3e759 h1:cjd4biTvO
 github.com/metacubex/gopacket v1.1.20-0.20230608035415-7e2f98a3e759/go.mod h1:UHOv2xu+RIgLwpXca7TLrXleEd4oR3sPatW6IF8wU88=
 github.com/metacubex/gvisor v0.0.0-20250919004547-6122b699a301 h1:N5GExQJqYAH3gOCshpp2u/J3CtNYzMctmlb0xK9wtbQ=
 github.com/metacubex/gvisor v0.0.0-20250919004547-6122b699a301/go.mod h1:8LpS0IJW1VmWzUm3ylb0e2SK5QDm5lO/2qwWLZgRpBU=
-github.com/metacubex/kcp-go v0.0.0-20250923001605-1ba6f691c45b h1:z7JLKjugnQ1qvDOAD8yMA5C8AlJY3bG+VrrgRntRlUY=
-github.com/metacubex/kcp-go v0.0.0-20250923001605-1ba6f691c45b/go.mod h1:HIJZW4QMhbBqXuqC1ly6Hn0TEYT2SzRw58ns1yGhXTs=
+github.com/metacubex/kcp-go v0.0.0-20251007183319-0df1aec1639a h1:5vdk2pI71itLBT2mpyNExM1UKZ+2mG7MVC+ZARpRXmg=
+github.com/metacubex/kcp-go v0.0.0-20251007183319-0df1aec1639a/go.mod h1:HIJZW4QMhbBqXuqC1ly6Hn0TEYT2SzRw58ns1yGhXTs=
 github.com/metacubex/nftables v0.0.0-20250503052935-30a69ab87793 h1:1Qpuy+sU3DmyX9HwI+CrBT/oLNJngvBorR2RbajJcqo=
 github.com/metacubex/nftables v0.0.0-20250503052935-30a69ab87793/go.mod h1:RjRNb4G52yAgfR+Oe/kp9G4PJJ97Fnj89eY1BFO3YyA=
-github.com/metacubex/quic-go v0.54.1-0.20250730114134-a1ae705fe295 h1:8JVlYuE8uSJAvmyCd4TjvDxs57xjb0WxEoaWafK5+qs=
-github.com/metacubex/quic-go v0.54.1-0.20250730114134-a1ae705fe295/go.mod h1:1lktQFtCD17FZliVypbrDHwbsFSsmz2xz2TRXydvB5c=
+github.com/metacubex/quic-go v0.55.1-0.20251004050223-450bd9e32033 h1:LEzvR5AmHEatqE6IWgMBUJHnaiz9VJfZeDGOiHFuWZU=
+github.com/metacubex/quic-go v0.55.1-0.20251004050223-450bd9e32033/go.mod h1:1lktQFtCD17FZliVypbrDHwbsFSsmz2xz2TRXydvB5c=
 github.com/metacubex/randv2 v0.2.0 h1:uP38uBvV2SxYfLj53kuvAjbND4RUDfFJjwr4UigMiLs=
 github.com/metacubex/randv2 v0.2.0/go.mod h1:kFi2SzrQ5WuneuoLLCMkABtiBu6VRrMrWFqSPyj2cxY=
 github.com/metacubex/restls-client-go v0.1.7 h1:eCwiXCTQb5WJu9IlgYvDBA1OgrINv58dEe7hcN5H15k=
@@ -123,8 +123,8 @@ github.com/metacubex/sing v0.5.6 h1:mEPDCadsCj3DB8gn+t/EtposlYuALEkExa/LUguw6/c=
 github.com/metacubex/sing v0.5.6/go.mod h1:ypf0mjwlZm0sKdQSY+yQvmsbWa0hNPtkeqyRMGgoN+w=
 github.com/metacubex/sing-mux v0.3.4 h1:tf4r27CIkzaxq9kBlAXQkgMXq2HPp5Mta60Kb4RCZF0=
 github.com/metacubex/sing-mux v0.3.4/go.mod h1:SEJfAuykNj/ozbPqngEYqyggwSr81+L7Nu09NRD5mh4=
-github.com/metacubex/sing-quic v0.0.0-20250909002258-06122df8f231 h1:dGvo7UahC/gYBQNBoictr14baJzBjAKUAorP63QFFtg=
-github.com/metacubex/sing-quic v0.0.0-20250909002258-06122df8f231/go.mod h1:B60FxaPHjR1SeQB0IiLrgwgvKsaoASfOWdiqhLjmMGA=
+github.com/metacubex/sing-quic v0.0.0-20251004051927-c45ee18473bb h1:gxrJmnxuEAel+kh3V7ntqkHjURif0xKDu76nzr/BF5Y=
+github.com/metacubex/sing-quic v0.0.0-20251004051927-c45ee18473bb/go.mod h1:JK4+PYUKps6pnlicKjsSUAjAcvIUjhorIjdNZGg930M=
 github.com/metacubex/sing-shadowsocks v0.2.12 h1:Wqzo8bYXrK5aWqxu/TjlTnYZzAKtKsaFQBdr6IHFaBE=
 github.com/metacubex/sing-shadowsocks v0.2.12/go.mod h1:2e5EIaw0rxKrm1YTRmiMnDulwbGxH9hAFlrwQLQMQkU=
 github.com/metacubex/sing-shadowsocks2 v0.2.7 h1:hSuuc0YpsfiqYqt1o+fP4m34BQz4e6wVj3PPBVhor3A=
@@ -141,8 +141,8 @@ github.com/metacubex/smux v0.0.0-20250922175018-15c9a6a78719 h1:T6qCCfolRDAVJKea
 github.com/metacubex/smux v0.0.0-20250922175018-15c9a6a78719/go.mod h1:4bPD8HWx9jPJ9aE4uadgyN7D1/Wz3KmPy+vale8sKLE=
 github.com/metacubex/tfo-go v0.0.0-20250921095601-b102db4216c0 h1:Ui+/2s5Qz0lSnDUBmEL12M5Oi/PzvFxGTNohm8ZcsmE=
 github.com/metacubex/tfo-go v0.0.0-20250921095601-b102db4216c0/go.mod h1:l9oLnLoEXyGZ5RVLsh7QCC5XsouTUyKk4F2nLm2DHLw=
-github.com/metacubex/utls v1.8.1 h1:RW8GeCGWAegjV0HW5nw9DoqNoeGAXXeYUP6AysmRvx4=
-github.com/metacubex/utls v1.8.1/go.mod h1:kncGGVhFaoGn5M3pFe3SXhZCzsbCJayNOH4UEqTKTko=
+github.com/metacubex/utls v1.8.2 h1:d7KalMZ5hnOJ6lThMz8Ykd+5dvmXH3Eoeyfv2jUuG3w=
+github.com/metacubex/utls v1.8.2/go.mod h1:kncGGVhFaoGn5M3pFe3SXhZCzsbCJayNOH4UEqTKTko=
 github.com/metacubex/wireguard-go v0.0.0-20250820062549-a6cecdd7f57f h1:FGBPRb1zUabhPhDrlKEjQ9lgIwQ6cHL4x8M9lrERhbk=
 github.com/metacubex/wireguard-go v0.0.0-20250820062549-a6cecdd7f57f/go.mod h1:oPGcV994OGJedmmxrcK9+ni7jUEMGhR+uVQAdaduIP4=
 github.com/metacubex/yamux v0.0.0-20250918083631-dd5f17c0be49 h1:lhlqpYHopuTLx9xQt22kSA9HtnyTDmk5XjjQVCGHe2E=
@@ -219,7 +219,6 @@ gitlab.com/yawning/bsaes.git v0.0.0-20190805113838-0a714cd429ec/go.mod h1:BZ1RAo
 go.uber.org/automaxprocs v1.6.0 h1:O3y2/QNTOdbF+e/dpXNNW7Rx2hZ4sTIPyybbxyNqTUs=
 go.uber.org/automaxprocs v1.6.0/go.mod h1:ifeIMSnPZuznNm6jmdzmU3/bfk01Fe2fotchwEFJ8r8=
 go.uber.org/mock v0.4.0 h1:VcM4ZOtdbR4f6VXfiOpwpVJDL6lCReaZ6mw31wqh7KU=
-go.uber.org/mock v0.4.0/go.mod h1:a6FSlNadKUHUa9IP5Vyt1zh4fC7uAwxMutEAscFbkZc=
 go4.org/netipx v0.0.0-20231129151722-fdeea329fbba h1:0b9z3AuHCjxk0x/opv64kcgZLBseWJUpBw5I82+2U4M=
 go4.org/netipx v0.0.0-20231129151722-fdeea329fbba/go.mod h1:PLyyIXexvUFg3Owu6p/WfdlivPbZJsZdgWZlrGope/Y=
 golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
--- a/hub/executor/executor.go
+++ b/hub/executor/executor.go
@@ -240,20 +240,18 @@ func updateDNS(c *config.DNS, generalIPv6 bool) {
 	if !c.Enable {
 		resolver.DefaultResolver = nil
 		resolver.DefaultHostMapper = nil
-		resolver.DefaultLocalServer = nil
+		resolver.DefaultService = nil
 		resolver.ProxyServerHostResolver = nil
 		resolver.DirectHostResolver = nil
-		dns.ReCreateServer("", nil, nil)
+		dns.ReCreateServer("", nil)
 		return
 	}
-	cfg := dns.Config{
+
+	r := dns.NewResolver(dns.Config{
 		Main:                 c.NameServer,
 		Fallback:             c.Fallback,
 		IPv6:                 c.IPv6 && generalIPv6,
 		IPv6Timeout:          c.IPv6Timeout,
-		EnhancedMode:         c.EnhancedMode,
-		Pool:                 c.FakeIPRange,
-		Hosts:                c.Hosts,
 		FallbackIPFilter:     c.FallbackIPFilter,
 		FallbackDomainFilter: c.FallbackDomainFilter,
 		Default:              c.DefaultNameserver,
@@ -263,19 +261,23 @@ func updateDNS(c *config.DNS, generalIPv6 bool) {
 		DirectFollowPolicy:   c.DirectFollowPolicy,
 		CacheAlgorithm:       c.CacheAlgorithm,
 		CacheMaxSize:         c.CacheMaxSize,
-	}
-
-	r := dns.NewResolver(cfg)
-	m := dns.NewEnhancer(cfg)
+	})
+	m := dns.NewEnhancer(dns.EnhancerConfig{
+		EnhancedMode: c.EnhancedMode,
+		Pool:         c.FakeIPRange,
+		UseHosts:     c.UseHosts,
+	})

 	// reuse cache of old host mapper
 	if old := resolver.DefaultHostMapper; old != nil {
 		m.PatchFrom(old.(*dns.ResolverEnhancer))
 	}

+	s := dns.NewService(r.Resolver, m)
+
 	resolver.DefaultResolver = r
 	resolver.DefaultHostMapper = m
-	resolver.DefaultLocalServer = dns.NewLocalServer(r.Resolver, m)
+	resolver.DefaultService = s
 	resolver.UseSystemHosts = c.UseSystemHosts

 	if r.ProxyResolver.Invalid() {
@@ -290,7 +292,7 @@ func updateDNS(c *config.DNS, generalIPv6 bool) {
 		resolver.DirectHostResolver = r.Resolver
 	}

-	dns.ReCreateServer(c.Listen, r.Resolver, m)
+	dns.ReCreateServer(c.Listen, s)
 }

 func updateHosts(tree *trie.DomainTrie[resolver.HostValue]) {
--- a/transport/hysteria/congestion/brutal.go
+++ b/transport/hysteria/congestion/brutal.go
@@ -2,6 +2,8 @@ package congestion

 import (
 	"github.com/metacubex/quic-go/congestion"
+	"github.com/metacubex/quic-go/monotime"
+
 	"time"
 )

@@ -47,11 +49,11 @@ func (b *BrutalSender) SetRTTStatsProvider(rttStats congestion.RTTStatsProvider)
 	b.rttStats = rttStats
 }

-func (b *BrutalSender) TimeUntilSend(bytesInFlight congestion.ByteCount) time.Time {
+func (b *BrutalSender) TimeUntilSend(bytesInFlight congestion.ByteCount) monotime.Time {
 	return b.pacer.TimeUntilSend()
 }

-func (b *BrutalSender) HasPacingBudget(now time.Time) bool {
+func (b *BrutalSender) HasPacingBudget(now monotime.Time) bool {
 	return b.pacer.Budget(now) >= b.maxDatagramSize
 }

@@ -67,13 +69,13 @@ func (b *BrutalSender) GetCongestionWindow() congestion.ByteCount {
 	return congestion.ByteCount(float64(b.bps) * rtt.Seconds() * 1.5 / b.ackRate)
 }

-func (b *BrutalSender) OnPacketSent(sentTime time.Time, bytesInFlight congestion.ByteCount,
+func (b *BrutalSender) OnPacketSent(sentTime monotime.Time, bytesInFlight congestion.ByteCount,
 	packetNumber congestion.PacketNumber, bytes congestion.ByteCount, isRetransmittable bool) {
 	b.pacer.SentPacket(sentTime, bytes)
 }

 func (b *BrutalSender) OnPacketAcked(number congestion.PacketNumber, ackedBytes congestion.ByteCount,
-	priorInFlight congestion.ByteCount, eventTime time.Time) {
+	priorInFlight congestion.ByteCount, eventTime monotime.Time) {
 	// Stub
 }

@@ -82,8 +84,8 @@ func (b *BrutalSender) OnCongestionEvent(number congestion.PacketNumber, lostByt
 	// Stub
 }

-func (b *BrutalSender) OnCongestionEventEx(priorInFlight congestion.ByteCount, eventTime time.Time, ackedPackets []congestion.AckedPacketInfo, lostPackets []congestion.LostPacketInfo) {
-	currentTimestamp := eventTime.Unix()
+func (b *BrutalSender) OnCongestionEventEx(priorInFlight congestion.ByteCount, eventTime monotime.Time, ackedPackets []congestion.AckedPacketInfo, lostPackets []congestion.LostPacketInfo) {
+	currentTimestamp := int64(eventTime)
 	slot := currentTimestamp % pktInfoSlotCount
 	if b.pktInfoSlots[slot].Timestamp == currentTimestamp {
 		b.pktInfoSlots[slot].LossCount += uint64(len(lostPackets))
--- a/transport/hysteria/congestion/pacer.go
+++ b/transport/hysteria/congestion/pacer.go
@@ -2,6 +2,8 @@ package congestion

 import (
 	"github.com/metacubex/quic-go/congestion"
+	"github.com/metacubex/quic-go/monotime"
+
 	"math"
 	"time"
 )
@@ -15,7 +17,7 @@ const (
 type pacer struct {
 	budgetAtLastSent congestion.ByteCount
 	maxDatagramSize  congestion.ByteCount
-	lastSentTime     time.Time
+	lastSentTime     monotime.Time
 	getBandwidth     func() congestion.ByteCount // in bytes/s
 }

@@ -28,7 +30,7 @@ func newPacer(getBandwidth func() congestion.ByteCount) *pacer {
 	return p
 }

-func (p *pacer) SentPacket(sendTime time.Time, size congestion.ByteCount) {
+func (p *pacer) SentPacket(sendTime monotime.Time, size congestion.ByteCount) {
 	budget := p.Budget(sendTime)
 	if size > budget {
 		p.budgetAtLastSent = 0
@@ -38,7 +40,7 @@ func (p *pacer) SentPacket(sendTime time.Time, size congestion.ByteCount) {
 	p.lastSentTime = sendTime
 }

-func (p *pacer) Budget(now time.Time) congestion.ByteCount {
+func (p *pacer) Budget(now monotime.Time) congestion.ByteCount {
 	if p.lastSentTime.IsZero() {
 		return p.maxBurstSize()
 	}
@@ -54,10 +56,10 @@ func (p *pacer) maxBurstSize() congestion.ByteCount {
 }

 // TimeUntilSend returns when the next packet should be sent.
-// It returns the zero value of time.Time if a packet can be sent immediately.
-func (p *pacer) TimeUntilSend() time.Time {
+// It returns the zero value of monotime.Time if a packet can be sent immediately.
+func (p *pacer) TimeUntilSend() monotime.Time {
 	if p.budgetAtLastSent >= p.maxDatagramSize {
-		return time.Time{}
+		return monotime.Time(0)
 	}
 	return p.lastSentTime.Add(maxDuration(
 		minPacingDelay,
--- a/transport/tuic/congestion/bandwidth_sampler.go
+++ b/transport/tuic/congestion/bandwidth_sampler.go
@@ -5,6 +5,7 @@ import (
 	"time"

 	"github.com/metacubex/quic-go/congestion"
+	"github.com/metacubex/quic-go/monotime"
 )

 var (
@@ -36,7 +37,7 @@ type SendTimeState struct {
 type ConnectionStateOnSentPacket struct {
 	packetNumber congestion.PacketNumber
 	// Time at which the packet is sent.
-	sendTime time.Time
+	sendTime monotime.Time
 	// Size of the packet.
 	size congestion.ByteCount
 	// The value of |totalBytesSentAtLastAckedPacket| at the time the
@@ -44,10 +45,10 @@ type ConnectionStateOnSentPacket struct {
 	totalBytesSentAtLastAckedPacket congestion.ByteCount
 	// The value of |lastAckedPacketSentTime| at the time the packet was
 	// sent.
-	lastAckedPacketSentTime time.Time
+	lastAckedPacketSentTime monotime.Time
 	// The value of |lastAckedPacketAckTime| at the time the packet was
 	// sent.
-	lastAckedPacketAckTime time.Time
+	lastAckedPacketAckTime monotime.Time
 	// Send time states that are returned to the congestion controller when the
 	// packet is acked or lost.
 	sendTimeState SendTimeState
@@ -166,9 +167,9 @@ type BandwidthSampler struct {
 	totalBytesSentAtLastAckedPacket congestion.ByteCount
 	// The time at which the last acknowledged packet was sent. Set to
 	// QuicTime::Zero() if no valid timestamp is available.
-	lastAckedPacketSentTime time.Time
+	lastAckedPacketSentTime monotime.Time
 	// The time at which the most recent packet was acknowledged.
-	lastAckedPacketAckTime time.Time
+	lastAckedPacketAckTime monotime.Time
 	// The most recently sent packet.
 	lastSendPacket congestion.PacketNumber
 	// Indicates whether the bandwidth sampler is currently in an app-limited
@@ -194,7 +195,7 @@ func NewBandwidthSampler() *BandwidthSampler {
 // packets are sent in order. The information about the packet will not be
 // released from the sampler until it the packet is either acknowledged or
 // declared lost.
-func (s *BandwidthSampler) OnPacketSent(sentTime time.Time, lastSentPacket congestion.PacketNumber, sentBytes, bytesInFlight congestion.ByteCount, hasRetransmittableData bool) {
+func (s *BandwidthSampler) OnPacketSent(sentTime monotime.Time, lastSentPacket congestion.PacketNumber, sentBytes, bytesInFlight congestion.ByteCount, hasRetransmittableData bool) {
 	s.lastSendPacket = lastSentPacket

 	if !hasRetransmittableData {
@@ -224,7 +225,7 @@ func (s *BandwidthSampler) OnPacketSent(sentTime time.Time, lastSentPacket conge
 // OnPacketAcked Notifies the sampler that the |lastAckedPacket| is acknowledged. Returns a
 // bandwidth sample. If no bandwidth sample is available,
 // QuicBandwidth::Zero() is returned.
-func (s *BandwidthSampler) OnPacketAcked(ackTime time.Time, lastAckedPacket congestion.PacketNumber) *BandwidthSample {
+func (s *BandwidthSampler) OnPacketAcked(ackTime monotime.Time, lastAckedPacket congestion.PacketNumber) *BandwidthSample {
 	sentPacketState := s.connectionStats.Get(lastAckedPacket)
 	if sentPacketState == nil {
 		return NewBandwidthSample()
@@ -238,7 +239,7 @@ func (s *BandwidthSampler) OnPacketAcked(ackTime time.Time, lastAckedPacket cong

 // onPacketAckedInner Handles the actual bandwidth calculations, whereas the outer method handles
 // retrieving and removing |sentPacket|.
-func (s *BandwidthSampler) onPacketAckedInner(ackTime time.Time, lastAckedPacket congestion.PacketNumber, sentPacket *ConnectionStateOnSentPacket) *BandwidthSample {
+func (s *BandwidthSampler) onPacketAckedInner(ackTime monotime.Time, lastAckedPacket congestion.PacketNumber, sentPacket *ConnectionStateOnSentPacket) *BandwidthSample {
 	s.totalBytesAcked += sentPacket.size

 	s.totalBytesSentAtLastAckedPacket = sentPacket.sendTimeState.totalBytesSent
@@ -336,7 +337,7 @@ type ConnectionStates struct {
 	stats map[congestion.PacketNumber]*ConnectionStateOnSentPacket
 }

-func (s *ConnectionStates) Insert(packetNumber congestion.PacketNumber, sentTime time.Time, bytes congestion.ByteCount, sampler *BandwidthSampler) bool {
+func (s *ConnectionStates) Insert(packetNumber congestion.PacketNumber, sentTime monotime.Time, bytes congestion.ByteCount, sampler *BandwidthSampler) bool {
 	if _, ok := s.stats[packetNumber]; ok {
 		return false
 	}
@@ -357,7 +358,7 @@ func (s *ConnectionStates) Remove(packetNumber congestion.PacketNumber) (bool, *
 	return ok, state
 }

-func NewConnectionStateOnSentPacket(packetNumber congestion.PacketNumber, sentTime time.Time, bytes congestion.ByteCount, sampler *BandwidthSampler) *ConnectionStateOnSentPacket {
+func NewConnectionStateOnSentPacket(packetNumber congestion.PacketNumber, sentTime monotime.Time, bytes congestion.ByteCount, sampler *BandwidthSampler) *ConnectionStateOnSentPacket {
 	return &ConnectionStateOnSentPacket{
 		packetNumber:                    packetNumber,
 		sendTime:                        sentTime,
--- a/transport/tuic/congestion/bbr_sender.go
+++ b/transport/tuic/congestion/bbr_sender.go
@@ -9,6 +9,7 @@ import (

 	"github.com/metacubex/quic-go"
 	"github.com/metacubex/quic-go/congestion"
+	"github.com/metacubex/quic-go/monotime"
 	"github.com/metacubex/randv2"
 )

@@ -121,13 +122,13 @@ type bbrSender struct {
 	// Tracks the maximum number of bytes acked faster than the sending rate.
 	maxAckHeight *WindowedFilter
 	// The time this aggregation started and the number of bytes acked during it.
-	aggregationEpochStartTime time.Time
+	aggregationEpochStartTime monotime.Time
 	aggregationEpochBytes     congestion.ByteCount
 	// Minimum RTT estimate.  Automatically expires within 10 seconds (and
 	// triggers PROBE_RTT mode) if no new value is sampled during that period.
 	minRtt time.Duration
 	// The time at which the current value of |min_rtt_| was assigned.
-	minRttTimestamp time.Time
+	minRttTimestamp monotime.Time
 	// The maximum allowed number of bytes in flight.
 	congestionWindow congestion.ByteCount
 	// The initial value of the |congestion_window_|.
@@ -160,7 +161,7 @@ type bbrSender struct {
 	// pacing gain cycle.
 	cycleCurrentOffset int
 	// The time at which the last pacing gain cycle was started.
-	lastCycleStart time.Time
+	lastCycleStart monotime.Time
 	// Indicates whether the connection has reached the full bandwidth mode.
 	isAtFullBandwidth bool
 	// Number of rounds during which there was no significant bandwidth increase.
@@ -172,7 +173,7 @@ type bbrSender struct {
 	// Time at which PROBE_RTT has to be exited.  Setting it to zero indicates
 	// that the time is yet unknown as the number of packets in flight has not
 	// reached the required value.
-	exitProbeRttAt time.Time
+	exitProbeRttAt monotime.Time
 	// Indicates whether a round-trip has passed since PROBE_RTT became active.
 	probeRttRoundPassed bool
 	// Indicates whether the most recent bandwidth sample was marked as
@@ -277,12 +278,12 @@ func (b *bbrSender) GetBytesInFlight() congestion.ByteCount {
 }

 // TimeUntilSend returns when the next packet should be sent.
-func (b *bbrSender) TimeUntilSend(bytesInFlight congestion.ByteCount) time.Time {
+func (b *bbrSender) TimeUntilSend(bytesInFlight congestion.ByteCount) monotime.Time {
 	b.bytesInFlight = bytesInFlight
 	return b.pacer.TimeUntilSend()
 }

-func (b *bbrSender) HasPacingBudget(now time.Time) bool {
+func (b *bbrSender) HasPacingBudget(now monotime.Time) bool {
 	return b.pacer.Budget(now) >= b.maxDatagramSize
 }

@@ -298,7 +299,7 @@ func (b *bbrSender) SetMaxDatagramSize(s congestion.ByteCount) {
 	b.pacer.SetMaxDatagramSize(s)
 }

-func (b *bbrSender) OnPacketSent(sentTime time.Time, bytesInFlight congestion.ByteCount, packetNumber congestion.PacketNumber, bytes congestion.ByteCount, isRetransmittable bool) {
+func (b *bbrSender) OnPacketSent(sentTime monotime.Time, bytesInFlight congestion.ByteCount, packetNumber congestion.PacketNumber, bytes congestion.ByteCount, isRetransmittable bool) {
 	b.pacer.SentPacket(sentTime, bytes)
 	b.lastSendPacket = packetNumber

@@ -335,7 +336,7 @@ func (b *bbrSender) MaybeExitSlowStart() {

 }

-func (b *bbrSender) OnPacketAcked(number congestion.PacketNumber, ackedBytes congestion.ByteCount, priorInFlight congestion.ByteCount, eventTime time.Time) {
+func (b *bbrSender) OnPacketAcked(number congestion.PacketNumber, ackedBytes congestion.ByteCount, priorInFlight congestion.ByteCount, eventTime monotime.Time) {
 	// Stub
 }

@@ -343,7 +344,7 @@ func (b *bbrSender) OnCongestionEvent(number congestion.PacketNumber, lostBytes
 	// Stub
 }

-func (b *bbrSender) OnCongestionEventEx(priorInFlight congestion.ByteCount, eventTime time.Time, ackedPackets []congestion.AckedPacketInfo, lostPackets []congestion.LostPacketInfo) {
+func (b *bbrSender) OnCongestionEventEx(priorInFlight congestion.ByteCount, eventTime monotime.Time, ackedPackets []congestion.AckedPacketInfo, lostPackets []congestion.LostPacketInfo) {
 	totalBytesAckedBefore := b.sampler.totalBytesAcked
 	isRoundStart, minRttExpired := false, false

@@ -490,7 +491,7 @@ func (b *bbrSender) UpdateRoundTripCounter(lastAckedPacket congestion.PacketNumb
 	return false
 }

-func (b *bbrSender) UpdateBandwidthAndMinRtt(now time.Time, ackedPackets []congestion.AckedPacketInfo) bool {
+func (b *bbrSender) UpdateBandwidthAndMinRtt(now monotime.Time, ackedPackets []congestion.AckedPacketInfo) bool {
 	sampleMinRtt := InfiniteRTT

 	for _, packet := range ackedPackets {
@@ -610,7 +611,7 @@ func (b *bbrSender) UpdateRecoveryState(hasLosses, isRoundStart bool) {
 	}
 }

-func (b *bbrSender) UpdateAckAggregationBytes(ackTime time.Time, ackedBytes congestion.ByteCount) congestion.ByteCount {
+func (b *bbrSender) UpdateAckAggregationBytes(ackTime monotime.Time, ackedBytes congestion.ByteCount) congestion.ByteCount {
 	// Compute how many bytes are expected to be delivered, assuming max bandwidth
 	// is correct.
 	expectedAckedBytes := congestion.ByteCount(b.maxBandwidth.GetBest()) *
@@ -630,7 +631,7 @@ func (b *bbrSender) UpdateAckAggregationBytes(ackTime time.Time, ackedBytes cong
 	return b.aggregationEpochBytes - expectedAckedBytes
 }

-func (b *bbrSender) UpdateGainCyclePhase(now time.Time, priorInFlight congestion.ByteCount, hasLosses bool) {
+func (b *bbrSender) UpdateGainCyclePhase(now monotime.Time, priorInFlight congestion.ByteCount, hasLosses bool) {
 	bytesInFlight := b.GetBytesInFlight()
 	// In most cases, the cycle is advanced after an RTT passes.
 	shouldAdvanceGainCycling := now.Sub(b.lastCycleStart) > b.GetMinRtt()
@@ -697,7 +698,7 @@ func (b *bbrSender) CheckIfFullBandwidthReached() {
 	}
 }

-func (b *bbrSender) MaybeExitStartupOrDrain(now time.Time) {
+func (b *bbrSender) MaybeExitStartupOrDrain(now monotime.Time) {
 	if b.mode == STARTUP && b.isAtFullBandwidth {
 		b.OnExitStartup(now)
 		b.mode = DRAIN
@@ -709,7 +710,7 @@ func (b *bbrSender) MaybeExitStartupOrDrain(now time.Time) {
 	}
 }

-func (b *bbrSender) EnterProbeBandwidthMode(now time.Time) {
+func (b *bbrSender) EnterProbeBandwidthMode(now monotime.Time) {
 	b.mode = PROBE_BW
 	b.congestionWindowGain = b.congestionWindowGainConst

@@ -725,7 +726,7 @@ func (b *bbrSender) EnterProbeBandwidthMode(now time.Time) {
 	b.pacingGain = PacingGain[b.cycleCurrentOffset]
 }

-func (b *bbrSender) MaybeEnterOrExitProbeRtt(now time.Time, isRoundStart, minRttExpired bool) {
+func (b *bbrSender) MaybeEnterOrExitProbeRtt(now monotime.Time, isRoundStart, minRttExpired bool) {
 	if minRttExpired && !b.exitingQuiescence && b.mode != PROBE_RTT {
 		if b.InSlowStart() {
 			b.OnExitStartup(now)
@@ -734,7 +735,7 @@ func (b *bbrSender) MaybeEnterOrExitProbeRtt(now time.Time, isRoundStart, minRtt
 		b.pacingGain = 1.0
 		// Do not decide on the time to exit PROBE_RTT until the |bytes_in_flight|
 		// is at the target small value.
-		b.exitProbeRttAt = time.Time{}
+		b.exitProbeRttAt = monotime.Time(0)
 	}

 	if b.mode == PROBE_RTT {
@@ -773,7 +774,7 @@ func (b *bbrSender) ProbeRttCongestionWindow() congestion.ByteCount {
 	}
 }

-func (b *bbrSender) EnterStartupMode(now time.Time) {
+func (b *bbrSender) EnterStartupMode(now monotime.Time) {
 	// if b.rttStats != nil {
 	// TODO: slow start.
 	// }
@@ -782,7 +783,7 @@ func (b *bbrSender) EnterStartupMode(now time.Time) {
 	b.congestionWindowGain = b.highCwndGain
 }

-func (b *bbrSender) OnExitStartup(now time.Time) {
+func (b *bbrSender) OnExitStartup(now monotime.Time) {
 	if b.rttStats == nil {
 		return
 	}
--- a/transport/tuic/congestion/cubic.go
+++ b/transport/tuic/congestion/cubic.go
@@ -5,6 +5,7 @@ import (
 	"time"

 	"github.com/metacubex/quic-go/congestion"
+	"github.com/metacubex/quic-go/monotime"
 )

 // This cubic implementation is based on the one found in Chromiums's QUIC
@@ -42,7 +43,7 @@ type Cubic struct {
 	numConnections int

 	// Time when this cycle started, after last loss event.
-	epoch time.Time
+	epoch monotime.Time

 	// Max congestion window used just before last loss event.
 	// Note: to improve fairness to other streams an additional back off is
@@ -77,7 +78,7 @@ func NewCubic(clock Clock) *Cubic {

 // Reset is called after a timeout to reset the cubic state
 func (c *Cubic) Reset() {
-	c.epoch = time.Time{}
+	c.epoch = monotime.Time(0)
 	c.lastMaxCongestionWindow = 0
 	c.ackedBytesCount = 0
 	c.estimatedTCPcongestionWindow = 0
@@ -121,7 +122,7 @@ func (c *Cubic) OnApplicationLimited() {
 	// in such a period. This reset effectively freezes congestion window growth
 	// through application-limited periods and allows Cubic growth to continue
 	// when the entire window is being used.
-	c.epoch = time.Time{}
+	c.epoch = monotime.Time(0)
 }

 // CongestionWindowAfterPacketLoss computes a new congestion window to use after
@@ -135,7 +136,7 @@ func (c *Cubic) CongestionWindowAfterPacketLoss(currentCongestionWindow congesti
 	} else {
 		c.lastMaxCongestionWindow = currentCongestionWindow
 	}
-	c.epoch = time.Time{} // Reset time.
+	c.epoch = monotime.Time(0) // Reset time.
 	return congestion.ByteCount(float32(currentCongestionWindow) * c.beta())
 }

@@ -147,7 +148,7 @@ func (c *Cubic) CongestionWindowAfterAck(
 	ackedBytes congestion.ByteCount,
 	currentCongestionWindow congestion.ByteCount,
 	delayMin time.Duration,
-	eventTime time.Time,
+	eventTime monotime.Time,
 ) congestion.ByteCount {
 	c.ackedBytesCount += ackedBytes

--- a/transport/tuic/congestion/cubic_sender.go
+++ b/transport/tuic/congestion/cubic_sender.go
@@ -2,9 +2,9 @@ package congestion

 import (
 	"fmt"
-	"time"

 	"github.com/metacubex/quic-go/congestion"
+	"github.com/metacubex/quic-go/monotime"
 )

 const (
@@ -103,11 +103,11 @@ func (c *cubicSender) SetRTTStatsProvider(provider congestion.RTTStatsProvider)
 }

 // TimeUntilSend returns when the next packet should be sent.
-func (c *cubicSender) TimeUntilSend(_ congestion.ByteCount) time.Time {
+func (c *cubicSender) TimeUntilSend(_ congestion.ByteCount) monotime.Time {
 	return c.pacer.TimeUntilSend()
 }

-func (c *cubicSender) HasPacingBudget(now time.Time) bool {
+func (c *cubicSender) HasPacingBudget(now monotime.Time) bool {
 	return c.pacer.Budget(now) >= c.maxDatagramSize
 }

@@ -120,7 +120,7 @@ func (c *cubicSender) minCongestionWindow() congestion.ByteCount {
 }

 func (c *cubicSender) OnPacketSent(
-	sentTime time.Time,
+	sentTime monotime.Time,
 	_ congestion.ByteCount,
 	packetNumber congestion.PacketNumber,
 	bytes congestion.ByteCount,
@@ -162,7 +162,7 @@ func (c *cubicSender) OnPacketAcked(
 	ackedPacketNumber congestion.PacketNumber,
 	ackedBytes congestion.ByteCount,
 	priorInFlight congestion.ByteCount,
-	eventTime time.Time,
+	eventTime monotime.Time,
 ) {
 	c.largestAckedPacketNumber = Max(ackedPacketNumber, c.largestAckedPacketNumber)
 	if c.InRecovery() {
@@ -197,7 +197,7 @@ func (c *cubicSender) OnCongestionEvent(packetNumber congestion.PacketNumber, lo
 	c.numAckedPackets = 0
 }

-func (b *cubicSender) OnCongestionEventEx(priorInFlight congestion.ByteCount, eventTime time.Time, ackedPackets []congestion.AckedPacketInfo, lostPackets []congestion.LostPacketInfo) {
+func (b *cubicSender) OnCongestionEventEx(priorInFlight congestion.ByteCount, eventTime monotime.Time, ackedPackets []congestion.AckedPacketInfo, lostPackets []congestion.LostPacketInfo) {
 	// Stub
 }

@@ -207,7 +207,7 @@ func (c *cubicSender) maybeIncreaseCwnd(
 	_ congestion.PacketNumber,
 	ackedBytes congestion.ByteCount,
 	priorInFlight congestion.ByteCount,
-	eventTime time.Time,
+	eventTime monotime.Time,
 ) {
 	// Do not increase the congestion window unless the sender is close to using
 	// the current window.
--- a/transport/tuic/congestion/pacer.go
+++ b/transport/tuic/congestion/pacer.go
@@ -5,6 +5,7 @@ import (
 	"time"

 	"github.com/metacubex/quic-go/congestion"
+	"github.com/metacubex/quic-go/monotime"
 )

 const initialMaxDatagramSize = congestion.ByteCount(1252)
@@ -16,7 +17,7 @@ const maxBurstSizePackets = 10
 type pacer struct {
 	budgetAtLastSent     congestion.ByteCount
 	maxDatagramSize      congestion.ByteCount
-	lastSentTime         time.Time
+	lastSentTime         monotime.Time
 	getAdjustedBandwidth func() uint64 // in bytes/s
 }

@@ -37,7 +38,7 @@ func newPacer(getBandwidth func() Bandwidth) *pacer {
 	return p
 }

-func (p *pacer) SentPacket(sendTime time.Time, size congestion.ByteCount) {
+func (p *pacer) SentPacket(sendTime monotime.Time, size congestion.ByteCount) {
 	budget := p.Budget(sendTime)
 	if size > budget {
 		p.budgetAtLastSent = 0
@@ -47,7 +48,7 @@ func (p *pacer) SentPacket(sendTime time.Time, size congestion.ByteCount) {
 	p.lastSentTime = sendTime
 }

-func (p *pacer) Budget(now time.Time) congestion.ByteCount {
+func (p *pacer) Budget(now monotime.Time) congestion.ByteCount {
 	if p.lastSentTime.IsZero() {
 		return p.maxBurstSize()
 	}
@@ -63,10 +64,10 @@ func (p *pacer) maxBurstSize() congestion.ByteCount {
 }

 // TimeUntilSend returns when the next packet should be sent.
-// It returns the zero value of time.Time if a packet can be sent immediately.
-func (p *pacer) TimeUntilSend() time.Time {
+// It returns the zero value of monotime.Time if a packet can be sent immediately.
+func (p *pacer) TimeUntilSend() monotime.Time {
 	if p.budgetAtLastSent >= p.maxDatagramSize {
-		return time.Time{}
+		return monotime.Time(0)
 	}
 	return p.lastSentTime.Add(Max(
 		MinPacingDelay,
--- a/transport/tuic/congestion_v2/bandwidth_sampler.go
+++ b/transport/tuic/congestion_v2/bandwidth_sampler.go
@@ -5,6 +5,7 @@ import (
 	"time"

 	"github.com/metacubex/quic-go/congestion"
+	"github.com/metacubex/quic-go/monotime"
 )

 const (
@@ -103,7 +104,7 @@ type maxAckHeightTracker struct {
 	// bandwidth.
 	maxAckHeightFilter *WindowedFilter[extraAckedEvent, roundTripCount]
 	// The time this aggregation started and the number of bytes acked during it.
-	aggregationEpochStartTime time.Time
+	aggregationEpochStartTime monotime.Time
 	aggregationEpochBytes     congestion.ByteCount
 	// The last sent packet number before the current aggregation epoch started.
 	lastSentPacketNumberBeforeEpoch congestion.PacketNumber
@@ -133,7 +134,7 @@ func (m *maxAckHeightTracker) Update(
 	roundTripCount roundTripCount,
 	lastSentPacketNumber congestion.PacketNumber,
 	lastAckedPacketNumber congestion.PacketNumber,
-	ackTime time.Time,
+	ackTime monotime.Time,
 	bytesAcked congestion.ByteCount,
 ) congestion.ByteCount {
 	forceNewEpoch := false
@@ -241,7 +242,7 @@ func (m *maxAckHeightTracker) NumAckAggregationEpochs() uint64 {

 // AckPoint represents a point on the ack line.
 type ackPoint struct {
-	ackTime         time.Time
+	ackTime         monotime.Time
 	totalBytesAcked congestion.ByteCount
 }

@@ -250,7 +251,7 @@ type recentAckPoints struct {
 	ackPoints [2]ackPoint
 }

-func (r *recentAckPoints) Update(ackTime time.Time, totalBytesAcked congestion.ByteCount) {
+func (r *recentAckPoints) Update(ackTime monotime.Time, totalBytesAcked congestion.ByteCount) {
 	if ackTime.Before(r.ackPoints[1].ackTime) {
 		r.ackPoints[1].ackTime = ackTime
 	} else if ackTime.After(r.ackPoints[1].ackTime) {
@@ -284,7 +285,7 @@ func (r *recentAckPoints) LessRecentPoint() *ackPoint {
 // that moment.
 type connectionStateOnSentPacket struct {
 	// Time at which the packet is sent.
-	sentTime time.Time
+	sentTime monotime.Time
 	// Size of the packet.
 	size congestion.ByteCount
 	// The value of |totalBytesSentAtLastAckedPacket| at the time the
@@ -292,10 +293,10 @@ type connectionStateOnSentPacket struct {
 	totalBytesSentAtLastAckedPacket congestion.ByteCount
 	// The value of |lastAckedPacketSentTime| at the time the packet was
 	// sent.
-	lastAckedPacketSentTime time.Time
+	lastAckedPacketSentTime monotime.Time
 	// The value of |lastAckedPacketAckTime| at the time the packet was
 	// sent.
-	lastAckedPacketAckTime time.Time
+	lastAckedPacketAckTime monotime.Time
 	// Send time states that are returned to the congestion controller when the
 	// packet is acked or lost.
 	sendTimeState sendTimeState
@@ -305,7 +306,7 @@ type connectionStateOnSentPacket struct {
 // sampler.
 // |bytes_in_flight| is the bytes in flight right after the packet is sent.
 func newConnectionStateOnSentPacket(
-	sentTime time.Time,
+	sentTime monotime.Time,
 	size congestion.ByteCount,
 	bytesInFlight congestion.ByteCount,
 	sampler *bandwidthSampler,
@@ -456,10 +457,10 @@ type bandwidthSampler struct {

 	// The time at which the last acknowledged packet was sent. Set to
 	// QuicTime::Zero() if no valid timestamp is available.
-	lastAckedPacketSentTime time.Time
+	lastAckedPacketSentTime monotime.Time

 	// The time at which the most recent packet was acknowledged.
-	lastAckedPacketAckTime time.Time
+	lastAckedPacketAckTime monotime.Time

 	// The most recently sent packet.
 	lastSentPacket congestion.PacketNumber
@@ -551,7 +552,7 @@ func (b *bandwidthSampler) IsOverestimateAvoidanceEnabled() bool {
 }

 func (b *bandwidthSampler) OnPacketSent(
-	sentTime time.Time,
+	sentTime monotime.Time,
 	packetNumber congestion.PacketNumber,
 	bytes congestion.ByteCount,
 	bytesInFlight congestion.ByteCount,
@@ -595,7 +596,7 @@ func (b *bandwidthSampler) OnPacketSent(
 }

 func (b *bandwidthSampler) OnCongestionEvent(
-	ackTime time.Time,
+	ackTime monotime.Time,
 	ackedPackets []congestion.AckedPacketInfo,
 	lostPackets []congestion.LostPacketInfo,
 	maxBandwidth Bandwidth,
@@ -758,7 +759,7 @@ func (b *bandwidthSampler) chooseA0Point(totalBytesAcked congestion.ByteCount, a
 	return true
 }

-func (b *bandwidthSampler) onPacketAcknowledged(ackTime time.Time, packetNumber congestion.PacketNumber) bandwidthSample {
+func (b *bandwidthSampler) onPacketAcknowledged(ackTime monotime.Time, packetNumber congestion.PacketNumber) bandwidthSample {
 	sample := newBandwidthSample()
 	b.lastAckedPacket = packetNumber
 	sentPacketPointer := b.connectionStateMap.GetEntry(packetNumber)
--- a/transport/tuic/congestion_v2/bbr_sender.go
+++ b/transport/tuic/congestion_v2/bbr_sender.go
@@ -8,6 +8,7 @@ import (

 	"github.com/metacubex/quic-go"
 	"github.com/metacubex/quic-go/congestion"
+	"github.com/metacubex/quic-go/monotime"

 	"github.com/metacubex/randv2"
 )
@@ -127,7 +128,7 @@ type bbrSender struct {
 	// triggers PROBE_RTT mode) if no new value is sampled during that period.
 	minRtt time.Duration
 	// The time at which the current value of |min_rtt_| was assigned.
-	minRttTimestamp time.Time
+	minRttTimestamp monotime.Time

 	// The maximum allowed number of bytes in flight.
 	congestionWindow congestion.ByteCount
@@ -168,7 +169,7 @@ type bbrSender struct {
 	// pacing gain cycle.
 	cycleCurrentOffset int
 	// The time at which the last pacing gain cycle was started.
-	lastCycleStart time.Time
+	lastCycleStart monotime.Time

 	// Indicates whether the connection has reached the full bandwidth mode.
 	isAtFullBandwidth bool
@@ -183,7 +184,7 @@ type bbrSender struct {
 	// Time at which PROBE_RTT has to be exited.  Setting it to zero indicates
 	// that the time is yet unknown as the number of packets in flight has not
 	// reached the required value.
-	exitProbeRttAt time.Time
+	exitProbeRttAt monotime.Time
 	// Indicates whether a round-trip has passed since PROBE_RTT became active.
 	probeRttRoundPassed bool

@@ -307,18 +308,18 @@ func (b *bbrSender) SetRTTStatsProvider(provider congestion.RTTStatsProvider) {
 }

 // TimeUntilSend implements the SendAlgorithm interface.
-func (b *bbrSender) TimeUntilSend(bytesInFlight congestion.ByteCount) time.Time {
+func (b *bbrSender) TimeUntilSend(bytesInFlight congestion.ByteCount) monotime.Time {
 	return b.pacer.TimeUntilSend()
 }

 // HasPacingBudget implements the SendAlgorithm interface.
-func (b *bbrSender) HasPacingBudget(now time.Time) bool {
+func (b *bbrSender) HasPacingBudget(now monotime.Time) bool {
 	return b.pacer.Budget(now) >= b.maxDatagramSize
 }

 // OnPacketSent implements the SendAlgorithm interface.
 func (b *bbrSender) OnPacketSent(
-	sentTime time.Time,
+	sentTime monotime.Time,
 	bytesInFlight congestion.ByteCount,
 	packetNumber congestion.PacketNumber,
 	bytes congestion.ByteCount,
@@ -349,7 +350,7 @@ func (b *bbrSender) MaybeExitSlowStart() {
 }

 // OnPacketAcked implements the SendAlgorithm interface.
-func (b *bbrSender) OnPacketAcked(number congestion.PacketNumber, ackedBytes, priorInFlight congestion.ByteCount, eventTime time.Time) {
+func (b *bbrSender) OnPacketAcked(number congestion.PacketNumber, ackedBytes, priorInFlight congestion.ByteCount, eventTime monotime.Time) {
 	// Do nothing.
 }

@@ -403,7 +404,7 @@ func (b *bbrSender) OnCongestionEvent(number congestion.PacketNumber, lostBytes,
 	// Do nothing.
 }

-func (b *bbrSender) OnCongestionEventEx(priorInFlight congestion.ByteCount, eventTime time.Time, ackedPackets []congestion.AckedPacketInfo, lostPackets []congestion.LostPacketInfo) {
+func (b *bbrSender) OnCongestionEventEx(priorInFlight congestion.ByteCount, eventTime monotime.Time, ackedPackets []congestion.AckedPacketInfo, lostPackets []congestion.LostPacketInfo) {
 	totalBytesAckedBefore := b.sampler.TotalBytesAcked()
 	totalBytesLostBefore := b.sampler.TotalBytesLost()

@@ -592,7 +593,7 @@ func (b *bbrSender) probeRttCongestionWindow() congestion.ByteCount {
 	return b.minCongestionWindow
 }

-func (b *bbrSender) maybeUpdateMinRtt(now time.Time, sampleMinRtt time.Duration) bool {
+func (b *bbrSender) maybeUpdateMinRtt(now monotime.Time, sampleMinRtt time.Duration) bool {
 	// Do not expire min_rtt if none was ever available.
 	minRttExpired := b.minRtt != 0 && now.After(b.minRttTimestamp.Add(minRttExpiry))
 	if minRttExpired || sampleMinRtt < b.minRtt || b.minRtt == 0 {
@@ -604,7 +605,7 @@ func (b *bbrSender) maybeUpdateMinRtt(now time.Time, sampleMinRtt time.Duration)
 }

 // Enters the STARTUP mode.
-func (b *bbrSender) enterStartupMode(now time.Time) {
+func (b *bbrSender) enterStartupMode(now monotime.Time) {
 	b.mode = bbrModeStartup
 	// b.maybeTraceStateChange(logging.CongestionStateStartup)
 	b.pacingGain = b.highGain
@@ -612,7 +613,7 @@ func (b *bbrSender) enterStartupMode(now time.Time) {
 }

 // Enters the PROBE_BW mode.
-func (b *bbrSender) enterProbeBandwidthMode(now time.Time) {
+func (b *bbrSender) enterProbeBandwidthMode(now monotime.Time) {
 	b.mode = bbrModeProbeBw
 	// b.maybeTraceStateChange(logging.CongestionStateProbeBw)
 	b.congestionWindowGain = b.congestionWindowGainConstant
@@ -641,7 +642,7 @@ func (b *bbrSender) updateRoundTripCounter(lastAckedPacket congestion.PacketNumb
 }

 // Updates the current gain used in PROBE_BW mode.
-func (b *bbrSender) updateGainCyclePhase(now time.Time, priorInFlight congestion.ByteCount, hasLosses bool) {
+func (b *bbrSender) updateGainCyclePhase(now monotime.Time, priorInFlight congestion.ByteCount, hasLosses bool) {
 	// In most cases, the cycle is advanced after an RTT passes.
 	shouldAdvanceGainCycling := now.After(b.lastCycleStart.Add(b.getMinRtt()))
 	// If the pacing gain is above 1.0, the connection is trying to probe the
@@ -713,7 +714,7 @@ func (b *bbrSender) maybeAppLimited(bytesInFlight congestion.ByteCount) {

 // Transitions from STARTUP to DRAIN and from DRAIN to PROBE_BW if
 // appropriate.
-func (b *bbrSender) maybeExitStartupOrDrain(now time.Time) {
+func (b *bbrSender) maybeExitStartupOrDrain(now monotime.Time) {
 	if b.mode == bbrModeStartup && b.isAtFullBandwidth {
 		b.mode = bbrModeDrain
 		// b.maybeTraceStateChange(logging.CongestionStateDrain)
@@ -726,14 +727,14 @@ func (b *bbrSender) maybeExitStartupOrDrain(now time.Time) {
 }

 // Decides whether to enter or exit PROBE_RTT.
-func (b *bbrSender) maybeEnterOrExitProbeRtt(now time.Time, isRoundStart, minRttExpired bool) {
+func (b *bbrSender) maybeEnterOrExitProbeRtt(now monotime.Time, isRoundStart, minRttExpired bool) {
 	if minRttExpired && !b.exitingQuiescence && b.mode != bbrModeProbeRtt {
 		b.mode = bbrModeProbeRtt
 		// b.maybeTraceStateChange(logging.CongestionStateProbRtt)
 		b.pacingGain = 1.0
 		// Do not decide on the time to exit PROBE_RTT until the |bytes_in_flight|
 		// is at the target small value.
-		b.exitProbeRttAt = time.Time{}
+		b.exitProbeRttAt = monotime.Time(0)
 	}

 	if b.mode == bbrModeProbeRtt {
--- a/transport/tuic/congestion_v2/clock.go
+++ b/transport/tuic/congestion_v2/clock.go
@@ -1,10 +1,12 @@
 package congestion

-import "time"
+import (
+	"github.com/metacubex/quic-go/monotime"
+)

 // A Clock returns the current time
 type Clock interface {
-	Now() time.Time
+	Now() monotime.Time
 }

 // DefaultClock implements the Clock interface using the Go stdlib clock.
@@ -13,6 +15,6 @@ type DefaultClock struct{}
 var _ Clock = DefaultClock{}

 // Now gets the current time
-func (DefaultClock) Now() time.Time {
-	return time.Now()
+func (DefaultClock) Now() monotime.Time {
+	return monotime.Now()
 }
--- a/transport/tuic/congestion_v2/pacer.go
+++ b/transport/tuic/congestion_v2/pacer.go
@@ -5,6 +5,7 @@ import (
 	"time"

 	"github.com/metacubex/quic-go/congestion"
+	"github.com/metacubex/quic-go/monotime"
 )

 const (
@@ -15,7 +16,7 @@ const (
 type Pacer struct {
 	budgetAtLastSent congestion.ByteCount
 	maxDatagramSize  congestion.ByteCount
-	lastSentTime     time.Time
+	lastSentTime     monotime.Time
 	getBandwidth     func() congestion.ByteCount // in bytes/s
 }

@@ -28,7 +29,7 @@ func NewPacer(getBandwidth func() congestion.ByteCount) *Pacer {
 	return p
 }

-func (p *Pacer) SentPacket(sendTime time.Time, size congestion.ByteCount) {
+func (p *Pacer) SentPacket(sendTime monotime.Time, size congestion.ByteCount) {
 	budget := p.Budget(sendTime)
 	if size > budget {
 		p.budgetAtLastSent = 0
@@ -38,7 +39,7 @@ func (p *Pacer) SentPacket(sendTime time.Time, size congestion.ByteCount) {
 	p.lastSentTime = sendTime
 }

-func (p *Pacer) Budget(now time.Time) congestion.ByteCount {
+func (p *Pacer) Budget(now monotime.Time) congestion.ByteCount {
 	if p.lastSentTime.IsZero() {
 		return p.maxBurstSize()
 	}
@@ -57,10 +58,10 @@ func (p *Pacer) maxBurstSize() congestion.ByteCount {
 }

 // TimeUntilSend returns when the next packet should be sent.
-// It returns the zero value of time.Time if a packet can be sent immediately.
-func (p *Pacer) TimeUntilSend() time.Time {
+// It returns the zero value of monotime.Time if a packet can be sent immediately.
+func (p *Pacer) TimeUntilSend() monotime.Time {
 	if p.budgetAtLastSent >= p.maxDatagramSize {
-		return time.Time{}
+		return monotime.Time(0)
 	}
 	return p.lastSentTime.Add(Max(
 		congestion.MinPacingDelay,
Author	SHA1	Message	Date
wwqgtxx	c5fe3670ef	action: fix build	2025-10-15 01:35:29 +08:00
wwqgtxx	de2ff37f4f	chore: update utls	2025-10-14 23:08:15 +08:00
wwqgtxx	da69b192f2	chore: remove unused global goroutine in kcp-go	2025-10-08 02:36:37 +08:00
wwqgtxx	c13549f564	action: update actions version	2025-10-06 09:23:22 +08:00
wwqgtxx	ce168c0e67	action: update macos-13 to macos-15-intel	2025-10-06 09:16:50 +08:00
wwqgtxx	d225625378	chore: update quic-go to 0.55.0	2025-10-04 13:41:35 +08:00
wwqgtxx	40e0813869	chore: adjust the internal code structure of the dns module	2025-09-29 11:24:41 +08:00
wwqgtxx	94b591ed44	chore: separate the DNS enhancer config passing	2025-09-29 10:36:55 +08:00
wwqgtxx	f7bd8b83e5	chore: revert "chore: consolidate mieru port configuration (#2277 )" The `port` field should not be allowed to be set to non-int values, as this would break some downstream assumptions that the option is an int. This reverts commit `1b1f95aa9c`.	2025-09-28 20:28:48 +08:00
wwqgtxx	f45c6f5e91	chore: update quic-go to 0.54.1	2025-09-26 08:13:31 +08:00
wwqgtxx	3b15cbd9eb	doc: fix resend doc	2025-09-24 23:28:08 +08:00
wwqgtxx	6f4da5f1fb	doc: fix crypt doc	2025-09-24 20:43:13 +08:00