Antony Polukhin wrote:
We have no guarantee that CryptGenRandom algorithm is not reversible or predictable.
There is enough information at http://msdn.microsoft.com/en-us/library/windows/desktop/aa379942(v=vs.85).as... http://en.wikipedia.org/wiki/CryptGenRandom http://blogs.msdn.com/b/michael_howard/archive/2005/01/14/353379.aspx
So mixing in some additional entropy seems reasonable.
There is no guarantee that mixing in highly predictable, or constant, values using SHA1 improves the quality of the random numbers, or decreases their predictability. It is not at all impossible for such amateur improvements to actually decrease the quality of the original source. The only genuine entropy here is QueryPerformanceCounter, which is already incorporated into the output of CryptGenRandom. And in fact, the goal of the original code has never been to achieve crypto quality randomness, or even to approach the quality of CryptGenRandom. It's just for UUID generation, after all.