-
(See the end of this first post for the files to download.)
Why is it so hard to write a tutorial on adding the desktop "explorer" to WinPE?
Like many beginners, I want to understand how one can modify a WinPE 10 (boot.wim) and adapt it to one's needs or wishes.
And mainly add the native Windows desktop (explorer.exe).
Understanding requires investigating the heart of WinPE with tools like "procmon", "procexp", etc. And above all it requires a method of investigation.
But for me, it is not easy to describe a method of investigation.
So, not really knowing how to describe a method, I have recorded the information that seems to me essential to start the investigation on a given point.
During the investigation and the collection, changes must be introduced into the boot.wim file to validate assumptions.
Then a tool must be put in place to reproduce the generation of this inhospitable WinPE.
But the investigation does not necessarily give the right result the first time. Many changes are needed to achieve a result.
And many steps back and multiple injections.
I quickly realized that I needed a simple tool that could be modified quickly.
In the end, the rudimentary tool will contain all of the changed data identified.
In addition, I adopt the following principles:
- This tool will only use the programs available in the host Win10 system or the ADK.
- It requires installing the ADK and mounting the downloaded Win10 Enterprise Evaluation version to get the install.wim file.
Regarding the essential information, I grouped it into a PDF file. It is necessarily incomplete.
I try to translate it into English with Bing Translator. So ...
Concerning the injection script, it is written in PowerShell. I have added a simplistic GUI. To look pretty.
This script is not an end, it is a way, an assistance, a help...
The "Traitement" part of the script will always be evolving, as it makes it possible to record the discoveries.
The initial script contains what I have implemented so far, thanks in part to WinPeSe.
The development difficulties and my poor knowledge of PowerShell made me lose sight of the rigor necessary to write well-structured and readable scripts. So my scripts aren't "pretty."
It is quite clear that my purpose is different from that of Win10PeSe.
My goal is to understand how it is possible to produce a WinPeSe. Not to produce WinPeSE.
The minimum information to know:
-modify BCD with bcdedit.exe.
-use DISM to Mount/unmount an image (boot.wim for example)
-load/unload a hive with regedit
-modify the ACLs for a key in a hive with regedit
-write a small script in powershell
-create a vhd with PS or diskmgr.msc or diskpart
-generate a BCD to start a VM with a 'flat' winpe
version V2 (2016.02.05...) too old: automatic language detection added
version V3 (2016-02-18-microWinpeBuilder.7z) : connect/disconnect Wifi in PS, ***** get WOW64 with a PS script ! ****** and correct many bugs !!!
version V4 (2016-02-24-microWinpeBuilder.7z) : Gui in English (translated with bing.translator), wow64 even with software from winpe, messagebox in the foreground
version V5 (2016-02-29-microWinpeBuilder.7z) : Gui with 'form resizing', PS scripts to modify fbwf.sys for scratchSpace greater than 512 MB
version V6 (2016-04-23-microWinpeBuilder.7z) : session administrator, BITS, WinRm, a piece of IE
-----------the end for build 10586-------
version V7 ( V7-build14393-MicroWinpeBuilder_V7.7z ) : first work for adaptation to build 14393, explorer OK, session adm nearly OK, but many NOK...
version V8 (2016-10-07-microWinpeBuilder-14393.7z) : many bug in script traitements.ps1, explorer, session adm, Wow64, modif themecpl, mstsc = ok; wmp and other ...=NOK
version V8 (2016-10-31-microWinpeBuilder-14393.7z) : first try for printer over the LAN
version V9 (2016-11-04-microWinpeBuilder-14393.7z) : printer USB ( adm and system) and network ( adm )
version V10 (2016-11-30-microWinpeBuilder-14393.7z) : printer PDF/XPS automatically started
version V11 (2016-12-14-microWinpeBuilder-14393.7z) : add mciSendString for play audio file, WMP can read MP3 (pb adm and vhd see post 79)
version V12 (2017-02-05-microWinpeBuilder-14393.7z) : session ADM and a better IE64 for ADM only ( download ok, HS : qwant.com , F12...)
version V13 (2017-02-09-microWinpeBuilder-14393.7z) : better IE64 for ADM with f12 (network trace ok)
-------end build 14393, begin V1709
version V14 (2017-11-15-microWinpeBuilder-V1709.7z) :
version V16 (2018-03-16-microWinpeBuilder-16299.7z) : MSTSC to and from winpe, MSRA in session ADM, IC for hyperV
version V17 (2018-03-16-microWinpeBuilder-16299.7z) : WMP is OK ( the WMP 64 bits needs WMP 32 to be OK ! )
-------end build V1709, begin V1809
version V19 (V19-MicroWinpeBuilder-1809-en-ScriptConstruction.7z) : Eject USB, more about Printers, WPD-MTP(smartphone in winpe)
version V20 (V20-MicroWinpeBuilder-1809-en-ScriptConstruction.7z) : Many corrections, A little optimization
-------end build V1809, begin V1903
version V22 (V22-MicroWinpeBuilder-1903-fr-ScriptConstruction.7z)
version V23 (V23-MicroWinpeBuilder-1903-1909-ScriptConstruction.7z) : adapt 1909, using full drivers hive (replace V23 because bug in wifi/drivers hive)
-------end build 1909, begin 20h2
version V26 (V26-MicroWinpeBuilder-20H2-fr-ScriptConstruction.7z) : adapt 20h2, better support for scanner
Version V26-63-MicroWinpeBuilder-20H2-fr-ScriptConstruction.7z : a few corrections, VirtualBox in Winpe
Version V26-64-MicroWinpeBuilder-20H2-fr-ScriptConstruction.7z : a few corrections
PDF V2 translate in English with bing/translator
PDF V2.1 45pages in french 45 pages in English, corrections, etc.
PDF V2.2 update for Mstsc with NLA
PDF V2.3: how to add WireShark and Win10Pcap in winpe after it starts. Orca or 7Z? You can choose!
PDF V2.4: modify themecpl.dll to modify wallpaper ( and color task bar ) : not too complex
PDF V2.5: printer USB and network
PDF V2.6: printer PDF and XPS, scanner
PDF V2.7: note for mciSendString
PDF V2.8: add "winpe in a VHD" ( simple and yet... ) : pb adm and vhd see "Reply #105"
PDF V2.9: update vhd and session adm ( correct some translations )
PDF V3 : update for session ADM and IE64 ok for Adm
PDF V3.1 : corrections and clarifications
PDF V3.6 : mstsc with NLA for V1703, Procmon at boot ( all boot activity !)
PDF V3.7 : update for mstsc...
PDF V3.8 : update for WMP...
PDF V4.0 : update v1809, Eject USB, printers, WPD/MTP
PDF V4.2 : Many corrections
PDF V5.0 : 2 files, one for Fr, one for EN - Many corrections
New Method Investigation = FULL-FLAT : a full win10 installation in a vhd, then a modification in hives to get a winpe - see "reply #146"
new version with some changes
-
I have very quickly read your tutorial; it's pretty full. Congratulations :thumbsup: :thumbsup:
Well, it is French :wink:
I would look further, when I find some free time. There is really interesting work behind it :great:
It may lack a little guide to try your PowerShell script, or my first diagonal read was too fast.
1 ) ADK CopyPE.cmd
Then, MicroWinpeBuilder_V1.Ps1, traitement.ps1 ?
I have to go, real life :wink:
I hope others will look to MicroWinPEbuilder to try, test and help to improve :smile:
-
noelBlanc, thank you for your contribution!
I have downloaded your 7z pack, and using Google translate and my very limited French language skills, I'm having a great time trying to understand the PDF! :thumbsup:
The PDF looks very well written and organised, so it's actually kind of fun to slowly "crawl" through it.
Like ChrisR, I would also like some more hints on the exact method of using the .cmd and .ps
Once again, very nice work and I hope you will continue supporting this!
-
Thank you for your encouragement, ChrisR and Atari800xl.
I rushed a bit to send out the scripts. They certainly contain errors, including "fr-fr" strings that were left in.
I put the emphasis on the PDF and the explanations for investigating in WinPE.
The script is only an aid. And I had tried to document how it works and how it interacts with copype.cmd in the GUI tabs.
But it is true that one first has to manage to launch it.
It has three files:
- MicroWinpeBuilder_V1.Ps1: the graphical interface, which offers tabs and a 'launch' button
There are two main tabs: input and configuration
Input: to fill in the three basic pieces of information
- the base directory:
It is the one that will receive the result of copype.cmd. But an existing tree produced by a manually launched copype.cmd can also be used
- the directory containing the ADK: an automatic search in the registry key proposes the path resulting from its installation
- the reference win10 directory: a directory containing "install.wim" unpacked (e.g. with DISM /mount-wim...)
Configuration: two options
- use REG.EXE or the API of the C3 for loading/unloading the hives. At the beginning I had too many errors.
It took me a long time to find the impact of the [GC] (garbage collector) on the PS "runspace" (resources not released)
- choose between the software hive taken from 'install.wim' (in full) or the one from winpe (the word 'partial' is somewhat ambiguous)
I couldn't find how to display the wallpaper and I tried both possibilities. In addition it illustrates
the purpose of the script: modify to understand.
- traitement.PS1: it is activated when you click on the 'launch' button
Initially, I wanted to make lots of menus offering plenty of choices, but I kept it simple: an automatic succession of three steps.
+ If the root directory does not contain the file "media\sources\boot.wim" then the script launches copype.cmd
+ If the root directory does not contain "media\sources\boot.wim.AvecPaquetsDeBase.export" then it launches the "DISM /Add-Package" commands:
It is long because the script installs all of the packages available in the ADK (modify the script if needed)
and then creates the 'end of this stage' indicator: a copy of bootm.wim with another name
+ the next step is always carried out: it is the injection of the modifications into the boot.wim file containing the packages (renamed so as not to overwrite it)
- the ProductOptions.txt file, which contains the information that I do not know how to find elsewhere
To start:
- Open a PS console as 'administrator'
- type the path of MicroWinpeBuilder_V1.Ps1
- the console is then hidden and a few seconds later (depending on processor speed) the GUI is displayed
I left the "exit" button and the "system" menu at the top right (it is a script and the user knows what he is doing)
Log: the contents of the console are written to the file 'racine\lastlog.txt' when processing is complete.
A rudimentary "debug" mode to search for PS errors:
Type "racine\MicroWinpeBuilder_V1.Ps1 -debug true":
the GUI is not launched in a runspace
the "hideConsole" function is deactivated
PS errors are displayed in the PS console
Should I try a translation with bing?
I dare not ask how JFX found the missing driver for dwm 10586 but I wish I knew. Your methods of investigation are more effective than mine.
@Atari800xl: perhaps I can help you to translate the pdf or ps... and talk about the content
Thanks again.
-
Looks very good so far :thumbsup:
Sadly I don't have much free time these days.
I dare not ask how JFX found the missing driver for dwm 10586 but I wish I knew. Your methods of investigation are more effective than mine.
Well, I would not really call my methods effective.
Since the usual ways did not work on dwm, I used a complete Windows 10 and started removing services and files.
In HKLM\SYSTEM\Setup
SystemSetupInProgress, SetupType and CmdLine can be used to disable user logon and instead launch a program as nt authority\system.
-
Thank you JFX
I had never thought to do so.
It takes a lot of rigor to strip Windows and avoid the false trails
Ps : i uploaded twice the same link by error. Is it possible to delete one?
-
i uploaded twice the same link by error. Is it possible to delete one?
Done. With 11 posts, you should be able to modify a previous post now, I believe :thumbsup:
-
Image boot.wim created and started successfully :great:
Using install.wim x64 fr-FR extracted folder.
At the first attempt, it did the whole process but failed at the end on Dism /Unmount-Wim (it sometimes happens with Explorer open).
I deleted and re-created the mount folder, then I closed Explorer before restarting and bing, SUCCESS :thumbsup:
For WiFi, PENetwork would be good. Also a start menu like SIB++ would be a bonus.
If you want to integrate packages, following language ($Langue), you can probably write something like this (au3 here)
$UILanguages = RegEnumKey($HKLM & "\src_System\ControlSet001\Control\MUI\UILanguages", 1)
IniWrite($inifile, 'Languages', 'UILanguages', $UILanguages)
$LCID = RegRead($HKLM & "\src_System\ControlSet001\Control\MUI\UILanguages\" & $UILanguages, "LCID")
IniWrite($inifile, 'Languages', 'LCID', $LCID)
[Languages]
UILanguages=fr-FR
LCID=1036 (0x40c)
-
Thank you ChrisR. I'm glad it works for you. I was a little afraid.
One more thing: when Dism Unmount failed, did you see a messagebox behind the GUI? It says "close explorer" and it retries unmount /discard. The boot.wim is created even if unmount failed. On my PC, it works that way.
I don't know how to put the messagebox in the foreground. All msgboxes are behind. I shall search ...
For language autodetection (if I understand well what you say), it's a good idea. It's better than a choice because a GUI in a script takes too long to write. I will put it in a next version.
And correct the 3 references to "fr-fr" in the script.
Sib++ is useful but not 'technical'; I prefer to 'speak' about Wow64 (nearer to MS technology, I have the error 'sxs is not good') and about the call to syswow64\dllhost in a full 64-bit version. I began to look for it in 2012 (http://reboot.pro/topic/17870-winpe4-et-explorer-pour-débutant-comme-moi/)
Thanks again for running the test. It is not simple to understand and use the 'badly tied-together bits and pieces' made by someone else.
(I try without translator)
-
I received the message, indeed "Close explorer...Retry unmount /discard"
As the MessageBox is long enough, no worry to see it but it would be better in front if you find how.
If error on the first Unmount / Commit, you could possibly test the mount folder size.
and if 0, considered as good and delete and recreate the mount folder and maybe dism /Cleanup-Wim.
I believe that you are not so far for the multilanguage support, if you retrieve the language from Install.wim registry.
$Langue ="xx-xx", $srcPaquetsLangue = join-path $sourceFichiersWinpe "\amd64\WinPE_OCs\$Langue"
It should be good then for language pack (if not en-US) and other localized packages.
and you can also use it to copy .mui file (if exist \$Langue\File.mui > Copy else if exist \en-US\File.mui > Copy)
It should allow other install.wim language source :thumbsup: and have more feedback then.
In the tutorial, you wrote:
This remains possible because the software hive of install.wim already contains "X:" entries, which is very strange.
Could I have modified this file during my manipulations?
Yes, you must have modified the software hive; by default it uses C: (or D:) and it has to be changed to X: for PE
See you later
-
@ChrisR: Thank you for the test, the reading, and the advice on the language and the unmount test. For the mui files, I systematically test and copy the files for both languages, en-us and also %langue = 'other' (an array sent down the PS pipeline). Why both? Belt and braces. During debugging, one runs tests and the code stays.
For the language and the test of the mount size, I'll modify the script on Saturday.
For a long time I asked myself the question about the presence of the X: in the ISO file.
Tonight I took the time to do the audit of the units contained in the freshly downloaded ISO file.
My test:
I download (it is long) from https://www.microsoft.com/fr-fr/evalcenter/evaluate-windows-10-enterprise?i=1
Read in the HTML page:
<a href="http://care.dlservice.microsoft.com/dl/download/8/5/C/85CA9FB3-CC7F-44FD-A352-EF960FC181AD/10586.0.151029-1700.TH2_RELEASE_CLIENTENTERPRISEEVAL_OEMRET_X64FRE_FR-FR.ISO"> <input class="btn greenbtn" type="button" value="telecharger"></a>
I mount the ISO file.
I open...\sources\install.wim with 7Z.
I extract the software hive in c:\temp
I load this hive in hkey_users with the name "z_software"
I navigated to hkey_users\z_software\Microsoft\windows\currentversion
And I read: ProgramFilesDir = X:\Program Files
I navigated to hkey_users\z_software\Microsoft\windows Nt\currentversion
And I read: SystemRoot = X:\WINDOWS
I'm amazed. X: !!! not C: !!!
Is this a mistake on my part?
It would be nice if someone had the time to do this (long) test and attempt to provide an answer.
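The check described in this post (load the extracted software hive under hkey_users, read ProgramFilesDir and SystemRoot) and the HKLM\SYSTEM\Setup values JFX names earlier in the thread can be read with one script. This is an added example, not part of the original posts or of microWinpeBuilder; the function name, the `C:\temp` paths and the `z_offline` mount name are assumptions.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the thread): read values from hive files extracted
# from install.wim / boot.wim. Function name, mount name and paths are assumptions.

function Read-OfflineHiveValue {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string]   $HiveFile,   # extracted hive file
        [Parameter(Mandatory)] [string]   $SubKey,     # key path below the hive root
        [Parameter(Mandatory)] [string[]] $ValueName,  # values to read from that key
        [string] $MountName = 'z_offline'              # temporary name under HKEY_USERS
    )

    if (-not (Test-Path -LiteralPath $HiveFile -PathType Leaf)) {
        throw "Hive file not found: $HiveFile"
    }

    # Loading a hive opens the file read/write and creates log files beside it,
    # so load a copy in a scratch directory and leave the extracted file untouched.
    $scratch = Join-Path $env:TEMP ("hive_" + [guid]::NewGuid().ToString('N'))
    New-Item -ItemType Directory -Path $scratch | Out-Null
    $copy = Join-Path $scratch 'hive.dat'
    Copy-Item -LiteralPath $HiveFile -Destination $copy

    & reg.exe load "HKU\$MountName" $copy | Out-Null
    if ($LASTEXITCODE -ne 0) {
        Remove-Item -LiteralPath $scratch -Recurse -Force
        throw "reg load failed with exit code $LASTEXITCODE"
    }

    $values = [ordered]@{ Hive = $HiveFile; Key = $SubKey }
    try {
        $key = [Microsoft.Win32.Registry]::Users.OpenSubKey("$MountName\$SubKey")
        if ($null -eq $key) { throw "Key not found in hive: $SubKey" }
        try {
            foreach ($name in $ValueName) { $values[$name] = $key.GetValue($name) }
        }
        finally { $key.Close() }
    }
    finally {
        # A registry handle still held by .NET makes "reg unload" fail, which is
        # the [GC] problem mentioned in the thread: release handles, then unload.
        $key = $null
        [GC]::Collect()
        [GC]::WaitForPendingFinalizers()
        & reg.exe unload "HKU\$MountName" | Out-Null
        if ($LASTEXITCODE -ne 0) {
            Write-Warning "reg unload HKU\$MountName failed; unload it manually"
        }
        Remove-Item -LiteralPath $scratch -Recurse -Force -ErrorAction SilentlyContinue
    }
    [pscustomobject]$values
}

# Assumed locations of the hives extracted from sources\install.wim.
$software = 'C:\temp\SOFTWARE'
$system   = 'C:\temp\SYSTEM'

# The two values read in the post: X:\... or C:\... depending on the build.
Read-OfflineHiveValue -HiveFile $software -SubKey 'Microsoft\Windows\CurrentVersion' -ValueName 'ProgramFilesDir'
Read-OfflineHiveValue -HiveFile $software -SubKey 'Microsoft\Windows NT\CurrentVersion' -ValueName 'SystemRoot'

# The three values JFX names: together they decide whether a program is launched
# as nt authority\system in place of the user logon. Compare them with the same
# values read from an image you trust.
Read-OfflineHiveValue -HiveFile $system -SubKey 'Setup' -ValueName 'SystemSetupInProgress', 'SetupType', 'CmdLine'
```

Running the same three calls against hives from two builds gives a side-by-side view of the drive letters and of the Setup values without opening regedit.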
-
I just checked, you are right, I had not seen, in 10586 it is X: in most keys but it remains C: in RTM 10240 and in Enterprise 2015 LTSB.
-
hello,
Version 2 : Added automatic detection of language from the ISO file or the directory for reference.
Thank you ChrisR for the help about language.
It will not be enough for non-French users of the script. Should I translate the text of the script tabs into English.
But no one claims this translation, or pdf also. It is that this is not very useful. It is true that it is a game to me also...
If someone can try with another language...
Concerning what I call the COM64-32 surprise, which can be highlighted by launching desk.cpl for example, the 'system' event log in WinPE reports an error at the launch of c:\windows\syswow64\dllhost.dll. I regret not having a 64-bit version of IDA. I will try out Windbg now that I have a new idea.
The "security" event log is almost empty. It seems no longer evolve after startup.
-
I'm not sure to have enough time on my side to help further, to test... PESE is already too much, currently :wink:
Also, I have no PowerShell knowledge to help with, but your program seems already well advanced and commented (in French :wink:).
I leave room for others with more free time to test or go further in your all-in-one design.
:cheers:
-
@ChrisR, thank you for everything you have done for me. I am infinitely grateful to you. I was a little afraid of looking ridiculous. You reassured me.
@Atari800XL, may i help you? ( 6502 versus 8080 ? a dilemma in my youth )
Several people have downloaded the 7z file containing a pdf and PS scripts.
I was hoping to have some returns.
Please, tell me what you were hoping to find in these files.
Would you like to:
-an English translation of the pdf?
-an English translation of the text of the scripts?
Version 2 allows automatic detection of the language of the 'ISO' reference as proposed by ChrisR.
But I do not know how to remove version 1.
Do not hesitate, give me your opinion, even negative with some comments as ' needed English, pdf useful/useless, script works/does not work '...
The development of scripts (error with reg load/unload) made me abandoned the structure organized for ' build ' each of the components as well as WinPeSe doest it in these scripts. This will be useful if I body script by creating a file by component as the sections of the WinPeSe scripts?
translated by bing....
-
NoelBlanc, that final paragraph was translated very badly, I have no idea what that was about... ("Body script by creating a file by component"?)
About your other questions: I'm looking forward to reading the full PDF, also trying the scripts, I just didn't have time for it this weekend, sorry.
I really like the way you describe the whole process, the French language is just a bit of a problem for me, maybe we can work together on the English translation. But in that case, it would be best if I try the scripts first, so I know what's going on.
I think it would be best if I try it on an en-US version (even though I'm Dutch myself).
Please don't abandon your project, it's very informative and I like to learn more in-depth stuff about PE creation and modification. Thanks!
-
Hello Atari800xl. Thank you for your encouragement and the interest you are taking in the documentation.
No worries if you don't have time available at this time. This can wait.
Note: version 1 scripts contained only the version fr-fr of winpe. I do not know how to delete the first post 7Z and replace it with version 2.
For the translation (and the increase in information), your help will be invaluable as I am unable to write in English.
You will be the 'head/Director' for this.
About the 'last paragraph':
in the current script, injection of a component, for example, like Wi-Fi requires various categories like "files to copy, to copy keys, keys to add (this is not the same thing as 'the key to copy'), the drivers to load ', etc."
These actions are scattered throughout the script. They are not easily identifiable.
I did not want that the script is accompanied by a multitude of small files. 3 files, this is already much in my opinion. I would like to avoid the presence of the 'productOption.txt' file.
This is not very educational because it will be difficult for someone else to introduce a new component: it is precisely the purpose of this script.
It seems to me important to integrate all these actions/data "correctly" in the script, in a class of object, for example.
But it will be a little long.
To explain why I had put aside a good structure of the data (the data are intermingled and spaghetti):
I lost a lot of time with:
-the conflict of access to the hives with Dism I met early in the development of the script
(- handles not released by PowerShell: it took me a long time to find a workaround on the internet with [GC]:...)
-
Well, when I said "work together", I was thinking of more people than just you and me :embarrassed:
For now, please continue your very interesting project, I will follow it even when it is in French!!
You have a very clear and "informative" writing style, so I'm sure that I will be able to follow, with a little help from Google Translate, and maybe additional questions in this thread.
I think a translation will always be a bit "out of date" compared to your originals, so that might pose extra problems and inconsistencies.
:thumbsup:
-
I must admit I am even dumber than I had feared :ohmy:
Seriously: When I wanted to test your scripts yesterday, I had sort of forgotten all the steps for a "normal" PE: 64bit host OS necessary, MS ADK necessary (big download), copype.cmd only runs from the ADK prompt, etc. etc. As I said, I forgot how "strict" and "inflexible" this is.
Good thing the PESE projects are so much easier: HostOS can be "anything", no big extra downloads, etc.
I am still very impressed with your excellent PowerShell scripting abilities, so I do hope you will continue this project, but I'm afraid I might have been a bit too enthusiastic. Too bad I don't have a lot of time at the moment either...
-
the script copype.cmd is started automatically by the PS script. We just need adk is installed on the PC. The injection of the packets is also automatic.
Downloading and installing the adk are the only actions that the user must perform.
It must also mount the install.wim file from the iso in a reference directory.
And it's true we need a pc under win10 (regardless of the build).
No problem if you do not have the necessary time.
In the next version 3, I use a PS script to establish the WIFI connection with the C# API. There is an example in C# on the codeplex site.
I'm on holiday but it rains again and again. I will try to investigate in order to add Wow64 in microWinpebuilder.
-
Downloading and installing the adk are the only actions that the user must perform.
It must also mount the install.wim file from the iso in a reference directory.
Both of these sentences can't be true at the same time :wink:
By "it", you mean the script, right? Not the user? The user only has to download and install the adk, then the script ("it") mounts the install.wim?
Sorry for being stupid (I warned you about that), but maybe other readers of this topic are even more stupid? :wink:
I hope for you the rain will stop and the sun will come out of hiding.
-
Sorry, I trusted to the translator.
You have good reason to seek clarification. Please continue, it is a great help for me.
You spoke about copype. I introduced an ambiguity by adding a line dealing with install.wim.
In summary, the user must perform the following actions before running the script:
-Download and install Adk (for winpe)
-extract install.wim ISO and unpack it to a directory (for windows reference)
If I can in a future version, I made active radio-buttons. And would suggest 3 choices to the user:
-Enter the path of the Windows ISO
-Enter the path in the install.wim file
-Enter the path of the directory in which the user unpacked install.wim
Currently, only the latter is operational
Rain became snow and we left more to the South in Avignon. Sun this morning
-
noelBlanc, yesterday I managed to create a USB with your script! (Even before your last message).
It turned out to be even simpler than I thought :thumbsup:
I was under the impression that the user would have to do a lot more preparation work himself, but it turns out your script does (pretty much) all the work itself!
I am very impressed with your (powershell and other) skills, very nice job!
On the other hand, I must also admit that the resultant PE is not as "useful" to me as a WinPESE version, but of course that is not the point: If I understand your PDF correctly, you want to study how everything works, and how it can be done without the use of external tools. In that respect your scripts are even more impressive!
I hope I can do some more reading next weekend.
:thumbsup:
-
Atari 800 XL, thank you for the test. I'm glad that the script has run.
Have you used version 2 for the language en-US?
You're right: microWinpeBuilder is micro. Its first name was 'mini' but I changed to 'micro'. Perhaps 'nano' is better. :wink:
It is only useful to help illustrate the progression of learning and facilitate the implementation of the tests.
This is of course WinPeSe team that does all the work. But reading the scripts' WinPe is difficult for me.
This morning I launched setwow64 of WinPeSe. Thanks WinPeSe.
The source code is complicated. Did you explain that?
And with Procmon, I quickly found a few files (obvious ...) to be added in order to run ... \ syswow64 \ cmd.exe and WinObj.exe of sysinternals.
Because I wanted to confirm that the right click on the screen and "Display Settings" launched the dll 'dllhost' 32-bit and showed the window for changing the screen resolution, for example.
the event log is acting strangely. I do not know if it is proposed in WinPeSe.
Eventvwr.msc generates an error message. It seems that the eventlog Service is testing the key 'MININT'.
And if I delete this key, start the eventlog service and recreate the key, then eventvwr.msc displays the logs.
I identified this behavior when I took my first steps with older versions of winpe.
This was also the case for cmdlet 'remote powershell'. I would look later.
I prepare a version 3 with a PS script for the Wifi connection ( many c# ). I must also give some explanations on Wifi and netsh in the PDF.
As I often use PS I added powershell_ise.
-
Hello,
Version 3:
-a connecting/disconnecting wifi PS script: it's big, it works correctly on windows 10.
But the use of the API is complex.
-a script PS to enable the 32-bit subsystem (my principle: do not use external program)
To full employment of wow64, use WinPeSe: it is made for this. My scripts are only 'educational'.
To show that 'explorer' 64-bit version uses the COM 32-bit dll 'surrogate' mechanism... \syswow64\dllhost.dll,
i added the 32-bit subsystem as WinPeSe by writing a piece of c# code visible in the PS script.
This is a light version of WinPeSe setwow64.exe. But it is Ps!
With the 32-bit subsystem active, the right click on the wallpaper and the menu 'display settings' or 'personalize' works.
It remains to understand if it is desk.cpl which forces the use of ' surrogate' 32-bit.
The pdf contains explanations that seem important and concerning the above points.
-
Love it :thumbsup:
It would be even better, if I could understand a single word in french.
BTW: WinObj.exe doesn't run, should it? ("The application has failed to start because its side by side configuration is incorrect.")
-
hello sezz,
Winobj would work. It works in my vm.
In the tab "configuration du script", have you selected "install.wim"? I note this in the first tab but it's not easy to read.
For the option "source software hive = winpe", I'll modify it and add the missing keys in ...Windows\cur...\SideBySide.
I can translate with bing.translator. Which part do you want first? The text in the script? The comments in the scripts? The pdf?
Thanks. Merci.
Note: I write this without a translator. I hope you can read me.
-
In the tab "configuration du script", have you selected "install.wim"? I noted this in the first tab but it's not easy to read.
Thanks, that fixed it :)
I can translate with bing.translator. Which part do you want first? The text in the script? The comments in the scripts? The pdf?
I think it would be the best to start with the GUI.
That way everyone who's interested can quickly test it and decide if he likes it or not ;)
Note: I write this without a translator. I hope you can read me.
Sure. I learned French in school for 2 years, but the only phrase I still know is "je n'est sais pas" :embarrassed:
-
(Can't edit my posts yet, sorry.)
Added my PE modifications from my batch and PowerShell files and it looks really good - I think everything of my stuff works.
But I couldn't figure out how to pass long directory/file names with spaces and other characters like ()[] to DISM using your lancerUnPrg, any suggestions?
Regedit_ works with long names after I changed the launch command to Start-Process -Wait regedit.exe -ArgumentList "/s `"$fichier`""
PS: Yes I know, nobody likes long names, but It's not like they have been invented yesterday and I like to keep things organized and readable :smile:
-
to sezz,
Can you give me a complete line that doesn't work? I try ...
But I think you have the solution with 'altgr + 7'.
I use it here: lancerUnPrg $DISM "/Image:$mount /Add-Package /PackagePath:`"$srcPaquets\$_.cab`"" $ModeLine
I will also modify my scripts for 'regedit_'.
Thank you very much
-
to sezz,
Can you give me a complete line that doesn't work? I try ...
I think I found the problem.
DISM.LOG:
2016-02-23 22:25:38, Error DISM DISM.EXE: Failed validating command line: "C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Deployment Tools\AMD64\DISM\Dism.exe" /English /Image:"F:\MWPE\Output\mount\" /Add-Driver /Driver:"F:\Windows 10 (Custom Setup)\Settings\Drivers-AMD64" /Recurse
EchoArgs output:
Arg 0 is </English>
Arg 1 is </Image:F:\MWPE\Output\mount" /Add-Driver /Driver:F:\Windows>
Arg 2 is <10>
Arg 3 is <(Custom>
Arg 4 is <Setup)\Settings\Drivers-AMD64 /Recurse>
Command line:
"C:\Program Files (x86)\PowerShell Community Extensions\Pscx3\Pscx\Apps\EchoArgs.exe" /English /Image:"F:\MWPE\Output\mount\" /Add-Driver /Driver:"F:\Windows 10 (Custom Setup)\Settings\Drivers-AMD64" /Recurse
The path in $Mount ends with \ and DISM thinks I want to escape the " that comes after the path...
My fault :frusty:, lancerUnPrg is fine!
Now it works:
lancerUnPrg $DISM ("/English /Image:`"" + $Mount.TrimEnd("\") + "`" /Add-Driver /Driver:`"" + $sPathDrivers.TrimEnd("\") + "`" /Recurse") $ModeLine
Output:
02/23/2016 23:07:17 Commande : C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Deployment Tools\AMD64\DISM\Dism.exe /English /Image:"F:\MWPE\Output\mount" /Add-Driver /Driver:"F:\Windows 10 (Custom Setup)\Settings\Drivers-AMD64" /Recurse
Deployment Image Servicing and Management tool
Version: 10.0.10586.0
Image Version: 10.0.10586.0
Searching for driver packages to install...
Found 4 driver package(s) to install.
Installing 1 of 4 - F:\Windows 10 (Custom Setup)\Settings\Drivers-AMD64\Acronis\IScsi\iscsi.inf: The driver package was successfully installed.
Installing 2 of 4 - F:\Windows 10 (Custom Setup)\Settings\Drivers-AMD64\Acronis\IScsi\mpdev.inf: The driver package was successfully installed.
Installing 3 of 4 - F:\Windows 10 (Custom Setup)\Settings\Drivers-AMD64\Acronis\IScsi\mpio.inf: The driver package was successfully installed.
Installing 4 of 4 - F:\Windows 10 (Custom Setup)\Settings\Drivers-AMD64\Acronis\IScsi\msiscdsm.inf: The driver package was successfully installed.
The operation completed successfully.
02/23/2016 23:07:20 Retour : 0
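The failure diagnosed above comes from the Windows argument-parsing rule that a backslash directly in front of a double quote escapes that quote. The following is an added example, not part of the original post or of MicroWinpeBuilder: the hypothetical helper `ConvertTo-QuotedArgument` doubles trailing backslashes instead of trimming them, and the hypothetical `Split-CommandLine` asks `CommandLineToArgvW` how a line is split. It assumes the target program parses its command line the standard way, as the EchoArgs output suggests; for DISM itself the `TrimEnd("\")` fix from the post remains the tested one.

```powershell
# Added example; the function names are hypothetical, not from MicroWinpeBuilder.

# Quote one argument under the Microsoft C runtime / CommandLineToArgvW rules:
#   backslashes are literal unless they precede a double quote;
#   2n backslashes + quote   -> n backslashes, and the quote is a delimiter;
#   2n+1 backslashes + quote -> n backslashes, and the quote is literal.
function ConvertTo-QuotedArgument {
    param([Parameter(Mandatory)][AllowEmptyString()][string]$Value)

    $sb = New-Object System.Text.StringBuilder
    [void]$sb.Append('"')
    $pending = 0                      # run of backslashes not yet written
    foreach ($ch in $Value.ToCharArray()) {
        if ($ch -eq '\') { $pending++; continue }
        if ($ch -eq '"') {
            # escape every pending backslash, then escape the quote itself
            [void]$sb.Append('\' * (2 * $pending + 1))
        } else {
            [void]$sb.Append('\' * $pending)
        }
        [void]$sb.Append($ch)
        $pending = 0
    }
    # trailing backslashes sit in front of the closing quote: double them
    [void]$sb.Append('\' * (2 * $pending))
    [void]$sb.Append('"')
    $sb.ToString()
}

# Thin wrapper around the Win32 parser, to see what the child process receives.
Add-Type -Namespace Example -Name NativeArgs -MemberDefinition @'
[DllImport("shell32.dll", SetLastError = true)]
public static extern IntPtr CommandLineToArgvW(
    [MarshalAs(UnmanagedType.LPWStr)] string lpCmdLine, out int pNumArgs);

[DllImport("kernel32.dll")]
public static extern IntPtr LocalFree(IntPtr hMem);
'@

function Split-CommandLine {
    param([Parameter(Mandatory)][string]$CommandLine)

    $count = 0
    $argv = [Example.NativeArgs]::CommandLineToArgvW($CommandLine, [ref]$count)
    if ($argv -eq [IntPtr]::Zero) { throw 'CommandLineToArgvW failed' }
    try {
        for ($i = 0; $i -lt $count; $i++) {
            # argv is an array of pointers to null-terminated UTF-16 strings
            $p = [Runtime.InteropServices.Marshal]::ReadIntPtr($argv, $i * [IntPtr]::Size)
            [Runtime.InteropServices.Marshal]::PtrToStringUni($p)
        }
    } finally {
        [void][Example.NativeArgs]::LocalFree($argv)
    }
}

# Paths taken from the post; the first one ends with a backslash.
$Mount   = 'F:\MWPE\Output\mount\'
$Drivers = 'F:\Windows 10 (Custom Setup)\Settings\Drivers-AMD64'

# Naive quoting, as in the failing DISM.LOG line.
$naive = 'Dism.exe /English /Image:"' + $Mount + '" /Add-Driver /Driver:"' + $Drivers + '" /Recurse'

# Quoting that keeps the trailing backslash by doubling it.
$safe = 'Dism.exe /English /Image:' + (ConvertTo-QuotedArgument $Mount) +
        ' /Add-Driver /Driver:' + (ConvertTo-QuotedArgument $Drivers) + ' /Recurse'

'--- naive ---'; Split-CommandLine $naive | ForEach-Object { "<$_>" }
'--- safe  ---'; Split-CommandLine $safe  | ForEach-Object { "<$_>" }
```

The first element of each list is the program name, which `CommandLineToArgvW` parses with simpler rules than the remaining arguments, so the comparison with the EchoArgs listing starts at the second element.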
-
@ sezz: bravo!
I also delete the "\" if it occurs at the end of the entries in the GUI.
If I understand correctly, you modified the PS scripts to add Acronis drivers in one dism command.
And there, you are very strong. You have the right to say that my scripts are similar to packages of spaghetti.
In the V4 version, I've simplified the GUI to update a file in English translated by bing.translator. If you wanted to tell me if this is understandable, it would be nice. I also added the missing keys and files (sideBySide) to make the WOW32 subsystem active when using the winpe software hive.
And I changed the API so that the messagebox appears in the foreground.
I'll try to modify the fbwf.sys driver to remove the limit of "cmp eax, 0x400" in the cache write in X:. I managed to use the win32 API in a PS script to read the checksum. The writing is simple in PS. I still have to find how to sign the driver with a test certificate.
This is not very useful but it is for the game.
I'd also like to remove the filter from the "registry". But I still have no information on the subject. The interest for me would be that in the VM "registry" changes remain persistent. If anyone has any information on the subject, please share it with me.
V4 2016-02-24-microWinpeBuilder.7z : GUI in English, wow even for software from winpe, messagebox in the foreground
-
If I understand correctly, you modified the PS scripts to add Acronis drivers in one dism command.
It's the Microsoft iSCSI Initiator. Acronis adds it when it creates a bootable WinPE ISO. I didn't check if it really needs it, I only took all the files and registry changes and patched TrueImage.exe to not call NtShutdownSystem when I close it.
In the V4 version, I've simplified the GUI to update a file in English translated by bing.translator. If you wanted to tell me if this is understandable, it would be nice.
I can understand it, but I'm not good at English either. It probably takes someone who's fluent in French and English to get good translations ;)
Some minor GUI related changes to allow frame resizing:
--- MicroWinpeBuilder_V4.original.Ps1 2016-02-24 11:03:08.477995000 +0100
+++ MicroWinpeBuilder_V4.Ps1 2016-02-26 23:55:09.215858400 +0100
@@ -757,6 +757,7 @@
$tabControl1.SelectedIndex = 0;
$tabControl1.Size = New-Object System.Drawing.Size(796, 373);
$tabControl1.TabIndex = 1;
+ $tabControl1.Anchor = "Top,Bottom,Left,Right"
#$tabControl1.Appearance = "Buttons"
#
# tabPage_Presentation
@@ -784,6 +785,7 @@
$textBox4.TabStop = $false;
#$textBox4.Text = resources.GetString("textBox4.Text");
$textBox4.Text = $TextPresentation;
+ $textBox4.Anchor = "Top,Left,Bottom,Right";
#
# tabPage_Saisie
#
@@ -963,6 +965,8 @@
$textBox_Console.ReadOnly = $true;
$textBox_Console.ScrollBars = [System.Windows.Forms.ScrollBars]::Vertical;
$textBox_Console.Size = New-Object System.Drawing.Size(782, 329);
+ $textBox_Console.Anchor = "Top,Left,Bottom,Right";
+ $textBox_Console.Font = New-Object System.Drawing.Font("Consolas", 8);
$textBox_Console.TabIndex = 0;
#
# button_Exit
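Review bot: `$textBox_Console.Anchor` is assigned from a string while `ScrollBars` two lines above uses the enum form; writing the anchor with `[System.Windows.Forms.AnchorStyles]` values would keep the generated-designer style consistent across this block. The hard-coded "Consolas" face and size 8 would also benefit from a one-line comment saying that a fixed-width font is wanted for the console output.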
@@ -975,6 +979,7 @@
$button_Exit.UseVisualStyleBackColor = $true;
#$button_Exit.Click += New-Object System.EventHandler($button_Exit_Click);
$button_Exit.Add_Click($button_Exit_OnClick);
+ $button_Exit.Anchor = "Bottom,Right";
#
# statusStrip1
#
@@ -1043,6 +1048,7 @@
$button_Excution.Enabled = $false
#$button_Excution.Click += New-Object System.EventHandler($button_Excution_Click);
$button_Excution.Add_Click($button_Excution_OnClick);
+ $button_Excution.Anchor = "Left,Bottom,Right";
#
# button_GetInfoWim
#
@@ -1054,6 +1060,7 @@
$button_GetInfoWim.UseVisualStyleBackColor = $true;
#$button_Exit.Click += New-Object System.EventHandler($button_Exit_Click);
$button_GetInfoWim.Add_Click($button_GetInfoWim_OnClick);
+ $button_GetInfoWim.Anchor = "Left,Bottom";
#
# radioButton1
@@ -1177,9 +1184,10 @@
$form1.AutoScaleMode = [System.Windows.Forms.AutoScaleMode]::Font;
$form1.ClientSize = New-Object System.Drawing.Size(867, 496);
$form1.MinimumSize = $form1.Size
- $form1.MaximumSize = $form1.Size
$form1.Name = "Form1";
$form1.Text = " $NomDeBase : une aide à l'injection de modifications dans Winpe 10 build 10586";
+ $form1.StartPosition = [System.Windows.Forms.FormStartPosition]::CenterScreen;
+ $form1.Font = New-Object System.Drawing.Font("Segoe UI", 9, [System.Drawing.FontStyle]::Regular, [System.Drawing.GraphicsUnit]::Point, 0);
#
# ajout des controls à la form
#
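Review bot: `MinimumSize` is still captured from `$form1.Size` before the new `$form1.Font` line runs, and `AutoScaleMode` is set to `Font`, so if the font change rescales the form the stored minimum may no longer match the laid-out size. Consider assigning `Font` before `ClientSize` and `MinimumSize`, and add a short comment on the removed `MaximumSize` line explaining that it was dropped to allow resizing.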
And some changes to traitement.ps1, because it complained about missing French files, and also a small WOW64 fix:
--- traitement.original.ps1 2016-02-24 09:32:15.225624600 +0100
+++ traitement.ps1 2016-02-27 00:16:03.697317100 +0100
@@ -295,6 +295,7 @@
$DestinationWinpe = $so.Racine # c'est le répertoire qui va contenir le futur winpe
$KitsRoot = $so.SrcAdk # la source de l'adk contenant les outils winpe
$Langue = $so.Langue # la langue de la référence windows
+$LangShort = $Langue.Split("-")[0]
$RefWindows = $so.RefWindows # le répertoire contenant la référence
# déchargement des ruches : choix reg.exe ou API de c#
$flg_RegExe = $so.flg_RegExe # true si on utilise reg.exe, false si on utilise c#
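Review bot: `$Langue.Split("-")[0]` has no guard for an empty or missing `$so.Langue`, in which case the method call fails at this line rather than with a clear message. A check that `$Langue` is set, plus a trailing comment on the `$LangShort` line in the style of its neighbours (what it holds and where it is used), would make the new variable self-explanatory.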
@@ -990,18 +991,18 @@
;
WINDOWS\assembly\GAC_MSIL\MMCEx\3.0.0.0__31bf3856ad364e35\MMCEx.dll
;WINDOWS\assembly\GAC_MSIL\MMCEx.Resources\3.0.0.0_en_31bf3856ad364e35\MMCEx.Resources.dll
-;WINDOWS\assembly\GAC_MSIL\MMCEx.Resources\3.0.0.0_fr_31bf3856ad364e35\MMCEx.Resources.dll
+;WINDOWS\assembly\GAC_MSIL\MMCEx.Resources\3.0.0.0_$LangShort_31bf3856ad364e35\MMCEx.Resources.dll
WINDOWS\assembly\GAC_MSIL\MMCEx.Resources\
WINDOWS\assembly\GAC_MSIL\MMCFxCommon\3.0.0.0__31bf3856ad364e35\MMCFxCommon.dll
;WINDOWS\assembly\GAC_MSIL\MMCFxCommon.Resources\3.0.0.0_en_31bf3856ad364e35\MMCFxCommon.Resources.dll
-;WINDOWS\assembly\GAC_MSIL\MMCFxCommon.Resources\3.0.0.0_fr_31bf3856ad364e35\MMCFxCommon.Resources.dll
+;WINDOWS\assembly\GAC_MSIL\MMCFxCommon.Resources\3.0.0.0_$LangShort_31bf3856ad364e35\MMCFxCommon.Resources.dll
WINDOWS\assembly\GAC_MSIL\MMCFxCommon.Resources\
WINDOWS\assembly\GAC_MSIL\Microsoft.ManagementConsole\3.0.0.0__31bf3856ad364e35\Microsoft.ManagementConsole.dll
;wsman
WINDOWS\Microsoft.NET\assembly\GAC_MSIL\Microsoft.WSMan.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.WSMan.Management.dll
WINDOWS\Microsoft.NET\assembly\GAC_MSIL\Microsoft.WSMan.Management.Activities\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.WSMan.Management.Activities.dll
;WINDOWS\Microsoft.NET\assembly\GAC_MSIL\Microsoft.WSMan.Management.Resources\v4.0_3.0.0.0_en_31bf3856ad364e35\Microsoft.WSMan.Management.resources.dll
-WINDOWS\Microsoft.NET\assembly\GAC_MSIL\Microsoft.WSMan.Management.Resources\v4.0_3.0.0.0_fr_31bf3856ad364e35\Microsoft.WSMan.Management.resources.dll
+WINDOWS\Microsoft.NET\assembly\GAC_MSIL\Microsoft.WSMan.Management.Resources\v4.0_3.0.0.0_$LangShort_31bf3856ad364e35\Microsoft.WSMan.Management.resources.dll
WINDOWS\Microsoft.NET\assembly\GAC_MSIL\Microsoft.WSMan.Runtime\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.WSMan.Runtime.dll
;msi
windows\system32\msi.dll
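Review bot: on the active `Microsoft.WSMan.Management.Resources` line, `$LangShort_31bf3856ad364e35` will be read by PowerShell as one variable name if this list is expanded in a double-quoted here-string, because `_`, letters and digits are all valid in a variable name; the result is an empty culture segment rather than the language code. Write it as `${LangShort}_31bf3856ad364e35`. The two `MMCEx`/`MMCFxCommon` lines changed above are commented out with `;`, so they only matter if re-enabled, but they should get the same braces.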
@@ -1798,20 +1799,20 @@
$filespowershell=@"
Windows\system32\WindowsPowerShell\v1.0\powershell_ise.exe
Windows\system32\WindowsPowerShell\v1.0\powershell_ise.exe.config
-Windows\system32\WindowsPowerShell\v1.0\fr\powershell_ise.resources.dll
+Windows\system32\WindowsPowerShell\v1.0\$LangShort\powershell_ise.resources.dll
;gac
Windows\Microsoft.NET\assembly\gac_msil\Microsoft.PowerShell.Editor*\
;Windows\Microsoft.NET\assembly\gac_msil\Microsoft.PowerShell.Editor\v4.0_3.0.0.0__31bf3856ad364e35\
;Windows\Microsoft.NET\assembly\gac_msil\Microsoft.PowerShell.Editor.Resources\v4.0_3.0.0.0_en_31bf3856ad364e35\
Windows\Microsoft.NET\assembly\gac_msil\Microsoft.PowerShell.GPowerShell*\
;Windows\Microsoft.NET\assembly\gac_msil\Microsoft.PowerShell.GPowerShell\v4.0_3.0.0.0__31bf3856ad364e35\
-;Windows\Microsoft.NET\assembly\gac_msil\Microsoft.PowerShell.GPowerShell.Resources\v4.0_3.0.0.0_fr_31bf3856ad364e35\
+;Windows\Microsoft.NET\assembly\gac_msil\Microsoft.PowerShell.GPowerShell.Resources\v4.0_3.0.0.0_$LangShort_31bf3856ad364e35\
Windows\Microsoft.NET\assembly\gac_msil\Microsoft.PowerShell.GraphicalHost*\
;Windows\Microsoft.NET\assembly\gac_msil\Microsoft.PowerShell.GraphicalHost\v4.0_3.0.0.0__31bf3856ad364e35\
-;Windows\Microsoft.NET\assembly\gac_msil\Microsoft.PowerShell.GraphicalHost.Resources\v4.0_3.0.0.0_fr_31bf3856ad364e35\
+;Windows\Microsoft.NET\assembly\gac_msil\Microsoft.PowerShell.GraphicalHost.Resources\v4.0_3.0.0.0_$LangShort_31bf3856ad364e35\
Windows\Microsoft.NET\assembly\gac_msil\Microsoft.PowerShell.ISECommon*\
;Windows\Microsoft.NET\assembly\gac_msil\Microsoft.PowerShell.ISECommon\v4.0_3.0.0.0__31bf3856ad364e35\
-;Windows\Microsoft.NET\assembly\gac_msil\Microsoft.PowerShell.ISECommon.Resources\v4.0_3.0.0.0_fr_31bf3856ad364e35\
+;Windows\Microsoft.NET\assembly\gac_msil\Microsoft.PowerShell.ISECommon.Resources\v4.0_3.0.0.0_$LangShort_31bf3856ad364e35\
"@
$postPowershell = @"
#
@@ -1972,6 +1973,10 @@
$keysSrc = join-path $src_soft_PS "Microsoft\Windows\CurrentVersion\SideBySide\Winners\x86_microsoft.windows.*"
$keysDst = join-path $tmp_soft_PS "Microsoft\Windows\CurrentVersion\SideBySide\Winners"
Copy-Item $keysSrc $keysDst -Recurse
+ # fix dpiAware error
+ $keysSrc = join-path $src_soft_PS "Microsoft\Windows\CurrentVersion\SMI\WinSxS Settings\x86_microsoft-windows-*"
+ $keysDst = join-path $tmp_soft_PS "Microsoft\Windows\CurrentVersion\SMI\WinSxS Settings"
+ Copy-Item $keysSrc $keysDst -Recurse
# clés pour desk.cpl et ausi pour clic droit sur le fond d'écran
$keysSrc = join-path $src_soft_PS "Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions"
$keysDst = join-path $tmp_soft_PS "Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions"
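Review bot: the new `Copy-Item` into `SMI\WinSxS Settings` does not check that the destination key exists in the target hive, and the wildcard `x86_microsoft-windows-*` copies every matching key although the comment names a single symptom (dpiAware). A `Test-Path`/`New-Item` guard on `$keysDst` and a comment naming the key that actually fixes the error would make this safer to maintain; the same variables `$keysSrc`/`$keysDst` are reused three times in a row here, so an error in one copy is easy to misattribute.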
@@ -2356,6 +2361,12 @@
affichage "Composant Powershell_ise"
powershell_ise
+
+ # ------------------------------------------------------------
+ # Sezz: Customizations
+ # ------------------------------------------------------------
+ . (Join-Path $script:so.MonPSScriptRoot.TrimEnd("\") "\Sezz\Sezz.ps1")
+ # ------------------------------------------------------------
affichage "Nettoyage des répertoires de langue dans le répertoire system32"
gci $targetSystem32 -filter "??-??" | ?{$_.name -ne $Langue -and $_.name -ne 'en-us'} | remove-item -Recurse
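Review bot: the dot-sourced `\Sezz\Sezz.ps1` is unconditional, so the build stops for anyone who does not have that file, and whatever it contains runs in the builder's scope with the builder's rights. Guard it with `Test-Path` (and log when it is skipped), and build the path with two `Join-Path` arguments without the leading `\` on the child part so the result does not depend on how `MonPSScriptRoot` ends.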
I also figured out why starting PowerShell in Windows PE is extremely slow (first start takes about 20 seconds for me):
- NGEN hasn't run yet -> the native image cache doesn't exist
- CATDB hasn't been generated yet
Running "NGEN.EXE update /NoDependencies /Silent" takes ages, so I ran it once and fetched the files from "X:\Windows\assembly", now I theoretically could use them every time when building an image, but they are very large (about 300MB)...
The CATDB gets created on the first start of PowerShell.exe, that's why it takes so long. The file "X:\WINDOWS\SYSTEM32\catroot2\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\catdb" can be backed up (stop CryptSVC service first) and then used when building an image. It's only about 20MB.
Couldn't find a solution yet without running Win PE first and grabbing the CATDB, but it's good enough for now :)
-
hello sezz,
Wow! You are the best!
I have searched for many years for why PowerShell is so slow the first time. But I never found it.
I used Ngen only one time in winpe3 when I put PowerShell in winpe3. I used 'orca' to look inside dotnet2.msi and recreate a part of its work. But I did not understand its purpose.
It's not easy to integrate your solution in the build process because the file catdb doesn't exist at this time. The GUI can ask for this file.
I'll put your explanation in the pdf because I'm sure it's needed.
I'll also modify the GUI and $langshort (I missed it).
Er, in the script V4 I use:
;WINDOWS\assembly\GAC_MSIL\MMCEx.Resources\3.0.0.0_en_31bf3856ad364e35\MMCEx.Resources.dll
;WINDOWS\assembly\GAC_MSIL\MMCEx.Resources\3.0.0.0_fr_31bf3856ad364e35\MMCEx.Resources.dll
WINDOWS\assembly\GAC_MSIL\MMCEx.Resources\
A line starting with ";" is ignored. If a line ends with "\" then all subdirectories (and files? I don't remember) are copied.
I found only "Windows\system32\WindowsPowerShell\v1.0\$LangShort\powershell_ise.resources.dll" that needs the correction.
Please, can you confirm that this single line corrects the issue?
Once again, thank you very much, sezz. I very much appreciate your help.
For the fbwf.sys, with a PS script, I can modify the file fbwf.sys and put in the new checksum. I can sign the driver with a test certificate (makecert, certmgr, signtool) and launch it in winpe. I thought I had found the location of the compare to 400h. But the limit of 512 MB still remains. I use IDA32 to disassemble the 32-bit fbwf and found a function "adjust" that modifies my 'work'. I'm trying to find the 'same' code in the 64-bit version but it's difficult for me. 64-bit instructions are really different.
-
Hello
I managed to remove the size limit of the Ramdisk of winpe by editing the fbwf.sys file. You will need MS software to sign the file. It also takes disassembler software to locate the changes.
To inject the changes and calculate the checksum, I wrote 2 scripts that I include in the 7z file. I guess that nobody needs to increase the size of the ramdisk or that other solutions exist. I have not finalized my scripts. I leave them in their current state as they together links that have served me.
The PDF contains the explanations that I have collected from MS.
To sign a file, it takes 3 MS programs available with the SDK or VisualStudio. I also don't know how they got on my PC.
Programs needed: Makecert.exe, signtool.exe, certmgr.exe (the last one is not needed if the certificate remains on the machine that created this certificate)
I added the recommendations of "sezz" for the GUI.
For the catroot.db, I don't know yet how to produce it on the host PC.
MicroWinpeBuilder V5:
GUI: "form resizing"
The scripts get-checksumPrg.ps1 and modify-bytes.ps1 to edit the file fbwf.sys
addition of photometahander.dll for previewing images in 'explorer'
-
hi,
Notes about fbwf.sys:
- the management of the available write size in x: remains obscure and incomprehensible.
- I have not yet planned a way to take into account the presence of the modified driver in the GUI
- currently you need to change and run the PS script that modifies the driver twice
- don't forget to modify the BCD to add TESTSIGNING
but nobody seems to have need of these changes.
Actually, I can use PS Remote with WinRm to get information from a computer under win10 from the winpe10.
I note the last commands I used:
net start LanManServer
winrm quickconfig -q # a warning because the network profile is public !!! I can open the port with netsh
winrm set winrm/config/client '@{TrustedHosts="*"}'
reg DELETE HKLM\system\currentcontrolset\control\miniNt /f
start-process PowerShell -argumentList '-executionpolicy unrestricted'
start-sleep -s 5
reg ADD HKLM\system\currentcontrolset\control\miniNt /f
And in the next console :
$s="192.168.0.12" # my win10 computer
$c=get-credential WIN-LBH1HBGLMAA\noel #ask the password for the remote computer
invoke-command -computername $s -credential $c -scriptblock {$env:computername}
invoke-command -computername $s -credential $c -scriptblock {gwmi win32_bios}
Note: as with eventlog, you must delete the minint key before starting PowerShell. It is necessary to re-create this key after the startup of PS.
For the moment I can't do the reverse, launch an invoke-command from a windows10 to a winpe10.
I open the port like this :
netsh advfirewall firewall Add rule name="NONO-5985-winrm" dir=in protocol=tcp localport=5985 action=allow
I also work with BITS.
- Import-Module BitsTransfer is OK
- Start-BitsTransfer "http://noel.blanc.free.fr/index.php" "x:\" is NOK
Error "The requested operation was not performed because the user is not connected to the network. HRESULT: 0800704DD"
I use the firewall log and the network trace with netsh and ndiscap.sys.
I use auditpol.exe to enrich the event log
I post a new version if something works ...
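The commands in this post set `TrustedHosts="*"` and open port 5985 to any source. The following is an added example, not part of the original post, that scopes both to the single machine used above and restores the client setting afterwards; the function name and rule name are constructed, and it assumes the `WSMan:` drive is usable in the session (WinRM service started, as after `winrm quickconfig`).

```powershell
# Added example, not part of the original post.
# Function name and firewall rule name are constructed for illustration.

# Run one remote command while trusting exactly one host, then restore the
# previous TrustedHosts value even if the remote call fails.
function Invoke-WithScopedTrustedHost {
    param(
        [Parameter(Mandatory)][string]$RemoteHost,
        [Parameter(Mandatory)][pscredential]$Credential,
        [Parameter(Mandatory)][scriptblock]$ScriptBlock
    )

    # TrustedHosts accepts wildcards and comma-separated lists; refuse both
    # here so the scope stays one explicit machine.
    if ($RemoteHost -match '[*,]') {
        throw "Refusing wildcard or list in TrustedHosts: $RemoteHost"
    }

    $path = 'WSMan:\localhost\Client\TrustedHosts'
    [string]$previous = (Get-Item $path).Value   # empty string when unset
    try {
        Set-Item $path -Value $RemoteHost -Force
        Invoke-Command -ComputerName $RemoteHost -Credential $Credential -ScriptBlock $ScriptBlock
    } finally {
        Set-Item $path -Value $previous -Force
    }
}

# Report a client configuration that trusts every host.
function Test-WildcardTrustedHosts {
    [string]$value = (Get-Item 'WSMan:\localhost\Client\TrustedHosts').Value
    return ($value.Split(',') | ForEach-Object { $_.Trim() }) -contains '*'
}

$s = '192.168.0.12'                  # address used in the post
$c = Get-Credential                  # prompts, as in the post

if (Test-WildcardTrustedHosts) {
    Write-Warning 'TrustedHosts is "*": credentials can be sent to any host that answers.'
}

Invoke-WithScopedTrustedHost -RemoteHost $s -Credential $c -ScriptBlock { $env:COMPUTERNAME }
Invoke-WithScopedTrustedHost -RemoteHost $s -Credential $c -ScriptBlock { Get-WmiObject Win32_BIOS }

# Inbound direction: same rule as in the post, limited to the one peer.
netsh advfirewall firewall add rule name="winrm-5985-from-$s" dir=in protocol=tcp localport=5985 action=allow remoteip=$s
```

With a host listed in `TrustedHosts` the client does not authenticate the server before sending credentials, which is why the list is kept to one address and put back after each call.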
-
Big disappointment because all my efforts were useless:
-network trace with NETSH: the ETL file is generated but the captured frames are not present and the CAB file is not generated
-Mstsc: works neither inbound nor outbound (remote computer under windows10): error "authentication level" and port 3389 not open
-WinRM with PS: the incoming direction does not work (ports are open and winrm is listening on these ports)
-Bits: start-bitstransfer does not work (user not connected to a network)
-MP4 files: not played
-"List Network Service" and "Network And Sharing Center": not helpful
The implementation of network trace was a bit long (ndiscap.sys, pla, netdiag, schedule...)
I'll put checkboxes in the GUI to not install all these components that do not work and after that I'll upload a V6.
Maybe someone will use it and find a solution for each of the points.
Thanks for giving me advice on each of the points.
-
hi,
For BITS, I suppose I need to have a real user like "administrator" and not "system". So I try to connect with the ADM. I look in the winpese script "9-Administrator.Script".
It's complex. And after some days, it works in my microwinpebuilder environment.
BUT, there is a big "BUT". The "authentication" step is long. And the "building profile" step is long. One or two minutes.
Thanks for giving me a research track
-
Phew, it works!
Login with the administrator account finally works without delay.
Several key services were implemented and a time during this logon.
And the most difficult to identify delay was due to the presence of the network before logon.
I'll prepare a version which allows to mount the network after the opening of session "adm".
And so the service BITS works. But I did not test with a real server bits.
-
I have wondered why there was such a long delay for Administrator login. Thank You for your hard work and tutorial.
-
hello GoodNPlenty,
Thank you for this feedback. It's very helpful for me.
I have not yet tested with WinPeSe and I do not know if WinPeSe loads the network before or after you open the adm session. And surprise: no need for bootexecute for Wow64 in the adm session.
I'm going to finalise soon the MicroWinPeBuilder script to mount the network after the opening of the adm session. But it is necessary that I modify the GUI to offer the choice "session adm" or "normal session".
I have not yet found a BITS server to complete the test. The BITS client seems to work with the adm session!
I've also just tested 'internet Explorer'. What I get to do for now:
get a rudimentary window with 'MSN' after various amendments. The necessary context for my test: wow64 because IE 64-bit launches IE 32-bit addressing LCIE (https://blogs.msdn.microsoft.com/ie/2008/03/11/ie8-and-loosely-coupled-ie-lcie/)
IE 64 launches IE32 ( /scodef:... ) for the LCIE by consulting the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main key
x86AppPath = C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
Therefore, copy the 32-bit IE
And by replacing this value by IE64, we get to see a window 'MSN' playing with the task bar
Not really finished.
If someone wants to try and help me... tell me.
-
Hi Noel,
I haven't had time to play with your tool, but you seem to be making good progress with your additions.
What is the interest of BITS in PE?
For the administrator session in 10SE, the network is loaded after login as Admin. It is not loaded in the system session.
There are a few problems otherwise, in addition to the delay.
On x64, since v10 Internet Explorer runs in a hybrid mode and both versions are required.
It does not seem possible to get separate versions.
With dll dependencies in addition, it is rather heavy for my taste.
-
Hello ChrisR,
For BITS, only the pleasure of making sure it works.
Same thing with Wsman/WinRm, more difficult but it works in the two directions.
For IE in Winpe64bits, I use only the 64-bit IE, not the 32-bit version: I modify x86appPath to point to the 64-bit IE version.
Only the process "iexplore.exe Scodef:Pid" displays a window (see LCIE link).
After launching ie64 the first time, the cpu is very busy. I kill the "IE" without the param "scodef". See IE64bits-1.png
After launching ie64 the second time, IE displays only one window. See IE64bits-2.png
I know it's not actually a good solution. It's only for research.
And I am searching .... for a long time I suppose!
It is always necessary to question what appears to be established and not be satisfied with the current state of knowledge
-
hi,
For IE, i found this on the net :
http://blog.httpwatch.com/2009/04/07/seven-things-you-should-known-about-ie-8/
"TabProcGrowth=0 is a registry edit that will disable the Loosely-Coupled IE (LCIE) function in Internet Explorer 8. Essentially what this means is that all tabs in Internet Explorer will be handled by one process of iexplore.exe. This also means that Protected Mode will be Off and that if one of your tabs crash, Internet Explorer will crash."
And the display of IE 64 "scodef" is now OK.
But IE is still not OK.
A step towards the Grail?
-
hello,
Version V6 (2016-04-23-microWinpeBuilder.7z): administrator session, BITS, WinRm, a piece of IE
Only the adm session can be selected in the GUI. All other parameters, like computer name and adm password, are in the script. Modify it if you need.
Perhaps later I will put these params in the GUI.
Do not forget, this is an educational objective.
Please, give me some feedback: interesting, useful, useless, stupid ... the pdf in French must be translated ...
-
When I was searching for some stuff I found your project page by luck. I guess there is not much interest in it for now but with some work and interest maybe you can improve it. I am not good at powershell so probably will not use your builder. At least I wish I could read the pdf file in English. Is there a hope it can be translated to English?
Why do you spend so much effort to crack the fbwf size limit? Don't you know about the windows embedded fbwf file? It can support at least a few GBs and is used in all pebuilder projects.
If you have such good reversing and coding skills, using them in the right ways can be more useful.
-
Well, I think vvurat is a bit harsh ("do something more useful" :wink:) but I also agree to a certain point.
I think it's just very ironic that noelBlanc seems to be a brilliant (powershell-) programmer, but because it is quite a complicated topic, needs (and, luckily: wants) to explain what he's doing, but then lacks the English language skills to share it with us. In the beginning, I thought I might have a go at translating, but I must confess I only understand 50% of his French, and only 10% of his Powershell :embarrassed:
On the other hand, it's still a very interesting topic, and I hope he continues his work here at TheOven, maybe one day we'll need his support for the WinPESE projects as well!
-
I hope he continues also. %50 of my aim in writing here is to encourage him to continue. Because in the topic that forwarded me here there was an example of disappointment, where someone complains nobody helps him in theoven.org. http://xxxxx.pro/topic/20970-adding-syswow64-to-win10pe/#entry197718 I thought maybe I can do something and give some interest to good stuff. I never meant "do something more useful" because something that is not useful for me can be very useful for others too. Maybe I just wanted to say "I also want to use some stuff coded finded by you" with the help of his work spent on other things than powershell.
-
Thanks for the feedback.
No need to worry to have. Everyone goes in the same direction: sharing information! And the critics are not necessarily negative. They make me move forward.
@Atari800xl : Thank you for explaining my incompetence in English and my desire to share information. It's true, I write English only with bing/translator
@vvurat : Thank you for your interest in the translation. I will try soon but I have not yet finished my reflection on the netsh network traces. Changing a driver, like everything I do here, has only an educational objective. Everyone can use without understanding. But anyone who wants to understand how the team WinpeSe built winpe10 can't find any information. And there are 2 different things: the first, editing winbuilder scripts (which is impossible for me) and the second, knowing what change to bring and how to find it yourself. It is this last point that excites me and that I want to share. I try to tell how one edits boot.wim without additional programs. And how to make one's own changes by modifying the scripts that are open. Then do not write programs with code invisible to the user. Write readable code in all scripts: no risk of viruses. Regarding fbwf, I do not know the "embedded fbwf file" (link?), it is also an educational objective. Searching for a decompiler, usage, location of the code to edit: 1 day (from memory). The pedagogical interest resides in the code signing (several days) and modification of the BCD.
This weekend will be rainy, I will use bing.translator, but I won't be able to know if the translation will be understandable
Thanks again for the feedback.
PS:
One more word about fbwf.sys: knowing that few people would be interested, I wrote a non-robust script
It must be run twice, changing lines in two places (by modifying the "#" characters at the beginning of lines)
As I did not have back on this point, I have not done better.
-
Fbwf files that I collected from Chinese forums. Also winpese should contain it but I could not find it.
Usage: I will explain from FBWF_WES8.7z
http://www.mediafire.com/download/mtgutbrhm3nv6o1/fbwf.zip
1-Import reg file fbwf.reg
2-Select and copy desired ram's cfg file to under x:\windows directory
Example (I want 768MB Ram drive): Rename fbwf-768.cfg -> fbwf.cfg and copy under X:\windows folder
3-Copy fbwflib.dll under X:\windows\system32 folder
4-Copy fbwf.sys under X:\windows\system32\drivers folder.
5-If you want you can copy other files too. I have not used them. Maybe they need configuration of fbwf
Files may have changed over the years. You can grab the same reg files from the current winpese
noelBlanc said: But anyone who wants to understand how the team WinpeSe built winpe10 can't find any information
I also want to ask ChrisR about this. When he reads these lines, can he answer me? I thought to ask by personal message but maybe I can ask here too. He can answer by personal message also. The last time we talked there was some secret stuff to keep winpese different from other tools. Do these secrets continue or not after many years? Can we ask about the internal usage of some tools, or maybe you can explain by personal message to me :) It is also questionable how you can keep secrets when %98 of the code is readable and public. It could just make me lose time when investigating or using other tools. But if you explain, it can help other people that want to make their own PEs. ChrisR can make a new topic about usage of that important stuff.
For example, if we were asked to explain how to integrate fbwf into winpe, is this secret or not? :)
I asked this because I explained it so it is not secret anymore :D I do not want to expose anything without the permission of the winpese authors.
-
http://www.mediafire.com/download/mtgutbrhm3nv6o1/fbwf.zip
Please delete this comment as it is useless; I can modify my posts now.
-
Interesting stuff, thanks for your contributions. I just don't think we can expect ChrisR to take the trouble to explain everything he does. It would take too much time, not only explaining (remember, he's not a native "English speaker" either), but also all the [newbie] questions/ bickering/ complaining etc that would bring about (yes, from me as well).
I think we all can agree we have to be thankful that ChrisR (and Lancelot, JFX, and others) has kept these PESE project going in the first place. I'm sure he will answer most questions we have (as he is a Genuine Nice Guy [TM]), but I also think it would be too much to ask of him to write full FAQ's/ Howto's/ etc.
So once again, please keep up your great new project, noelBlanc, including the HowTo's, I'm sure in time we will all fully understand exactly what is going on "under the hood" of our magical little USB thumb drives!
:thumbsup:
-
noelBlanc said: But anyone who wants to understand how the team WinpeSe built winpe10 can't find any information
I guess bad english:
My goal is to understand how it happens to be able to make available to everyone a product like WinPeSe.
and all done without any information !!!! Come on :wink:
All information is written inside open source plugins, and on a working open source project.
1) one reads to figure out -> LiveSystemPro - Kare
2) one builds project and figure out -> MicroWinpeBuilder - noelBlanc
3) one do not read and have disappointment complaining !!!!! ---------> lazy !!!
- exactly what is going on "under the hood" -
on a open source project with open source plugins !!!!! how can anything be "under the hood"
It is also questionable how you can keep secrets when 98% of the code is readable and public.
As you are aware we do not keep secrets,
as you should notice by now after years, people who write stupid things on posts are only hiding their laziness.
* So we do not respond to lazy people who only knows writing disappointment or complains on topic posts (a kind of post game)
----> This amazingly keep things secret :lol: can you believe it :lol: :lol: no no, it is only secret to 3) kind of people written above, and so far we like to keep that way.
* And we do not need to respond to clever people since they already can read and use already provided open source info (like you), and do not post unnecessary things to topics.
ps:
what is going on "under the hood" --> or what "magic" is only being able to continue developing projects, which becomes better and bigger in time.
To me, Lonely Cowboy kind of development better suits application development....
Anyway, see you.....
:turtle:
edit:
topic continued here following vvurat request
http://theoven.org/index.php?topic=1751.0
-
We should close this conversation here because we are far off topic. Maybe our posts should be moved to a general free discussion topic.
Done
http://theoven.org/index.php?topic=1751.0
:turtle:
-
Wwwwwaaaaaoooouuuuuh
I do not understand what is alleged against me, or even if someone criticizes me for something. But the automatic translation of some posts (now displaced) surprises me, to say the least.
It is true that I said that I can't find any information on what is happening under the hood of winpese:
-I'm not complaining
-the English barrier deprives me of a large part of the information. For example, to understand how to run winbuilder with an iso, I took more than a week and I was discouraged more than once before seeing a result. I am unable to run it a second time and know what plug-ins will be downloaded or updated.
-I repeat: I am not complaining do not know use winbuilder.
What I did:
-I compared the results of my own research on winpe for many years with winpese. The main difference was "ProductPolicy": the key to the Enigma for me!
-I read some winpese scripts to learn the language. I read intensely two scripts: to understand how to implement wow64 and log on to administrator.
In passing, with microwinpebuilder, I noticed that 'bootexecute' is unnecessary with microwinpebuilder and with the version build 10586. I remember the discussion on the Chinese site around that point.
-for some autoit scripts, it is true that I used procmon. And I do not know where to find the sources.
-I repeat: I am not complaining
-I have read various posts on this site with links on Chinese sites (not easy to translate with bing). These Chinese sites dealt with DWM and different variants of SETWOW64.
Some questions in the forum demonstrate that novices like me are asking questions about how it works and how it is built.
And many people do not want to use an external program (this was the case when I worked in a large company).
This is to share my curiosity and the result of my own research (old and new, bit, WinRM, IEFull64 for example) and my readings ( scripts winpese, MS and other sites) I wrote the pdf and PS scripts (with the purpose to hide nothing).
And I understand that the team may not all documented, especially for novices like me.
Thanks atari800xl. You understand me perfectly and you remain my best counsel (avocat de justice in French).
I continue with the translation of the pdf as I forward not on the IEFull64 point. The main menu is not displayed. Navigation is difficult without address bar. The process IE scodef with MSN offers a "search" edit but this is not practical.
PS: I use bing/translator and if a word sounds nasty, I'm sorry. Be sure that it is not my will.
-
You express everything PERFECTLY. If you want to learn anything you can ask at least me. I am capable of building all winpe from zero without using any tools. Just explaining everything is boring and difficult. At least I can show you the right way.
-
Nothing alleged against you noelBlanc :thumbsup:
On public forums, there are sometimes very quick and small tornadoes.
My goal is to understand how it happens to be able to make available to everyone a product like WinPeSe.
It is already available to everyone a product WinPESE, freely to be downloaded and used. :thumbsup:
Your goal is doing same or similar with an automation without winbuilder, we understand you work on this.
Some questions in the forum demonstrate that novices like me are asking questions about how it works and how it is built.
I can assure they are not novices like you. :thumbsup: :wink: :wink:
1) They only post and complain :thumbdown: lazy people
2) You work on what you are after,
and share the result with reproducible builder instructions with the public via post, script, pdf etc. :thumbsup: :thumbsup::thumbsup:
I feel your project does not satisfy vvurat,
and vvurat asking things about WinPESE on current topic !
about a novice fake complain ! by also quoting your words !
quick and small tornadoes, tornado now on other topic :great:
And I understand that the team may not all documented, especially for novices like me.
only %0.1
In past people disrespectfully duplicate SE projects by changing name and acting as they did everything.
Some others are very rudely ask how things works, and we respond them read open source plugins and figure out themselves.
JFX post summarize story
Our goal is to give people an easy way to create a WinPE, not to teach them how.
I may guess, in passing time with your hard working, you will add more and more features and share to public. :great:
Good luck.
(this was the case when I worked in a large company).
Since you are not working anymore it would be easy to reply,
I wonder which company it is and which position you were working? :thumbsup:
:turtle:
-
hello,
I change the text in the pdf. I tried to give it a more user-friendly structure.
I left in the early part in french because it is my source for bing/translator.
I haven't started the translation of the comments of the scripts or the upgrade text in English.
I hope that this document becomes legible and understandable by the greatest number.
Knowledge grows when we share information.
-
many thanks for sharing your work, could you please resubmit your pdf as it seems to be 0Kb and doesn't open
weird, it seems ok now
-
"DWM" requires the CoreMessagingRegistrar service for build 10240 and also the driver
WindowsTrustedRT for build 10586 (see Win10PeSe).
I disable WindowsTrustedRT in 10586 and have not seen any problem yet. What problems result from disabling it?
Software\Microsoft\Windows\CurrentVersion\Explorer\UserSignedIn=1 avoid the delay before the
appearance of icons in the task bar
Have not seen such a problem too.
Without the 'Themes' service, I have not managed to display a background image to screen. This
service requires DWM.
What means without? Without service registry keys or without the service working? Unstarted Themes service does not result background image not to display.
DWM\ColorPrevalence = 1
I am not sure about this key either. I have seen it in Chinese builds. I do not know the reason.
Bypass this security, to modify the "runas" values in the 'APPID' key for COM objects (all preferably).
I am very interested in this subject. As I have not looked at winpes for the last few years, the last thing I remember is JFX's discovery about deleting all "Interactive User" keys. I have seen that some PEs have not deleted them. Some of them deleted all keys. I am traditionally deleting. I also discovered that procmon looks at APPID registry keys. Especially, sometimes I get a very slow opening of the control panel. I investigated and found that dllhost.exe is having a problem with user permission when running the control panel GUID. I copied the permission from another key but it did not solve the issue. What is the detail of the APPID keys? There is no information in the pdf.
The most important discovery on my side is to delete what you see in the following photo. Its reason can be that run as keys in deeper keys give permissions for which user can open. If somebody can explain what changes should be done in the classes registry in windows 10 I will be glad to hear.
Also my other opinion is that there is something different in the windows 10 registry than in previous operating system registries.
(http://i.hizliresim.com/v51QjO.jpg)
For controlling the security of running apps, windows 10 added APPIDSVC to early launch. So I thought deleting that and setting the APPID and APPIDSVC service start values to 4 would maybe stop the Classes values from being used, but it does not help. Deleting APPID or enabling them does not change anything.
(http://i.hizliresim.com/PkLYn7.jpg)
Wpeinit hangs 5 minutes at startup of winpe
"The 'policymanager.dll' key was present but the key software\micros...\policymanager ' was
absent.
Thank you very much about this knowledge. I also want to learn if policymanager.dll needs in PE?and why? I want also share what i found. One of this files makes winpe stuck at black screen at boot. I have not made one more boot attempt which one is responsible.
Windows\System32\ism32k.dll (Probably this one. Related to xbox i think maybe used from 10240 or need to delete)
Windows\SysWOW64\imm32.dll
Starting the service 'coremessagingregistrar' failed
it lacked the key 'software\micros...\securitymanager '.
Good info
The sound did not work and the notification icon at the bottom right displayed 'no speakers '.
an ACL prohibited access to the key "...\MmDevices\Audio\Render\...\properties" to the
accounts used by the AudioSrv service.
Some good info I knew from the past but forgot. Also I was deleting some requiredprivileges stuff from audiosrv. Maybe windows 10 does not need it to be deleted. I have not had any problems about it yet.
Cannot move icons on the desktop
It came from the software\microsoft\ole key that did not contain the DragAndDrop-related
information. The new load failed due to the Acl of the key.
I have that problem in my operating system :). I have not had such a problem in Winpe yet but it is useful to know.
Creation of impossible shortcut on the desktop
it lacked the "appwiz.cpl" and "osbaseln.dll" files as well as their ".mui.
Right click on the wallpaper «display, personnalization» launches nothing: requires the slot 32-
bit system
It is not related to the 32bit subsystem. I could not find which file is responsible yet. Investigating. I can change control.exe or other files from older operating systems to get it to work. That is my idea in the worst case.
network with netsh trace: ndiscap.sys starts, the ETL file is generated but not the CAB file
The most strange stuff i have seen in winpe. I have seen some etl files generated. Is it means Eventviewer can work i do not know.
The new graphical user interface called 'Metro' seems impossible to implement in Winpe.
Metro needs login as user. System and Administrator boot will not be enough. I do not want to call it impossible yet. There are good stuff i discovered.
«x:\windows\syswow64\dllhost.dll» loading then quickly unloaded. This is the 32-bit version of
'dllhost'.
syswow64\dllhost.dll have not see called yet.
A Chinese developer wrote the software «SetWow64.exe». This software is taken up by the WinPeSe
team.
If anyone has knowledge about the author of the source code I want to learn it. I am just curious to learn everything.
To explore the system objects: 'winobj.exe'
Need to download it from the ' technet/sysinternals' site. It is 32-bit only. Therefore, you cannot use it
with a normal 64-bit WinPe.
It is also for this gap that I wrote the PS script.
Why is that needed? How will it be useful in developing PE? Will download and look.
The 'MonSetWow64.PS1' script
Thanks for that. It can be useful to learn how SetWow64.exe works. Will look at that too.
'HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\ProductOptions\ProductPolicy'
It is the heart of a PE but does not need to be investigated so much. Just copy and use it from someone's working winpe. I do not know where the source of it is. It should be from a terminal server. Maybe somebody installs a datacenter server with all functionality and sets it up as a terminal server and copies that key, I guess. As I remember, there is a tool that can enable and disable all stuff from the product policy key.
http://www.remkoweijnen.nl/blog/2010/06/15/having-fun-with-windows-licensing/
IEFull64 : NOK
I did not understand what this topic is related and for.
Login with the administrator account.
I know how to make it happen but i do not know the process backwards. I am only interested in autologin as administrator. Not booting to system and changing the user with cmd files. I have not got the needed file list yet.
It must absolutely stop and change the "start = disabled" configuration of two services Gpsvc TrustedInstaller.
Since the session 'system', we disconnects the console of this session with "tsdiscon.exe"
Someone should tell me why. Why need to disable. As i see they change gpsvc from autostart to start 3 to 2 . After that get try to get gpsvc to run with pecmd srv gpsvc. It looks very strange and stupid to me. If you want to get it run why do you change its value to 2 to 3. For autologin gpsvc and profsvc and others needs to be run as i know. If somebody explain this to me i will give very valuable information to him privately.
Also
[HKEY_LOCAL_MACHINE\SOFTWARE_00\Microsoft\Windows NT\CurrentVersion\Winlogon]
"AutoAdminLogon"="0"
and related other keys can be added offline to the software hive. Why do the Chinese add them with pecmd.exe after boot? Do they get deleted at boot?
Slowdown at the opening : corrected
The absence of the 'hkcu\...\explorer\UserSignedIn' key introduces a delay of almost one minute after
the display of 'Preparation '.... ».
Is this new information or is it already used in winpese or in your stuff? Now my winpe opens very slowly but it should be related to other issues. It is also very valuable information for me. Previously the late opening of the administrator session was related to unstarted schedule and profsvc services.
service 'SENS' I put in place for BITS introduced a further delay of two minutes. Winlogon
sends notifications to various programs and waits for their response. In my case, the 'SENS'
service did not work properly.
There is no SENS service in winpe. So probably winpese does not have it. The main structure of winpe builds is getting rid of all unneeded services. This is some stuff I do not know either. Probably they are deleting dependency keys and only want the needed ones to work, to use less system resources. When I work on one service it is like working on a spider web. All services depend on each other and I need to solve all of them. So I have to add more and more files. I have a problem with the SENS and Eventlog services. The Eventlog service makes my winpe boot very slowly. I have to figure out the files related to it. The SENS service is set to autostart but it does not start.
Winlogon notifications are visible in this key must be changed:
"... \ControlSet001\Control\Winlogon\Notifications\Components\"
This is the main part of my valuable information that you exposed it and get valueless. Good stuff too.
Deactivation of the graphical part of logonUI
I had this when working on PE and very surprised to see a command panel logonui. It was interesting stuff.
The event log
Don't forget to add the key '... \services\eventlog\applications' and '... \services\eventlog\system'.
'Eventlog.msc' displays of the logs. To do this, it must implement the following sequence:
• stop the eventlog service
• Rename the key MiniNt
• restart the eventlog service
Oddly, it happens that the events are more registered.
Eventviewer works under winpe? It is very surprising to hear too. Good info
To do this, launch "WF.msc". Then, click on 'properties' (a small link under the
latest profile), and activate the log.
WF.msc also works? As i remember it was need .Netframework to be installed. You should have at least 600mb big winpe.
Trace Procmon shows that the Winrm service does not launch the program "wsmprovhost.exe".
I modify the following key in the Winpe machine:
hklm\system\setup\SystemSetupInProgress = 0
Then I raise the "invoke-command" from the machine services10.
WSman was running ok on previous operating system PEs. Maybe the service dll file can be patched with a hex editor.
BITS: operational only with the Adm session
Bits needs for downloading windows updates on background. I do not know why you need it.
MSTSC and Termservice: non-operational
Termservice works ok. I say that about starting not about functionality. I have not had so much progress yet. First i have to solve admin login for to get termservice to work. MSTSC should be avoided. I do not know why need in PE and used but uses big amount of system resources.
trace the loading of drivers when you start Winpe
Modify Bcd thus:
Bcdedit /store ...\boot.bcd /set {default} bootlog Yes
The x:\windows\NtBtLog.txt file contains the list of drivers loaded and unloaded. But without
explanation. It is sometimes a beginning of track.
Very good information that i do not know.
And the end of my words. It is a GREAT tutorial with knowledge you cannot find anywhere. It is good to see it is translated to English and I am aware of it. Because I was not interested in French and did not find it valuable before you shared it in English. If you did not translate and share, probably I would never be aware of such important stuff.
I HAVE TO try your project and learn at least how to use powershell very basics. I get very excited already. With this knowledge there should be good results. I WANT untranslated parts to be translated too. Please.
If it were coded with other stuff more easy than powershell i could be glad to help to improve it. Anyway i will follow to learn.
And i want to thank people that write. It is very out of topic but anyway it is in my mind.
http://gena.cwcodes.net/Projects/Gena/Apps/System%20Tools/Debug/Sysinternals_Process_Monitor.script
And the last end again. I succeeded in booting all windows services + winpe services altogether in a winpe. It does not mean all services work. I just succeeded in keeping them inside the wim. Also in previous operating systems I was using most of the services, at least 90%, but could not get it documented and lost this fame to spstar. Now I have it and the Chinese do not know yet.
What can it result in? It can maybe result in a full ram booting operating system. So maybe user booting to ram can be possible and this can result in a working metro on ram. I have tried only once without success. Anyway I see a hope. I have seen such an operating system previously. I have connected remotely. It was built by a person I have never seen on the forum and never heard the name of again. I do not like big WinPEs and do not see them as valuable. At 285MB everything that one can need works smoothly. Maybe user login can increase this stuff by a few MBs.
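The boot log quoted in this post (`bootlog Yes`, `x:\windows\NtBtLog.txt`) lists drivers "without explanation". The PowerShell below is an added example, not part of the original post, the PDF or MicroWinpeBuilder: it pulls out the drivers that were not loaded and adds two clues for each one. It assumes the `BOOTLOG_LOADED` / `BOOTLOG_NOT_LOADED` line layout and that the service key is named after the driver file; the function names and the sample log are constructed.

```powershell
# Added example (not from the PDF or MicroWinpeBuilder): triage of a WinPE boot log.
# Assumption: driver lines read "BOOTLOG_LOADED <path>" or "BOOTLOG_NOT_LOADED <path>",
# the layout recent Windows builds write to ntbtlog.txt.

# Constructed sample, used when no real log is found.
$SampleLog = @'
Microsoft (R) Windows (R) Version 10.0 (Build 10586)
BOOTLOG_LOADED \SystemRoot\system32\ntoskrnl.exe
BOOTLOG_LOADED \SystemRoot\System32\drivers\fbwf.sys
BOOTLOG_NOT_LOADED \SystemRoot\System32\drivers\dam.sys
BOOTLOG_LOADED \SystemRoot\System32\drivers\WindowsTrustedRT.sys
BOOTLOG_NOT_LOADED \SystemRoot\System32\drivers\dam.sys
BOOTLOG_NOT_LOADED \SystemRoot\System32\drivers\rdyboost.sys
'@

# Turn raw log lines into objects; header and blank lines are skipped.
function ConvertFrom-BootLog {
    param([string[]]$Lines)
    foreach ($line in $Lines) {
        if ($line -match '^\s*BOOTLOG_(?<state>LOADED|NOT_LOADED)\s+(?<path>.+?)\s*$') {
            [pscustomobject]@{
                Loaded = ($Matches.state -eq 'LOADED')
                Path   = $Matches.path
                Name   = ($Matches.path -split '\\')[-1]
            }
        }
    }
}

# One row per driver that failed to load, with clues about the cause.
function Get-BootLogFailure {
    param(
        [string[]]$Lines,
        [string]$SystemRoot = 'X:\Windows'    # root of the running WinPE
    )
    $entries = @(ConvertFrom-BootLog -Lines $Lines)
    $loaded  = @($entries | Where-Object Loaded | ForEach-Object Name)
    $entries | Where-Object { -not $_.Loaded } | Group-Object Name | ForEach-Object {
        $file = $_.Group[0].Path -replace '^\\SystemRoot', $SystemRoot
        # Heuristic (assumption): the service key carries the driver's base name.
        $base = [IO.Path]::GetFileNameWithoutExtension($_.Name)
        $svc  = Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\$base" `
                    -Name Start -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Driver       = $_.Name
            Attempts     = $_.Count                       # repeated entries are retries
            LoadedLater  = ($loaded -contains $_.Name)    # a later attempt succeeded
            FileOnDisk   = (Test-Path -LiteralPath $file) # missing file = incomplete image
            ServiceStart = $svc.Start                     # 4 = disabled, empty = no key
        }
    }
}

# Get-Content detects the encoding from the byte order mark when the file has one.
$logPath = 'X:\Windows\ntbtlog.txt'
$lines = if (Test-Path -LiteralPath $logPath) {
    Get-Content -LiteralPath $logPath
} else {
    $SampleLog -split "`r?`n"
}
Get-BootLogFailure -Lines $lines | Sort-Object Driver | Format-Table -AutoSize
```

A driver with `FileOnDisk` false points at a file missing from boot.wim, while a present file with `ServiceStart` 4 or empty points at the registry side.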
-
Thanks much vvurat. I'm glad to read your message. I'll complete the PDF when I would understand everything. Bing translate sometimes changes the meaning of the sentences.
A word on microWinpeBuilder: most importantly, this is the PDF. Although comments in scripts that I have not had the time to integrate PDF
The scripts have a unique mission, illustrate the obtained knowledge and facilitate the start-up of WinPe.
A few words about the scripts:
-2 scripts to build a WinPe
-a big environment construction, installed ADK and Install.wim unzipped
-several scripts launched at startup of WinPe: therefore DotNet is mandatory. With audio, and the size of boot. WIM is 600 MB!
-a VM and a 'flat' WinPe are very suited to the investigation around WinPe
PowerShell is the only scripting language I know. It is not very complicated to learn. It allows to make visible all let not a compiled C++ program see no sources.
Writing a script is very fast. Execution is slow.
But in a pedagogical purpose, volume and speed are not important.
When it succeeded in implementing its WinPe with scripts, you can incorporate changes directly into the keys when possible, write its own C++ or other programs.
If you change of method of construction, so context, it gets different behaviours and different interactions. Lockups and errors do not appear in the same locations. It is therefore possible that the behavior of "your" WinPe is not the same as the behavior of "my" WinPe.
In what follows, to reduce the size of sentence, I call "MicroWinpe" WinPe built with the MicroWinpeBuilder context PS scripts.
A few responses:
WindowsTrustedRT: JFX found that this driver is mandatory for DWM. and in my context, "MicroWinpe" does not start without this driver. And I can't find the link.
Themes service: hostwallpaper.exe displays an image. But with the native desktop to explore, we must delete this file and use the theme service to make the image appear on the desktop.
Dllhost: https://msdn.microsoft.com/en-us/library/ms695225(v=vs.85).aspx
APPID: https://msdn.microsoft.com/en-us/library/ms678477(v=vs.85).aspx
Security in COM: https://msdn.microsoft.com/en-us/library/ms693319(v=vs.85).aspx
IEFull64: please, see reply 42 and 43
GpSvc and TrustedInstaller: it is to keep the memory of information that seems important. If I change 2 in 3 and not say anything, information is lost.
For autologin gpsvc and profsvc: gpsvc applies the "GPO local" if they exist. ProfSvc is used by UserInit to construct the directory's profile
UserSignedIn: it depends on the hive used default. I use the winpe file and this value is absent.
BITS: it's like a smart ftp. It needs a special server. Windows enterprise has one. BITS serves no purpose except to learn how to add a component in WinPe.
Bcdedit:
https://msdn.microsoft.com/en-us/windows/hardware/commercialize/manufacture/desktop/bcdedit-command-line-options
https://TechNet.Microsoft.com/en-us/library/cc709667(v=WS.10).aspx
https://msdn.Microsoft.com/en-us/library/Windows/hardware/dn653287(v=vs.85).aspx
".. .full ram booting Os..": is it the Ramos proposed in previous versions of WinPeSe on this site?
I put long to write because I have a long time to translate. Sorry.
Kind regards
-
Why is it called MicroWinpeBuilder if it is 600Mb? It should be very powerful, as I have never seen Wf.msc, Eventviewer, .Net and other stuff you mention fully work on a PE.
WindowsTrustedRT: JFX found that this driver is mandatory for DWM. and in my context, "MicroWinpe" does not start without this driver. And I can't find the link.
If he said he should know something, but winpe can boot without it and i have not seen any problem.
Themes service: hostwallpaper.exe displays an image. But with the native desktop to explore, we must delete this file and use the theme service to make the image appear on the desktop.
I do not put wallpaperhost.exe too. Have not seen any problem. When it is winpe you can easy show wallpaper with
[HKEY_LOCAL_MACHINE\DEFAULT\Control Panel\Desktop]
"Wallpaper"="%SystemRoot%\\Web\\Wallpaper\\Windows\\img0.jpg"
[HKEY_LOCAL_MACHINE\SOFTWARE_00\Microsoft\Windows NT\CurrentVersion\WinPE]
"CustomBackground"=hex(2):25,00,73,00,79,00,73,00,74,00,65,00,6d,00,72,00,6f,\
00,6f,00,74,00,25,00,5c,00,77,00,65,00,62,00,5c,00,77,00,61,00,6c,00,6c,00,\
70,00,61,00,70,00,65,00,72,00,5c,00,57,00,69,00,6e,00,64,00,6f,00,77,00,73,\
00,5c,00,69,00,6d,00,67,00,30,00,2e,00,6a,00,70,00,67,00,00,00
Also use "PECMD.EXE LOGO %WinDir%\Web\Wallpaper\Windows\img0.jpg" any of them should work. No need 3 of them but i use all.
UserSignedIn: it depends on the hive used default. I use the winpe file and this value is absent.
Maybe because I used the install.wim hive I have not felt it is absent.
".. .full ram booting Os..": is it the Ramos proposed in previous versions of WinPeSe on this site?
Yes it is. There is a very small difference between WinPE and a real system.
SystemSetupInProgress=0 => Is a real operating system. If the system can boot with this key.
SystemSetupInProgress=1 => WinPE
Normally, to have more features, people change that key to 1 for a specific feature and restore it back as you mentioned in your pdf.
Windows 7, Windows 8 and Windows 8.1 can easily be modified to boot winpe or ramos. But for windows 10 it has not been discovered yet, I think.
-
At the beginning, I compared my scripts in PS to the program WinpeBuilder, size = 800 KB
MicroWinpeBuilder because it's a small thing in front of the tool WinPeBuilder. I don't refere to the size of winpe but to the complexe tool winpeBuilder.
WinPe is not a goal for me. I want to collect information on how winpebuilder.exe get it
My mistake : i want to say WindowsTrusted not WindowsTrustedRt. I beg your pardon. Sorry JFX. I modify my PDF !!!!!!!!!!
Second mistake : I verified another time, WindowsTrustedRt is mandatory in my context ( like JFX said ) and WindowsTrustedRtProxy is useless.
for wallpaper, I think I understand you : in my context, I use the desktop from explorer.exe, not from pecmd.exe which is not an MS program ( my rule 1 in PDF ). And if I don't use this desktop explorer.exe, winpe displays a wallpaper. But if explorer displays the desktop, it can't display an image without DWM. Have you time to try and modify ...\winlog\shell = explorer.exe ?
For RamOS, i read this in 2013 and i keep it that i translate from chinese:
http://bbs.wuyou.net/forum.php?mod=viewthread&tid=316491&extra=&page=1
Log on as an Administrator. But many of the programs are running, nothing of practical value, only to experience it.
Generating method of the registry needed to the RamOS: (for x86 and x64 only in Chinese version tried)
Registry has involved SAM, SECURITY, SOFTWARE, SYSTEM. All from the installation file install.wim in the achieved and processed.
1. the SAM and SECURITY:
SECURITY registry does not need to be addressed, but it should be supporting and SAM.
SAM Administrator user is disabled by default, and modify the registry, it will enable it.
2. SOFTWARE registry:
C:\, D:\ replace all X:\
Delete all X:\$windows.~bt\ and Interactive User (this step does not know if needed)
3. the SYSTEM registry:
A. delete the following services, mainly to avoid missing file cannot start.
ControlSet001\Services\PEAUTH
ControlSet001\Services\hwpolicy
ControlSet001\Services\rdyboost
ControlSet001\Services\WdBoot
ControlSet001\Services\WdFilter
ControlSet001\Services\storflt
ControlSet001\Services\WFPLWFS
##=== Delete Services : start=1 ===
ControlSet001\Services\npsvctrig
ControlSet001\Services\Beep
ControlSet001\Services\CSC
ControlSet001\Services\dam
ControlSet001\Services\NetBIOS
ControlSet001\Services\Psched
ControlSet001\Services\discache
ControlSet001\Services\Wanarpv6
B. replace C:\, D:\ X:\
C. all Setup the following key value is set to 0
OOBEInProgress=0
SystemSetupInProgress=0
SetupType=0
SetupPhase=0
D. import the WIM format the drive needed to start PE and driver files:
FBWF.reg,Ramdisk.reg, WimFsf.reg
RamOS and Wim format method should be the same, step a bit more, don't know if there are any omissions.
These changes just to be able to start some personal changes are not included.
Friend8179 method:
Delete rdyboost while {71a27cdd-812a-11d0-bec7-08002be2092f}\LowerFilters or does not recognize the disk.
Method to delete the LowerFilters in the rdyboost.
I tried to describe it here in february 2013 : http://reboot.pro/topic/17870-winpe4-et-explorer-pour-débutant-comme-moi/page-2
I think i try after this in winter. In summer, i try to go far from my PC.
bests regards
-
Have you time to try and modify ...\winlog\shell = explorer.exe ?
My shell is already explorer.exe. But can try to remove pecmd.exe part and test but i am sure wallpaper will stay in its place because it is a winpe and microsoft allow to use a custom wallpaper in winpe like winre.jpg and winpe.jpg also in the absence of wallpaperhost.exe.
The whole procedure is right. This procedure is used on install.wim. If you install windows and use the installed windows to make winpe, theoretically you will have a user booting winpe and you can use metro with the right configuration. This can be tested on RAMOS capable windows editions. I have not been interested in trying.
Will read that topic with google translate too. Thanks for link.
-
hello,
I see many people have downloaded MicroWinpeBuilder, pdf and scripts. So i organize a challenge :w00t: :
In the context of MicroWinpeBuilder ( looks like context of WinPeSe ), who can describe the wallpaper displaying on the desktop of explorer ?
My idea but it is possible that i'm wrong :
context : DWM active !
- winpeShl.exe launches wallpaperhost.exe if it exists. And this last program displays the wallpaper read from the key hkcu\...\desktop\wallpaper
- when explorer installs the desktop for the user, there is a conflict I can't explain. And the screen is black.
So, in MicroWinpeBuilder, i delete wallpaperhost.exe from the image "boot.wim". And reboot.
- WinpeShl.exe can display a wallpaper if the key "..\winpe\customBackground" exists. If not, it displays a black screen before explorer comes.
- when explorer installs the desktop for the user, it looks in ...\themes\aero\... and displays the wallpaper.
Your goal : find the good sequence and reply to the question :
- Is the Themes service really useful ?
-
Upload a prepared winpe.iso and send links to me by personal message. I will check and tell you what is wrong. I have finished building PE %95. And i can say everything is possible also under System account.
-
hello vvurat,
Perhaps i'm wrong but it seems that in your profile your mail is hidden and i can't send a mp...
-
You probably forgot to delete "Interactive User" values from SOFTWARE\Classes. It result a black background in explorer shell.
-
MicrowinpeBuilder works fine and display correctly wallpaper.
But, with the challenge, i hope somebody can explain the interaction of different programs : winpeshl.exe and explorer.exe.
These two programs display an image but seek in differents place. And they not use the same resources API system : explorer use DWM.
About your profil, i didn't see the line above the mail for the MP ( in fact i see but not read ! ). Now i can send you a MP.
-
hello,
I completed the translation of PDF version 2.1 with some corrections and a presentation of the scripts which illustrate the knowledge.
first is french (45 pages), after English (45 pages) translate with bing/translator
hope can be help ... and comprehensible.
-
hello,
mstsc from Winpe to Windows10 is ok now.
- Without NLA : disabled on Windows 10
and
- With NLA : it need the following keys and files
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\OSConfig
Security Packages Reg_Multi_Sz kerberos, msv1_0, wdigest, schannel, tspkg <<<<
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders
SecurityProviders = credssp.dll
new files : tspkg.dll, credsp.dll
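Both the RamOS method quoted earlier in the thread (Setup values, deleted services) and the NLA keys in this post are settings of the SYSTEM hive, so they can be read from a mounted boot.wim before it is booted. The following is an added example, not part of the original posts or of MicroWinpeBuilder; the function name, the `PE_AUDIT` key name and the `C:\Mount` directory are assumptions, and it changes nothing in the hive.

```powershell
# Added example (not MicroWinpeBuilder code): read-only audit of the SYSTEM hive
# inside a mounted boot.wim. Assumptions: elevated console, image mounted at
# $MountDir, and the temporary key name PE_AUDIT (hypothetical) is unused.

function Get-OfflineSystemAudit {
    param(
        [Parameter(Mandatory)][string]$MountDir,
        [string]$HiveName = 'PE_AUDIT',
        # Services named in the RamOS method quoted in the thread.
        [string[]]$ServiceNames = @('PEAUTH','hwpolicy','rdyboost','WdBoot','WdFilter',
            'storflt','WFPLWFS','npsvctrig','Beep','CSC','dam','NetBIOS','Psched',
            'discache','Wanarpv6')
    )
    $sys32    = Join-Path $MountDir 'Windows\System32'
    $hiveFile = Join-Path $sys32 'config\SYSTEM'
    if (-not (Test-Path -LiteralPath $hiveFile)) { throw "SYSTEM hive not found: $hiveFile" }

    & reg.exe load "HKLM\$HiveName" $hiveFile | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "reg load failed (exit code $LASTEXITCODE)" }
    try {
        $root = "HKLM:\$HiveName"
        # An offline hive has no CurrentControlSet link; Select\Current names the set.
        $current = (Get-ItemProperty -LiteralPath "$root\Select").Current
        $set     = '{0}\ControlSet{1:d3}' -f $root, $current

        # Setup values (RamOS step C; SystemSetupInProgress is discussed in the thread).
        $setupKey = Get-ItemProperty -LiteralPath "$root\Setup" -ErrorAction SilentlyContinue
        $setup = [ordered]@{}
        foreach ($n in 'OOBEInProgress','SystemSetupInProgress','SetupType','SetupPhase') {
            $setup[$n] = $setupKey.$n
        }

        # NLA prerequisites as listed in the post above.
        $lsa  = Get-ItemProperty -LiteralPath "$set\Control\Lsa\OSConfig" -ErrorAction SilentlyContinue
        $prov = Get-ItemProperty -LiteralPath "$set\Control\SecurityProviders" -ErrorAction SilentlyContinue
        $packages  = @($lsa.'Security Packages' | Where-Object { $_ })
        $providers = @("$($prov.SecurityProviders)" -split ',' |
                       ForEach-Object { $_.Trim() } | Where-Object { $_ })
        $nla = [pscustomobject]@{
            TspkgListed      = ($packages -contains 'tspkg')
            CredsspListed    = ($providers -contains 'credssp.dll')
            TspkgFile        = (Test-Path -LiteralPath (Join-Path $sys32 'tspkg.dll'))
            # Providers named in the registry whose DLL is not in the image.
            MissingProviders = @($providers | Where-Object {
                                   -not (Test-Path -LiteralPath (Join-Path $sys32 $_)) })
        }

        # Which of the listed services are still defined, and with which Start value.
        $services = foreach ($s in $ServiceNames) {
            $key = "$set\Services\$s"
            [pscustomobject]@{
                Service = $s
                Present = (Test-Path -LiteralPath $key)
                Start   = (Get-ItemProperty -LiteralPath $key -Name Start -ErrorAction SilentlyContinue).Start
            }
        }
        [pscustomobject]@{ ControlSet = $current; Setup = $setup; Nla = $nla; Services = $services }
    }
    finally {
        [gc]::Collect()     # drop registry handles so the unload can succeed
        & reg.exe unload "HKLM\$HiveName" | Out-Null
    }
}

$mount = 'C:\Mount'         # hypothetical mount directory of boot.wim
if (Test-Path -LiteralPath $mount) {
    $audit = Get-OfflineSystemAudit -MountDir $mount
    $audit.Nla      | Format-List
    $audit.Setup    | Format-Table -AutoSize
    $audit.Services | Format-Table -AutoSize
}
```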
-
- With NLA: it needs the following keys and files
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\OSConfig
Security Packages Reg_Multi_Sz kerberos, msv1_0, wdigest, schannel, tspkg <<<<
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders
SecurityProviders = credssp.dll
new files: tspkg.dll, credssp.dll
I think you succeeded. Good work.
-
Thank you vvurat for the help with Mstsc and NLA.
netsh trace is too complex and not complete. So I tried Wireshark 64 and win10pcap: it works on WinPE 64!
Nevertheless, the win10pcap install fails on my VHD with the error: this is not a local drive.
Then I installed the driver with drvload and it's OK.
PDF V 2.2: update Mstsc
-
I would like some explanation of the following, if you don't mind.
write-host -ForegroundColor yellow "Enregistrement WMI pour netadapter"
regsvr32.exe /s storagewmi.dll
X:\Windows\system32\wbem\mofcomp.exe X:\Windows\system32\wbem\NetAdapterCim.mof
I have some problems with the network adapter properties. Without starting NetSetupSvc, it does not show the network adapter properties. NetSetupSvc cannot be set to automatic. I suspect WMI. What do these lines do, and what is the result if you do not get them to work?
# to enrich the log: Detailed Tracking, System
auditpol.exe /set /Category:'{6997984C-797A-11D9-BED3-505054503030}' /success:enable /failure:enable
auditpol.exe /set /Category:'{69979848-797A-11D9-BED3-505054503030}' /success:enable /failure:enable
# BSOD of WinPE with the line below: Object Access
#auditpol.exe /set /Category:'{6997984A-797A-11D9-BED3-505054503030}' /success:enable /failure:enable
What do the above lines do?
start-service PLA
$cible = 'HKLM:\System\CurrentcontrolSet\Services\PLA\Configuration'
$aclBase = get-acl $cible
How did you decide that the PLA service ACLs need to be fixed? I have not seen any ACL problem on PLA yet. I see ACL problems on winsocks2, dhcp, dnscache, mpssvc. Is the PLA service needed for PE?
Why is the "X:\sources" folder full of those files?
Clean up some cursor, media and winsxs files and gain space.
-
Hello vvurat
For the four points:
1. "regsvr32.exe /s storagewmi.dll
X:\Windows\system32\wbem\mofcomp.exe X:\Windows\system32\wbem\NetAdapterCim.mof"
in order to use the commands Get-NetAdapterAdvancedProperty, Get-NetAdapter, etc., it is necessary to register a COM object (interface PS and WMI ante?) and to save WMI objects (MOF).
At the beginning of the project, I used these commands to list the Wifi card. Currently, I use the Wifi API (codeplex) directly, which does not exploit WMI.
And over the versions, I cleared the files storagewmi.dll, NetAdapterCim.mof... from my list.
I'll fix it in the next version.
2 - auditpol.exe is a console mode program that is equivalent to secpol.msc. It allows viewing and editing local policies.
The commands are used in the script to enrich the 'Security' event log.
3 - The PLA service is used by "netsh trace stop" in the collection of information.
I noted this in a comment in the "traitement.ps1" script:
# the pla service creates an acl on the key configuration at startup: startup fails
# After this boot failure, modifying the acl to give total control to 'everyone'
# and it restarts the PLA service
4 - Why is the "X:\sources" folder full of those files?
I use the boot.wim file produced by the ADK (copype.cmd). The addition of all the packages proposed by Ms is then made with the DISM commands.
This generated boot.wim file actually contains these files in the directory 'sources'. I do not know why ADK files.
Thank you for the help !
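The PLA workaround in point 3 gives 'everyone' total control of a service configuration key. The following added example (not taken from traitement.ps1; function names are hypothetical) finds such grants by SID, so it also works on a French system where the group has a localized name, and can replace the grant with one scoped to a single account. That SYSTEM (S-1-5-18) is sufficient for the PLA service is an assumption to test in your own image.

```powershell
# Added example, not part of traitement.ps1. Function names are hypothetical.
$EveryoneSid = 'S-1-1-0'      # well-known SID of Everyone, the same in every OS language
$GenericAll  = 0x10000000     # GENERIC_ALL, as it can appear on inherit-only ACEs

# Lists Allow rules on a registry key that give Everyone full control.
function Get-EveryoneFullControl {
    param([Parameter(Mandatory = $true)][string]$Path)

    $full = [int][System.Security.AccessControl.RegistryRights]::FullControl
    foreach ($rule in (Get-Acl -Path $Path).Access) {
        if ($rule.AccessControlType -ne 'Allow') { continue }
        try {
            $sid = $rule.IdentityReference.Translate(
                [System.Security.Principal.SecurityIdentifier]).Value
        } catch {
            $sid = $rule.IdentityReference.Value   # unresolved account: keep the raw name
        }
        $rights = [int]$rule.RegistryRights
        $isFull = (($rights -band $full) -eq $full) -or (($rights -band $GenericAll) -ne 0)
        if ($sid -eq $EveryoneSid -and $isFull) {
            [pscustomobject]@{
                Path      = $Path
                Identity  = $rule.IdentityReference.Value
                Rights    = $rule.RegistryRights
                Inherited = $rule.IsInherited
            }
        }
    }
}

# Removes the explicit Everyone rules and grants full control to one account instead.
# Inherited rules are not touched by PurgeAccessRules.
function Set-ScopedFullControl {
    param(
        [Parameter(Mandatory = $true)][string]$Path,
        [string]$Sid = 'S-1-5-18'   # LocalSystem (assumption: the account the service needs)
    )
    $acl      = Get-Acl -Path $Path
    $everyone = [System.Security.Principal.SecurityIdentifier]::new($EveryoneSid)
    $account  = [System.Security.Principal.SecurityIdentifier]::new($Sid)

    $acl.PurgeAccessRules($everyone)
    $rule = [System.Security.AccessControl.RegistryAccessRule]::new(
        $account,
        [System.Security.AccessControl.RegistryRights]::FullControl,
        [System.Security.AccessControl.InheritanceFlags]::ContainerInherit,
        [System.Security.AccessControl.PropagationFlags]::None,
        [System.Security.AccessControl.AccessControlType]::Allow)
    $acl.SetAccessRule($rule)
    Set-Acl -Path $Path -AclObject $acl
}

# Key named in the post. Report first; apply the scoped grant only after reviewing the report.
$plaKey = 'HKLM:\System\CurrentControlSet\Services\PLA\Configuration'
if (Test-Path -Path $plaKey) {
    Get-EveryoneFullControl -Path $plaKey
    # Set-ScopedFullControl -Path $plaKey
    # Restart-Service PLA      # then confirm that "netsh trace stop" still completes
}
```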
-
Only the ADK setup package can copy such files, but there is no setup.exe in the wim. The files look randomly copied. If you use the ADK to create the wim, you probably add the setup package with DISM. Do you need that package?
-
A variable in the script contains the list of packages to add with DISM.
I have registered them all. I had no criterion to sort and eliminate unnecessary packages.
Unlike winbuilder, the GUI script has very few optional elements. The idea is that it is the user who modifies the script for his needs.
I will remove this package from my list in the next version.
-
PDF V2.3: how to add WireShark and Win10Pcap in winpe after it starts.
Maybe someone will find this useful.
This allowed me to play with ORCA. I do not know if this format will still be useful in a few years. I've never found a description of the sequence of actions.
I will test various changes to Mstsc and NLA before filing a new version of build scripts
-
I have problems with:
1-) NetSetupSvc and the related network adapter properties page being empty. NetSetupSvc starts but stops again. Adapter properties only show when NetSetupSvc is working. When NetSetupSvc is set to Automatic, the system changes its start value to manual again. I have tried to change its start to "2" (automatic) in the offline boot.wim. I have also tried to run it at boot, with no luck. (Your PE does not have such a problem.)
2-) Starting the Rasman service
3-) Desktop right-click "Graphic Properties" and "Personalize" give an error. It is a general problem and may be solved by changing the CLSID open value under the Classes key
4-) Trying to run Wwansvc gives a bluescreen and crashes the system.
If you work on and succeed with any of them, please inform me too :)
-
hello
We can change the wallpaper when WinPE is active. We need to modify the file ThemeCpl.dll. Not too complex!
The tool Resource Hacker, to explore and modify resources (big green compile button) and save changes, is here:
http://www.angusj.com/resourcehacker/
The only resource to edit: « UIFILE/1001 ».
The two strings of text to modify:
Before
ShellExecute = "ms-settings:personalization-background"
After
shellexecute="%windir%\\system32\\control.exe" shellexecuteparams =" /name Microsoft.Personalization/pageWallpaper /page pageWallpaper"
And
Before
ShellExecute = "ms-settings:personalization-colors"
After
shellexecute="%windir%\\system32\\control.exe" shellexecuteparams =" /name Microsoft.Personalization/pageColorization /page pageColorization"
For the test:
- boot WinPE
- from the network (or USB key or ...) copy the new file themecpl.dll into system32
- add your directory (which contains your jpg file) under the root, x:\fleurs
- right-click on the desktop
- select personalization
- click desktop Wallpaper
- click "browse..."
- select x:\fleurs
- in the combobox, select the new entry "fleurs"
- change your wallpaper
Same for the taskbar color.
A little more explanation is in the PDF V2.4
-
Hello,
A PS script to modify themecpl.dll!
Because I don't want to use an external program (not everyone has Resource Hacker on his PC), I wrote a little PS script to modify themecpl.dll.
The script modify-themecpl.PS1 assumes the language of the resource to modify is: 1033
The resource to modify: type = UIFILE and ID = 1001
To verify the language for this resource in themecpl.dll:
launch a PS console and change the working directory to the path where the script is located (command "CD ...\..\....")
And type:
". modify-themecpl.PS1 <the path\name of the file to verify>"
A sample:
". C:\Users\noel\Desktop\modify-themecpl.PS1 C:\Users\noel\Desktop\themecpl.dll"
An extract of the display:
Type : UIFILE
Name: 1001
Language: 1033
If the language is not right for you, modify the script (change 1033 to ... in [UInt16]$ushortLang = 1033)
Now to modify the file themecpl.dll:
". C:\Users\noel\Desktop\modify-themecpl.PS1 C:\Users\noel\Desktop\themecpl.dll C:\Users\noel\Desktop\mod-themecpl.dll -flgmodif"
Copy the file and rename it in your winpe10:
- if WinPE is active, copy it via USB/network into system32
- in the image boot.ini ( DISM mount/unmount ): not too complex
I'll modify the MicroWinpeBuilder script to modify the file themecpl.dll automatically.
Hope it helps.
-
Hello,
Big error :
I mainly use a VM with my WinPe in "flat" mode.
However, this morning I tested WinPe with the administrator session by booting from a usb stick.
Surprise: in the session administrator, several programs (such as powershell and cmd for example) trigger the display of the box:
"The Publisher could not be verified...".
However, this message does not appear in the VM that is built from the same boot.wim file.
For now I do not understand where this originates.
Another surprise: on the wallpaper, Alt + F4 Opens the box to stop and change of user.
It is just as effective as in a program mouse clicks whatever it is. But it engages only me.
Please, if you have an idea to fix this new error tell me quickly.
-
http://www.msfn.org/board/topic/170513-how-to-disable-security-popups-under-winpe/
It is strange that security popups disappeared with changing fbwf driver under my windows 8 pe. I do not know the connection between but you can give it a try and use another fbwf.sys.
-
Hello. Happy holidays.
There are 69 downloads but very little feedback to date.
Do not hesitate to tell me what you think of microwinbuilder, if you managed to do a test, to build a WinPE in this environment, if you can modify the scripts...
And above all, I am looking for friends who want to do some research to help me understand why adm logon triggers warning messages.
The issue:
In a VM, I make a VHD boot. I decompress boot.wim into this VHD. WinPE is OK!
In a VM, I boot from the ISO containing the same boot.wim as above: WinPE starts, opens the adm session, and the first PowerShell triggers a security message. If I click OK, everything is OK. But every program in system32 triggers the security message "the editor cannot be verified".
I did some things to investigate:
I took the software and system hives from winpeSe: software (modified to suppress dotnet 3.5... to make PowerShell run in this new environment) and system (add appinfo and start mpsSvc).
These differences came from a comparison with WinMerge (.reg files). But there is always the problem with USB boot. The other differences are minor, I think.
In eventvwr.msc, I see that the file usrclass.dat can't be created. It says "not enough space or access denied" (I don't remember the exact words).
I think the bug is more in the mechanics, in the sequence, not in the objects, because it's OK in WinPE "Flat".
So if someone is interested in investigating with me, it would make me happy.
See you soon !
-
hello,
I am still trying to resolve the anomaly detected with the ISO in WinPE during ADM logon.
Over my research...
I searched for a long time for how to make the "Open Command Window Here" option.
The http://www.tenforums.com/tutorials/3288-command-prompt-open-windows-10-a.html site
shows different methods to launch CMD.EXE.
The http://www.askvg.com/enable-open-command-window-here-option-in-context-menu-in-windows-vista/ site
shows how to get this option in the context menu without having to press the Shift key.
And surprise! Using the "Open Command Window Here" option or the "File/right click" menu, WinPE starts CMD.EXE fine without triggering the warning "the Publisher could not be verified..."
But with the keys "Windows + R", CMD.EXE (and others) triggers the warning box. Why this, and why only with an ISO and not "Flat"?
For my memory:
delete
HKEY_CLASSES_ROOT\Directory\Background\shell\cmd/extended
and
HKEY_CLASSES_ROOT\Directory\shell\cmd/extended
This alone solves nothing. But where to look?
-
hello,
The script Traitement.ps1 doesn't work with build 14393 because many file names in the script use the text "10586". I will correct that when I can ... too much sun in Nantes.
I think I shall not modify the scripts with the goal of being compatible with the two builds. The last build is the good build for me. Don't forget, these scripts are for "Learning"!
For my information: to construct WinPE for build 14393, it is better to delete or rename the destination directory, because step 1 = launch copype.cmd does not replace boot.wim with the one for the right build.
See you later....
-
hi,
I met many errors with build 14393. I made a V7 for this build. It's a first version. And only for this build 14393. No backward compatibility!
With the session "ADM", like winpese, I get a message "logonUi : exception breakpoint"
I see in eventvwr.msc that Windows.UI.logon.dll is the source (see picture).
I also see that Winpese "kills" the message window. As I say in my pdf, it is possible to use the console UI for Logonui.
For that, just rename Windows.UI.logon.dll to old.... It's simple, but a text window will open and display "welcome, the name adm, preparing Windows.." and after that explorer displays the wallpaper.
I modified the registry and hoped to get more description... no, only wer.dll.mui not present. So, only the report of WER.dll and nothing new.
With session "ADM", I also get the "editor unknown" error. I notice that if I do "tscon 1" to go to session "system" and do "tscon 2" in this session, when I return, a new process is OK. So, I think it doesn't need one more file or key, but some synchronization. And I can't find it.
See you later.
-
hi,
With version V8 (only for build 14393 - 1616), I notice differences when I use WinPE in the 3 ways:
- VM in Hyper-V and a VHD with boot.wim decompressed + bcd: I can't use the graphical logon UI (display freezes), only the console logon UI.
- the same VHD on a USB hard disk + bcd: graphical logon UI and the error (0x80000003, click and it's OK)
- the ISO (with the same boot.wim): graphical logon UI and the two errors (0x80000003 and "editor not verified", click and it's OK)
Why these differences?
For my memory, I noted these keys:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\
PeBootType = "flat" if VHD in VM or "RamDisk:SourceIdentified" if ISO
PeBootRamdiskSourceDrive = D:\ for ISO and it points to the usb stick
SystemStartOptions : options defined in BCD
I try to investigate with procmon, and I learned to load the symbols in procmon.
https://blogs.msdn.microsoft.com/vijaysk/2009/04/02/getting-better-stack-traces-in-process-monitor-process-explorer/
https://marc.durdin.net/2013/09/the-case-of-the-stack-trace-that-wouldnt/
Don't forget:
- "always copy a recent version of dbghelp.dll and symsrv.dll into the folder with procmon.exe, before starting a trace."
- use a cache folder for symbols and modify: srv*x:\symcache*http://msdl.microsoft.com/download/symbols
So, x:\symcache will contain the files for the next time you analyse; back it up on a big disk.
-
Why these differences?
Just an idea:
boot mode (SafeMode and UEFI/SecureBoot) forces the OS to use different graphics.
(which may affect your graphical logon UI !?!? just an idea :wink:)
who knows, maybe booting from .iso or usb or... also changes boot mode ;)
see Win10PESE topic
http://theoven.org/index.php?topic=1503.0
-
Just to note that there are no LogonUI worries when building with RS2 14936.
I gave up on my side on that error with Win10 1607. If someone really wants the Switch to Admin, he can use Win10 1511 (10586).
Have you noted any benefits of the Logon as Administrator?
-
I am very grateful that you took the time to answer me. Thank you very much for your support.
@Lancelot: I chose a VM in Hyper-V without UEFI (generation 1) and VHD (not VHDX). And on the PC, in setup, I disabled UEFI.
@Chris: I understand that build 1607 is not a good deal for Winpese nor MicroWinpebuilder.
I notice that the ADM session is only needed in WinPE for BITS, but I have never met someone who needs it in WinPE (nor elsewhere, someone who wants to create a server for that). In my last job, I used PowerShell, BITS and remote connections in PS a lot. It's just nostalgia that I like to check if it is available in WinPE.
One note: the console logon UI is not "Professional" but it is a little-known workaround.
And one question: is it possible to disable the "write-filter" of the registry in WinPE when it is used in flat mode?
-
And one question: is it possible to disable the "write-filter" of the registry in WinPE when it is used in flat mode?
Sadly not, it's caused by the WinPE entry in BCD store.
-
Hi,
I see in the forum that a guy asked about printers in WinPE. There are many, many printers, all very different. And it seems to me that it's difficult to find the right files (cat, inf, dll, etc.) before installing the printer. So, I think it's better to install a network printer. The right files are automatically downloaded from the PC that shares the printer.
In this version V8 of the microWinpeBuilder scripts, I can print from Notepad to my shared printer over wifi. If you use my current scripts, you must start the spooler yourself before launching the wizard or the command line to install.
I can't show you the printed paper, of course.
The picture shows the result of the installation.
A few words about my printer "Samsung SCX-4500 Series". I discovered that the print processor is a 32-bit program. So Wow64 is mandatory for this printer.
I must say that the printer is not visible in the control panel "devices and printers". But it is really visible in "Notepad/print". You can see your document and manage it if you use "right click/printer option" from the menu "print" in Notepad.
Before using the network printer, I tried with a USB printer. But it's difficult to identify the right files, and the spooler was not good when I did the try. The USB monitor is automatically installed when the printer is detected. I install the printer drivers with devmgmt.msc after I have plugged in the printer.
I'll try to put more explanation in the pdf later.
I hope someone tries it and reports his "experience" back to me.
-
Not much time to test Noël but I'll try to find some, it is Interesting :thumbsup:
-
hi,
My first print via USB in WinPE!
My printer has many 32-bit programs. I added many files in WOW64. And now I can print to my printer connected via USB.
I install it in the adm session. And after the installation, it is available in the system session (tscon 1 to go ...). And I can also print in this system session.
A picture, but it's true, you can't see the paper come out of the printer.
On the picture, you can see that the printer is not connected. I want to show the document in the spooler. But the document goes to the printer if I connect it.
BUT it is not visible in the "control panel\devices and printers".
To see the printer and interact with it, I open Notepad, click "print", then right-click on the printer and choose "open" or "properties".
At the beginning, I got the error for a long time: "startdocprinter error" (I'll put a picture when I get it). And to bypass this, I modified the key "SystemSetupInProgress".
I must do more on it for it to work well automatically.
-
tips before modifying:
- wifi: disable and enable the card before using wificonnexion.ps1
- session adm:
use tscon 1 and tscon 2 to prevent the message "editor not verified"
the error message at the beginning of the adm session is not important
-
hi,
I am trying to play with the scanner of my printer.
I think the installation of the driver is OK, as I can see in devmgmt.msc.
But with wfs.exe or with imagingdevices.exe, I get the error message "no scan is detected".
I put a picture to show the context.
Something is wrong: if you have an idea .....
-
hi,
For the scanner, I modified some keys and I see the scanner in imagingdevices.exe.
With wfs.exe, I get a new message "scan can't continue".
I saw the architecture of WIA here
https://msdn.microsoft.com/en-us/windows/hardware/drivers/image/wia-architecture-overview
https://msdn.microsoft.com/en-us/windows/hardware/drivers/image/wia-core-components
And I get more info in the log \debug\wiadebug.log.
I activate the log with the keys
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\StillImage\Trace\wiaservc.dll]
"TraceFlags"=dword:00000007
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\StillImage\Trace\sti.dll]
"TraceFlags"=dword:00000007
I can see in this log that WIA sees one hardware device, but there is an "access denied" error in DCOM:
ERROR: CreateLocalDevice, Initialize of root item failed (0x80070005)
I put a picture to show the context and the WIA log
Q: why are keys not completed during installation? Because of the method of installation? I first install wiasa003.inf with DISM during preparation of boot.wim, and after, when WinPE is started, PNP installs the step wiasa003. And after that, I launch "drvload scx4500.inf" to complete the installation
an idea ....
-
hi,
My first scan with the scanner of my Samsung SCX4500 printer: OK
My first scan with my printer is OK.
I will make another test in the calm. I think I have the right elements but not the right sequence.
But the question is still: during installation, why are some keys missing under ....\control\class\{6BB... ?
It's not very useful but it's a good game. I saw in the forum that a guy asked about printers and I said to myself: can I play with a printer?
I know, each printer and scanner is particular and it's not easy for anyone to add his printer. I use DISM because it's a simple way for me.
I isolate my drivers and put them in my scripts. Not really reproducible. But it's a good way to learn, not to "eat a raw steak".
I'll make more modifications to automate the work.
Good evening.
-
hi,
I'm trying to find the package "scx4500.inf_amd64_47a7ea2a0d75d8c7".
On my Windows 10 Pro, I looked in the file setupapi.dev.log and I found a surprise:
" sto: {Setup Import Driver Package: c:\programdata\microsoft\windows\devicesoftwareupdates\1f79ef28-b3f9-4de5-8b6e-26332c0c3f65\scx4500.inf} 22:38:04.617
inf: Catalog File: SCX4500.cat
"
It's really my package, but I don't know this "temporary" repository "devicesoftwareupdates".
And later in the log, I see that this directory is copied into the driverstore.
But I can't find this package in the Windows 10 Enterprise ISO.
Please, can someone explain to me where to find my package and describe the "import driver package" mechanism?
Thank you very much
-
Good evening,
I can print (USB and network) and scan, but it needs manual steps.
For a summary of my investigation around my printer/scanner:
1 - when connecting the USB port on the PC, the installation of :
-the printer managed correctly. However, it needs the following treatment:
After you select the printer and before printing, there are changes the SystemSetupInProgress key
Eventually, do net start/net stop spooler.
-Scan works properly. Nevertheless, certain keys are not entered in the register
Therefore, treatment: adding keys, net start/net stop stisvc
2. for PDF and XPS printers, I failed installation.
Fact: due to the method of installation of ntprint.inf and ntprint4.inf with DISM, the hive Drivers does not point
entry ntprint.inf or ntprint4.inf. Indeed the mechanism "DISM" renames these entries with names starting with OEMxxxx.inf.
Consequence: in the session System, i load the hive Drivers and change these entries.
To find good entries to rename, you can consult the file...\mount\...\inf\setup.dev.offline.log
Pre installation: when the spooler starts with SystemSetupInProgress = 0, it pre-installs (IMPORT section in setup.dev.log)
inf files in the directory under x:\windows\system32\spool\tools\microsoft... ( copied in boot.wim ).
Then, you must install these printers with "control.exe/devices and printers" for example.
To select: use the last choice 'add a local printer...', then select the port "PortPrompt". Are displayed on left side "manufacturer" (microsoft)
and on the right, the 2 printers PDF and XPS.
Then we start the installation ... and error message appears:
"cannot install the printer.
Invalid descriptor".
The procmon trace does not tell me more. I don't know from where this descriptor comes. ( translator : ggrrrrr )
Next week, I will compare with installation on a windows 10 OS.
-
hi,
The PDF and XPS printers are OK. I'll write a text about that. And I'll update the scripts.
It was long, very long. And not really useful, I admit.
My wrong idea: using the GUI to install the PDF and XPS printers
The right way: it's the spooler that installs these two printers automatically. It only needs the right files put in the right place.
And "start-service spooler" with the modification of systemSetupInProgress. And after 1 or 2 minutes, the printers are there.
Not visible in the control panel but visible in Notepad.
It's difficult to put up a picture to show the creation of a file by the PDF/XPS printer. So believe it or not .....
"gwmi win32_printer" displays capabilities but not "printing".
It's time to sleep for me.
-
So believe it or not .....
I believe :thumbsup:
spooler is one of things not changed much for very long time (Win2000, NT4, ....)
And not really useful, I admit.
that is the reason very rarely (once 5 year I guess) someone find and share the way found :wink:
On good side, to me, it is always good to have more solutions at hand :thumbsup:
And after 1 or 2 minutes, the printers are there.
Well on Gena it is same, spooler not changed much. :wink:
I'll write a text about that.
I hope Chris can follow easily this on SE.
:turtle:
-
hi,
I updated v10 (scripts and pdf) for the PDF/XPS printers.
I put details in the script "traitement.ps1" because it evolved during the investigation. But it's in French.
I'm taking a break because I'm stuck on all tracks.
Everyone is welcome to respond about the various anomalies that I can't fix (invisible printers in the control panel, for example...)
See you later.
-
hi,
Last week was difficult. I wanted to test 'Windows To Go'. I bought a 32 GB USB3 key.
But PWCREATOR.EXE considered that it would be inappropriate because it found only a little more than 29 GB.
So I used the "manual" method with "dism and bootbcd".
The construction was very long, as if the key were USB2.
I got started with this USB3 key on a port USB3. The installation is successful, but it's very long also.
But the worst is when using Windows To Go. Everything was slowed down. Unusable.
The performance monitor indicated that the drive corresponding to the key was used 100% continuously.
I therefore rebuilt WTG on an old key USB2. But no luck. DISM reported an error.
I wasn't in front of the PC. The key had become unusable: write-protected.
I looked for the "wonderful" software available on flashboot.ru or usbdev.ru.
It took several days to find software compatible with my key's controller (alcor Au6983).
A misguided click started installing a piece of software on my PC under Windows 10.
And I said to myself: I just caught a virus.
The curiosity was too strong. I launched the software. Windows 10 reported that it refused to load a driver.
I am grateful to it for that. I got a little integration of this software in the OS.
And so I took out my old laptop, which is still under XP SP3.
With XP, I was able to launch many of these programs. None detected my key.
I tried to modify an .ini file with the hope to steer the recognition of my key.
When it was recognized, I even modified random parameters. Then I clicked on "start".
Of course the software reported errors. I did it again. In less than a minute, it was over.
And my key was operational again.
I launched the antivirus on my Pc on windows 10. Two days. Malware :"JS/Fashack.G" serious and active!
Found only in Firefox. Surprise for me.
One day I'll take care of the PC under XP.
So I tested WTG with this USB2 key. Just as slow. Unusable.
I've moved on a bit with Windows Media Player: now I can play MP3 files. I will modify my scripts later.
I can also play .wav files with PowerShell (2 lines!) with the "MCISendString API" of winmp.dll.
But WMP will not play the .wav files.
-
hello,
Only with 1607 build 14393 :
In the case of a boot from a VHD mode "flat" (from a VM hyperV or from USB disk), the session "Administrator" does not open.
Workaround:
Rename Windows.UI.Logon.dll to - Windows.UI.Logon.dll
In the current state of the scripts, it is possible to create a file x:\noAdm which prohibits the launch of "tsdiscon.exe". We can do all the necessary investigations before launching tsdiscon manually.
And if you find a solution, please tell me.
-
Only with 1607 build 14393 :
In the case of a boot from a VHD mode "flat" (from a VM hyperV or from USB disk), the session "Administrator" does not open.
Interesting info...
Workaround:
Rename Windows.UI.Logon.dll to - Windows.UI.Logon.dll
maybe you mean:
Rename Windows.UI.Logon.dll to - Windows.UI.Logon.dl_
:turtle:
-
@Lancelot: thank you, you are right.
A space was added by the translator at the beginning of the name. I have a bad habit of renaming by adding a "-" at the beginning of the name and not changing the extension. I'll change this very bad habit in 2017.
Happy new year 2017!
-
Happy New Year :xmas-beer:
:turtle:
-
hello,
I am playing with "ChangeResolution" to modify the width and height of the screen in PS for WinPE.
MSDN says that WM_DISPLAYCHANGE is sent to all windows when the display resolution has changed.
And here https://msdn.microsoft.com/en-us/library/windows/desktop/dd183411(v=vs.85).aspx, MSDN says "When the display mode is changed dynamically, the WM_DISPLAYCHANGE message is sent to all running applications with the following message parameters." But with my PS script, the desktop doesn't adapt itself. I must kill the explorer.exe task and launch it again for a good desktop.
If someone knows the solution, please tell me.
-
Hi Noel
Win10PESE uses JFX'Fixscreen Taskbar hides bottom application window Reply #5 (http://theoven.org/index.php?topic=1570.msg18679#msg18679)
If you want to code it yourself, look at win10pese x86 and desktop wallpaper (http://theoven.org/index.php?topic=1705.msg19879#msg19879)
-
Good evening ChrisR,
But how on earth did JFX work out that a WM_DISPLAYCHANGE had to be sent on receiving a WM_SETTINGCHANGE?
It works!
How did JFX find that, to adapt the task bar on the desktop (explorer), it needs to send WM_DISPLAYCHANGE after the system sends WM_SETTINGCHANGE?
And why doesn't WinPE do that?
Many questions without answers, I suppose.
I'll post PS scripts so anyone can see for himself how to change the screen resolution from WinPE, dynamically and manually.
-
No idea why explorer doesn't correctly respond to the change.
The tool just waits for a WM_DISPLAYCHANGE message and does the following:
; Desktop
SHChangeNotify_(#SHCNE_ASSOCCHANGED , 0, 0, 0)
SendMessage_(#HWND_BROADCAST, #WM_SETTINGCHANGE, 0, 0)
; Taskbar
hwnd = FindWindow_("Shell_TrayWnd", 0)
If hwnd
  abd\cbSize = SizeOf(APPBARDATA)
  abd\hwnd = hwnd
  SHAppBarMessage_(#ABM_GETSTATE, abd)
EndIf
; Wallpaper
If Not SystemParametersInfo_(#SPI_GETDESKWALLPAPER, #MAX_PATH, @sWallpaper, 0)
  If RegOpenKeyEx_(#HKEY_CURRENT_USER, "Control Panel\Desktop", 0, #KEY_QUERY_VALUE, @hKey) = #ERROR_SUCCESS
    dwsize = #MAX_PATH
    RegQueryValueEx_(hKey, @"Wallpaper", 0, 0, @sWallpaper, @dwsize)
    RegCloseKey_(hKey)
  EndIf
EndIf
SystemParametersInfo_(#SPI_SETDESKWALLPAPER, 0, @sWallpaper, #SPIF_UPDATEINIFILE)
-
Hello JFX,
Thank you very much for sharing your code.
I hope you understand my poor English; I am trying without a translator.
May I ask you another question? How did you find the need for the "sendmessage WM_SETTINGCHANGE"?
I think I don't use the right tool or the right method to investigate. I tried spy++ in WinPE without result. On the internet, I found only references to "WM_ChangeDisplay".
Thanks again
Note: I'll test more, but I think that WM_SETTINGCHANGE is the only message needed in "my winpe" when changing the screen resolution.
-
Hello Noel,
SHChangeNotify_(#SHCNE_ASSOCCHANGED , 0, 0, 0)
SendMessage_(#HWND_BROADCAST, #WM_SETTINGCHANGE, 0, 0)
It's just the usual code I use to force refresh desktop icons.
In my WinPE it's not 'always' enough.
Default vga or latest nvidia driver make a difference, but also start menu replacements cause different behavior.
-
Hello JFX,
Thank you very much. Merci beaucoup.
My question was about the tools you use to find it.
And I understand that it's only your experience as a programmer that puts you on the track of the solution.
I also understand that this sendmessage alone is not enough for you, because you are faced with many different contexts.
Once again, thank you for taking the time to answer me.
In the microWinpeBuilder context, I use this attached PS script with a GUI to change the screen resolution with your tips. It's OK for me.
-
Hello,
I'm trying to understand why the button in the task bar at the bottom right does not show the desktop.
I have no ambition of finding the answer, but I want to have a look and to put tools like Spy++ and WinDbg into practice.
1 - Address of the WndProc of the button whose class is "TrayShowDesktopButtonWClass".
It is easily found with Spy++. But I cannot find it with the GetWindowLongPtr API.
The following code snippet returns 0 and GetLastError returns 50 (decimal): The request is not supported.
While I get all the other indexes (hinstance, type).
I don't understand why I get "GWL_HINSTANCE" but not "GWL_WNDPROC".
If someone can explain it to me...
$code=@'
using System;
using System.Runtime.InteropServices;
namespace Win32_API
{
public enum GWL
{
GWL_WNDPROC = (-4),
GWL_HINSTANCE = (-6),
GWL_HWNDPARENT = (-8),
GWL_STYLE = (-16),
GWL_EXSTYLE = (-20),
GWL_USERDATA = (-21),
GWL_ID = (-12)
}
public class Win32_API_Class
{
[DllImport("user32.dll", EntryPoint="GetWindowLongPtr", SetLastError = true )]
public static extern IntPtr GetWindowLongPtr(IntPtr hWnd, int nIndex);
[DllImport("kernel32.dll")]
public static extern uint GetLastError();
//https://blogs.msdn.microsoft.com/adam_nathan/2003/04/25/getlasterror-and-managed-code/
[DllImport("user32.dll", SetLastError = true)]
public static extern IntPtr FindWindow(string lpClassName, string lpWindowName);
[DllImport("user32.dll", SetLastError = true)]
public static extern IntPtr FindWindowEx(IntPtr parentHandle, IntPtr childAfter, string className, string windowTitle);
static public IntPtr GetWindowLongPtr_(IntPtr hWnd, int nIndex)
{
IntPtr ret = GetWindowLongPtr( hWnd, nIndex);
if (ret == IntPtr.Zero){
Console.Write("GetLastError : {0}", GetLastError());
}
return ret;
}
}
}
'@
add-type -TypeDefinition $code
$h1 = [Win32_API.Win32_API_Class]::FindWindow("Shell_TrayWnd", "");
$h2 = [Win32_API.Win32_API_Class]::FindWindowEx($h1, 0, "TrayNotifyWnd", "");
$handle = [Win32_API.Win32_API_Class]::FindWindowEx($h2, 0, "TrayShowDesktopButtonWClass", "");
"Handle de TrayShowDesktopButtonWClass : {0:x}" -f [int]$handle
$hinst=[Win32_API.Win32_API_Class]::GetWindowLongPtr( $handle, [int][Win32_API.GWL]::GWL_HINSTANCE)
"hinst : {0:x}" -f [int64]$hinst
[Win32_API.Win32_API_Class]::GetWindowLongPtr_( $handle, [int][Win32_API.GWL]::GWL_WNDPROC)
#WindowProc given by Spy++: c68D1FB0, but there is no segment, just the offset
2 - Trace the code of the WndProc of "TrayShowDesktopButtonWClass" with WinDbg in a normal Windows 10
As Spy++ provides the WndProc and the PID, I can use WinDbg with the Hinstance as "segment". Otherwise, I do not know which segment to use.
The WndProc handles different "WM_message" values, such as 0x81 (WM_NCCREATE) and 0x82 (WM_NCDESTROY).
The messages that activate the display seem to be: WM_LBUTTONDOWN = 0x201 and WM_LBUTTONUP = 0x202.
These messages are identified by Spy++.
The passing of parameters in x64 is a little disturbing.
Explorer!CWRLImpWndProc<CShowDesktopButton>::s_WndProcBase --->>> parameters: handle = RCX, Msg = RDX, wParam = R8, and lParam = R9.
The WM_LBUTTONUP code is currently being analysed. There's an interesting piece of code:
Explorer!CShowDesktopButton::_HandleLButtonUp+0x7f:
00007ff6`c69addd3 e8f85affff call Explorer!CShowDesktopButton::_ActivateLivePreview (00007ff6`c69a38d0)
00007ff6`c69addd8 e8df020000 call Explorer!CShowDesktopButton::_ToggleDesktop (00007ff6`c69ae0bc)
This last function sends a WM_message = 0x579 to the window "Shell_TrayWnd".
And if I launch a SendMessage (need to test with PostMessage!), then the desktop is displayed in normal Windows 10.
But it does not appear in WinPE.
I conclude that I must also trace "Shell_TrayWnd", which will be much longer!
$signature = @"
[DllImport("user32.dll", SetLastError = true)]
public static extern IntPtr FindWindow(string lpClassName, string lpWindowName);
// HWND, WPARAM and LPARAM are pointer-sized: declare them as IntPtr so nothing is truncated on x64
[DllImport("user32.dll")]
public static extern IntPtr SendMessage(IntPtr hWnd, uint Msg, IntPtr wParam, IntPtr lParam);
"@
#Add the SendMessage function as a static method of a class
$Win32_API = Add-Type -MemberDefinition $signature -Name "C_Win32_API" -Namespace Win32Functions -PassThru
$h1 = $Win32_API::FindWindow("Shell_TrayWnd", "");
"{0:x}" -f [int]$h1
$Win32_API::SendMessage($h1, 0x579, [IntPtr]3, [IntPtr]::Zero)
-
hello,
Chris found the solution for "session ADM".
And during this research, I found why ie64 doesn't work well. A file is missing in microWinpeBuilder: ieframe.dll.mui
So, I'm glad to write this reply from IE64 in MicroWinpeBuilder in a VHD in flat mode. :smile:
I tested downloading a file = OK
I put a picture ...
I am preparing a new version of my PDF (version 3) to explain about ie64. I'll post it as soon as possible.
PS: with ie64 in WinPE, I have difficulties signing in to this site: I receive the page "verify cookies..." many times
password management seems not to work
download and download history = OK
-
Chris find the solution for "session ADM".
Thanks, but you can write We :thumbsup:
About IE32, IE64, do you have it also in the System Session with the download feature or only with the administrator account ?
For the password, maybe you can take a look at Win8.1SE IE11 plugin if it can help.
-
I am replying from the System session. But download doesn't work.
I am trying to investigate ..... But security for System is hell/evil
-
@ChrisR
From the System session: files are downloaded well but not displayed
I found them in the directory (many tries before I looked in the directory).
See picture...
-
I continue to play with IE11 64-bit in the ADM session. I wanted to use the F12 debugger. At first, some files were missing.
Now, I can get the network trace. It uses the service "diagnosticshub.standardcollector.service".
I also tried "fiddler". In my first test, Fiddler asked to install its certificate for HTTPS. I installed it with certutil.exe.
Not a revolution.
-
Hello,
Today, I play with windbg.exe. I look into the code of Shell_TrayWnd.
As said in some posts before, with Spy++, and as it was said in old posts on theoven, the message 0x579 is sent to the wndproc of Shell_TrayWnd when you want to swap to/from the desktop. With WinDbg, I found a byte in this wndproc which enables the displaying of the desktop, and the reverse swap.
I put here some information from IE in WinPE (yes, it works well enough, but I can't attach a file).
I will translate as soon as possible.
A - Configure the symbol servers and the network for WinDbg
B - We saw with Spy++ that the window Shell_TrayWnd receives the message 0x579 with wParam = 3
C - Identify the handle and the address of the WndProc of Shell_TrayWnd
with Spy++, which gives the offset of this window and the handle
with a bit of PS, which gives the Hinstance, from which we keep the segment
7ff7`B8714A40
D - So we can attach WinDbg to the explorer.exe process (administrator desktop)
1 - We put a conditional breakpoint with:
bp 7ff7`B8714A40 ".if (rcx == 0x2007E & rdx == 0x579 & r8 == 3) {.echo msg ok} .else {gc;}"
E - We click at the bottom right of the screen
F - WinDbg's activity greatly slows the 'explorer' process: wait
2 - Code analysis: the wndproc begins with a big "switch" to process the WM_xxxxxxxx messages
3 - Symbols and single-stepping allow navigating in the code
Explorer!CImpWndProc::s_WndProc : for the wndproc
Explorer!CTray::v_WndProc : for the processing carried out by this wndproc; other messages are sent to "child" windows (I suppose)
4 - The switch is sometimes complex, certainly because it is optimized by the compiler.
Here the value of the message 0x579 is manipulated to become an index into a table of pointers
Explorer!CTray::v_WndProc+0x404:
00007ff7`b8716964 8d83affaffff lea eax,[rbx-551h]
00007ff7`b871696a 83f87d cmp eax,7Dh
00007ff7`b871696d 779c ja Explorer!CTray::v_WndProc+0x3ab (00007ff7`b871690b) [br=0]
00007ff7`b871696f 488d158a96fbff lea rdx,[Explorer!std::_Uninit_move<Microsoft::WRL::ComPtr<IBadgeVisualRenderRequest> * __ptr64,Microsoft::WRL::ComPtr<IBadgeVisualRenderRequest> * __ptr64,std::allocator<Microsoft::WRL::ComPtr<IBadgeVisualRenderRequest> >,Microsoft::WRL::ComPtr<IBadgeVisualRenderRequest> > <PERF> (Explorer+0x0) (00007ff7`b86d0000)]
00007ff7`b8716976 0fb68402607b0400 movzx eax,byte ptr [rdx+rax+47B60h] ds:00007ff7`b8717b88=0d
00007ff7`b871697e 8b8c82a87a0400 mov ecx,dword ptr [rdx+rax*4+47AA8h] ds:00007ff7`b8717adc=0004698a
00007ff7`b8716985 4803ca add rcx,rdx
00007ff7`b8716988 ffe1 jmp rcx {Explorer!CTray::v_WndProc+0x42a (00007ff7`b871698a)}
5 - Continuing the step by step, we find a call whose name is evocative
Explorer!CTray::v_WndProc+0x43d:
00007ff7`b871699d e88af1ffff call Explorer!CTray::_RaiseDesktop (00007ff7`b8715b2c)
6 - Continuing, we find a test that branches to an error case (my assumption at the time, because the text there is also evocative)
Explorer!CTray::_RaiseDesktop+0x29:
00007ff7`b8715b55 3899f9020000 cmp byte ptr [rcx+2F9h],bl ds:00007ff7`b88f5b19=01 <<<<<<<<<<<<<<< the byte !!!
00007ff7`b8715b5b 0f85ab5a0700 jne Explorer!`TileBadgeProviderLogging::Instance'::`2'::`dynamic atexit destructor for 'wrapper''+0x13dcc (00007ff7`b878b60c) [br=1]
G - I quit WinDbg and restart it to place a single breakpoint on this cmp instruction in order to change the value of this byte
bp 00007ff7`b8715b55 ".if (r8 == 0x579 & r9 == 3) {.echo msg ok} .else {gc;}"
H - I click at the bottom right of the screen
I - I change the byte
J - The display toggle takes place! It persists as long as I do not leave the administrator session.
Conclusion: this isn't a huge step forward. But this has occupied my day.
-
hello,
It took very long, but I got it: with a hook DLL, I can reset the byte "base + 2F9".
And now, the "Windows + D" key is enabled/active. :wink:
Yes, WinPeSe has had it for a long time with the use of "wind.exe and MsgHook.dll".
And yes, this solution is not a good idea because with the next version of WinPE, the address will be modified.
But now, with WinDbg, it becomes perhaps possible to find why and when this byte is set to 1.
For my memory, the base is given by Spy++ in the "window bytes".
I put the two codes here. I compile them with VS Community 2013 in 64-bit only. Creating a project and adding these codes seems simple.
And yes, my code is horrible; I'm not a good developer.
To install: in a cmd, launch the program; it puts a hook in Shell_TrayWnd and waits, so explorer loads the DLL and the DLL modifies the byte. You can then press a key in the cmd, and the program removes the hook. If explorer is killed (tscon 1 for example), the byte becomes set to 1 again, and it needs to be done again.
Sorry for my English. I hope someone can understand...
-
Great work Noel :thumbsup:
For x86 it's *CTrayObj + 0x231
-
@JFX I am very touched by your words of encouragement.
It's true that I leave the 32-bit version completely aside. I'm not very good at managing multiple environments.
Currently, I'm trying to follow the creation of this byte with WinDbg. The breakpoint "ba r 1 adr" set when loading explorer does not fire when the byte is set to 1. Here, I do not understand.
Perhaps not the right method....
PS: Do you think it will be possible to find the address of this byte "automatically" for the next versions?
-
Hmm, will be difficult to find it for other version.
Would be easier if we could find the reason why this byte is set in WinPE.
-
hello,
Not easy to follow the life of this byte. The "ba r 1 adr" breakpoint does not fire when this bit is set to 1. But it triggers on reads. The doc makes it clear that the option "r" means "read and write". I tried to "go back" starting from the RegisterClass call. But this byte is already set before the first call.
0:000> db 7FF7`93FC5B19 --->>> 00007ff7`93fc5b19 00
bp USER32!RegisterClassExW
g
ModLoad: 00007ff8`18840000 00007ff8`1886e000 X:\windows\System32\IMM32.DLL
ModLoad: 00007ff8`18f60000 00007ff8`190bb000 X:\windows\System32\MSCTF.dll
Breakpoint 0 hit
0:000> db 7FF7`93FC5B19 --->>> 00007ff7`93fc5b19 01
Searching a little more (for a long time, even), I found a loop (n = 0x19): call msvcrt!_guard_dispatch_icall_fptr. It is located at msvcrt!initterm+0x3d. The byte changes value between iterations 0xB and 0x16. I wasted a good amount of time.
As it is certainly the initialization of global data, I guess that the default value is 1. And so this byte must certainly change its value through an external action (message or later test).
It seems more sensible to put a "ba" breakpoint on this byte while loading an explorer in W10. But I must say that I am a little tired today. :sad:
-
Today it's raining.
I just followed the changes to the byte 2F9 in "explorer.exe" in Windows 10 build 14393.rs1_release_inmarket.170303 - 1614. But I think it would be the same in all versions of this build 14393.
The attached file contains the WinDbg trace and my comments in French.
I translate the most important here.
Getting started: check the address and the 'window bytes' with Spy++ for the window "Shell_TrayWnd".
Start WinDbg. Kill explorer.exe. In WinDbg, open the program "explorer.exe".
Compute the address of the byte: the base is provided by Spy++ in the 'window bytes'. Add 2F9 for build 14393.
Note: I don't remember if I explained how to find this address.
Place the breakpoint:
ba w 1 00007ff6`01e76b59
and GO (g in the file)
explorer starts and loads several other DLLs.
If the address is correct, then the breakpoint is triggered.
Breakpoint 0 hit
explorer!CTray::v_WndProc+0xfa6:
00007ff6`01c96a86 84c0 test al,al   <<< it is the previous instruction which is important!
Now, how to get the code before this instruction?
Because it's really the preceding code that will tell who changes this byte and how. Trying to disassemble going backwards through the addresses, we quickly find that it is not possible to identify the address of the "jmp" that led to this "mov at 00007ff6`01c96a7f" in my case.
Therefore, start from the entry of the WndProc of the window.
But looking at the values of the registers, and noting that the instructions following this code launch a "PostMessage", I think that the processing should not be very long and that it may be a response to another message, which is why "0x5BA" is contained in the registers rbx and r8.
So we go to the WndProc with:
u explorer!CTray::v_WndProc
see the code in the file if you need...
I guess that msg = 5BA, as I see in rbx and r8 at the time of the "ba" breakpoint
I need to get the right address:
00007ff6`01c95ef6 0fb68402e0700400 movzx eax,byte ptr [rdx+rax+470E0h]
00007ff6`01c95efe 8b8c8228700400 mov ecx,dword ptr [rdx+rax*4+47028h]
00007ff6`01c95f05 4803ca add rcx,rdx
00007ff6`01c95f08 ffe1 jmp rcx
So:
rax = 0x5BA - 0x551 = 0x69
rdx = 00007ff6`01c50000? The load base of the program, according to the logic of loading a program in PE format
byte ptr [rdx + rax + 470E0h] = 00007ff6`01c50000 + 0x69 + 0x470E0 = 00007ff6`01c97149 = 0x1B
0:010> d 00007ff6`01c97149
00007ff6`01c97149 1b 1c 2d 1d 1e 1f 2d 20-21 22 23 24 25 26 27 2d... -...- !" #$%&'-
dword ptr [rdx + rax * 4 + 47028h] = 00007ff6`01c50000 + (0x1B * 4) + 0x47028 = 00007ff6`01c97094
0:010> d 00007ff6`01c97094
00007ff6`01c97094 74 6a 04 00 e0 65 04 00-45 6a 04 00 63 04 00 tj b9 e... EJ... c...
74 6a 04 00 in memory = 0004674 in address
rcx = 00007ff6`01c50000 + 0x00046A74 = 00007ff6`01c96a74
And jmp rcx!
And there's the code at 00007ff6`01c96a86, at the breakpoint :smile:
0:010> u 00007ff6`01c96a74
explorer!CTray::v_WndProc+0xf94:
00007ff6`01c96a74 397d88 cmp dword ptr [rbp-78h],edi
00007ff6`01c96a77 0f8526660700 jne explorer!`TileBadgeProviderLogging::Instance'::`2'::`dynamic atexit destructor for 'wrapper''+0x15123 (00007ff6`01d0d0a3)
00007ff6`01c96a7d 8bc7 mov eax,edi
00007ff6`01c96a7f 418887f9020000 mov byte ptr [r15+2F9h],al >>>>>>>>>>>>>>>>> this is indeed the address of the ba breakpoint
00007ff6`01c96a86 84c0 test al,al
00007ff6`01c96a88 0f851f660700 jne explorer!`TileBadgeProviderLogging::Instance'::`2'::`dynamic atexit destructor for 'wrapper''+0x1512d (00007ff6`01d0d0ad)
00007ff6`01c96a8e 4138bff8020000 cmp byte ptr [r15+2F8h],dil
00007ff6`01c96a95 0f8512660700 jne explorer!`TileBadgeProviderLogging::Instance'::`2'::`dynamic atexit destructor for 'wrapper''+0x1512d (00007ff6`01d0d0ad)
0:010> u
explorer!CTray::v_WndProc+0xfbb:
00007ff6`01c96a9b 440fb6c0 movzx r8d,al
00007ff6`01c96a9f 4533c9 xor r9d,r9d
00007ff6`01c96aa2 ba0c040000 mov edx,40Ch
00007ff6`01c96aa7 498b8fa0000000 mov rcx,qword ptr [r15+0A0h] UNKNOWN RECIPIENT but but but .....
00007ff6`01c96aae ff15c4431800 call qword ptr [explorer!_imp_SendMessageW (00007ff6`01e1ae78)]
00007ff6`01c96ab4 e918f3ffff jmp explorer!CTray::v_WndProc+0x2f1 (00007ff6`01c95dd1)
Summary:
someone sends the message 0x5BA with wParam = 0 and lParam = 0 to the window "Shell_TrayWnd"
The final test: in WinPE, run this piece of PS
$code=@'
using System;
using System.Runtime.InteropServices;
namespace Win32_API
{
public class Win32_API_Class
{
[DllImport("user32.dll", SetLastError = true)]
public static extern IntPtr FindWindow(string lpClassName, string lpWindowName);
[DllImport("user32.dll", SetLastError = true)]
public static extern IntPtr FindWindowEx(IntPtr parentHandle, IntPtr childAfter, string className, string windowTitle);
// HWND, WPARAM and LPARAM are pointer-sized: declare them as IntPtr so nothing is truncated on x64
[DllImport("user32.dll")]
public static extern IntPtr SendMessage(IntPtr hWnd, uint Msg, IntPtr wParam, IntPtr lParam);
}
}
'@
add-type -TypeDefinition $code
$handle = [Win32_API.Win32_API_Class]::FindWindow("Shell_TrayWnd", "");
$iRet = [Win32_API.Win32_API_Class]::SendMessage($handle, 0x5BA, [IntPtr]::Zero, [IntPtr]::Zero);
And bingo!
It would be interesting to know who the sender of this message 5BA is.
Is there a method without WinDbg?
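The two-table lookup worked through by hand in the post above, written as an added Python example that is not part of the original thread: it replays the same arithmetic over the bytes shown in the two memory dumps. The `SparseMemory` helper and all function names are hypothetical, and the `7Dh` bound is taken from the earlier listing and assumed to apply to this build as well.

```python
"""Resolve a two-level compiler switch table like the one decoded by hand above."""
import struct
from dataclasses import dataclass

# Constants read off the disassembly quoted in the thread (explorer.exe, build 14393).
IMAGE_BASE = 0x00007FF601C50000   # rdx: load base of explorer.exe in that session
FIRST_CASE = 0x551                # lea eax,[rbx-551h]
MAX_INDEX = 0x7D                  # cmp eax,7Dh / ja default (assumed same in this build)
BYTE_TABLE_RVA = 0x470E0          # movzx eax,byte ptr [rdx+rax+470E0h]
DWORD_TABLE_RVA = 0x47028         # mov ecx,dword ptr [rdx+rax*4+47028h]


class SparseMemory:
    """Stand-in for debugger memory reads: only the dumped ranges are mapped."""

    def __init__(self):
        self._regions = []

    def map(self, address, data):
        self._regions.append((address, bytes(data)))

    def read(self, address, size):
        for start, data in self._regions:
            offset = address - start
            if 0 <= offset and offset + size <= len(data):
                return data[offset:offset + size]
        raise LookupError(f"address {address:#x} is not in the sample dump")


@dataclass
class Case:
    message: int
    index: int    # message - FIRST_CASE
    slot: int     # value read from the byte table
    rva: int      # value read from the dword table
    target: int   # IMAGE_BASE + rva, where "jmp rcx" lands


def resolve_case(memory, message):
    """Return the Case for a message, or None when the bounds check picks default."""
    index = (message - FIRST_CASE) & 0xFFFFFFFF   # eax wraps at 32 bits
    if index > MAX_INDEX:                         # "ja" is an unsigned comparison
        return None
    slot = memory.read(IMAGE_BASE + BYTE_TABLE_RVA + index, 1)[0]
    raw = memory.read(IMAGE_BASE + DWORD_TABLE_RVA + slot * 4, 4)
    rva = struct.unpack("<I", raw)[0]             # little-endian: 74 6a 04 00 is 0x00046a74
    return Case(message, index, slot, rva, IMAGE_BASE + rva)


def build_sample_memory():
    """Map only the bytes visible in the two 'd' dumps of the post."""
    memory = SparseMemory()
    memory.map(0x00007FF601C97149,
               bytes.fromhex("1b 1c 2d 1d 1e 1f 2d 20 21 22 23 24 25 26 27 2d"))
    memory.map(0x00007FF601C97094,
               bytes.fromhex("74 6a 04 00 e0 65 04 00 45 6a 04 00"))
    return memory


MEMORY = build_sample_memory()

if __name__ == "__main__":
    for msg in (0x5BA, 0x5BB, 0x5BD, 0x550, 0x5BC):
        try:
            case = resolve_case(MEMORY, msg)
        except LookupError as exc:
            print(f"msg {msg:#x}: {exc}")
            continue
        if case is None:
            print(f"msg {msg:#x}: outside the table, default branch")
        else:
            print(f"msg {msg:#x}: index {case.index:#x} slot {case.slot:#x} "
                  f"target {case.target:#x}")
```

Messages whose byte-table slot points outside the dumped dwords raise `LookupError`, which tells you which extra range to dump in the debugger.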
-
You rock man :thumbup:
Seems it's explorer itself that sends this message.
[attach=1]
-
@JFX: thanks for the encouragement
I think I recognise a listing generated by IDA. Isn't it ?
-
Yes it's IDA 6.8 with loaded x64 explorer.exe version 14393.
I guess the CTray object has its own function to enable\disable the show desktop functionality.
-
Is IDA 64-bit 6.8 free of charge?
With WinDbg I can see explorer!CTray::ModeChanged.
I don't know if I can find something if I put a BP.
Perhaps with the cross-references....
Thanks.
-
hello,
I opened explorer.exe in WinDbg on my "normal" Windows 10.
I put a breakpoint on explorer!CTray::ModeChanged.
And "go" with "g": no hit!
I tried twice.
I don't understand why. Is it possible that there is other code in explorer that sends the 5BA message?
-
hello,
I put a "ba w 1 add_2F9" in an explorer on "normal" Windows 10.
I can't see the sender's handle. But I can see the recipient's handle of the msg 0x40C (sent when the byte is reset).
It's "TrayNotifyWnd".
What if I suppose the sender is also the recipient? Do you think so?
In this case, can we imagine a handshake (I hope it's the right word) between these 2 windows?
- Shell_TrayWnd sets the flag 2F9 by default: which means that TrayNotifyWnd is not created
- TrayNotifyWnd sends the msg 5BA: that means that TrayNotifyWnd is OK
- Shell_TrayWnd resets the byte and can now handle the events (keyboard, menu, msg) about "display desktop"
If so, why is it different in WinPE?
A long way to explore TrayNotifyWnd ....
The sun is shining so I am going cycling :smile:
PS: during the manipulation, in WinDbg, I used the "p" command to execute the call to postMessage 40C. Then I let the program continue with "g". And now, wanting to shut down the PC, I see that the 'Windows' key and the mouse click on the window at the bottom left are inactive, as in WinPE. Something to follow up, maybe...
-
Hi Noel,
Good weather here, so I'm not going into the headache of why WinPE does not send this message.
I've updated my WinPE loader to fire this message every time it receives a wm_taskbarcreated message.
This seems to be a perfect solution.
-
Hi JFX,
Good thing !
I must say that I didn't know the wm_taskbarcreated message before you spoke about it.
Thanks for sharing the information
-
hello,
But who sent this message 0x5BA in the case of a "normal" windows10?
Quickly...
We therefore put a breakpoint, in "normal" Windows 10, on the address of the PostMessage function:
ba r 8 explorer!_imp_PostMessageW ".if(rdx == 0x5BA) {.echo msg 5BA} .else {gc};"
There are several exceptions that activate WinDbg. I do not count them. And finally, the breakpoint is triggered with the 0x5BA message.
USER32!PostMessageW:
00007ff9`610dafa0 48895c2410 mov qword ptr [rsp+10h],rbx ss:00000000`0326ef88=00007ff6a3496890
0:010> r
rax=0000000000000000 rbx=00007ff6a3496860 rcx=000000000005021e
rdx=00000000000005ba rsi=0000000000000004 rdi=0000000000000000
rip=00007ff9610dafa0 rsp=000000000326ef78 rbp=000000000326efd0
r8=0000000000000000 r9=0000000000000000 r10=00000fff28e681da
r11=0000000004010000 r12=00007ff6a3429040 r13=000000000005021e
r14=0000000000000000 r15=0000000000000003
iopl=0 nv up ei pl zr na po nc
cs=0033 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000246
USER32!PostMessageW:
00007ff9`610dafa0 48895c2410 mov qword ptr [rsp+10h],rbx ss:00000000`0326ef88=00007ff6a3496890
0:010> k
# Child-SP RetAddr Call Site
00 00000000`0326ef78 00007ff6`a32ba651 USER32!PostMessageW
01 00000000`0326ef80 00007ff6`a32b76d0 explorer!CTray::_RegisterForNotifications+0xf5
02 00000000`0326f000 00007ff6`a32f2b27 explorer!CTray::StartTaskbar+0xf4
03 00000000`0326f050 00007ff6`a32b7880 explorer!CTray::_StartTaskbarApiSurface+0x37
04 00000000`0326f080 00007ff6`a32b7a79 explorer!CTray::_StartParallelTasks+0xd8
05 00000000`0326f0c0 00007ff6`a32b6425 explorer!CTray::_HandleStartupProgress+0x155
06 00000000`0326f100 00007ff6`a32b4112 explorer!CTray::v_WndProc+0x945
07 00000000`0326f630 00007ff9`610d1c24 explorer!CImpWndProc::s_WndProc+0xe2
08 00000000`0326f680 00007ff9`610d156c USER32!UserCallWinProcCheckWow+0x274
09 00000000`0326f7e0 00007ff6`a32bac69 USER32!DispatchMessageWorker+0x1ac
0a 00000000`0326f860 00007ff6`a32f7ae3 explorer!CTray::_MessageLoop+0x149
0b 00000000`0326f8f0 00007ff9`5eef5aad explorer!CTray::MainThreadProc+0x43
0c 00000000`0326f920 00007ff9`60e88364 SHCORE!Microsoft::WRL::Details::RuntimeClass<Microsoft::WRL::Details::InterfaceList<CRandomAccessStreamBase,Microsoft::WRL::Details::InterfaceList<Windows::Storage::Streams::IRandomAccessStreamWithContentType,Microsoft::WRL::Details::InterfaceList<Windows::Storage::Streams::IContentTypeProvider,Microsoft::WRL::Details::InterfaceList<Microsoft::WRL::Implements<Microsoft::WRL::RuntimeClassFlags<3>,Microsoft::WRL::CloakedIid<IRandomAccessStreamMode>,Microsoft::WRL::CloakedIid<IRandomAccessStreamFileAccessMode>,Microsoft::WRL::CloakedIid<IObjectWithDeferredInvoke>,Microsoft::WRL::CloakedIid<IObjectWithFileHandle>,Microsoft::WRL::CloakedIid<IUnbufferedFileHandleProvider>,Microsoft::WRL::CloakedIid<IRandomAccessStreamPrivate>,Microsoft::WRL::CloakedIid<ITransactedModeOverride>,Microsoft::WRL::CloakedIid<CFTMCrossProcServer>,Microsoft::WRL::Details::Nil>,Microsoft::WRL::Details::Nil> > > >,Microsoft::WRL::RuntimeClassFlags<3>,1,1,0>::~RuntimeClass<Microsoft::WRL::Details::InterfaceList<CRandomAccessStreamBase,Microsoft::WRL::Details::InterfaceList<Windows::Storage::Streams::IRandomAccessStreamWithContentType,Microsoft::WRL::Details::InterfaceList<Windows::Storage::Streams::IContentTypeProvider,Microsoft::WRL::Details::InterfaceList<Microsoft::WRL::Implements<Microsoft::WRL::RuntimeClassFlags<3>,Microsoft::WRL::CloakedIid<IRandomAccessStreamMode>,Microsoft::WRL::CloakedIid<IRandomAccessStreamFileAccessMode>,Microsoft::WRL::CloakedIid<IObjectWithDeferredInvoke>,Microsoft::WRL::CloakedIid<IObjectWithFileHandle>,Microsoft::WRL::CloakedIid<IUnbufferedFileHandleProvider>,Microsoft::WRL::CloakedIid<IRandomAccessStreamPrivate>,Microsoft::WRL::CloakedIid<ITransactedModeOverride>,Microsoft::WRL::CloakedIid<CFTMCrossProcServer>,Microsoft::WRL::Details::Nil>,Microsoft::WRL::Details::Nil> > > >,Microsoft::WRL::RuntimeClassFlags<3>,1,1,0>+0x135
0d 00000000`0326fa10 00007ff9`61a470d1 KERNEL32!BaseThreadInitThunk+0x14
0e 00000000`0326fa40 00000000`00000000 ntdll!RtlUserThreadStart+0x21
The PostMessage call came from "explorer!CTray::_RegisterForNotifications".
explorer!CTray::_RegisterForNotifications+0xc6:
00007ff6`a32ba622 488b4df0 mov rcx,qword ptr [rbp-10h]
00007ff6`a32ba626 488b01 mov rax,qword ptr [rcx]
00007ff6`a32ba629 488d5538 lea rdx,[rbp+38h]
00007ff6`a32ba62d 488b4018 mov rax,qword ptr [rax+18h]
00007ff6`a32ba631 ff15b1191800 call qword ptr [explorer!_guard_dispatch_icall_fptr (00007ff6`a343bfe8)]
00007ff6`a32ba637 85c0 test eax,eax
00007ff6`a32ba639 7817 js explorer!CTray::_RegisterForNotifications+0xf6 (00007ff6`a32ba652)
00007ff6`a32ba63b 4c634538 movsxd r8,dword ptr [rbp+38h]
0:010> u
explorer!CTray::_RegisterForNotifications+0xe3:
00007ff6`a32ba63f 4533c9 xor r9d,r9d
00007ff6`a32ba642 baba050000 mov edx,5BAh >>>>>>>>>>>>>>>>>>>>> breakpoint
00007ff6`a32ba647 488b4b08 mov rcx,qword ptr [rbx+8]
00007ff6`a32ba64b ff158f071800 call qword ptr [explorer!_imp_PostMessageW (00007ff6`a343ade0)]
00007ff6`a32ba651 90 nop
00007ff6`a32ba652 488d4df0 lea rcx,[rbp-10h]
00007ff6`a32ba656 e80534fcff call explorer!Microsoft::WRL::ComPtr<Windows::Foundation::IAsyncOperation<Windows::Foundation::Collections::IVectorView<Windows::ApplicationModel::StartupTask * __ptr64> * __ptr64> >::InternalRelease (00007ff6`a327da60)
00007ff6`a32ba65b 4c897540 mov qword ptr [rbp+40h],r14
Found the code that sends the 0x5BA message
The call to explorer!CTray::_EnsureImmersiveShellPointer in WinPE will certainly be a problem.
explorer!CTray::_RegisterForNotifications+0x29:
00007ff6`083eb005 e8dea6ffff call explorer!CTray::_EnsureImmersiveShellPointer (00007ff6`083e56e8)
0:010> p
explorer!CTray::_RegisterForNotifications+0x2e:
00007ff6`083eb00a 85c0 test eax,eax
0:010> r
rax=0000000080040154 rbx=00007ff6085c5820 rcx=0000000000000000
rdx=0000000080040154 rsi=0000000000000004 rdi=0000000000000000
rip=00007ff6083eb00a rsp=000000000361eeb0 rbp=000000000361ef00
r8=000000000361e9c8 r9=00000000000021f5 r10=0000000000000000
r11=000000000361ec30 r12=00007ff608550d20 r13=0000000000030114
r14=0000000000000000 r15=0000000000000003
iopl=0 nv up ei pl nz na pe nc
cs=0033 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000202
explorer!CTray::_RegisterForNotifications+0x2e:
00007ff6`083eb00a 85c0 test eax,eax
00007ff6`083eb00c 0f8860010000 js explorer!CTray::_RegisterForNotifications+0x196 (00007ff6`083eb172) [br=1]
Return code rax = 0000000080040154 = class not registered.
The jump prevents sending the msg 5BA.
The function "explorer!CTray::_EnsureImmersiveShellPointer" uses DCOM.
0:010> u explorer!CTray::_EnsureImmersiveShellPointer
explorer!CTray::_EnsureImmersiveShellPointer:
00007ff6`083e56e8 4883ec38 sub rsp,38h
00007ff6`083e56ec 4881c158030000 add rcx,358h
00007ff6`083e56f3 33c0 xor eax,eax
00007ff6`083e56f5 483901 cmp qword ptr [rcx],rax
00007ff6`083e56f8 0f84fc5c0700 je explorer!`TileBadgeProviderLogging::Instance'::`2'::`dynamic atexit destructor for 'wrapper''+0x13bba (00007ff6`0845b3fa)
00007ff6`083e56fe 4883c438 add rsp,38h
00007ff6`083e5702 c3 ret
00007ff6`083e5703 cc int 3
explorer!`TileBadgeProviderLogging::Instance'::`2'::`dynamic atexit destructor for 'wrapper''+0x13bba:
00007ff6`0845b3fa 48894c2420 mov qword ptr [rsp+20h],rcx
00007ff6`0845b3ff 4c8d0d92381100 lea r9,[explorer!GUID_6d5140c1_7436_11ce_8034_00aa006009fa (00007ff6`0856ec98)]
00007ff6`0845b406 488d0d139c1100 lea rcx,[explorer!GUID_c2f03a33_21f5_47fa_b4bb_156362a2f239 (00007ff6`08575020)]
00007ff6`0845b40d 33d2 xor edx,edx
00007ff6`0845b40f 41b804040000 mov r8d,404h
00007ff6`0845b415 ff159dee1000 call qword ptr [explorer!_imp_CoCreateInstance (00007ff6`0856a2b8)]
00007ff6`0845b41b 90 nop
00007ff6`0845b41c e9dda2f8ff jmp explorer!CTray::_EnsureImmersiveShellPointer+0x16 (00007ff6`083e56fe)
rcx = explorer!GUID_c2f03a33_21f5_47fa_b4bb_156362a2f239 -->> HKCR/c2f03a33_21f5_47fa_b4bb_156362a2f239/default=Immersive Shell, APPID={316cded5-e4ae-4b15-9113-7055d84dcc97} ( appid/runas=Interactive User )
rdx = NULL
r8 = 404h -->>> CLSCTX_LOCAL_SERVER = 0x4 CLSCTX_NO_CODE_DOWNLOAD = 0x400,
r9 = explorer!GUID_6d5140c1_7436_11ce_8034_00aa006009fa --------------->>>>>>>>>>>>> ?????????????
[HKEY_CLASSES_ROOT\CLSID\{c2f03a33-21f5-47fa-b4bb-156362a2f239}]
@="Immersive Shell"
"AppID"="{316cded5-e4ae-4b15-9113-7055d84dcc97}"
[HKEY_CLASSES_ROOT\AppID\{316CDED5-E4AE-4B15-9113-7055D84DCC97}]
@="Immersive Shell"
"RunAs"="Interactive User"
[HKEY_CLASSES_ROOT\Interface\{6D5140C1-7436-11CE-8034-00AA006009FA}]
@="IServiceProvider"
[HKEY_CLASSES_ROOT\Interface\{6D5140C1-7436-11CE-8034-00AA006009FA}\ProxyStubClsid32]
@="{A6FF50C0-56C0-71CA-5732-BED303A59628}"
[HKEY_CLASSES_ROOT\CLSID\{A6FF50C0-56C0-71CA-5732-BED303A59628}]
@="PSFactoryBuffer"
[HKEY_CLASSES_ROOT\CLSID\{A6FF50C0-56C0-71CA-5732-BED303A59628}\InProcServer32]
@="C:\\Windows\\System32\\OneCoreCommonProxyStub.dll" ------------------------------>>>>>>>>>>>>> ?????????????
"ThreadingModel"="Both"
How to go further?
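One way to compare the COM registration behind that CoCreateInstance call between a normal Windows 10 and a WinPE image, as an added Python example (not code from the thread): it parses a .reg export and follows the CLSID to AppID and Interface to ProxyStubClsid32 to InProcServer32 links listed above. The first export uses the values from the post; the second is constructed by dropping keys to show what a gap looks like, and all function names are hypothetical.

```python
"""Follow the registry links behind CoCreateInstance(CLSID, ..., IID) in a .reg export."""
import re

HKCR = "HKEY_CLASSES_ROOT"
IMMERSIVE_SHELL_CLSID = "{c2f03a33-21f5-47fa-b4bb-156362a2f239}"   # rcx in the post
ISERVICEPROVIDER_IID = "{6d5140c1-7436-11ce-8034-00aa006009fa}"    # r9 in the post

# Values copied from the registry export quoted in the post (annotations removed).
FULL_EXPORT = r'''
[HKEY_CLASSES_ROOT\CLSID\{c2f03a33-21f5-47fa-b4bb-156362a2f239}]
@="Immersive Shell"
"AppID"="{316cded5-e4ae-4b15-9113-7055d84dcc97}"

[HKEY_CLASSES_ROOT\AppID\{316CDED5-E4AE-4B15-9113-7055D84DCC97}]
@="Immersive Shell"
"RunAs"="Interactive User"

[HKEY_CLASSES_ROOT\Interface\{6D5140C1-7436-11CE-8034-00AA006009FA}]
@="IServiceProvider"

[HKEY_CLASSES_ROOT\Interface\{6D5140C1-7436-11CE-8034-00AA006009FA}\ProxyStubClsid32]
@="{A6FF50C0-56C0-71CA-5732-BED303A59628}"

[HKEY_CLASSES_ROOT\CLSID\{A6FF50C0-56C0-71CA-5732-BED303A59628}]
@="PSFactoryBuffer"

[HKEY_CLASSES_ROOT\CLSID\{A6FF50C0-56C0-71CA-5732-BED303A59628}\InProcServer32]
@="C:\\Windows\\System32\\OneCoreCommonProxyStub.dll"
"ThreadingModel"="Both"
'''

# Constructed for the demo: the same export with the first two keys removed.
PARTIAL_EXPORT = FULL_EXPORT[FULL_EXPORT.index("[HKEY_CLASSES_ROOT\\Interface"):]

SECTION = re.compile(r'^\[(.+)\]$')
VALUE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=("(?:[^"\\]|\\.)*")\s*$')


def _unquote(text):
    """Strip the surrounding quotes and undo .reg escaping (\\\\ and \\")."""
    return re.sub(r'\\(.)', r'\1', text[1:-1])


def parse_reg(text):
    """Return {key: {value name: string}}; names are case-folded like the registry.

    Only string (REG_SZ) values are kept; dword: and hex: lines are skipped.
    """
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        section = SECTION.match(line)
        if section:
            current = keys.setdefault(section.group(1).casefold(), {})
            continue
        value = VALUE.match(line)
        if value and current is not None:
            name = "" if value.group(1) == "@" else _unquote(value.group(1)).casefold()
            current[name] = _unquote(value.group(2))
    return keys


def resolve_chain(keys, clsid, iid):
    """Walk the links in lookup order; a missing link is recorded as None."""
    def value(path, name=""):
        return keys.get((HKCR + "\\" + path).casefold(), {}).get(name)

    chain = {"class name": value("CLSID\\" + clsid)}
    appid = value("CLSID\\" + clsid, "appid")
    chain["AppID"] = appid
    chain["AppID RunAs"] = value("AppID\\" + appid, "runas") if appid else None
    chain["interface name"] = value("Interface\\" + iid)
    stub = value("Interface\\" + iid + "\\ProxyStubClsid32")
    chain["proxy/stub CLSID"] = stub
    chain["proxy/stub DLL"] = value("CLSID\\" + stub + "\\InProcServer32") if stub else None
    return chain


def missing_links(chain):
    return [label for label, found in chain.items() if found is None]


if __name__ == "__main__":
    for title, export in (("full", FULL_EXPORT), ("partial", PARTIAL_EXPORT)):
        chain = resolve_chain(parse_reg(export), IMMERSIVE_SHELL_CLSID, ISERVICEPROVIDER_IID)
        print(title, "missing:", missing_links(chain) or "nothing")
```

A complete chain only shows that the registration data is present; the DLL named in the last link still has to exist in the image.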
-
Currently I am working to get mstsc working with a Remote Desktop Gateway server.
And I found that my script traitement.ps1 can't work with the language en-us.
I'll fix it soon.
Observation: the scripts are not useful, because no one told me that the scripts don't work.
-
Hi, noelBlanc
Nice to see the problem (ShowDesktop) has a perfect solution! :thumbsup:
Yes, winPeSe got it since a long time with the use of "wind.exe and MsgHook.dll".
And Yes, this solution is not a good idea because with the next version of winpe, the address will be modify.
You are wrong, wind.exe will deal with all versions.
I'm not as good as you at disassembling programs; I just debugged explorer.exe with
Visual Studio and found the message.
I hook the message, and MinimizeAll/UnMinimizeAll the windows with my code.
(compared to making the original explorer function work, this is easy for me, just writing 100 lines of code in 1 or 2 hours.)
But following your description I tried and got the same thing in 10.0.15063. :great:
(the code is a bit different.)
I want to make a hard patch to switch the default jump, but explorer.exe can't start up with the change... :confused:
00007ff6`01c96a7f 418887f9020000 mov byte ptr [r15+2F9h],al >>>>>>>>>>>>>>>>> this is indeed the address of the ba breakpoint
00007ff6`01c96a86 84c0 test al,al
00007ff6`01c96a88 0f851f660700 jne explorer!`TileBadgeProviderLogging::Instance'::`2'::`dynamic atexit destructor for 'wrapper''+0x1512d (00007ff6`01d0d0ad)
00007ff6`01c96a8e 4138bff8020000 cmp byte ptr [r15+2F8h],dil
00007ff6`01c96a95 0f8512660700 jne explorer!`TileBadgeProviderLogging::Instance'::`2'::` >>>>>>>>> change jne to je
-
Hi slore,
Thanks for your feedback. My English is so poor that sometimes people can't understand me.
When I said "And Yes, this solution is not a good idea because with the next version of winpe, the address will be modify.",
I was speaking about "my" solution because the address base + 2F9 can change with a new version of Windows.
And yes, the WinPeSe team's solution with "wind+MsgHook" is the best solution because it doesn't use a "hard" address but implements all the code that explorer.exe doesn't run.
And no, I'm not good at disassembling programs. I use WinDbg like a beginner.
just write 100 lines code in 1 or 2 hours
Bravo! I wouldn't be able to do that.
You said "I want make a hard patch to switch the default jump, but the explorer.exe cann't startup with the change"
- I use an exe and hook.dll to do that "dynamically" and put them in earlier posts
- did you update the checksum of the explorer file after modifying it? I suppose yes but you don't say so, so I ask....
- can you see something with procmon64, or save a .PML file?
Note: as I understand the code and my test, it is also the first jne that must be disabled, not only the second. The flag is base + 2F9 in build 14393. And I don't know the role of Base+2F8.
00007ff6`01c96a7f 418887f9020000 mov byte ptr [r15+2F9h],al >>>>>>>>>>>>>>>>> this is indeed the address of the ba breakpoint
00007ff6`01c96a86 84c0 test al,al
00007ff6`01c96a88 0f851f660700 jne explorer!`TileBadgeProviderLogging::Instance'::`2'::`dynamic atexit destructor for 'wrapper''+0x1512d (00007ff6`01d0d0ad)
00007ff6`01c96a8e 4138bff8020000 cmp byte ptr [r15+2F8h],dil
00007ff6`01c96a95 0f8512660700 jne explorer!`TileBadgeProviderLogging::Instance'::`2'::` >>>>>>>>> change jne to je
So, two times 6 "NOP" (one for each jne) seems better to me, because "je" needs the offset "delta" to be calculated.
See you later
-
hi, noelBlanc
so quick reply.
>just write 100 lines code in 1 or 2 hours
EnumWindows, check the window states and save them, then ShowWindow(Sync), something like this;
for me that is easy rather than ~"Windbg" things.~
>- do you modify the checksum of the explorer file after modifying it? I suppose yes, but you don't say so, so I ask ....
yes, 0f85xxxxx -> 0f84xxxxx, and PEchecksum.exe explorer_modifed.exe.
>- can you see something with procmon64, or save a .PML file?
I will try this.
>note: as I understand the code and my test, it is also the first jne that must be disabled, not only the second. The flag is base + 2F9 in build 14393. And I don't know the role of Base+2F8.
Sorry, I had a typo in it. I changed the first jne, not the second one.
(learning the windbg skill from you, I followed the Tray::ModeChange message and got BASE+171h in my version, and it is the first check in Tray::_RaiseDesktop)
>use an exe and hook.dll to do that "dynamically" and put it in earlier posts
I change the BASE+171h, or the jne to je, "dynamically" with Visual Studio. That also worked.
>twice 6 "NOP" ( one for each jne ) seems to me to be better because "je" need to calculate the "delta" of offset.
I will try the 909090909090
Thanks again for sharing your research (also the process), and how to disassemble explorer.exe with windbg. :thumbsup:
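Added example (not code from the thread, and not how PEchecksum.exe is implemented): it decodes the two jne instructions from the WinDbg listing above, then shows on a constructed PE-shaped buffer that the one-byte 0f85 -> 0f84 edit leaves the header CheckSum stale until it is recomputed, which is the comparison a defender can run to spot a modified system binary. The function names and the sample buffer are assumptions made for this illustration.

```python
import struct

# The two conditional jumps from the WinDbg listing in the post above
# (explorer.exe, build 14393): instruction address -> instruction bytes.
JNE_SITES = {
    0x7FF601C96A88: bytes.fromhex("0f851f660700"),
    0x7FF601C96A95: bytes.fromhex("0f8512660700"),
}


def jcc_target(address, insn):
    """Decode a near conditional jump (0F 8x rel32) and return its target."""
    if len(insn) != 6 or insn[0] != 0x0F or (insn[1] & 0xF0) != 0x80:
        raise ValueError("not a 0F 8x rel32 conditional jump")
    (rel32,) = struct.unpack_from("<i", insn, 2)
    # rel32 is relative to the address of the *next* instruction.
    return address + len(insn) + rel32


def checksum_offset(image):
    """File offset of OptionalHeader.CheckSum (same in PE32 and PE32+)."""
    if image[:2] != b"MZ":
        raise ValueError("missing MZ header")
    (e_lfanew,) = struct.unpack_from("<I", image, 0x3C)
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    # 4-byte signature + 20-byte COFF header + 64 bytes into the optional header
    return e_lfanew + 4 + 20 + 64


def pe_checksum(image):
    """Standard PE header checksum: folded 16-bit word sum of the file with
    the CheckSum field counted as zero, plus the file length."""
    off = checksum_offset(image)
    data = bytearray(image)
    data[off:off + 4] = b"\0\0\0\0"
    if len(data) % 2:
        data.append(0)                      # pad an odd-sized file
    total = 0
    for (word,) in struct.iter_unpack("<H", data):
        total += word
        total = (total & 0xFFFF) + (total >> 16)   # end-around carry
    total = (total & 0xFFFF) + (total >> 16)
    return (total + len(image)) & 0xFFFFFFFF


def stored_checksum(image):
    return struct.unpack_from("<I", image, checksum_offset(image))[0]


def checksum_is_valid(image):
    return stored_checksum(image) == pe_checksum(image)


def build_sample_image():
    """Constructed, minimal PE-shaped buffer (headers only, not loadable)
    holding the first jne from the listing at file offset 0x200."""
    e_lfanew, code_off = 0x80, 0x200
    image = bytearray(0x400)
    image[0:2] = b"MZ"
    struct.pack_into("<I", image, 0x3C, e_lfanew)
    image[e_lfanew:e_lfanew + 4] = b"PE\0\0"
    struct.pack_into("<H", image, e_lfanew + 4, 0x8664)    # Machine: AMD64
    struct.pack_into("<H", image, e_lfanew + 24, 0x020B)   # Magic: PE32+
    image[code_off:code_off + 6] = JNE_SITES[0x7FF601C96A88]
    struct.pack_into("<I", image, checksum_offset(image), pe_checksum(image))
    return image, code_off


def demo():
    targets = {hex(jcc_target(a, b)) for a, b in JNE_SITES.items()}
    image, off = build_sample_image()
    before = checksum_is_valid(image)
    image[off + 1] = 0x84          # the 0f85 -> 0f84 edit reported in the thread
    stale = checksum_is_valid(image)
    struct.pack_into("<I", image, checksum_offset(image), pe_checksum(image))
    after = checksum_is_valid(image)
    return targets, before, stale, after


if __name__ == "__main__":
    targets, before, stale, after = demo()
    print("jne targets:", targets)
    print("valid before edit:", before)
    print("valid after edit, header untouched:", stale)
    print("valid after recomputing CheckSum:", after)
```

A matching CheckSum only shows that the header was updated after the edit; the Authenticode signature of a patched file no longer verifies, so signature checks remain the reliable integrity test.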
-
Hi,
@ slore : i hope you get your goal.
I'm happy, I got a winpe for version 1703 (rs2) with my scripts written in PS. I detect many bugs.
The first (and I forget it each time I'm in front of a new version) is the missing D2D1.DLL.MUI. With DWM, winpe displays a black screen. Cursors are displayed, but not the border and not the text of a cmd box.
And for research, I use procmon and the "capture on boot" functionality: very friendly in a vhd and Flat mode!
Also, in my last PDF, I put an email address. And I'm happy to receive an email. And happy to help to get a winpe (1607) produced by the ADK and with mstsc and NLA, with nothing else.
For the fun i get mstsc with NLA in the winpe 1703 in which implementation of NLA is a little different than winpe 1607.
Currently, I meet a lot of anomalies with the 1703 version. The main: Desktop/explore hangs with the session System. And also delays for the ADM session.
I'm going to bike for a long time from 15 May. So not sure i can finish PDF and scripts. Maybe in a few months.
-
Hello
Version 1703 imposes many changes in the PDF file and in my scripts.
Several anomalies have appeared with this version.
I have very little tested and I have not made any changes in the scripts since I left in May.
MSTSC with NLA works in this version: This is the only point I really tested.
I just finished the update of the PDF file v 3.6. Main additions:
-an investigative method when switching to a new version when nothing works
-Launch of Procmon.exe automatically when starting WINPE : all activity is captured
-
hello,
After more than a week without understanding why the popup menu "NEW" was empty, I ended up finding what Chrisr and the Theoven team had found Ben long ago.
And besides, I checked in their script as a final check, to be sure I had all the elements in hand.
Bravo to them.
I drop my scripts adapted for the V1709 which do not serve much but which are the result of my long evenings of laborious quest.
I will do a little bit of doc to explain another method of investigation:
From a freshly installed W10 in a VM, explain how to modify the essential hives to get a WinPE with "almost" all elements of W10, services, files, keys and also the elements added by the installation phase of W10 (very Important to keep that in mind)
But since I have to reinstall everything to validate, this will be for later.
In this new version for only v1709:
USB printers are always available. But requires a bit of personal work to inject the drivers of its printer and modify the scripts.
Network printers are available for the ADM session only.
I try to make them visible in the control Panel "devices and Printers"
IE64 ok for ADM, but F12 NOK and download NOK for System
MSTSC works from the System session with the NLA mode
I am trying to run Termservice (incoming call in WinPE). For fun because not really useful
"Tscon.exe 1" resists me.
(Because my bad english i use a translator...)
-
Hi, noelBlanc
nice to see you back, to continue some research. :great:
>I will do a little bit of doc to explain another method of investigation:
>From a freshly installed W10 in a VM, explain how to modify the essential hives to get a WinPE with "almost" all elements of W10, services, files, keys and also the elements added by the installation phase of W10 (very Important to keep that in mind)
-
hi Slore,
Happy to see you again. :smile:
My goal to occupy this early winter :
- in a VM (hyperV), i install a W10Ent
- i put new objects and modify some others
- and now the VM boot under Winpe with a "big" context ( files, keys, new objects, etc, which came with install)
It's well documented on the internet (perhaps on this site). It's not the first time I use it. I think it's another good way to investigate.
It's an easy way to disable services or drivers, compare files, etc.
Need some time to modify manually.
I try to note the modifications in the attached files before to update my pdf.
The next action ( next week ) is to put the VHD in a USB disk and boot on a physical machine. I hope material recognition will be ok.
The real reason is that I do not find how to make the printers appear in the "classic" winpe configuration panel when they appear well in this "obese" winpe.
The same for MSTSC from a computer to a winpe machine (yes, not very useful to see the screen of winpe on my computer, but funny to search).
Session ADM not very good in this big winpe.
I just try the VHD in a physical machine : it works very well, mp4, printers, and i can use mstsc from an other computer via RDP.
-
I want to build microwinpebuilder. I built it once before, and a lot of time has passed since then. Today I tried to build it, but it wants the ADK to be installed. Why does it need the ADK? Does it use boot.wim and other packages from the ADK? Do the ADK build, the installed system build and the build used by microwinpebuilder need to match each other? Microsoft frequently releases builds and it is difficult to match versions. Which is the latest Windows build it supports? I want to build from 16299.15.170928-1534; is it supported?
-
Hello vvurat,
Happy to see you.
Be patient with me, because my poor english. I use a translator but ...
When a new version is produced by MS, I forget the old ones. Actually, the ADK and the public ISO match 16299.rs3.170928. I construct my VHD from this version.
My goal is to investigate how to put explorer.exe and some other elements in winpe. And because MS makes many changes each time, my script would become a long sequence of "if version = x". Too complex for me.
Yes, as I say in the PDF file (section "Construction scripts") and in the "presentation", the PS scripts are only a help to inject "data" into the boot.wim file that comes from the ADK.
So, the ADK is mandatory. This is a big difference from winbuilder and the new pebacker.
The first step launches "copype.cmd" from the ADK.
The second step launches many "dism" commands to add packages from the ADK. You can modify the script to remove or add other packages and drivers.
When these two steps are done, the script produces a file named "boot.wim.AvecPaquetsDeBase.export".
For the third step you can use your own boot.wim file if you want (with your packages and drivers and so on). My scripts use the tree that comes from "copype.cmd".
Just rename your file with the right name, "boot.wim.AvecPaquetsDeBase.export". You can modify the script "traitement.ps" if you want to change this name.
The third step mounts boot.wim, mounts its hives in the registry, and uses some files from the ISO of the Win10 OS.
So yes, the version of the ADK must match the version of the Win10 ISO. You must mount the install.wim of this ISO so that the script can copy some files (the third parameter in the tab "Entries").
This step also uses some tools (dism...) from the host. So, it's better (perhaps mandatory?) that the host machine version matches the ADK.
This step copies files, modifies the hives of the boot.wim, and dismounts boot.wim. Because I'm the only user, the script has a few customizations for my site and my use (drivers, printer). You can modify it or I can help you.
Actually, the first time step 3 is run, many files are missing. I use this first "step 3" to read the log and see if bigger errors occur.
Perhaps it's time to correct something in the script.
After this first "step 3", I put my drivers and wifi information (SSID and password), printer drivers for my site, etc., in the right directory.
There is an "issue" in my scripts: I can't put them there before the tree is constructed by "copype.cmd".
At this time, only one person has asked me to use my scripts. At the end of his request, I created a simple "cmd" script for him. He only wanted to get mstsc with NLA working with a gateway server in his boot.wim without launching my scripts.
I hope this can help you. If not, you can use MP. ( or my email in the pdf or one you know ) :wink:
-
In the middle of your technical explanations (as I understand, you want to get rid of the "unknown hard error" of explorer.exe) I do not want to disturb you and ask my stupid and easy "how to build" questions. So I want to keep it short, but I need a working ISO build, and that build needs to match my own handmade build so maybe I can find where I made a mistake. As you said, there are lots of frequent Microsoft builds and it is difficult to match build numbers. I could not find a warez build, so I tried to see if I could build it myself with other tools. I tried with winbuilder but it does not accept the 16299.15.170928-1534 source ISO, or maybe I did not succeed. I thought maybe it was because the ISO has install.esd, so I converted the esd to install.wim, but it does not accept the ISO file. I tried your builder on Windows 7 but it asks for PowerShell 5.0, so I succeeded in opening it under Windows 10, but I am confused about (WINDOWS I USE VERSION=?need match=?ADK VERSION=?need match=?ISO I WANT TO USE version). I will try to build, but if I do not succeed I would like you to share a prebuilt version of yours with me, if you don't mind, for 16299.15.170928-1534.
You and I look the same because we are alone and try to make some things by ourselves. There is nobody that can help us. Other projects have teams, and when someone gets stuck at some point they can go on with the help of another person. I wish to help you but you know nearly as much as me. You know how to use all the registry; the only thing I could help with is the file list. Because Microsoft renews the ISO frequently, building winpe is not very interesting. When you finish one version another Windows version is released and all your work goes to nothing. People are always interested in the latest versions. For me 10240 or 10586 could be enough, but it is not interesting if nobody is interested along with you at the same time. When you try to discover the latest version, if you cannot solve a problem and do not know how to solve it (registry or file list), nobody can help you, so you need to wait until some other projects reach your level and find the solution. I have not tried to build a Windows 10 build in the last 1-2 years, only watching other projects solve the registry and file list and give me the fundamentals to build my own. So I do not lose my weeks and months finding them :) this is much better. Sometimes (like now) I try to build on my own so as not to forget my knowledge and to remember. I appreciate your effort and courage, that you have not given up working alone. In the topics above you said you have spent long evenings. Why? Is it just a hobby, or do you need a winpe for your work software? As I remember, you needed this winpe for your job.
Once I tried your build (you sent it to me). It was OK and nice, but you keep the file list too big. The end user probably will not want to use it because it is big and lazy. I do not know how it is now, probably big again because you are working on printer and remote desktop. I can advise: just make a simple, small, fast, effective build as default, then add some PowerShell files to add more features; maybe that can attract the interest of other people.
The best people at building WinPE are Chinese people. Because everything is free for them. They can share every file, build, distribution. They do not bother with or care about American laws. So there is nothing to stop their development. Maybe there should be a password-protected subforum, closed to the public, to share everything.
Keep it easy. Do not bother with "if version = x". Let the users customize it. If you can, take a simple file list txt file that can change in every version, 1709.txt maybe. The registry is the easiest stuff: convert to X:\, change a few values; very simple and customizable.
-
I continue to play with IE11-64bits
Do you have a list of services/files needed for IE11x64? I would like to integrate into my build... btw have you tried x64dbg?
-
Hi bob.omb,
My two lists (files and keys) are embedded in the script "traitement.ps1".
Perhaps you need to modify it because explorer and InternetExplorer are very dependent.
And it is possible that I use a file for explorer that winpese does not.
In my pdf, I explain the "key": x86AppPath
And also some limitations for the "system" account and the "download" action.
If you don't find all you need, tell me and I'll post these lists
I use only windbg; too difficult and too late to change.
Ps: sorry for my english, at this time of the night I try to write without using a translator
-
noelBlanc,
I pieced together a plugin for IE11 but it is not working correctly. I have the download function working fine but I am missing something else.
Any chance you can take a peek and see what I missed? (If you remember..) Or post list? I didn't get it all.
http://theoven.org/index.php?topic=2385.0
Source + Host: Win10 1709 16299.15
-
Hi,
@bob.omb
Thank you for reporting that my email "noelblanc.winpe(at)free.fr" is currently inaccessible.
This email account doesn't work since April 2017.
May those who tried to reach me at this address excuse me.
I invite them to contact me by MP if need be.
...
My email is now ok.
-
Hi,
The idea is to implement the traces in Explorer.exe since there is a WPP record.
But before that, I want to start with an apprenticeship with WinDbg.
The trace mechanism looks identical to me in Explorer.exe and in TERMSRV.dll.
I have long wanted to understand how to implement WinDbg in a service.
And a wrapper around Termsrv.dll caught my attention by the complexity of its code and its few lines.
So I start by trying to implement Windbg to figure out how to enable traces in Termsrv.
The DebugService.txt file contains the log of my "searches".
The note.txt file contains the bits of code that seemed useful to me to progress.
The conclusion after almost a month of reading and analysis:
- ETW traces are available in WinPE
- Their implementation with logman worked only in my "full-flat" environment (see in first post)
- The traces bring information that is not in the event log (terminal...) but are less verbose than I thought. There is no tracking functions (the code is not present or I do not know how to activate it)
- logman produces an ETL file
- MOF files are missing, so TRACERPT does not produce "CSV" and EVENTVWR.MSC does not display anything
Question: Would the "checked" version of the OS binaries bring a better result?
Note: I don't even know how to get it and its volume must be huge.
-
good to see you make progress in bit :thumbsup:
I am better at coding than tracing. (I hope I can do it)
As I develop some Windows programs,
the SYSTEM session is also called the LOCAL SYSTEM ACCOUNT (LSA).
This session has high file privileges but no NETWORK service access privilege.
So this makes it hard for IE and printers to work.
teamviewer needs an Administrator account.
I hope there is a way to have an option to runas Admin without
switching to the Admin session.
-
Hi slore,
I'm happy to read you. :smile: I know you are a good developer and a good user of the debugger with VS.
VS is too complex for me. Windbg is small and simple.
I read all posts in this topic to collect some information about "security" issues in the system session.
I found something and I looked in my pdf:
"Procmon displays the message « loading symbol...». But the download does not take place and
therefore symbols not displayed.
It is where the local cache is very useful. We start by making the same consultations with the ADM
session and cache fills. Then we start again with the session System: procmon consults the cache
previously filled"
With windbg (i look in termsrv.dll to get trace) : same issue.
And it works in adm session !
In system session.
-I can install the spooler. I can install my printer locally. I can use it. And it's true, I can't install it via a remote machine
-In the adm session, I can use local and remote printers!
-IE64 works fine. Also the "debugger F12". But the "download" feature does not work completely.
The file is downloaded on the machine in a directory. But it does not appear in the "download" directory of the profile.
I explain somewhere that the directory "...\appData\local\microsoft\windows\inetCache\ie" doesn't contain the 4 subdirectories "XXXXX".
But the downloaded file is stored under "...\IE" directly.
I also note the absence of the environment variable %localAppDAta% in the system session
Nevertheless, in the system session, I can do "net use \\remote..\share /user:...".
So the System session can access the network.
Without real research on my part:
- I saw some posts (but where?) about teamviewer and I always think it works in winpe. "my poor english..." if I misunderstood.
- in one direction, mstsc + NLA works fine. From my winpe I can use my normal win10.
- in the other direction, in my "full-flat" winpe (see newMethodeInvestigation above), I observe that "remote desktop" works fine. I can take control of winpe from my normal win10
It's true, I never use teamviewer.
Actually (v1709), "tscon 1" is broken (return to system from adm). Perhaps other features in the future.
I wonder if it is not easier to look for a workaround for each blocking point
In conclusion, yes, it's a big work to understand the security mechanism in winpe.
I'm not sure i can bring some new things.
Best regards
Ps : are you waiting soon for a baby or an other time i misunderstood
you can use my email noelblanc.winpe (at) free.fr, i think your PM messenger here is disabled
-
Why do you like the system account better than admin?
I personally use admin session even with broken tscon 1 in 1709
I use NSudo to run as system and everything else runs as admin therefore everything works.
I can't think of a good reason to use the system account at all.....
-
Hello,
slore seems to prefer the system account.
Personally, I have no need of winpe because I'm retired. I play with it to add features and try to understand how....
So, I play with the two accounts.
For my "game", I prefer the system account because opening the adm session takes longer than the system session.
I take this moment to say that when I was working in a large company with more than 60000 PCs, it was unthinkable to bring in a program downloaded from the Internet, to avoid any risk of infection. Also, we only used MS or paid products in order to be able to take legal action if necessary. Note that in the last years, we used WTG (Windows To Go). Full, rich and efficient. And I guess it's also that reason that pushes "newbies" from the Forum to build/edit their WinPE themselves to add one or two features. And it's hard to quickly find the right information. That's why I tried to provide it with my pdf, but I know I failed
But i continue....
-
Hi,
I managed to find the difference between my "full-flat" environment and my WinPE which prevented the operation of Logman.
Logman uses the Schedule service for its schedules. And Schedule uses the TIMEBROKERSVC service. This is this last service that was missing in my WinPE.
-->> AFTER MORE TESTING : "logman create trace ..." is ok but "logman start.." is not ok !!! Why?
My observation: This "full-flat" environment in a large VHD has an advantage because it allows to have a fairly accurate idea of the maximum of features that can be added and run in a WinPE.
But I am aware of its limitations!
So i can return to debug my termservice (port 3389) in my winpe
-
When you put all the files in the wim and get most services working, it will be difficult to track termservice. Because all the files, services, and reg read/write values will be huge to track in procmon. You need to keep it simple and functional. Probably procmon will not be useful at the end of the process because you will end up at a point where procmon will not show any missing files but there will be a few files missing. Also it will be useful to keep procmon working at the start of the remote desktop connection. It shows good info about the connection state and missing files.
-
Hi vvurat,
Happy to read you.
Yes, the bigger the number of running processes, the more difficult the investigation. Procmon brings filters. And many hours in procmon's traces give me some facility. For example, the end of loading the DLLs before the main of the process starts is given by the load of "imm32.dll". And so on for different indications.
And yes, sometimes I use procmon to trace the boot (I wrote some words about this in my pdf).
For termservice, it's simpler because I disable it before boot. The advantage of Flat is that you can modify the system hive "directly" because it's the only one that the OS doesn't keep open (in V1709 I'm sure) and reboot. Update is really easy. No Wim to mount/unmount!
And I'm sure all needed modifications are in the system hive because I swap only this hive for it to work (system-from-winpe and system-from-w10-after-installation. And yes, in the two tests I use the software hive that came after installation, so a few modifications are possible from the software hive from install.wim in the ISO). Perhaps too long and incomprehensible.
As I said before, the "full-flat" environment (I suppose it's like ramos on a Chinese site) gives me the base of "all" features which are possible to add in a "normal" winpe without difficulties. And because port 3389 is open in "full-flat", I think it's possible to get it in a normal winpe. It was the case with "schedule".
And it's because I want to understand how the wrapper "https://github.com/stascorp/rdpwrap/" was "invented" that I look in termsrv with its "native" trace. It's a good platform for me to play with.
Have you tried to construct a "full-flat" (or whatever else it is named, because I don't understand the term ramos, which covers many notions when I search the web)?
I put a text file with the very, very small number of modifications in post 1. And yes, it's too long to install w10.
Good evening
-
Hi,
It took me a very long time to find a method to identify the missing item in WinPE for ETW/ETL traces to work.
In my microwinpebuilder environment, "logman start" seemed to loop or wait indefinitely.
I do not describe the investigation phase but I learned a lot.
The key ..\control\WMI taken on a normal W10 and copied into my WinPE solves my problem. I don't know what's useful inside. It'll be for later.
So I can use ETW traces and ETL files as long as I know which setting to activate. I will continue with traces of TermService and later to "explore"
-
hi,
After about two months of searching and testing, I can now play with "MSTSC.EXE" and "MSRA.EXE" in both directions.
I can use WinPE to drive a normal W10 and the other way around.
As well with "Remote Desktop (MSTSC)" As with "remote Support (MSRA)".
In Winpe MSTSC works both ways and with both accounts, SYSTEM and ADM
In Winpe MSRA works with SYSTEM and ADM accounts in the case of mode "Expert"
But in Winpe MSRA only works with the ADM account in the case of mode "Novice"
The extra size is low.
My winpe64 now has the following features:
The desktop "explorer"
IE (no download for the SYSTEM session)
MSTSC with NLA in both directions
MSRA in both directions (only with ADM session for "Novice" in WinPE)
Printers PDF, XPS and "My" printer (so I can not do other tests)
MMC, MSI, WIFI, LAN, WSMAN, PowerShell (remote PowerShell by reading the PDF),...
MP3 Audio (still some searches for WAV and MP4)
My opinion on the quest for the lowest size for WinPE:
-ISO and/or Boot.wim: For what use?
In my old job, installing Windows via PXE, so fully automated and WinPE built with MDT. So, no need to customize winpe.
For troubleshooting in a professional environment? Can a new installation be more efficient and faster?
-WINPE Flat mode in a VHD:
I use a VHD very often in a USB stick: The size of WinPE is in this case not at all important.
Moreover the loading is much faster and the ramdisk becomes useless.
-WINPE Full-Flat mode in a VHD:
It offers the maximum of features without any investigative work. The installation time is important but then "All" is available without any work. Nevertheless, it is necessary to pay attention to the detection of the material
I will never be able to convince WinPE users of the efficiency of the "full-flat" mode, close to Wintogo.
I can cite: persistence of the files deposited and very easy modification of the hives for the next reboot.
In particular, the SYSTEM hive is not locked and you can load and modify it under winpe, save it and reboot.
It is a pity that they do not test them themselves to check. This is not a judgment, just a remark.
As I do not want to invest in a scripting language like that of WinBuilder/PeBaker, I do not have an efficient constructor.
I understand that modifying PS scripts can scare the neophytes. Yet PS is powerful.
Currently, the construction time is 14 minutes on my PC. It's a long time. This comes in part from the choice I made to use "DISM add-driver" without optimization. And also from too many uses of "reg copy"
With the 'MDT method', a single directory containing all the drivers, I think the time saving would be very important.
And using only one "reg copy" is possible with a script modification.
Again, my goal is pedagogical: collect useful information in a PDF and show with PS scripts how to edit a basic WinPE (and a GUI in PS for fun)
(V16 in the first post)
-
:thumbsup:
good to see you got progress on mstsc.exe.
Teamviewer is a lazy option.
Do you have a plan to see MTP?
>As I do not want to invest in a scripting language like that of WinBuilder/PeBaker, I do not have an efficient constructor.
I agree with this.
I use HTML+JS create a GUI to make some settings things and put them in environment variable or build config file,
and run batch file to make PE. In batch file can call any script you like, even the batch file can be set to a powershell file.
and as the builder self is made by only TEXT file, everyone can modify it in any time with little front web front skill(HTML,css,js).
even not a beta release, but the technical identification looks good.
maybe someday you can use it.
http://theoven.org/index.php?topic=2390
-
hi slore,
Happy to read you.
I saw your thread about html+Js. But with my poor english, I couldn't speak about it. I don't understand the details. In my old job, I used MSHTA+ VBS. But I never learned the html language. I only have the basics of the language. I wrote with notepad.exe. It was ten years ago. After that, I used PS and winform. Really better for me.
I'll try to understand your tool.
Like any man, I more easily use the tools I build. :wink:
I also saw your winXshell. Bravo (in french) :thumbsup:. Did you write it in C++ or C# ?
About MTP, do you speak about "Media Transfer Protocol" ?
I tried (at the end of 2017) Windows_MediaFeaturePack_x64_1709.msu that I found on the MS site. It's for Version N (without media player). I tried to install it in winpe. But the engine detects a wrong version (not N). And because I didn't find how to progress, I came to MSTSC.
I must try with "full-flat" because it offers the maximum without too much work.
But it's a good challenge for next months.
I hope you can understand what i write with my poor english. And fortunately you do not hear me speak English
-
Hi noelBlanc (is noel your first name or is it just a username?)
Congratulations for all your work, your research, your documentation :thumbsup:
it's really interesting and you impress me in your perseverance to go after and catch things, like rewriting SetWoW64 when it already exists.
I think your project would gain a lot, in the eyes of others, if you had some options added in the GUI.
Like installing or not Printers, Scanner (not my stuff) or other options.
Again, bravo for Mstsc with NLA support, Msra,... I always enjoy your works
About the Media Transfer Protocol, I guess that the check during installation is probably related to ProductOptions(Policy - EditionName, brandinginfo or productinfo..!)
:cheers:
-
Hi ChrisR,
Yes, my first name is Noël and my last name is Blanc. I was born on 25 December and I am happy with this originality :grin:
If you come through Nantes one day, come and see Father Christmas :great:
Thank you for your encouragement and your valuable advice. It's very nice to have your opinion. :thumbsup:
I know that my pdf is very poorly structured, contains errors, and I don't report everything that is contained in the PS script. It's very complicated to describe the result of a search in winpe and how to implement it later in winpe.
I knew misty is interested in a faster construction mechanism in trying to avoid the ADK uploading. I also searched on this topic. He studied 2 aspects: the work of dism and also the acquisition of the only useful objects via the network
I somewhat traced the functioning of dism. The assurance of getting the right result for MS is paid by long-term treatment. This is where the acceptance of the risk reaches a limit. That's why I think that the quest for the few files that are useful for the proper functioning of dism will be limited to a limited number of contexts, and it can be hard to identify abnormalities. The second point, avoiding downloading the ADK, seems useful and safe.
But for now, I prefer to look for the small details that remain obscure to me, such as wav files, which do not work in a winpe but work in full-flat
-
Your winpe works very nicely and is stable, but the rule of never using any other software is a very stupid idea. You have to use at least pecmd.exe and startisback. Your winpe is full of garbage files, but I cannot blame you because your aim is not to simplify the winpe; your aim is only to get as much working as you can. It is very useless to have such an aim, because if somebody wants that he should use Windows To Go if he needs to boot full Windows. Also winbuilder is full of garbage. A good winpe has to be 330mb in size and should have at least 80% of full Windows functionality. It can be done, but Windows updates more frequently than the self-motivated winpe warriors. The hard-working Chinese have not achieved that either, but they are closer than everybody in other English-speaking forums; they do not have legal limits and they can share everything they want. I have downloaded at least 80% of Chinese builds. It needs very hard work to download them because the great Chinese firewall and baidu do not let you reach them. At least in my country. Most of them are very good but not good enough. They are also halfway to making a good winpe. If someone wants printer support in his winpe he should be stupid, if someone wants remote desktop support in his winpe he should be stupid + But everyone needs targets in their life. A target could be reachable or unreachable, but at least they are targets and help a person to be motivated. There are always miracles, and once upon a future a genius can appear from the darkness and create miracles. When a Windows 7/8/8.1 winpe can do more than 10 does in less size, it will always be useless to work on 10, but people like to be famous and to use the latest. I wish luck to my competitors because I have less time to work on it but am close to 90% of my own targets.
Anyone here who has worked in a workplace where the end users have been using the oldest hardware and do not have enough money to use the latest software, or enough RAM to boot such big wims, could understand me. Please get rid of the garbage, because you can find a fully installable Windows 10 x64 in CD size on the internet, and your 30% functionality winpes are bigger than them. I have not installed them, but these are not winpe, they are installable Windows 10 images. It means they have at least 200 mb of boot.wim garbage. Your winpes are bigger than lite images. (https://i.hizliresim.com/dOJoyn.jpg)
-
Maybe someday we can all live up to your standards :lol:
-
Hi, noelBlanc
I saw your thread about html+Js. But with my poor english, i couldn't speak about. I don't understand details. In my old job, i use MSHTA+ VBS.
What I said "html+Js" is MSHTA.It is same thing but JS has lots of plugins now in the open source world, for the filesystem operation what JS can be done =VBS can be done.
but config file like JSON format, JS is native support, and the UI operation with JQuery is really easy,so I use it now.
WinXShell is written by C/C++ to make it less dependency. C# is good for developing, but needs .NET framework, that make it big size for WinPE.
>About MTP, do you speak about "Media Transfer Protocol" ?
YES. why I need it:
WinPE is just use for maintenance the file system and install Windows for my needs.
100MB+'s WIN10PE which without LAN,audio support, and winsxs be reduced winre.wim + some portable applications is good for that.
but sometimes I need to search on the Internet, and download some files/drivers...
I can temporarily use my PHONE for that, but I can't transfer them to the PE with only a USB cable.
(no WIFI support and driver integration, so I also can't use an FTP/HTTP server to transfer them)
Hi, ChrisR
About the Media Transfer Protocol, I guess that the check during installation is probably related to ProductOptions(Policy - EditionName, brandinginfo or productinfo..!)
thanks for the information.
-
Hi, vvurat
The PE is not for end user, but for understanding how to make things to work in WinPE,
more like a study/research project.
>You have to use at least pecmd.exe and startisback.
I don't think so.
add the things can make some actions to be simple, but no essence change for PE.
startisback just some fast entry to run files(shortcut)
and most people know how to add them, it's easy to do is it.
* make wow64 work
* ShowDesktop(Win+D) in native way(explorer's functional)
* printer on SYSTEM
* ...
* ...
this things make essence change and need some one to do/research them.
I think is good that PE builders learn the knowledge here and integrate them for end users.(ShowDesktop function is integrated in PECMD with noelBlanc's work!)
noelBlanc should focus on those things, not waste time to make it "beautiful" now.
>the rule never use any other software is very stupid idea.
that is because powershell is too powerful can implement everything he need.
but I agree with you, noelBlanc can use some software temporarily which one he already know how it work,
save some time to fast forward to next survey.
>When a windows 7/8/8.1 winpe can make more than 10's do in less size it will always be useless to work on 10 but people like to be famous and to use latest.
the new hardware forces us to use the new one.
7/8/8.1 pe is in less size, you can use them with WIN10PE in one ISO, not expect one PE for every environment.
-
Hi all.
@slore and @bob.omb, thank you for your answers.
@vvurat, thank you for your candor. I know that we are not looking at WinPE in the same way.
Once again, my goal is to understand and share around WINPE.
There are two parts:
a PDF file that contains all the information I think useful to build "sound" WinPE. But it's true that I often forget to change it. The script is sometimes more complete.
a script that makes it possible to check what I advance.
So, I hope the reader will be able to add by itself a feature in "its" WinPE in the absence of package provided by MS.
Now that I'm retired, I like to look for how to add features to WINPE, even if it's no use.
It reminds me a little of the problems I had to face.
Everyone can read my scripts and take ownership of the information contained. Even without knowing PowerShell. It is true that the names of the functions are often in French.
My scripts are poorly written. But it is quite easy to isolate, for each functionality, the list of keys, services, drivers, files, ACLs...
And then each one can integrate this information with his favorite method in his project (Winbuilder/baker, CMD, regedit, Reg. exe or other).
It is true that this last job cannot be done by an end-user not knowing how to build or adapt a boot.wim.
If someone wants to integrate in his project one or two functionalities not yet proposed by Win10SE and which is described in my PDF, as far as he writes the plugin, I volunteer to help him.
When I was contacted to study MSTSC + NLA, I did it with pleasure. This was a bit long before the person could make his own WinPE with his method and CMD. But we have won together and each has progressed.
If I use Powershell (and thus dotnet), it is to hide nothing.
Who did not ask the following question: But what is setwow64.exe for? What does it do and how?
Misty noted on another site that this program has become useless again.
I seem to remember that Vvurat told me the same thing several months ago. But i don't connect in my main.
I no longer use "monsetwow64.PS1" since version 1709.
It is good to know what this program does and to demonstrate it. Information exists on Chinese sites but is difficult to understand with an online translator.
But how to make these various information accessible around setWow64, for example? Well that's the purpose of my PDF.
Remove Dotnet and PS would be one more project in the WinPE sphere. It takes a long time to list all the necessary files and keys. And it would no longer be possible to talk about sharing information, say how such a feature should be installed.
My goal is not to provide an ISO or a WinPE ready for use but to help whoever wants to add a functionality.
When I was working, I implemented the automation of OS change on over 60.000 machines spread over 14.000 sites. And this from NT4 up to W7.
Very few sites allowed PXE to be used. So I used WINPE in various forms, PXE, FLAT, CD/DVD, VHD, USB disk and in different contexts, physical machines as virtual (among other things for a DOS application that was supposed to work in a 64-bit 2K8 server!)
So I understand that the size of WINPE is important in some cases (PXE for example). I understand that the speed of loading is important too. I understand that physical media are important.
And I don't understand that using a WinPE in FLAT mode is not considered an alternative to a simple boot.wim.
The creation is simple. The evolution of content is faster and easier. There is not the waste of time of loading the OS in the RAMDISK.
And the size of WinPE is no longer a constraint!
It is no longer rare to find USB sticks more than 16GB, or better, USB drives. With a WinPE Flat in a VHD (16GB), I start on a 512 MB VM in HyperV.
Who tried WinPE in flat mode in a physical disk and compared the delays?
Why Winpe10? Simply because it is the OS that is installed on my physical machine. I took advantage of the free migration offered by MS during the launch of WINDOWS10.
And especially because it avoids the difficult to identify compatibility issues when using DISM.
Finally, it is possible not to use MS programs to modify WINPE, to make its USB "bootable", to modify the BCD, etc.
But the ADK and MS offer all the programs I need to occupy my free time, from WinDbg to ProcMon.
-
Hi,
I finish to identify all files and keys for a full WMP. I'll update script/pdf when i get time.
I'll explain in the pdf what i see and because WMP doesn't work in my previous script.
@slore : i read in a MS's document ( but i can't find it at this time ) that MTP comes with WMP. I think it's only for the package...or commercial reasons.
I connect my phone ASUS ( mode MTP ) to my new winpe : In system\enum\usb i can see the entry VID_0B05&PID_7772 with description = Android
It appears in devmgmt.msc in "other devices" and "the drivers for this device are not installed"
I think it's a good step.
I compare with my windows10 normal : it gives me wpdmtp.inf
I think many things are missing, class ... long job to compare :sad:
I try to get files and manually install...
Baby is ok ? i'm grand father...
-
hi,
On the road of MTP via USB ...
[attach=1]
In setup.dev.log :
!!! dvi: Device not started: Device has problem: 0x25 (CM_PROB_FAILED_DRIVER_ENTRY), problem status: 0xc0000034.
old site : https://blogs.msdn.microsoft.com/iliast/2007/11/28/analyzing-the-installation-of-umdf-and-kmdf-1-5-drivers/
But a few of information.
Same error for the SD card Reader in the machine.
With eventvwr :
[attach=2]
-
I have seen quite a few request this, nice progress, i would definitely add this to my build when you get it sorted and if I have time will try to help... :thumbsup:
You may need something from here: https://www.microsoft.com/en-us/download/details.aspx?id=19153
-
hi bob.omb,
Happy to read you.
I download it. It's true it's for XP and Vista. And I think MTP in Windows 10 uses a new version of protocol. But many many ".doc" and source code. Perhaps i find something on the Entry Api of the driver. Or about architecture for USB.
And of course you can help because I really don't know how to go on. We need new ideas!
My current job:
I install a win10 in a VHD. I modify the hives system and software, BCD. Not much change. It becomes a "WinPE ". Then boot. And I'm connecting my smartphone. I look in the log...
But now I need a method to investigate in driver_entry. But which driver, which file ".sys"? Is it possible to modify the driver to get traces? ...
-
Good to see the "MTP USB Device" on the picture. :thumbsup:
you are so fast!
For long time the feature is missing in WIN10PE, so take your time.
I am looking forward to the PDF how to make it work step by step after you finish it.
Baby is ok ? i'm grand father...
hyperactive, healthy...
I lack of some night sleeping time, but it's worth for that.
watching him grow up.
-
Hi slore.
Good new about baby. In France, it is recommended to speak several languages to babies :grin:
About MTP :
I'll begin this night reading "mtp porting Kit" pointing by bob.omb.
But now, I'm stuck. I lack information on the architecture of MTP software layers. I will try to disassemble the code of one of the two drivers with Ida.
It is the first time I'm facing an installation that is successful and with a device that does not respond. 20 years ago I wrote 2 drivers for NT4 without really understanding what I was doing. I found the "DOS IRQ". The IRP was a new concept. But I recognize that I'm not sure use windbg to trace these MTP drivers.
I understand that the installation made in my context WinPE "full-flat" is disturbed. Yet no changes in Software or in System does impact MTP. All other drivers such as RDP, Printers, USB, Disk, etc., work without anomalies. If it is the security mechanism of the OS that is involved, then it will be impossible.
See you soon
edit...
I just did a test with my old ZTE F160 which is not Android and does not use MTP.
I connected it by the USB plug. It exposes a CD with an autorun.exe that installs specific drivers to the constructor.
It works the first time.
A photo for fun... but I know, we're far from MTP.
[attach=1]
-
Hi,
Update for WMP with version 17. Only files missing.
Why it is difficult to give key and files list ? because no one can have the same base of construct Winpe.
About MTP and WPD (the base) :
Harder than I thought :mad:
My first comparison "WinPE in Full-Flat mode" Versus "Win10 normal": The changes I made do not imply WPD or MTP
In the site "reboot", a person failed to add a UMDF driver to Winpe4
My first idea:
The "SECURITY" mechanism could be the cause of the anomaly.
I'm still doing a little research.
But for now, I can't identify the useful components or their role.
The site that for now has brought me the most information:
https://docs.microsoft.com/en-us/windows-hardware/drivers/wdf/
A presentation in a PPT downloaded from the site of MS:
http://download.microsoft.com/download/f/0/5/f05a42ce-575b-4c60-82d6-208d3754b2d6/FDeveloping-UMDF-Drvs.ppt
(in PDF here: https://paperzz.com/download/1809258)
FAQ: https://docs.microsoft.com/en-us/windows-hardware/drivers/wdf/user-mode-driver-framework-frequently-asked-questions
Source and WinDbg:
https://docs.microsoft.com/en-us/windows-hardware/drivers/wdf/
I must say that source is too big for me. And i suppose it's not helpful for the issue
So, i'll work like a Turtle :turtle: ...
-
Harder than I thought
So, i'll work like a Turtle
take easy.
"SECURITY" mechanism
Administrator account would be work?
-
Hi,
I have read many documents about WPD and especially UMDF/KMDF.
The anomaly encountered during the installation implements many components of the architecture UMDF/KMDF.
On my test machine, the first WPD error occurs during startup when the smart card reader is detected by the PNP mechanism.
This allowed me to understand the links between the displays of "Device Manager" ( details, properties...) and the file "SetupAPI.Dev.log".
Note: There was also a driver missing for this player.
I then became interested in the connection of my smartphone.
I took a trace procmon and stored the files SetupAPI.Dev and Ntbtlog.
Then I looked for how to reproduce this anomaly in order to confirm my idea that took slowly.
This information crossing remains the starting point for my next work with Windbg. But it will be for later.
Following the PNP detection of the smartphone, Drvinst.exe reports an error when the device is loaded in SetupAPI.Dev.log.
There are two installation attempts and this is confirmed by the loading sequence of the drivers in Ntbtlog.
SetupAPI.Dev.log:
"[Setup online Device Install (Hardware initiated)-USBVID_0B05 & PID_7772H1AXHM02E213W93]--> > My smartphone
...
DVI: {Core Device Install} 21:00:53.210
...
DVI: Install Device: Starting device ' USBVID_0B05 & PID_7772H1AXHM02E213W93 '. 21:00:54.007
DVI: Install Device: Starting device completed. 21:00:54.070
!!! DVI: Device not started: Device has problem: 0x25 (CM_PROB_FAILED_DRIVER_ENTRY), problem status: 0xc0000034.
DVI: Class Installer: Exit "
Summary of ProcMon trace that shows the following sequence:
Drvinst.exe
Wpd_ci.dll: WpdClassInstaller-------------------> class installer
SetupAPI.dll: SetupDiInstallDevice----------------> Install Device
SetupAPI.dll: SetupDiSetupDeviceProperty
Devobj.dll: DevObjSetupDeviceProperty
Cfgmgr.dll: CM_Set_DevNode_PropertyW
KernelBase.dll: DeviceIoControlFile
Then
Wpd_ci.dll: WpdClassInstaller
SetupAPI.dll: SetupDiInstallDevice
Devobj.dll: DevObjRestartDevices---------------->?
Cfgmgr.dll: CM_Get_DevNode_Status
KernelBase.dll: DeviceIoControl
Then
Wpd_ci.dll: WpdClassInstaller
SetupAPI.dll: SetupDiInstallDevice
Devobj.dll: DevObjRestartDevices
Devrtl.dll: DevRtlWriteTextLog
Devrtl.dll: DevRtlWriteTextLogError----------------> LogError
With "net start wudfRd", I see the error: "System error 2 has occurred. The system cannot find the file specified".
But no file access visible in ProcMon.
This new ProcMon trace shows a sequence of function calls that seems to me to match the sequence when writing the error with the installation of the smartphone.
I'm fortunate enough to have IDA. Certainly for the last time in my life.
With the functions/offset provided by ProcMon and the analysis of IDA, the origin of the error could be in this part of the code in wudfRd.sys:
RdDriver::RdDriver
Call RdDriver::InitializeLpcAndConnect
And IDA brings this comment (but where does it find it?)
UMDF Reflector is unable to connect to Service Control Manager (SCM). This is expected during boot, when SCM has not started yet. Will retry when it starts.
Code 0xc0000034 STATUS_OBJECT_NAME_NOT_FOUND (https://msdn.microsoft.com/en-us/library/cc704588.aspx)
As this code uses a Vtable that makes it incomprehensible.
I have to use WINDBG to be able to go further.
This is still my only working hypothesis.
I have never used Windbg with a Kernel driver.
That seems to me to be very complex at the moment.
And will take a very very long time !
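
The log lines quoted in the post above can be pulled out of a full setupapi.dev.log with a small filter. This is an added example, not part of the original post and not noelBlanc's script; the function name, the lookup tables and the sample log text are constructed for illustration.

```powershell
# Added example: list failed device starts recorded in a setupapi.dev.log.
# Function name, lookup tables and sample text are constructed, not from the thread's scripts.
function Get-SetupApiStartFailure {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [AllowEmptyString()]
        [string[]]$Line
    )
    begin {
        # A few CM_PROB_* (cfg.h) and NTSTATUS (ntstatus.h) values, used only as a fallback.
        $problemNames = @{
            0x0A = 'CM_PROB_FAILED_START'
            0x1C = 'CM_PROB_FAILED_INSTALL'
            0x25 = 'CM_PROB_FAILED_DRIVER_ENTRY'
            0x27 = 'CM_PROB_DRIVER_FAILED_LOAD'
            0x34 = 'CM_PROB_UNSIGNED_DRIVER'
        }
        $statusNames = @{
            'c0000034' = 'STATUS_OBJECT_NAME_NOT_FOUND'
            'c000000f' = 'STATUS_NO_SUCH_FILE'
            'c0000022' = 'STATUS_ACCESS_DENIED'
            'c0000428' = 'STATUS_INVALID_IMAGE_HASH'
        }
        $headerRx = '^>>>\s+\[(?<title>.+?)\s+-\s+(?<device>[^\]]+)\]'
        $failRx   = '^!!!\s+\w+:\s+Device not started: Device has problem:\s+0x(?<problem>[0-9a-fA-F]+)' +
                    '(?:\s+\((?<pname>\w+)\))?,\s+problem status:\s+0x(?<status>[0-9a-fA-F]+)'
        $device = $null
        $title  = $null
    }
    process {
        foreach ($l in $Line) {
            if ($l -match $headerRx) {
                # Start of a section: remember which device it belongs to.
                $device = $Matches['device']; $title = $Matches['title']
                continue
            }
            if ($l -match '^<<<\s+\[Exit status') {
                $device = $null; $title = $null
                continue
            }
            if ($l -match $failRx) {
                $code   = [Convert]::ToInt32($Matches['problem'], 16)
                $status = $Matches['status'].ToLowerInvariant()
                # Prefer the name written in the log, fall back to the table.
                $pname  = $Matches['pname']
                if (-not $pname) { $pname = $problemNames[$code] }
                [pscustomobject]@{
                    Device      = if ($device) { $device } else { '(outside a section)' }
                    Section     = $title
                    Problem     = '0x{0:X2}' -f $code
                    ProblemName = $pname
                    Status      = "0x$status"
                    StatusName  = $statusNames[$status]
                }
            }
        }
    }
}

# Constructed sample: two failed attempts for one device, one clean install for another.
$sample = @'
>>>  [Device Install (Hardware initiated) - USB\VID_0B05&PID_7772\SAMPLE0001]
>>>  Section start 2018/01/01 21:00:53.000
     dvi: {Core Device Install} 21:00:53.210
     dvi:      Install Device: Starting device 'USB\VID_0B05&PID_7772\SAMPLE0001'. 21:00:54.007
     dvi:      Install Device: Starting device completed. 21:00:54.070
!!!  dvi:      Device not started: Device has problem: 0x25 (CM_PROB_FAILED_DRIVER_ENTRY), problem status: 0xc0000034.
<<<  Section end 2018/01/01 21:00:54.100
<<<  [Exit status: SUCCESS]
>>>  [Device Install (Hardware initiated) - USB\VID_0B05&PID_7772\SAMPLE0001]
>>>  Section start 2018/01/01 21:00:55.000
     dvi:      Install Device: Starting device completed. 21:00:55.625
!!!  dvi:      Device not started: Device has problem: 0x25, problem status: 0xc0000034.
<<<  Section end 2018/01/01 21:00:55.700
<<<  [Exit status: SUCCESS]
>>>  [Device Install (Hardware initiated) - USB\VID_FFFF&PID_0001\SAMPLE0002]
     dvi:      Install Device: Starting device completed. 21:01:02.000
<<<  [Exit status: SUCCESS]
'@

$failures = $sample -split "`r?`n" | Get-SetupApiStartFailure

# One line per device with the number of failed start attempts, then the details.
$failures | Group-Object Device | ForEach-Object {
    '{0}: {1} failed start attempt(s)' -f $_.Name, $_.Count
}
$failures | Format-List Device, Section, Problem, ProblemName, Status, StatusName
```

On a running WinPE the same function can be fed the real file, for example `Get-Content X:\Windows\INF\setupapi.dev.log | Get-SetupApiStartFailure`.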
-
That seems to me to be very complex at the moment.
And will take a very very long time !
I have seen more progress in the topic than others.
slow is not problem,take your time.
=======================================
I don't know if it be related.
some drivers can't pass the signature check with drvinst.exe.
usually skip the next call check to make it work in PE.
DriverStoreNotifyCallback:
00000001400039BE: FF 15 74 19 01 00 call qword ptr [__imp_pSetupValidateDriverPackage] <=== THIS CALL
00000001400039C4: 8B D8 mov ebx,eax
00000001400039C6: 85 C0 test eax,eax
00000001400039C8: 75 08 jne 00000001400039D2
00000001400039CA: 8B 06 mov eax,dword ptr [rsi]
00000001400039CC: 41 89 47 10 mov dword ptr [r15+10h],eax
00000001400039D0: EB 3B jmp 0000000140003A0D
00000001400039D2: BA 20 00 00 00 mov edx,20h
00000001400039D7: 89 44 24 20 mov dword ptr [rsp+20h],eax
00000001400039DB: 4C 8D 0D 96 26 01 lea r9,[??_C@_0DL@BAACEHAK@Driver?5package?5failed?5signature?5@]
-
Hi,
Just to say that I managed to implement the debugger and put BP in WudfRd. And this confirms the API calls that triggers the 0xc0000034 error. With the vtable, it was impossible for me to identify the requested APIs.
Now I'm going to be able to look at the code a little.
fffff802`b0d759e0 ffe0 jmp rax {WUDFRd!WdfLpcInterface::WdfGetProcessManagementName (fffff802`b0d6e880)}
"UMDFCommunicationPortsProcessManagement"
...
fffff802`b0d759e0 ffe0 jmp rax {WUDFRd!WDFLPC::Connect (fffff802`b0d6f460)}
Rax = 00000000c0000034
I go to bed
-
Hi,
I continue the investigation with WinDbg but without significant result.
- At the time of the error: the function WudfRd!WDFLPC::Connect calls the kernel ZwAlpcConnectPort function
And the return is: 0xc0000034. But I can't find any information on this code.
I link it to the information of "DEVMGMT.msc" which reports "(code 37) object name not found".
I also link it to the contents of the SetupAPI.Dev.txt file that reports an error:
" dvi: Install Device: Starting device completed. 21:00:55.625
!!! dvi: Device not started: Device has problem: 0x25 (CM_PROB_FAILED_DRIVER_ENTRY), problem status: 0xc0000034."
- A little investigation with WinDbg and Ida
Inserting the smartphone triggers the PNP mechanism that installs the drivers.
Then the wudfRd.SYS driver is loaded (by whom and how?) as shown in the Procmon traces.
And its initialization fails in "DriverEntry".
The call to ZwAlpcConnectPort, which returns the 0xc0000034 code, is found fairly quickly in IDA. Vtable complicates everything
- An object "Windows": PortName ALPC?
fffff802`b0d759e0 WUDFRd!WdfLpcInterface::WdfGetProcessManagementName (fffff802`b0d6e880)}
-->>> \UMDFCommunicationPorts\ProcessManagement
Winobj.exe shows that "UMDFCommunicationPorts" is an entry in the object tree.
But "ProcessManagement" does not appear. Nor in Winpe. Nor in normal Windows10....
- I also searched for a description of the LPC (old)/ALPC (new). But they are rare or too complex.
A good description on this site answers the question "What is LPC" and describes the connection logic:
https://blogs.msdn.microsoft.com/ntdebugging/2007/07/26/lpc-local-procedure-calls-part-1-architecture/
In short, LPC/ALPC is a means of communication between a client and a server.
My hypothesis, assuming the ALPC connection logic is identical to that of LPC:
in the case of WPD, and after inserting the smartphone into the USB socket of the PC:
The PNP mechanism loads the drivers winusb.sys and WUDFRD.sys
The driver WudfRd.sys connects to a port already created by a server (Which?)
The client/server connection logic in ALPC is read in AllAboutTheRPCLRPCALPCandLPCinYourPC.PDF:
(video : http://www.securitytube.net/video/10182)
ALPC Server calls NtAlpcCreatePort
o Specifies port name, attributes (such as maximum message length), and security descriptor (who is allowed to open a handle to the port)
o Server receives an “ALPC Server Connection Port” object handle
ALPC server calls NtAlpcSendWaitReceivePort
o Can now receive incoming connection requests (LPC_CONNECTION_REQUEST)
o Blocking call – unless asynchronous operation is used (TBD)
ALPC client calls NtAlpcConnectPort
o Specifies server port name, attributes, and an optional “connection message”
ALPC server wakes up…
The WinDbg script to list ALPC: http://www.zer0mem.sk/?p=542
I do not know what is this server. The name of the port is passed as a parameter seems to be :
"\UMDFCommunicationPorts\ProcessManagement"
Note: the wdf01000.SYS driver is loaded very early when the PC starts.
How to investigate in ALPC?
How to find the server that should respond to WudfRd?
I will continue to follow the calls that precede the error with WinDbg but it's long.
Nothing Wonderful for tonight
-
Hi,
About WPD/MTP :
With Windbg, I continued to walk in the code....
I have located the function that generates the error code C0000034: nt!ObpLookupObjectName
I place here some information for future use.
Segment/offset differ at each boot.
The stack before the error:
# Child-SP RetAddr Call Site
00 ffffef02`736b4450 fffff803`d4fad4d6 nt!ObReferenceObjectByName+0x10a
01 ffffef02`736b4720 fffff803`d4fac8bf nt!AlpcpCreateClientPort+0x76
02 ffffef02`736b47c0 fffff803`d4fac322 nt!AlpcpConnectPort+0x257
03 ffffef02`736b4940 fffff803`d4c07553 nt!NtAlpcConnectPort+0x6e
04 ffffef02`736b49c0 fffff803`d4bff370 nt!KiSystemServiceCopyEnd+0x13
05 ffffef02`736b4bc8 fffff800`3f63533a nt!KiServiceLinkage
06 ffffef02`736b4bd0 fffff800`3f6329c9 WUDFRd!WdfLpcCorePortInterface::Connect+0xfa [minkernel\wdf\framework\umdf\common\lpccoreclient\lpccore.cpp @ 298]
07 ffffef02`736b4d10 fffff800`3f62f583 WUDFRd!WdfLpcCommPort::WdfLpcCommPort+0x549 [minkernel\wdf\framework\umdf\common\lpc\lpccomm.cpp @ 172]
08 ffffef02`736b4dd0 fffff800`3f62f4c8 WUDFRd!WdfObjectList<WdfLpcCommPort,WdfLpcCommPortParameters>::CreateNew+0x4f [minkernel\wdf\framework\umdf\common\inc\clientserver\object.hpp @ 755]
09 (Inline Function) --------`-------- WUDFRd!WdfLpc::Connect+0x3e [minkernel\wdf\framework\umdf\common\lpc\lpc.cpp @ 533]
0a ffffef02`736b4e00 fffff800`3f63897b WUDFRd!WdfLpc::Connect+0x68 [minkernel\wdf\framework\umdf\common\lpc\lpc.cpp @ 517]
0b ffffef02`736b4e90 fffff800`3f629183 WUDFRd!RdDriver::InitializeLpcAndConnect+0x23b [minkernel\wdf\framework\umdf\redirector\driver\driver.cpp @ 972]
0c ffffef02`736b4f30 fffff800`3f662235 WUDFRd!RdDriver::RdDriver+0x54b [minkernel\wdf\framework\umdf\redirector\driver\driverpnp.cpp @ 404]
0d ffffef02`736b5140 fffff800`3f627039 WUDFRd!DriverEntry+0x1b5 [minkernel\wdf\framework\umdf\redirector\driver\driverpnp.cpp @ 147]
0e ffffef02`736b5310 fffff803`d4efa57a WUDFRd!FxDriverEntryWorker+0xb9 [d:\th\minkernel\wdf\framework\kmdf\src\dynamic\stub\stub.cpp @ 325]
0f ffffef02`736b5340 fffff803`d4efcc8b nt!IopLoadDriver+0x4da
10 ffffef02`736b5510 fffff803`d4efd2a8 nt!PipCallDriverAddDeviceQueryRoutine+0x1b3
11 ffffef02`736b55a0 fffff803`d4f00009 nt!PnpCallDriverQueryServiceHelper+0xcc
12 ffffef02`736b5650 fffff803`d4f098b8 nt!PipCallDriverAddDevice+0x385
13 ffffef02`736b57f0 fffff803`d4ee53cf nt!PipProcessDevNodeTree+0x164
14 ffffef02`736b5a70 fffff803`d4bb077a nt!PiRestartDevice+0xa7
15 ffffef02`736b5ac0 fffff803`d4ad4e05 nt!PnpDeviceActionWorker+0x43a
16 ffffef02`736b5b80 fffff803`d4ac0f87 nt!ExpWorkerThread+0xf5
17 ffffef02`736b5c10 fffff803`d4c01676 nt!PspSystemThreadStartup+0x47
18 ffffef02`736b5c60 00000000`00000000 nt!KiStartSystemThread+0x16
the function "nt!ObReferenceObjectByName" calls "nt!ObpLookupObjectName".
And in the case of winpe, "nt!ObpLookupObjectName" tests :
fffff803`d4f9adea 4c8badf8000000 mov r13,qword ptr [rbp+0F8h] <<<<<<<<<<<<<<<<<<<<<< [rbp+0F8h] ???
fffff803`d4f9adf1 4d85ed test r13,r13
fffff803`d4f9adf4 0f8572070000 jne nt!ObpLookupObjectName+0x119c (fffff803`d4f9b56c)
fffff803`d4f9adfa bf340000c0 mov edi,0C0000034h <<<<<<<<<<<<<<<<<<<<<<<<<<<<<< !!!!!!!!!!!!!!
Very naively, I would do the test to change this memory box. To see...tomorrow.
-
I know you are probably way farther than this but I just noticed this post by Chris a while back for MTP
http://theoven.org/index.php?topic=2229.msg24141#msg24141
when we were taking peeks at it...
I have to admit, I haven't jumped in yet. I do not have a device I can test on, I use iPhone.. I do hope this feature eventually gets figured out it would be useful...
-
Hi bob.omb,
I am very happy and honored by your interest in my investigations. :smile:
Thanks for the link I did not know.
This is a game for me. No matter what the final utility is. I play with WinDbg on the one hand. And on the other hand I discover WDF (KMDF/UMDF) and MTP that I do not know.
Without Android, you can use the WDF (KMDF/UMDF) framework if your pc has an SD card reader. In Winpe, you need to put the driver for the reader. And after, WDF framework will be loaded. I wrote a little bit about this before...
In the Full-flat version of my winpe, all files and keys are present. If PNP detects hardware, then the driver is loaded. The big advantage of Full-flat for investigation (not for working at office). As i wrote before :
Loading the wdf01000 framework drivers is visible in the log file "SetupAPI.dev".
The error 0xC0000034 is visible with procmon and with windbg.
Some new informations...
By realizing the first comparisons in a normal Windows 10, I realize that I have been mistaken since my first observation.
I was deceived by the display of winobj.exe. :mad: The reality is quite different from this display.
Note: WinDbg is launched using the menu "Kernel\local" as shown in the prompt "lkd>".
In a normal WINDOWS10:
:ohmy: WinObj (administrator mode) does not display anything under tree structure "UMDFCommunicationPorts".
I don't know why ( access may be prohibited since access to properties is ).
:lol: Now, the command "!object UMDFCommunicationPorts" in Windbg displays:
lkd> !object \UMDFCommunicationPorts
Object: ffffda0c51572920 Type: (ffffb08adc6cef20) Directory
ObjectHeader: ffffda0c515728f0 (new version)
HandleCount: 0 PointerCount: 3
Directory Object: ffffda0c51016920 Name: UMDFCommunicationPorts
Hash Address Type Name
---- ------- ---- ----
30 ffffb08ae110c9c0 ALPC Port ProcessManagement
33 ffffda0c543ec990 Directory WUDF
The entry "\UMDFCommunicationPorts\WUDF" contains the following elements:
lkd> !object \UMDFCommunicationPorts\WUDF
Object: ffffda0c543ec990 Type: (ffffb08adc6cef20) Directory
ObjectHeader: ffffda0c543ec960 (new version)
HandleCount: 1 PointerCount: 6
Directory Object: ffffda0c51572920 Name: WUDF
Hash Address Type Name
---- ------- ---- ----
14 ffffb08ae1368bd0 ALPC Port HostProcess-4004d68e-eb65-411f-93f3-267b08b3520f
23 ffffb08adfa09480 ALPC Port HostProcess-bdd92219-ec86-42cc-883e-0cc50d9087b6
ffffb08ade853bf0 ALPC Port HostProcess-68734194-bb9e-4805-bcb6-4c35e12b3f92
35 ffffb08adf64ee20 ALPC Port HostProcess-25da0260-f878-4fe9-afad-dcb47f989a08
All addresses point to "WUDFHost.exe" :
lkd> !object ffffb08ae1368bd0
Object: ffffb08ae1368bd0 Type: (ffffb08adc768f20) ALPC Port
ObjectHeader: ffffb08ae1368ba0 (new version)
HandleCount: 1 PointerCount: 32756
Directory Object: ffffda0c543ec990 Name: HostProcess-4004d68e-eb65-411f-93f3-267b08b3520f
lkd> !findhandle ffffb08ae1368bd0
***NO HANDLES IN PROCESS ffffb08ae0d3b080***
[ffffb08adf631080 WUDFHost.exe]
200: Entry ffffda0c56d34800 Granted Access 1f0001 (Inherit)
The case of "\UMDFCommunicationPorts\ProcessManagement" is even more interesting:
lkd> !object ffffb08ae110c9c0
Object: ffffb08ae110c9c0 Type: (ffffb08adc768f20) ALPC Port
ObjectHeader: ffffb08ae110c990 (new version)
HandleCount: 1 PointerCount: 32710
Directory Object: ffffda0c51572920 Name: ProcessManagement
lkd> !findhandle ffffb08ae110c9c0
***NO HANDLES IN PROCESS ffffb08ae0d3b080***
[ffffb08ae0dba080 services.exe]
1ec: Entry ffffda0c542e67b0 Granted Access 1f0001 (Protected)
lkd> !alpc /p ffffb08ae110c9c0
Port ffffb08ae110c9c0
Type : ALPC_CONNECTION_PORT
CommunicationInfo : ffffda0c5440a520
ConnectionPort : ffffb08ae110c9c0 (ProcessManagement)
ClientCommunicationPort : 0000000000000000
ServerCommunicationPort : 0000000000000000
OwnerProcess : ffffb08ae0dba080 (services.exe)
SequenceNo : 0x00000005 (5)
CompletionPort : 0000000000000000
CompletionList : 0000000000000000
ConnectionPending : No
ConnectionRefused : No
Disconnected : No
Closed : No
FlushOnClose : Yes
ReturnExtendedInfo : No
Waitable : Yes
Security : Static
Wow64CompletionList : No
Main queue is empty.
Direct message queue is empty.
Large message queue is empty.
Pending queue is empty.
Canceled queue is empty.
In winpe : only "\UMDFCommunicationPorts"
Which means I wasn't looking at the right place
My new orientation:
WudfRd cannot get in touch with the server "\UMDFCommunicationPorts\ProcessManagement".
This is not a WudfRd error.
But it is the server that did not create the object that WudfRd search.
We know that several services do not start if SystemSetupInProgress = 1. So, perhaps something like that for WDF.
How to find the driver that creates the object "\UMDFCommunicationPorts\ProcessManagement"?
An idea?
-
hi,
With spring and summer, i make a very big break.
After, i'll play with WDF/WPD.
See you later.
-
hi,
One word before you leave....
I do not describe the research that allowed me to go from wudfRd.sys to "services.exe" : too long !
A summary of my findings (not to forget and before going on a trip):
I wasted a lot of time reading documents on WDF, on the "ALPC Port", as well as analyzing code with WinDbg and Ida.
But I didn't know where to look or what to look for.
Today I sought to make new findings with depends.exe which shows:
"Services.exe" uses "WUDFPlatform.dll" which exports some APIs and uses NtCreateAlpcPort ...
My observation in my Winpe with two important points:
1-the command line of "services.exe":
CommandLine: 'X:\windows\system32\services.exe -Setup'
2-The DLL "WUDFPlatform.dll" is absent in the space of "services.exe"
I infer that the origin of all the impossibilities relating to WPD/MTP could come from this command line.
This opens up new avenues of investigation!
The sequel: It will be for much later. Yes, I'm advancing like a turtle :turtle:
-
Hi,
I try your ps scripts but I get stuck at the very first step!
See attached icon
[attach=1]
-
Hi dpap,
Sorry for the delay.
I never took the time to get the PS to deal with 3 possible sources containing the decompressed files "install.wim"
So you have to unzip the "install.wim file" version you want in a directory on a hard drive. And you must use/give this unzip path.
As a result, the button will be active.
I'm leaving for a long journey, one or two months. I did not update to the latest version of W10 (V1803).
I'll be happy to get your opinion. You can write me on my e-mail noelblanc.winpe (at) free.fr or by PM.
My contribution aims to describe how to add self even features in winpe. It is a documentary and educational purpose.
Unfortunately, I don't want to use the language of winpe10Se. So sometimes there's an effort to do.
See you later
-
Hi NoelBlanc
unfortunately it didn't help.
I used the path of decompressed wim files (win10PR_SE2017-12-02\workbench\win10PESE\cache\Windows10 S_cloud_10.0.16200.15_x64_el-GR\install_wim) but the buttons still grayed!
-
Hi dpap,
My script tries to discover the language of the OS contained in the unzipped file corresponding to the System hive. The "Launch " button is enabled only if the language is recognized.
After mounting this hive in HKU:\tmp_ref_sys, it uses the key "...\ControlSet001\Control\MUI\UILanguages" to identify the language.
In the main PS script:
line 317: it defines the key for language testing
line 693: the test to activate (or not) the "lancement" button ($button_Excution.Enabled = $true)
Can you mount this hive (from your source) and verify the presence of these keys? Or "send/share" me "your" system hive?
Is your source a "Windows10 S"?
"win10PR_SE2017-12-02...10.0.16200.15"
I have never tested them.
Please, if it is possible for you, use my email noelblanc.winpe(at)free.fr or PM
I hope my English is not too bad.
-
Hi,
Some news from WPD-MTP: It works for my microwinpebuilder for a month or two (I can't remember).
It only worked with the kernel debugger WINDBG: So, not practical!
Now it works automatically.
Getting MTP is not as simple as copying "files/keys/install drivers"
When I realized that an ALPC port was missing, I read many documents on ALPC ports and the WDF-Wumdf platform (for 3 or 4 months).
I do not remember how I understood that I had to look in "services.exe". Chance probably.
PPL security hides the loading of DLLs in "services.exe".
And I found that the service contains the name of the ALPC port and can load "WudfPlatform.dll".
So I take WinDbg and go..... but I need to learn how to use the kernel debugger!
And I find that I can tell "services.exe" to load this DLL.
After that, MTP works "directly" in my WinPE FullFlat.
Getting "files/keys/services/drivers" for the MicroWinpeBuilder context was long but not too complex.
To get MTP without "WinDbg", I have two ways: to modify the "services.exe" program or to find a bypass.
I tried to change the program "services.exe". But the PPL security mechanism prohibits the modification of the file "services.exe".
On another site (why not name it? A lot of people go on both sites), I posted in order to find out if anyone knew a trick for this change.
Impossible for me.
So the workaround is to create a hook as @slore explained.
Now I find that my SmartCard drive in my WinPE does not work. And it uses WUMDF.
It doesn't work in my fullFlat context. So I think it's more complex to get it.
I will be bringing the scripts and PDFs up to date after the Christmas holidays.
I will look at the SmartCard reader in January.
-
Hi, noel
:great: Great thanks for researching my hard request.
YOU sent gift to me early. :xmas-thumbsup:
Look forward to the later update.
:xmas-beer:
-
@slore Thank you very much. And Your help was absolutely necessary for the hook. :thumbsup:
For a long time, the spooler and printers are working in my WinPE context.
And this morning, I finally got what I've been looking for for a long time.
- Can eject a USB device with the icon at the bottom right
- See printers in Devices and printers ( icon at the bottom right also )
It still requires a lot of work to understand it and to master reproducing it systematically.
You can see the picture...
Hope you can put it one day in your context
Merry Christmas
-
I would love to get all three of these working in SE. MTP, Printer support, and USB Ejection, Where do I start? The PDF? There is also a way to ”Enable Feature in Source” for Print components. This may help with your projects...
I am looking at the differences between regular sources and altered sources now...
I am extracting Win10 install media v1809 to C:\Src - Also creating an empty folder C:\Test4
Then I am using the below commands (in Admin command prompt) to prepare my source with a bunch of interesting stuff (Index 10 - Pro for Workstations - to be safe for built in ReFS support)
DISM /Mount-image /imagefile:C:\src\sources\install.wim /Index:10 /MountDir:C:\Test4
DISM /Image:C:\Test4 /Enable-Feature /FeatureName:NetFX3 /All /LimitAccess /Source:C:\src\sources\sxs
DISM /Image:C:\Test4 /Enable-Feature /FeatureName:NetFx4Extended-ASPNET45 /All /LimitAccess /Source:C:\src\sources\sxs
DISM /Image:C:\Test4 /Enable-Feature /FeatureName:SMB1Protocol /All /LimitAccess /Source:C:\src\sources\sxs
DISM /Image:C:\Test4 /Enable-Feature /FeatureName:SMB1Protocol-Client /All /LimitAccess /Source:C:\src\sources\sxs
DISM /Image:C:\Test4 /Enable-Feature /FeatureName:SMB1Protocol-Server /All /LimitAccess /Source:C:\src\sources\sxs
DISM /Image:C:\Test4 /Enable-Feature /FeatureName:SMB1Protocol-Deprecation /All /LimitAccess /Source:C:\src\sources\sxs
DISM /Image:C:\Test4 /Enable-Feature /FeatureName:TelnetClient /All /LimitAccess /Source:C:\src\sources\sxs
DISM /Image:C:\Test4 /Enable-Feature /FeatureName:TFTP /All /LimitAccess /Source:C:\src\sources\sxs
DISM /Image:C:\Test4 /Enable-Feature /FeatureName:Printing-Foundation-LPDPrintService /All /LimitAccess /Source:C:\src\sources\sxs
DISM /Image:C:\Test4 /Enable-Feature /FeatureName:Printing-Foundation-LPRPortMonitor /All /LimitAccess /Source:C:\src\sources\sxs
DISM /Image:C:\Test4 /Enable-Feature /FeatureName:LegacyComponents /All /LimitAccess /Source:C:\src\sources\sxs
DISM /Image:C:\Test4 /Enable-Feature /FeatureName:Microsoft-Windows-Subsystem-Linux /All /LimitAccess /Source:C:\src\sources\sxs
DISM /Unmount-Image /MountDir:C:\Test4 /Commit
You can also use:
DISM /Image:C:\Test4 /Get-Features
To list available features in the mounted index (After using the first line above - DISM /Mount-image /imagefile:C:\src\sources\install.wim /Index:10 /MountDir:C:\Test4)
After this the features and reg keys will be baked into your install source waiting for you to pluck them out with whatever build method you choose.
**Note:
In install source after the above method mrxsmb10.sys is present in System32\Drivers @ index 10 now, with this we would have only needed to copy the file instead of the tricks we had to do... also present are .NET 3.0-3.5 files and others, as expected.. This could be an interesting addition to the projects moving forward, preparing the install media before use. (I have a test plugin created, Chris has a copy) :thumbsup: Hopefully enabling the printer features in your source before build will help you get PE components working...
-
hi,
@bob.omb
thank you for the build method.
I'm now with family for the week and the celebrations (Christmas and New Year).
I'll reply in January.
I beg your pardon. Family first.
-
Absolutely :thumbsup:
Have a great holiday! See you in January :wink:
-
Hi bob.omb
Some news about "Eject USB Storage"
Before anything else, I must say: It doesn't work every start.
I did some tests without activating the spooler. I got the expected behavior.
My test context: Boot to USB disk and VHD containing WinPE in Flat mode so there is always a USB device. It is different from Winpese/WinpeXpe.
In the notification area, at the bottom right, the icon with the ToolTip/Balloon "Safely Remove Hardware and Eject Media" is used to eject a connected (plugged) USB device.
The line displaying "Eject USB Storage" is usually absent in WinPE.
The line displaying the name of the USB device is dimmed.
It was a long time since I wanted to understand why this display was incomplete in this icon.
Chance did the right thing. It was by testing my printer installation that I found the correct display of "Eject Usb Storage".
And a simple change in my environment was necessary.
It is certainly possible to ungroup this view and the printers.
Now I'm going to describe various anomalies and constraints.
Important TimeOut:
With the new change, the line "Eject Usb Storage" appears with a delay of approximately 2 minutes after the DSMSVC service is started.
A random locking operation: My USB drive is present. I'm inserting a USB key. They are therefore visible in the "Safely Remove Hardware and Eject Media" icon at the bottom right!
From the "Eject USB Storage" icon, if one of the USB devices is ejected, the "Explorer" window will be updated 1 or 2 seconds later.
But the bottom right icon "Safely Remove Hardware and Eject Media" does not display anything until the key has been removed.
When the device is removed, the icon becomes operational and displays its content: my USB Drive
The constraint related to my environment:
To date, this feature "Eject USB Storage" is embedded in the printer installation
The sequence that works in my context is very simple:
1-Change the value: HKLM:\system\setup -Name systemsetupInProgress = 0
2-net stop dsmsvc (in my "build", this DSMSVC service is configured with "start = demand")
3-net start dsmsvc
NOTE: 2 minutes after starting the DSMSVC service, the "Eject USB Storage" entry appears if a USB drive was connected (I am using a bootable USB drive for my tests)
4-Wait before changing the value systemSetupInProgress = 1 (see the explanation that will follow)
I had the chance to find a sequence that gives this result but I can't explain why it works or why there is a delay.
And I can not identify the (invisible) elements that are implemented (services requested, Object DCOM...).
A word on the postponed modification "systemSetupInProgress = 1":
I don't know when "DeviceSetupManager.dll" will read and process this value. That is why, currently, I do not modify it immediately after the DSMSVC service is started.
I have redone 2 or 3 tests
-by neutralising the start/stop of the DSMSVC service in my script: no display of "Eject USB Storage" even after 10 minutes
-by neutralising the spooler: Correct display of "Eject USB Storage" (and always with the delay)
Regarding the integration of this sequence in another context of "Build":
-I use the Software hive of install.wim. This avoids looking for one by one the necessary keys, work long and without real interest. The difference in size (64MB versus 10MB) is small (in my opinion).
-I installed many services (and almost all addons of MMC)
-I only use the native desktop provided by "Explorer.exe"
It seems easy to install this service DSMSVC and to identify the associated files (dependencies, Services...)
For the keys to the Software hive, this is going to be a little more difficult.
Ways to understand how to eliminate this delay: I don't have any!
I used IDA. But I had very little time to analyze the code. It seems that the test of this key is done from the beginning of the service's "main ". But the analysis will be long.
A long way for 2019 !
PS : A few figures:
t=0 Boot
25s display of rotating points
1'25 "cmdline" black box display
1'40 Display of the small box at the top left of the keys "Setup" to explore
2' Desktop display
3' End script display "ACL printer" = Start/stop dsmsvc and presence of 2 PDF/XPS Printers
Mouse interaction to regularly check the presence of "Eject USB Storage" and open "Devices and Printers"
4'40 Display of "Eject USB Storage" and 4 devices in the topic "Unspecified"
11' Correct display of 2 printers, 'Computer' and 'USB storage' and Remote Desktop printers
If necessary, contact me by PM or email
I have updated my PDF file (first post)
-
Hi
For printers, it's a lot longer to explain than "Eject USB Storage"
In October 2016, I was able to install the PDF and XPS printers as well as my Samsung SCX-4500 printer.
The investigation had been long. It's a solitary job. And there is little help to wait when you misunderstand English.
It was the first time I had embarked on such an adventure. It turned out to be pretty straightforward.
The method of installation adopted is not perfect. And to this day, I have never corrected it.
Having never had a single return on this subject, I saw no reason to do better.
So I read the script "traitement.PS1" to summarize the part dealing with the installation of printers.
And I repeat that this is the result of an old (fall 2016) and clumsy piece of work.
But to this day (January 2019), under Winpe10, my clumsy work remains a potential basis.
Regarding the integration of this sequence in another context of "Build":
-I use the Software hive of install.wim. This avoids looking for one by one the necessary keys, work long and without real interest. The difference in size (64MB versus 10MB) is small (in my opinion).
-I installed many services (and almost all addons of MMC)
-I only use the native desktop provided by "Explorer.exe"
The Spooler service is the centrepiece of the printer architecture. We need to consider two essential points.
-Identify useful elements to install the spooler
The first step is to start the spooler without error.
Its installation is quite simple and requires little investigative work.
-Enable the Spooler
But like many services (EventLog, TermService...) Its startup is not enough to make it operational.
Because in WinPE, a lot of features are blocked. WINPE is a tool to install Windows.
Many features are not compatible with its efficiency, speed, robustness, etc.
The spooler is inactive if "HKLM\system\setup\systemsetupInProgress" = 1
Boot sequence read in my script:
Set-ItemProperty HKLM:\system\setup -Name systemsetupInProgress -Value 0
Stop-Service Dsmsvc
Start-Service Dsmsvc
Start-Service spooler    # "start = 2" in my "System" hive, but no auto start
PDF and XPS Printers
When you have managed to install the spooler, it starts without error, it is active, then you have to install printers.
Currently, it is the spooler itself that installs the PDF and XPS printers.
It does it 2 minutes after it starts (as in a normal Windows 10)
Some reminders:
The printers in the ADM session may be different from the printers in the system session.
Redirected printers from a "Remote Desktop " Session are replayed to local printers.
The "Devices and Printers" Refresh occurs 3 to 5 minutes after the connection
In the system session, you cannot install a printer shared by another computer
My installation method is flawed:
Currently, the script "PostDemarrageWinpe.PS1" is launched after WinPE is started. It performs several tasks.
-Fix the ".inf" file names in the Drivers hive
#
# DISM creates oemxxxx entries. So, I need to recreate them with the good names
#
reg load hklm\drivers X:\windows\system32\config\DRIVERS
$t = "ntprint.inf", "ntprint4.inf", "prnms003.inf", "printqueue.inf"
$c = Get-ChildItem "HKLM:\drivers\DriverDatabase\DriverInfFiles" | ? { $_.Name -like "*oem*" }
$c | % { $i = $_; foreach ($s in $t) { $z = gp $i.PSPath; if ($z -like "*$s*") { Copy-Item ($i.PSPath) $(Join-Path ($i.PSParentPath) $s) } } }
reg unload hklm\drivers
-Start of services
Set-ItemProperty HKLM:\system\setup -Name SystemsetupInProgress -Value 0
Stop-Service Dsmsvc
Start-Service Dsmsvc
Start-Service Spooler
-Modification of the security (ACL) of ...\spool\printers
-Second installation of printqueue.inf with the MS software System32\InfDefaultInstall.exe
I still have work to do to remove these construction anomalies
Printers with "Remote Desktop"
I run WinPE on a remote machine. And I use "Remote Desktop" (MSTSC) to connect to this WinPE.
So my local printers are added to local WinPE printers.
Again, the refresh in "Devices and Printers" is long and takes between 3 to 5 minutes
Note 1: I added 2 .mof files for PowerShell
# for gwmi Win32_Printer
X:\windows\system32\wbem\mofcomp.exe X:\windows\system32\wbem\win32_printer.mof
# for Get-Printer
X:\windows\system32\wbem\mofcomp.exe X:\windows\system32\wbem\PrintManagementProvider.mof
Note 2: The XPSRCHVW.exe file is missing some details about the installation
The .cat for usbprint.sys with v1809: "C:\Users\noelBlanc\Desktop\signtool.exe" verify /kp /a /v Drivers\usbprint.sys
Verifying: Drivers\usbprint.sys
File is signed in catalog: C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package00~31bf3856ad364e35~amd64~~10.0.17763.1.cat
The Services installed:
$clesPrinter=@'
;services
Tmp_System\ControlSet001\Services\spooler
Tmp_System\ControlSet001\Services\usbprint
;for printer pdf and xps
;dsmsvc is also used by "Eject USB Storage"
Tmp_System\ControlSet001\Services\dsmsvc
;control
Tmp_System\ControlSet001\Control\Print
'@
For files: see the "traitement.ps1" script in my PDF V4 (too long, and it depends on your base)
For the "software" keys: nothing to add, because the Software hive comes from install.wim
function printer{
# 1- copy .cat for usbprint.sys for v1809 --> see $filesPrinter above
# Microsoft-Windows-Client-Desktop-Required-Package00~31bf3856ad364e35~amd64~~10.0.17763.1.cat
# 2- dism /Add-Driver ... usbprint.inf... /forceunsigned
# copy usbprint.sys to ...\system32\Drivers : i don't remember if it is necessary with v1809 !
# 3- copy printupg.inf and ntprint.inf to ...\windows\inf:
#printupg.inf used by ntprint.inf : i don't remember if it is necessary with v1809 !
#added V1803 : ntprint.inf
# 4- copy ...\windows\System32\spool\prtprocs\x64 ( should be in copyfile section )
copy-item -Recurse $(join-path $RefWindows "windows\System32\spool\prtprocs\x64") $(join-path $targetWindows "System32\spool\prtprocs\x64")
# 5- dism /Add-Driver ... NtPrint.inf
# 6- printer pdf and xps : installation will be done by spooler service, 2 mn after it starts
# 7- dism /Add-Driver ... NtPrint4.inf
# 8- dism /Add-Driver ... Us008.inf for my printer samsung
# i put all needed files for drivers in a directory. I took them from samsung's package
# 9- dism /Add-Driver ... Prnms003.inf for PDF and XPS printers
#
# attention :
# "DISM Add-driver" rename .inf into OEMxxx.inf
# Drivers hive doesn't contain entry for ntprint.inf nor ntprint4.inf.
# i think spooler needs it. So, a script recreate these entries when winpe starts
# Actually, printqueue.inf must be re-installed after winpe starts or after remote desktop creates a printer
# 10- dism /Add-Driver ... printqueue.inf
# so that devmgmt.msc can display the good name of PDF/XPS printers
# bug : it's not enough. printqueue.inf must be re-installed after spooler starts and after printers were added by remote desktop
# so, i copy printqueue.inf to ...\inf ( see script postprinter )
# 11 - copy all files needed in system32
CopieDesFichiers $filesPrinter
# 12 - modif v1709 : i create a script that modify an ACL on ...\spool\printers directory
#13 - add V1803 : copy all \inf\ prn*.inf to \inf but i don't know if it is needed in v1809
}
edit : You must neutralize systemsetupInProgress just before you start printing with "StartdocOpen".
So systemsetupInProgress = 0 before you start printing.
If necessary, contact me by PM or email (see in PDF)
Still some works for 2019 ...
-
I forgot the printer post-script. I quickly add some pieces of PS (not complex to understand)
#region printer
# systemsetupInProgress must be neutralized just before starting to print with "startdocOpen"
$PostPrinter=@'
#
#postPrinter must run in the System session !!!
#
#*******************************************************
write-host -ForegroundColor green "`nPostPrinter et DsmSvc"
#*******************************************************
write-host -ForegroundColor yellow "`tMofcomp"
# for gwmi win32_printer
x:\windows\system32\wbem\mofcomp.exe x:\windows\system32\wbem\win32_printer.mof
# for get-printer
x:\windows\system32\wbem\mofcomp.exe x:\windows\system32\wbem\PrintManagementProvider.mof
#
# DISM created oemxxxx. i need to recreate with good names: need more investigation
#
write-host -ForegroundColor yellow "`tReg load/unload ...\DRIVERS"
reg load hklm\drivers X:\windows\system32\config\DRIVERS
$t = "ntprint.inf","ntprint4.inf","prnms003.inf", "printqueue.inf"
$c = get-childitem "HKLM:\drivers\DriverDatabase\DriverInfFiles" | ?{$_.name -like "*oem*"}
$c | %{ $i = $_; foreach($s in $t){$z=gp $i.pspath;if($z -like "*$s*"){copy-item ($i.pspath) $( join-path ($i.PSParentPath) $s) }}}
reg unload hklm\drivers
set-itemproperty hklm:\system\setup -name systemsetupInProgress -value 0
write-host -ForegroundColor yellow "`tStart-service dsmsvc"
Stop-service dsmsvc
Start-service dsmsvc
write-host -ForegroundColor yellow "`tStart-service spooler"
start-service spooler
# don't do that too fast : so, i never do that !
#set-itemproperty hklm:\system\setup -name systemsetupInProgress -value 1
write-host -ForegroundColor yellow "`tNew for V1709 : modify ACL on directory ...\spool\printers"
$scripAclPrinteV1709="x:\modifAclPrinterV1709.ps1"
if ( test-path $scripAclPrinteV1709){
$p = start-process "powershell.exe" -ArgumentList "-file $scripAclPrinteV1709 " -passThru
}
'@
$CodePourV1709=@'
#New with V1709 !!!
write-host -ForegroundColor yellow "`tNew for V1709 : modify ACL on directory ...\spool\printers"
#spooler.exe will create this directory 2 minutes after it starts
$cible = "X:\windows\system32\spool\printers"
while(!(test-path $cible)){
start-sleep -m 500
}
$aclBase = get-acl $cible
# create ace
$allInherit = [System.Security.AccessControl.InheritanceFlags]"ContainerInherit", "ObjectInherit"
$allPropagation = [System.Security.AccessControl.PropagationFlags]"None"
$NTsystem = [system.security.principal.SecurityIdentifier]'S-1-5-18'
$rule1=New-Object System.Security.AccessControl.FileSystemAccessRule($NTsystem,"FullControl",$allInherit, $allPropagation,"Allow")
# add this ace to the final acl
$aclBase.SetAccessRule($rule1)
$aclBase | set-acl -Path $cible
#add : re-installation of printqueue
while ((get-printer).count -ne 2){
start-sleep -s 1
}
x:\windows\system32\InfDefaultInstall.exe X:\windows\inf\printqueue.inf
'@
-
Hi
For WPD-MTP ( smartphone in winpe ), please, see the post created by slore.
He explains better than i can do.
http://theoven.org/index.php?topic=2390.msg30428#msg30428
We work together and he makes the hook dll.
Enjoy.
I'll continue to work on the smartCard reader, which also uses WUMDF
-
Thank you I am looking at this now. Good read :thumbsup:
Thanks for all your hard work I will start with your and slores MTP for cameras/phones then move into printing/usb ejection.. at the least being able to print to PDF is very useful
-
Hi,
As I said, I tried to install the SmartCard reader again.
By doing a test with my environment "full-flat", I found that by connecting the network the Wuauserv service would automatically install the drivers for that drive. This simplifies the investigation :grin:
And so, for my SmartCard reader, it was simply missing the driver brought by Rtsp2storx.inf (oz776x64.inf already present)
Anomaly: the "Eject USB Storage" part is very disturbed. :sad:
The SmartCard ejection does not allow you to find a correct display.
It seems that the removal of the device is not reported to the various windows.
"Kill/Restart Explorer " is not a solution.
In my full-flat environment, I also noticed the installation of the Bluetooth stack and its proper functioning.
It is therefore possible to integrate it into another environment.
But I'm not sure it would be helpful. So I'm going to deal with something else.
Detail:
I read on a site that it is possible to change the name of the icon "This PC". I think it's very much in the right.
$cle = join-path $tmp_soft_PS 'Classes\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}'
$null = Set-ItemProperty $cle -name 'LocalizedString' -value '%computername% %userName%' -Type ExpandString
There is still some work to search with "Eject USB Storage" :bike:
-
Hi,
Problem "Eject USB storage" When 2 USB devices are connected and one is removed:
When removing the device, a process is created and remains blocked:
"X:\windows\System32\RunDll32.exe" X:\windows\system32\hotplug.dll,HotPlugSafeRemovalDriveNotification USB-MicroSD (K:)
The icon at the bottom right "safely remove..." is no longer displayed
If I kill this process, the icon does not reappear
I waited 5 minutes in case a timeout fixes it: no fix
If kill/restart "Explorer": Icon is OK
I assume COM/DCOM communication is blocked.
Possible track: "runas" to delete somewhere. I delete only entries "runas=interactive user"
If someone can give me an idea...
-
hi,
For a long time I wanted to find a way to back up the system and software hives in WinPE.
Indeed, after installing an application in WinPE, the additions in these hives are lost with reboot.
The context that I am imposing:
-Do not use a product like "Winbuilder" and its plugins,
-Do not modify my script because the search for changes (useful!) made by the installation of a program can be long and useless (like Citrix for example)
-use WinPE in Flat mode to benefit from the "Persistence" files (USB key and/or VHD!)
So I use the method, simple but a little restrictive, which is to save the 2 hives before shutting down Winpe (Reg save...).
Then you have to reboot on the same disk but with a second WinPE. And from this second WinPE, we can edit the files of the first WinPE. And so copy the backed-up system and software hives and overwrite the old ones.
And at the next reboot on the first WinPE, it will find its application ready for use.
The solution is simple in my case: Build a BCD for a second WinPE.
I have not been able to make these 2 copies from the software "native.exe" launched thanks to "BootExecute".
And watch out for viruses!
-
hi,
No news from me about winpe ( computer is not my friend at this time ).
I go on a bike trip until the end of the summer.
If some want to test my ISO for build 1809 (October 2018?) size = 870Mb to test printers for example, here is a link :
https://1drv.ms/f/s!Ao1n1sCvil3_ildf_aE9xbH7_2vD
name of iso file : winpe10V1809.ISO
It comes with a french keyboard but you can easy change for English keyboard.
Of course there are not all drivers. But you can add your own with DISM commands.
And be sympathetic, give me a return whatever it is.
-
hi,
A long time ago ...
As everyone, i try V1903.
My news : PDF, XPS printers are ok but it was long to find it.
First of all, I thank Slore who is very supportive and actively helps me in my research.
With the V1903 version I find that the PDF and XPS printers are no longer automatically installed.
Normally, they are installed 2 minutes after the start of the spooler
But with my winpeV1903 FULLFLAT version (from a real installation of w10 "degraded" in winpe by modifying the hives), Pdf printers and xps are available without anomalies.
After much research with Windbg and IDA V7 (free), I found that localspl.spl was testing an event every 30 seconds.
But this event did not change and the dll did not come out of its loop.
localspl.dll!IsSystemCurrentlyUpgrading calls : spoolss.dll!SplIsUpgrade
spoolss.dll!SplIsUpgrade calls : spoolsv.exe!PrvSplIsUpgrade
spoolsv.exe!PrvSplIsUpgrade calls in a loop:
lea rcx, WNF_DEP_OOBE_COMPLETE
call cs:__imp_NtQueryWnfStateData
After much more research, I found some information in the following sites:
https://blog.quarkslab.com/playing-with-the-windows-notification-facility-wnf.html
https://gracefulbits.com/2018/08/13/find-which-process-is-using-the-microphone-from-a-kernel-mode-driver/
http://redplait.blogspot.com/2012/09/wnf-notifiers.html
http://redplait.blogspot.com/2017/08/wnf-ids-from-perfntcdll.html
"A3BC0C75 - 41960B29 WNF_DEP_OOBE_COMPLETE
This event triggers when the system has completed OOBE (Windows Welcome)"
The question: what is the indicator of "the system has completed OOBE (Windows Welcome)"?
It is understood that there are two tracks to follow, modify the dll or look for the indicator WNF_DEP_OOBE_COMPLETE
1 - First method: change localspl.dll!IsSystemCurrentlyUpgrading
Very easy with IDA V7 (extraordinary free tool)
C:\Windows\System32>fc /B "C:\Users\noelb\Desktop\ida-asm\1-v1903\localspl - New.dll" C:\Users\noelb\Desktop\ida-asm\1-v1903\localspl.dll
Comparaison des fichiers C:\USERS\NOELB\DESKTOP\IDA-ASM\1-V1903\localspl - New.dll et C:\USERS\NOELB\DESKTOP\IDA-ASM\1-V1903\LOCALSPL.DLL
0001417E: 31 85
00014180: 90 0F
00014181: 90 95
00014182: 90 C0
2 - Second method: understand the WNF mechanism and act on the indicator WNF_DEP_OOBE_COMPLETE
I tried to follow with windbg the call of NtQueryWnfStateData in the "kernel". But too complex for me.
So I did more research on the WEB.
I found a real "bible" on WNF in the site:
http://www.alex-ionescu.com/Publications/BlackHat/blackhat2018.pdf
And an example of code in the site:
https://gist.github.com/msmania/472912cd6e9ab067be3211ba3f5f0f9e
But the code was not very helpful to me.
The information from "blackhat2018.pdf" is extraordinary. And I quickly realized that WNF_DEP_OOBE_COMPLETE 0x41960B29A3BC0C75:
- is a permanent notification despite the PC reboots,
- is stored in the software hive (which I already knew thanks to fullflat),
- where it is located in the hive of a normal w10 :
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Notifications
(exactly here: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Notifications\Data
41960B29A3BC0C75 REG_BINARY 01 00 00 00 01 00 00 00
but I prefer to copy/paste the whole "Notifications" key)
With this new data in hand, I made a "copy/paste" of the right key (…\notifications) in the "software" hive of winpe.
Don't forget to reset SystemSetupInProgress, start spooler, and fax, PDF, XPS printers have been installed.
And Pdf Printer creates a file in my winpe.
It's a busy week of rain. And for the next week of rain, I have to look for why "termservice" displays a black screen.
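Added example, not part of the original post or of noelblanc's scripts: a check of the two registry values this post relies on, read from the offline hives of a mounted WinPE image before building. The hive paths and the temporary mount names `tmp_chk_*` are assumptions; the value name and the expected data are the ones quoted in the post.

```powershell
# Added example (not from the thread's scripts). Run elevated on the build host.
# Assumptions: the two hive paths below, and the temporary mount names tmp_chk_*.
param(
    [string]$SoftwareHive = 'C:\mount\Windows\System32\config\SOFTWARE',
    [string]$SystemHive   = 'C:\mount\Windows\System32\config\SYSTEM'
)

# Value name and data as quoted in the post for WNF_DEP_OOBE_COMPLETE.
$WnfName     = '41960B29A3BC0C75'
$WnfExpected = '01 00 00 00 01 00 00 00'

function Invoke-WithHive {
    # Load a hive file under HKLM\<Name>, run $Body against it, always unload.
    param([string]$File, [string]$Name, [scriptblock]$Body)
    & reg.exe load "HKLM\$Name" $File 2>&1 | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "reg load failed for $File" }
    try {
        & $Body "HKLM:\$Name"
    }
    finally {
        # Release registry provider handles, otherwise the unload is refused.
        [gc]::Collect()
        [gc]::WaitForPendingFinalizers()
        & reg.exe unload "HKLM\$Name" 2>&1 | Out-Null
    }
}

# 1) Is the persistent WNF state present in the SOFTWARE hive, and with which data?
$wnfData = Invoke-WithHive $SoftwareHive 'tmp_chk_soft' {
    param($Root)
    $key = Join-Path $Root 'Microsoft\Windows NT\CurrentVersion\Notifications\Data'
    $p = Get-ItemProperty -Path $key -Name $WnfName -ErrorAction SilentlyContinue
    if ($p) { ($p.$WnfName | ForEach-Object { $_.ToString('X2') }) -join ' ' }
}

# 2) What does the SYSTEM hive say about SystemSetupInProgress?
$setupInProgress = Invoke-WithHive $SystemHive 'tmp_chk_sys' {
    param($Root)
    $p = Get-ItemProperty -Path (Join-Path $Root 'Setup') -Name SystemSetupInProgress -ErrorAction SilentlyContinue
    if ($p) { $p.SystemSetupInProgress }
}

[pscustomobject]@{
    WnfOobeCompletePresent = [bool]$wnfData
    WnfOobeCompleteData    = $wnfData
    MatchesPostValue       = ($wnfData -eq $WnfExpected)
    SystemSetupInProgress  = $setupInProgress
}
```

A missing value, or data that differs from the post's, matches the situation described above where the spooler keeps polling and the PDF and XPS printers are never installed.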
-
Hi,
Good news about termservice in V1903
A long time...a long job...and many bad ways for research.
Now i can connect a W10 remote computer (running mstsc.exe) to my Winpe v1903 computer (using termservice) and get the "good" display, not a black screen.
Some words....
First, i searched around indirectkmd.sys. Ms changes something in the architecture of the graphic drivers.
https://docs.microsoft.com/en-us/windows/deployment/planning/windows-10-deprecated-features
DDM-based remote display driver
Starting with this release, the Remote Desktop Services uses a Windows Display Driver Model (WDDM) based Indirect Display Driver (IDD) for a single session remote desktop. The support for Windows 2000 Display Driver Model (XDDM) based remote display drivers will be removed in a future release.
Second, because i didn't find the missing files with procmon, I searched on registry/drivers/services side... for a long time.
Third, I thought "wdmf" driver installation was the key. But too complex for me and no information in French to study.
Fourth, MSRA.EXE (novice in winpe asks for help) had the same "black screen". I looked at it for some time. But it's not the same origin ("novice MSRA" doesn't work in session system).
Fifth, these last days, I tested "my" hives in my fullflat environment where "termservice is OK". After correcting a BSOD (long time), the display of termservice is OK. So, I thought it was only missing files.
4272 files in system32 in fullflat, 1900 files in "my" system32 in winpe!
Note: don't forget that these 2 files are not good in winpe: WallpaperHost.exe and windows.immersiveshell.serviceprovider.dll. So, rename them if needed.
I spent a lot of time testing (dichotomy and chance) and found 3 missing files:
;add V1903
windows\system32\Windows.Graphics.dll
windows\system32\DispBroker.Desktop.dll
windows\system32\DispBroker.dll
Procexp shows that DWM.EXE is using the three files! And when I trace with procmon, I always remove DWM.exe. That's why the research took me such a long time!!!
Before launching mstsc and for a first test, I install rdpidd with "pnputil /add-driver rdpidd.inf /install"
And termservice becomes OK.
Perhaps the picture can show you the remote screen.
ps : i put an iso (fr) here https://1drv.ms/f/s!Ao1n1sCvil3_ildf_aE9xbH7_2vD
-
Hi,
With V1909, for my build, I use the boot.wim file of ADK 1903: it's normal because MS says it's normal.
But when I start from this winpe, I get a black screen.
In the VM I can briefly see the window of startnet.cmd.
So I understand that I need more thought.
3 methods:
- use Flat Winpe and use a kernel debugging session, but where to put the BP?
or
- use Flat Winpe and create/analyze a dump file when the error occurs
or
- use Flat Winpe, procmon boot logging and look at the WER logs
The last one is easier.
1 - Procmon boot logging in Flat mode:
it shows that no file is missing for the DWM feature/component
2 - WER (WerFault and its report) in Flat mode
WerFault creates an error report file in:
"X:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_dwm.exe_4768d7780538cee7b2f2bfca411f3c2ad93d_25529819_91290e5f-a5ec-424f-a05b-d0cb38a59f2c\Report.wer"
It contains :
"
EventType=BEX64
NsAppName=dwm.exe
Sig[3].Name=Fault Module Name
Sig[3].Value=ism.dll
Sig[6].Name=Exception Offset
Sig[6].Value=0000000000031da0
Sig[7].Name=Exception Code
Sig[7].Value=c0000409
"
And the report lists the loaded dll for this process.
I can't go any further in analyzing the code of this minidump file.
The creation and analysis of a minidump file shows that ism.dll calls a Win32u.dll function that triggers a system call (int2E or syscall).
error address : ism!KernelInputConnection<_MIT_PEN_EVENT_MESSAGE>::Initialize+1c8
system call : win32u!NtMITCoreMsgKOpenConnectionTo
See the file I'm joining for fun.
The questions become:
- what is the role of win32u.dll?
- is it normal that this function of ism.dll runs?
- is it its environment that is disturbed?
Answer: I have to think more!
3 - Cogitation around the lack of ADK for this version of the OS
MS does not provide ADK for Windows10-V1909 and imposes the use of V1903 ADK
However, many exe/dll have evolved and changed versions. This is the case for various DWM components.
The observation when booting: a loop of dwm.exe crashes.
A bug report in "X:\ProgramData\Microsoft\Windows\WER\ReportQueue" refers to ISM.DLL as the source of the error.
The file analysis shows that ism.dll calls win32u.dll.
4 - My first idea
This dll belongs to WinSxS\amd64_microsoft-windows-win32k_... which contains 3 files
i associate with win32kBase.sys from 'WinSxS' amd64_microsoft-windows-win32kbase_...
The idea is to use the versions of ISO V1909 for these 4 files.
And it works!
Conclusion:
You can't mix different versions of dll with impunity in a winpe
note : the same goes for the consistency of WinSxs files and SideBySide keys
The anomaly is not visible if you use WinRe.wim because the WinRe files are identical to those of the OS
Other components other than DWM may suffer from this version difference of some DLL
Perhaps WinRe is a more robust construction base than Winpe ? :lol:
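Added example (not part of the original post, and not the author's script): the WER check described above, as a PowerShell sketch that reads every Report.wer under the ReportQueue folder and groups them by application, fault module and exception code, so a crash loop like the dwm.exe one shows up as a single line with a count. The function names, the small status-code table and the constructed sample are assumptions; the sample holds only the fields quoted in the post.

```powershell
# Added example: summarise WER crash reports so a repeating signature stands out.

# Constructed sample, limited to the Report.wer fields quoted in the post.
$sampleReport = @'
EventType=BEX64
NsAppName=dwm.exe
Sig[3].Name=Fault Module Name
Sig[3].Value=ism.dll
Sig[6].Name=Exception Offset
Sig[6].Value=0000000000031da0
Sig[7].Name=Exception Code
Sig[7].Value=c0000409
'@ -split "`r?`n"

# Two well-known NTSTATUS values (added here, not taken from the post).
$knownCodes = @{
    'c0000409' = 'STATUS_STACK_BUFFER_OVERRUN'
    'c0000005' = 'STATUS_ACCESS_VIOLATION'
}

function ConvertFrom-WerReport {
    param([string[]]$Line)

    $fields   = @{}   # plain Key=Value pairs
    $sigName  = @{}   # index -> Sig[n].Name
    $sigValue = @{}   # index -> Sig[n].Value

    foreach ($l in $Line) {
        if ($l -match '^Sig\[(\d+)\]\.(Name|Value)=(.*)$') {
            $idx = [int]$Matches[1]
            if ($Matches[2] -eq 'Name') { $sigName[$idx] = $Matches[3].Trim() }
            else                        { $sigValue[$idx] = $Matches[3].Trim() }
        }
        elseif ($l -match '^([^=\[\]]+)=(.*)$') {
            $fields[$Matches[1].Trim()] = $Matches[2].Trim()
        }
    }

    # Join each Sig[n].Name with the Sig[n].Value that carries the same index.
    $sig = @{}
    foreach ($idx in $sigName.Keys) { $sig[$sigName[$idx]] = $sigValue[$idx] }

    $code = "$($sig['Exception Code'])".ToLower()
    [pscustomobject]@{
        EventType       = $fields['EventType']
        AppName         = $fields['NsAppName']
        FaultModule     = $sig['Fault Module Name']
        ExceptionOffset = $sig['Exception Offset']
        ExceptionCode   = $code
        CodeName        = $knownCodes[$code]
    }
}

function Get-WerCrashSummary {
    param([object[]]$Report)

    $Report | Where-Object { $_ } |
        Group-Object AppName, FaultModule, ExceptionCode |
        Sort-Object Count -Descending |
        ForEach-Object {
            $first = $_.Group[0]
            [pscustomobject]@{
                Count         = $_.Count
                AppName       = $first.AppName
                FaultModule   = $first.FaultModule
                ExceptionCode = $first.ExceptionCode
                CodeName      = $first.CodeName
                Offsets       = ($_.Group.ExceptionOffset | Sort-Object -Unique) -join ','
            }
        }
}

# ReportQueue path as given in the post; falls back to the sample elsewhere.
$queue = 'X:\ProgramData\Microsoft\Windows\WER\ReportQueue'
$reports = if (Test-Path $queue) {
    Get-ChildItem -Path $queue -Filter Report.wer -Recurse | ForEach-Object {
        # Assumption: Report.wer is stored as UTF-16LE.
        ConvertFrom-WerReport -Line (Get-Content -LiteralPath $_.FullName -Encoding Unicode)
    }
} else {
    ConvertFrom-WerReport -Line $sampleReport
}

Get-WerCrashSummary -Report @($reports) | Format-Table -AutoSize
```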
-
Most OEM's that create boot media, now prefer WinRE.wim (over ADK PE)
-
Hello,
An information about PDF printer and the displaying extension "*.prn"
I searched for a long time for the following anomaly when using the PDF printer in Winpe:
the extension "*.prn" appears in the file-type editbox of the file name entry window
To locate the discrepancy with my FullFlat winpe which clearly displays "*.pdf" in the editbox:
- comparison of the "procmon" traces of the 2 environments
- on winpe:
no reading of the top HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Print\Printers\Microsoft Print to PDF\PrinterDriverData\SaveAsExtensions
- on winpeFullFlat:
reading this key
The discrepancy appears after reading the Value SaveAsExtensionFromBaseMan (non-existent value in both cases)
- analysis of the stacks of the "procmon" traces to identify the functions of the dll put into play:
up the stacks from the WINSPOOL api code! GetSaveFileNameDialog
- analysis of the code of these dll with IDA7free
- a lot of time with windbg to find the divergence:
The code searches for data that is in the registry but does not read the registry, so these calls are invisible in procmon
I came to understand that the data was read when spoolsv.exe was booted and memorized in an internal structure of localspl.dll
A few days later, I find the data that generates the discrepancy:
"HKLM\SYSTEM\CurrentControlSet\Control\Print\Environments\Windows NT x86\Drivers\Version-3\Microsoft enhanced Point and Print compatibility driver"
Once the discrepancy is located, we must look for why this data is absent in my winpe.
The name of the key makes me think that I'm missing drivers for "...Environments\Windows NT x86..."
After a few more days of research, I find an obvious difference with procmon when starting the spooler:
Enumeration of HKEY_LOCAL_MACHINE\DRIVERS\DriverDatabase\DriverInfFiles\ntprint.inf
- On winpeFullFlat:
HKEY_LOCAL_MACHINE\DRIVERS\DriverDatabase\DriverInfFiles\ntprint.inf
default: ntprint.inf_x86_ce3301b66255a0fb
ntprint.inf_amd64_ce3301b66255a0fb
active: ntprint.inf_amd64_ce3301b66255a0fb
HKEY_LOCAL_MACHINE\DRIVERS\DriverDatabase\DriverInfFiles\prnms003.inf
default: prnms003.inf_x86_86cc1f2b72147922
prnms003.inf_amd64_e4ff50d4d5f8b2aa
active: prnms003.inf_amd64_e4ff50d4d5f8b2aa
- And on my winpe, I don't have the references to "_x86_"
Question: But where does this data come from?
I try an installation with "dism /add-driver" after doing the "mount" of my boot.wim.
"dism" reports: installation OK
But looking at the log file "setupapi.offline.log" I notice the absence of a real installation.
So I use the "elephant" method, I copy the ISO Drivers hive in my winpe.
And the extension ".pdf" is visible in my winpe.
I don't understand why "Dism/add-driver...inf_x86_ce3301b66255a0fb..." failed.
I did not do the test twice.
But I'd be delighted if someone gives me an explanation on that last point.
Yes, of course, I can use win10XPE or WimBuilder2.
But to each his hobbies: I like to understand.
Important note for francophones like me: WimBuilder2 is translated into French :cheerleader:
If your OS is "FR" then you will read French on the screen.
-
Hi
@Lancelot
I would like to ask you:
you will be able to create a new topic in win10XPE
and move the messages from this "post" dealing with the problem "extension .prn with PDF printer"
from the message "Reply #214 on: December 26, 2019, 03:28:52 PM"
http://theoven.org/index.php?topic=1639.msg36000#msg36000
If there is any concern or risk offending anyone, forget my request.
It seems to me more consistent to have a "topic" specific to this problem.
And also because, during last upload I received the warning informing me that this "thread" had reached the maximum size. So I deleted several files too old.
I try to keep in this forum the small place that you gave me a few years ago (2016).
Which I'm indebted to you for.
Thank you for your intervention
Ps : I hope the translator doesn't betray my point
-
Hi noelBlanc,
I fully understand you. :thumbsup:
Done http://theoven.org/index.php?topic=3019.0
If you have other posts you like to move, let me know. :thumbsup:
*
I received the warning informing me that this "thread" had reached the maximum size. So I deleted several files too old.
I guess this is attachment limit,
If you like I can add your files to http://lancelot.theoven.org/noelBlanc/
so you will not need to delete old files. ? :wink:
ps: I like to keep information. :xmas-cool:
If yes, just send me files with dropbox etc. with pm etc. :xmas-beer:
:turtle:
Edit:
Following noelBlanc request, posts moved to other topic: http://theoven.org/index.php?topic=3019.0
-
Hi,
About Bluetooth….
Since the bluetooth worked in my FullFlat winpe, I always postponed the investigation. When I say "bluetooth works" I mean that the bluetooth driver of my pc installs without error, that the icon appears in the taskbar at the bottom right. But that the menus of this icon remain inactive because they use the graphical interface "METRO".
Bluetooth context is easy to install in v1903, which is the only version that I have on my disk (I'm with family, not at my home).
My context of this first test:
winpe V1903FR ( but i think no many complex change because no change in architecture)
Drivers Hive from Install.wim
DISM.exe for installing drivers (you can adapt to your own method easy)
1 - Files for bluetooth
;system32
windows\system32\Bluetooth*.*
windows\system32\BTAGService.dll
windows\system32\BTH*.*
windows\system32\fsquirt.exe
windows\system32\Microsoft.Bluetooth*.*
windows\system32\Windows.Internal.Bluetooth.dll
;drivers
windows\system32\drivers\bth*.sys
windows\system32\drivers\rfcomm.sys
2 - Service for Bluetooth = with Drivers hive there is only one needed service (perhaps more depend on other Bluetooth service uses, but i never use Bluetooth with my pc)
Tmp_SYSTEM\ControlSet001\Services\bthserv
3 - Dism /add-driver for these drivers
bth.inf_amd64_*
bthleenum.inf_amd64_*
bthpan.inf_amd64_*
bthprint.inf_amd64_*
tdibth.inf_amd64_*
4 - DriversRepository :
i copy these directories from install.wim into mount\...\filesrepository
(not sure at this time this copy is needed)
Because i use dism, i copy all .sys in \Drivers and .inf in \INF. ! i don't know at this time if it is needed !!!
5 - Installing the driver of my pc: bcbtums-win8x64-brcm.inf_amd64....
But this driver is too old and is not in the driverstore.
In a normal W10, it is installed from the "WindowsUpdate" for the device during installation.
So I use a copy of this drivers.
6 - When winpe starts, bluetooth drivers are not installed.
For this first test, I need to use DEVMGMT.MSC to install this driver. The "Setup" engine looks into the winpe disk and finds the drivers in the driverstore.
And after that, everything is good as you can see in the picture.
Nevertheless, and because many internal tools are written for "METRO" GUI, it is not possible to get a MS graphical interface to make the device pairing
I'll look into writing an application to do "paired device": for my fun.
And I prefer to try to build my own application for pairing the device rather than using a better application coming from another place.
-
Noel,
I can Confirm Driver Installation & Bluetooth Tray Icon - Tray Bluetooth Menu Useless
Exported My Intel Bluetooth Driver From Host...
[attach=2]
Here Are The Bluetooth Files I Used
[attach=1]
-
Hi,
Here, I put the first job I did to investigate the issue "timeout 10 minutes before DSMSVC displays the complete screen for devices"
My ultimate goal: to better understand the implementation of ETW/WPP traces
Quick introduction of ETW and WPP technologies.
I think I understood the concepts of Providers, Controllers, Consumers.
Here is the site among all those I consulted that sums up well what I understood:
https://www.magicsplat.com/book/event_tracing.html
My main documentation for TMF files:
https://posts.specterops.io/data-source-analysis-and-dynamic-windows-re-using-wpp-and-tracelogging-e465f8b653f7
Analysis of DeviceSetupManager.dll (DSMSVC) code with IDA:
- to identify the guids
- to understand the use of WPP_xxx functions
The attached file describes a little more the method to produce the TMF file
Without this work, I think I would never have found a workaround for the timeout "10 minutes for DSMSVC"
Not really useful, but I must stay at home even when the sun is shining
-
Here is how I found a workaround for the issue "timeout 10 minutes before DSMSVC displays the complete screen for devices"
If someone can explain why cfgmgr32.dll waits 2 minutes for each call and why the result of the calls is not important....
The use of printers becomes a little more comfortable and a little more aesthetic.
But above all it opens up the possibility of exploiting some simple bluetooth devices, audio like my little speaker
I use a piece of code to do the coupling. But it was absolutely necessary that the timeout does not exist because I use "Devices And Printers" to activate the various BTH services of the devices.
But Bluetooth LE is not possible (by design, if I understand the MS doc well, metro style GUI only)
-
The microphone of my computers did not work in winpe but now "i can speak !" :lol:
1-1- before anything else, you have to understand the following 2 cases:
a- The manufacturer's drivers can be used for the computer 'targeted'
about 300MB extra! Too big. I'm not testing!
b- Generic MS audio drivers can be used
I find that these generic audio drivers do not recognize the microphone built into one of my computers
I checked with W10 "normal" by uninstalling the drivers of the manufacturer and installing these generic drivers:
-on one of my computers, fujitsu LifeBook E752:
Built-in microphone is not recognized
the microphone plugged into the jack is well recognized and operational
-on the other computer, fujitsu LifeBook P702:
the 2 microphones, built-in and external, work properly
--> I realize that, in Winpe, it will not be possible to operate the built-in microphone of my E752
This may be the case on your computer too!
--> you must test your hardware with generic drivers if you want to know if you can use it in winpe
1-2- What worked in my Winpe V1903 and with my 2 computers
My observation: the microphone (according to the computer) works in winpe FullFlat
After a week of research, I identified this:
By adding in winpe the CamSrv service and the few files needed: the microphone works
files : CapabilityAccessManager.dll, CapabilityAccessManagerClient.dll
note: I read in a site that the volume level setting was not correct. I do not see that point.
For my part, the volume setting of the microphone proposed by "MMSYS.CPL" (booster/amplification, volume) satisfies me
Now I can use the microphone in Zoom with winpe...... hmmmmm....not useful
-
Enjoy your bluetooth :lol:
1- Some words about bluetooth architecture
the MS's bluetooth stack is not the only one ( i think so ). I use only MS's stack
"Devices" install/need OEM drivers and use many drivers of MS
Many types of device and protocols exist : so, i can't say "all devices are OK"
2- the list of elements to add in winpe depends on the base of winpe ( i use "my" builder ) and come "after"
3- the first step : The common elements ( drivers, files, registry )
They had been available for many weeks in my context.
But i was careful because the microphone in my bluetooth speaker didn't work in winpe although it worked in "winpe fullFlat"
Some things were not good or missing.
4 - Bluetooth and the microphone of my Sony SRS-XB10 speaker
Since I use this Bluetooth speaker, I notice that the microphone (hands free) does not work.
I thought the microphone malfunction with the generic audio drivers was related to the malfunction of the microphone in my speaker.
So I looked for both anomalies at the same time. But the two malfunctions are not related.
5- Over the course of my research around "microphone", I copied the "system\driverDataBase" keys from fullflat in winpe and "it works"
I kept looking and I identified this key change ( many weeks ! ) :
SYSTEM\DriverDatabase\DriverPackages\microsoft_bluetooth_hfp_ag.inf_amd64_5aa03f8938eb548b
SignScore - 8000000 - d000003
SYSTEM\DriverDatabase\DriverPackages\microsoft_bluetooth_hfp_hf.inf_amd64_149f09e994e553d1
SignScore - 8000000 - d000003
I don't have any information on the values of "SignerScore".
Note: I must add that I installed the bluetooth drivers in my winpe with "Dism /add-driver". This anomaly may not appear with another method of installing drivers.
6- warnings
And so I'm not in a position to know if this solution can be suitable for other Bluetooth devices
It seems bluetooth LE devices are not paired with Win32 API
-
Hi noelBlanc,
thanks for sharing your research with Microphone, BlueTooth
Your posts are very nice and understanding easy. :cheers:
I will try to follow your footsteps when I can find some free time. :thumbsup:
:turtle:
-
Hi Lancelot
Thank you for your interest in me. :worship:
For bluetooth:
I need a little time to explain how to integrate bluetooth into a winpe
And still a little time to make a list of the various elements.
And it will take time to make a script for winbuilder.
Time for containment....
In these simple cases of investigation (without windbg...), I say "thank you" to FullFlat!
:bike:
-
bonsoir noelBlanc
By adding in winpe the CamSrv service and the few files needed: the microphone works
files : CapabilityAccessManager.dll, CapabilityAccessManagerClient.dll
this is what was the difference .... :grin: :wink:
edit
tested with ree-sound-recorder & work :great:
Enjoy your bluetooth
not yet ... :undecided:
-
Hi,
some words about Winpe FullFlat.
The origin of "FullFlat":
I am not the originator of this environment. I am not the creator.
I use the information I found on the sites a few years ago that I do not find now.
In these sites, there was no name to describe the topic of discussion. Maybe 'ramos' but I'm not sure, it's too old.
Why the name "Winpe FullFlat"?
I haven't found a term that already exists and describes this "environment/tool."
And I wanted to use a name to differentiate this "environment/tool" from other notions that I never understood (because of my lack of skills!):
- "RamOs" described on Chinese sites
- "RamOs" used with WinBuilder in an "other" site.
All this led me to choose this name of "Winpe FullFlat"
What is that 'Winpe FullFlat'?
It is an environment for carrying out investigations, researches around internal mechanisms of 'winpe'.
It has no other use.
How is it built?
It is a complete installation of W10 "downgrade" in Winpe.
The use of a VHD allows you to benefit from the persistence of the files. And speeds up the changes.
A complete W10 installation: It's a long time! But all the files are present, the hives are complete.
The change to demote:
I describe it with some details in the attached file but it is very easy and carries on:
SAM, SECURITY, BCD, some files
Software and system: a little longer but not complex
For whom?
In my opinion, the population of winpe users is divided into several families:
- users who need an efficient, fast product, adapted to their job or their need to carry out maintenance operations
- the designers of these ready-to-use "winpe", the people who develop the scripts for WinBuilder or an equivalent
- "players" with no other purpose than to want to understand how to add an absent winpe feature (often unnecessary addition)
There is no hierarchy in this classification.
This is of course the few "players" who may find a relative interest in this test environment.
What's the point for me?
- identify the complexity of a potential addition to winpe
After building a "Winpe FullFlat," I quickly see features that will work in "Winpe" or that will be "easily" added (for example, those that are banned by an indicator like "SystemSetupInProgress")
This lets you know what "energy" you will need to deploy to try to achieve an addition.
For example, answering the following question:
Is it easy to add printers, the audio microphone with the generic drivers, bluetooth (in part)?
Since these features are operational in "Winpe FullFlat," then injecting them into winpe only requires time and patience.
We will simply have to identify the right elements. But there will be no software development as for "SendMessage 05BAh" or "WPD/MTP" or "lsm" (by NyaMisty in github.com/NyaMisty/PELSMHooker)
- perform the research by comparing/cutting/moving pieces of the OS
Once you know that a feature is operational in "Winpe FullFlat," you need to look for useful items (files, registries) and add to "Winpe"
To do this, you sometimes have to copy sets of keys and files from one environment to another.
It is possible to make these copies from a Windows10. But it is difficult to do the reverse test.
Is it useful? Can't we "work" differently and use the elements (files, hives) of windows10 normal?
Yes of course. But the security environment requires more competence than mine.
I have been using this environment/investigative method for years.
It seems easier to me not to have to look at whether the impossibility of an addition comes from the contexts "METRO/UWP" or from "Winpe's special security".
Is it easy to move items between "Winpe FullFlat" and "Winpe"?
There are a lot of pitfalls. Many BSODs occur if you are not a little used to juggling "necessary" or "mortal" drivers depending on the environment.
To conclude
It was while playing with "Winpe FullFlat" that I found how to use the printers, the bluetooth (partly!), the microphone (generic MS driver on compatible hardware)
I'm not trying to convince. It's just a sharing.
Ps: I only use Sysinternals or MS software, procmon, bcdedit, dism, windbg, etc., or PS scripts written as needed
-
Hi, noel
I got bluetooth worked with WimBuilder2's 20 lines batch code. :thumbsup:
I kept looking and I identified this key change ( many weeks ! ) :
SYSTEM\DriverDatabase\DriverPackages\microsoft_bluetooth_hfp_ag.inf_amd64_5aa03f8938eb548b
SignScore - 8000000 - d000003
SYSTEM\DriverDatabase\DriverPackages\microsoft_bluetooth_hfp_hf.inf_amd64_149f09e994e553d1
SignScore - 8000000 - d000003
I don't have any information on the values of "SignerScore".
As WimBuilder2 copied the install.wim's DRIVERS HIVE, It was 8000000 - d000003, so I don't do this.
I don't know why yours is different.
Bluetooth is very easy to add, as it just copy files and registry, no needs to modify some system dlls.
Thanks for sharing the information.
[attach=1]
[attach=2]
I just have smart phones and a Bluetooth speaker,
I can't test other devices.
-
@Slore : :great:
about "SignerScore" : i don't copy the DRIVERS hive from ISO. So i think it's why i need that.
about BTH-LE : i can't test because i dont own this device
Last week, with FullFlat, I played with "optionalFeature.exe" and tried to install "hyperV". But I can't save hives before the computer shuts down. I also added BITS to download files from the WEB. Yes, not useful. But I like BITS because I used it intensively when I worked, in my old job. Funny week !
-
Hi,
some words about Winpe FullFlat.
The origin of "FullFlat":
I guess:
Flat name come with none iso-wim boot :wink:
(not inside iso or wim, It is flat)
Full when you do not use ms official WinPE (boot.wim) with explorer etc.
and If you put Flat to Ram (eg. read all .vhd to ram first with a boot manager) instead of direct disk boot, It becomes "RamOS"
If it is WinPE --> "WinPE-RamOS" or "RamOS PE"
(there was Win98 RamOS :wink:)
In the past, It was easy to me test with FullFlat on a separate disk by using a Virtual ...
But now I have a very low time, I quickly build and figure out what is required ...
In my opinion, the population of winpe users is divided into several families:
My Real use: I only use once or twice (or more) a year for special cases on my single PC (no need network audio etc. to my real use)
at XP/2k3 times I was using a lot more frequently.
The rest of my interest is all curiosity at different levels. :cool:
*
Thanks to FullFlat.7z , nice to read :great:
:turtle:
-
@Lancelot
I'm glad to read you. Thank you.
I add a precision for "FullFlat": it does not use winpe, changes only a few hives and files. The starting point is really a "successful" installation of w10 (16GB !).
With your explanation, I understand better what I missed with "RAMOS":
you put Flat to Ram (for example read all .vhd to ram first with a boot manager) instead of direct disk boot
I don't know how to do that. I'll look for when winter comes.
But now I'm making a big break with winpe: it's time for me to go on the roads of France with a bike
-
I don't know how to do that. I'll look for when winter comes.
Long Story to short check this:
https://alychitech.com/windows-xp-in-ram-memory/
+
Easier to test with NT5 :wink: no 16 GB at all :lol:
on picture XPLite 412 MB :wink: = XP-RamOS
+
On Gena:
- we already use "WinVBlock_0.0.1.8-Dev-20110611" to have BootDI builds (Gena inside .img) = Gena-RamOS = WinPE1-RamOS (SystemDrive is disk ;))
(same method with https://alychitech.com/windows-xp-in-ram-memory/ only Gena is PE1)
- "WinVBlock_0.0.1.8-Dev-20110611" also make simple "CreateISO" builds (Gena inside .iso) boot by loading all .iso to memory = Gena-RamOS = WinPE1-- RamOS (SystemDrive is cd ;))
both Gena-RamOS (CreateISO and BootDI) lost popularity since .wim is smaller compared to disk image (WimBoot on Gena) :wink:
Summary: It is an old story :wink: and more info .... but I keep short now.
I am sure https://alychitech.com/windows-xp-in-ram-memory/ will quickly give you the big picture
After NT5 ms create vhd format and add support to get windows boot from vhd
which we were already doing with some drivers and .img with NT5 (XP/2k3) and Linux world already doing that.
+
A few years ago I had used WinNTSetup to create .vhd of Win7,
but not for Ramos only to boot on a separate disk image,
but It should be easy to boot all to Ram as far as I can remember ...
The same must be valid for Win10. First check WinNTSetup tool by JFX, JFX knows a lot on this subject.
But now I'm making a big break with winpe: it's time for me to go on the roads of France with a bike
I will be after you to have a big break a few days later. :great:
Have a nice Summer :bike:
:swimmer:
-
Hello
The 20h2 version brings little new stuff, other than Edge.
note: QuickAssist.exe is ok only in the "ADM" session
To occupy these days of rain and cold, I looked why PDB symbols are not accessible on the MS servers in the "SYSTEM" session.
This anomaly forces me to implement their recovery since the ADM session (waste of time).
Procmon.exe and Windbg.exe both use dbghelp.dll APIs. Both encounter this anomaly.
It took me a long time to find a lead. I used, in addition to procmon and windbg:
- the "network" tracks with netsh,
- fiddler to track HTTPS traffic and installed its "proxy server" (good tool but i use 1% of its feature)
I make a copy/paste of the method that allowed me to find the solution.
Context for my test: Winpe 20h2 in Flat mode in a vhd
Observation:
In Winpe's System session, the symbol files (".PDB") are not accessible in the MS Symbol Server
But they have been since the Administrator session.
The 3 software tested that cannot access the HTTPS MS Symbol Server: windbg, procmon64, symchk
First element of analysis: communication uses HTTPS protocol
The three offending programs (Windbg, Procmon64, Symchk) use Dbghelp.dll and Symsrv.dll
The Dbghelp.doc documentation (present in Windbg's directory) explains the possible course.
Symsrv.dll contains calls to HTTP API and WinInet, two different families.
First tests in the System session:
With a PS script, download a file via HTTPS: OK
With Edge: OK, visiting HTTPS sites succeeds without any problems, idem download
With "Bitsadmin.exe" /TRANSFER "test" /DOWNLOAD https://go.microsoft.com/fwlink/?linkid=2120254 "x:test" : OK
--->>> but do these programs use winhttp.dll?
With symchk.exe: failure!!!
"X:\Debugger\symchk.exe x:\debugger\symchk.exe /s srv*https://msdl.microsoft.com/download/symbols"
Complement to be expected: Take a test by writing a piece of code in C/C++ and using WinHttp.dll
Second element of analysis:
When I take a trace with Procmon64, I find that only the WinHTTP API is requested.
With IDA, it is now easier to identify the sequence of API calls.
I activate the network trace with:
"netsh trace start scenario=InternetClient capture=yes report=yes"
With Windbg, I observe the Symchk.exe program:
After putting breakpoints on important calls, I notice the error:0x800C2EE7 :thumbsup:
The use of the environment variable "set DBGHELP_LOG=X:dbghelp.log" confirms this error:
"
DBGHELP: new session: Mon Dec 7 18:45:50 2020
DBGHELP: _NT_SYMBOL_PATH: srv*https://msdl.microsoft.com/download/symbols
DBGHELP: Symbol Search Path: .;srv*https://msdl.microsoft.com/download/symbols
DBGHELP: Symbol Search Path: srv*https://msdl.microsoft.com/download/symbols
SYMSRV: BYINDEX: 0x1
https://msdl.microsoft.com/download/symbols
FLTMGR.SYS
5510C2C86f000
SYMSRV: UNC: X:\windows\TEMP\sym\FLTMGR.SYS\5510C2C86f000\FLTMGR.SYS - path not found
SYMSRV: UNC: X:\windows\TEMP\sym\FLTMGR.SYS\5510C2C86f000\FLTMGR.SY_ - path not found
SYMSRV: UNC: X:\windows\TEMP\sym\FLTMGR.SYS\5510C2C86f000\file.ptr - path not found
SYMSRV: WinHttp interface using proxy server: none
SYMSRV: HTTPGET: /download/symbols/index2.txt
SYMSRV: WinHttpSendRequest: 800C2EE7 - ERROR_WINHTTP_NAME_NOT_RESOLVED
SYMSRV: HTTPGET: /download/symbols/FLTMGR.SYS/5510C2C86f000/FLTMGR.SYS
SYMSRV: WinHttpSendRequest: 800C2EE7 - ERROR_WINHTTP_NAME_NOT_RESOLVED
SYMSRV: RESULT: 0x800C2EE7 :thumbsup:
"
My first idea: use Fiddler to see https traffic between Windbg/Symchk and MS Symbol Server
Two possibilities :
use Fiddler as "Proxy Server" and install it on a PC accessible from Winpe
Advantage: Avoid installing Fiddler on Winpe
or install Fiddler on Winpe and trace HTTPS traffic
disadvantage: install Fiddler on Winpe
Method "use Fiddler on winpe"
- Installation of Fiddler on winpe :
The installation program is 32bits: OK in my winpe build with my hand :grin:
This leads to a few surprises, including some that I had already noticed during the zoom installation:
The app's file installation directory:
"X:\Windows\SysWOW64\config\systemprofile\AppData\Local\Programs\Fiddler Everywhere" :ohmy:
- Fiddler configuration: you need to enable HTTPS decryption and enable "proxy server"
https://docs.telerik.com/fiddler/Configure-Fiddler/Tasks/TrustFiddlerRootCert
https://docs.telerik.com/fiddler/Configure-Fiddler/Tasks/MonitorRemoteMachine
- Redirecting HTTPS traffic to Fiddler's "proxy server"
We want to trace the windbg/symchk traffic that uses winhttp.dll
https://docs.telerik.com/fiddler/Configure-Fiddler/Tasks/ConfigureWinHTTPApp
"netsh winhttp set proxy 127.0.0.1:8866"
What changes:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings
ProxyEnable : dw 1
ProxyServer : sz 127.0.0.1:8866
Now that the observation tools are in place, I can launch "symchk.exe" to acquire a symbol file.
"X:\Debugger\symchk.exe x:\debugger\symchk.exe /s srv*https://msdl.microsoft.com/download/symbols"
And, Oh surprise, there is no error, the symbol file is actually downloaded from the MS Symbol Server. :embarrassed:
I've done various tests to check. It is the presence of the "proxy server" and perhaps the Certificate of Fiddler used for decoding that allows this download.
question: why and how to do without it?
Quickassist test: No Ok, so it's not the same problem
THE HTTPS traffic visible in Fiddler contains the following channel: "This function is not supported by the system"
So I didn't make any progress.
I remember that I didn't take the time to exploit the file of the network trace "x:\windows\temp\NetTrace.etl" :wink:
The format conversion from .ETL to .TXT introduces texts in the local language (Fr for me). And no need to create .TMF files :tongue:
But the main one remains understandable.
It contains:
"
- 0CD4.0D30::2020-12-09 13:33:27.883552300 [Microsoft-Windows-WebIO]0x24ADD2A8620 : =====Init Request===================
[0]0CD4.0D30::2020-12-09 13:33:27.883553300
[Microsoft-Windows-WebIO]0x24ADD2A8620 : CréerDemandeHttpWeb s’est terminé correctement. (Session 0x24ADD241980[0xFE00000020000001]) (Méthode GET) (URI https://msdl.microsoft.com/download/symbols/SymChk.pdb/F371EE66D4C70D7E1558DE921D7E36D11/SymChk.pdb) (Version 0x1.0x1) -> (Handle de demande 0xFD00000030000002)
- 0CD4.0D30::2020-12-09 13:33:27.883554900 [Microsoft-Windows-WebIO]0x24ADD2A8620 : WebSetHttpRequestInformationRoutine terminée avec succès. (Handle 0xFD00000030000002) (Indicateurs 0x80000000) (Routine d’informations 0x7FFCA6945B70) (Contexte d’informations 0x24ADD2CDA30)
[0]0708.0A2C::2020-12-09 13:33:28.288830300
[Microsoft-Windows-DNS-Client]La requête DNS a été envoyée au serveur DNS ff02::1:3 pour le nom symsrvbogusproxy et le type 1
"
Why searching "symsrvbogusproxy" in a DNS server ?
A search on the WEB gives:
https://microsoft.public.windbg.narkive.com/TPEDtmfW/using-symbol-server-symsrv-from-local-system-account
https://microsoft.public.windbg.narkive.com/rBkpB7ZF/6-6-3-5-symsrv-dll-doesn-t-work-without-using-a-winhttp-proxy-when-used-with-symproxy-dll
"Normally, symsrv uses the WinInet interface to grab symbols from the
internet. This interface provides rich support for credentialing through
proxies and protected web sites. When symsrv is run under a service, it
switches to using the WinHTTP interface. This interface does not have this
functionality. The reason for this is because normally when run from a
service, it is unmonitored by a user and sometimes it is impossible to
display UI. So hangs can occur unless I switch to the WinHTTP interface,
that does not have the same capabilities. WinHTTP is also able to run in a
multithreaded app such as the SymProxy ISAPI filter. WinInet is not able to
do this."
Of course, this is old information. But it certainly gives a lead that I don't understand yet.
The "symsrvbogusproxy" string is present in SymSrv.dll. :grin:
If I'm going to sum it up without a mistake --- i hope ---- :
In the "System" session :
- in the absence of Fiddler (! ), SymSrv.dll uses WinHTTP APIs.
But SymSrv.dll detects a "proxy server" that doesn't exist, and therefore fails.
- In the case where Fiddler's "proxy server" is present, SymSrv.dll detects this "proxy server" and therefore succeeds.
It seems to me that the key points for Winpe would be:
Which indicator makes SymSrv.dll switch to the WinHTTP APIs?
Which indicator triggers the detection of a "proxy server" that does not exist?
Searching with IDA in the disassembled code takes a long time... so I rely on my intuition and do the following test by adding this in winpe:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Symbol Server]
"NoInternetProxy"=dword:00000001
And bingo, it works! Procmon64 and SymChk now load symbols from the MS Symbol Server in the System session.
Now, viewing the "stack" procmon menu is easier in the "system" session
Well friendly
Noel
-
hi,
New Goal: Added SandBox in winpe
- inline mode with "optionalFeatures.exe"
- offline mode with Dism
SandBox is a FOD implemented with CBS
Some concepts and technical components implemented :
FOD - Features On demand
Uses the same tools and techniques as OS updates
CBS: a little-documented architecture (see the sites attached)
Hive "Components"
Keys HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing
WinSxs Directory
Keys HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\SideBySide\Winners
Service "trustedInstall"
TiWorker.exe
PoQexec.exe
WuAuServ service: allows you to pick up missing or altered items at MS
First phase: implementation of "optionalFeatures.exe" in winpe
A long series of captures/traces with procmon allows you to find the elements to add
It is also necessary to analyze the file "cbs.log"
Preparing a boot.wim file
I chose to copy the complete hive "components" of ISO in Winpe
After many attempts/corrections, the addition of Sandbox seems to become possible from "optionalFeatures.exe" in winpe.
Changes generated by CBS/TiWorker/PoqExec must now be captured
Second phase: captures changes
Some of the changes take place before the restart.
So we can make a backup of the 2 hives that winpe does not save
After the restart, the changes continue.
The pending.xml file describes these changes that the PoQexec.exe software must make.
But the poqexec.log file reports an error at the beginning of the program.
Failed!
I tried to turn winpe into a win10 by changing the usual keys (the opposite of Fullflat).
Same mistake of Poqexec
End of search with the "online" method.
-----------------
poqexec.log content
1d6e05a74cb568f: 0, 0, 0, 0, StartTime ;
1d6e05a74c8f43b: 27b, c0000428, 0, 0, onecore\base\wcp\tools\poqexec\poqexec.cpp, ValidateQueuedOps(635): ;
1d6e05a76e3c330: 0, 0, 0, 0, EndTime ;
NTSTATUS Values c0000428 :
The hash for image %hs cannot be found in the system catalogs. The image is likely corrupt or the victim of tampering.
With IDA, I look in the code and find:
ValidateQueuedOps :
call NtSetCachedSigningLevel
https://www.tiraniddo.dev/2020/02/dll-import-redirection-in-windows-10_8.html
----------------------------
Third phase: Dism "Offline"
I now have the elements that allow the installation of Sandbox "inline" with "optionalFeatures.exe"
These elements are correct for the CBS part because it is the "injection of changes" part that fails.
The idea is to add SandBox in offline mode with Dism because it avoids the activity of PoqExec.
The addition succeeds the first time : The drivers are present in the "system" hive. They were absent with the "inline" method
After the restart, I launch windowsSandbox.exe which displays the "absent hypervisor" error.
After many traces/log analysis, reading eventvwr.msc...
I come to understand that the Environment of SandBox is not complete.
IDA and Windbg allow me to find out how the hypervisor presence test is done.
It is the "CPUID" assembler "opcode" that brings up the information of the hypervisor in the "user" mode
Too long to describe.
The question now: who sets up the CPU? And when?
It must be winload.exe. A search with notepad shows strings with "hypervisor."
And the name of a file: hvloader.dll
The addition of all HV files (with their .mui) allows us to move forward.
The launch of windowsSandbox.exe shows another error (which I didn't notice).
Eventlog reports that services and drivers have not started.
Files for these drivers are missing in "CatRoot"
The addition of these files allows us to advance a little more.
DevMgr.msc reports that 2 devices are in error
vmbusr can't find winhvr.sys
vpcivsp.sys cannot find winhvr.sys
Eventlog also contains information about these errors.
New question: where does this winhvr.sys driver come from?
Winhv.sys and winhvr.sys files are not associated with an entry into the hive system.
In "fr" ISO the winhv.sys file is present in the Drivers directory
So I copy winhvr.sys in the Drivers directory
New test: now errors in devmgmt.msc for the 2 "system" devices have disappeared.
But windowsSandbox.exe displays the error 0x800706d9 "There are no more End Points available from the Endpoint mapper"
I see this:
- In a normal win10 with the SandBox addition, the firewall contains rules for the "HNS" service
These rules contain a "random" GUID: "HNS Container Networking - DNS (UDP-In) - A0F3D698-9D26-4CB0-AAEB-0C4502720716 - 0"
They exist on a machine with HyperV without Sandbox and with other GUID of course.
And there are none in my winpe.
- With the "En-Gb" version of my winpe, eventlog displays 2 errors:
"The Hyper-V Host Compute Service service depends on the following service: Wcifs. This service might not be installed.
The Container Manager service service depends on the following service: HvHost. This service might not be installed."
New questions:
Can there be a link between the 0x800706d9 error and the firewall? Who creates these rules? And when?
Why aren't these two services created with "Dism Offline"?
Well friendly
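An added example, not part of the original post: a PowerShell decoder for the poqexec.log lines quoted above. The field layout is an assumption inferred from those three lines: the first field decodes as a hex Windows FILETIME, the second (0x27b = 635) matches the source line in `ValidateQueuedOps(635)`, and the third is the NTSTATUS; the function name is hypothetical.

```powershell
# Constructed sample: the three poqexec.log lines quoted in the post above.
$sample = @'
1d6e05a74cb568f: 0, 0, 0, 0, StartTime ;
1d6e05a74c8f43b: 27b, c0000428, 0, 0, onecore\base\wcp\tools\poqexec\poqexec.cpp, ValidateQueuedOps(635): ;
1d6e05a76e3c330: 0, 0, 0, 0, EndTime ;
'@

# A few NTSTATUS names keyed by 8-digit upper-case hex (names from ntstatus.h); extend as needed.
$NtStatusName = @{
    '00000000' = 'STATUS_SUCCESS'
    'C0000022' = 'STATUS_ACCESS_DENIED'
    'C0000034' = 'STATUS_OBJECT_NAME_NOT_FOUND'
    'C0000428' = 'STATUS_INVALID_IMAGE_HASH'
}

function ConvertFrom-PoqexecLine {
    param([Parameter(Mandatory)][string]$Line)

    # Assumed layout: <hex FILETIME>: <hex source line>, <hex NTSTATUS>, <hex>, <hex>, <text> ;
    $pattern = '^\s*({0}):\s*({0}),\s*({0}),\s*({0}),\s*({0}),\s*(.*?)\s*;\s*$' -f '[0-9a-fA-F]+'
    if ($Line -notmatch $pattern) {
        return $null    # not a record in the assumed layout
    }

    $fileTime = [Convert]::ToInt64($Matches[1], 16)
    $srcLine  = [Convert]::ToInt32($Matches[2], 16)
    $status   = $Matches[3].ToUpperInvariant().PadLeft(8, '0')
    $detail   = $Matches[6]

    $name = '(not in table)'
    if ($NtStatusName.ContainsKey($status)) { $name = $NtStatusName[$status] }

    [pscustomobject]@{
        TimeUtc    = [DateTime]::FromFileTimeUtc($fileTime)
        SourceLine = $srcLine
        Status     = "0x$status"
        StatusName = $name
        # NTSTATUS severity lives in the top two bits; a top nibble of C..F means "error".
        Failed     = ($status -match '^[C-F]')
        Detail     = $detail
    }
}

$entries = $sample -split '\r?\n' |
    Where-Object { $_.Trim() } |
    ForEach-Object { ConvertFrom-PoqexecLine -Line $_ } |
    Where-Object { $_ }

$entries |
    Select-Object @{ n = 'TimeUtc'; e = { $_.TimeUtc.ToString('yyyy-MM-dd HH:mm:ss.fff') } },
                  SourceLine, Status, StatusName, Detail |
    Format-Table -AutoSize -Wrap

# Length of the poqexec run, taken from the StartTime and EndTime markers.
$start = $entries | Where-Object { $_.Detail -eq 'StartTime' } | Select-Object -First 1
$end   = $entries | Where-Object { $_.Detail -eq 'EndTime' }   | Select-Object -Last 1
if ($start -and $end) {
    'poqexec ran for {0:N2} s' -f ($end.TimeUtc - $start.TimeUtc).TotalSeconds
}

# Report every record whose status has error severity.
foreach ($e in ($entries | Where-Object { $_.Failed })) {
    '{0} {1} at source line {2}: {3}' -f $e.Status, $e.StatusName, $e.SourceLine, $e.Detail
}
```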
-
hi,
a new step ... But something not compatible as it says in the picture.
-
hi, it's been a long time....
Hi,
I don't advance much in my quest for Hyper in Winpe (and not the other way around).
Also, as Winpe's start times are quite long, I tried to understand the various origins of this delay.
Of course, finding and installing all devices takes time.
The reduction would require a selection of useful drivers. That's what WinTOGo does/did.
But what interests me a lot more is what happens in the next phase.
While loading devices (and ?), Winpe displays small dots rotating in the middle of the screen under the small window cut into 4 frames.
Then, on my old PCs, the screen stays black for about 30s.
It's this all-black screen that appeals to me. I kind of looked at why this is happening.
Reading the log files wpeinit.log and winpeshl.log gives information.
Different tests give different values but the order of magnitude is relatively constant.
I make a summary of the timeline:
14:45:33.731, winpeshl Beginning PNP initialization.
14:45:33.763, winpeshl Launching [wpeinit.exe]
14:45:43.566, winpeshl PNP initialization succeeded; terminating thread.
14:45:43.660, wpeinit No unattend file was found; WPEINIT is using default settings to initialize WinPE
"spent 9266ms initializing removable media before unattend search"
"spent 5062ms installing network components"
"spent 5891ms installing network drivers"
14:45:57.290, wpeinit Applying WinPE unattend settings
14:46:00.182, winpeshl Launching [cmd.exe /c start X:\Windows\explorer.exe]
-->> Wpeinit starts when the winpeshl's PNP Thread is finished !
-->> wpeinit is very long (17 or 19s)
-->> the screen stays black until explorer displays the desktop.
I've been looking at how to reduce these delays and how to display a "wallpaper" during these initializations.
A - first idea: the keys read by winpeshl.exe in "hklm\software\microsoft\windows nt\currentversion\winpe"
instRoot: what use?
CustomBackground: it seems to be talking about a wallpaper
DisableRemovableStorageInit: what use?
But I can't find any links on the MS doc
B - an analysis of winpeshl.exe with IDA
B-a - CustomBackground: name of an image file
If the image file exists, Winpeshl enters this new "wallpaper" in the winpe settings
with the API : SystemParametersInfoW and parameter : SPI_SETDESKWALLPAPER 0x14
Winpeshl.exe does nothing else with this image file
So it is, in my opinion, wallpaperHost.exe that would display this image if it were launched!
So this key is useless in my Winpe with "explorer"
An idea: write a piece of program that replaces a little wallpaperhost.exe and that would leave room to "explorer" then.
B-b - DisableRemovableStorageInit:
(from IDA) this key removes the call to WpeUtil.dll!WpeInitializeDriversOfClass
param: GUID_DEVCLASS_1394, GUID_DEVCLASS_ENUM1394, GUID_DEVCLASS_SBP2, GUID_DEVCLASS_USB
I used procmon to have another source of information and see a long job with ".inf"
My idea: The search for the presence and installation of such devices takes time
and is useful in cases I don't know about.
My test: create this value : DisableRemovableStorageInit = -1
The line "spent xxxxms initializing removable media before unattend search"
no longer appears in wpeinit.log
I checked that a USB key plugged in later is well recognized and readable
C - WinPE optional components: 3s
The keys can be prepared during the "build": no research.
D - "Spent 5062ms installing network components"
As I remain the only one to use "Winpe from ADK", I tell myself that I must gather all the "netcfg.exe"
and if possible inject the information during the "build"
Dism does not propose anything for this (if I understood everything)
The WinRe solution integrates its network building information
After some research, I focused on the keys:
System-network and system-networksetup2
My test: make a "snapshot" of these keys in my active winpe and drop them into the hive system for a next start
Result: there is no visible gain in wpeinit.log!
But it confirms that the "netcfg" commands are useless. Same thing when placing the associated services in ..\setup\allowstart (which avoids "net start"). So this simplifies the start-up script.
Control: Since this data includes "network cards/interfaces", I tested this modified Winpe on my second PC: OK
E - a bug? Drivers incompatible with KDNIC DEBUGGER ( bcdedit /debug on )
With the "old" drivers for my old PC ( e1c62x64.inf ) : no problem
With the new one (net1ic64.inf) automatically installed by winpe :
wpeinit (and, under it, drvinst) tries for 8 min (!) to install this driver without a good result
That's the real reason I'm looking why I get a black screen for so long.
Conclusion:
Visually, I don't see any improvement in start-up time.
The start-up script is simpler
The build script is bigger
Note: winpeshl.exe debug mode
winpeshl.exe offers 2 command-launch control logics:
If winpeshl.ini is present:
The launch of commands is not switchable
I did not check if "startnet.cmd" is launched
If winpeshl.ini is absent:
a "debug" mode is possible by pressing the CTRL button
it then launches "cmd.exe"
without pressing CTRL, it launches the first command found in the following order:
x:\$windows.~bt\sources\setup.exe
x:\setup.exe
x:\windows\system32\cmd /k startnet.cmd
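An added example, not part of the original post: a PowerShell script that turns the timeline summary above into gaps between logged events and compares them with wpeinit's self-reported "spent Nms" costs. The input layout is the summary format used in the post (an assumption; raw winpeshl.log and wpeinit.log lines carry more fields), and the function name is hypothetical.

```powershell
# Constructed sample: the timeline summary from the post above (not a raw log file).
$summary = @'
14:45:33.731, winpeshl Beginning PNP initialization.
14:45:33.763, winpeshl Launching [wpeinit.exe]
14:45:43.566, winpeshl PNP initialization succeeded; terminating thread.
14:45:43.660, wpeinit No unattend file was found; WPEINIT is using default settings to initialize WinPE
"spent 9266ms initializing removable media before unattend search"
"spent 5062ms installing network components"
"spent 5891ms installing network drivers"
14:45:57.290, wpeinit Applying WinPE unattend settings
14:46:00.182, winpeshl Launching [cmd.exe /c start X:\Windows\explorer.exe]
'@

function Get-BootTimeline {
    param([Parameter(Mandatory)][string]$Text)

    $events = @()
    $costs  = @()
    foreach ($line in ($Text -split '\r?\n')) {
        if ($line -match '^(\d{2}:\d{2}:\d{2}\.\d{3}),\s*(\S+)\s+(.+)$') {
            $source  = $Matches[2]
            $message = $Matches[3]
            $t = [TimeSpan]::Parse($Matches[1], [cultureinfo]::InvariantCulture)
            # The lines carry no date: a backward jump of more than 12 h means the
            # boot crossed midnight. Smaller backward steps are kept as logged.
            if ($events.Count -gt 0 -and ($events[-1].Time - $t).TotalHours -gt 12) {
                $t = $t.Add([TimeSpan]::FromDays(1))
            }
            $events += [pscustomobject]@{ Time = $t; Source = $source; Message = $message }
        }
        elseif ($line -match 'spent\s+(\d+)ms\s+(.+?)"?\s*$') {
            # wpeinit's own accounting; these lines have no timestamp in the summary.
            $costs += [pscustomobject]@{ Ms = [int]$Matches[1]; Step = $Matches[2] }
        }
    }

    # Time elapsed between each pair of consecutive timestamped events.
    $gaps = for ($i = 1; $i -lt $events.Count; $i++) {
        [pscustomobject]@{
            Seconds = [math]::Round(($events[$i].Time - $events[$i - 1].Time).TotalSeconds, 3)
            From    = '{0}: {1}' -f $events[$i - 1].Source, $events[$i - 1].Message
            To      = '{0}: {1}' -f $events[$i].Source, $events[$i].Message
        }
    }

    $total = 0
    if ($events.Count -gt 1) { $total = ($events[-1].Time - $events[0].Time).TotalSeconds }

    [pscustomobject]@{
        Events       = $events
        Gaps         = @($gaps)
        Costs        = $costs
        TotalSeconds = $total
    }
}

$r = Get-BootTimeline -Text $summary

'Gaps between logged events, longest first:'
$r.Gaps | Sort-Object Seconds -Descending | Format-Table Seconds, From, To -AutoSize -Wrap

'wpeinit self-reported costs, largest first:'
$r.Costs | Sort-Object Ms -Descending | Format-Table Ms, Step -AutoSize

$spent = 0
if ($r.Costs.Count -gt 0) { $spent = ($r.Costs | Measure-Object -Property Ms -Sum).Sum / 1000 }
'First to last event: {0:N3} s; self-reported "spent" total: {1:N3} s' -f $r.TotalSeconds, $spent
```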
-
hi,
Not long ago, I tested the WinRe-based version produced by Wimbuilder2 of Slore.
The WinRe-based version displays the mouse pointer (mouse cursor) as soon as the small rotating points disappear.
This prevents an all-black screen from being displayed for tens of seconds.
On my WinPe-based version, this mouse pointer display is missing and the screen stays black for too long.
This lack of display suggests that WinPe is "bad or hangs up".
I looked for where this difference came from and found this:
https://docs.microsoft.com/en-us/troubleshoot/mem/configmgr/no-mouse-cursor-during-osd-task-sequence
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
EnableCursorSuppression - 0 Mouse cursor is not suppressed
I also tried to replace the various commands "netcfg" to set up the network as does WinRe.
I didn't really understand the structure of the Network and NetworkSetup2 keys.
I will try to prepare them during the construction phase.
I also can't figure out how WinRe sets up the settings for the video
If anyone can give me any information, that would be nice.
-
Hi noelBlanc,
Sorry, too late. if I had known You were looking for visible mouse pointers at PE-startup (EnableCursorSuppression),
I would have loved to share the info with You, which can be found @ TheOven here:
Reply #16 on February 06, 2018, 07:56:03 PM by oxydw @ http://theoven.org/index.php?topic=2050.msg25838#msg25838
For a long time I have been following your efforts to get things going with great interest and respect. Thanks a lot for sharing.
In particular, I read your comments about Bluetooth very carefully, which helped me to integrate the M$ Bluetooth Subsystem into Win10PESE.
But at the moment the device pairing process doesn't work here.
I start the search process with "X:\Windows\System32\DevicePairingWizard.exe" on the command line
but it ends after a while without finding My bluetooth device that is nearby.
As is well known, this also works successfully in normal Windows in addition to the modern app options.
When I use NirSoft's bluetoothview.exe it shows My Bluetooth device but clicking on connect ends with error 10049.
So, I think it maybe has to do with the authorization of bluetooth devices or something. Do not know what is missing.
I also saw reply #226 by Slore in this topic but did not find info about the comment "I got bluetooth worked with WimBuilder2's 20 lines batch code."
in his packages WimBuilder2-Full.v202x-xx-xx.7z
May I ask you if You have come a little further with Your announcement from Your reply #223 in this topic regarding: "... integrate bluetooth ..."?
Or You have an idea how to get pairing working?
I use latest Win10PE_SE_2020-03-28.zip with source Win10 1809 DE x32 iso on host Win10 1909 pro x64.
Regards
-
hi HeyJoe
First, thank you very much for your good words. I am very honored, sincerely, because I am not a guru, just a perpetual novice who occupies my retirement time
i can't read english texts and i misunderstand very often what i read in official documentation like ones come from MS and others. My knowledge is limited. Sometimes i'm wrong but i don't know i'm wrong. And what is good in a winpe version is not necessary good in the next one.
I always try to explain how I found a feature or information (citing my sources, trace windbg...) because I'm sure the method is more important than the gross or raw result for some end users who can then adapt the method to their needs. And in this time of virus ("ransomware and co..."), my fear of using one program written by another takes on its full value. I use scripts (readable sources) or programs that don't work very well but that I write myself.
About Bluetooth, i just try in my 20h2 version:
- i can connect ( i use "my" exe to connect, device...wizard.exe : not ok !) to my headless device
- but i can't see it in the "sound panel".
Something is wrong in my work with this 20h2 version :confused: and :-(( :sad:
I didn't test it in the new versions because i'm lazy.
I'll search and write more later.
And i must begin with a test in "fullflat" ( a long time !)
Sorry.
-
Hi, Noel
The WinRe-based version displays the mouse pointer (mouse cursor) as soon as the small rotating points disappear.
call Winpeshl.exe will show the mouse cursor on booting, or change the registry item you found.
https://github.com/slorelee/wimbuilder2/blob/master/Projects/WIN10XPE/00-Configures/x-Account/Admin/SwitchToAdmin.bat
rem Enable Mouse Cursor (EnableCursorSuppression=0) or use Exec = Winpeshl.exe in PecmdAdmin.ini
reg add HKLM\Tmp_Software\Microsoft\Windows\CurrentVersion\Policies\System /v EnableCursorSuppression /t REG_DWORD /d 0 /f
This is in WIN10XPE's PecmdAdmin.ini for long time.
On my WinPe-based version, this mouse pointer display is missing and the screen stays black for too long.
I think yours had lots of devices need to load the 3rd party drivers.
Try to disable the Network feature on booting,
call winpeinit.exe, wpeutil.exe InitializeNetwork after the shell.
Maybe the black screen will be in shorter time.
You can check the winpeshl.log, wpeinit.log, INF\setupapi.dev.log to see which phase takes the boot time.
I didn't really understand the structure of the Network and NetworkSetup2 keys.
I don't understand, too. but if you remove the ms_pacer filter, the network tray icon will show the right status directly.
https://github.com/slorelee/wimbuilder2/blob/master/Projects/WIN10XPE/01-Components/02-Network/_networklist.bat
call RegCopy HKLM\System\ControlSet001\Control\NetworkSetup2\Filters
rem remove ms_pacer filter(QoS Packet Scheduler)
reg delete HKLM\Tmp_System\ControlSet001\Control\NetworkSetup2\Filters\{B5F4D659-7DAA-4565-8E41-BE220ED60542} /f
Winre.wim has the Narrator.exe (Read the screen information) by default, so the basic audio service is RUNNING.
No sets up the settings for that.
For video, you'd better to add display card driver, some dll files of Direct3D.
-
Hi, HeyJoe
I also saw reply #226 by Slore in this thread but did not found info about the comment "I got bluetooth worked with WimBuilder2's 20 lines batch code."
in his packages WimBuilder2-Full.v202x-xx-xx.7z
It is not released to the public so far, I committed it on gitee.com (the Chinese source repo service).
https://gitee.com/slorelee/wimbuilder2/blob/master/Projects/WIN10XPE/01-Components/Bluetooth/main.bat
It will be included in the next WimBuilder2-Full.v2021-03-03.7z package. You can download the main.bat and add it manually,
or change the source URL to gitee, and execute next command in Advance page.
call _updater --file Projects/WIN10XPE/01-Components/Bluetooth/main.bat
(The Bluetooth feature shows in the Developer Mode of WimBuilder2)
I tested this file list, and drivers for my smart phone device, it still works with Windows 20h2 source.
Next options are required:
1. full SOFTWARE hive
2. Devices And Printers - Printers
In the WinPE, you have to wait 10 minutes for the Control Panel\Devices And Printers to init,
then you can see your bluetooth device and click the Add new Device button to use DevicePairingWizard.exe to pair the device.
I don't have other Bluetooth device, I just tested with my smart phone.
-
Hi,
I test in "my" winpe and my bluetooth headless works well.
In the WinPE, you have to wait 10 minutes
I don't see this delay in "my" winpe". But it's true, i modify some prg and i don't remember which and why i do that.
But i think i modify deviceSetupManager.dll about this delay of 10 minutes. i write this somewhere in this "thread".
I notice that devicePairingWizard.exe takes a while to see a device. It's why I wrote my own program. Need some tests for me later.
-
@ Noel,
Your Reply #237 : I am thrilled when I see what effort You make. Take Your time.
I was looking for a useful solution regarding bluetooth issues myself for months.
And it seems to Me (thank to Slore's quick and friendly delivery of "..\01-Components\Bluetooth\main.bat")
it shines light on the tunnel.
@ Slore,
Many thanks for sharing. I copied and pasted Your "https://gitee.com/slorelee/wimbuilder2/blob/master/Projects/WIN10XPE/01-Components/Bluetooth/main.bat" and I am impressed by Your work. Now I go to evaluate Your code work and try to insert it somehow into my PE and to test it.
It will take some time then I'll report back.
Have a nice day everyone.
-
@ Noel,
don't worry about session system/admin... I am sure You will get it.
I applied Your fantastic ISO work. This file was servicing to Me very well (as expected !). Not only in virtual box but also with a machine which is a bit older (about 2005 or so). BTW, during testing I noticed that the machine is x64-capable (great :smile: I didn't care until then about its capability).
Your ISO is x64 v2009. I use x86 v1809 as I wrote. Using x86 is my intention because a lot of friends around Me use older machines (not all of these machines are x64 capable ones) that is completely sufficient they say, so they don't want renew. And so, I can assist them sometimes in repair tasks or other technical matters.
So, bluetooth now works.
What next? Maybe the often helpful M$ event logging system I saw You got working. Let's see.
Finally, I would like to thank you very much for your kind support.
@ Slore,
again big thank to You for "..\01-Components\Bluetooth\main.bat".
Strangely enough, only a few files and registry entries were missing.
Together with Noel's unbelievable effort it seems done for Me.
I'm really looking forward to your next announced compilation "WimBuilder2-Full.v2021-03-03.7z package"
@ Noel + @ Slore
You are great buddies.
Stay healthy and have a nice day everyone.
-
Hi,
because I am not allowed to edit My last post yet.
here is what I missed:
If,ExistFile,%Source_Sys%\btwdi.dll,Require_FileQ,btwdi.dll
Require_FileQ,PlayToDevice.dll
Require_FileQ,playtomenu.dll
Require_FileQ,PlayToReceiver.dll
Require_FileQ,PlayToStatusProvider.dll
Require_FileQ,dafAspInfraProvider.dll
Require_FileQ,DafDnsSd.dll
Require_FileQ,dafDockingProvider.dll
Require_FileQ,DafGip.dll
Require_FileQ,DAFIoT.dll
Require_FileQ,DAFIPP.dll
Require_FileQ,dafpos.dll
Require_FileQ,DafPrintProvider.dll
Require_FileQ,dafupnp.dll
Require_FileQ,dafWCN.dll
Require_FileQ,dafWfdProvider.dll
Require_FileQ,DAFWiProv.dll
Require_FileQ,DAFWSD.dll
Require_FileQ,QuickActionsDataModel.dll
Require_FileQ,irprops.cpl
Call,RegCopyKey,HKLM,Tmp_System\ControlSet001\Control\DevQuery
Call,RegCopyKey,HKLM,Tmp_System\ControlSet001\Control\mediaCategories
Call,RegCopyKey,HKLM,Tmp_System\ControlSet001\Control\mediaInterfaces
Call,RegCopyKey,HKLM,Tmp_System\ControlSet001\Services\DeviceAssociationBrokerSvc
Call,RegCopyKey,HKLM,Tmp_System\ControlSet001\Services\DeviceAssociationService
Call,RegCopyKey,HKLM,Tmp_System\ControlSet001\Services\SWENUM
Call,RegCopyKey,HKLM,Tmp_System\ControlSet001\WinSock
Call,RegCopyKey,HKLM,Tmp_System\ControlSet001\WinSock2
Many greetings from Germany to everyone in this impressive community.
-
HeyJoe,
Just a small tip about "file-copy" syntax to get it more compatible and easier to write :
Require,FileList,,My_List
//-
If,%BuildClass%,Equal,2,Begin
If,ExistFile,%Source_Sys%\btwdi.dll,Require_FileQ,btwdi.dll
End
//-
If,%BuildClass%,Equal,3,Require,FileList,,My_List_btwdi_dll
[My_List_btwdi_dll]
btwdi.dll
[My_List]
\Windows\System32\PlayToDevice.dll
\Windows\System32\playtomenu.dll
\Windows\System32\PlayToReceiver.dll
\Windows\System32\PlayToStatusProvider.dll
\Windows\System32\dafAspInfraProvider.dll
\Windows\System32\DafDnsSd.dll
\Windows\System32\dafDockingProvider.dll
\Windows\System32\DafGip.dll
\Windows\System32\DAFIoT.dll
\Windows\System32\DAFIPP.dll
\Windows\System32\dafpos.dll
\Windows\System32\DafPrintProvider.dll
\Windows\System32\dafupnp.dll
\Windows\System32\dafWCN.dll
\Windows\System32\dafWfdProvider.dll
\Windows\System32\DAFWiProv.dll
\Windows\System32\DAFWSD.dll
\Windows\System32\QuickActionsDataModel.dll
\Windows\System32\irprops.cpl
+ add mui files
:turtle:
Edit: fix codes and add notes, thanks to HeyJoe
-
Hi Lancelot,
Nice to see You around from time to time.
I am honored to receive a tip from You in spite of Your limited time to answer.
BTW: I mainly use buildclass 2 for coding.
So, "Require_FileQ,..." seems sufficient to Me. There is the advantage: You don't need to write down the * .mui files separately.
May I insert some example chars to Your example:
...
If,%BuildClass%,Equal,2,Begin
If,ExistFile,%Source_Sys%\btwdi.dll,Require_FileQ,btwdi.dll
End
[My_List]
\Windows\System32\PlayToDevice.dll
\Windows\System32\playtomenu.dll
...
\Windows\System32\??-??\PlayToDevice.dll.mui
\Windows\System32\??-??\playtomenu.dll.mui
See You
-
Thanks HeyJoe,
I become rusty ... fixed my previous post.
+
So, "Require_FileQ,..." seems sufficient to Me. There is the advantage: You don't need to write down the * .mui files separately.
Incompatibility comes with "If,ExistFile,%Source_Sys%\btwdi.dll" :wink: , Require_FileQ all compatible :thumbsup:
ps:
BuildClass3 - source not mounted not extracted, files extracted from install.wim --> If,ExistFile,%Source_Sys%\btwdi.dll always returns FALSE cause trouble... :wink:
so midway:
If,%BuildClass%,Equal,2,Begin
If,ExistFile,%Source_Sys%\btwdi.dll,Require_FileQ,btwdi.dll
End
If,%BuildClass%,Equal,3,Require,FileList,,My_List_btwdi_dll
Require_FileQ,PlayToDevice.dll
Require_FileQ,playtomenu.dll
Require_FileQ,PlayToReceiver.dll
Require_FileQ,PlayToStatusProvider.dll
Require_FileQ,dafAspInfraProvider.dll
Require_FileQ,DafDnsSd.dll
Require_FileQ,dafDockingProvider.dll
Require_FileQ,DafGip.dll
Require_FileQ,DAFIoT.dll
Require_FileQ,DAFIPP.dll
Require_FileQ,dafpos.dll
Require_FileQ,DafPrintProvider.dll
Require_FileQ,dafupnp.dll
Require_FileQ,dafWCN.dll
Require_FileQ,dafWfdProvider.dll
Require_FileQ,DAFWiProv.dll
Require_FileQ,DAFWSD.dll
Require_FileQ,QuickActionsDataModel.dll
Require_FileQ,irprops.cpl
Call,RegCopyKey,HKLM,Tmp_System\ControlSet001\Control\DevQuery
Call,RegCopyKey,HKLM,Tmp_System\ControlSet001\Control\mediaCategories
Call,RegCopyKey,HKLM,Tmp_System\ControlSet001\Control\mediaInterfaces
Call,RegCopyKey,HKLM,Tmp_System\ControlSet001\Services\DeviceAssociationBrokerSvc
Call,RegCopyKey,HKLM,Tmp_System\ControlSet001\Services\DeviceAssociationService
Call,RegCopyKey,HKLM,Tmp_System\ControlSet001\Services\SWENUM
Call,RegCopyKey,HKLM,Tmp_System\ControlSet001\WinSock
Call,RegCopyKey,HKLM,Tmp_System\ControlSet001\WinSock2
[My_List_btwdi_dll]
btwdi.dll
ps: Require,FileList do not give warning if file exists, Require_FileQ always give warning if file not extracted. That is the reason of writing that way (I ignore warning using Require,FileList ... )
It is quite easy to support BuildClass3 since syntax already compatible, but some logics like "If,ExistFile,%Source_Sys%.... " can not be compatible ......
tip: .mun files also automatic like .mui with Require_FileQ ......
ps: I can not remember if I made adjustments for Require,FileList + mui files, you need to test to see ....
Anyway, Keeping short, I do not want to interrupt MicroWinpeBuilder topic with current Bluetooth focus anymore :thumbsup:
As you see it is few lines to get BuildClass3 compatibility following simple logic which will be useful for your plugins ....
Have fun. :cheers:
:turtle:
-
@ Lancelot,
You rock! Thanks a lot.
BuildClass3 - source not mounted not extracted, files extracted from install.wim --> If,ExistFile,%Source_Sys%\btwdi.dll always returns FALSE cause trouble.
That's important point to Me: I always use extracted ISO since there is space a lot on hd.
Regarding compatibility I respect and stick to it.
Now continue with Bluetooth.
@ Noel,
Answering to Your latest PM so the interested public can follow.
I tested Your iso (unmodified by Me) in Virtual Box OK. Of course without BT hardware - just wanted to check whether iso is bootable. It is OK.
And tested also (Your iso written by rufus-3.13.exe on an usb3.0-stick) with a new HP-laptop Probook 470 G5 and an older desktop computer.
1.) My Laptop has inbuild BT-chip by Intel (c). Installed matching driver and voilà it's working OK.
2.) For that older (~ 2004 year) desktop computer I connected a v5.0 Bluetooth adapter to an usb2 port - let it boot OK -NO additional driver needed - voilà it's working OK.
Calling DevicePairingWizard.exe did the job each.
Similarly good result with Slore's WimBuilder2 compilation v.2021-01-01. After inserting downloaded "main.bat" to "..\Projects\WIN10XPE\01-Components\Bluetooth\" - did a build - wrote iso to usb3-stick - connected to machines one after another - same procedure - voilà it's working OK.
BTW. Using Slore's iso boot: In Windows control panel "Devices and Printers" all items take time about 10 mins to appear as Slore wrote. But Yours about secs :smile: that's a surprise to Me.
I wish i could find out the Bottleneck --> but no time in the moment because other things are more important: namely the completion of the bluetooth integration in My Win10PESE.
In this sense, take care and see you soon.
-
Hi HeyJoe,
Thank you for your return.
One point because i don't sure i well understand :
But Yours about secs
Do you want to say "with Noel's ISO, all items are visible in 10 seconds" or "Noel, with your ISO, all items take 10 minutes to be visible" ?
If it's the first point :
I don't remember the delay for this test in my VHD (because i'm looking for an other bug on "my" ISO).
If "my" is faster, i think it's because i modified DeviceSetupManager.dll for "DSMSVC" service. And if this point is good, i think Slore forgets to add the same modification. We worked on this bug a long time ago.
If it's the second : also a next work for me !
Take care !
PS : i hope i'll can bike in germany along the danau ( danube ) river in july....if virus died.
-
Hi,
"SharpPe" said to me that my ISO is not good with ADM session : he is right ! :thumbsup: And i'm too lazy ! :embarrassed:
I very rarely use the Winpe boot with an ISO file (in VM or CD/DVD).
And I don't do all the tests in this setup.
And of course, the 20H2 version (2009) that I had created with my script did not work for "adm".
The problem was common when the "ADM" login.
The service "profsvc" failed when reading the usrClass.dat file.
This anomaly only appears with a "boot on ISO."
In a Winpe Flat mode in VHD, this anomaly does not appear.
Of course, this detail has been known for a long time. But because I don't understand English well, I miss a lot of information.
http://theoven.org/index.php?topic=2390.msg34825#msg34825
Congratulations to ChrisR and Slore who found the solution a long time ago.
But I had not found their solution. So I searched with "procmon" for at least a day.
My initial observation:
session adm = Ok :                        session adm not Ok:
X:\windows\system32>set user              X:\windows\system32>set user
USERDOMAIN=MicroWinPe                     USERDOMAIN=MicroWinPe
USERDOMAIN_ROAMINGPROFILE=MicroWinPe      USERDOMAIN_ROAMINGPROFILE=MicroWinPe
USERNAME=Administrator                    USERNAME=System
USERPROFILE=x:\users\Administrator        USERPROFILE=x:\users\Temp
In case anyone is interested in the method I used to locate this anomaly, I attach an excerpt from the procmon capture file.
Of course, you have to take the time to look at the names that suggest the functions that appear in the stack.
That's why I'm glad to finally find a way to dispose of the debug symbols in the "system" session. One can of course take the trace "Procmon" in Winpe and analyze it in another Win10. But, for me, it is an additional constraint.
To return to "usrClass.dat" there are two possibilities:
- find such a file in a normal Windows 10
- or create it when building Winpe: it's my choice now.
For this, I mount the hive system of Winpe. Then I create a key in this hive. And I'm backing it up
with "reg.exe save" in a file I call "usrclass.dat." I file in the profile directory of ADM
I always have in mind the idea of continuing to provide a set of information and details so that everyone can build their own "Winpe".
This anomaly will find a place in my PDF.
In my opinion, the most important thing is to find the origin of this difference in Winpe behaviors according to the boot method.
Regarding the time it takes to open the ADM session in a VM:
variable, 30 to 60 seconds during a boot on ISO
about 5 seconds during a flat boot in a VHD
The peculiarity of a Winpe flat mode in a VHD is the persistence of files.
So you have to make the comparison by taking a capture "Procmon" during the first boot (which is not the case here). Also, it'll be a test for another day.
-
Hi Noel,
thank You for Your reply #248.
To clarify My comment a bit more:
I saw while testing with Noel's ISO --> after boot completed nearly all items are visible in just about 10 secs. (on SYSTEM session) - that is We can say "immediately" :)
Testing Slore's: about 10 mins to appear - but on ADM session.
BTW. I'm pretty sure Slore also did modifications in "DeviceSetupManager.dll" (in "spoolsv.exe" too) regarding unicoded text "SystemSetupInProgress".
So I guess that is not the reason for the different delays.
PS : i hope i'll be able to bike in Germany along the Donau (Danube) river in July....if virus died.
You Great fellow, very brave :thumbsup:
I wish you a lot of fun.
Stay healthy and have a nice day
-
Hi HeyJoe
:undecided:
Does this delay exist/occur for printers or only for Bluetooth devices?
I often mix up my information. My memory is not very good. I just reread some of my notes.
- SpoolSv.exe doesn't contain a string SystemSetupInProgress. I searched again with procexp64.exe from Sysinternals (select spoolsv.exe, double click, Strings tab).
And there is no such modification in my script.
- SpoolSv.exe contains a hardcoded value for a delay of 2 minutes (the delay between the start of the spooler service and the installation of the PDF/XPS printers).
I used IDA to locate this value 0x1D4C0 in spoolSv.exe.
- DeviceSetupManager.dll contains a string SystemSetupInProgress
- DeviceSetupManager.dll contains a hardcoded value for a delay of 10 minutes before devices are displayed in "devmgmt.msc".
I suppose this delay occurs for Bluetooth devices like it occurs for printers (I can't do this test actually).
You can check "your" 2 files with "fc.exe /b [iso]DeviceSetupManager.dll [winpe]DeviceSetupManager.dll". If they are identical, the modification is missing.
I'm sure you see the "SystemSetupInProgress" block of modification (some bytes stay identical in the string, so the string is not complete).
Perhaps you don't see a second small block of modification in this result.
I made this comparison and I don't see the second block for the value of the delay. But I'm not sure I took the right options when I built with wimbuilder2.
In my script, I used:
$oldBytes = ( 0xFF, 0xC6, 0x81, 0xFE, 0x20, 0x03, 0x00, 0x00 )   # ---> 0x320
$newBytes = ( 0xFF, 0xC6, 0x81, 0xFE, 0x01, 0x00, 0x00, 0x00 )   # ---> 1
(offsets change with versions, so my script doesn't use the offset notion for the "search and replace" logic)
Perhaps you need to select the "other good" option in WimBuilder2. Sometimes, dependencies between components are not well documented.
About delay "2minutes before install PDF/XPS printers" in Spooler :
SpoolSv.exe version Fr 10.0.19041.423
[offset IDA is from beginning of section , not from beginning of file !]
.text:0000000140027C7B ; ---------------------------------------------------------------------------
.text:0000000140027C7B
.text:0000000140027C7B loc_140027C7B: ; CODE XREF: PreInitializeRouter(SERVICE_STATUS_HANDLE__ *)+1D↑j
.text:0000000140027C7B mov [rax], rdi
.text:0000000140027C7E lea rax, off_140075338
.text:0000000140027C85 mov [rbx+8], rax
.text:0000000140027C89 call ?IsContainerOS@@YAHXZ ; IsContainerOS(void)
.text:0000000140027C8E test eax, eax
.text:0000000140027C90 jnz short loc_140027CAA
.text:0000000140027C92 mov rcx, cs:?hPhase2Init@@3PEAXEA ; hHandle
.text:0000000140027C99 >>>>>>> mov edx, 1D4C0h ; -------------->>>>>>>>>>>>>>>>>>> dwMilliseconds
.text:0000000140027C9E call cs:__imp_WaitForSingleObject
.text:0000000140027CA5 nop dword ptr [rax+rax+00h]
.text:0000000140027CAA
.text:0000000140027CAA loc_140027CAA: ; CODE XREF: PreInitializeRouter(SERVICE_STATUS_HANDLE__ *)+40↑j
.text:0000000140027CAA cmp cs:?g_bNoPrintersMode@@3_NA, 0 ; bool g_bNoPrintersMode
.text:0000000140027CB1 jz short loc_140027CE8
.text:0000000140027CB3 mov rcx, cs:WPP_GLOBAL_Control
.text:0000000140027CBA lea rax, WPP_GLOBAL_Control
.text:0000000140027CC1 cmp rcx, rax
.text:0000000140027CC4 jz short loc_140027CE1
.text:0000000140027CC6 test byte ptr [rcx+44h], 2
.text:0000000140027CCA jz short loc_140027CE1
.text:0000000140027CCC mov rcx, [rcx+38h]
.text:0000000140027CD0 lea r8, WPP_b7011c64eaec36f58e65b126635153ea_Traceguids
.text:0000000140027CD7 mov edx, 1Bh
.text:0000000140027CDC call WPP_SF_
------ 1D4C0h ; dwMilliseconds -> C0 D4 01 00
0000000140027C60 00 00 E8 19 A5 FD FF 48 8B D8 48 85 C0 75 0C 48
0000000140027C70 8B 5C 24 30 48 83 C4 20 5F C3 CC 48 89 38 48 8D
0000000140027C80 05 B3 D6 04 00 48 89 43 08 E8 F6 AF FE FF 85 C0
0000000140027C90 75 18 48 8B 0D C7 72 08 00 BA C0 D4 01 00 48 FF <--- C0 D4 01 00
0000000140027CA0 15 B3 75 06 00 0F 1F 44 00 00 80 3D CF 5A 08 00
0000000140027CB0 00 74 35 48 8B 0D 3E 56 08 00 48 8D 05 37 56 08
0000000140027CC0 00 48 3B C8 74 1B F6 41 44 02 74 15 48 8B 49 38
Old : 75 18 48 8B 0D C7 72 08 00 BA C0 D4 01 00 48 FF ------------>> 2 minutes
New : 75 18 48 8B 0D C7 72 08 00 BA 10 00 00 00 48 FF ------------>> 10 ms
Because I search for the bytes in the file, I don't need the offset. If I find many signatures, I need to try another logic. But, at this time, this logic works for me.
Best regards
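The post above searches for a byte series instead of a fixed offset and notes that finding several signatures would need another logic. The PowerShell sketch below is an added example, not part of Noel's script or of WimBuilder2: it counts every occurrence first, patches only when the series is found exactly once, and then lists the changed bytes in the style of fc /b. The function names, the ".bak" suffix and the sample bytes are assumptions; only the spooler byte series comes from the Old/New lines of the post.

```powershell
# Added example (not from the thread's scripts). Offsets are FILE offsets,
# not the IDA addresses shown in the listing above.

function ConvertFrom-HexString {
    # 'C0 D4 01 00' -> byte[]; same notation as the dumps in the post.
    param([string]$Hex)
    $bytes = [byte[]]($Hex.Trim() -split '\s+' | ForEach-Object { [Convert]::ToByte($_, 16) })
    return ,$bytes
}

function Find-BytePattern {
    # Return the file offset of every occurrence of $Pattern in $Data.
    param([byte[]]$Data, [byte[]]$Pattern)
    $hits = New-Object 'System.Collections.Generic.List[int]'
    for ($i = 0; $i -le $Data.Length - $Pattern.Length; $i++) {
        $found = $true
        for ($j = 0; $j -lt $Pattern.Length; $j++) {
            if ($Data[$i + $j] -ne $Pattern[$j]) { $found = $false; break }
        }
        if ($found) { $hits.Add($i) }
    }
    return ,$hits.ToArray()
}

function Set-UniqueBytePatch {
    # Patch in place only when the old series occurs exactly once.
    # $Path must be a full path (.NET ignores the PowerShell location).
    param([string]$Path, [byte[]]$OldBytes, [byte[]]$NewBytes)

    if ($OldBytes.Length -ne $NewBytes.Length) {
        throw 'Old and new series must have the same length.'
    }
    $data = [System.IO.File]::ReadAllBytes($Path)
    $hits = Find-BytePattern -Data $data -Pattern $OldBytes
    $result = [pscustomobject]@{
        File    = $Path
        Matches = $hits.Length
        Offsets = @($hits | ForEach-Object { '0x{0:X8}' -f $_ })
        Patched = $false
        Changed = @()
    }
    # 0 hits: other build or already patched. More than 1: series too short.
    if ($hits.Length -ne 1) { return $result }

    $backup = "$Path.bak"      # hypothetical suffix for the untouched copy
    if (-not (Test-Path -LiteralPath $backup)) {
        Copy-Item -LiteralPath $Path -Destination $backup
    }
    [Array]::Copy($NewBytes, 0, $data, $hits[0], $NewBytes.Length)
    [System.IO.File]::WriteAllBytes($Path, $data)

    # Re-read both files and list differences as "offset: old new", like fc /b.
    $before = [System.IO.File]::ReadAllBytes($backup)
    $after  = [System.IO.File]::ReadAllBytes($Path)
    $diff = for ($k = 0; $k -lt $after.Length; $k++) {
        if ($before[$k] -ne $after[$k]) {
            '{0:X8}: {1:X2} {2:X2}' -f $k, $before[$k], $after[$k]
        }
    }
    $result.Patched = $true
    $result.Changed = @($diff)
    return $result
}

# --- Demo on constructed bytes (not a real spoolsv.exe) ---------------------
# C0 D4 01 00 appears three times; only one occurrence is followed by 48 FF.
$hex  = '90 90 C0 D4 01 00 FF 35 75 18 BA C0 D4 01 00 48 FF 15 CC C0 D4 01 00 00 00'
$file = Join-Path ([System.IO.Path]::GetTempPath()) 'patch-demo.bin'
Remove-Item -LiteralPath "$file.bak" -ErrorAction SilentlyContinue
[System.IO.File]::WriteAllBytes($file, (ConvertFrom-HexString $hex))

# 4-byte series: ambiguous, so the file is left untouched.
$short = Set-UniqueBytePatch -Path $file `
    -OldBytes (ConvertFrom-HexString 'C0 D4 01 00') `
    -NewBytes (ConvertFrom-HexString '10 00 00 00')

# 6-byte series taken from the Old/New lines of the post: unique, so it is applied.
$long = Set-UniqueBytePatch -Path $file `
    -OldBytes (ConvertFrom-HexString 'C0 D4 01 00 48 FF') `
    -NewBytes (ConvertFrom-HexString '10 00 00 00 48 FF')

$short, $long | Format-List Matches, Offsets, Patched, Changed
```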
-
Hi Noel,
Will give You more info tomorrow - have to go to sleep because day is about to end. :sad:
Juste tellement pour le moment:
Just so much right now:
Does this delay exist/occur for printers or only for Bluetooth devices?
Printers (pdf fax xps) have ~120 secs. delay. ~ 10 sec. to show up in panel "Devices and Printers"
My BT device appears immediately after I plugged it in and ready to connect.
Regards.
-
Hi Noel,
I quickly add ...
My BT device appears immediately after I plugged it in and ready to connect.
My BT device appears immediately after I plugged it in and ready to connect. -- > I plug it in directly after boot is completed, that is explorer has just started.
Regards.
-
Hi HeyJoe
I think you want to say "Seulement ceci pour le moment: blabla". I appreciate you try the french language.
And i understand that many people must reorganise the words of my sentences when i write in English ( even with a translator because i don't really know if the translation is good or not).
have to go to sleep because day is about to end.
It seems to me that you're going to sleep when the sun rises (if hours in the reply text are good)
About the delay "2minutes before Spooler installs PDF/XPS printers": I searched and found the way to stop this delay. I shared with Slore. And i think Slore added or will add in his Wimbuilder2.
But I didn't put that "stop delay" in "my" ISO that you got because I'm very lazy and I worked on Sandbox/HyperV inside Winpe (not winpe in HyperV/sandbox, and I know it's not useful and Linux is better!) and with irfanview for a scanner.
For Bluetooth devices, there are so many devices with many features/goals/usages that it's complex to "see" all cases. It's like printers or scanners. It's difficult to test all devices. The test I made last week showed me that for my BT "Headphones" (I sometimes wrote "headless") the pairing wizard didn't find/show it quickly. But I'm happy if it's good for you with winpeSE/winpeXPE.
Best regards
-
Hi Noel,
I hope the Google-translated "Seulement ceci pour le moment..." is good English, "Only this for now..."; that is because it was really late in the evening. I wrote French words just because I wanted to be friendly.
It seems to me that you're going to sleep when the sun rises (if hours in the reply text are good)
Yes. Almost right. :smile:
Back to Your Reply #251 :
You are right, in 20H2en x64 (v.2009 build 19042.631) which You applied as source to build the iso file from (which I was allowed to download - again thx a lot for this):
1.: the spooler "SpoolSv.exe" does not contain no string "SystemSetupInProgress" at all.
So, does it mean that We do not need changed registry key "HKLM\System\setup\SystemSetupInProgress" value from 1 to 0
before start spooler (and back later) anymore in version 20H2 and above ?
Please remember: I am not about to check by Myself because I use v.1809 x86 de (sufficient to Me for now and later...
let's see).
2.: the spooler "SpoolSv.exe" does contain hex string "75 18 48 8B 0D C7 72 08 00 BA C0 D4 01 00 48 FF" = 120000 ms.
not 10 ms (if I understood you correctly) - but still the things in "Devices and Printer" panel show up immediately ? I would
expect two minutes ? Please see today's edit in Reply #252
3.: in "DeviceSetupManager.dll" We can find zero separated string "SystemSetupInProgress"--> saw changed initial letter S to T.
That's for now. See You.
Have a nice day.
PS. Note: mentioned files I extracted from Your iso file. So, check files content was made offline.
-
Hi, HeyJoe
1.: the spooler "SpoolSv.exe" does not contain no string "SystemSetupInProgress" at all.
So, does it mean that We do not need changed registry key "HKLM\System\setup\SystemSetupInProgress" value from 1 to 0
before start spooler (and back later) anymore in version 20H2 and above ?
No. It is the opposite. Before 20H2, we could change the "SystemSetupInProgress" string to another one, so the spoolsv service could start without changing the registry key.
Now it is not in spoolsv.exe, so we have to change the key's value from 1 to 0.
I shared with Slore. And i think Slore added or will add in his Wimbuilder2.
"E:\WimBuilder2\Projects\WIN10XPE\01-Components\Devices and Printers\last.bat"
rem DsmSvc Patch Feature
binmay.exe -u "%X_SYS%\DeviceSetupManager.dll" -s u:SystemSetupInProgress -r u:DisableDeviceSetupMgr
fc /b "%X_SYS%\DeviceSetupManager.dll.org" "%X_SYS%\DeviceSetupManager.dll"
del /f /q "%X_SYS%\DeviceSetupManager.dll.org"
rem Remove 2 minute delay for printers
binmay.exe -u "%X_SYS%\spoolsv.exe" -s "C0 D4 01 00 48 FF" -r "10 00 00 00 48 FF"
fc /b "%X_SYS%\spoolsv.exe.org" "%X_SYS%\spoolsv.exe"
del /f /q "%X_SYS%\spoolsv.exe.org"
Yes, it has been in my WimBuilder2 for months, but as Microsoft changed the 'SystemSetupInProgress' in spoolsv.exe,
I hesitate to commit it to GitHub (which belongs to Microsoft).
Would it be harder to patch for the next version?
"E:\WimBuilder2\Projects\WIN10XPE\01-Components\Devices and Printers\_printer.bat"
rem update spoolsv.exe binary
binmay.exe -u "%X_SYS%\spoolsv.exe" -s u:SystemSetupInProgress -r u:DisableSpoolsvInWinPE
fc /b "%X_SYS%\spoolsv.exe.org" "%X_SYS%\spoolsv.exe"
del /f /q "%X_SYS%\spoolsv.exe.org"
Anyway, I share the batch code here. If someone needs the printer feature, they can add a custom patch to WimBuilder2 by themselves.
-
Hi Slore,
nice to hear from You. Thanks for clarifying. Great. Will test it out once more.
I saw in mentioned *.bat the two binmay'd files regarding "S.S.I.P."
but sorry not "Remove 2 minute delay for printers". Now I know. Thank You and Noel for all Your nice feedback.
Regards.
-
@ Slore + Noel
sorry, didn't find hex pattern "C0 D4 01 00 48 FF" neither in "spoolsv.exe" nor "DeviceSetupManager.dll" to remove 2 mins. delay.
on panel "Devices and Printers" - files were extracted from My iso file - My source: v1809 x86
It would be nice to have all items in My winpe_se build iso faster visible, but for now it is more important to Me: bluetooth plugin
works OK. The next step is to clean up plugin itself and the plugins involved.
You rock. Have a nice day.
Regards.
Another info: --> OK. Found three times "C0 D4 01 00" in spoolsv.exe. Trying to find out which one is it.
-
Oh, the code is for x64. For x86 needs a byte to make it be unique. I think it is the second one.
-
Hi HeyJoe
Small tip/hand: Here are some ready lines for binmay (taken from other plugins slightly modified, not tested but I believe all will work fine .... )
If,Not,ExistFile,%ProjectTemp%\binmay_M\HostOS\binmay.exe,Run,%ScriptFile%,binmay_Ready
//-
If,Not,ExistFile,%Target_Sys%\DeviceSetupManager_Original.dll,FileCopy,%Target_Sys%\DeviceSetupManager.dll,%Target_Sys%\DeviceSetupManager_Original.dll
If,ExistFile,%Target_Sys%\DeviceSetupManager_org.dll,Call,FileDelete,%Target_Sys%\DeviceSetupManager_org.dll
FileRename,%Target_Sys%\DeviceSetupManager.dll,%Target_Sys%\DeviceSetupManager_org.dll
ShellExecute,Hide,%ProjectTemp%\binmay_M\HostOS\binmay.exe,"-i #$q%Target_Sys%\DeviceSetupManager_org.dll#$q -o #$q%Target_Sys%\DeviceSetupManager.dll#$q -s #$q5C004D0069006E0069004E0054000000#$q -r #$q5C004E0069006E0069004E0054000000#$q"
Call,FileDelete,%Target_Sys%\DeviceSetupManager_org.dll
FileCopy,%Target_Sys%\DeviceSetupManager.dll,%Target_Sys%\DeviceSetupManager_Patched.dll
//-
Retrieve,Md5,%Target_Sys%\DeviceSetupManager_Original.dll,%Md5_Before_DeviceSetupManager_dll%
Retrieve,Md5,%Target_Sys%\DeviceSetupManager_Patched.dll,%Md5_After_DeviceSetupManager_dll%
If,%Md5_Before_DeviceSetupManager_dll%,Equal,%Md5_After_DeviceSetupManager_dll%,Call,Echo,"Error: MD5 unchanged - DeviceSetupManager.dll Patch do NOT work",Warn,,MessageError,10
[binmay_Ready]
If,ExistFile,%ProjectDir%\Utils\Utils_Tools_001.Script,Run,%ProjectDir%\Utils\Utils_Tools_001.Script,Extract_binmay,%ProjectDir%\Utils\Utils_Tools_001.Script
Else,Begin
If,Not,ExistFile,%BaseDir%\Projects\Yomi\UtilsY\Utils_Tools_001.Script,Call,Download,%BaseDir%\Projects\Yomi\UtilsY\Utils_Tools_001.Script,http://yomi.cwcodes.net/Yomi/UtilsY/Utils_Tools_001.Script
If,ExistFile,%BaseDir%\Projects\Yomi\UtilsY\Utils_Tools_001.Script,Run,%BaseDir%\Projects\Yomi\UtilsY\Utils_Tools_001.Script,Extract_binmay,%BaseDir%\Projects\Yomi\UtilsY\Utils_Tools_001.Script
End
If,Not,ExistFile,%ProjectTemp%\binmay_M\HostOS\binmay.exe,Call,Echo,"Halt: Can not get binmay.exe Ready.",Warn,,MessageError,,Halt
When the unique byte is found, change the binmay.exe patch line
ShellExecute,Hide,%ProjectTemp%\binmay_M\HostOS\binmay.exe ......
(current line is from RDC plugin :lol: )
:turtle:
-
Hi,
Too complex for me because of my poor English...
Two or three years ago, maybe more, I had been looking at how to install printers and scanners.
Recently, I retested with my scan because I was asked about it.
In my PDF document, I said that part of the installation required a "manual" intervention.
I meant that action was needed after the drivers were installed to scan.
This prompted me to look for why there was this "manual" step.
And today I finally found the key to this mystery.
My PS script was missing a value to activate the installation of the elements of the "stillimage" class (sti_ci.dll was not activated).
On the attached image, I use the wiaacmgr.exe windows software and I did a "preview" with the scan.
But I don't have the assurance that it will work for other scanners. I only have one.
If I had a more modern scan, I'd like to look at how to use WSD scan that I don't know at all.
https://docs.microsoft.com/en-us/windows-hardware/drivers/image/installing-a-wia-scanner-driver-with-wsd
By the way, I made a point about the modification of FbWF.sys (ramdisk).
There have been changes at MS regarding the parameters of the signature tool. But it amused me (like a child!).
There is no point in using the standard winpe driver. I know!
But it makes me happy to know that I can still do this kind of pirouette.
Don't forget to modify the BCDfile with "TESTSIGNING ON" :wink:
To go back to the scan, it is difficult for me to propose a script/plugin for winbuilder because I am unable.
And I don't want to invest time in that learning.
I'm going to resume my testing with HyperV and SandBox. It's a lot more fun for me.
For now, I managed to add these 2 FOD (features on demand) with "DISM /add-package".
I was also able to add these 2 FODs to the Winpe FullFlat environment. But no HyperV yet.
And that's where I am.
I also add a new version of my scripts in the first page ( a backup for me )
-
@ Slore,
Your reply #259
Oh, the code is for x64. For x86 needs a byte to make it be unique. I think it is the second one.
Thanks for the right tip (C0 D4 01 00 FF 35). It leads print spooler more quickly to be "ready for operation" (tested via notepad).
But sorry, it does not lead to more quickly visible elements in panel "Devices and Printers" which stay "install in progress" at about 10 minutes. I guess there must be something else.
I tested v.1809 x86 with Vbox.
Edited :
pic "InProgress.png" --> some secs after explorer start
pic "PrgressFinished.png" --> ~ 6-10 mins later (depending on power of machine).
Regards.
-
@ Lancelot,
Your reply #260
Many thanks for tip.
Small tip/hand: Here are some ready lines for binmay (taken from other plugins slightly modified, not tested but I believe all will work fine .... )
It works.
Have a nice day.
-
Hi HeyJoe
Don't forget my poor English... I can misunderstand what your needs are.
it does not lead to more quickly visible elements in panel "Devices and Printers" which stay "install in progress" at about 10 minutes
In post 237, I explain how I found how to suppress this delay (but I can't find the origin).
I modify DeviceSetupManager.dll (DSMSVC).
Because x86 is not my friend (parameters on the stack are not in the same place, usage of BP is different...), I can't play with it. Perhaps Slore modifies it in his tool Wimbuilder2 for x86.
Hope this helps you.
Some thing else without link. I try to play with FBWF.SYS and i modify this driver. Now i can get a size 2GB for the RAMDISK in the case of boot on ISO(DVD, VM). I tried this ISO boot ONLY because I'm trying to help a person who can't use VHD. For me (only for me), it's not a good environment and I "never" test it. Because winpe detects that the binary code is modified, I need to use "testsigning" in the BCD for MBR and I must also disable "Secure Boot" on an EFI computer. Contrary to what I've read on a site, the "NoIntegrityChecks" parameter of the BCD has no impact on the EFI boot when fbwf.sys is binary modified. I think the concept of "integrity of control" is different from the concept of "driver signature". If anyone can explain to me....in French...
-
About the scanner... I forgot to document the missing key (in my context):
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{6bdd1fc6-810f-11d0-bec7-08002be2092f}]
"Installer32"="sti_ci.dll,ClassInstall"
I hope Slore can add in his WimBuilder2 tool.
-
Hi noelBlanc,
Some thing else without link. I try to play with FBWF.SYS and i modify this driver. Now i can get a size 2GB for the RAMDISK
Some minor info :
1)
If you do real test with increased FBWF you may see it can not use all free space as it writes.
Real Test eg : Try to copy 2GB of files (eg. pictures) to X:\Test\ :wink:
2)
People prefer big FBWF size to install and test some software * that requires big free space at X: (at X:\Program Files\ )
software * : I can not remember an example now.
Have fun :bike:
:turtle:
-
Some thing else without link. I try to play with FBWF.SYS and i modify this driver. Now i can get a size 2GB for the RAMDISK in the case of boot on ISO(DVD, VM).
For the origin Windows 10's fbwf.sys driver,
reg add HKLM\Tmp_System\ControlSet001\Services\FBWF /v WinPECacheThreshold /t REG_DWORD /d 4095 /f
You will get 4GB ramdisk of X drive without modifying the fbwf.sys.
If you use WES 8.1's fbwf.sys, you can use fwbf.cfg to use 8G/16GB/../128GB ramdisk.
WES8.1 is better than Windows 10's fbwf.sys.
* It supports symbol link, mklink command can link file/folder to X:\.
* No needs twice memory for copy big file to X:\.
But it is not good with Administrator's profile folder for 20H1 and later.
For the fbwf.cfg, you can see:
"Z:\WimBuilder2\Projects\WIN10XPE\00-Configures\System\"
-
In future, I will use your file list/registry items to make next patch.
Devices and Printers\
_printer.bat
_bluetooth.bat
_scanner.bat
I don't have any scanner, so I can't test if it works.
:sad: I can't get the pdb files from the MS symbol server, so it will take a long time for me to remove the 10 minutes delay for x86 systems.
I'm quite busy this month. The improvement/update of 0303_Dev will be released with the [Update] button. The full WimBuilder2 package will be released on 2021.04.04.
-
@Lancelot and @Slore : thank you for all these details that I did not know about Fbwf.
My goal with FBWF: Use a driver's signature process once again, not using the fbwf ;-))
I only use winpe in a VHD, not ISO/DVD/RAMDISK : it's not a good environment for my "research".
In my big VHD, I can add all I want (files and even programs). All files stay in place. The same goes for programs, but it's too complex for many people (I explain on this site how to save and modify the 2 hives). So, really, I don't understand why people still use ISO/DVD. But it's true, I'm not a worker, I've been retired for a long time.
If comes the day when I can't use IDA and Windbg, then I'll stay in bed and wait until the last day. Winpe is only the way for me to use my mind with IDA and Windbg.
Somewhere on this site, I read the word "competition". Because I can't understand all the ideas and intentions behind the text, I'm surprised: I try to share, only to share. But I can't explain ... because of my poor English!
@ Slore : I sent you a list about eventlog. I know you are busy,...only to know if you received it.
I'm happy, I ran 45 minutes today. A real competition...against my old body!
Have a good day.
-
Hi Noel,
Don't forget my poor english... i can misunderstand what are your need.
Don't worry. Your posts are clearly and well understandable.
Even if only after reading it 2 or more times
I also often use the translator by big G. in the hope of clear translation of what I want to say.
... at about 10 minutes
...
In Posts: 237, i explain how i find how to suppress this delay (but i can't find the origine).
I modify DeviceSetupManager.dll (DSMSVC).
Observations:
While checking x64 hex dump I found pattern "20 03 00 00" modified to "01 00 00 00".
This change apparently ensures that the elements in the "Devices and Printers" panel of your running ISO are immediately visible as they should look.
Assuming this is on purpose and has to do with timings of service DSMSVC, I inspected the x86 version.
I found the same pattern twice and chose the second one to modify. (First resulted in no booting of iso file).
Results while testing in Vbox:
The elements in the "Devices and Printers" panel were actually immediately visible as they should look.
But now there are many problems:
First of all, the Vbox drivers no longer work properly at all. Ex.: mouse catcher, graphics, VirtualBox Windows Guest driver etc.
WMIC calls result in errors.
...
...
Halving the timing "20 03 00 00" to "90 01 00 00" also resulted in the same game and now the panel elements needed more time for themselves again.
Further timing changes did not help either.
I think My changes in timing are risky.
So no luck at the moment.
Regards.
-
Hi noelBlanc,
*
Do not worry about a post related to "competition". We are around for a long while to know each other well. :thumbsup:
It is only a comment from a new user about what things look like for someone who is not around.
Well everything can look like a competition. :wink:
eg. You believe documenting findings is better. -> you have a competition with other ideas. :lol:
With open source, we all share findings. :xmas-beer:
*
i don't understand why people still use ISO/DVD
I guess most do not use ISO/DVD. At least at the Part of the world where there is a lot internet access.
(I do not use a real ISO/DVD since >5 years. Maybe >10 years ....
But ".iso files" are very useful and popular since It is a very old file format like .zip files so all OS can use it. :wink:
+
First of all creating ".iso file" is quite easy, just a single line with .cmd.
Creating ".vhd file" ... not fun with .cmd. :wink:
+
for PE : boot from ".iso file" has advantage that nothing change in .iso on next boot.
Generally boot ".iso file" that is at a usb stick. :wink: Not a real ISO/DVD.
(
with vhd it is not possible ...
Shortly:
".iso file" is solid, ".vhd file" is not solid.
".iso file" is stable ".vhd file" is flexible.
".iso file" you are sure you always get same result. ".vhd file" you can not be sure if something change have effect.
)
when you send a bootable PE .iso to a friend, you are sure your friend did not accidentally change content of .iso .
ps:
I still use Gena.iso (PE1) I made at 2016 and Win7PESE.iso I made at 2012 knowing they are static and enough for me.
+
Virtual World (VirtualBox/VMWare) :
1) ".iso file" make it easy to install any OS
2) ".iso file" make it easy to transfer files to Virtual_OS without "Guest Addition". (eg. DOS, Windows at early install stage without Guest Addition)
+
One can use ".iso file" as a container for personal files to tidy up disk since it is quite fast and easy to mount a .iso file on any Desktop OS.
eg.
My_Pictures_2000_2019.iso
My_Documents_PE.iso
But we can not mount iso at Android Phones and Iphone (IOS) for regular users.
At this point for Desktop OS users (eg. Windows) this is a good idea, for Android and Iphone (IOS) users still .zip works better in practice.
+
If you make a research and print that research (doc, xls) . It is a good idea to put a cd inside that research book.
(At this point I like mini CD :wink: )
*
I'm happy, I ran 45 minutes today. A real competition...against my old body!
Bike and Run. Very very Nice. :great:
Since 5 years, I like to go swimming at swimming pool.. :swimmer:
Have fun :bike:
:turtle:
-
@ Lancelot
The following does not belong directly to the current technical topic.
But anyway.
I believe one day Bob.Omb will come back.
I hope that too.
Step 2) add Linux to PE with a plugin. (I feel some quick DirCopy and RegCopy will be enough for headstart)
...
Just look at the codes of plugin that was designed for Step1) (probably got old now) and rest have fun If you are interested.
Sorry, I'm not very mucho interested for now. However, never say no.
But because they are Bob.Omb's babies, I think He'll do it himself.
We can already look forward to it.
Hi noelBlanc,
*
Do not worry about a post related to "competition". We are around for a long while to know each other well.
It is only a comment from a new user about what things look like for someone who is not around.
...
With open source, we all share findings.
That speaks to Me from My heart.
I still use Gena.iso (PE1) I made at 2016 and Win7PESE.iso I made at 2012 knowing they are static and enough for me.
And that's how I've sometimes been doing it since The Good Old BartPE Days.
@ all - Have a nice day.
-
But now there are many problems:
First of all, the Vbox drivers no longer work properly at all. Ex.: mouse catcher, graphics, VirtualBox Windows Guest driver etc.
WMIC calls result in errors.
...
...
Halving the timing "20 03 00 00" to "90 01 00 00" also resulted in the same game and now the panel elements needed more time for themselves again.
Further timing changes did not help either.
I think My changes in timing are risky.
So no luck at the moment.
Regards.
Yes, "Z:\WimBuilder2\Projects\WIN10XPE\01-Components\Devices and Printers\last.bat" made them show immediately for x64.
if "%WB_PE_ARCH%"=="x64" (
binmay.exe -u "%X_SYS%\DeviceSetupManager.dll" -s "81 FE 20 03 00 00" -r "81 FE 01 00 00 00"
)
fc /b "%X_SYS%\DeviceSetupManager.dll.org" "%X_SYS%\DeviceSetupManager.dll"
del /f /q "%X_SYS%\DeviceSetupManager.dll.org"
For VirtualBox Windows Guest driver, WimBuilder2 has a patch for that already.
[Customize]
Test\
VBoxGuestAdditions\
Oracle VM VirtualBox Guest Additions For:
@ Auto
O 6.1.x
O 6.0.x
* Drag and drop files or folders between host and guest
* The clipboard of the guest can optionally be shared with the host
-
@Lancelot : thank you for your good words and for your explanation.
I hope the water in your pool is not as cold as in France.
I agree with you in every way. However, I would like to clarify. When I worked in a large company, shortly before I retired, I used Winpe to install PCs. Often via PXE. Sometimes with ISOs placed on USB media. But always to install Windows "silently" with the W7 (or older) settings set by the company. But sometimes I used winpe for troubleshooting. I very quickly used the flat mode on USB media. I must say that I am not conservative and I have never kept a winpe of an older version. Nor x86 once I got a 64-bit PC.
My question: is there an action, a troubleshooting, that would not be possible since a winpe 64 latest version targeting an old OS x86 (XP for example)?
I am too old to face such a context.
About X86 and DeviceSetupManager.dll : i didn't download an x86 windows. Too Long with my slow connection Wan.
It's possible that the logic is the same in x86 and x64.
If I remember the logic for x64 well, DeviceSetupManager.dll asks something of cfgmgr32.dll, which sends the request to a driver (I forget which one). DeviceSetupManager.dll waits for a return. If there is no return from the driver, DeviceSetupManager.dll returns "error" to the caller.
I can understand the link between this wait and Vbox. It seems to me that the bytes to search for are not 0x320 in x86. That's why I need the x86 file.
I'll try to download an x86 and use IDA.
-
Hi Noel,
About X86 and DeviceSetupManager.dll : ...
...
I guess You are talking to Me, right?
If yes I can do... Own a good wan.
See You.
-
Hi HeyJoe, thanks for your help (in my last post, I deleted my request of what you offer me because I thought no one would do this for me)
Last night, I downloaded an x86 file. And this morning I used IDA.
deviceSetupManager.dll : version 10..0.1.19041.546 En-us size:230400 Thursday 19 november 2020, 03:32:05
The code is very similar for the "part around" the "0x320" area (see picture).
I notice the same function name, the same loop, the same constants...
$old = ( 0x45 ,0xf8 ,0x3d ,0x20 ,0x03 ,0x00 ,0x00 ,0xf2 ,0x82)
offset for this series: 3402 (base 10, not hex)
@HeyJoe : please, if you get free time, verify that you used this offset/signature in your last test.
If you use the "same" signature, i can't understand the link with VBOX.
I use HyperV extensively and I never notice such a problem with the hardware (yes, no usb in hyperv)
-
@ Noel + Slore,
Please see edited reply #270
Reason (please do not laugh): I accidently modified one of My iso's which was not intended for that.
Sorry for the inconvenience and the loss of time you have had by posting hints. :embarrassed:
"... about 10 minutes ..." --> its working now as it should (as always expected: whatever comes from You works).
This is what My favorite hexeditor told Me:
Inspecting file: DeviceSetupManager.dll v.10.0.17763.1 --> it is x86 in v.1809
Byte order: little endian
...
000176C4 45 F8 inc ebp
000176C6 3D 20 03 00 00 cmp eax,$00000320
000176CB 0F 82 CF 44 FF FF jc dword $FFFF44D5
...
Any decreased timing results in faster visibility of mentioned elements the way they should look. :smile:
Have a good time.
See You.
Edit: First tested in Vbox. USB-stick on real target machine will follow. (I hope soon :smile:)
-
@HeyJoe : no problem. if all things are correct for you and work the way you want, that's enough for me and I'm happy.
You said something about Bob Omb and linux. Because of my poor English, I don't follow threads that speak about plugins and the language of winbuilder.
But I communicated in the past with Bob Omb. Please give me some news about him and some simple information about linux in winpe.
Merci.
-
Hi Noel,
@HeyJoe : no problem. if all things are correct for you and work the way you want, that's enough for me and I'm happy.
Thanks mucho.
You said something about Bob Omb and linux...
...
... communicated in the past with Bob Omb. Please give me some news about him and some simple information about linux in winpe.
Merci.
I will collect more info for You. Will post soon. Please remind Me if time exceeded in case I forget about.
Passe une bonne journée. - par big G. traduit: Have a nice day. / Have a good time - in deutsch: Schönen Tag noch.
See You.
-
Hi noelBlanc,
I hope the water in your pool is not as cold as in France.
I do not have a pool, I use City Pool which is enough warm. :thumbsup:
(https://www.karsiyaka.bel.tr/public/uploads/mobile-file-1574931430073-42.png)
But since covid .... you know the rest.
ref. https://www.karsiyaka.bel.tr/tr/kapali-yuzme-havuzu-5d80d902ef7aae463d11d75b
*
I fully understand how you use WinPE :great:
Since I do not have a job like yours, My WinPE usage is only for my 2 or 3 pc/laptop,
so I do not much spend time creating a new WinPE as long as existing work enough for me.
*
My question: is there an action, a troubleshooting, that would not be possible since a winpe 64 latest version targeting an old OS x86 (XP for example)?
To me:
For "Very old PC" better use older PE (Gena or Win7PESE) .....
I do not have "Very old PC" :lol: I use Gena on my laptop only following my old habit since I have massstorage driver of my Laptop and PC working both with Gena_x86 and Gena_x64 ...
ps: And I do not use WinPE much anymore, Win10 is quite stable with OS updates, I use WinPE maybe once a year.
This question better goes to HeyJoe. Why HeyJoe prefers 10PEx86 I have no idea.
*
i don't follow thread that speak about pluggin and the langage of winbuilder.
It is batch syntax, like .cmd files, easy to read once you get familiar with it.
ShellExecuteex,Open,notepad.exe
=
Start notepad.exe
see Lancelot Reply 15 http://theoven.org/index.php?topic=2390.msg29318#msg29318
But i communicate in the past with Bob Omb. Please give me some news about him and some simple informations about linux in winpe.
My mistake.
Correct is : "Linux Bash Shell" in WinPE :wink:
https://www.laptopmag.com/articles/use-bash-shell-windows-10
The idea is first to install Bash Shell to source (Step 1) , later copy files+registry to PE. (Step 2)
Bob.Omb had done Step1 in the past (~ 2 years ago) ..... I asked HeyJoe if HeyJoe has any interest with Step2. That is all. :thumbsup:
:turtle:
-
Hi Noel,
I will collect more info for You. Will post soon. Please remind Me if time exceeded in case I forget about.
Just noticed Reply #280 by Lancelot concerning "... Linux Bash Shell in WinPE ...".
... Because my poor english, i don't follow thread that speak about pluggin and the langage of winbuilder.
If I can support You with further info about plugin written by Bob.Omb please let Me know.
I would like Bob.Omb to read your request and get in touch if he can.
Have a good time.
See You.
-
Hi Noel,
sorry, late reply. Was busy w/ other things.
Your PM send to Me on March 05, 2021, 01:47:11 AM
I ask you for another help: I push a new ISO in the link and make a modification for "scanner". So, if you have free time and if you get another device than mine, it is really helpful for me if you can test scan for a new device.
You understand that on this site, I can't make my link public. It's unethical on this site.
Only today can I tell you about my test results.
Test environment:
Your iso file name: winpe10V20H2en-GB.ISO --> x64 v.2009 (20H2) build 10.0.119042.631
Created: 2021-Mar-05 by Noel buddy
Downloaded from the link kindly given: 2021-Mar-05
Size: 972 MB - 1.019.707.392 Bytes
Written to usb3-stick by "rufus-3.13.exe" --> mbr-mode
Target machine: HP ProBook 470 G5
Printer: Samsung CLX-3185 series - borrowed from a friendly neighbor because Mine has been in the workshop for repairs already for 3 weeks :sad: :sad:
OK let's go...
Booted up the laptop into system session - OK.
Typed in commandline: tsdiscon.exe (as it was written by You: "... Lancer tsdiscon.exe si besoin ...") - continue booting into admin session - OK.
(It was a bit cumbersome because I just didn't remember how to switch quickly - from Your French ? - to the German keyboard layout. No matter, continue!)
As expected: Devices in "Printer and Devices" panel were immediately visible as they should look like in real OS. :smile:
BTW: How did You manage (in admin session) that the explorer remembers the setting changes?
Ex.: After changing the icon view (or other things) and reloading the panel, the icon view was not lost unlike in my PESE!
I established an usb cable connection to the printer - working OK w/o additional driver package for now.
I ran "wfs.exe" (Windows Fax and Scan) resulted in warning: "No scanners were detected..."
Therefore first downloaded installer package for CLX-3180 series Printers x86/x64 from HP website - installed --> OK
Then downloaded installer package for Universal Scanner x86/x64 from HP website - installed --> OK
I ran again "wfs.exe" --> scanner found immediately.
Started a "New Scan" from gui menu results in errors:
"An error occurred while setting the scanner properties ..." which one?
"... another program is running - wait for completion ..." or something like that
"A problem prevented the document from being scanned ..." Dunno which one.
BlueTooth and other features not tested.
Spent a couple of great hours.
Hopefully You can do something with this information.
Have a nice time. Take care.
See You.
Edit: Just found:
...because I just didn't remember how to switch quickly ... to the German keyboard layout ...
https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-lcid/a9eac961-e77d-41a6-90a5-ce1a8b0cdb9c?redirectedfrom=MSDN
Scroll down a bit.
Assuming one has the Input Indicator in systray bottom right visible - which is not an obligation but useful in case one wish mouse clicking (if don't, one may look for it @TheOven) then at PE runtime:
run commandline: start ctfmon.exe & wpeutil SetKeyboardLayout 0x0407:0x0407
Regards.
-
hi,
I spent several days helping a friend who builds his house. And it was impossible for me to connect.
Sorry for the delay.
@Lancelot: thanks for the photo. I kind of visited the site of the municipality.
It's a real change of scenery for me who doesn't leave my house often.
I was pleasantly surprised by this presentation: Karşıyaka'da Toplumsal Cinsiyet Eşitliği Paneli'nin Oturumu Tamamlandı
It's a subject close to my heart.
Maybe one day I will visit the rest of the world as there are beautiful things to see.
@HeyJoe: thank you for the test. It is already a very good thing that the scan is recognized.
It is therefore that all the common elements are present.
For the "New Scan" menu: only if you have time, you could take a track/catch with procmon.
This would allow me to confirm that the missing objects are linked and depend on the hardware, the device.
For example, my Samsung scan uses a lot of dll/exe in 32bit mode.
This morning, again, I played with VirtualBox. My winpe version is based on ADK's Winpe. The addition of DLLs generates a "hell" with the versions.
Many of the DLL/EXE versions in the ADK's Winpe are older than ISO 20H2.
And the VirtualBox installation failed ("The procedure entry point CheckIsMSIXPackage could not be located in the dynamic link library OpenGl32.dll").
The KernelBase.dll file of the ADK's Winpe does not export the offending API.
Now I can use winpe, launch virtualbox, create a VM (winpe because it's fast), stop/start my winpe host and find the entire VirtualBox environment with the VM created.
But you have to copy the two hives, system and software. That's the most annoying point.
It is true that there is no point. But it amuses me.
I tried to install HYPERV: failure for now.
As I once said, HyperV, SandBox, WSL are FODs.
I managed to install FODs. It's a bit of a complex environment especially if FOD requires a reboot like Hyperv
One day I would try WSL.
Can't wait for the end of this pandemic.
See you soon
-
Hi Noel,
Hopefully You are fine.
So sorry, late reply. Was verrrry busy w/ urgent obligations.
Test environment:
...
Printer: Samsung CLX-3185 series - borrowed from a friendly neighbor because Mine has been in the workshop for repairs already for 3 weeks :sad: :sad:
...
Own printer (same model) is back home since days. Thank God. :smile:
...
@HeyJoe: thank you for the test. It is already a very good thing that the scan is recognized.
It is therefore that all the common elements are present.
For the "New Scan" menu: only if you have time, you could take a track/catch with procmon.
This would allow me to confirm that the missing objects are linked and depend on the hardware, the device.
For example, my Samsung scan uses a lot of dll/exe in 32bit mode.
You are welcome.
I can't test before next week, or so. :sad: Please be patient...
...
I think you want to say "Seulement ceci pour le moment: blabla". I appreciate you try the french language.
...
I'm sorry My friend. I only know a few French words. But I love to use them sometimes to make others smile - and hopefully they are translated correctly. :smile:
Translator by big G. told Me:
Je suis désolé mon ami. Je ne connais que quelques mots français. Mais j'aime parfois les utiliser pour faire sourire les autres - et j'espère qu'ils sont correctement traduits.
Does it sound good in Your ears ?
Have a good time. Stay healthy.
See You.
-
@HeyJoe
This sounds really well ! :great:
I like to speak in French because I understand better what I read and also what I write. But I'm afraid to talk to myself.
About the scanner test: take your time, I'm retired and covid limits my activities.
About "How did You manage (in admin session) that the explorer remembers the setting changes?": I'm sure I don't understand.
Ex.: After changing the icon view!
Sorry, I don't understand what an icon view is.
(or other things) and reloading the panel,
Sorry, I don't understand what this panel is.
the icon view was not lost unlike in my PESE!
I understand that you lose something. Maybe if you talk to me like you're talking to a baby...
I also have a question about PESE: what is the B: drive and what are its particularities (write protected...)? (Yes, I can search by myself but I'm too lazy to do that. I prefer trying/playing with hyperV/SandBox in winpe)
Thank you
-
Hi noelBlanc,
I also have an question about PESE : what is the B: drive and what are its particularities ( write protected...) ? (Yes, i can search by myself but i'm lazy to do that. I prefere trying/playing with hyperV/SandBox in winpe)
Thank you
B: is RamDrive.
Using ramdrive with pe is one of the oldest features since PE1. I remember there is ms ramdrive too but not popular.
(ms ramdrive 2k days https://www.itprotoday.com/compute-engines/jsi-tip-3515-great-ram-disk-and-more )
Gavotte RAMDisk was popular a long time with PE1 and XP, later Imdisk popular with PE. (Imdisk certified)
These days ramdrive option with Imdisk available with all Projects now (WimBuilder LiveSystemPro Azin Gena ... ).
With your FlatBoot, It will not be important to you. Temp size is the size of your boot disk. :great:
With .iso boot, RamDrive is more helpful :
+
Without RamDrive -> Installing an application both app + temp size follows available fbwf (X:) free space. :sad:
With RamDrive -> Temp at B: -> Installing an application only app follows available fbwf (X:) free space. :smile:
+
Disable fbwf -> you will need a writable environment for temp and other things -> Ramdrive always ready out of box :smile:
Bonus:
Symbolic links (hardlink, junction etc.) works out of box with ramdrive when you need such things. (mostly NTFS ramdrive used)
Imdisk Bonus: Ramdrive size can be increased without restart ramdrive when you need.
Imdisk Bonus: you can use imdisk features like mount .iso etc. files
I hope this info helps.
:turtle:
-
@ Lancelot,
You're faster than Me turtle :wink:
@ Noel,
...
As expected: Devices in "Printer and Devices" panel were immediately visible as they should look like in real OS. :smile:
BTW: How did You manage (in admin session) that the explorer remembers the setting changes?
Ex.: After changing the icon view (or other things) and reloading the panel, the icon view was not lost unlike in my PESE!
...
better explained by pics:
1st pic shows "Printer and Devices" panel at first callup with large symbols (icons)
See pic_1.png
Now I change the icon (symbol) view from large to less large that looks like this shown in 2nd pic:
See pic_2.png
Now I close "Printer and Devices" panel then open again (reloading the panel).
See pic_3.png
You can see: nothing was saved by explorer --> whereas real OS does and iso of Yours too.
That is: 1st pic looks same as 3rd pic :sad:
+
...
I also have an question about PESE : what is the B: drive and what are its particularities ( write protected...) ? (Yes, i can search by myself but i'm lazy to do that. I prefere trying/playing with hyperV/SandBox in winpe)
...
Drive B: is a fully writable RAM-disk created at pese startup by executing command e.g.: 'ImDisk.exe -a -m B: -s 716M -p "/FS:NTFS /C /Y"'
ImDisk is (c) from great Olof Lagerkvist, author of ImDisk, e.g.: https://sourceforge.net/projects/imdisk-toolkit/
This ram-disk is not (I guess) really needed in PE's - but verrrry nice (imho)
See pic_4.png + pic_5.png
Have a nice time. Stay healthy.
See You.
-
@Lancelot : thank you for your good help. I try to understand why, in a WinpeXPE, an MSI file doesn't work when launched from B:\xxx.msi and works well when it is launched from x:\xxx.msi. I see in the Procmon PML file that a copy failed (perhaps from b:\xxx.msi to %temp%\yyy, but I don't have the needed logs at this time).
@HeyJoe : thanks for your information about B:. I understand better where to look in this MSI failure.
And about the visual effect (thank you for taking the time to explain), I never played with the icon size before today. So I can't find the tips instantly. But if you send me a boot.wim, I can try to compare. A long way.
Another question: with explorer as desktop (not startisback or other) can you move the icons on the desktop?
Actually, I play with HyperV/SandBox. I got to a new step. But it's not the end. I hope this is the last error: the virtual network doesn't work.
See you soon....if the country's door stays open (I hope my humour is not so bad)
Take in good health
-
Hi HeyJoe,
Small forum tip :
You can insert picture on your reply
eg.
Test with Edit your previous reply this way :
1st pic shows "Printer and Devices" [b][u]panel[/u][/b] at first callup with large symbols (icons)
See pic_1.png
-->
1st pic shows "Printer and Devices" [b][u]panel[/u][/b] at first callup with large symbols (icons)
See pic_1.png
[attach=1]
*
You're faster than Me turtle :wink:
Mostly not, sorry for the delay on the other topic, I was quite busy and you are really very fast.
:tomcat:
:turtle:
-
Hi noelBlanc,
@Lancelot : thank you for your good help. I try to understand why, in a WinpeXPE, an MSI's file doesn't works when launched from B:\xxx.msi and works well when it launched from x:\xxx.msi. I see in the Procmon's file PML that a copy failed ( perhaps from b:\xxx.msi to %temp%\yyy but i don't get some needed logs at this time).
On very very rare cases :
RamDrive used with Imdisk are mostly MediaType "RAM Drive" not "Fixed Media" which very rarely make some "app" mixed things fail.
I forgot details, It is very rare very old and I do not face that for lots of years now.
ps: "Fixed Media" can be called "Harddisk Emulation" on internet and other ramdisk apps which as far as I can remember slower ........
:turtle:
-
@ Lancelot,
Did not understand.
What do You mean with:
...
[ Attachment Invalid Or Does Not Exist ]
...
Can it be that I crossed Your post.
However I guess all My attached pics are valid, right?
Regards.
-
Hi HeyJoe,
Sorry, forumengine auto change my reply, I mean this :
[attach=1]
See also this:
[attach=2]
However I guess all My attached pics are valid, right?
:thumbsup:
:turtle:
-
To Lancelot,
Clarified :smile:
See You.
-
@ Noel,
...
And about the visual effect (Thank you to take time to explain ), i never played with the icon size before today. So i can't find instantanely the tips. But if you send me a boot.wim, i can try to compare. A long way.
...
A very very loooong way (at least from My experience). Don't worry. Let it be good, mon ami.
I only thought that You were busy with that matter in the earlier past, so You can quickly remember some details.
I don't want to waste Your valuable time.
Better I want to go on My way -> search .. search .. search.
...
An other question : with explorer as desktop ( not startisback or other ) can you move the icons on the desktop?
...
Explorer makes the desktop as usual. No limits regarding: "...move the icons on the desktop...".
StartIsBack manages the start menu. No limits.
See you soon....if the country's door stay open ...
I hope so.
Have a good time. Stay healthy.
See You.
-
Hi noelBlanc,
Related to HeyJoe question:
In your MicroWinpeBuilder, do you have Folder Options-View-"Apply to Folders" Button working ?
I mean:
[attach=1]
:turtle:
-
Hi HeyJoe,
...
And about the visual effect (Thank you to take time to explain ), i never played with the icon size before today. So i can't find instantanely the tips. But if you send me a boot.wim, i can try to compare. A long way.
...
A very very loooong way (at least from My experience). Don't worry. Let it be good, mon ami.
I only thought that You were busy with that matter in the earlier past, so You can quickly remember some details.
I don't want to waste Your valuable time.
Better I want to go on My way -> search .. search .. search.
Maybe helps:
http://www.nirsoft.net/utils/shell_bags_view.html
Inside PE (System User) since Bags not created views not saved, as a result, NirSoft ShellBagsView result empty.
(first browse some folders and change their view settings)
"Apply to Folders" button greyed out makes me feel something missing but maybe not related.
(at least something to check with procmon etc. :wink: )
+
When you add Administrator Account (tested with WimBuilder) and login as Administrator,
View works :thumbsup:
With other words, folder view settings saved, Bags created :thumbsup:
ShellBagsView do not show empty :thumbsup:
*
Summary:
PE: Administrator-View Change works
PE: System-View Change do not work
I hope the above info gives you a head start.
Further good luck with your research. :great:
*
Waiting for your next on the other topic, I hope you have free Saturday time. :cheers:
Good night
:turtle:
-
to Lancelot: yes, "my" winpe gets "apply to folders"! Like a normal Windows: only if you select an item other than "this pc". In the 2 sessions, system and administrator. I make some choices when I build: for example, I use the software hive from install.wim because I don't want/need to find each needed key. In a big VHD, 10GB, there is too much space.
[attach=1]
to HeyJoe : in France, we're going into another containment. So, I can download winpese/winbuilder but understanding how to build takes too much time for me (days and perhaps weeks). But it's really better for me if you can put a boot.wim in a share for me.
note: I got discouraged several times over the years spent with the winbuilder GUI. I didn't understand anything. Which is the source...etc. And I didn't understand the words and concepts. Not because winbuilder is bad but only because my English is bad! That's why I chose to build my own builder, ugly and heavy, but one I understand and master. I understand the PS language (I don't use any application/program other than those offered by MS). The winbuilder language is too abstruse for me. It's true, winbuilder is a wonderful tool for professionals. But I'm an eternal amateur.
On the picture, you can see a first screen of hyperV : Yes, it doesn't work at this time !
And yes, like VirtualBox in winpe, HyperV in winpe is not useful. But it's a good game for me.
take care
:bike:
-
Hi noelBlanc,
to Lancelot: yes, "my" winpe gets "apply to folders" ! like a normal Windows : only if you select an other item than "this pc". In the 2 sessions, system and administrator. I make some choices when i build : for sample, i use the software hive from install.wim because i don't want/need to find each needed keys.
Thanks for the report. :thumbsup:
Personally, I am fine PE not save folder view settings.
I made some tests with Wimbuilder, + "Build Full Winre.wim" + "Use full install.wim's Software hives" + "Use Full Catolog" , no success.
Further slore knows better.
I hope all these posts will be a nice head start to HeyJoe.
because i don't want/need to find each needed keys.
I deeply understand you. :cool:
I a Big VHD, 10GB, there is too much space.
10GB :lol: , As I wrote previously, You do not need ramdisk. :thumbsup:
Still, I advise you to spend some time with Imdisk, It is a very useful tool.
See you.
:turtle:
-
Hi Lancelot :
no success
sorry, my bad English... I can't understand what the "no success" subject is. If it is the "view folder", I can look in Slore's WimBuilder because I built one at the beginning of the year when we searched for something about termservice.
I'll try it ("view folder" settings) .... it is ok in "my" Slore's Wimbuilder2 that i put in a VHD ( because i investigated and ISO is not a good media for research into winpe)
[attach=1]
About ImDisk, it's only because a friend is facing an issue with .msi in winpeXpe.
I can't imagine msiexec.exe not working with a volume like B:. I'll try to look in the msi file with orca if I find it (orca).
My philosophy is : i use MS's OS, so, i use MS's programs. Else i should use Linux. I hope not to upset any of you.
See you soon.
-
it is ok in "my" Slore's Wimbuilder2 that i put in a VHD
Maybe that cause view not saved here, I boot with ISO .
"no success" :
I see that with your VHD boot, explorer saves view settings and the "Apply To Folders" button works.
Thanks for reporting It also works with slore's wimbuilder on vhd you made. :thumbsup:
You can save view settings and "Apply To Folders" button work.
When I boot with ISO :
explorer does not save view settings (HeyJoe Reply 287 with pictures ) and
"Apply To Folders" button does not work. (Lancelot Reply 295 Picture) = I have no success. = I am unsuccessful.
ps: HeyJoe Reply 287 http://theoven.org/index.php?topic=1639.msg40000#msg40000
You can quickly test and see what I see with Wimbuilder:
Wimbuilder-Getting Started----->Select source
Wimbuilder-Building----->Enable "Create Iso after building" checkbox
Wimbuilder-Building----->Click "1-build(log)" button
====>
You will get .iso file at
.\_Factory_\BOOTPE.iso
Test BOOTPE.iso with emulator.
I hope all clear now.
i use MS's programs. Else i should use Linux. I hope not to upset any of you.
I have to use MS's programs, Else I should also use Linux or MacOS. :great:
:turtle:
-
Hi noelBlanc
+
Boot with ISO -> I mean boot with WIM. :wink:
:turtle:
-
Hi Lancelot,
I build an ISO file from the boot.wim file built by WimBuilder2 (january2021). (Oscdimg is good for me)
So, no VHD, only ISO. ( Yes, i understand ISO=BOOT.WIM for me).
(Note: I use the "This PC" icon to display the version of the builder. I think it's a good way for this data, I see quickly if I boot on the target version, and I boot many and many times with many VHDs with many contents...with many failures! To each his need, his tool, his trick...)
And the "view folders settings" is good but, as I said, I must choose a target other than "This PC". I open a folder, "X:\", and I click "view\Options\Change folder and search options"; then in the "Folder Options" window I click the tab "view": -> "Apply to Folders" is enabled and active.
I use an ISO from TechBench (En-Gb not en-us! Why? Because I chose it randomly, I never used other than fr-fr!)
So, VHD/ISO = ok for me, but with old versions for tools and source W10.
Perhaps we need to search in options of the tool.
In this ISO/Slore and in in "my" VHD/Slore, i see the "issue" about "device and printers" (like HeyJoe).
I think the two "questions" are not correlated.
I also notice in ISO/VHD/Slore that I can't really "create" a shortcut on the desktop: click on desktop, create seems to work but I can't give the target with "property".
I know I only use explorer, not winxshell nor .... So it's not an issue for WimBuilder2. But perhaps it gives information on the two "issues" above.
And "issue" is not the right word, but my poor English.... I prefer to say "it's not like in W10".
See you soon
-
Hi noelBlanc,
Perhaps we need to search in options of the tool.
*
Your reply makes me discover something :
When I add Wow64 support to Wimbuilder (Wimbuilder - Customize - Configures - Build - enable "WOW64 Support")
"Apply to Folders" is not active.
When I do not add Wow64 support to Wimbuilder (Wimbuilder - Customize - Configures - Build - disable "WOW64 Support")
"Apply to Folders" is enabled and active as you reported. :great:
Result 1: Wimbuilder "WOW64 Support" affects "Apply to Folders"
*
with or without "WOW64 Support" folder settings not saved.
eg.
Explorer:
+ Create folder D:\12\Test\
+ Add File D:\12\Test.txt
+ Select folder D:\12\
+ Explorer-View-Select List
+ Close Explorer
+ Open Explorer again, go to D:\12\ folder + It is Details again not List
--> HeyJoe case
Further on slore and HeyJoe hands.
*
i also notice in ISO/VHD/Slore that i can't really "create" a shortcut on the desktop : clic on desktop, create seems to work but i can't give the target with "property".
I know i only use explorer, not winxshell nor ....So it's not an issue for WimBuilder2. But perhaps it gives informations on the two "issues" above.
I believe I did not understand.
Wimbuilder ->
Drag and Drop to Desktop "Create Shortcuts here" works fine.
Right Click to Desktop - New - Shortcut ---> does not popup "Create Shortcut" screen, still a shortcut created, but since I do not use that I am fine with it.
*
And "issue" is not the good word but my poor english....i prefere to say "it's not like in W10".
:lol: :lol: :lol:
All "issue" about PE is equal to "it's not like in Windows" since first PE. :lol: :lol: :lol:
See you
:turtle:
-
Hi Lancelot,
enable "WOW64 Support") --> "Apply to Folders" is not actif.
I look at in "my" last_wimbuilder.log file and see : "opt{build.wow64support]=true"
So : ?
About "folder settings": I don't use it. I prefer only one configuration, a default configuration (the same for all drives), "details" without "type" (I hate losing space with this stupid "type" which tells me that the txt extension is a type of text document, I prefer to see the extension). And I don't know how to set "this" default setting (without "type")
About "new shortcut":
It is this case :Right Click to Desktop - New - Shortcut ---> does not popup "Create Shortcut" screen, still a shortcut created
No popup, so you need to right click on the icon, click "property" --> and you can't enter the target!
I use this feature intensely when searching in Winpe.
It's time to eat, in France.
Take care
:bike:
-
hi,
I updated my script in the first post (minor changes) and I added two PDF files (Fr and En) for a general documentation around "winpe-core".
And a picture about hyperV : [attach=1]
I hope the virtual network is the last pitfall. But it seems to be hard! I don't find a "handle" for investigation (driver perhaps, but they seem ok; comparison, but it's complex ...)
I don't think anyone will be interested in the method I used to add these FODs (I prepared HyperV, SandBox and WSL). Anyway, I will try to put a short story here.
take care.
:bike:
-
Hi,
About Shortcut (right click on the desktop), I found that in my "general document PDF" on the first page:
[attach=1]
Actually, I can't test for WimBuilder2 because I am out of my house for the whole day.
:bike:
-
Hi noelBlanc,
hi,
I update my script in the first post (minor changes) and i add two PDF files (Fr and En) for a generale documentation around "winpe-core".
Thanks for the updates. :you_rock:
*
About Shortcut (rigth clic on the desktop ), i found that in my "general document PDF " in the first page :
Thanks noelBlanc,
test WimBuilder with 2 files on your picture.
Still failure here.
=
Right Click to Desktop - New - Shortcut ---> does not popup "Create Shortcut" screen
(
Also "New Shortcut.lnk"-Right Click-Properties-"Open File Location" does not work as you write.
ps:I feel "Open File Location" does not work since normally ;) "New Shortcut.lnk" should not exist,
"Create Shortcut" screen delete "New Shortcut.lnk" when you do not fill location and click cancel.
)
I use following abstruse commands to add files
Require_FileQ,appwiz.cpl
Require_FileQ,osbaseln.dll
:wink: :lol:
Have fun :bike: , it is a sunny Sunday here
:turtle:
-
Hi noelBlanc,
About other things I missed before:
*
i prefere only one configuration, a default configuration (the same for all drives), "details" without "type" ( I hate losing space with this stupid "type" who tells me that the txt extension is a type of text document, I prefer to see the extension). And i don't know how to set "this" default setting ( without "type" )
I am not sure what you are looking for.
I believe you are not looking for disabled "Hide Extensions for known file types"
With Explorer:
1) Open only 1 Explorer,
2) Change your view settings ....
3) Click "Apply to Folders" we mentioned on previous replies
4) Close Explorer
-->
This should make all folders look same with new setting.
(
If not, at step 0) delete all (most) Bag registry first :wink:
)
But explorer continues to save folder special settings as long as you play with them.
(There should be a setting I can not remember now)
I use Q-Dir instead of Explorer (home pc and pe)
Here with all my personal settings (but my personal view settings not included) that looks and behaves like Explorer
http://theoven.org/index.php?topic=3349.msg39896#msg39896
In addition:
Q-Dir shows all folders with only one configuration, a default configuration (the same for all drives) :thumbsup:
+
Q-Dir -> Right Click at "Name Size ..." and remove Type ---> Type not exists anymore
https://www.softwareok.com/img/faq/Q-DIR/Change_Column_Settings_in_Q-Dir_2017-12-18-17-34-47.png
On Q-Dir I always see Name-Size-Date with same width, Q-Dir save this setting internally.
Here is a picture from my Q-Dir
[attach=1]
*
An other question : with explorer as desktop ( not startisback or other ) can you move the icons on the desktop?
I use explorer as desktop with Gena :lol:
It is controlled by a registry setting which I believe you know
I prefer the following abstruse command :
//"Auto Arrange icons" false - "Align icons to grid" true
RegWrite,HKLM,0x4,Tmp_Default\Software\Microsoft\Windows\Shell\Bags\1\Desktop,FFlags,1075839524
ps: It is one of the preexisting Bags like Explorer special folder settings :wink: - This PC - Desktop - Printers .....
+
for MicroWinpeBuilder maybe this helps:
Within the Local folder select the IconCache file and click Delete
https://support.lenovo.com/tr/en/solutions/ht504726
See You
:turtle:
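An added example, not part of the original post or of any project's code: it parses the RegWrite line quoted above, decodes its FFlags value into the FOLDERFLAGS bits from the Windows SDK, and renders the equivalent reg.exe command. It assumes 0x4 is the standard registry type number for REG_DWORD and that Tmp_Default is the name under which the PE default hive is loaded in HKLM; the function names are made up for this example.

```python
from enum import IntFlag

# The plugin line exactly as quoted in the post above.
PAGE_LINE = (r"RegWrite,HKLM,0x4,Tmp_Default\Software\Microsoft\Windows"
             r"\Shell\Bags\1\Desktop,FFlags,1075839524")

# Standard Windows registry type numbers mapped to reg.exe type names.
REG_TYPES = {0x1: "REG_SZ", 0x4: "REG_DWORD"}


class FolderFlags(IntFlag):
    """FOLDERFLAGS bits as defined in the Windows SDK (shobjidl_core.h)."""
    FWF_AUTOARRANGE = 0x00000001
    FWF_ABBREVIATEDNAMES = 0x00000002
    FWF_SNAPTOGRID = 0x00000004
    FWF_OWNERDATA = 0x00000008
    FWF_BESTFITWINDOW = 0x00000010
    FWF_DESKTOP = 0x00000020
    FWF_SINGLESEL = 0x00000040
    FWF_NOSUBFOLDERS = 0x00000080
    FWF_TRANSPARENT = 0x00000100
    FWF_NOCLIENTEDGE = 0x00000200
    FWF_NOSCROLL = 0x00000400
    FWF_ALIGNLEFT = 0x00000800
    FWF_NOICONS = 0x00001000
    FWF_SHOWSELALWAYS = 0x00002000
    FWF_NOVISIBLE = 0x00004000
    FWF_SINGLECLICKACTIVATE = 0x00008000
    FWF_NOWEBVIEW = 0x00010000
    FWF_HIDEFILENAMES = 0x00020000
    FWF_CHECKSELECT = 0x00040000
    FWF_NOENUMREFRESH = 0x00080000
    FWF_NOGROUPING = 0x00100000
    FWF_FULLROWSELECT = 0x00200000
    FWF_NOFILTERS = 0x00400000
    FWF_NOCOLUMNHEADER = 0x00800000
    FWF_NOHEADERINALLVIEWS = 0x01000000
    FWF_EXTENDEDTILES = 0x02000000
    FWF_TRICHECKSELECT = 0x04000000
    FWF_AUTOCHECKSELECT = 0x08000000
    FWF_NOBROWSERVIEWSTATE = 0x10000000
    FWF_SUBSETGROUPS = 0x20000000
    FWF_USESEARCHFOLDER = 0x40000000
    FWF_ALLOWRTLREADING = 0x80000000


def parse_regwrite(line):
    """Split 'RegWrite,<hive>,<type>,<key>,<name>,<data>' into a dict."""
    parts = [p.strip() for p in line.split(",", 5)]
    if len(parts) != 6 or parts[0].lower() != "regwrite":
        raise ValueError("not a six-field RegWrite line: %r" % line)
    _, hive, type_code, key, name, data = parts
    reg_type = REG_TYPES.get(int(type_code, 16))
    if reg_type is None:
        raise ValueError("unhandled registry type " + type_code)
    if reg_type == "REG_DWORD":
        data = int(data, 0)  # accepts decimal or 0x-prefixed hex
        if not 0 <= data <= 0xFFFFFFFF:
            raise ValueError("DWORD out of range: %d" % data)
    return {"hive": hive, "type": reg_type, "key": key,
            "name": name, "data": data}


def decode_fflags(value):
    """Return the names of the FOLDERFLAGS bits set in value, low bit first."""
    return [flag.name for flag in FolderFlags if value & int(flag)]


def desktop_fflags(base, auto_arrange, snap_to_grid):
    """Return base with only the two desktop icon-layout bits changed."""
    auto = int(FolderFlags.FWF_AUTOARRANGE)
    snap = int(FolderFlags.FWF_SNAPTOGRID)
    value = base & ~(auto | snap) & 0xFFFFFFFF
    if auto_arrange:
        value |= auto
    if snap_to_grid:
        value |= snap
    return value


def to_reg_add(entry):
    """Render a parsed entry as the equivalent reg.exe command line."""
    return ('reg add "{hive}\\{key}" /v {name} /t {type} /d {data} /f'
            .format(**entry))


if __name__ == "__main__":
    entry = parse_regwrite(PAGE_LINE)
    print(to_reg_add(entry))
    print("0x%08X" % entry["data"], decode_fflags(entry["data"]))
    for auto in (False, True):
        for snap in (False, True):
            print("auto-arrange=%s align-to-grid=%s -> %d"
                  % (auto, snap, desktop_fflags(entry["data"], auto, snap)))
```

FWF_AUTOARRANGE is clear and FWF_SNAPTOGRID is set in the decoded value, which matches the comment on the RegWrite line ("Auto Arrange icons" false, "Align icons to grid" true).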
-
Hi Lancelot
Not sure my poor English can send the good idea/concept/words/philosophy over the sea.
About "Right click / New Shortcut" in "my" (January WimBuilder2), I can't create a new shortcut with this method.
As I said above, I must add osbaseln.dll, AppWiz.cpl and its .mui. With these 3 files, the new shortcut is created, a big popup is opened and I can enter the target.
The pic1 shows the result when I right click on the desktop "explorer". The pic2 shows the "Create Shortcut" window, the pic3 shows 2 of the 3 added files.
Without these 3 files, when I right click on the desktop, an icon is created on the desktop (explorer) and it is impossible to enter the right target.
[attach=1][attach=2][attach=3]
About I believe you are not looking for disabled "Hide Extensions for known file types"
It's simple in French but complex in English. When I launch an "explorer" window and choose/select/open a folder like "X:\", explorer shows some columns on the right panel. Because I prepared a key for explorer during the build, the extension "item" is displayed with the name of the file. No problem.
But one column is named "Type". And I hate this column. I haven't found a key (I don't really search because I prefer to play with HyperV at this time) to prevent this column from being displayed.
The "folders setting" is manually. This should make all folders look same with new setting.
Not an help for me.
I hope pic4 is more easy to understand than by poor english
[attach=4]
I'll try this mp_Default\Software\Microsoft\Windows\Shell\Bags\1\Desktop,FFlags,1075839524
Thank you for your explanation
Like I said, I don't use "any other" program/application than the ones that come with Winpe/Windows/MS. Explorer is good for me!
about can you move the icons on the desktop?
I ask that because in the past I spent a long time finding out why I couldn't move icons on the desktop. And, when I asked that, I was trying to find all the contexts that I met in the past and that could help me find the solution to the first question, which was "folder settings ....". No problem for me.
But my poor English is the great source of misunderstanding.
Yes, a good sunday with most sun in France also.
:bike:
-
Hi noelblanc,
As I wrote before try this :
1) Open only 1 Explorer,
2) Change your view settings ....
see picture here: https://answers.microsoft.com/en-us/windows/forum/windows_8-files/how-do-i-permanently-get-rid-of-the-type-column-in/88240ed4-657c-44d5-b645-9343d29034c2?auth=1
-->
Remove Type
3) Click "Apply to Folders" button we mentioned on previous replies
"Apply to Folders" button --> see picture here
http://theoven.org/index.php?topic=1639.msg40015#msg40015
4) Close Explorer
Open Explorer and browse other folders, you will notice there will be no "Type" :great:
ps:
Method is same since XP or before.
I hope my bad english is helpful this time.
:turtle:
-
Hi noelBlanc,
About "Right click/ New Shortcut" in "my" (january WimBuilder2), I can't create a new shortcut with this method.
As I said above, I must add osbaseln.dll, AppWiz.cpl and its .mui. With these 3 files, New shortcut is created, on big popup is opened and I can enter the target.
The pic1 shows the result when I right-click on the desktop "explorer". The pic2 shows the "Create Shortcut" window, the pic3 shows 2 of 3 added files.
Without these 3 files, when I right-click on the desktop, an icon is created on the desktop (explorer) and it is impossible to enter the good target.
Having 3 files you mentioned :thumbsup:
Tested with WimBuilder2-Full.v2021-02-02
and Win10_20H2_v2_English_x64.ISO (10.0.19042.631)
I can not get your pic2 "Create Shortcut" window
Probably something changed with windows. :wink:
:turtle:
-
Hi Lancelot
"Apply to Folders" button .... you will notice there will be no "Type"
An other time, me poor english.... don't be attacked by my poor vocabulary. I will try to make you understand that I absolutely do not want to use manual "Apply to Folders" . But that I want is to change the default behavior of explore/view
If explorer/view displays some columns ( name, type, size ...), it's because these columns are defined somewhere and which is the default settings. And This is "This somewhere" that I want to discover....perhaps one day.
About Having 3 files you mentioned
it works well for "my" WimBuilder2 january.
I use the same ISO windows. The build of windows is visible in pic3. It also works in "my" winpe built with "my" script. So i don't think the change is in windows. It's difficult for me to try other things. "tools options"? in this week, if you put your boot.wim on a share, i can download it and try to search. I can't do more.
I hope my bad english is helpful this time.
Your English is good. No problem. As I said, I can't explain correctly in English. The source of the misunderstanding is myself. I know that. Because I'm like a black sheep in the middle of all the white sheep. I don't use the same tools as others, etc.
thank you for your patience towards me and your kindness
:bike:
-
Hi noelBlanc,
"Apply to Folders" button .... you will notice there will be no "Type"
An other time, me poor english.... don't be attacked by my poor vocabulary. I will try to make you understand that I absolutely do not want to use manual "Apply to Folders" . But that I want is to change the default behavior of explore/view
If explorer/view displays some columns ( name, type, size ...), it's because these columns are defined somewhere and which is the default settings. And This is "This somewhere" that I want to discover....perhaps one day.
I replied that before, somewhere is Bags registry
See Reply 296 http://theoven.org/index.php?topic=1639.msg40009#msg40009
follow nirsoft link for more information about bags registry location
+
Additional info:
There is also
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoSaveSettings"=dword:00000001
I guess after having bags registry you like, with NoSaveSettings 1 they will not change. (not tested)
For now, It is not required, since today PE can not save bags as HeyJoe reported.
--->
eg. HeyJoe case: Printer view -- Find "Printer .. " bags on registry (nirsoft utility mentioned before maybe useful to figure out which bag registry), add to your offline pe, see if explorer works as expected after pe boots.
Further on your hands. :great:
:turtle:
-
+
Reminding:
Also written at Lancelot Reply 308 http://theoven.org/index.php?topic=1639.msg40037#msg40037
Desktop setting is also Bags registry
Software\Microsoft\Windows\Shell\Bags\1\Desktop
***
For today maybe bags can be written before to get expected result.? (not tested)
What is missing is, as HeyJoe wrote, when PE Boots, Explorer do not write Bags registry like in normal windows. :wink:
I hope I could clear, .... further on your hands. :great:
-
Hi noelBlanc
About Having 3 files you mentioned
it works well for "my" WimBuilder2 january.
I use the same ISO windows. The build of windows is visible in pic3. It also works in "my" winpe built with "my" script. So i don't think the change is in windows. It's difficult for me to try other things. "tools options"? in this week, if you put your boot.wim on a share, i can download it and try to search. I can't do more.
No problem to me, I do not use this anyway, I only test to feedback.
Further:
WimBuilder2-Full.v2021-02-02
source 1809 Enu x64 ( 10.0.17763.1 )
added 3 files
New-Shortcut menu not exists :lol:
Further slore knows better. :great:
In fact I like more not having this feature anyway. :wink: Only curiosity on my side how it works.
Your English is good. No problem. As I said, I can't explain correctly in English. The source of the misunderstanding is myself. I know that. Because I'm like a black sheep in the middle of all the white sheep. I don't use the same tools as others, etc.
thank you for your patience towards me and your kindness
You are a white sheep in the middle of all white sheep or maybe we are all black sheep. :thumbsup:
Builders help to easily get reproducible results on development. It is not important whether you use a builder or create manually.
You can have my results by using same source and same builder.
I hope you have fast internet connection that downloads fast ?
See You
:turtle:
-
hi Lancelot,
about "type" in explorer/view :
thank you for these clarifications. I think I understand better: bag is the key. I follow the link...It sounds complex. In fact, I prefer to return to HyperV in Winpe.
about "new shortcut":
I'm sorry that adding the 3 files does not allow you to create a shortcut on the desktop because it works for me: and I do not like not understanding.
Oh, by the way, i'm looking for some thing like the old ORCA.exe to analyse Msi file. if you know one tool...
Once again thank you for your patience. I don't understand everything I read. And translations are not always good help. If I could send you back what the translator sometimes shows me you would understand my troubles. Yes, I can still learn English. But the one who invented Babel and his story complicates my life just as much as the new virus.
:bike:
-
Hi noelBlanc,
Oh, by the way, i'm looking for some thing like the old ORCA.exe to analyse Msi file. if you know one tool...
I only use old ORCA
v3.1.4000.1830
http://lancelot.theoven.org/TheOvenAttach/Orca.Msi
http://lancelot.theoven.org/TheOvenAttach/Orca.7z
*
Once again thank you for your patience. I don't understand everything I read. And translations are not always good help. If I could send you back what the translator sometimes shows me you would understand my troubles. Yes, I can still learn English. But the one who invented Babel and his story complicates my life just as much as the new virus.
:bike:
I know you for a long time now, no problem. :great:
Have fun. :great:
Good Night
:turtle:
-
Hi,
I think i get it ( kill the "type" in explorer/view ).
Procmon is a good tool.
In pic1 : the default displaying
In pic2 : what i want to be displaying
Between, the key i modify and the kill/start of explorer.exe.
[attach=1] [attach=2]
Perhaps tomorrow, i see i'm wrong. But at this time, i get what i wanted.
I can go to sleep.
:bike:
-
Nice finding:
I guess this kind of settings added to Windows with Win7.
If you need wider "Nom" you will still need to deal with bags :wink:
Here is a nice topic that explains what you do at one of the solutions :
https://superuser.com/questions/1223949/how-does-windows-7-or-later-determine-what-folder-view-to-apply-to-a-known-sp
In addition, since you like pdf here is bag story :
https://digital-forensics.sans.org/community/papers/gcfa/windows-shellbag-forensics-in-depth_9576
but for HeyJoe case:
HeyJoe need to figure out special bag for printer special key and change view to large ....
Maybe {2c7bbec6-c844-4a0a-91fa-cef6f59cfda1}
As written, AllBags for all folders except special folders
see superuser link line starting with:
On your computer, you can find special folders listed in:
:thumbsup:
Still, PE not saving folder settings after boot is the main "issue" . :lol: :tongue:
:turtle:
-
Hi noelBlanc
Thanks for the info, It is useful :thumbsup:
We can set default detail view columns
More info:
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Streams\Defaults]
"{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}"=hex:...........
It overrides (superior) your setting with
\FolderTypes\{5c4f28b5-f869-4e84-8e60-f11db97c5cc7}\TopViews\{00000000-0000-0000-0000-000000000000},ColumnList
eg. ColumnList type disabled (1System.ItemTypeText) --> If there is Streams\Defaults --> windows use Streams\Defaults and ignore ColumnList
For now I do not know Bags position with this, but from what I read so far I feel:
Streams\Defaults > Bags > ColumnList
> means superior
PE at first does not have Streams\Defaults, they are created if the user change some view settings
eg.
1) Change Nom column width
2) "Apply to Folders" button
3) check your HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Streams\Defaults :wink:
@HeyJoe
Bag save do not work inside PE as you reported, Procmon shows explorer do some read at bags but it does not write.
Anyway
From your picture I see you need Medium icons
LogicalViewMode 3 is Medium icons, but I do not know your special folder id
Giving example :
Changing Generic special folder view setting to Medium Icon use this :
RegHiveLoad,Tmp_Software,%RegSoftware%
RegWrite,HKLM,0x4,Tmp_Software\Microsoft\Windows\CurrentVersion\Explorer\FolderTypes\{5c4f28b5-f869-4e84-8e60-f11db97c5cc7}\TopViews\{00000000-0000-0000-0000-000000000000},LogicalViewMode,3
RegHiveUnLoad,Tmp_Software
Open explorer and browse X:\ --> It will be Medium Icon :wink:
LogicalViewMode,1 --> Details
Further replace {5c4f28b5-f869-4e84-8e60-f11db97c5cc7} with the special folder id on your picture, let us know when you figure out.
Let's see if this helps in your case. Good luck. :thumbsup:
:turtle:
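The RegWrite lines from the post above, done with reg.exe from PowerShell on the build host. This is an added example, not code from the thread or from any builder project; the mount path `C:\WinPE_mount` is an assumption, and the script checks each step and unloads the hive even when the write fails.

```powershell
# Added example (not from the thread). Run elevated on the build host.
param(
    [string]$MountDir = 'C:\WinPE_mount',   # assumption: boot.wim is already mounted here
    [ValidateSet(1, 3)]
    [int]$ViewMode = 3                      # values from the post: 1 = Details, 3 = Medium icons
)

$hiveFile   = Join-Path $MountDir 'Windows\System32\config\SOFTWARE'
$hiveRoot   = 'HKLM\Tmp_Software'           # temporary load point, named as in the post
$folderType = '{5c4f28b5-f869-4e84-8e60-f11db97c5cc7}'   # folder type id used in the post
$topView    = '{00000000-0000-0000-0000-000000000000}'
$key = "$hiveRoot\Microsoft\Windows\CurrentVersion\Explorer\FolderTypes\$folderType\TopViews\$topView"

if (-not (Test-Path -LiteralPath $hiveFile)) {
    throw "SOFTWARE hive not found: $hiveFile"
}

& reg.exe load $hiveRoot $hiveFile | Out-Null
if ($LASTEXITCODE -ne 0) {
    throw "reg load failed (exit $LASTEXITCODE). Is the session elevated, or is the hive already loaded?"
}

try {
    # 0x4 in the post's RegWrite line means REG_DWORD.
    & reg.exe add $key /v LogicalViewMode /t REG_DWORD /d $ViewMode /f | Out-Null
    if ($LASTEXITCODE -ne 0) {
        throw "reg add failed (exit $LASTEXITCODE). The key's ACL in the offline hive may deny write access."
    }

    # Read the value back so a write that did not land is caught before the image is committed.
    $line = & reg.exe query $key /v LogicalViewMode | Select-String 'REG_DWORD\s+0x([0-9a-fA-F]+)'
    if (-not $line) { throw 'LogicalViewMode not found after write.' }
    $stored = [Convert]::ToInt32($line.Matches[0].Groups[1].Value, 16)
    if ($stored -ne $ViewMode) { throw "Read back $stored, expected $ViewMode." }
    Write-Host "LogicalViewMode = $stored written to $hiveFile"
}
finally {
    # Always unload: a hive left loaded keeps the file locked and blocks unmounting the image.
    [GC]::Collect()
    & reg.exe unload $hiveRoot | Out-Null
    if ($LASTEXITCODE -ne 0) {
        Write-Warning "reg unload failed; close regedit or other handles on $hiveRoot and retry."
    }
}
```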
-
Hi Noel,
Hi lancelot
I was happy to read your posts:
here: http://theoven.org/index.php?topic=1639.msg40055#msg40055
and here: http://theoven.org/index.php?topic=1639.msg40047#msg40047
...
Thx gentlemen for Your effort and the hints.
Some of tips are known to Me. Tested in the past - but no success so far.
...
Still, PE not saving folder settings after boot is the main "issue" ...
...
That's in fact My Status Quo.
The less time the less important to Me.
I'm sure I will remember someday unsolved "issue". But for now other things have priority.
See You.
-
...
Still, PE not saving folder settings after boot is the main "issue" ...
...
That's in fact My Status Quo.
At least we can now set how explorer see folder during a build, thanks to noelBlanc http://theoven.org/index.php?topic=1639.msg40052#msg40052 --> and in fact that noelBlanc reply made me figure out 3 layers of explorer view settings ...
I already start to use "Name-Size-Date" with Explorer (Generic) inside PE (Azin) following noelBlanc :great:
*
Time ....
When you find time, start with finding that special folder id on your picture. :wink:
See You
:turtle:
Edit: Test edit
-
Hi Noel,
hopefully You are fine.
Sorry, late reply.
@HeyJoe: thank you for the test. It is already a very good thing that the scan is recognized.
It is therefore that all the common elements are present.
For the "New Scan" menu: only if you have time, you could take a track/catch with procmon.
This would allow me to confirm that the missing objects are linked and depend on the hardware, the device.
For example, my Samsung scan uses a lot of dll/exe in 32bit mode.
You are welcome.
I can't test before next week, or so. :sad: Please be patient...
Today I am happy to comply with your request to repeat the printer/scanner test.
Test environment was same as described in http://theoven.org/index.php?topic=1639.msg39891#msg39891 except own printer (same model).
The way of acting also was same as described in http://theoven.org/index.php?topic=1639.msg39891#msg39891
But with this shorter way:
After successfully installing the printer by windows with its own driver files, all I had to do was look for the correct scanner driver files.
I just unpacked the Installer Package for Universal Scanner to a folder and let windows update the scanner hardware with driver files inside this folder.
Bingo! Scanner smoothly worked with WFS method as well as with option available on printer's context menu in "Devices and Printers" panel :smile::smile:
This means that only the right driver is crucial, while everything else is already on Your deck.
Great work done Noel :smile:
Please see My two scan results:
Sorry. No pics at the moment (both are < 1MB) - seems forumengine doesn't like it. Trying later.
Happy Easter in pandemic times, wherever possible.
Have a good time. Stay healthy.
See You.
-
Hi all,
I guess I workaround forum engine by splitting topic to another one,
Above is lost reply from HeyJoe :thumbsup:
(+ HeyJoe repost same reply + noelBlanc Test reply not included which I feel It is ok)
*
@HeyJoe
If you like to test what cause this (maybe pictures as you wrote), feel free to create a test topic and make some test
See You
:turtle:
-
@ Lancelot : thank you very much. You run like a rabbit !
@HeyJoe : thank you for the scanner test. Now, support is good and "someone" can add to "normal" builder.
Have a good day with sun.
:bike:
-
@ Noel,
Please see My two scan results:
(
Should be attached to http://theoven.org/index.php?topic=1639.msg40090#msg40090
Sorry there was a mishap - most likely produced by Me, dunno why/which ?
)
-
@ Lancelot,
Nice fix, Thx.
See You
Edit:
quote from engine: HeyJoe, You drive Me crazy.
Dear Engine,
forgive me, I wanna do better
:smile: :smile:
-
@HeyJoe
Thanks a lot. I'm happy it's ok. i hope you can share.
and wifi/ethernet scanner : a good game for you ! pity for me who only has a usb connection.
Have a good day.
:bike:
-
Hi,
You can't imagine my surprise. I know that is a detail for a lot of people.
But this is the end of a dream for many years.
Try to understand what it's about in this picture :lol:
[attach=1]
:bike:
-
Hi Noel,
Congratulations My friend, Your long-awaited dream came true.
Félicitations mon ami, Votre rêve tant attendu est devenu réalité.
I'm sure it is not
But this is the end of a dream for many years.
but the keep working in that matter and other awesome FODs in happy next weeks. :wink:
Stay healthy. Have a good time
See You.
-
Hi Noel,
:thumbsup: Good to know you got the hyperV work. You are the best.
Enjoy the spring, and keep in good health.
-
@Slore, I'm very happy to read you.
@HeyJoe, my dream is not really finish.
The Virtual Network doesn't work. I can create a new VM but i can't create a Virtual Switch. Actually, i'm in front of a wall.
Vmms.exe create the Virtual Switch but immediately it destroys this Virtual Switch. I localized a part of code and i'll play with Windbg in a few days.
I'll use Windbg when i'm sure it's the good part of code. During some days and tests, i'll analyse procmon log file size around 500Mb. Long time in my seat...
VirtualBox is more easy to install. In fact, VirtualBox in winpe works without me. Like in Linux.
But my dream, as i wrote to Slore in the past, is to be able to add HyperV (and Virtual Network ) in Winpe.
Only for the challenge with me.
See you soon
-
Thanks for the good news noelBlanc,
:yahoo: :celebrate: :clap: :thumbup: :cheerleader:
I feel I will be able to use HyperV probably in my next free time after some months, never used HyperV before. (curiosity)
:turtle:
-
Hi,
Thank you all for your kind words.
@Lancelot : HyperV does not manage USB (the US are very strict about MS's possible dominant position in virtualization and Ms had to make room in the market for workstations). Any other hypervisor with USB makes better services on workstations. But I worked with HyperV as soon as it came out. So it's like nostalgia for me. I don't need Winpe, let alone HyperV. But it takes up my free time, makes my neurons work, and I learn a lot of details about the internal behavior of Windows. I had never had time to use Windbg. (i hope translator is good)
But for now, the Virtual Network is not working. :mad:
:bike:
-
Hi,
I'm happy...VirtualNetwork is working this morning.
I still need a lot of work to make construction reproducible.
:bike:
-
Hi Noel,
Congratulations again my friend, I was sure you would make it happen. :clap:
Félicitations encore, mon ami, j'étais sûr que tu y arriverais. :clap:
By the way:
Hi Noel,
...
BTW: How did You manage (in admin session) that the explorer remembers the setting changes?
Ex.: After changing the icon view (or other things) and reloading the panel, the icon view was not lost unlike in my PESE!
...
Finally solved. :smile:
The sticking point on my side was a wrong (but problem-free working) FBWF driver from Win8 Embedded v.2.0.99.0, which I discovered while investigating.
This driver seems somewhat limited in terms of saving folder settings and such.
Now everything works nicely what I wanted.:smile:
You may have a look to http://theoven.org/index.php?topic=3351.msg40135#msg40135 if You like or not already done,
especially text block starting with:
...
Explanation:
...
However, it is pretty quite closely related to the Win10PESE project.
Stay healthy. Have a good time
See You.
-
Hi,
I make a pause with VmSwitch and HyperV in winpe.
Today, i play with the wifi "Hosted Network" in Winpe : an other useless feature in winpe.
I began to search on the web how to use it from a command line. I found the "netsh" commands.
After i tried to compare with my normal win10 : not the same things "under the hood".
I search again and i found that there are two different things :
- The old wifi Hosted Network, wifi hotspot
- the "new" Mobile Hotspot, wifi direct
Some collected information:
https://www.connectify.me/blog/features/what-is-wi-fi-direct/
Microsoft announced that Wi-Fi card manufacturers like Realtek, Intel, and Dell should no longer support the “hostednetwork” protocol that was used in previous versions of Windows to create Wi-Fi hotspots. Instead, newer Wi-Fi cards and firmware updates being rolled out to current cards should begin using the new Wi-Fi Direct APIs for creating wireless access points
https://stackoverflow.com/questions/45833873/enable-windows-10-built-in-hotspot-by-cmd-batch-powershell
So it seems that MS is using a very different technique for the built-in hotspot than the netsh variant.
The Hosted Network (which can be configured using the netsh wlan set hostednetwork ... command) and the "new" Mobile Hotspot use different technologies under the hood.
https://stackoverflow.com/questions/55121033/on-using-the-wifi-direct-api-on-windows
I saw a lot of discussions about WiFi Direct vs Hosted Network and it seems that Hosted Network is a vanishing technology while WiFi Direct has a brilliant future???.
No need for the deprecated "Hosted Network" support which has been removed from many updated drivers
"Wifi Direct" need UWP, so not good for Winpe.
Actually, i can use/connect wifi Hosted Network from Winpe but i miss something in the ICS ( internet connection share). The GUI "ncpa.cpl/.../sharing" hangs up.
Still a long way ...
:bike:
-
Hi noelBlanc,
I make a pause with VmSwitch and HyperV in winpe.
I hope to see HyperV in summer at times when I have more time.
Just a side note about HyperV
HyperV is not available with Win10Home, so there may be a kind of "license check" mechanism to prevent HyperV work.
another idea, remember TeamViewer latest do not work on SystemUser (Default PE), to avoid the possibility, better work on HyperV on the Administrator account. :wink:
+
Also, consider making "Vmware Player" work on PE
https://www.softpedia.com/get/System/OS-Enhancements/VMware-Player.shtml
It is free and more portable compared to VirtualBox and usb2-3 drivers + other things come out of the box (you know VirtualBox requires "VirtualBox Extension Pack" for such things)
Anyway, Have fun
See You
:turtle: