
Thread: DISM

  1. #1

    DISM

    Thought I'd do a quick query re DISM and the possibility of tracing through its code. Came across an article on the Net showing how to setup DISM on XP using the DISM files from W7. Not too sure how well that would work since the applications of DISM I have seen on XP were fairly primitive.

    Anyway, when I run DISM from the command prompt in XP it claims (in the log file) it cannot find the windows directory, therefore it is presuming C:\Windows. My windir is C:\winxp and DISM refers to it a few steps earlier in the log as such, mainly because dism.exe is in windir\system32 and its files are in windir\system32\dism. I mean, it couldn't even start if it did not know where it was located, or its files.

    It uses 'providers' to find the windir path and they can't find it. My path is set in the environment variables and the windir is indicated as c:\winxp.

    So, I need to trace into dism to see why the provider cannot find the windir. I have never tried a command line app with windbg, never mind a system utility. Should I encounter any problems doing so? Is kernel mode the best or maybe one of the other debuggers?

  2. #2
    Super Moderator, Join Date: Dec 2004, Posts: 1,511, Blog Entries: 15
    Not Sure What You Want to debug
    dism takes an argument to windir /WINDIR:myfancydirectorylocatedinclouds@55

    if there is a messagebox/dialog, anything that is blocking waiting for user input,
    maybe just attach windbg/xxxdbg break and look at callstack maybe ??

    ok this is not a gui app but console mode, so no blocking message boxes

    you need to know where to set breakpoints

    log file create break (if-exists condition)
    Code:
    0:000> !fnproto
    no of entries = 1 757fa768
     
     
    [CSP + 00 ] [       CreateFileW(Num Args = 07) Returns to ] = 75d9e8ef
    [ESP + 04] [ __in LPCWSTR lpFileName                     ] = 00280b34  C:\Windows\Logs\DISM\dism.log
    [ESP + 08] [ __in DWORD dwDesiredAccess                  ] = c0000000
    [ESP + 0c] [ __in DWORD dwShareMode                      ] = 00000003
    [ESP + 10] [ __in_opt LPSECURITY_ATTRIBUTES lpSecurityAt ] = 00000000
    [ESP + 14] [ __in DWORD dwCreationDisposition            ] = 00000004
    [ESP + 18] [ __in DWORD dwFlagsAndAttributes             ] = 00000080
    [ESP + 1c] [ __in_opt HANDLE hTemplateFile )             ] = 00000000
    0:000> kb
     # ChildEBP RetAddr  Args to Child              
    00 000af754 75d9e8ef 00280b34 c0000000 00000003 KERNELBASE!CreateFileW
    01 000af780 57584ee7 00280b34 c0000000 00000003 kernel32!CreateFileWImplementation+0x69
    02 000af7a8 57585b60 001a4cb4 00280b34 07db402b DismCore!IDismConfigurationImpl::put_logFile+0x3b
    03 000afa18 575863f7 07db4073 001a4cb0 001a4cd0 DismCore!CDISMManager::CreateLocalImageSession+0x28a
    04 000afa40 57586c90 00000000 00000000 001a4cd0 DismCore!CDISMManager::get_LocalImageSession+0x93
    05 000afa5c 575823c4 001a4cd0 000afb7c 00000000 DismCore!CDISMManager::GetLocalProviderStore+0x2e
    06 000afb84 00762088 001a4cd0 000afbac 0b271a31 DismCore!CDISMManager::get_Logger+0x23
    07 000afbc8 00762e46 000afc6c 001a2798 0b271dd1 Dism!CDismWrapper::SetupLogging+0xf7
    08 000afc28 0075bf57 000afc6c 000afc68 00000000 Dism!CDismWrapper::Initialize+0x192
    09 000afc7c 0075c3f6 000afd34 000afcb0 80070057 Dism!CCmdlineProcessor::InitializeDism+0x152
    0a 000afc90 0075dd47 000afd34 000afcb0 0b271c3d Dism!CCmdlineProcessor::LogEarlyParseFailure+0x13
    0b 000afdc4 0075decf 00000002 001a1758 00000000 Dism!CCmdlineProcessor::Run+0x279
    0c 000afde0 0076a18f 00000002 001a1758 001a3978 Dism!wmain+0x3d
    0d 000afe24 75d9ed6c 7ffdf000 000afe70 776837eb Dism!_initterm_e+0x163
    0e 000afe30 776837eb 7ffdf000 7726dd79 00000000 kernel32!BaseThreadInitThunk+0xe
    0f 000afe70 776837be 0076a2c0 7ffdf000 00000000 ntdll!__RtlUserThreadStart+0x70
    10 000afe88 00000000 0076a2c0 7ffdf000 00000000 ntdll!_RtlUserThreadStart+0x1b
    write break


    Code:
    [CSP + 00 ] [         WriteFile(Num Args = 05) Returns to ] = 75da543c
    [ESP + 04] [ __in HANDLE hFile                           ] = 000000f8
    [ESP + 08] [ __in_bcount_opt(nNumberOfBytesToWrite) LPCV ] = 00285d58
    [ESP + 0c] [ __in DWORD nNumberOfBytesToWrite            ] = 000000a0
    [ESP + 10] [ __out_opt LPDWORD lpNumberOfBytesWritten    ] = 000af440
    [ESP + 14] [ __inout_opt LPOVERLAPPED lpOverlapped )     ] = 00000000
    0:000> !handle poi(@esp+4)
    Handle f8
      Type         	File
    0:000> dc poi(@esp+8)
    00285d58  30323032 2d31302d 31203132 35353a37  2020-01-21 17:55
    00285d68  2c32353a 666e4920 2020206f 20202020  :52, Info       
    00285d78  20202020 20202020 44202020 204d5349             DISM 
    00285d88  49502020 37353d44 53203639 65636375    PID=5796 Succe
    00285d98  75667373 20796c6c 64616f6c 74206465  ssfully loaded t
    00285da8  49206568 6567616d 73736553 206e6f69  he ImageSession 
    00285db8  22207461 575c3a43 6f646e69 535c7377  at "C:\Windows\S
    00285dc8  65747379 5c32336d 6d736944 202d2022  ystem32\Dism" - 
    0:000> kb
     # ChildEBP RetAddr  Args to Child              
    00 000af3ec 75da543c 000000f8 00285d58 000000a0 KERNELBASE!WriteFile
    01 000af408 58f1c42d 000000f8 00285d58 000000a0 kernel32!WriteFileImplementation+0x76
    02 000af424 58f1cedd 000000f8 00285d58 000000a0 wdscore!WriteFileWin32+0x19
    03 000af444 58f1e56a 00285d58 000000a0 00280890 wdscore!CSharedAccessFile::Append+0x2d
    04 000af464 58f1b29a 001a617c 07d8a359 001a6178 wdscore!CFileDevice::Process+0x5a
    05 000af4a4 58f1b478 07d8a315 00000000 58f01b30 wdscore!CLogManager::WdsSetupLogMessageW+0xa6
    06 000af4e8 58f18cb9 001a6178 00000011 57575c90 wdscore!CLogManager::LogA+0x17c
    07 000af678 5758cd80 00289e00 000b8000 57575c90 wdscore!WdsSetupLogMessageA+0x18d
    08 000af6e0 57581dc2 001a4dc8 000b8000 00000003 DismCore!CPanther::WdsSetupLogMessageW+0xce
    09 000af728 575848f4 001a4cb0 00000003 57571d84 DismCore!CDISMManager::WriteLogEntry+0xad
    0a 000af790 57585dc1 00289d80 00000000 00000001 DismCore!CDISMManager::LoadImageSession+0x561
    0b 000afa18 575863f7 07db4073 001a4cb0 001a4cd0 DismCore!CDISMManager::CreateLocalImageSession+0x4eb
    0c 000afa40 57586c90 00000000 00000000 001a4cd0 DismCore!CDISMManager::get_LocalImageSession+0x93
    0d 000afa5c 575823c4 001a4cd0 000afb7c 00000000 DismCore!CDISMManager::GetLocalProviderStore+0x2e
    0e 000afb84 00762088 001a4cd0 000afbac 0b271a31 DismCore!CDISMManager::get_Logger+0x23
    0f 000afbc8 00762e46 000afc6c 001a2798 0b271dd1 Dism!CDismWrapper::SetupLogging+0xf7
    10 000afc28 0075bf57 000afc6c 000afc68 00000000 Dism!CDismWrapper::Initialize+0x192
    11 000afc7c 0075c3f6 000afd34 000afcb0 80070057 Dism!CCmdlineProcessor::InitializeDism+0x152
    12 000afc90 0075dd47 000afd34 000afcb0 0b271c3d Dism!CCmdlineProcessor::LogEarlyParseFailure+0x13
    13 000afdc4 0075decf 00000002 001a1758 00000000 Dism!CCmdlineProcessor::Run+0x279
    14 000afde0 0076a18f 00000002 001a1758 001a3978 Dism!wmain+0x3d
    15 000afe24 75d9ed6c 7ffdf000 000afe70 776837eb Dism!_initterm_e+0x163
    16 000afe30 776837eb 7ffdf000 7726dd79 00000000 kernel32!BaseThreadInitThunk+0xe
    17 000afe70 776837be 0076a2c0 7ffdf000 00000000 ntdll!__RtlUserThreadStart+0x70
    18 000afe88 00000000 0076a2c0 7ffdf000 00000000 ntdll!_RtlUserThreadStart+0x1b
    Last edited by blabberer; January 21st, 2020 at 01:31.

  3. #3
    Quote Originally Posted by blabberer
    you need to know where to set breakpoints
    Thanks Blabbs...it's very late and I have managed to throw out both my lower back and mid-back, between shoulder blades. An old war wound from work. I'll need time to digest this.

    I am amazed at how much you know about all this stuff. Besides the BPs, I was thinking of just brute-forcing it by single-stepping to see where it goes. I know it (DISM) uses a tmp file in the users/temp directory where it looks up providers. Not exactly sure what provider means but it seems to be msoft double-speak for libraries. They have functions that do things like check the windir. They are pretty dumb if you ask me; they can't even look up the environment variables and get the windir path. But they must have since they got the path c:\winxp. They just can't accept that it's THE windir.

    Just dawned on me, there may be a BP in the dism log. They do refer to a function with a C-type extension, like foo::foobar that is used to find the windir. I'll look it up tomorrow. Thanks.

  4. #4
    a complete write sequence for one command

    deleting log file
    Code:
    :\>del c:\Windows\Logs\DISM\dism.log
    Could Not Find c:\Windows\Logs\DISM\dism.log
    windbg automatic session
    Code:
    :\>cdb -c "bp kernelbase!WriteFile \"da /c 100 poi(@esp+8);gc\";g;q" dism /sysdrivedir /? |awk "/Reading/,/quit/"
    0:000> cdb: Reading initial command 'bp kernelbase!WriteFile "da /c 100 poi(@esp+8);gc";g;q'
    ModLoad: 75ad0000 75aef000   C:\Windows\system32\IMM32.DLL
    ModLoad: 75f10000 75fdc000   C:\Windows\system32\MSCTF.dll
    ModLoad: 756f0000 756fc000   C:\Windows\system32\CRYPTBASE.dll
    ModLoad: 58d70000 58dc2000   C:\Windows\System32\Dism\DismCore.dll
    ModLoad: 57f70000 57fa2000   C:\Windows\system32\wdscore.dll
    003247e8  "..Deployment Image Servicing and Management tool..Version: 6.1.7600.16385..............................................................................................."
    
    Deployment Image Servicing and Management tool
    Version: 6.1.7600.16385
    
    ModLoad: 58f10000 58f20000   C:\Windows\System32\Dism\DismCorePS.dll
    ModLoad: 75c60000 75ce3000   C:\Windows\system32\CLBCatQ.DLL
    ModLoad: 751f0000 75206000   C:\Windows\system32\CRYPTSP.dll
    ModLoad: 74f90000 74fcb000   C:\Windows\system32\rsaenh.dll
    ModLoad: 75760000 7576e000   C:\Windows\system32\RpcRtRemote.dll
    ModLoad: 713c0000 714ab000   C:\Windows\system32\dbghelp.dll
    0018f2f8  "..."
    00335bd0  "2020-01-21 19:24:55, Info                  DISM   PID=5984 Scratch directory set to 'C:\Users\xx\AppData\Local\Temp\'. - CDISMManager::put_ScratchDir.."
    ModLoad: 57f20000 57f66000   C:\Windows\System32\Dism\dismprov.dll
    00335bd0  "2020-01-21 19:24:55, Info                  DISM   PID=5984 Successfully loaded the ImageSession at "C:\Windows\System32\Dism" - CDISMManager::LoadImageSession.."
    PID=5984 Instantiating the Provider Store. - CDISMImageSession::get_ProviderStorePID=5984 Initializing a provider store for the LOCAL session type. - CDISMProviderStore::Final_OnConnectPID=5984 Attempting to initialize the logger from the Image Session. - CDISMProviderStore::Final_OnConnectPID=5984 Provider has not previously been encountered.  Attempting to initialize the provider. - CDISMProviderStore::Internal_GetProviderPID=5984 Loading Provider from location C:\Windows\System32\Dism\LogProvider.dll - CDISMProviderStore::Internal_GetProviderModLoad: 57d60000 57d88000   C:\Windows\System32\Dism\LogProvider.dll
    PID=5984 Connecting to the provider located at C:\Windows\System32\Dism\LogProvider.dll. - CDISMProviderStore::Internal_LoadProviderPID=5984 Getting Provider OSServices - CDISMProviderStore::GetProviderPID=5984 The requested provider was not found in the Provider Store. - CDISMProviderStore::Internal_GetProvider(hr:0x80004005)PID=5984 Failed to get an OSServices provider. Must be running in local store. Falling back to checking alongside the log provider for wdscore.dll. - CDISMLogger::FindWdsCore(hr:0x80004005)00335bd0  "2020-01-21 19:24:55, Info                  DISM   DISM Provider Store: PID=5984 Found and Initialized the DISM Logger. - CDISMProviderStore::Internal_InitializeLogger.."
    00335bd0  "2020-01-21 19:24:55, Info                  DISM   DISM Provider Store: PID=5984 Failed to get and initialize the PE Provider.  Continuing by assuming that it is not a WinPE image. - CDISMProviderStore::Final_OnConnect.."
    00335bd0  "2020-01-21 19:24:55, Info                  DISM   DISM Provider Store: PID=5984 Finished initializing the Provider Map. - CDISMProviderStore::Final_OnConnect.."
    00335bd0  "2020-01-21 19:24:55, Info                  DISM   DISM Provider Store: PID=5984 Getting Provider DISMLogger - CDISMProviderStore::GetProvider.."
    00335bd0  "2020-01-21 19:24:55, Info                  DISM   DISM Provider Store: PID=5984 Provider has previously been initialized.  Returning the existing instance. - CDISMProviderStore::Internal_GetProvider.."
    00335bd0  "2020-01-21 19:24:55, Info                  DISM   DISM Provider Store: PID=5984 Getting Provider DISMLogger - CDISMProviderStore::GetProvider.."
    00335bd0  "2020-01-21 19:24:55, Info                  DISM   DISM Provider Store: PID=5984 Provider has previously been initialized.  Returning the existing instance. - CDISMProviderStore::Internal_GetProvider.."
    00335bd0  "2020-01-21 19:24:55, Info                  DISM   DISM Manager: PID=5984 Successfully created the local image session and provider store. - CDISMManager::CreateLocalImageSession.."
    00335bd0  "2020-01-21 19:24:55, Info                  DISM   DISM Provider Store: PID=5984 Getting Provider DISMLogger - CDISMProviderStore::GetProvider.."
    00335bd0  "2020-01-21 19:24:55, Info                  DISM   DISM Provider Store: PID=5984 Provider has previously been initialized.  Returning the existing instance. - CDISMProviderStore::Internal_GetProvider.."
    00335bd0  "2020-01-21 19:24:55, Info                  DISM   DISM.EXE: .."
    00335bd0  "2020-01-21 19:24:55, Info                  DISM   DISM.EXE: <----- Starting Dism.exe session ----->.."
    00335bd0  "2020-01-21 19:24:55, Info                  DISM   DISM.EXE: .."
    00335bd0  "2020-01-21 19:24:55, Info                  DISM   DISM.EXE: Host machine information: OS Version=6.1.7601, Running architecture=x86, Number of processors=1.."
    00335bd0  "2020-01-21 19:24:55, Info                  DISM   DISM.EXE: Executing command line: dism /sysdrivedir /? .."
    00335bd0  "2020-01-21 19:24:55, Info                  DISM   DISM Provider Store: PID=5984 Getting the collection of providers from a local provider store type. - CDISMProviderStore::GetProviderCollection.."
    00335bd0  "2020-01-21 19:24:55, Info                  DISM   DISM Provider Store: PID=5984 Provider has not previously been encountered.  Attempting to initialize the provider. - CDISMProviderStore::Internal_GetProvider.."
    00335bd0  "2020-01-21 19:24:55, Info                  DISM   DISM Provider Store: PID=5984 Loading Provider from location C:\Windows\System32\Dism\WimProvider.dll - CDISMProviderStore::Internal_GetProvider.."
    ModLoad: 57cf0000 57d60000   C:\Windows\System32\Dism\WimProvider.dll
    ModLoad: 57800000 57867000   C:\Windows\system32\WIMGAPI.DLL
    00335bd0  "2020-01-21 19:24:55, Info                  DISM   DISM Provider Store: PID=5984 Connecting to the provider located at C:\Windows\System32\Dism\WimProvider.dll. - CDISMProviderStore::Internal_LoadProvider.."
    00335bd0  "2020-01-21 19:24:56, Info                  DISM   DISM Provider Store: PID=5984 Provider has not previously been encountered.  Attempting to initialize the provider. - CDISMProviderStore::Internal_GetProvider.."
    00335bd0  "2020-01-21 19:24:56, Info                  DISM   DISM Provider Store: PID=5984 Loading Provider from location C:\Windows\System32\Dism\FolderProvider.dll - CDISMProviderStore::Internal_GetProvider.."
    ModLoad: 580b0000 580d0000   C:\Windows\System32\Dism\FolderProvider.dll
    00335bd0  "2020-01-21 19:24:56, Info                  DISM   DISM Provider Store: PID=5984 Connecting to the provider located at C:\Windows\System32\Dism\FolderProvider.dll. - CDISMProviderStore::Internal_LoadProvider.."
    00335bd0  "2020-01-21 19:24:56, Info                  DISM   DISM Provider Store: PID=5984 Provider has not previously been encountered.  Attempting to initialize the provider. - CDISMProviderStore::Internal_GetProvider.."
    00335bd0  "2020-01-21 19:24:56, Info                  DISM   DISM Provider Store: PID=5984 Loading Provider from location C:\Windows\System32\Dism\CompatProvider.dll - CDISMProviderStore::Internal_GetProvider.."
    ModLoad: 577b0000 577f5000   C:\Windows\System32\Dism\CompatProvider.dll
    00335bd0  "2020-01-21 19:24:56, Info                  DISM   DISM Provider Store: PID=5984 Connecting to the provider located at C:\Windows\System32\Dism\CompatProvider.dll. - CDISMProviderStore::Internal_LoadProvider.."
    00335bd0  "2020-01-21 19:24:56, Info                  DISM   DISM.EXE: Got the collection of providers. Now enumerating them to build the command table..."
    00335bd0  "2020-01-21 19:24:56, Info                  DISM   DISM.EXE: Attempting to add the commands from provider: WimManager.."
    00335bd0  "2020-01-21 19:24:56, Info                  DISM   DISM.EXE: Getting the help information collection for the provider: WimManager..."
    00335bd0  "2020-01-21 19:24:56, Info                  DISM   DISM.EXE: Registering information from the help collection from provider: WimManager..."
    00335bd0  "2020-01-21 19:24:56, Info                  DISM   DISM.EXE: Succesfully registered the Help Item with topic(wimcommands) and category(localtoplevelhelp) for the provider(WimManager)..."
    00335bd0  "2020-01-21 19:24:56, Info                  DISM   DISM.EXE: Succesfully registered the Help Item with topic(cleanup-wim) and category(wimcommands) for the provider(WimManager)..."
    00335bd0  "2020-01-21 19:24:56, Info                  DISM   DISM.EXE: Succesfully registered the Help Item with topic(remount-wim) and category(wimcommands) for the provider(WimManager)..."
    00335bd0  "2020-01-21 19:24:56, Info                  DISM   DISM.EXE: Succesfully registered the Help Item with topic(mount-wim) and category(wimcommands) for the provider(WimManager)..."
    00335bd0  "2020-01-21 19:24:56, Info                  DISM   DISM.EXE: Succesfully registered the Help Item with topic(unmount-wim) and category(wimcommands) for the provider(WimManager)..."
    00335bd0  "2020-01-21 19:24:56, Info                  DISM   DISM.EXE: Succesfully registered the Help Item with topic(commit-wim) and category(wimcommands) for the provider(WimManager)..."
    00335bd0  "2020-01-21 19:24:56, Info                  DISM   DISM.EXE: Succesfully registered the Help Item with topic(get-wiminfo) and category(wimcommands) for the provider(WimManager)..."
    00335bd0  "2020-01-21 19:24:56, Info                  DISM   DISM.EXE: Succesfully registered the Help Item with topic(get-mountedwiminfo) and category(wimcommands) for the provider(WimManager)..."
    00335bd0  "2020-01-21 19:24:56, Info                  DISM   DISM.EXE: Attempting to add the commands from provider: FolderManager.."
    00335bd0  "2020-01-21 19:24:56, Info                  DISM   DISM.EXE: Attempting to add the commands from provider: DISM Log Provider.."
    00335bd0  "2020-01-21 19:24:56, Info                  DISM   DISM.EXE: Attempting to add the commands from provider: Compatibility Manager.."
    00335bd0  "2020-01-21 19:24:56, Info                  DISM   DISM.EXE: Getting the help information collection for the provider: Compatibility Manager..."
    0034bfc8  "../Image:<path_to_offline_image> [/SysDriveDir:<path_to_bootmgr>]....  Specifies the path to the directory of the bootmgr file. If not..  specified, it defaults to the offline image path.....  This option cannot be used with the /Online option.....    Exam"
    0034c0c8  "ple:..      DISM.exe /Image:C:\test\offline /SysDriveDir:C:\...................................................................."
    
    /Image:<path_to_offline_image> [/SysDriveDir:<path_to_bootmgr>]
    
      Specifies the path to the directory of the bootmgr file. If not
      specified, it defaults to the offline image path.
    
      This option cannot be used with the /Online option.
    
        Example:
          DISM.exe /Image:C:\test\offline /SysDriveDir:C:\
    
    
    00335bd0  "2020-01-21 19:24:56, Info                  DISM   DISM.EXE: Image session has been closed. Reboot required=no..."
    00335bd0  "2020-01-21 19:24:57, Info                  DISM   DISM.EXE: .."
    00335bd0  "2020-01-21 19:24:57, Info                  DISM   DISM.EXE: <----- Ending Dism.exe session ----->.."
    00335bd0  "2020-01-21 19:24:57, Info                  DISM   DISM.EXE: .."
    00335bd0  "2020-01-21 19:24:57, Info                  DISM   DISM Image Session: PID=5984 Disconnecting the provider store - CDISMImageSession::Final_OnDisconnect.."
    00335bd0  "2020-01-21 19:24:57, Info                  DISM   DISM Provider Store: PID=5984 Disconnecting Provider: WimManager - CDISMProviderStore::Internal_DisconnectProvider.."
    00335bd0  "2020-01-21 19:24:57, Info                  DISM   DISM Provider Store: PID=5984 Disconnecting Provider: FolderManager - CDISMProviderStore::Internal_DisconnectProvider.."
    00335bd0  "2020-01-21 19:24:57, Info                  DISM   DISM Provider Store: PID=5984 Found the OSServices.  Waiting to finalize it until all other providers are unloaded. - CDISMProviderStore::Final_OnDisconnect.."
    00335bd0  "2020-01-21 19:24:57, Info                  DISM   DISM Provider Store: PID=5984 Disconnecting Provider: Compatibility Manager - CDISMProviderStore::Internal_DisconnectProvider.."
    00335bd0  "2020-01-21 19:24:57, Info                  DISM   DISM Provider Store: PID=5984 Releasing the local reference to DISMLogger.  Stop logging. - CDISMProviderStore::Internal_DisconnectProvider.."
    PID=5984 Encountered a loaded provider DISMLogger. - CDISMProviderStore::Internal_DisconnectProviderPID=5984 Disconnecting Provider: DISMLogger - CDISMProviderStore::Internal_DisconnectProviderquit:

    file contents post windbg session


    Code:
    :\>cat c:\Windows\Logs\DISM\dism.log
    2020-01-21 19:24:55, Info                  DISM   PID=5984 Scratch directory set to 'C:\Users\xx\AppData\Local\Temp\'. - CDISMManager::put_ScratchDir
    2020-01-21 19:24:55, Info                  DISM   PID=5984 Successfully loaded the ImageSession at "C:\Windows\System32\Dism" - CDISMManager::LoadImageSession
    2020-01-21 19:24:55, Info                  DISM   DISM Provider Store: PID=5984 Found and Initialized the DISM Logger. - CDISMProviderStore::Internal_InitializeLogger
    2020-01-21 19:24:55, Info                  DISM   DISM Provider Store: PID=5984 Failed to get and initialize the PE Provider.  Continuing by assuming that it is not a WinPE image. - CDISMProviderStore::Final_OnConnect
    2020-01-21 19:24:55, Info                  DISM   DISM Provider Store: PID=5984 Finished initializing the Provider Map. - CDISMProviderStore::Final_OnConnect
    2020-01-21 19:24:55, Info                  DISM   DISM Provider Store: PID=5984 Getting Provider DISMLogger - CDISMProviderStore::GetProvider
    2020-01-21 19:24:55, Info                  DISM   DISM Provider Store: PID=5984 Provider has previously been initialized.  Returning the existing instance. - CDISMProviderStore::Internal_GetProvider
    2020-01-21 19:24:55, Info                  DISM   DISM Provider Store: PID=5984 Getting Provider DISMLogger - CDISMProviderStore::GetProvider
    2020-01-21 19:24:55, Info                  DISM   DISM Provider Store: PID=5984 Provider has previously been initialized.  Returning the existing instance. - CDISMProviderStore::Internal_GetProvider
    2020-01-21 19:24:55, Info                  DISM   DISM Manager: PID=5984 Successfully created the local image session and provider store. - CDISMManager::CreateLocalImageSession
    2020-01-21 19:24:55, Info                  DISM   DISM Provider Store: PID=5984 Getting Provider DISMLogger - CDISMProviderStore::GetProvider
    2020-01-21 19:24:55, Info                  DISM   DISM Provider Store: PID=5984 Provider has previously been initialized.  Returning the existing instance. - CDISMProviderStore::Internal_GetProvider
    2020-01-21 19:24:55, Info                  DISM   DISM.EXE:
    2020-01-21 19:24:55, Info                  DISM   DISM.EXE: <----- Starting Dism.exe session ----->
    2020-01-21 19:24:55, Info                  DISM   DISM.EXE:
    2020-01-21 19:24:55, Info                  DISM   DISM.EXE: Host machine information: OS Version=6.1.7601, Running architecture=x86, Number of processors=1
    2020-01-21 19:24:55, Info                  DISM   DISM.EXE: Executing command line: dism /sysdrivedir /?
    2020-01-21 19:24:55, Info                  DISM   DISM Provider Store: PID=5984 Getting the collection of providers from a local provider store type. - CDISMProviderStore::GetProviderCollection
    2020-01-21 19:24:55, Info                  DISM   DISM Provider Store: PID=5984 Provider has not previously been encountered.  Attempting to initialize the provider. - CDISMProviderStore::Internal_GetProvider
    2020-01-21 19:24:55, Info                  DISM   DISM Provider Store: PID=5984 Loading Provider from location C:\Windows\System32\Dism\WimProvider.dll - CDISMProviderStore::Internal_GetProvider
    2020-01-21 19:24:55, Info                  DISM   DISM Provider Store: PID=5984 Connecting to the provider located at C:\Windows\System32\Dism\WimProvider.dll. - CDISMProviderStore::Internal_LoadProvider
    2020-01-21 19:24:56, Info                  DISM   DISM Provider Store: PID=5984 Provider has not previously been encountered.  Attempting to initialize the provider. - CDISMProviderStore::Internal_GetProvider
    2020-01-21 19:24:56, Info                  DISM   DISM Provider Store: PID=5984 Loading Provider from location C:\Windows\System32\Dism\FolderProvider.dll - CDISMProviderStore::Internal_GetProvider
    2020-01-21 19:24:56, Info                  DISM   DISM Provider Store: PID=5984 Connecting to the provider located at C:\Windows\System32\Dism\FolderProvider.dll. - CDISMProviderStore::Internal_LoadProvider
    2020-01-21 19:24:56, Info                  DISM   DISM Provider Store: PID=5984 Provider has not previously been encountered.  Attempting to initialize the provider. - CDISMProviderStore::Internal_GetProvider
    2020-01-21 19:24:56, Info                  DISM   DISM Provider Store: PID=5984 Loading Provider from location C:\Windows\System32\Dism\CompatProvider.dll - CDISMProviderStore::Internal_GetProvider
    2020-01-21 19:24:56, Info                  DISM   DISM Provider Store: PID=5984 Connecting to the provider located at C:\Windows\System32\Dism\CompatProvider.dll. - CDISMProviderStore::Internal_LoadProvider
    2020-01-21 19:24:56, Info                  DISM   DISM.EXE: Got the collection of providers. Now enumerating them to build the command table.
    2020-01-21 19:24:56, Info                  DISM   DISM.EXE: Attempting to add the commands from provider: WimManager
    2020-01-21 19:24:56, Info                  DISM   DISM.EXE: Getting the help information collection for the provider: WimManager.
    2020-01-21 19:24:56, Info                  DISM   DISM.EXE: Registering information from the help collection from provider: WimManager.
    2020-01-21 19:24:56, Info                  DISM   DISM.EXE: Succesfully registered the Help Item with topic(wimcommands) and category(localtoplevelhelp) for the provider(WimManager).
    2020-01-21 19:24:56, Info                  DISM   DISM.EXE: Succesfully registered the Help Item with topic(cleanup-wim) and category(wimcommands) for the provider(WimManager).
    2020-01-21 19:24:56, Info                  DISM   DISM.EXE: Succesfully registered the Help Item with topic(remount-wim) and category(wimcommands) for the provider(WimManager).
    2020-01-21 19:24:56, Info                  DISM   DISM.EXE: Succesfully registered the Help Item with topic(mount-wim) and category(wimcommands) for the provider(WimManager).
    2020-01-21 19:24:56, Info                  DISM   DISM.EXE: Succesfully registered the Help Item with topic(unmount-wim) and category(wimcommands) for the provider(WimManager).
    2020-01-21 19:24:56, Info                  DISM   DISM.EXE: Succesfully registered the Help Item with topic(commit-wim) and category(wimcommands) for the provider(WimManager).
    2020-01-21 19:24:56, Info                  DISM   DISM.EXE: Succesfully registered the Help Item with topic(get-wiminfo) and category(wimcommands) for the provider(WimManager).
    2020-01-21 19:24:56, Info                  DISM   DISM.EXE: Succesfully registered the Help Item with topic(get-mountedwiminfo) and category(wimcommands) for the provider(WimManager).
    2020-01-21 19:24:56, Info                  DISM   DISM.EXE: Attempting to add the commands from provider: FolderManager
    2020-01-21 19:24:56, Info                  DISM   DISM.EXE: Attempting to add the commands from provider: DISM Log Provider
    2020-01-21 19:24:56, Info                  DISM   DISM.EXE: Attempting to add the commands from provider: Compatibility Manager
    2020-01-21 19:24:56, Info                  DISM   DISM.EXE: Getting the help information collection for the provider: Compatibility Manager.
    2020-01-21 19:24:56, Info                  DISM   DISM.EXE: Image session has been closed. Reboot required=no.
    2020-01-21 19:24:57, Info                  DISM   DISM.EXE:
    2020-01-21 19:24:57, Info                  DISM   DISM.EXE: <----- Ending Dism.exe session ----->
    2020-01-21 19:24:57, Info                  DISM   DISM.EXE:
    2020-01-21 19:24:57, Info                  DISM   DISM Image Session: PID=5984 Disconnecting the provider store - CDISMImageSession::Final_OnDisconnect
    2020-01-21 19:24:57, Info                  DISM   DISM Provider Store: PID=5984 Disconnecting Provider: WimManager - CDISMProviderStore::Internal_DisconnectProvider
    2020-01-21 19:24:57, Info                  DISM   DISM Provider Store: PID=5984 Disconnecting Provider: FolderManager - CDISMProviderStore::Internal_DisconnectProvider
    2020-01-21 19:24:57, Info                  DISM   DISM Provider Store: PID=5984 Found the OSServices.  Waiting to finalize it until all other providers are unloaded. - CDISMProviderStore::Final_OnDisconnect
    2020-01-21 19:24:57, Info                  DISM   DISM Provider Store: PID=5984 Disconnecting Provider: Compatibility Manager - CDISMProviderStore::Internal_DisconnectProvider
    2020-01-21 19:24:57, Info                  DISM   DISM Provider Store: PID=5984 Releasing the local reference to DISMLogger.  Stop logging. - CDISMProviderStore::Internal_DisconnectProvider
    
    :\>
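    The dism.log lines that the cdb session dumps above, and the file listed after it, follow one fixed layout: timestamp, level, component, an optional "source" prefix such as "DISM Provider Store:" or "DISM.EXE:", an optional PID, the message, and a trailing Class::Method (sometimes with an "(hr:0x...)" glued on). As an added example that is not part of blabberer's post or of the DISM tool, here is a small Python parser for that layout, plus a helper that unwraps the `address  "string.."` form that `da` prints so the debugger output can be fed to the same parser. The sample lines are constructed: five are copied from the session above, three are made up (invented timestamp, PID and an "Error" level) to mimic the "Defaulting ..." and "Failed to bind ..." messages quoted later in this thread, and the anomaly filter is a heuristic of my own, not anything DISM defines.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample input (see lead-in): first five lines copied from the cdb session in this
# thread, last three invented to resemble the XP "Defaulting ..." / "Failed to bind ..." messages.
SAMPLE_LOG = r"""
2020-01-21 19:24:55, Info                  DISM   PID=5984 Scratch directory set to 'C:\Users\xx\AppData\Local\Temp\'. - CDISMManager::put_ScratchDir
2020-01-21 19:24:55, Info                  DISM   DISM Provider Store: PID=5984 Found and Initialized the DISM Logger. - CDISMProviderStore::Internal_InitializeLogger
2020-01-21 19:24:55, Info                  DISM   DISM Provider Store: PID=5984 The requested provider was not found in the Provider Store. - CDISMProviderStore::Internal_GetProvider(hr:0x80004005)
2020-01-21 19:24:55, Info                  DISM   DISM.EXE: <----- Starting Dism.exe session ----->
2020-01-21 19:24:55, Info                  DISM   DISM.EXE: Executing command line: dism /sysdrivedir /?
2020-01-21 19:30:01, Info                  DISM   DISM OS Provider: PID=2224 Defaulting SystemPath to c:\ - CDISOSServiceManager::Final_OnConnect
2020-01-21 19:30:01, Info                  DISM   DISM OS Provider: PID=2224 Defaulting Windows folder to C:\Windows - CDISOSServiceManager::Final_OnConnect
2020-01-21 19:30:01, Error                 DISM   DISM OS Provider: PID=2224 Failed to bind the offline servicing stack. Make sure that the Windows directory has been set. - CDISOSServiceManager::Final_OnConnect
"""

# "<timestamp>, <level>  <component>  <body>"
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}), (?P<level>\w+)\s+(?P<component>\S+)\s+(?P<body>.*)$"
)
# "[<source>: ][PID=<n> ]<message>[ - <Class::Method>][(hr:0x...)]"
BODY_RE = re.compile(
    r"^(?:(?P<source>[^:]+?): )?"            # e.g. "DISM Provider Store: " or "DISM.EXE: "
    r"(?:PID=(?P<pid>\d+) )?"                # process id, present on provider-store lines
    r"(?P<msg>.*?)"                          # free text
    r"(?: - (?P<func>\S+?))?"                # " - CClass::Method" trailer
    r"(?:\(hr:(?P<hr>0x[0-9A-Fa-f]+)\))?$"   # optional HRESULT glued to the trailer
)
# '<address>  "<string>"' as printed by the debugger's da command; the ".." at the end is
# the CR LF that da renders as dots. Continuation chunks of strings longer than /c are not
# reassembled here.
DA_RE = re.compile(r'^[0-9A-Fa-f]{8}\s+"(.*)"$')


@dataclass
class LogRecord:
    timestamp: str
    level: str
    component: str
    source: Optional[str]
    pid: Optional[int]
    message: str
    function: Optional[str]
    hresult: Optional[str]


def unwrap_da_line(line: str) -> str:
    """Turn a `da` output line back into the raw log text; other lines pass through unchanged."""
    m = DA_RE.match(line.strip())
    if not m:
        return line
    text = m.group(1)
    return text[:-2] if text.endswith("..") else text


def parse_line(line: str) -> Optional[LogRecord]:
    """Parse one dism.log line (or one da-dumped line); None for ModLoad noise, blanks, etc."""
    m = LINE_RE.match(unwrap_da_line(line).rstrip("\r\n"))
    if not m:
        return None
    b = BODY_RE.match(m["body"])
    assert b is not None  # BODY_RE accepts any string, every group is optional
    return LogRecord(
        timestamp=m["ts"], level=m["level"], component=m["component"],
        source=b["source"], pid=int(b["pid"]) if b["pid"] else None,
        message=b["msg"], function=b["func"], hresult=b["hr"],
    )


def parse_log(text: str) -> List[LogRecord]:
    return [r for r in (parse_line(l) for l in text.splitlines()) if r is not None]


def flag_anomalies(records: List[LogRecord]) -> List[LogRecord]:
    """Heuristic: the lines to read first when DISM picks the wrong Windows directory, i.e.
    anything not logged at Info, anything carrying an HRESULT, and the fallbacks DISM announces
    with 'Defaulting' or 'Failed'."""
    return [
        r for r in records
        if r.level != "Info" or r.hresult is not None
        or r.message.startswith("Defaulting") or r.message.startswith("Failed")
    ]


def count_by_function(records: List[LogRecord]) -> Counter:
    """How many lines each Class::Method wrote; handy for picking a breakpoint target."""
    return Counter(r.function or "<none>" for r in records)


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print(f"{len(recs)} records parsed")
    for r in flag_anomalies(recs):
        print(f"{r.timestamp} {r.level:5} pid={r.pid} {r.function} hr={r.hresult}: {r.message}")
    for func, n in count_by_function(recs).most_common():
        print(f"{n:3}  {func}")
```

    Feeding the parser the raw cdb output instead of dism.log works because `unwrap_da_line` strips the address and the trailing dots; only the first 100-character chunk of a long string survives, as the split help text in the session shows.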

  5. #5
    Blabbs...I was trying to replicate your command line for cdb but it did not like the awk commands at the end. How did you manage to incorporate an awk compiler into Windows?

    I appreciate your effort but maybe I am misleading you through my ignorance of dism. I may be premature with my assumption that tracing into dism will reveal answers.

    Here's more info.

    I removed the awk reference and it ran but it gave me essentially the same o/p I got from running dism /sysdrivedir /? in a command window. It tells me that command cannot be used in the online mode, only with an image. Furthermore, /sysdrivedir refers to the directory of the bootmgr file. If not specified, it defaults to the offline image path. Have no idea what that means. Don't know what bootmgr has to do with it unless they are reading boot.ini to get a system path.

    Part of the problem is that I have essentially no idea what I'm doing with dism. I have used it in the past on W7 to check system health and to load drivers into an image but not in this manner where I am simply trying to verify the integrity of an OS. It's supposed to work and according to sources online it should work. However, how is dism supposed to verify the integrity of an OS unless it has a reference offline OS image with which to compare it? Maybe I am supposed to have the installation disk in the optical drive but I tried and it did not work.

    I have read on this for hours on the Net but most articles are about applying commands, not how or what dism is supposed to do. Even Microsoft is vague on the issue.

    If you use the query: dism /online /? it returns "The following commands may be used to service the image:" Since my query was about an online image, meaning the image of a running OS, I would presume that's what image means. But, no, msoft goes on to talk about offline images. Therefore the distinction between 'online' and 'image' is not clear.

    They give an example:

    DISM.exe /Image:C:\test\offline /Get-Features /?

    When I apply that in a W7 install I get an error: 3 ....Unable to access the image.
    Make sure that the image path and the Windows directory for the image exist and you have Read permissions on the folder.

    I mean, this is using dism as it naturally resides on W7. I'll try it on W10, maybe I can access W7 and/or XP offline through W10.

    You are supposed to be able to use dism in conjunction with System File Checker to clean up an operating OS.

    For example, the command:

    dism /online /cleanup-image /checkhealth

    is supposed to simply check the health of the online OS. So, I ran it on w7 and got an error "The checkhealth option is not recognized in this context. For more information, refer to the help."

    This is maddening. If I run it on XP I get this error: 126...An error occurred while attempting to access the image. The crux of the error in the log file is this:

    DISM OS Provider: PID=2224 Defaulting SystemPath to c:\ - CDISOSServiceManager::Final_OnConnect
    DISM OS Provider: PID=2224 Defaulting Windows folder to C:\Windows - CDISOSServiceManager::Final_OnConnect

    Then it says: Failed to bind the offline servicing stack. Make sure that the Windows directory has been set.

    Then this brilliance [/sarc off]....There were errors when setting the default windows directory to C:/Windows. No kidding!!!!

    Surely the programmers who wrote dism are not that stupid. They have already identified the dism directory as c:\winxp\system32\dism and the windir is stated in the environment variables as c:\winxp.

    I am thinking they are looking for an installation disk or an installation image file with a '.wim' extension. That would explain why they are looking for a windows folder but then it would be in D:\windows on a disk or at a specified image directory.

  6. #6
    Super Moderator
    Join Date
    Dec 2004
    Posts
    1,511
    Blog Entries
    15
    awk is available for windows from gnuwin32 utilities (for x64 awk iirc is available in msys\mingw )

    i am not sure where you get all this info about command lines (the checkhealth is available in windows 10 not in windows 7 and obviously absolutely not in xp)

    in a stock windows 7 dism /online /cleanup-image has only two options /revertpending and /spsuperseded /hidesp

    /revertpending needs an offline image (crap.wim located at say x:\y\z)

    /Cleanup-Image needs an image

    actually there is a system update blah blah that was available for windows 7 which is parent to dism in windows 10



    Code:
    The System Update Readiness Tool verifies the integrity of the following resources:
    
        Files that are located in the following directories:
            %SYSTEMROOT%\Servicing\Packages
            %SYSTEMROOT%\WinSxS\Manifests
        Registry data that is located under the following registry subkeys:
            HKEY_LOCAL_MACHINE\Components
            HKEY_LOCAL_MACHINE\Schema
            HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Component Based Servicing
    
    This list may be updated at any time.
    
    When the System Update Readiness Tool detects incorrect manifests, Cabinets, or registry data, it may replace the incorrect data with a corrected version.
    Logging
    
     
    The System Update Readiness Tool creates a log file that captures any issues that the tool found or fixed. The log file is located here:
    
        %SYSTEMROOT%\Logs\CBS\CheckSUR.log
        %SYSTEMROOT%\Logs\CBS\CheckSUR.persist.log
    
    How to fix errors that are found in the CheckSUR.log

    here is an online (running computer) not an image get-feature /featureinfo result (for the game FreeCell; beware of capitalization: freeCell/Freecell/FR33c311 won't work)



    Code:
    C:\>DISM.exe /online /Get-Featureinfo /FeatureName:FreeCell
    
    Deployment Image Servicing and Management tool
    Version: 6.1.7600.16385
    
    Image Version: 6.1.7601.17514
    
    Feature Information:
    
    Feature Name : FreeCell
    Display Name : FreeCell
    Description : FreeCell
    Restart Required : Possible
    State : Enabled
    
    Custom Properties:
    
    (No custom properties found)
    
    The operation completed successfully.
    
    C:\>
    Last edited by blabberer; January 22nd, 2020 at 01:45.

  7. #7
    Quote Originally Posted by blabberer View Post
    i am not sure where you get all this info about command lines (the checkhealth is available in windows 10 not in windows 7 and obviously absolutely not in xp)
    Number 1 source is ryanvm at link below. That's where I got my unofficial XP SP4 update. They specialize in matters that Microsoft et al claim you cannot do. The page refers you to waik ver 2.0 but I had to look up the Microsoft download archives on wayback to find waik ver 3.0. On the archived Microsoft page they specifically refer to waik 3 as a W7 product and DISM is listed in the description blurb. Link below the other link.

    My reasoning may be skewed but I am presuming waik 3 will work on XP given the proper adjustments. RyanVM seem to think so and their mindset is similar to ours at RCE, that if someone tells you something can't be done, you go and do it anyway. I was dubious as to whether XP would run on my 300-series chipset but I had a gut feeling that it might be possible. I am one of those types who, having a perfectly good OS on a disk, full of good reversing tools, hates to throw it out. They are not script kiddies or anarchists, they seem to be normal people who just like working with software and OSs.

    I loaded waik 3 on XP and it did not protest. DISM runs on XP, just as on W7, without protest, with the exception that it cannot figure out the correct windir path. Turns out I am having similar problems on W7 "BUT" this waik is aimed at W7. Don't think I have that waik loaded on W7, I'll try it and see.

    I do know that I used DISM to load drivers on an XP SP3 image. I pointed it to the directory with several INF files and it processed each INF file one after the other, stopping to ask me if I wanted to load the associated drivers into the image. That's before I discovered nlite. Of course if you use nlite on an XP image it has to be the XP nlite version run in an XP environment. I used XP in a VM and it worked.

    I did have the XP SP3 image loaded on disk with the windows image files available (.wim). There were two of them.

    I am beginning to clue in. Microsoft claims dism can be used both on an OS image, like a wim or vhd, and on an online system, but it seems the primary usage is in dealing with images. However, they expound on the image functions and completely ignore the online aspects. Frustrating. They pass dism off as an image tool whereas many people online are using it in online mode to examine and clean up a live OS. Of course, to do that, dism would need an image with which to compare the live OS or a directory containing downloaded packages, etc.

    I do recall running it once on W7 to verify the SxS directory in conjunction with file checker.

    https://ryanvm.net/forum/viewtopic.php?t=8616

    https://web.archive.org/web/20110804204014/http://www.microsoft.com/download/en/details.aspx?displaylang=en&id=5753

  8. #8
    Discovered part of the problem. XP does not use the wim image format in the install disk. You have to use dism or something called imagex to create a wim file that can be referenced by dism. I presume you create a wim file of XP, store it in a directory, then reference it using a command like:

    Dism /Online /Cleanup-Image /RestoreHealth /Source:d:\test\mount\windows

    where test is the directory containing the wim file. That is likely why dism XP complains about not being able to find the Windows path. It is likely looking for it in an image file.

    I presume then that dism can go about its 'image' business using the xp wim image with which to verify the online installation. Why can't Microsoft just tell you that? What's the big secret?

    According to msoft, you can use dism from a newer OS on an older offline OS. I can see that if you can direct dism to operate on the old OS. You wouldn't want to run it on W10 and have it compare the W10 image to an older OS image. I think that function may be aimed at installing driver packages onto an older OS image.

    Have not tested this yet, must go out for groceries. Sadly, even reversers have to eat.

  9. #9
    The fog lifts a little more. When a straight Dism /online scan is used, Windows checks the current setup online against files in the Windows Update site. If it cannot get online, a directory must be specified where a good wim OS install image is located.

    At the moment, this is not a reversing problem but I may still have to resort to that if DISM does not behave. It's useless for me to attempt 'dism /online' via Windoze Update because I can't get online, and even if I did, there would be no XP files in Windoze update. Furthermore, I need to find a way to convert my windoze XP SP4 install disk to a wim file or a vhd file. But first I need to add some drivers to it. Oddly enough, I may be able to use DISM to do that, although nlite gives a better visual experience.

  10. #10
    Quote Originally Posted by blabberer View Post
    /revertpending needs an offline image (crap.wim located at say x:\y\z)
    I have decided to trace into dism to see what's happening. I'll need to re-familiarize myself with windbg and cdb.

    XP does not have a wim file in its installation folder. W10 has one on the disk in the 'Sources' directory, which seems to be a replacement for the old i386 folder. It has two wim files: install.wim and boot.wim. Since install.wim is over 3 gigs I presume it has the files i386 used to hold. Even W7 has a Sources dir on the install disk that is 3.47 gigs, with boot.wim and install.wim.

    If I could get the XP install disk in that format it might work for dism. That is, convert the live XP installation to a wim format. I think imagex will do it but I'd need a clean XP installation with which to compare mine.

  11. #11
    Thinking about what I'd like to do and would appreciate some input/advice. I am thinking of using windbg rather than cdb because windbg can be set up with registers, etc. So, I'd like to have windbg load dism with a command line to execute like /online /cleanup-image /blah blah. When it loads, I'd like dism to stop at the entry point so I can trace the code. As I go along, I make notes of the functions it calls so next time I trace I can set a BP.

    I know this lacks elegance but I like tracing like that while making notes. It gives me an idea how dism works. I know it will set up a tmp file in Documents and Settings, in the 'temp' directory under user\local settings. So I want to see what it's up to since it loads files (providers) from that tmp file. At the same time, I want to compare what it's doing to the log file to see why it's having trouble with the windir. As I said, that windir may be a windir in an image file it is seeking.

    At the same time, I want to follow its disassembly in IDA. I think I can do that based on my own knowledge of windbg but if anyone has anything to add, please feel free. Don't waste your breath telling me I'm a nutjob.

    For example, a while back, Kayaker pointed out that strings that cannot be found are often in .mui files. I'd never have thought of that.

    BTW...I could use advice on symbol files. I have a lot of XP symbol files saved from past work and they might come in handy for kernel-mode modules. However, I am using a W7 version of dism and I may need to point it to my W7 stash. Obviously, I cannot get online to the symbol server so I need to do it locally.

  12. #12
    Super Moderator
    Join Date
    Dec 2004
    Posts
    1,511
    Blog Entries
    15
    open windbg.exe
    click file->open Executable
    Navigate to folder containing dism.exe
    in the arguments editbox type in the command line you wish
    (i have already stated win7 x86 dism.exe does not have /online /cleanup-image /check-health but you can confirm it yourself)
    see image below for visuals (i use /online /get-TargetEditions; since i am running pro, dism will return that i can target ultimate edition)
    [image: windbg.JPG]

    once windbg opens and stops in SystemBreakpoint (ntdll!LdrpDoDebuggerBreak())

    you can query the entry point using ? @$exentry

    this should return the value in PeHeader->AddressOfEntryPoint

    at this point you may load an instance in your favourite disassembler and rebase to the address windbg has loaded
    so as to have synchronous addresses

    now if you issue g @$exentry windbg will execute all the system code silently and will stop in dism!_WinCrtMain

    if you have your symbols setup properly you can skip the crt initialisation code also using g dism!wmain

    wmain() is the actual code

    if you issue wt -m dism -l 3 -oR -oa, windbg will trace the whole wmain and will give you notes including call address / return values / summary; you can change the depth of tracing by changing the -l 3 to -l 6 to log six levels deep

    here is an -l 3 dism module only trace (set your bps where you want)


    Code:
    0:000> wt -m dism -l 2 -oR -oa
    Tracing Dism!wmain to return address 0079a18f
       10     0 [  0] Dism!wmain
                          call at 0078dea6 
       36     0 [  1]   kernel32!SetThreadUILanguage eax = 409
       12    36 [  0] Dism!wmain
                          call at 0078deae 
        5     0 [  1]   kernel32!SetErrorModeStub
        1     0 [  1]   kernel32!SetErrorMode
       25     0 [  1]   KERNELBASE!SetErrorMode eax = 1
       15    67 [  0] Dism!wmain
                          call at 0078debb 
       25     0 [  1]   kernel32!SetConsoleCtrlHandler eax = 1
       19    92 [  0] Dism!wmain
                          call at 0078deca 
        3     0 [  1]   Dism!CCmdlineProcessor::Run
                            call at 0078dad8 
       18     0 [  2]     Dism!_EH_prolog3_catch eax = 21fb60
        7    18 [  1]   Dism!CCmdlineProcessor::Run
                            call at 0078dae8 
       56     0 [  2]     Dism!CDismConfig::CDismConfig eax = 21fa58
       11    74 [  1]   Dism!CCmdlineProcessor::Run
                            call at 0078daf8 
       25     0 [  2]     Dism!CDismWrapper::CDismWrapper eax = 21fadc
       16    99 [  1]   Dism!CCmdlineProcessor::Run
                            call at 0078db0a 
       16     0 [  2]     Dism!ATL::CSimpleStringT<unsigned short,0>::CSimpleStringT<unsigned short,0> eax = 21fb58
       20   115 [  1]   Dism!CCmdlineProcessor::Run
                            call at 0078db17 
       16     0 [  2]     Dism!ATL::CSimpleStringT<unsigned short,0>::CSimpleStringT<unsigned short,0> eax = 21fb54
       29   131 [  1]   Dism!CCmdlineProcessor::Run
                            call at 0078db32 
       91     0 [  2]     Dism!CCmdlineProcessor::IsDefaultLanguageSpecified eax = 0
       38   222 [  1]   Dism!CCmdlineProcessor::Run
                            call at 0078db62 
       11     0 [  2]     Dism!operator new eax = 551758
       44   233 [  1]   Dism!CCmdlineProcessor::Run
                            call at 0078db6f 
       12     0 [  2]     Dism!CMessageWrapper::CMessageWrapper eax = 551758
       52   245 [  1]   Dism!CCmdlineProcessor::Run
                            call at 0078dbcc 
       27     0 [  2]     Dism!CMessageWrapper::Initialize eax = 0
       58   272 [  1]   Dism!CCmdlineProcessor::Run
                            call at 0078dbe4 
       11     0 [  2]     Dism!operator new eax = 551780
       66   283 [  1]   Dism!CCmdlineProcessor::Run
                            call at 0078dbf8 
        4     0 [  2]     Dism!CConsoleWriter::CConsoleWriter eax = 551780
       74   287 [  1]   Dism!CCmdlineProcessor::Run
                            call at 0078dc53 
        9     0 [  2]     Dism!CConsoleWriter::Initialize eax = 0
       80   296 [  1]   Dism!CCmdlineProcessor::Run
                            call at 0078dc6b 
       11     0 [  2]     Dism!operator new eax = 554d70
       89   307 [  1]   Dism!CCmdlineProcessor::Run
                            call at 0078dc82 
       18     0 [  2]     Dism!CErrorHelper::CErrorHelper eax = 554d70
       97   325 [  1]   Dism!CCmdlineProcessor::Run
                            call at 0078dca9 
       10     0 [  2]     Dism!CDismConfig::Initialize eax = 0
      104   335 [  1]   Dism!CCmdlineProcessor::Run
                            call at 0078dd09 
    ModLoad: 58b60000 58bb2000   C:\Windows\System32\Dism\DismCore.dll
    ModLoad: 57c80000 57cb2000   C:\Windows\System32\wdscore.dll
       42     0 [  2]     Dism!CDismWrapper::Load eax = 0
      113   377 [  1]   Dism!CCmdlineProcessor::Run
                            call at 0078dd27 
      176     0 [  2]     Dism!CCmdlineProcessor::ParseCommandLine eax = 0
      118   553 [  1]   Dism!CCmdlineProcessor::Run
                            call at 0078dd52 
        2     0 [  2]     Dism!CDismConfig::get_IsQuietSpecified eax = 0
      123   555 [  1]   Dism!CCmdlineProcessor::Run
                            call at 0078dd77 
       63     0 [  2]     Dism!GetRunningExeVersion eax = 0
      130   618 [  1]   Dism!CCmdlineProcessor::Run
                            call at 0078dd8a 
       13     0 [  2]     Dism!CConsoleWriter::WriteString eax = 0
      139   631 [  1]   Dism!CCmdlineProcessor::Run
                            call at 0078ddcc 
    ModLoad: 6be50000 6be60000   C:\Windows\System32\Dism\DismCorePS.dll
    ModLoad: 754f0000 75573000   C:\Windows\system32\CLBCatQ.DLL
    ModLoad: 74b70000 74b86000   C:\Windows\System32\CRYPTSP.dll
    ModLoad: 74910000 7494b000   C:\Windows\system32\rsaenh.dll
    ModLoad: 750b0000 750be000   C:\Windows\System32\RpcRtRemote.dll
    ModLoad: 70d40000 70e2b000   C:\Windows\system32\dbghelp.dll
    ModLoad: 56840000 56886000   C:\Windows\System32\Dism\dismprov.dll
    PID=5076 Instantiating the Provider Store. - CDISMImageSession::get_ProviderStore
    PID=5076 Initializing a provider store for the LOCAL session type. - CDISMProviderStore::Final_OnConnect
    PID=5076 Attempting to initialize the logger from the Image Session. - CDISMProviderStore::Final_OnConnect
    PID=5076 Provider has not previously been encountered.  Attempting to initialize the provider. - CDISMProviderStore::Internal_GetProvider
    PID=5076 Loading Provider from location C:\Windows\System32\Dism\LogProvider.dll - CDISMProviderStore::Internal_GetProvider
    ModLoad: 58b30000 58b58000   C:\Windows\System32\Dism\LogProvider.dll
    PID=5076 Connecting to the provider located at C:\Windows\System32\Dism\LogProvider.dll. - CDISMProviderStore::Internal_LoadProvider
    PID=5076 Getting Provider OSServices - CDISMProviderStore::GetProvider
    PID=5076 The requested provider was not found in the Provider Store. - CDISMProviderStore::Internal_GetProvider(hr:0x80004005)
    PID=5076 Failed to get an OSServices provider. Must be running in local store. Falling back to checking alongside the log provider for wdscore.dll. - CDISMLogger::FindWdsCore(hr:0x80004005)
       88     0 [  2]     Dism!CCmdlineProcessor::InitializeDism eax = 0
      146   719 [  1]   Dism!CCmdlineProcessor::Run
                            call at 0078dde1 
       31     0 [  2]     Dism!CDismConfig::Validate eax = 0
      155   750 [  1]   Dism!CCmdlineProcessor::Run
                            call at 0078de20 
    ModLoad: 58a60000 58a80000   C:\Windows\System32\Dism\FolderProvider.dll
    ModLoad: 74ff0000 7503c000   C:\Windows\system32\apphelp.dll
    ModLoad: 004d0000 004fe000   dismhost.exe
      220     0 [  2]     Dism!CCmdlineProcessor::ProcessCommandLine eax = 0
      162   970 [  1]   Dism!CCmdlineProcessor::Run
                            call at 0078de37 
       57     0 [  2]     Dism!CCmdlineProcessor::CloseAndCheckForRestart eax = 0
      169  1027 [  1]   Dism!CCmdlineProcessor::Run
                            call at 0078de48 
       46     0 [  2]     Dism!CLogWrapper::WriteLogFooter eax = 0
      173  1073 [  1]   Dism!CCmdlineProcessor::Run
                            call at 0078de56 
    PID=5076 Encountered a loaded provider DISMLogger. - CDISMProviderStore::Internal_DisconnectProvider
    PID=5076 Disconnecting Provider: DISMLogger - CDISMProviderStore::Internal_DisconnectProvider
        7     0 [  2]     Dism!CCmdlineProcessor::Cleanup eax = 0
      178  1080 [  1]   Dism!CCmdlineProcessor::Run
                            call at 0078de63 
       11     0 [  2]     Dism!CErrorHelper::DisplayError eax = 0
      181  1091 [  1]   Dism!CCmdlineProcessor::Run
                            call at 0078de6b 
       10     0 [  2]     Dism!CCmdlineProcessor::HresultToWin32 eax = 0
      185  1101 [  1]   Dism!CCmdlineProcessor::Run
                            call at 0078de78 
       12     0 [  2]     Dism!ATL::CStringData::Release eax = 1
      188  1113 [  1]   Dism!CCmdlineProcessor::Run
                            call at 0078de83 
        7     0 [  2]     Dism!ATL::CStringData::Release eax = 7c4e24
      192  1120 [  1]   Dism!CCmdlineProcessor::Run
                            call at 0078dc31 
       68     0 [  2]     Dism!CDismWrapper::~CDismWrapper eax = 6
      195  1188 [  1]   Dism!CCmdlineProcessor::Run
                            call at 0078dc40 
       33     0 [  2]     Dism!CDismConfig::~CDismConfig
        7     0 [  2]     Dism!ATL::CStringData::Release eax = 7c4e24
      198  1228 [  1]   Dism!CCmdlineProcessor::Run
                            call at 0078dbba 
       11     0 [  2]     Dism!_EH_epilog3 eax = 0
      199  1239 [  1]   Dism!CCmdlineProcessor::Run eax = 0
       21  1530 [  0] Dism!wmain
    
    1551 instructions were executed in 1550 events (0 from other threads)
    
    Function Name                               Invocations MinInst MaxInst AvgInst
    Dism!ATL::CSimpleStringT<unsigned short,0>::CSi       2      16      16      16
    Dism!ATL::CStringData::Release                        3       7      12       8
    Dism!CCmdlineProcessor::Cleanup                       1       7       7       7
    Dism!CCmdlineProcessor::CloseAndCheckForRestart       1      57      57      57
    Dism!CCmdlineProcessor::HresultToWin32                1      10      10      10
    Dism!CCmdlineProcessor::InitializeDism                1      88      88      88
    Dism!CCmdlineProcessor::IsDefaultLanguageSpecif       1      91      91      91
    Dism!CCmdlineProcessor::ParseCommandLine              1     176     176     176
    Dism!CCmdlineProcessor::ProcessCommandLine            1     220     220     220
    Dism!CCmdlineProcessor::Run                           1     199     199     199
    Dism!CConsoleWriter::CConsoleWriter                   1       4       4       4
    Dism!CConsoleWriter::Initialize                       1       9       9       9
    Dism!CConsoleWriter::WriteString                      1      13      13      13
    Dism!CDismConfig::CDismConfig                         1      56      56      56
    Dism!CDismConfig::Initialize                          1      10      10      10
    Dism!CDismConfig::Validate                            1      31      31      31
    Dism!CDismConfig::get_IsQuietSpecified                1       2       2       2
    Dism!CDismConfig::~CDismConfig                        1      33      33      33
    Dism!CDismWrapper::CDismWrapper                       1      25      25      25
    Dism!CDismWrapper::Load                               1      42      42      42
    Dism!CDismWrapper::~CDismWrapper                      1      68      68      68
    Dism!CErrorHelper::CErrorHelper                       1      18      18      18
    Dism!CErrorHelper::DisplayError                       1      11      11      11
    Dism!CLogWrapper::WriteLogFooter                      1      46      46      46
    Dism!CMessageWrapper::CMessageWrapper                 1      12      12      12
    Dism!CMessageWrapper::Initialize                      1      27      27      27
    Dism!GetRunningExeVersion                             1      63      63      63
    Dism!_EH_epilog3                                      1      11      11      11
    Dism!_EH_prolog3_catch                                1      18      18      18
    Dism!operator new                                     3      11      11      11
    Dism!wmain                                            1      21      21      21
    KERNELBASE!SetErrorMode                               1      25      25      25
    kernel32!SetConsoleCtrlHandler                        1      25      25      25
    kernel32!SetErrorMode                                 1       1       1       1
    kernel32!SetErrorModeStub                             1       5       5       5
    kernel32!SetThreadUILanguage                          1      36      36      36
    
    0 system calls were executed
    
    eax=00000000 ebx=00000000 ecx=0078dbbf edx=00000003 esi=00000001 edi=007dd3e8
    eip=0079a18f esp=0021fb90 ebp=0021fbcc iopl=0         nv up ei pl nz na pe nc
    cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000206
    Dism!_initterm_e+0x163:
    0079a18f 83c40c          add     esp,0Ch
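Added example, not part of blabberer's post or of the WinDbg tooling: a small Python parser for the wt output above. wt re-prints a frame's line with a running instruction count each time control returns to it, and the closing table is built from the last count seen for each invocation; the script reproduces that table from the raw trace, sums the "instructions were executed" figure, and lists every call whose eax (printed by -oR) has the HRESULT failure bit set, which is the quickest way to narrow down where a provider or windir lookup fails once you trace deeper than -l 2. The sample input is a constructed, cut-down copy of the trace shown above with a ModLoad line and one hypothetical failing call appended (Dism!Hypothetical::FindWindir is not a real dism.exe symbol) to exercise the noise filter and the HRESULT check.

```python
import re
from collections import defaultdict

# One "wt" progress line, e.g.
#   "   36     0 [  1]   kernel32!SetThreadUILanguage eax = 409"
# col 1: instructions executed so far in this invocation of the function
# col 2: instructions executed so far by its callees
# [n]  : call depth; then the symbol, and "eax = <hex>" once it has returned
_WT_LINE = re.compile(
    r"^\s*(\d+)\s+(\d+)\s+\[\s*(\d+)\]\s+(.*?)(?:\s+eax\s*=\s*([0-9A-Fa-f]+))?\s*$"
)


def parse_wt(text):
    """Return one (function, instructions, depth, eax) tuple per invocation.

    The last line seen for an invocation carries its final count (the number
    wt's summary table reports).  A new invocation at the same depth shows up
    as a different symbol or as a count that went backwards.
    """
    frames = {}          # depth -> [function, running count, eax or None]
    finished = []

    def close(depth):
        func, count, eax = frames.pop(depth)
        finished.append((func, count, depth, eax))

    for line in text.splitlines():
        m = _WT_LINE.match(line)
        if not m:
            continue     # "call at ...", ModLoad:, DISM log noise, register dump
        count, _, depth, func, eax = m.groups()
        count, depth = int(count), int(depth)
        for d in sorted((d for d in frames if d > depth), reverse=True):
            close(d)     # deeper frames have returned
        cur = frames.get(depth)
        if cur is not None and (cur[0] != func or cur[1] > count):
            close(depth)  # sibling call at the same depth (or a count reset)
            cur = None
        if cur is None:
            frames[depth] = [func, count, None]
        else:
            cur[1] = count
        if eax is not None:
            frames[depth][2] = int(eax, 16)
    for d in sorted(frames, reverse=True):
        close(d)
    return finished


def summarize(invocations):
    """Per-function (Invocations, MinInst, MaxInst, AvgInst), like wt's table."""
    by_func = defaultdict(list)
    for func, count, _, _ in invocations:
        by_func[func].append(count)
    return {f: (len(c), min(c), max(c), sum(c) // len(c)) for f, c in by_func.items()}


def total_instructions(invocations):
    """The 'N instructions were executed' figure: sum of every invocation's count."""
    return sum(count for _, count, _, _ in invocations)


def failed_hresults(invocations):
    """Invocations whose eax has the HRESULT failure bit set.

    Only a hint: -oR prints eax for every return and constructors return
    'this', so a pointer above 0x80000000 would be listed as well.
    """
    return [(f, f"0x{eax:08x}") for f, _, _, eax in invocations
            if eax is not None and eax & 0x80000000]


# Constructed sample: the start of the trace above, cut short, plus a ModLoad
# line and one HYPOTHETICAL failing call (Dism!Hypothetical::FindWindir is not a
# real symbol) so the noise filter and failed_hresults have something to do.
SAMPLE = r"""
0:000> wt -m dism -l 2 -oR -oa
Tracing Dism!wmain to return address 0079a18f
   10     0 [  0] Dism!wmain
                      call at 0078dea6
   36     0 [  1]   kernel32!SetThreadUILanguage eax = 409
   12    36 [  0] Dism!wmain
                      call at 0078deae
    5     0 [  1]   kernel32!SetErrorModeStub
    1     0 [  1]   kernel32!SetErrorMode
   25     0 [  1]   KERNELBASE!SetErrorMode eax = 1
   15    67 [  0] Dism!wmain
                      call at 0078debb
   25     0 [  1]   kernel32!SetConsoleCtrlHandler eax = 1
   19    92 [  0] Dism!wmain
                      call at 0078deca
    3     0 [  1]   Dism!CCmdlineProcessor::Run
                        call at 0078dad8
   18     0 [  2]     Dism!_EH_prolog3_catch eax = 21fb60
    7    18 [  1]   Dism!CCmdlineProcessor::Run
                        call at 0078dae8
   56     0 [  2]     Dism!CDismConfig::CDismConfig eax = 21fa58
   11    74 [  1]   Dism!CCmdlineProcessor::Run
ModLoad: 58b60000 58bb2000   C:\Windows\System32\Dism\DismCore.dll
   40     0 [  2]     Dism!Hypothetical::FindWindir eax = 80004005
  199  1239 [  1]   Dism!CCmdlineProcessor::Run eax = 0
   21  1530 [  0] Dism!wmain
"""

if __name__ == "__main__":
    calls = parse_wt(SAMPLE)
    print(f"{'Function Name':<45} Invocations MinInst MaxInst AvgInst")
    for func, (n, lo, hi, avg) in sorted(summarize(calls).items()):
        print(f"{func:<45} {n:>11} {lo:>7} {hi:>7} {avg:>7}")
    print(f"\n{total_instructions(calls)} instructions were executed")
    print("failed HRESULTs:", failed_hresults(calls))
```

To use it on a real session, copy the wt output into a file and pass its contents to parse_wt(); the DISM log runs that the logger writes to the debugger output stream (the PID=... lines in the trace above) and the ModLoad lines never match the line pattern, so they drop out without special handling.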

  13. #13
    Thanks, Blabbs...that's far more than I expected. Invaluable. I played with it last night and got to the INT 3 at 7c90120e followed by a ret @ 7c90120f. That was in the disassembly screen. I opened a register window and a stack window and saw that I was in ntdll.dll. I began single-stepping, examining any calls and deciding whether to step over them or not. I stepped over one that seemed harmless and got a bsod with 0x50. It was late so I packed it up.

    Anyway, armed with the info in your last post I will go at it again with the proper command line. I am aware of your advice re the command lines. This is the stuff I enjoy doing and I need to get windbg set up again like I had it before, with the different windows arranged in a workspace. Also, need to re-familiarize myself with the various commands. It's easier the second time around.

  14. #14
    More detail later. Just ran your commands from post above and they ran successfully on W7 dism. Got a huge amount of detail. Running dism in a cmd window with same command line tells me: The current edition cannot be upgraded to any target editions.

    I am using the same dism on XP but I don't have the symbols for dism or dismcore or logprovider. I got pdb files for all three and transferred them verbatim to the XP symbol store. However, dism on XP is looking for a different key code.

    eg. on W7, dism.pdb is listed under EF13480920E241AFBC390A2E53385EF51 whereas on XP, windbg is looking for FC16251BCD464911ABACF246B69F65021.

    ***********
    OK....found a way to get a few of them using the command:

    "C:\Program Files (x86)\Windows Kits\10\Debuggers\x86\symchk.exe" /r c:\windows /s SRV*c:\symbols\*http://msdl.microsoft.com/download/symbols

    changed to http so it won't appear as a hyperlink. Just change the xx to tt. Well...just a minute, when I enter the xx the system corrects it to tt and doesn't produce a hyperlink. Wait another minute, now the hyperlink is back.

    The c:\windows is the directory containing the files you want checked, and the c:\symbols is the directory to store any retrieved pdb files.

    I copied a bunch of files from system32 from my XP installation to my win7 disk, which has the internet. Inserted them in a directory tmp5 instead of c:\windows as above. Opened a command window at C:\Program Files (x86)\Windows Kits\10\Debuggers\x86\symchk.exe, and entered the command above as:

    symchk /r c:\tmp5 /s SRV*c:\tmp6\*http://msdl.microsoft.com/download/symbols

    Hit enter and lo and behold it filled my tmp6 directory with the right XP symbols, all with the right codes.

    Got the key core kernel files including ntoskrnl, ntdll, win32k, ole, advapi, etc. Even got the proper pdb for dism.

    Created a directory, tmp6, and used it in place of the last c:\windows before SRV.

    The only files that failed to d/l were user32 and kdcom.dll.

    ************

    Incidentally, if I run dism on xp from the waik package, the moment the cmd window opens in wdbg, I get a bsod 0x50 related to win32k.sys. Error = PAGE_FAULT_IN_NONPAGED_AREA.

    Oddly, If I run the dism I stole from W7, I don't get the page fault. Of course, I have not run the full code. I may get one eventually.

    Actually, I just ran it without the command you provided, just the /online /get-targeteditions, and I got the same error I always get. Will pursue this later.

    Thanks again, for your tute, like I said, invaluable.
    Last edited by WaxfordSqueers; January 26th, 2020 at 23:36.
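Added example, not part of WaxfordSqueers's post or of the Debugging Tools: the two keys quoted above are the PDB GUID and Age that each dism.exe build carries in its CodeView (RSDS) debug record, and symchk/symsrv request dism.pdb\<GUID><Age>\dism.pdb from the store, so a dism.pdb with a different GUID/Age is never loaded even though the file name matches. This Python script reads that record straight out of a binary, prints the store-relative path the debugger will ask for, and checks a local store for it. The sample images are constructed byte strings (padding and a decoy around RSDS records built from the two keys in the post), not real PE files, and scanning for the "RSDS" magic is a shortcut that does not walk IMAGE_DEBUG_DIRECTORY; it is good enough to learn which key a binary wants.

```python
import struct
import uuid

RSDS_MAGIC = b"RSDS"


def parse_rsds(blob):
    """Decode a CodeView RSDS record: 'RSDS', GUID (16 bytes, stored in the
    usual mixed-endian Windows GUID layout), Age (u32), NUL-terminated PDB path."""
    if blob[:4] != RSDS_MAGIC:
        raise ValueError("not an RSDS record")
    guid = uuid.UUID(bytes_le=bytes(blob[4:20]))
    age = struct.unpack_from("<I", blob, 20)[0]
    end = blob.index(b"\x00", 24)
    pdb_path = bytes(blob[24:end]).decode("utf-8", "replace")
    return guid, age, pdb_path


def symstore_key(guid, age):
    """The folder name symsrv/symchk ask for: 32 upper-case GUID hex digits
    followed by Age in hex, e.g. EF13480920E241AFBC390A2E53385EF51."""
    return f"{guid.hex.upper()}{age:X}"


def symstore_path(pdb_path, guid, age):
    r"""Store-relative location <pdb>/<key>/<pdb>, i.e. c:\symbols\dism.pdb\<key>\dism.pdb."""
    name = pdb_path.replace("\\", "/").rsplit("/", 1)[-1]
    return f"{name}/{symstore_key(guid, age)}/{name}"


def find_rsds_records(data):
    """Scan a raw file image for RSDS records (no PE header walk)."""
    found = []
    pos = data.find(RSDS_MAGIC)
    while pos != -1:
        try:
            guid, age, pdb_path = parse_rsds(data[pos:pos + 24 + 260])
            if pdb_path.lower().endswith(".pdb"):
                found.append((pos, guid, age, pdb_path))
        except (ValueError, struct.error):
            pass          # stray "RSDS" bytes that are not a record
        pos = data.find(RSDS_MAGIC, pos + 1)
    return found


def symbol_paths(data):
    """Store-relative PDB paths the debugger will request for this image."""
    return [symstore_path(p, g, a) for _, g, a, p in find_rsds_records(data)]


def missing_symbols(data, store_root, exists):
    """Paths absent from a local store; 'exists' is injected (os.path.exists
    in real use) so the check also runs against constructed data."""
    root = store_root.rstrip("/\\")
    return [p for p in symbol_paths(data)
            if not exists((root + "/" + p).replace("\\", "/"))]


def make_rsds(guid_text, age, pdb_path):
    """Build a record; used here only to construct the sample images."""
    return (RSDS_MAGIC + uuid.UUID(guid_text).bytes_le
            + struct.pack("<I", age) + pdb_path.encode() + b"\x00")


# Constructed sample "images": not real PE files, just padding and a decoy
# around RSDS records built from the two keys quoted in the post.
W7_IMAGE = (b"MZ" + b"\x00" * 64 + b"RSDS is just text here" + b"\x00" * 8
            + make_rsds("EF134809-20E2-41AF-BC39-0A2E53385EF5", 1, "dism.pdb")
            + b"\x00" * 16)
XP_IMAGE = (b"MZ" + b"\x00" * 64
            + make_rsds("FC16251B-CD46-4911-ABAC-F246B69F6502", 1, r"c:\build\dism.pdb")
            + b"\x00" * 16)

if __name__ == "__main__":
    for label, image in (("W7 dism.exe", W7_IMAGE), ("XP dism.exe", XP_IMAGE)):
        for off, guid, age, pdb in find_rsds_records(image):
            print(f"{label}: RSDS at 0x{off:x} -> {symstore_path(pdb, guid, age)}")
```

With a real file the call is missing_symbols(open(r"c:\tmp5\dism.exe", "rb").read(), r"c:\tmp6", os.path.exists); windbg prints the same request path itself if you run !sym noisy before .reload, which is the fastest way to confirm which of the two keys a given copy of dism.exe is asking for.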

  15. #15
    Kayaker
    Teach, Not Flame
    Join Date
    Oct 2000
    Posts
    4,124
    Blog Entries
    5
    Quote Originally Posted by WaxfordSqueers View Post
    "C:\Program Files (x86)\Windows Kits\10\Debuggers\x86\symchk.exe" /r c:\windows /s SRV*c:\symbols\*http://msdl.microsoft.com/download/symbols

    changed to http so it won't appear as a hyperlink. Just change the xx to tt. Well...just a minute, when I enter the xx the system corrects it to tt and doesn't produce a hyperlink. Wait another minute, now the hyperlink is back.
    Lol, one of the many modifications I made to this forum

    Code:
    <style name="vB4 Default Style" vbversion="4.1.0" product="vbulletin" type="custom">
        <templategroup name="Replacement Var Special Templates">
            <template name="hx xp" templatetype="replacement" date="0" username="" version=""><![CDATA[http]]></template>
            ...
        </templategroup>
    People used to routinely replace tt with xx in http links with the idea to not have them refer back to perceived cracking posts. I got tired of this and in an attempt to validate this place as Not-a-cracking forum I made the change. In fact I can't even paste the original code without modifying to hx xp.

    You didn't think the forum code was immune to reversing too did you?
