Topic: MicroWinpeBuilder to adapt its own Winpe : tutorial or 'under the hood'?  (Read 76558 times)

Re: MicroWinpeBuilder to adapt its own Winpe : tutorial or 'under the hood'?
« Reply #200 on: January 02, 2019, 10:30:54 AM »

noelBlanc

  • Chef
  • ***
  • Date Registered: Dec 2013
  • Posts: 266
Hi bob.omb

Some news about "Eject USB Storage"

Before anything else, I must say: it doesn't work on every start.
I did some tests without activating the spooler. I got the expected behavior.
My test context: boot to a USB disk and a VHD containing WinPE in Flat mode, so there is always a USB device. It is different from Winpese/WinpeXpe.

In the notification area, at the bottom right, the icon with the tooltip/balloon "Safely Remove Hardware and Eject Media" is used to eject a connected (plugged-in) USB device.
The line displaying "Eject USB Storage" is usually absent in WinPE.
The line displaying the name of the USB device is dimmed.

For a long time I had wanted to understand why the display in this icon was incomplete.
Chance did the right thing. It was while testing my printer installation that I found the correct display of "Eject USB Storage".
And only a simple change in my environment was necessary.
It is certainly possible to ungroup this display and the printers.

Now I'm going to describe various anomalies and constraints.

Important timeout:
With the new change, the line "Eject USB Storage" appears with a delay of approximately 2 minutes after the DSMSVC service is started.

A random locking issue: my USB drive is present. I insert a USB key. Both are therefore visible in the "Safely Remove Hardware and Eject Media" icon at the bottom right!
From the "Eject USB Storage" icon, if one of the USB devices is ejected, the "Explorer" window is updated 1 or 2 seconds later.
But the bottom-right icon "Safely Remove Hardware and Eject Media" does not display anything until the key has been removed.
When the device is removed, the icon becomes operational again and displays its content: my USB drive.

The constraint related to my environment:
To date, this "Eject USB Storage" feature is embedded in the printer installation.

The sequence that works in my context is very simple:
1 - Change the value: HKLM:\system\setup -Name SystemSetupInProgress = 0
2 - net stop dsmsvc (in my "build", this DSMSVC service is configured with "start = demand")
3 - net start dsmsvc
NOTE: 2 minutes after starting the DSMSVC service, the "Eject USB Storage" entry appears if a USB drive was connected (I am using a bootable USB drive for my tests)
4 - Wait before changing the value SystemSetupInProgress = 1 (see the explanation that follows)

I had the luck to find a sequence that gives this result, but I can't explain why it works or why there is a delay.
And I cannot identify the (invisible) elements involved (services requested, DCOM objects...).

A word on the later/postponed modification "SystemSetupInProgress = 1":
I don't know when "DeviceSetupManager.dll" reads and processes this value. That is why, currently, I do not modify it immediately after the DSMSVC service is started.

I redid 2 or 3 tests:
- by neutralising the start/stop of the DSMSVC service in my script: no display of "Eject USB Storage", even after 10 minutes
- by neutralising the spooler: correct display of "Eject USB Storage" (and always with the delay)

Regarding the integration of this sequence in another "build" context:
- I use the Software hive of install.wim. This avoids looking for the necessary keys one by one, a long job without real interest. The difference in size (64MB versus 10MB) is small (in my opinion).
- I installed many services (and almost all MMC add-ons)
- I only use the native desktop provided by "Explorer.exe"

It seems easy to install this DSMSVC service and to identify the associated files (dependencies, services...)
For the keys in the Software hive, this is going to be a little more difficult.

Ways to understand how to eliminate this delay: I don't have any!
I used IDA. But I had very little time to analyse the code. It seems that the test of this key is done from the beginning of the service's "main". But the analysis will be long.

A long way for 2019 !

PS: a few figures:
t=0    Boot
25s    display of the rotating dots
1'25   "cmdline" black box displayed
1'40   display of the small box at the top left of the "Setup" keys to explore
2'     desktop displayed
3'     end of the "ACL printer" script displayed = start/stop dsmsvc and presence of 2 PDF/XPS printers
Mouse interaction to regularly check the presence of "Eject USB Storage" and open "Devices and Printers"
4'40   display of "Eject USB Storage" and 4 devices in the "Unspecified" section
11'    correct display of 2 printers, 'Computer' and 'USB storage' and Remote Desktop printers

If necessary, contact me by PM or email.
I have updated my PDF file (first post).



« Last Edit: February 28, 2021, 08:02:11 PM by noelBlanc »

Re: MicroWinpeBuilder to adapt its own Winpe : tutorial or 'under the hood'?
« Reply #201 on: January 02, 2019, 12:49:03 PM »

noelBlanc

  • Chef
  • ***
  • Date Registered: Dec 2013
  • Posts: 266
Hi
For printers, it's a lot longer to explain than "Eject USB Storage".

In October 2016, I was able to install the PDF and XPS printers as well as my Samsung SCX-4500 printer.
The investigation had been long. It's a solitary job. And there is little help to expect when your English is poor.
It was the first time I had embarked on such an adventure. It turned out to be pretty straightforward.

The installation method adopted is not perfect. And to this day, I have never corrected it.
Having never had a single piece of feedback on this subject, I saw no reason to do better.
So I reread the "traitement.PS1" script to summarise the part dealing with the installation of printers.
And I repeat that this is the result of old (fall 2016) and clumsy work.
But to this day (January 2019), under WinPE 10, my clumsy work remains a potential basis.

Regarding the integration of this sequence in another "build" context:
- I use the Software hive of install.wim. This avoids looking for the necessary keys one by one, a long job without real interest. The difference in size (64MB versus 10MB) is small (in my opinion).
- I installed many services (and almost all MMC add-ons)
- I only use the native desktop provided by "Explorer.exe"

The Spooler service is the centrepiece of the printer architecture. We need to consider two essential points.

- Identify the elements needed to install the spooler
The first step is to start the spooler without error.
Its installation is quite simple and requires little investigative work.

- Enable the spooler
But like many services (EventLog, TermService...), starting it is not enough to make it operational.
Because in WinPE, a lot of features are blocked. WinPE is a tool to install Windows.
Many features are not compatible with its efficiency, speed, robustness, etc.
The spooler is inactive if "HKLM\system\setup\SystemSetupInProgress" = 1

Boot sequence read from my script:

Set-ItemProperty HKLM:\system\setup -Name SystemSetupInProgress -Value 0
Stop-Service Dsmsvc
Start-Service Dsmsvc
Start-Service spooler    # "start = 2" in my "System" hive, but no auto start

PDF and XPS printers
Once you have managed to install the spooler, it starts without error and is active; then you have to install printers.
Currently, it is the spooler itself that installs the PDF and XPS printers.
It does it 2 minutes after it starts (as in a normal Windows 10).

Some reminders:
The printers in the ADM session may differ from the printers in the system session.
Printers redirected from a "Remote Desktop" session are replayed as local printers.
The "Devices and Printers" refresh occurs 3 to 5 minutes after the connection.
In the system session, you cannot install a printer shared by another computer.

My installation method is flawed:
Currently, the "PostDemarrageWinpe.ps1" script is launched after WinPE has started. It performs several tasks.
- Fix the ".inf" file names in the Drivers hive
#
# DISM creates oemxxxx entries. So, I need to recreate them with the correct names
#
Reg Load HKLM\drivers X:\windows\system32\config\DRIVERS
$t = "ntprint.inf", "ntprint4.inf", "prnms003.inf", "printqueue.inf"
$c = Get-ChildItem "HKLM:\drivers\DriverDatabase\DriverInfFiles" | ? { $_.Name -like "*OEM*" }
$c | % { $i = $_; foreach ($s in $t) { $z = GP $i.PSPath; if ($z -like "*$s*") { Copy-Item ($i.PSPath) $(Join-Path ($i.PSParentPath) $s) } } }
Reg Unload HKLM\drivers
- Start the services
Set-ItemProperty HKLM:\system\setup -Name SystemSetupInProgress -Value 0
Stop-Service Dsmsvc
Start-Service Dsmsvc
Start-Service Spooler
- Modify the security (ACL) of ...\spool\printers
- Second installation of printqueue.inf with the MS System32\InfDefaultInstall.exe program
I still have work to do to remove these construction anomalies.

Printers with "Remote Desktop"
I run WinPE on a remote machine. And I use "Remote Desktop" (MSTSC) to connect to this WinPE.
So my local printers are added to the local WinPE printers.
Again, the refresh in "Devices and Printers" is long and takes between 3 and 5 minutes.

Note 1: I added 2 .mof files for PowerShell
# for gwmi Win32_Printer
X:\windows\system32\wbem\mofcomp.exe X:\windows\system32\wbem\win32_printer.mof
# for Get-Printer
X:\windows\system32\wbem\mofcomp.exe X:\windows\system32\wbem\PrintManagementProvider.mof
Note 2: The XPSRCHVW.exe file is missing some details about the installation

The .cat for usbprint.sys with v1809: "C:\Users\noelBlanc\Desktop\signtool.exe" verify /kp /a /v Drivers\usbprint.sys
Verifying: Drivers\usbprint.sys
File is signed in catalog: C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package00~31bf3856ad364e35~AMD64~~10.0.17763.1.cat

The services installed:
$clesPrinter=@'
;services
Tmp_System\ControlSet001\Services\spooler
Tmp_System\ControlSet001\Services\usbprint
;for printer pdf and xps (dsmsvc is also used by "Eject USB Storage")
Tmp_System\ControlSet001\Services\dsmsvc
;control
Tmp_System\ControlSet001\Control\Print
'@

For files: see the "traitement.ps1" script in my PDF V4 (too long and depends on your base)
For the "software" key: nothing to add, because software comes from install.wim

function printer{

    # 1- copy .cat for usbprint.sys for v1809  --> see $filesPrinter above
    #       Microsoft-Windows-Client-Desktop-Required-Package00~31bf3856ad364e35~amd64~~10.0.17763.1.cat

    # 2- dism /Add-Driver ... usbprint.inf... /forceunsigned

    # copy usbprint.sys to ...\system32\Drivers : I don't remember if it is necessary with v1809 !

    # 3- copy printupg.inf and ntprint.inf to ...\windows\inf:
    #    printupg.inf used by ntprint.inf : I don't remember if it is necessary with v1809 !
    #    added V1803 : ntprint.inf

    # 4- copy ...\windows\System32\spool\prtprocs\x64 ( should be in the copyfile section )
    copy-item -Recurse $(join-path $RefWindows "windows\System32\spool\prtprocs\x64") $(join-path $targetWindows "System32\spool\prtprocs\x64")

    # 5- dism /Add-Driver ... NtPrint.inf

    # 6- printer pdf and xps :  installation will be done by the spooler service, 2 min after it starts

    # 7- dism /Add-Driver ... NtPrint4.inf

    # 8- dism /Add-Driver ... Us008.inf for my samsung printer
    #    I put all needed files for drivers in a directory. I took them from samsung's package

    # 9- dism /Add-Driver ... Prnms003.inf for PDF and XPS printers
    #
    # attention :
    #     "DISM Add-driver" renames .inf into OEMxxx.inf
    #     the Drivers hive doesn't contain an entry for ntprint.inf nor ntprint4.inf.
    #     I think the spooler needs it. So, a script recreates these entries when winpe starts
    #     Actually, printqueue.inf must be re-installed after winpe starts or after remote desktop creates a printer

    # 10- dism /Add-Driver ... printqueue.inf
    #         so devmgmt.msc can display the good name of PDF/XPS printers
    # bug : it's not enough. printqueue.inf must be re-installed after the spooler starts and after printers were added by remote desktop
    # so, I copy printqueue.inf to ...\inf ( see script postprinter )

    # 11 - copy all files needed in system32
    CopieDesFichiers $filesPrinter

    # 12 - modif v1709 : I create a script that modifies an ACL on the ...\spool\printers directory

    # 13 - add V1803 : copy all \inf\prn*.inf to \inf but I don't know if it is needed in v1809
}
Edit: You must neutralise SystemSetupInProgress just before you start printing with "StartdocOpen".
So SystemSetupInProgress = 0 before you start printing.

If necessary, contact me by PM or email (see the PDF)
Still some work to do for 2019 ...
« Last Edit: January 02, 2019, 06:33:18 PM by noelBlanc, Reason: don't forget systemsetupInProgress = 0 before "StartdocOpen" »

Re: MicroWinpeBuilder to adapt its own Winpe : tutorial or 'under the hood'?
« Reply #202 on: January 02, 2019, 01:17:44 PM »

noelBlanc

  • Chef
  • ***
  • Date Registered: Dec 2013
  • Posts: 266
I forgot the printer post-script. I'll quickly add some pieces of PS (not complex to understand).
#region printer
# SystemSetupInProgress must be neutralised just before printing is started with "startdocOpen"
$PostPrinter=@'
#
# postPrinter must run in the System session !!!
#
#*******************************************************
write-host  -ForegroundColor green "`nPostPrinter et DsmSvc"
#*******************************************************
write-host  -ForegroundColor yellow  "`tMofcomp"
# for gwmi win32_printer
x:\windows\system32\wbem\mofcomp.exe x:\windows\system32\wbem\win32_printer.mof
# for get-printer
x:\windows\system32\wbem\mofcomp.exe x:\windows\system32\wbem\PrintManagementProvider.mof
#
# DISM created oemxxxx entries. I need to recreate them with the correct names: needs more investigation
#
write-host  -ForegroundColor yellow  "`tReg load/unload ...\DRIVERS"
reg load hklm\drivers X:\windows\system32\config\DRIVERS
$t = "ntprint.inf","ntprint4.inf","prnms003.inf", "printqueue.inf"
$c = get-childitem "HKLM:\drivers\DriverDatabase\DriverInfFiles" | ?{$_.name -like "*oem*"}
$c | %{ $i = $_; foreach($s in $t){$z=gp $i.pspath;if($z -like "*$s*"){copy-item ($i.pspath) $( join-path ($i.PSParentPath) $s) }}}
reg unload hklm\drivers

set-itemproperty hklm:\system\setup -name systemsetupInProgress -value 0
write-host  -ForegroundColor yellow  "`tStart-service dsmsvc"
Stop-service dsmsvc
Start-service dsmsvc
write-host  -ForegroundColor yellow  "`tStart-service spooler"
start-service spooler
 
# don't do that too fast : so, i never do that !
#set-itemproperty hklm:\system\setup -name systemsetupInProgress -value 1

write-host  -ForegroundColor yellow  "`tNew for V1709 : modify ACL on directory ...\spool\printers"
$scripAclPrinteV1709="x:\modifAclPrinterV1709.ps1"
if ( test-path $scripAclPrinteV1709){
        $p = start-process  "powershell.exe" -ArgumentList "-file $scripAclPrinteV1709 " -passThru
}
'@
$CodePourV1709=@'
#New with V1709 !!!
write-host  -ForegroundColor yellow  "`tNew for V1709 : modify ACL on directory ...\spool\printers"
#spooler.exe will create this directory 2 minutes after it starts
$cible = "X:\windows\system32\spool\printers"
while(!(test-path $cible)){
    start-sleep -m 500
}
$aclBase = get-acl $cible
# create ace
$allInherit = [System.Security.AccessControl.InheritanceFlags]"ContainerInherit", "ObjectInherit"
$allPropagation = [System.Security.AccessControl.PropagationFlags]"None"
$NTsystem = [system.security.principal.SecurityIdentifier]'S-1-5-18'
$rule1=New-Object System.Security.AccessControl.FileSystemAccessRule($NTsystem,"FullControl",$allInherit, $allPropagation,"Allow")
# add this ACE to the final ACL
$aclBase.SetAccessRule($rule1)
$aclBase | set-acl -Path $cible
#add : re-installation of printqueue
while ((get-printer).count -ne 2){
    start-sleep -s 1
}
x:\windows\system32\InfDefaultInstall.exe X:\windows\inf\printqueue.inf
'@

Re: MicroWinpeBuilder to adapt its own Winpe : tutorial or 'under the hood'?
« Reply #203 on: January 02, 2019, 04:51:08 PM »

noelBlanc

  • Chef
  • ***
  • Date Registered: Dec 2013
  • Posts: 266
Hi
For WPD-MTP (smartphone in WinPE), please see the post created by slore.
He explains it better than I can.
http://theoven.org/index.php?topic=2390.msg30428#msg30428
We work together and he makes the hook dll.
Enjoy.

I'll continue to work on the SmartCard reader, which also uses WUMF

Re: MicroWinpeBuilder to adapt its own Winpe : tutorial or 'under the hood'?
« Reply #204 on: January 02, 2019, 11:30:31 PM »

bob.omb

  • Code Baker
  • Grand Chef
  • *****
  • Location: USA
  • Date Registered: Jul 2017
  • Posts: 1261
Thank you, I am looking at this now.  Good read  :thumbsup:

Thanks for all your hard work. I will start with your and slore's MTP for cameras/phones, then move into printing/USB ejection.. at the least, being able to print to PDF is very useful
« Last Edit: January 03, 2019, 02:13:57 AM by bob.omb »

Re: MicroWinpeBuilder to adapt its own Winpe : tutorial or 'under the hood'?
« Reply #205 on: January 05, 2019, 03:07:33 PM »

noelBlanc

  • Chef
  • ***
  • Date Registered: Dec 2013
  • Posts: 266
Hi,
As I said, I tried to install the SmartCard reader again.
By doing a test with my "full-flat" environment, I found that, once the network was connected, the Wuauserv service would automatically install the drivers for that device. This simplifies the investigation :grin:
And so, for my SmartCard reader, it was simply missing the driver brought by Rtsp2storx.inf (oz776x64.inf already present)
Anomaly: the "Eject USB Storage" part is very disturbed. :sad:
Ejecting the SmartCard does not restore a correct display.
It seems that the removal of the device is not reported to the various windows.
"Kill/Restart Explorer" is not a solution.

In my full-flat environment, I also noticed the installation of the Bluetooth stack and its proper functioning.
It is therefore possible to integrate it into another environment.
But I'm not sure it would be helpful. So I'm going to deal with something else.

Detail:
I read on a site that it is possible to change the name of the "This PC" icon. I think it's very much to the point.
    $cle = join-path $tmp_soft_PS 'Classes\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}'
    $null = Set-ItemProperty $cle -name 'LocalizedString' -value '%computername% %userName%' -Type ExpandString

There is still some work to do on "Eject USB Storage"  :bike:

 
« Last Edit: January 05, 2019, 09:23:28 PM by noelBlanc, Reason: typo from translator »

Re: MicroWinpeBuilder to adapt its own Winpe : tutorial or 'under the hood'?
« Reply #206 on: January 05, 2019, 09:28:12 PM »

noelBlanc

  • Chef
  • ***
  • Date Registered: Dec 2013
  • Posts: 266
Hi,

Problem with "Eject USB storage" when 2 USB devices are connected and one is removed:
When removing the device, a process is created and remains blocked:
  "X:\windows\System32\RunDll32.exe" X:\windows\system32\hotplug.dll,HotPlugSafeRemovalDriveNotification USB-MicroSD (K:)
The icon at the bottom right, "Safely remove...", is no longer displayed.

If I kill this process, the icon does not reappear.
I waited 5 minutes in case a timeout fixes it: no fix.

If I kill/restart "Explorer": the icon is OK.

I assume COM/DCOM communication is blocked.
Possible track: some "runas" entry to delete somewhere. I only delete "runas=interactive user" entries.


If someone can give me an idea...
« Last Edit: January 05, 2019, 09:39:38 PM by noelBlanc, Reason: stupid bpy, i forget a file in my build »

Re: MicroWinpeBuilder to adapt its own Winpe : tutorial or 'under the hood'?
« Reply #207 on: March 01, 2019, 09:55:54 PM »

noelBlanc

  • Chef
  • ***
  • Date Registered: Dec 2013
  • Posts: 266
hi,
For a long time I wanted to find a way to back up the system and software hives in WinPE.
Indeed, after installing an application in WinPE, the additions in these hives are lost on reboot.
The context that I am imposing on myself:
- Do not use a product like "Winbuilder" and its plugins,
- Do not modify my script, because the search for the changes (useful!) made by the installation of a program can be long and useless (like Citrix, for example)
- Use WinPE in Flat mode to benefit from the "Persistence" files (USB key and/or VHD!)

So I use the simple but slightly restrictive method, which is to save the 2 hives before shutting down WinPE (Reg save...).
Then you have to reboot on the same disk but with a second WinPE. And from this second WinPE, we can edit the files of the first WinPE, and so copy the backed-up system and software hives over the old ones.
And at the next reboot on the first WinPE, it will find its application ready for use.

The solution is simple in my case: build a BCD for a second WinPE.

I have not been able to make these 2 copies from the "native.exe" program launched via "BootExecute".

And watch out for viruses!

noelBlanc

  • Chef
  • ***
  • Date Registered: Dec 2013
  • Posts: 266
hi,
No news from me about WinPE (the computer is not my friend at this time).
I am going on a bike trip until the end of the summer.
If some want to test my ISO for build 1809 (October 2018?), size = 870MB, to test printers for example, here is a link:
https://1drv.ms/f/s!Ao1n1sCvil3_ildf_aE9xbH7_2vD
name of the iso file: winpe10V1809.ISO
It comes with a French keyboard, but you can easily change to an English keyboard.
Of course not all drivers are there. But you can add your own with DISM commands.
And be kind, give me feedback, whatever it is.

Re: MicroWinpeBuilder to adapt its own Winpe : tutorial or 'under the hood'?
« Reply #209 on: November 05, 2019, 06:01:32 PM »

noelBlanc

  • Chef
  • ***
  • Date Registered: Dec 2013
  • Posts: 266
hi,
A long time ago ...
Like everyone, I'm trying V1903.
My news: PDF and XPS printers are OK, but it took a long time to find out how.

First of all, I thank Slore, who is very supportive and actively helps me in my research.

With the V1903 version, I find that the PDF and XPS printers are no longer installed automatically.
Normally, they are installed 2 minutes after the start of the spooler.
But with my winpeV1903 FULLFLAT version (from a real installation of W10 "degraded" into WinPE by modifying the hives), the PDF and XPS printers are available without anomalies.

After much research with Windbg and IDA V7 (free), I found that localspl.dll was testing an event every 30 seconds.
But this event did not change and the dll did not come out of its loop.

localspl.dll!IsSystemCurrentlyUpgrading calls : spoolss.dll!SplIsUpgrade
spoolss.dll!SplIsUpgrade calls                : spoolsv.exe!PrvSplIsUpgrade
spoolsv.exe!PrvSplIsUpgrade calls in a loop:
                                  lea     rcx, WNF_DEP_OOBE_COMPLETE
                                  call    cs:__imp_NtQueryWnfStateData

After much more research, I found some information on the following sites:
https://blog.quarkslab.com/playing-with-the-windows-notification-facility-wnf.html
https://gracefulbits.com/2018/08/13/find-which-process-is-using-the-microphone-from-a-kernel-mode-driver/
http://redplait.blogspot.com/2012/09/wnf-notifiers.html
http://redplait.blogspot.com/2017/08/wnf-ids-from-perfntcdll.html
"A3BC0C75 - 41960B29 WNF_DEP_OOBE_COMPLETE
This event triggers when the system has completed OOBE (Windows Welcome)"

The question: what is the indicator of "the system has completed OOBE (Windows Welcome)"?

It is understood that there are two tracks to follow: modify the dll, or look for the indicator WNF_DEP_OOBE_COMPLETE.

1 - First method: change localspl.dll!IsSystemCurrentlyUpgrading
    Very easy with IDA V7 (extraordinary free tool)
C:\Windows\System32>fc /B "C:\Users\noelb\Desktop\ida-asm\1-v1903\localspl - New.dll" C:\Users\noelb\Desktop\ida-asm\1-v1903\localspl.dll
Comparaison des fichiers C:\USERS\NOELB\DESKTOP\IDA-ASM\1-V1903\localspl - New.dll et C:\USERS\NOELB\DESKTOP\IDA-ASM\1-V1903\LOCALSPL.DLL
0001417E: 31 85
00014180: 90 0F
00014181: 90 95
00014182: 90 C0

2 - Second method: understand the WNF mechanism and act on the indicator WNF_DEP_OOBE_COMPLETE
    I tried to follow the call of NtQueryWnfStateData in the "kernel" with windbg. But too complex for me.
    So I did more research on the web.
I found a real "bible" on WNF on the site:
http://www.alex-ionescu.com/Publications/BlackHat/blackhat2018.pdf
And an example of code on the site:
https://gist.github.com/msmania/472912cd6e9ab067be3211ba3f5f0f9e
But the code was not very helpful to me.
The information from "blackhat2018.pdf" is extraordinary. And I quickly realised that WNF_DEP_OOBE_COMPLETE 0x41960B29A3BC0C75:
- is a permanent notification that survives PC reboots,
- is stored in the software hive (which I already knew thanks to fullflat),
- is located here in the hive of a normal W10:
   HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Notifications
    (exactly here: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Notifications\Data
                     41960B29A3BC0C75 REG_BINARY 01 00 00 00 01 00 00 00
     but I prefer to copy/paste the whole "notifications" key)

With this new data in hand, I made a "copy/paste" of the right key (…\notifications) into the "software" hive of WinPE.
Don't forget to reset SystemSetupInProgress and start the spooler, and the fax, PDF and XPS printers are installed.
And the PDF printer creates a file in my WinPE.

It's a busy week of rain. And for the next week of rain, I have to look for why "termservice" displays a black screen.
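A worked example of the second method, added here as illustration and not part of noelBlanc's scripts or MicroWinpeBuilder: on the build machine it loads the WinPE SOFTWARE hive offline, checks whether the persistent WNF_DEP_OOBE_COMPLETE state is present with the data quoted above (value name 41960B29A3BC0C75 under ...\Notifications\Data, data 01 00 00 00 01 00 00 00), and writes that single value only when -Import is given (the post copies the whole "Notifications" key instead; this example touches only the one state so that nothing else from the reference machine is carried over). The hive path and the temporary mount name TmpSoft are assumptions; adjust them to your build. Run it elevated, with the image mounted and no other process holding the hive.

```powershell
# Added example (not noelBlanc's code): check/import the persistent WNF_DEP_OOBE_COMPLETE
# state in an offline WinPE SOFTWARE hive, so spoolsv.exe's PrvSplIsUpgrade loop sees OOBE as done.
param(
    [string]$HivePath  = 'D:\winpe\mount\Windows\System32\config\SOFTWARE',  # assumed offline hive path
    [string]$MountName = 'TmpSoft',                                         # assumed temporary key name
    [switch]$Import                                                         # write the value if not ok
)

# Location and data quoted in the post (a normal Windows 10 after OOBE)
$DataKey   = "HKLM:\$MountName\Microsoft\Windows NT\CurrentVersion\Notifications\Data"
$ValueName = '41960B29A3BC0C75'
$Expected  = [byte[]](0x01, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00)

function Test-OobeCompleteState {
    # Returns 'ok', 'different' or 'missing' for the state value $Name under $Key.
    param([string]$Key, [string]$Name, [byte[]]$Reference)
    $item = Get-ItemProperty -Path $Key -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 'missing' }
    $data = [byte[]]$item.$Name
    if ($data.Length -eq $Reference.Length -and -not (Compare-Object $data $Reference)) { return 'ok' }
    return 'different'
}

& reg.exe load "HKLM\$MountName" $HivePath | Out-Null
if ($LASTEXITCODE -ne 0) { throw "reg load failed ($LASTEXITCODE): check the path and that nothing else holds the hive" }
try {
    $before = Test-OobeCompleteState -Key $DataKey -Name $ValueName -Reference $Expected
    Write-Host "WNF_DEP_OOBE_COMPLETE state in offline hive: $before"
    if ($before -ne 'ok' -and $Import) {
        if (-not (Test-Path $DataKey)) { New-Item -Path $DataKey -Force | Out-Null }
        Set-ItemProperty -Path $DataKey -Name $ValueName -Value $Expected -Type Binary
        $after = Test-OobeCompleteState -Key $DataKey -Name $ValueName -Reference $Expected
        Write-Host "after import: $after"
    }
}
finally {
    # PowerShell keeps registry handles open; release them before unloading, or reg unload fails
    [GC]::Collect(); [GC]::WaitForPendingFinalizers()
    & reg.exe unload "HKLM\$MountName" | Out-Null
}
```

Run it once without -Import to see the current state, then with -Import to write it; the runtime part of the post's recipe (reset SystemSetupInProgress, start the spooler) is unchanged and still has to happen inside WinPE.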

Re: MicroWinpeBuilder to adapt its own Winpe : tutorial or 'under the hood'?
« Reply #210 on: December 12, 2019, 01:57:36 PM »

noelBlanc

  • Chef
  • ***
  • Date Registered: Dec 2013
  • Posts: 266
Hi,
Good news about termservice in V1903

A long time... a long job... and many wrong turns in the research.

Now I can connect a W10 remote computer (running mstsc.exe) to my WinPE v1903 computer (using termservice) and get the "good" display, not a black screen.

Some words....

First, I searched around indirectkmd.sys. MS changed something in the architecture of the graphics drivers.

https://docs.microsoft.com/en-us/windows/deployment/planning/windows-10-deprecated-features
    DDM-based remote display driver
    Starting with this release, the Remote Desktop Services uses a Windows Display Driver Model (WDDM) based Indirect Display Driver (IDD) for a single session remote desktop. The support for Windows 2000 Display Driver Model (XDDM) based remote display drivers will be removed in a future release.

Second, because I didn't find the missing files with procmon, I searched on the registry/drivers/services side... for a long time.

Third, I thought "wdmf" driver installation was the key. But too complex for me and no information in French to study.

Fourth, MSRA.EXE (novice in WinPE asks for help) had the same "black screen". I looked at it for some time. But it's not the same origin ("novice MSRA" doesn't work in the system session).

Fifth, these last days, I tested "my" hives in my fullflat environment where "termservice is OK". After correcting a BSOD (long time), the termservice display is OK. So, I thought it was only missing files.

4272 files in system32 in fullflat, 1900 files in "my" system32 in WinPE!
Note: don't forget that these 2 files are not good in WinPE: WallpaperHost.exe and windows.immersiveshell.serviceprovider.dll. So, rename them if needed.

I spent a lot of time testing (dichotomy and chance) and found 3 missing files:

;add V1903
windows\system32\Windows.Graphics.dll
windows\system32\DispBroker.Desktop.dll
windows\system32\DispBroker.dll

Procexp shows that DWM.EXE is using the three files! And when I trace with procmon, I always remove DWM.exe. That's why the research took so long for me!!!

Before launching mstsc and for a first test, I install rdpidd with "pnputil /add-driver rdpidd.inf /install"
And termservice becomes OK.

Perhaps the picture can show you the remote screen.

ps: I put an iso (fr) here https://1drv.ms/f/s!Ao1n1sCvil3_ildf_aE9xbH7_2vD
« Last Edit: December 12, 2019, 01:59:24 PM by noelBlanc »

Re: MicroWinpeBuilder to adapt its own Winpe : tutorial or 'under the hood'?
« Reply #211 on: December 16, 2019, 08:08:00 PM »

noelBlanc

  • Chef
  • ***
  • Date Registered: Dec 2013
  • Posts: 266
Hi,
With V1909, for my build, I use the boot.wim file of ADK 1903: it's normal because MS says it's normal.

But when I start from this WinPE, I get a black screen.
In the VM I can see the startnet.cmd window for a short time.
So I understand that I need more thought.

3 methods:
- use Flat WinPE and a kernel debugging session, but where to put a BP?
or
- use Flat WinPE and create/analyse a dump file when the error occurs
or
- use Flat WinPE, procmon boot logging and look at the WER logs
The last one is easier.

1 - Procmon boot logging in Flat mode:
it shows that no file is missing for the DWM feature/component

2 - WER (werfault and its report) in Flat mode
WerFault creates an error report file in:
"X:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_dwm.exe_4768d7780538cee7b2f2bfca411f3c2ad93d_25529819_91290e5f-a5ec-424f-a05b-d0cb38a59f2c\Report.wer"
It contains:
"
EventType=BEX64
NsAppName=dwm.exe
Sig[3].Name=Fault Module Name
Sig[3].Value=ism.dll
Sig[6].Name=Exception Offset
Sig[6].Value=0000000000031da0
Sig[7].Name=Exception Code
Sig[7].Value=c0000409
"
And the report lists the loaded dlls for this process.

I can't go any further in analysing the code of this minidump file.
The creation and analysis of a minidump file shows that ism.dll calls a win32u.dll function that triggers a system call (int 2E or syscall).
error address : ism!KernelInputConnection<_MIT_PEN_EVENT_MESSAGE>::Initialize+1c8
system call   : win32u!NtMITCoreMsgKOpenConnectionTo
See the file I'm attaching for fun.

The questions become:
- what is the role of win32u.dll?
- is it normal that this function of ism.dll runs?
- is it its environment that is disturbed?

Answer: I have to think more!

3 - Cogitation around the lack of an ADK for this version of the OS
MS does not provide an ADK for Windows 10 V1909 and imposes the use of the V1903 ADK.
However, many exe/dll have evolved and changed versions. This is the case for various DWM components.
The observation when booting: a loop of dwm.exe crashes.
A bug report in "X:\ProgramData\Microsoft\Windows\WER\ReportQueue" refers to ISM.DLL as the source of the error.
The file analysis shows that ism.dll calls win32u.dll.

4 - My first idea
This dll belongs to WinSxS\amd64_microsoft-windows-win32k_... which contains 3 files;
I associate it with win32kBase.sys from 'WinSxS' amd64_microsoft-windows-win32kbase_...
The idea is to use the versions from the V1909 ISO for these 4 files.
And it works!

Conclusion:
You can't mix different versions of dlls with impunity in a WinPE.
note: the same goes for the consistency of WinSxS files and SideBySide keys
The anomaly is not visible if you use WinRe.wim, because the WinRE files are identical to those of the OS.
Components other than DWM may suffer from this version difference of some DLLs.
Perhaps WinRE is a more robust construction base than WinPE?  :lol:
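To make step 2 repeatable across boots, here is an added example (my code, not noelBlanc's and not part of MicroWinpeBuilder) that parses a Report.wer into the crash signature and walks a whole ReportQueue so a crash loop like the dwm.exe one above shows up as one line per report. Report.wer is a key=value text file and the Sig[n].Name / Sig[n].Value pairs form the bucketing signature; the sample below is constructed from the lines quoted in the post, and the queue path comes from the post as well.

```powershell
# Added example (not noelBlanc's code): summarise the crash signature from WerFault Report.wer files.

function ConvertFrom-WerReport {
    # Parses the lines of one Report.wer and returns the fields worth triaging.
    param([string[]]$Lines)
    $fields = @{}
    foreach ($line in $Lines) {
        if ($line -match '^\s*([^=]+?)\s*=\s*(.*?)\s*$') { $fields[$matches[1]] = $matches[2] }
    }
    # Sig[n].Name gives the label, Sig[n].Value the matching value
    $sig = [ordered]@{}
    foreach ($key in @($fields.Keys)) {
        if ($key -match '^Sig\[(\d+)\]\.Name$') {
            $sig[$fields[$key]] = $fields["Sig[$($matches[1])].Value"]
        }
    }
    [pscustomobject]@{
        EventType     = $fields['EventType']
        AppName       = $fields['NsAppName']
        FaultModule   = $sig['Fault Module Name']
        ExceptionCode = $sig['Exception Code']
        Offset        = $sig['Exception Offset']
        # 0xC0000409 (STATUS_STACK_BUFFER_OVERRUN) is also the code __fastfail raises, so this is
        # usually a deliberate fail-fast inside the faulting module, not necessarily a /GS cookie failure
        FailFast      = ($sig['Exception Code'] -eq 'c0000409')
        Signature     = $sig
    }
}

function Get-WerCrashSummary {
    # Walks a WER ReportQueue directory and summarises every Report.wer found below it.
    param([string]$QueuePath)
    Get-ChildItem -Path $QueuePath -Recurse -Filter 'Report.wer' -ErrorAction SilentlyContinue |
        ForEach-Object {
            $summary = ConvertFrom-WerReport -Lines (Get-Content -Path $_.FullName)
            $summary | Add-Member -NotePropertyName Report -NotePropertyValue $_.FullName -PassThru
        }
}

# Constructed sample built from the lines quoted in the post (not a real file)
$sample = @(
    'EventType=BEX64'
    'NsAppName=dwm.exe'
    'Sig[3].Name=Fault Module Name'
    'Sig[3].Value=ism.dll'
    'Sig[6].Name=Exception Offset'
    'Sig[6].Value=0000000000031da0'
    'Sig[7].Name=Exception Code'
    'Sig[7].Value=c0000409'
)
ConvertFrom-WerReport -Lines $sample | Format-List EventType, AppName, FaultModule, ExceptionCode, Offset, FailFast

# On a booted Flat WinPE, the queue path from the post:
# Get-WerCrashSummary -QueuePath 'X:\ProgramData\Microsoft\Windows\WER\ReportQueue' | Format-Table AppName, FaultModule, ExceptionCode, Offset
```

Grouping the output of Get-WerCrashSummary by FaultModule and Offset is a quick way to confirm that every report in a crash loop has the same signature before spending time in windbg on one of them.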

Re: MicroWinpeBuilder to adapt its own Winpe : tutorial or 'under the hood'?
« Reply #212 on: December 16, 2019, 08:19:45 PM »

James

  • Grand Chef
  • *****
  • Location: USA
  • Date Registered: Dec 2017
  • Posts: 2272
Most OEMs that create boot media now prefer WinRE.wim (over ADK PE)
« Last Edit: December 16, 2019, 08:20:26 PM by James »

Re: MicroWinpeBuilder to adapt its own Winpe : tutorial or 'under the hood'?
« Reply #213 on: December 26, 2019, 07:56:16 PM »

noelBlanc

  • Chef
  • ***
  • Date Registered: Dec 2013
  • Posts: 266
Hello,
Some information about the PDF printer and the display of the extension "*.prn".
I searched for a long time for the following anomaly when using the PDF printer in WinPE:
   the extension "*.prn" appears in the file-type edit box of the file name entry window.

To locate the discrepancy with my FullFlat WinPE, which clearly displays "*.pdf" in the edit box:
- comparison of the "procmon" traces of the 2 environments
- on WinPE:
   no reading of the key HKEY_LOCAL_MACHINE-SOFTWARE-Microsoft-Windows NT-CurrentVersion-Print-Printers-Microsoft Print to PDF-PrinterDriverData-SaveAsExtensions
- on winpeFullFlat:
   this key is read
The discrepancy appears after reading the value SaveAsExtensionFromBaseMan (non-existent value in both cases).
- analysis of the stacks of the "procmon" traces to identify the functions of the dll put into play:
   up the stacks from the WINSPOOL API code: GetSaveFileNameDialog
- analysis of the code of these dll with IDA 7 Free
- a lot of time with windbg to find the divergence:
The code searches for data that is in the registry but does not read the registry, so these calls are invisible in procmon.
I came to understand that the data was read when spoolsv.exe was started and memorized in an internal structure of localspl.dll.
A few days later, I found the data that generates the discrepancy:
   "HKLM-SYSTEM-CurrentControlSet-Control-Print-Environments-Windows NT x86-Drivers-Version-3-Microsoft enhanced Point and Print compatibility driver"

Once the discrepancy is located, we must look for why this data is absent in my WinPE.
The name of the key makes me think that I'm missing drivers for "...Environments-Windows NT x86..."
After a few more days of research, I found an obvious difference with procmon when starting the spooler:
   enumeration of HKEY_LOCAL_MACHINE-DRIVERS-DriverDatabase-DriverInfFiles-ntprint.inf

   - On winpeFullFlat:
Code:
HKEY_LOCAL_MACHINE-drivers-DriverDatabase-DriverInfFiles-ntprint.inf
default: ntprint.inf_x86_ce3301b66255a0fb
    ntprint.inf_amd64_ce3301b66255a0fb

active: ntprint.inf_amd64_ce3301b66255a0fb

HKEY_LOCAL_MACHINE-drivers-DriverDatabase-DriverInfFiles-prnms003.inf
default: prnms003.inf_x86_86cc1f2b72147922
    prnms003.inf_amd64_e4ff50d4d5f8b2aa

active: prnms003.inf_amd64_e4ff50d4d5f8b2aa

   - And on my WinPE, I don't have the references to "_x86_".

Question: But where does this data come from?

I tried an installation with "dism /add-driver" after doing the "mount" of my boot.wim.
"dism" reports: installation OK.
But looking at the log file "setupapi.offline.log" I notice the absence of a real installation.

So I used the "elephant" method: I copied the ISO's DRIVERS hive into my WinPE.
And the extension ".pdf" is visible in my WinPE.

I don't understand why "Dism /add-driver ...inf_x86_ce3301b66255a0fb..." failed.
I did not do the test twice.
But I'd be delighted if someone gave me an explanation on that last point.

Yes, of course, I can use Win10XPE or WimBuilder2.
But to each his hobbies: I like to understand.

Important note for francophones like me: WimBuilder2 is translated into French :cheerleader:
If your OS is "FR" then you will read French on the screen.
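To make the comparison above repeatable without booting the image, here is an added script (not from the thread) that loads the offline DRIVERS and SYSTEM hives of a mounted boot.wim and reports, for each INF named in the post, whether the DriverInfFiles entry carries both the _x86_ and _amd64_ driver-store references, and whether the "Windows NT x86" Version-3 print driver key exists. It assumes $Mount is the Dism mount directory, that the temporary hive names PE_DRIVERS and PE_SYSTEM are free, and that the "(default)" value is a REG_MULTI_SZ listing every driver-store copy while "Active" names the one in use, which is what the listing in the post shows.

```powershell
# Added example, not from the thread: inspect the offline DRIVERS and SYSTEM
# hives of a mounted boot.wim for the print-related keys discussed above.
# Assumptions: $Mount is the Dism mount directory; hive aliases PE_DRIVERS and
# PE_SYSTEM under HKLM are arbitrary and must be unused; run elevated.
param(
    [Parameter(Mandatory)][string]$Mount,
    [string[]]$InfNames = @('ntprint.inf', 'prnms003.inf')
)

$driversHive = Join-Path $Mount 'Windows\System32\config\DRIVERS'
$systemHive  = Join-Path $Mount 'Windows\System32\config\SYSTEM'
& reg.exe load HKLM\PE_DRIVERS $driversHive | Out-Null
& reg.exe load HKLM\PE_SYSTEM  $systemHive  | Out-Null
try {
    foreach ($inf in $InfNames) {
        $key = "HKLM:\PE_DRIVERS\DriverDatabase\DriverInfFiles\$inf"
        if (-not (Test-Path -LiteralPath $key)) {
            Write-Output "$inf : no DriverInfFiles entry at all"
            continue
        }
        $p = Get-ItemProperty -LiteralPath $key
        # '(default)' lists every driver-store directory for this INF (x86 and
        # amd64 in the FullFlat listing); 'Active' is the one the image uses.
        $all    = @($p.'(default)')
        $active = $p.Active
        $hasX86 = @($all -match '_x86_').Count   -gt 0
        $hasAmd = @($all -match '_amd64_').Count -gt 0
        Write-Output ('{0}: active={1} x86={2} amd64={3}' -f $inf, $active, $hasX86, $hasAmd)
        if (-not $hasX86) {
            Write-Output "  -> no _x86_ driver-store reference for $inf (the symptom in the post)"
        }
    }

    # The spooler-populated key the post traced the .prn/.pdf discrepancy to.
    # Offline hives have no CurrentControlSet; ControlSet001 is the real one.
    $envKey = 'HKLM:\PE_SYSTEM\ControlSet001\Control\Print\Environments\Windows NT x86\Drivers\Version-3'
    if (Test-Path -LiteralPath $envKey) {
        Write-Output 'Windows NT x86 Version-3 print drivers present offline:'
        Get-ChildItem -LiteralPath $envKey | ForEach-Object { Write-Output "  $($_.PSChildName)" }
    } else {
        Write-Output 'Windows NT x86 Version-3 print driver key is absent offline'
    }
}
finally {
    # Drop the registry provider's handles first, otherwise reg unload fails.
    [GC]::Collect(); [GC]::WaitForPendingFinalizers()
    & reg.exe unload HKLM\PE_SYSTEM  | Out-Null
    & reg.exe unload HKLM\PE_DRIVERS | Out-Null
}
```

Run it once against the WinPE mount and once against a mounted install.wim of the same build; the pair of outputs is the same difference the post found with procmon, and the second run tells you what the "elephant" copy of the DRIVERS hive brings across.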

Re: MicroWinpeBuilder to adapt its own Winpe : tutorial or 'under the hood'?
« Reply #214 on: December 29, 2019, 08:57:11 AM »

noelBlanc

  • Chef
  • ***
  • Date Registered: Dec 2013
  • Posts: 266
Hi
@Lancelot
I would like to ask you:
would you be able to create a new topic in Win10XPE
and move the messages from this "post" dealing with the problem "extension .prn with PDF printer",
starting from the message "Reply #214 on: December 26, 2019, 03:28:52 PM"
http://theoven.org/index.php?topic=1639.msg36000#msg36000

If there is any concern or risk of offending anyone, forget my request.

It seems to me more consistent to have a "topic" specific to this problem.
And also because, during the last upload, I received the warning informing me that this "thread" had reached the maximum size. So I deleted several files that were too old.

I try to keep in this forum the small place that you gave me a few years ago (2016),
for which I'm indebted to you.
Thank you for your intervention.

Ps: I hope the translator doesn't betray my point.

Re: MicroWinpeBuilder to adapt its own Winpe : tutorial or 'under the hood'?
« Reply #215 on: December 29, 2019, 12:38:00 PM »

Lancelot

  • Gena Baker
  • Grand Chef
  • *****
  • Date Registered: Sep 2010
  • Posts: 10350
Hi noelBlanc,

I fully understand you.  :thumbsup:
Done http://theoven.org/index.php?topic=3019.0

If you have other posts you like to move, let me know.  :thumbsup:

*
I received the warning informing me that this "thread" had reached the maximum size. So I deleted several files too old.
I guess this is attachment limit,
  If you like I can add your files to http://lancelot.theoven.org/noelBlanc/
    so you will not need to delete old files. ?  :wink:

ps: I like to keep information.  :xmas-cool:

If yes, just send me files with dropbox etc. with pm etc.  :xmas-beer:

:turtle:

Edit:
Following noelBlanc request, posts moved to other topic: http://theoven.org/index.php?topic=3019.0
« Last Edit: December 29, 2019, 09:49:15 PM by Lancelot »

Re: MicroWinpeBuilder to adapt its own Winpe : tutorial or 'under the hood'?
« Reply #216 on: December 30, 2019, 10:49:14 PM »

noelBlanc

  • Chef
  • ***
  • Date Registered: Dec 2013
  • Posts: 266
Hi,
About Bluetooth...
Since Bluetooth worked in my FullFlat WinPE, I always postponed the investigation. When I say "Bluetooth works" I mean that the Bluetooth driver of my PC installs without error and that the icon appears in the taskbar at the bottom right. But the menus of this icon remain inactive because they use the "METRO" graphical interface.

The Bluetooth context is easy to install in V1903, which is the only version that I have on my disk (I'm with family, not at my home).

My context for this first test:
   WinPE V1903 FR (but I don't think many complex changes are needed for other versions, because there is no change in architecture)
   DRIVERS hive from install.wim
   DISM.exe for installing drivers (you can easily adapt to your own method)

1 - Files for Bluetooth
;system32
windows\system32\Bluetooth*.*
windows\system32\BTAGService.dll
windows\system32\BTH*.*
windows\system32\fsquirt.exe
windows\system32\Microsoft.Bluetooth*.*
windows\system32\Windows.Internal.Bluetooth.dll
;drivers
windows\system32\drivers\bth*.sys
windows\system32\drivers\rfcomm.sys

2 - Service for Bluetooth = with the DRIVERS hive there is only one needed service (perhaps more depending on other Bluetooth service uses, but I never use Bluetooth with my PC)
Tmp_SYSTEM\ControlSet001\Services\bthserv

3 - Dism /add-driver for these drivers
bth.inf_amd64_*
bthleenum.inf_amd64_*
bthpan.inf_amd64_*
bthprint.inf_amd64_*
tdibth.inf_amd64_*

4 - Driver repository:
I copy these directories from install.wim into mount\...\FileRepository
(not sure at this time that this copy is needed)

Because I use dism, I copy all .sys into \Drivers and .inf into \INF. ! I don't know at this time if it is needed !!!

5 - Installing the driver of my PC: bcbtums-win8x64-brcm.inf_amd64....
But this driver is too old and is not in the driver store.
In a normal W10, it is installed from "Windows Update" for the device during installation.
So I use a copy of this driver.

6 - When WinPE starts, the Bluetooth drivers are not installed.
For this first test, I need to use DEVMGMT.MSC to install this driver. The "Setup" engine looks into the WinPE disk and finds the drivers in the driver store.
And after that, everything is good as you can see in the picture.

Nevertheless, and because many internal tools are written for the "METRO" GUI, it is not possible to get an MS graphical interface to do the device pairing.
I'll look into writing an application to do "paired device": for my fun.
And I prefer to try to build my own application for pairing the device than to use a better application coming from another place.
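The steps 1 to 4 above, put together as one added script (not from the thread and not part of MicroWinpeBuilder): it copies the listed file patterns from a mounted install.wim into the mounted boot.wim, copies the bthserv service key between the two offline SYSTEM hives, and adds the in-box Bluetooth INFs with Dism from the OS driver store. The mount directories, the hive aliases OS_SYSTEM / PE_SYSTEM and the idea of taking the INFs straight out of the install.wim FileRepository are assumptions; the file and INF lists are the post's own. The vendor driver (step 5) and the pairing application are left out, since the post does not show them.

```powershell
# Added example, not from the thread: stage the Bluetooth files, service key
# and in-box drivers listed in the post into a mounted WinPE.
# Assumptions: $PeMount (boot.wim) and $OsMount (install.wim) are Dism mount
# directories of the same build; hive aliases under HKLM are arbitrary and
# unused; run elevated.
param(
    [Parameter(Mandatory)][string]$PeMount,
    [Parameter(Mandatory)][string]$OsMount
)
$PeMount = (Resolve-Path -LiteralPath $PeMount).Path.TrimEnd('\')
$OsMount = (Resolve-Path -LiteralPath $OsMount).Path.TrimEnd('\')

# 1 - files (patterns exactly as listed in the post)
$patterns = @(
    'Windows\System32\Bluetooth*.*',
    'Windows\System32\BTAGService.dll',
    'Windows\System32\BTH*.*',
    'Windows\System32\fsquirt.exe',
    'Windows\System32\Microsoft.Bluetooth*.*',
    'Windows\System32\Windows.Internal.Bluetooth.dll',
    'Windows\System32\drivers\bth*.sys',
    'Windows\System32\drivers\rfcomm.sys'
)
foreach ($pat in $patterns) {
    foreach ($f in Get-ChildItem -Path (Join-Path $OsMount $pat) -File -ErrorAction SilentlyContinue) {
        $rel  = $f.FullName.Substring($OsMount.Length + 1)
        $dest = Join-Path $PeMount $rel
        New-Item -ItemType Directory -Path (Split-Path -Parent $dest) -Force | Out-Null
        Copy-Item -LiteralPath $f.FullName -Destination $dest -Force
    }
}

# 2 - the bthserv service key, copied from the OS SYSTEM hive into the PE one.
#     Offline hives have no CurrentControlSet, hence ControlSet001.
& reg.exe load HKLM\PE_SYSTEM (Join-Path $PeMount 'Windows\System32\config\SYSTEM') | Out-Null
& reg.exe load HKLM\OS_SYSTEM (Join-Path $OsMount 'Windows\System32\config\SYSTEM') | Out-Null
try {
    & reg.exe copy HKLM\OS_SYSTEM\ControlSet001\Services\bthserv `
                   HKLM\PE_SYSTEM\ControlSet001\Services\bthserv /s /f | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "reg copy of bthserv failed ($LASTEXITCODE)" }
}
finally {
    [GC]::Collect(); [GC]::WaitForPendingFinalizers()
    & reg.exe unload HKLM\OS_SYSTEM | Out-Null
    & reg.exe unload HKLM\PE_SYSTEM | Out-Null
}

# 3 - in-box Bluetooth drivers, added with Dism straight from the OS driver store.
$store   = Join-Path $OsMount 'Windows\System32\DriverStore\FileRepository'
$infDirs = @('bth.inf_amd64_*', 'bthleenum.inf_amd64_*', 'bthpan.inf_amd64_*',
             'bthprint.inf_amd64_*', 'tdibth.inf_amd64_*')
foreach ($pat in $infDirs) {
    foreach ($dir in Get-ChildItem -Path $store -Directory -Filter $pat) {
        $inf = Get-ChildItem -LiteralPath $dir.FullName -Filter '*.inf' | Select-Object -First 1
        & dism.exe "/Image:$PeMount" /Add-Driver "/Driver:$($inf.FullName)"
        # Dism reports success even when setupapi.offline.log shows no real
        # install (the post's prnms003/ntprint experience), so read that log too.
        if ($LASTEXITCODE -ne 0) { throw "Dism /Add-Driver failed for $($inf.FullName)" }
    }
}
```

After running it, check <PeMount>\Windows\INF\setupapi.offline.log for each INF, as the post recommends: a zero Dism exit code alone is not proof that the driver package was actually staged.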

Re: MicroWinpeBuilder to adapt its own Winpe : tutorial or 'under the hood'?
« Reply #217 on: December 31, 2019, 03:28:26 AM »

James

  • Grand Chef
  • *****
  • Location: USA
  • Date Registered: Dec 2017
  • Posts: 2272
Noel,
I can Confirm Driver Installation & Bluetooth Tray Icon - Tray Bluetooth Menu Useless
Exported My Intel Bluetooth Driver From Host...

Here Are The Bluetooth Files I Used
Attachment: Bluetooth Files.txt (4.91 kB)
« Last Edit: December 31, 2019, 03:57:24 AM by James »

Re: MicroWinpeBuilder to adapt its own Winpe : tutorial or 'under the hood'?
« Reply #218 on: April 16, 2020, 04:32:15 PM »

noelBlanc

  • Chef
  • ***
  • Date Registered: Dec 2013
  • Posts: 266
Hi,
Here I put the first job I did to investigate the issue "timeout 10 minutes before DSMSVC displays the complete screen for devices".

My ultimate goal: to better understand the implementation of ETW/WPP traces.

Quick introduction of ETW and WPP technologies.

I think I understood the concepts of Providers, Controllers, Consumers.
Here is the site, among all those I consulted, that sums up well what I understood:
https://www.magicsplat.com/book/event_tracing.html

My main documentation for TMF files:
https://posts.specterops.io/data-source-analysis-and-dynamic-windows-re-using-wpp-and-tracelogging-e465f8b653f7

Analysis of DeviceSetupManager.dll (DSMSVC) code with IDA:
- to identify the GUIDs
- to understand the use of the WPP_xxx functions

The attached file describes in a little more detail the method to produce the TMF file.
Without this work, I think I would never have found a workaround for the "10 minutes for DSMSVC" timeout.
Not really useful, but I must stay at home even when the sun is shining.
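Once the WPP control GUID and a TMF file are in hand, the capture itself is routine. Here is an added script (not from the thread, and the attachment describing the TMF method is not reproduced) that starts a trace session on one provider with logman, restarts the Device Setup Manager service to reproduce the delay, stops the session, decodes the .etl with tracefmt from the WDK and then prints the events on either side of any long pause. The GUID is a parameter because the page does not give it; the service name DsmSvc, the 30-second gap threshold and the timestamp layout assumed in the regex (tracefmt's default MM/dd/yyyy-HH:mm:ss.fff) are assumptions to adjust for your environment.

```powershell
# Added example, not from the thread: capture a WPP trace of one provider and
# locate the long waits in the decoded output.
# Assumptions: $ProviderGuid is the control GUID you recovered from
# DeviceSetupManager.dll with IDA (hypothetical, not given on the page);
# $TmfFile is the TMF you produced; tracefmt.exe is on PATH (it ships with the
# WDK); run elevated. Restarting DsmSvc is only the reproduction step.
param(
    [Parameter(Mandatory)][string]$ProviderGuid,   # e.g. '{xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx}'
    [Parameter(Mandatory)][string]$TmfFile,
    [string]$Session = 'dsm_wpp',
    [string]$Etl     = (Join-Path $env:TEMP 'dsm_wpp.etl'),
    [string]$Out     = (Join-Path $env:TEMP 'dsm_wpp.txt'),
    [int]$Seconds    = 180,      # longer than the ~2 minute waits described in the thread
    [int]$GapSeconds = 30        # report pauses at least this long
)

if ($ProviderGuid -notmatch '^\{[0-9a-fA-F-]{36}\}$') { throw 'ProviderGuid must be a braced GUID' }

# Start the session immediately (-ets), all WPP flag bits, level 5 (verbose).
& logman.exe create trace $Session -p $ProviderGuid '0xFFFFFFFF' '5' -o $Etl -ets | Out-Null
if ($LASTEXITCODE -ne 0) { throw "logman create failed ($LASTEXITCODE)" }
try {
    # Reproduce: restart the Device Setup Manager service and wait out the timeout.
    Restart-Service -Name DsmSvc -ErrorAction Stop
    Start-Sleep -Seconds $Seconds
}
finally {
    & logman.exe stop $Session -ets | Out-Null
}

# Decode with the TMF; without the right TMF every event shows up as unknown.
& tracefmt.exe $Etl -tmf $TmfFile -o $Out
if ($LASTEXITCODE -ne 0) { throw "tracefmt failed ($LASTEXITCODE)" }

# Walk the decoded lines and print the events that bracket each long pause.
# Timestamp layout is an assumption (tracefmt default); change the regex and
# format string together if your output differs.
$tsRegex  = [regex]'(\d{2}/\d{2}/\d{4}-\d{2}:\d{2}:\d{2}\.\d{3})'
$tsFormat = 'MM/dd/yyyy-HH:mm:ss.fff'
$prevTime = $null; $prevLine = $null
foreach ($line in Get-Content -LiteralPath $Out) {
    $m = $tsRegex.Match($line)
    if (-not $m.Success) { continue }
    $t = [datetime]::ParseExact($m.Groups[1].Value, $tsFormat, [cultureinfo]::InvariantCulture)
    if ($null -ne $prevTime -and ($t - $prevTime).TotalSeconds -ge $GapSeconds) {
        Write-Output ('{0,7:N1}s pause' -f ($t - $prevTime).TotalSeconds)
        Write-Output "   before: $prevLine"
        Write-Output "   after:  $line"
    }
    $prevTime = $t; $prevLine = $line
}
Write-Output "Decoded trace: $Out"
```

The "before" line of each reported pause is the WPP message emitted just before the wait, which is the place to look in IDA for the call that blocks; in the case the thread discusses, that is the cfgmgr32.dll call the next post asks about.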

Re: MicroWinpeBuilder to adapt its own Winpe : tutorial or 'under the hood'?
« Reply #219 on: April 16, 2020, 04:49:31 PM »

noelBlanc

  • Chef
  • ***
  • Date Registered: Dec 2013
  • Posts: 266
Here is how I found a workaround for the issue "timeout 10 minutes before DSMSVC displays the complete screen for devices".

If someone can explain why cfgmgr32.dll waits 2 minutes for each call and why the result of the calls is not important....

The use of printers becomes a little more comfortable and a little more aesthetic.

But above all it opens up the possibility of exploiting some simple Bluetooth devices, audio like my little speaker.
I use a piece of code to do the pairing. But it was absolutely necessary that the timeout does not exist, because I use "Devices And Printers" to activate the various BTH services of the devices.

But Bluetooth LE is not possible (by design, if I understand the MS doc correctly: Metro-style GUI only).


 
