DISM

All-in-one reversing related discussions
WaxfordSqueers
Senior Member
Posts: 1000
Joined: Tue Apr 06, 2004 11:00 am

DISM

Post by WaxfordSqueers »

Thought I'd do a quick query re DISM and the possibility of tracing through its code. Came across an article on the Net showing how to set up DISM on XP using the DISM files from W7. Not too sure how well that would work since the applications of DISM I have seen on XP were fairly primitive.

Anyway, when I run DISM from the command prompt in XP it claims (in the log file) it cannot find the Windows directory, therefore it is presuming C:\Windows. My windir is C:\winxp and DISM refers to it a few steps earlier in the log as such, mainly because dism.exe is in windir\system32 and its files are in windir\system32\dism. I mean, it couldn't even start if it did not know where it was located, or its files.

It uses 'providers' to find the windir path and they can't find it. My path is set in the environment variables and the windir is indicated as c:\winxp.

So, I need to trace into dism to see why the provider cannot find the windir. I have never tried a command line app with windbg, never mind a system utility. Should I encounter any problems doing so? Is kernel mode the best or maybe one of the other debuggers?
blabberer
Senior Member
Posts: 1535
Joined: Wed Dec 08, 2004 11:12 am

Post by blabberer »

Not sure what you want to debug
dism takes an argument to windir /WINDIR:[email protected]

if there is a messagebox/dialog, anything that is blocking waiting for user input,
maybe just attach windbg/xxxdbg, break and look at the callstack, maybe??

ok, this is not a GUI app but console mode, so no blocking message boxes

you need to know where to set breakpoints

logfile create break (if-exists condition)

0:000> !fnproto
no of entries = 1 757fa768
 
 
[CSP + 00 ] [       CreateFileW(Num Args = 07) Returns to ] = 75d9e8ef
[ESP + 04] [ __in LPCWSTR lpFileName                     ] = 00280b34  C:\Windows\Logs\DISM\dism.log
[ESP + 08] [ __in DWORD dwDesiredAccess                  ] = c0000000
[ESP + 0c] [ __in DWORD dwShareMode                      ] = 00000003
[ESP + 10] [ __in_opt LPSECURITY_ATTRIBUTES lpSecurityAt ] = 00000000
[ESP + 14] [ __in DWORD dwCreationDisposition            ] = 00000004
[ESP + 18] [ __in DWORD dwFlagsAndAttributes             ] = 00000080
[ESP + 1c] [ __in_opt HANDLE hTemplateFile )             ] = 00000000
0:000> kb
 # ChildEBP RetAddr  Args to Child              
00 000af754 75d9e8ef 00280b34 c0000000 00000003 KERNELBASE!CreateFileW
01 000af780 57584ee7 00280b34 c0000000 00000003 kernel32!CreateFileWImplementation+0x69
02 000af7a8 57585b60 001a4cb4 00280b34 07db402b DismCore!IDismConfigurationImpl::put_logFile+0x3b
03 000afa18 575863f7 07db4073 001a4cb0 001a4cd0 DismCore!CDISMManager::CreateLocalImageSession+0x28a
04 000afa40 57586c90 00000000 00000000 001a4cd0 DismCore!CDISMManager::get_LocalImageSession+0x93
05 000afa5c 575823c4 001a4cd0 000afb7c 00000000 DismCore!CDISMManager::GetLocalProviderStore+0x2e
06 000afb84 00762088 001a4cd0 000afbac 0b271a31 DismCore!CDISMManager::get_Logger+0x23
07 000afbc8 00762e46 000afc6c 001a2798 0b271dd1 Dism!CDismWrapper::SetupLogging+0xf7
08 000afc28 0075bf57 000afc6c 000afc68 00000000 Dism!CDismWrapper::Initialize+0x192
09 000afc7c 0075c3f6 000afd34 000afcb0 80070057 Dism!CCmdlineProcessor::InitializeDism+0x152
0a 000afc90 0075dd47 000afd34 000afcb0 0b271c3d Dism!CCmdlineProcessor::LogEarlyParseFailure+0x13
0b 000afdc4 0075decf 00000002 001a1758 00000000 Dism!CCmdlineProcessor::Run+0x279
0c 000afde0 0076a18f 00000002 001a1758 001a3978 Dism!wmain+0x3d
0d 000afe24 75d9ed6c 7ffdf000 000afe70 776837eb Dism!_initterm_e+0x163
0e 000afe30 776837eb 7ffdf000 7726dd79 00000000 kernel32!BaseThreadInitThunk+0xe
0f 000afe70 776837be 0076a2c0 7ffdf000 00000000 ntdll!__RtlUserThreadStart+0x70
10 000afe88 00000000 0076a2c0 7ffdf000 00000000 ntdll!_RtlUserThreadStart+0x1b
write break

[CSP + 00 ] [         WriteFile(Num Args = 05) Returns to ] = 75da543c
[ESP + 04] [ __in HANDLE hFile                           ] = 000000f8
[ESP + 08] [ __in_bcount_opt(nNumberOfBytesToWrite) LPCV ] = 00285d58
[ESP + 0c] [ __in DWORD nNumberOfBytesToWrite            ] = 000000a0
[ESP + 10] [ __out_opt LPDWORD lpNumberOfBytesWritten    ] = 000af440
[ESP + 14] [ __inout_opt LPOVERLAPPED lpOverlapped )     ] = 00000000
0:000> !handle poi(@esp+4)
Handle f8
  Type         	File
0:000> dc poi(@esp+8)
00285d58  30323032 2d31302d 31203132 35353a37  2020-01-21 17:55
00285d68  2c32353a 666e4920 2020206f 20202020  :52, Info       
00285d78  20202020 20202020 44202020 204d5349             DISM 
00285d88  49502020 37353d44 53203639 65636375    PID=5796 Succe
00285d98  75667373 20796c6c 64616f6c 74206465  ssfully loaded t
00285da8  49206568 6567616d 73736553 206e6f69  he ImageSession 
00285db8  22207461 575c3a43 6f646e69 535c7377  at "C:\Windows\S
00285dc8  65747379 5c32336d 6d736944 202d2022  ystem32\Dism" - 
0:000> kb
 # ChildEBP RetAddr  Args to Child              
00 000af3ec 75da543c 000000f8 00285d58 000000a0 KERNELBASE!WriteFile
01 000af408 58f1c42d 000000f8 00285d58 000000a0 kernel32!WriteFileImplementation+0x76
02 000af424 58f1cedd 000000f8 00285d58 000000a0 wdscore!WriteFileWin32+0x19
03 000af444 58f1e56a 00285d58 000000a0 00280890 wdscore!CSharedAccessFile::Append+0x2d
04 000af464 58f1b29a 001a617c 07d8a359 001a6178 wdscore!CFileDevice::Process+0x5a
05 000af4a4 58f1b478 07d8a315 00000000 58f01b30 wdscore!CLogManager::WdsSetupLogMessageW+0xa6
06 000af4e8 58f18cb9 001a6178 00000011 57575c90 wdscore!CLogManager::LogA+0x17c
07 000af678 5758cd80 00289e00 000b8000 57575c90 wdscore!WdsSetupLogMessageA+0x18d
08 000af6e0 57581dc2 001a4dc8 000b8000 00000003 DismCore!CPanther::WdsSetupLogMessageW+0xce
09 000af728 575848f4 001a4cb0 00000003 57571d84 DismCore!CDISMManager::WriteLogEntry+0xad
0a 000af790 57585dc1 00289d80 00000000 00000001 DismCore!CDISMManager::LoadImageSession+0x561
0b 000afa18 575863f7 07db4073 001a4cb0 001a4cd0 DismCore!CDISMManager::CreateLocalImageSession+0x4eb
0c 000afa40 57586c90 00000000 00000000 001a4cd0 DismCore!CDISMManager::get_LocalImageSession+0x93
0d 000afa5c 575823c4 001a4cd0 000afb7c 00000000 DismCore!CDISMManager::GetLocalProviderStore+0x2e
0e 000afb84 00762088 001a4cd0 000afbac 0b271a31 DismCore!CDISMManager::get_Logger+0x23
0f 000afbc8 00762e46 000afc6c 001a2798 0b271dd1 Dism!CDismWrapper::SetupLogging+0xf7
10 000afc28 0075bf57 000afc6c 000afc68 00000000 Dism!CDismWrapper::Initialize+0x192
11 000afc7c 0075c3f6 000afd34 000afcb0 80070057 Dism!CCmdlineProcessor::InitializeDism+0x152
12 000afc90 0075dd47 000afd34 000afcb0 0b271c3d Dism!CCmdlineProcessor::LogEarlyParseFailure+0x13
13 000afdc4 0075decf 00000002 001a1758 00000000 Dism!CCmdlineProcessor::Run+0x279
14 000afde0 0076a18f 00000002 001a1758 001a3978 Dism!wmain+0x3d
15 000afe24 75d9ed6c 7ffdf000 000afe70 776837eb Dism!_initterm_e+0x163
16 000afe30 776837eb 7ffdf000 7726dd79 00000000 kernel32!BaseThreadInitThunk+0xe
17 000afe70 776837be 0076a2c0 7ffdf000 00000000 ntdll!__RtlUserThreadStart+0x70
18 000afe88 00000000 0076a2c0 7ffdf000 00000000 ntdll!_RtlUserThreadStart+0x1b
WaxfordSqueers
Senior Member
Posts: 1000
Joined: Tue Apr 06, 2004 11:00 am

Post by WaxfordSqueers »

blabberer wrote: you need to know where to set breakpoints
Thanks Blabbs...it's very late and I have managed to throw out both my lower back and mid-back, between shoulder blades. An old war wound from work. I'll need time to digest this.

I am amazed at how much you know about all this stuff. :) Besides the BPs, I was thinking of just brute-forcing it by single-stepping to see where it goes. I know it (DISM) uses a tmp file in the users/temp directory where it looks up providers. Not exactly sure what provider means but it seems to be msoft double-speak for libraries. They have functions that do things like check the windir. They are pretty dumb if you ask me, they can't even look up the environment variables and get the windir path. But they must have since they got the path c:\winxp. They just can't accept that it's THE windir.

Just dawned on me, there may be a BP in the dism log. They do refer to a function with a C-type extension, like foo::foobar that is used to find the windir. I'll look it up tomorrow. Thanks.
blabberer
Senior Member
Posts: 1535
Joined: Wed Dec 08, 2004 11:12 am

Post by blabberer »

a complete write sequence for one command

deleting log file

:\>del c:\Windows\Logs\DISM\dism.log
Could Not Find c:\Windows\Logs\DISM\dism.log
windbg automatic session

:\>cdb -c "bp kernelbase!WriteFile \"da /c 100 poi(@esp+8);gc\";g;q" dism /sysdrivedir /? |awk "/Reading/,/quit/"
0:000> cdb: Reading initial command 'bp kernelbase!WriteFile "da /c 100 poi(@esp+8);gc";g;q'
ModLoad: 75ad0000 75aef000   C:\Windows\system32\IMM32.DLL
ModLoad: 75f10000 75fdc000   C:\Windows\system32\MSCTF.dll
ModLoad: 756f0000 756fc000   C:\Windows\system32\CRYPTBASE.dll
ModLoad: 58d70000 58dc2000   C:\Windows\System32\Dism\DismCore.dll
ModLoad: 57f70000 57fa2000   C:\Windows\system32\wdscore.dll
003247e8  "..Deployment Image Servicing and Management tool..Version: 6.1.7600.16385..............................................................................................."

Deployment Image Servicing and Management tool
Version: 6.1.7600.16385

ModLoad: 58f10000 58f20000   C:\Windows\System32\Dism\DismCorePS.dll
ModLoad: 75c60000 75ce3000   C:\Windows\system32\CLBCatQ.DLL
ModLoad: 751f0000 75206000   C:\Windows\system32\CRYPTSP.dll
ModLoad: 74f90000 74fcb000   C:\Windows\system32\rsaenh.dll
ModLoad: 75760000 7576e000   C:\Windows\system32\RpcRtRemote.dll
ModLoad: 713c0000 714ab000   C:\Windows\system32\dbghelp.dll
0018f2f8  "..."
00335bd0  "2020-01-21 19:24:55, Info                  DISM   PID=5984 Scratch directory set to 'C:\Users\xx\AppData\Local\Temp\'. - CDISMManager::put_ScratchDir.."
ModLoad: 57f20000 57f66000   C:\Windows\System32\Dism\dismprov.dll
00335bd0  "2020-01-21 19:24:55, Info                  DISM   PID=5984 Successfully loaded the ImageSession at "C:\Windows\System32\Dism" - CDISMManager::LoadImageSession.."
PID=5984 Instantiating the Provider Store. - CDISMImageSession::get_ProviderStorePID=5984 Initializing a provider store for the LOCAL session type. - CDISMProviderStore::Final_OnConnectPID=5984 Attempting to initialize the logger from the Image Session. - CDISMProviderStore::Final_OnConnectPID=5984 Provider has not previously been encountered.  Attempting to initialize the provider. - CDISMProviderStore::Internal_GetProviderPID=5984 Loading Provider from location C:\Windows\System32\Dism\LogProvider.dll - CDISMProviderStore::Internal_GetProviderModLoad: 57d60000 57d88000   C:\Windows\System32\Dism\LogProvider.dll
PID=5984 Connecting to the provider located at C:\Windows\System32\Dism\LogProvider.dll. - CDISMProviderStore::Internal_LoadProviderPID=5984 Getting Provider OSServices - CDISMProviderStore::GetProviderPID=5984 The requested provider was not found in the Provider Store. - CDISMProviderStore::Internal_GetProvider(hr:0x80004005)PID=5984 Failed to get an OSServices provider. Must be running in local store. Falling back to checking alongside the log provider for wdscore.dll. - CDISMLogger::FindWdsCore(hr:0x80004005)00335bd0  "2020-01-21 19:24:55, Info                  DISM   DISM Provider Store: PID=5984 Found and Initialized the DISM Logger. - CDISMProviderStore::Internal_InitializeLogger.."
00335bd0  "2020-01-21 19:24:55, Info                  DISM   DISM Provider Store: PID=5984 Failed to get and initialize the PE Provider.  Continuing by assuming that it is not a WinPE image. - CDISMProviderStore::Final_OnConnect.."
00335bd0  "2020-01-21 19:24:55, Info                  DISM   DISM Provider Store: PID=5984 Finished initializing the Provider Map. - CDISMProviderStore::Final_OnConnect.."
00335bd0  "2020-01-21 19:24:55, Info                  DISM   DISM Provider Store: PID=5984 Getting Provider DISMLogger - CDISMProviderStore::GetProvider.."
00335bd0  "2020-01-21 19:24:55, Info                  DISM   DISM Provider Store: PID=5984 Provider has previously been initialized.  Returning the existing instance. - CDISMProviderStore::Internal_GetProvider.."
00335bd0  "2020-01-21 19:24:55, Info                  DISM   DISM Provider Store: PID=5984 Getting Provider DISMLogger - CDISMProviderStore::GetProvider.."
00335bd0  "2020-01-21 19:24:55, Info                  DISM   DISM Provider Store: PID=5984 Provider has previously been initialized.  Returning the existing instance. - CDISMProviderStore::Internal_GetProvider.."
00335bd0  "2020-01-21 19:24:55, Info                  DISM   DISM Manager: PID=5984 Successfully created the local image session and provider store. - CDISMManager::CreateLocalImageSession.."
00335bd0  "2020-01-21 19:24:55, Info                  DISM   DISM Provider Store: PID=5984 Getting Provider DISMLogger - CDISMProviderStore::GetProvider.."
00335bd0  "2020-01-21 19:24:55, Info                  DISM   DISM Provider Store: PID=5984 Provider has previously been initialized.  Returning the existing instance. - CDISMProviderStore::Internal_GetProvider.."
00335bd0  "2020-01-21 19:24:55, Info                  DISM   DISM.EXE: .."
00335bd0  "2020-01-21 19:24:55, Info                  DISM   DISM.EXE: <----- Starting Dism.exe session ----->.."
00335bd0  "2020-01-21 19:24:55, Info                  DISM   DISM.EXE: .."
00335bd0  "2020-01-21 19:24:55, Info                  DISM   DISM.EXE: Host machine information: OS Version=6.1.7601, Running architecture=x86, Number of processors=1.."
00335bd0  "2020-01-21 19:24:55, Info                  DISM   DISM.EXE: Executing command line: dism /sysdrivedir /? .."
00335bd0  "2020-01-21 19:24:55, Info                  DISM   DISM Provider Store: PID=5984 Getting the collection of providers from a local provider store type. - CDISMProviderStore::GetProviderCollection.."
00335bd0  "2020-01-21 19:24:55, Info                  DISM   DISM Provider Store: PID=5984 Provider has not previously been encountered.  Attempting to initialize the provider. - CDISMProviderStore::Internal_GetProvider.."
00335bd0  "2020-01-21 19:24:55, Info                  DISM   DISM Provider Store: PID=5984 Loading Provider from location C:\Windows\System32\Dism\WimProvider.dll - CDISMProviderStore::Internal_GetProvider.."
ModLoad: 57cf0000 57d60000   C:\Windows\System32\Dism\WimProvider.dll
ModLoad: 57800000 57867000   C:\Windows\system32\WIMGAPI.DLL
00335bd0  "2020-01-21 19:24:55, Info                  DISM   DISM Provider Store: PID=5984 Connecting to the provider located at C:\Windows\System32\Dism\WimProvider.dll. - CDISMProviderStore::Internal_LoadProvider.."
00335bd0  "2020-01-21 19:24:56, Info                  DISM   DISM Provider Store: PID=5984 Provider has not previously been encountered.  Attempting to initialize the provider. - CDISMProviderStore::Internal_GetProvider.."
00335bd0  "2020-01-21 19:24:56, Info                  DISM   DISM Provider Store: PID=5984 Loading Provider from location C:\Windows\System32\Dism\FolderProvider.dll - CDISMProviderStore::Internal_GetProvider.."
ModLoad: 580b0000 580d0000   C:\Windows\System32\Dism\FolderProvider.dll
00335bd0  "2020-01-21 19:24:56, Info                  DISM   DISM Provider Store: PID=5984 Connecting to the provider located at C:\Windows\System32\Dism\FolderProvider.dll. - CDISMProviderStore::Internal_LoadProvider.."
00335bd0  "2020-01-21 19:24:56, Info                  DISM   DISM Provider Store: PID=5984 Provider has not previously been encountered.  Attempting to initialize the provider. - CDISMProviderStore::Internal_GetProvider.."
00335bd0  "2020-01-21 19:24:56, Info                  DISM   DISM Provider Store: PID=5984 Loading Provider from location C:\Windows\System32\Dism\CompatProvider.dll - CDISMProviderStore::Internal_GetProvider.."
ModLoad: 577b0000 577f5000   C:\Windows\System32\Dism\CompatProvider.dll
00335bd0  "2020-01-21 19:24:56, Info                  DISM   DISM Provider Store: PID=5984 Connecting to the provider located at C:\Windows\System32\Dism\CompatProvider.dll. - CDISMProviderStore::Internal_LoadProvider.."
00335bd0  "2020-01-21 19:24:56, Info                  DISM   DISM.EXE: Got the collection of providers. Now enumerating them to build the command table..."
00335bd0  "2020-01-21 19:24:56, Info                  DISM   DISM.EXE: Attempting to add the commands from provider: WimManager.."
00335bd0  "2020-01-21 19:24:56, Info                  DISM   DISM.EXE: Getting the help information collection for the provider: WimManager..."
00335bd0  "2020-01-21 19:24:56, Info                  DISM   DISM.EXE: Registering information from the help collection from provider: WimManager..."
00335bd0  "2020-01-21 19:24:56, Info                  DISM   DISM.EXE: Succesfully registered the Help Item with topic(wimcommands) and category(localtoplevelhelp) for the provider(WimManager)..."
00335bd0  "2020-01-21 19:24:56, Info                  DISM   DISM.EXE: Succesfully registered the Help Item with topic(cleanup-wim) and category(wimcommands) for the provider(WimManager)..."
00335bd0  "2020-01-21 19:24:56, Info                  DISM   DISM.EXE: Succesfully registered the Help Item with topic(remount-wim) and category(wimcommands) for the provider(WimManager)..."
00335bd0  "2020-01-21 19:24:56, Info                  DISM   DISM.EXE: Succesfully registered the Help Item with topic(mount-wim) and category(wimcommands) for the provider(WimManager)..."
00335bd0  "2020-01-21 19:24:56, Info                  DISM   DISM.EXE: Succesfully registered the Help Item with topic(unmount-wim) and category(wimcommands) for the provider(WimManager)..."
00335bd0  "2020-01-21 19:24:56, Info                  DISM   DISM.EXE: Succesfully registered the Help Item with topic(commit-wim) and category(wimcommands) for the provider(WimManager)..."
00335bd0  "2020-01-21 19:24:56, Info                  DISM   DISM.EXE: Succesfully registered the Help Item with topic(get-wiminfo) and category(wimcommands) for the provider(WimManager)..."
00335bd0  "2020-01-21 19:24:56, Info                  DISM   DISM.EXE: Succesfully registered the Help Item with topic(get-mountedwiminfo) and category(wimcommands) for the provider(WimManager)..."
00335bd0  "2020-01-21 19:24:56, Info                  DISM   DISM.EXE: Attempting to add the commands from provider: FolderManager.."
00335bd0  "2020-01-21 19:24:56, Info                  DISM   DISM.EXE: Attempting to add the commands from provider: DISM Log Provider.."
00335bd0  "2020-01-21 19:24:56, Info                  DISM   DISM.EXE: Attempting to add the commands from provider: Compatibility Manager.."
00335bd0  "2020-01-21 19:24:56, Info                  DISM   DISM.EXE: Getting the help information collection for the provider: Compatibility Manager..."
0034bfc8  "../Image:<path_to_offline_image> [/SysDriveDir:<path_to_bootmgr>]....  Specifies the path to the directory of the bootmgr file. If not..  specified, it defaults to the offline image path.....  This option cannot be used with the /Online option.....    Exam"
0034c0c8  "ple:..      DISM.exe /Image:C:\test\offline /SysDriveDir:C:\...................................................................."

/Image:<path_to_offline_image> [/SysDriveDir:<path_to_bootmgr>]

  Specifies the path to the directory of the bootmgr file. If not
  specified, it defaults to the offline image path.

  This option cannot be used with the /Online option.

    Example:
      DISM.exe /Image:C:\test\offline /SysDriveDir:C:\


00335bd0  "2020-01-21 19:24:56, Info                  DISM   DISM.EXE: Image session has been closed. Reboot required=no..."
00335bd0  "2020-01-21 19:24:57, Info                  DISM   DISM.EXE: .."
00335bd0  "2020-01-21 19:24:57, Info                  DISM   DISM.EXE: <----- Ending Dism.exe session ----->.."
00335bd0  "2020-01-21 19:24:57, Info                  DISM   DISM.EXE: .."
00335bd0  "2020-01-21 19:24:57, Info                  DISM   DISM Image Session: PID=5984 Disconnecting the provider store - CDISMImageSession::Final_OnDisconnect.."
00335bd0  "2020-01-21 19:24:57, Info                  DISM   DISM Provider Store: PID=5984 Disconnecting Provider: WimManager - CDISMProviderStore::Internal_DisconnectProvider.."
00335bd0  "2020-01-21 19:24:57, Info                  DISM   DISM Provider Store: PID=5984 Disconnecting Provider: FolderManager - CDISMProviderStore::Internal_DisconnectProvider.."
00335bd0  "2020-01-21 19:24:57, Info                  DISM   DISM Provider Store: PID=5984 Found the OSServices.  Waiting to finalize it until all other providers are unloaded. - CDISMProviderStore::Final_OnDisconnect.."
00335bd0  "2020-01-21 19:24:57, Info                  DISM   DISM Provider Store: PID=5984 Disconnecting Provider: Compatibility Manager - CDISMProviderStore::Internal_DisconnectProvider.."
00335bd0  "2020-01-21 19:24:57, Info                  DISM   DISM Provider Store: PID=5984 Releasing the local reference to DISMLogger.  Stop logging. - CDISMProviderStore::Internal_DisconnectProvider.."
PID=5984 Encountered a loaded provider DISMLogger. - CDISMProviderStore::Internal_DisconnectProviderPID=5984 Disconnecting Provider: DISMLogger - CDISMProviderStore::Internal_DisconnectProviderquit:

file contents post windbg session

:\>cat c:\Windows\Logs\DISM\dism.log
2020-01-21 19:24:55, Info                  DISM   PID=5984 Scratch directory set to 'C:\Users\xx\AppData\Local\Temp\'. - CDISMManager::put_ScratchDir
2020-01-21 19:24:55, Info                  DISM   PID=5984 Successfully loaded the ImageSession at "C:\Windows\System32\Dism" - CDISMManager::LoadImageSession
2020-01-21 19:24:55, Info                  DISM   DISM Provider Store: PID=5984 Found and Initialized the DISM Logger. - CDISMProviderStore::Internal_InitializeLogger
2020-01-21 19:24:55, Info                  DISM   DISM Provider Store: PID=5984 Failed to get and initialize the PE Provider.  Continuing by assuming that it is not a WinPE image. - CDISMProviderStore::Final_OnConnect
2020-01-21 19:24:55, Info                  DISM   DISM Provider Store: PID=5984 Finished initializing the Provider Map. - CDISMProviderStore::Final_OnConnect
2020-01-21 19:24:55, Info                  DISM   DISM Provider Store: PID=5984 Getting Provider DISMLogger - CDISMProviderStore::GetProvider
2020-01-21 19:24:55, Info                  DISM   DISM Provider Store: PID=5984 Provider has previously been initialized.  Returning the existing instance. - CDISMProviderStore::Internal_GetProvider
2020-01-21 19:24:55, Info                  DISM   DISM Provider Store: PID=5984 Getting Provider DISMLogger - CDISMProviderStore::GetProvider
2020-01-21 19:24:55, Info                  DISM   DISM Provider Store: PID=5984 Provider has previously been initialized.  Returning the existing instance. - CDISMProviderStore::Internal_GetProvider
2020-01-21 19:24:55, Info                  DISM   DISM Manager: PID=5984 Successfully created the local image session and provider store. - CDISMManager::CreateLocalImageSession
2020-01-21 19:24:55, Info                  DISM   DISM Provider Store: PID=5984 Getting Provider DISMLogger - CDISMProviderStore::GetProvider
2020-01-21 19:24:55, Info                  DISM   DISM Provider Store: PID=5984 Provider has previously been initialized.  Returning the existing instance. - CDISMProviderStore::Internal_GetProvider
2020-01-21 19:24:55, Info                  DISM   DISM.EXE:
2020-01-21 19:24:55, Info                  DISM   DISM.EXE: <----- Starting Dism.exe session ----->
2020-01-21 19:24:55, Info                  DISM   DISM.EXE:
2020-01-21 19:24:55, Info                  DISM   DISM.EXE: Host machine information: OS Version=6.1.7601, Running architecture=x86, Number of processors=1
2020-01-21 19:24:55, Info                  DISM   DISM.EXE: Executing command line: dism /sysdrivedir /?
2020-01-21 19:24:55, Info                  DISM   DISM Provider Store: PID=5984 Getting the collection of providers from a local provider store type. - CDISMProviderStore::GetProviderCollection
2020-01-21 19:24:55, Info                  DISM   DISM Provider Store: PID=5984 Provider has not previously been encountered.  Attempting to initialize the provider. - CDISMProviderStore::Internal_GetProvider
2020-01-21 19:24:55, Info                  DISM   DISM Provider Store: PID=5984 Loading Provider from location C:\Windows\System32\Dism\WimProvider.dll - CDISMProviderStore::Internal_GetProvider
2020-01-21 19:24:55, Info                  DISM   DISM Provider Store: PID=5984 Connecting to the provider located at C:\Windows\System32\Dism\WimProvider.dll. - CDISMProviderStore::Internal_LoadProvider
2020-01-21 19:24:56, Info                  DISM   DISM Provider Store: PID=5984 Provider has not previously been encountered.  Attempting to initialize the provider. - CDISMProviderStore::Internal_GetProvider
2020-01-21 19:24:56, Info                  DISM   DISM Provider Store: PID=5984 Loading Provider from location C:\Windows\System32\Dism\FolderProvider.dll - CDISMProviderStore::Internal_GetProvider
2020-01-21 19:24:56, Info                  DISM   DISM Provider Store: PID=5984 Connecting to the provider located at C:\Windows\System32\Dism\FolderProvider.dll. - CDISMProviderStore::Internal_LoadProvider
2020-01-21 19:24:56, Info                  DISM   DISM Provider Store: PID=5984 Provider has not previously been encountered.  Attempting to initialize the provider. - CDISMProviderStore::Internal_GetProvider
2020-01-21 19:24:56, Info                  DISM   DISM Provider Store: PID=5984 Loading Provider from location C:\Windows\System32\Dism\CompatProvider.dll - CDISMProviderStore::Internal_GetProvider
2020-01-21 19:24:56, Info                  DISM   DISM Provider Store: PID=5984 Connecting to the provider located at C:\Windows\System32\Dism\CompatProvider.dll. - CDISMProviderStore::Internal_LoadProvider
2020-01-21 19:24:56, Info                  DISM   DISM.EXE: Got the collection of providers. Now enumerating them to build the command table.
2020-01-21 19:24:56, Info                  DISM   DISM.EXE: Attempting to add the commands from provider: WimManager
2020-01-21 19:24:56, Info                  DISM   DISM.EXE: Getting the help information collection for the provider: WimManager.
2020-01-21 19:24:56, Info                  DISM   DISM.EXE: Registering information from the help collection from provider: WimManager.
2020-01-21 19:24:56, Info                  DISM   DISM.EXE: Succesfully registered the Help Item with topic(wimcommands) and category(localtoplevelhelp) for the provider(WimManager).
2020-01-21 19:24:56, Info                  DISM   DISM.EXE: Succesfully registered the Help Item with topic(cleanup-wim) and category(wimcommands) for the provider(WimManager).
2020-01-21 19:24:56, Info                  DISM   DISM.EXE: Succesfully registered the Help Item with topic(remount-wim) and category(wimcommands) for the provider(WimManager).
2020-01-21 19:24:56, Info                  DISM   DISM.EXE: Succesfully registered the Help Item with topic(mount-wim) and category(wimcommands) for the provider(WimManager).
2020-01-21 19:24:56, Info                  DISM   DISM.EXE: Succesfully registered the Help Item with topic(unmount-wim) and category(wimcommands) for the provider(WimManager).
2020-01-21 19:24:56, Info                  DISM   DISM.EXE: Succesfully registered the Help Item with topic(commit-wim) and category(wimcommands) for the provider(WimManager).
2020-01-21 19:24:56, Info                  DISM   DISM.EXE: Succesfully registered the Help Item with topic(get-wiminfo) and category(wimcommands) for the provider(WimManager).
2020-01-21 19:24:56, Info                  DISM   DISM.EXE: Succesfully registered the Help Item with topic(get-mountedwiminfo) and category(wimcommands) for the provider(WimManager).
2020-01-21 19:24:56, Info                  DISM   DISM.EXE: Attempting to add the commands from provider: FolderManager
2020-01-21 19:24:56, Info                  DISM   DISM.EXE: Attempting to add the commands from provider: DISM Log Provider
2020-01-21 19:24:56, Info                  DISM   DISM.EXE: Attempting to add the commands from provider: Compatibility Manager
2020-01-21 19:24:56, Info                  DISM   DISM.EXE: Getting the help information collection for the provider: Compatibility Manager.
2020-01-21 19:24:56, Info                  DISM   DISM.EXE: Image session has been closed. Reboot required=no.
2020-01-21 19:24:57, Info                  DISM   DISM.EXE:
2020-01-21 19:24:57, Info                  DISM   DISM.EXE: <----- Ending Dism.exe session ----->
2020-01-21 19:24:57, Info                  DISM   DISM.EXE:
2020-01-21 19:24:57, Info                  DISM   DISM Image Session: PID=5984 Disconnecting the provider store - CDISMImageSession::Final_OnDisconnect
2020-01-21 19:24:57, Info                  DISM   DISM Provider Store: PID=5984 Disconnecting Provider: WimManager - CDISMProviderStore::Internal_DisconnectProvider
2020-01-21 19:24:57, Info                  DISM   DISM Provider Store: PID=5984 Disconnecting Provider: FolderManager - CDISMProviderStore::Internal_DisconnectProvider
2020-01-21 19:24:57, Info                  DISM   DISM Provider Store: PID=5984 Found the OSServices.  Waiting to finalize it until all other providers are unloaded. - CDISMProviderStore::Final_OnDisconnect
2020-01-21 19:24:57, Info                  DISM   DISM Provider Store: PID=5984 Disconnecting Provider: Compatibility Manager - CDISMProviderStore::Internal_DisconnectProvider
2020-01-21 19:24:57, Info                  DISM   DISM Provider Store: PID=5984 Releasing the local reference to DISMLogger.  Stop logging. - CDISMProviderStore::Internal_DisconnectProvider

:\>
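The WriteFile hook in blabberer's two posts above prints each log record straight out of the buffer before it reaches dism.log, which is why the cdb transcript and the file listing agree line for line. As an added example (not blabberer's code, and not part of DISM or the debugger), here is a small Python parser that reassembles those `da /c 100` dumps into whole strings, including a long help-text string that `da` spilled onto a second line at the next 0x100 boundary (the `0034bfc8` / `0034c0c8` pair above). The cdb transcript embedded in it is constructed from the listing above and shortened; the function names are made up for this example.

```python
"""Reassemble the strings that cdb printed at the WriteFile breakpoint.

Added example, not from the thread. It parses the transcript produced by
    bp kernelbase!WriteFile "da /c 100 poi(@esp+8);gc"
as shown in the post above: every `da` line is `<addr>  "<up to 0x100 chars>"`,
non-printable bytes (here CR LF) are rendered as '.', and a string longer
than 0x100 characters continues on a new line at addr + 0x100.
"""
import re

DA_LINE = re.compile(r'^([0-9a-fA-F]{8})\s+"(.*)"$')
CHUNK = 0x100  # `da /c 100` prints at most 0x100 characters per line

# --- constructed sample, modelled on the cdb session in the post above ---
LOG_LINE = ("2020-01-21 19:24:55, Info" + " " * 18
            + "DISM   DISM.EXE: Executing command line: dism /sysdrivedir /? ")
HELP_PART1 = ("  Specifies the path to the directory of the bootmgr file. " * 5)[:CHUNK]
HELP_PART2 = "ple:..      DISM.exe /Image:C:\\test\\offline /SysDriveDir:C:\\.."
SAMPLE_CDB_OUTPUT = "\n".join([
    "0:000> cdb: Reading initial command 'bp kernelbase!WriteFile \"da /c 100 poi(@esp+8);gc\";g;q'",
    "ModLoad: 58d70000 58dc2000   C:\\Windows\\System32\\Dism\\DismCore.dll",
    '003247e8  "..Deployment Image Servicing and Management tool..Version: 6.1.7600.16385.."',
    f'00335bd0  "{LOG_LINE}.."',
    '00335bd0  "2020-01-21 19:24:56, Info' + " " * 18
    + 'DISM   DISM.EXE: Image session has been closed. Reboot required=no..."',
    f'0034bfc8  "{HELP_PART1}"',   # exactly 0x100 chars: the string continues...
    f'0034c0c8  "{HELP_PART2}"',   # ...at 0034bfc8 + 0x100
    "quit:",
])


def parse_da_output(text):
    """Return (address, chunk) pairs for every `da` line; ModLoad lines,
    prompts and other debugger chatter are ignored."""
    pairs = []
    for line in text.splitlines():
        m = DA_LINE.match(line.rstrip())
        if m:
            pairs.append((int(m.group(1), 16), m.group(2)))
    return pairs


def merge_chunks(pairs):
    """Glue a chunk onto the previous string when the previous chunk was a
    full 0x100 characters and this one starts exactly where it ended.
    Separate WriteFile calls that reuse the same buffer (00335bd0 above)
    never satisfy that test, so they stay separate strings."""
    strings = []  # [start_address, text]
    for addr, chunk in pairs:
        if strings:
            start, text = strings[-1]
            if len(text) % CHUNK == 0 and addr == start + len(text):
                strings[-1][1] = text + chunk
                continue
        strings.append([addr, chunk])
    return [(addr, text) for addr, text in strings]


def strip_crlf(text):
    """`da` prints CR LF as '..'; drop a leading/trailing pair so a log
    record compares equal to the line that ends up in dism.log. Interior
    '..' runs are left alone, because a '.' that was really a period cannot
    be told apart from one that stood for a control byte."""
    if text.startswith(".."):
        text = text[2:]
    if text.endswith(".."):
        text = text[:-2]
    return text


def recover_strings(cdb_output):
    """Full pipeline: cdb transcript -> list of WriteFile payloads as text."""
    return [strip_crlf(t) for _, t in merge_chunks(parse_da_output(cdb_output))]


if __name__ == "__main__":
    for s in recover_strings(SAMPLE_CDB_OUTPUT):
        print(repr(s))
```

The address arithmetic is the only signal the transcript gives for continuation lines, so the merge deliberately requires both a full previous chunk and an exactly adjacent address; a buffer that happens to be reused for consecutive WriteFile calls at the same address (as `00335bd0` is for every log record) is therefore never folded into its predecessor.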
WaxfordSqueers
Senior Member
Posts: 1000
Joined: Tue Apr 06, 2004 11:00 am

Post by WaxfordSqueers »

Blabbs...I was trying to replicate your command line for cdb but it did not like the awk commands at the end. How did you manage to incorporate an awk compiler into Windows?

I appreciate your effort but maybe I am misleading you through my ignorance of dism. I may be premature with my assumption that tracing into dism will reveal answers.

Here's more info.

I removed the awk reference and it ran but it gave me essentially the same o/p I got from running dism /sysdrivedir /? in a command window. It tells me that command cannot be used in the online mode, only with an image. Furthermore, /sysdrivedir refers to the directory of the bootmgr file. If not specified, it defaults to the offline image path. Have no idea what that means. Don't know what bootmgr has to do with it unless they are reading boot.ini to get a system path.

Part of the problem is that I have essentially no idea what I'm doing with dism. I have used it in the past on W7 to check system health and to load drivers into an image but not in this manner where I am simply trying to verify the integrity of an OS. It's supposed to work and according to sources online it should work. However, how is dism supposed to verify the integrity of an OS unless it has a reference offline OS image with which to compare it? Maybe I am supposed to have the installation disk in the optical drive but I tried and it did not work.

I have read on this for hours on the Net but most articles are about applying commands, not how or what dism is supposed to do. Even Microsoft is vague on the issue.

If you use the query: dism /online /? it returns "The following commands may be used to service the image:" Since my query was about an online image, meaning the image of a running OS, I would presume that's what image means. But, no, msoft goes on to talk about offline images. Therefore the distinction between 'online' and 'image' is not clear.

They give an example:

DISM.exe /Image:C:\test\offline /Get-Features /?

When I apply that in a W7 install I get an error: 3 ....Unable to access the image.
Make sure that the image path and the Windows directory for the image exist and you have Read permissions on the folder.

I mean, this is using dism as it naturally resides on W7. I'll try it on W10, maybe I can access W7 and/or XP offline through W10.

You are supposed to be able to use dism in conjunction with System File Checker to clean up an operating OS.

For example, the command:

dism /online /cleanup-image /checkhealth

is supposed to simply check the health of the online OS. So, I ran it on w7 and got an error "The checkhealth option is not recognized in this context. For more information, refer to the help."

This is maddening. If I run it on XP I get this error: 126...An error occurred while attempting to access the image. The crux of the error in the log file is this:

DISM OS Provider: PID=2224 Defaulting SystemPath to c:\ ~CDISOSServiceManager::Final_OnConnect
DISM OS Provider: PID=2224 Defaulting Windows folder to C:\Windows - CDISOSServiceManager::Final_OnConnect

Then it says: Failed to bind the offline servicing stack. Make sure that the Windows directory has been set.

Then this brilliance [/sarc off]....There were errors when setting the default windows directory to C:/Windows. No kidding!!!!

Surely the programmers who wrote dism are not that stupid. They have already identified the dism directory as c:\winxp\system32\dism and the windir is stated in the environment variables as c:\winxp.

I am thinking they are looking for an installation disk or an installation image file with a '.wim' extension. That would explain why they are looking for a windows folder but then it would be in D:\windows on a disk or at a specified image directory.
blabberer
Senior Member
Posts: 1535
Joined: Wed Dec 08, 2004 11:12 am

Post by blabberer »

awk is available for windows from gnuwin32 utilities (for x64 awk iirc is available in msys\mingw)

i am not sure where you get all this info about command lines (the checkhealth is available in windows 10 not in windows 7 and obviously absolutely not in xp)

in a stock windows 7 dism /online /cleanup-image has only two options /revertpending and /spsuperseded /hidesp

/revertpending needs an offline image (crap.wim located at say x:\y\z)

/Cleanup-Image needs an image

actually there is a system update blah blah that was available for windows 7 which is parent to dism in windows 10


Code:

The System Update Readiness Tool verifies the integrity of the following resources:

    Files that are located in the following directories:
        %SYSTEMROOT%\Servicing\Packages
        %SYSTEMROOT%\WinSxS\Manifests
    Registry data that is located under the following registry subkeys:
        HKEY_LOCAL_MACHINE\Components
        HKEY_LOCAL_MACHINE\Schema
        HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Component Based Servicing

This list may be updated at any time.

When the System Update Readiness Tool detects incorrect manifests, Cabinets, or registry data, it may replace the incorrect data with a corrected version.
Logging

The System Update Readiness Tool creates a log file that captures any issues that the tool found or fixed. The log file is located here:

    %SYSTEMROOT%\Logs\CBS\CheckSUR.log
    %SYSTEMROOT%\Logs\CBS\CheckSUR.persist.log

How to fix errors that are found in the CheckSUR.log

here is an online (running computer), not an image, get-feature /featureinfo result (for game FreeCell; beware of capitalization: freeCell/Freecell/FR33c311 won't work)


Code:

C:\>DISM.exe /online /Get-Featureinfo /FeatureName:FreeCell

Deployment Image Servicing and Management tool
Version: 6.1.7600.16385

Image Version: 6.1.7601.17514

Feature Information:

Feature Name : FreeCell
Display Name : FreeCell
Description : FreeCell
Restart Required : Possible
State : Enabled

Custom Properties:

(No custom properties found)

The operation completed successfully.

C:\>
WaxfordSqueers
Senior Member
Posts: 1000
Joined: Tue Apr 06, 2004 11:00 am

Post by WaxfordSqueers »

blabberer wrote:i am not sure where you get all this info about command lines (the checkhealth is available in windows 10 not in windows 7 and obviously absolutely not in xp)
Number 1 source is ryanvm at link below. That's where I got my unofficial XP SP4 update. They specialize in matters that Microsoft et al claim you cannot do. The page refers you to waik ver 2.0 but I had to look up the Microsoft download archives on wayback to find waik ver 3.0. On the archived Microsoft page they specifically refer to waik 3 as a W7 product and DISM is listed in the description blurb. Link below the other link.

My reasoning may be skewed but I am presuming waik 3 will work on XP given the proper adjustments. RyanVM seem to think so and their mindset is similar to ours at RCE, that if someone tells you something can't be done, you go and do it anyway. I was dubious as to whether XP would run on my 300-series chipset but I had a gut feeling that it might be possible. I am one of those types who, having a perfectly good OS on a disk, full of good reversing tools, hates to throw it out. They are not script kiddies or anarchists, they seem to be normal people who just like working with software and OSs.

I loaded waik 3 on XP and it did not protest. DISM runs on XP, just as on W7, without protest, with the exception that it cannot figure out the correct windir path. Turns out I am having similar problems on W7 "BUT" this waik is aimed at W7. Don't think I have that waik loaded on W7, I'll try it and see.

I do know that I used DISM to load drivers on an XP SP3 image. I pointed it to the directory with several INF files and it processed each INF file one after the other, stopping to ask me if I wanted to load the associated drivers into the image. That's before I discovered nlite. Of course if you use nlite on an XP image it has to be the XP nlite version run in an XP environment. I used XP in a VM and it worked.

I did have the XP SP3 image loaded on disk with the windows image files available (.wim). There were two of them.

I am beginning to clue in. Microsoft claims dism can be used both on an OS image, like a wim or vhd, and on an online system, but it seems the primary usage is in dealing with images. However, they expound on the image functions and completely ignore the online aspects. Frustrating. They pass dism off as an image tool whereas many people online are using it in online mode to examine and clean up a live OS. Of course, to do that, dism would need an image with which to compare the live OS or a directory containing downloaded packages, etc.

I do recall running it once on W7 to verify the SxS directory in conjunction with file checker.

https://ryanvm.net/forum/viewtopic.php?t=8616

https://web.archive.org/web/20110804204014/http://www.microsoft.com/download/en/details.aspx?displaylang=en&id=5753
WaxfordSqueers
Senior Member
Posts: 1000
Joined: Tue Apr 06, 2004 11:00 am

Post by WaxfordSqueers »

Discovered part of the problem. XP does not use the wim image format in the install disk. You have to use dism or something called imagex to create a wim file that can be referenced by dism. I presume you create a wim file of XP, store it in a directory, then reference it using a command like:

Dism /Online /Cleanup-Image /RestoreHealth /Source:d:\test\mount\windows

where test is the directory containing the wim file. That is likely why dism XP complains about not being able to find the Windows path. It is likely looking for it in an image file.

I presume then that dism can go about its 'image' business using the xp wim image with which to verify the online installation. Why can't Microsoft just tell you that? What's the big secret?

According to msoft, you can use dism from a newer OS on an older offline OS. I can see that if you can direct dism to operate on the old OS. You wouldn't want to run it on W10 and have it compare the W10 image to an older OS image. I think that function may be aimed at installing driver packages onto an older OS image.

Have not tested this yet, must go out for groceries. Sadly, even reversers have to eat. :D
WaxfordSqueers
Senior Member
Posts: 1000
Joined: Tue Apr 06, 2004 11:00 am

Post by WaxfordSqueers »

The fog lifts a little more. When a straight Dism /online scan is used, Windows checks the current setup online against files in the Windows Update site. If it cannot get online, a directory must be specified where a good wim OS install image is located.

At the moment, this is not a reversing problem but I may still have to resort to that if DISM does not behave. It's useless for me to attempt 'dism /online' via Windoze Update because I can't get online, and even if I did, there would be no XP files in Windoze update. Furthermore, I need to find a way to convert my windoze XP SP4 install disk to a wim file or a vhd file. But first I need to add some drivers to it. Oddly enough, I may be able to use DISM to do that. :devil: although nlite gives a better visual experience.
WaxfordSqueers
Senior Member
Posts: 1000
Joined: Tue Apr 06, 2004 11:00 am

Post by WaxfordSqueers »

blabberer wrote:/revertpending needs an offline image (crap.wim located at say x:\y\z)
I have decided to trace into dism to see what's happening. I'll need to re-familiarize myself with windbg and cdb.

XP does not have a wim file in its installation folder. W10 has one on the disk in the 'Sources' directory, which seems to be a replacement for the old i386 folder. It has two wim files: install.wim and boot.wim. Since install.wim is over 3 gigs I presume it has the files i386 used to hold. Even W7 has a Sources dir on the install disk that is 3.47 gigs, with boot.wim and install.wim.

If I could get the XP install disk in that format it might work for dism. That is, convert the live XP installation to a wim format. I think imagex will do it but I'd need a clean XP installation with which to compare mine.
WaxfordSqueers
Senior Member
Posts: 1000
Joined: Tue Apr 06, 2004 11:00 am

Post by WaxfordSqueers »

Thinking about what I'd like to do and would appreciate some input/advice. I am thinking of using windbg rather than cdb because windbg can be set up with registers, etc. So, I'd like to have windbg load dism with a command line to execute like /online /cleanup-image /blah blah. When it loads, I'd like dism to stop at the entry point so I can trace the code. As I go along, I make notes of the functions it calls so next time I trace I can set a BP.

I know this lacks elegance but I like tracing like that while making notes. It gives me an idea how dism works. I know it will set up a tmp file in Documents and Settings, in the 'temp' directory under user\local settings. So I want to see what it's up to since it loads files (providers) from that tmp file. At the same time, I want to compare what it's doing to the log file to see why it's having trouble with the windir. As I said, that windir may be a windir in an image file it is seeking.

At the same time, I want to follow its disassembly in IDA. I think I can do that based on my own knowledge of windbg but if anyone has anything to add, please feel free. Don't waste your breath telling me I'm a nutjob. :D

For example, a while back, Kayaker pointed out that strings that cannot be found are often in .mui files. I'd never have thought of that.

BTW...I could use advice on symbol files. I have a lot of XP symbol files saved from past work and they might come in handy for kernel-mode modules. However, I am using a W7 version of dism and I may need to point it to my W7 stash. Obviously, I cannot get online to the symbol server so I need to do it locally.
blabberer
Senior Member
Posts: 1535
Joined: Wed Dec 08, 2004 11:12 am

Post by blabberer »

open windbg.exe
click file->open Executable
Navigate to folder containing dism.exe
in the arguments editbox type in the command line you wish
(i have already stated win7 x86 dism.exe does not have /online /cleanup-image /check-health but you can confirm it yourself)
see image below for visuals (i use /online /get-TargetEditions; since i am running pro, dism will return that i can target ultimate edition)
[attachment: windbg.JPG]

once windbg opens and stops in SystemBreakpoint (ntdll!LdrpDoDebuggerBreak())

you can query the entry point using ? @$exentry

this should return the value in PeHeader->AddressOfEntryPoint

at this point you may load an instance in your favourite disassembler and rebase to the address windbg has loaded
so as to have synchronous addresses

now if you issue g @$exentry windbg will execute all the system code silently and will stop in dism!_WinCrtMain

if you have your symbols setup properly you can skip the crt initialisation code also using g dism!wmain

wmain() is the actual code

if you issue wt -m dism -l 3 -oR -oa windbg will trace the whole wmain and will give you notes including call address/ return values /summary you can change the depth of tracing by changing the -l 3 to -l 6 to log six levels deep

here is an -l 3 dism module only trace (set your bps where you want)

Code:

0:000> wt -m dism -l 2 -oR -oa
Tracing Dism!wmain to return address 0079a18f
   10     0 [  0] Dism!wmain
                      call at 0078dea6 
   36     0 [  1]   kernel32!SetThreadUILanguage eax = 409
   12    36 [  0] Dism!wmain
                      call at 0078deae 
    5     0 [  1]   kernel32!SetErrorModeStub
    1     0 [  1]   kernel32!SetErrorMode
   25     0 [  1]   KERNELBASE!SetErrorMode eax = 1
   15    67 [  0] Dism!wmain
                      call at 0078debb 
   25     0 [  1]   kernel32!SetConsoleCtrlHandler eax = 1
   19    92 [  0] Dism!wmain
                      call at 0078deca 
    3     0 [  1]   Dism!CCmdlineProcessor::Run
                        call at 0078dad8 
   18     0 [  2]     Dism!_EH_prolog3_catch eax = 21fb60
    7    18 [  1]   Dism!CCmdlineProcessor::Run
                        call at 0078dae8 
   56     0 [  2]     Dism!CDismConfig::CDismConfig eax = 21fa58
   11    74 [  1]   Dism!CCmdlineProcessor::Run
                        call at 0078daf8 
   25     0 [  2]     Dism!CDismWrapper::CDismWrapper eax = 21fadc
   16    99 [  1]   Dism!CCmdlineProcessor::Run
                        call at 0078db0a 
   16     0 [  2]     Dism!ATL::CSimpleStringT<unsigned short,0>::CSimpleStringT<unsigned short,0> eax = 21fb58
   20   115 [  1]   Dism!CCmdlineProcessor::Run
                        call at 0078db17 
   16     0 [  2]     Dism!ATL::CSimpleStringT<unsigned short,0>::CSimpleStringT<unsigned short,0> eax = 21fb54
   29   131 [  1]   Dism!CCmdlineProcessor::Run
                        call at 0078db32 
   91     0 [  2]     Dism!CCmdlineProcessor::IsDefaultLanguageSpecified eax = 0
   38   222 [  1]   Dism!CCmdlineProcessor::Run
                        call at 0078db62 
   11     0 [  2]     Dism!operator new eax = 551758
   44   233 [  1]   Dism!CCmdlineProcessor::Run
                        call at 0078db6f 
   12     0 [  2]     Dism!CMessageWrapper::CMessageWrapper eax = 551758
   52   245 [  1]   Dism!CCmdlineProcessor::Run
                        call at 0078dbcc 
   27     0 [  2]     Dism!CMessageWrapper::Initialize eax = 0
   58   272 [  1]   Dism!CCmdlineProcessor::Run
                        call at 0078dbe4 
   11     0 [  2]     Dism!operator new eax = 551780
   66   283 [  1]   Dism!CCmdlineProcessor::Run
                        call at 0078dbf8 
    4     0 [  2]     Dism!CConsoleWriter::CConsoleWriter eax = 551780
   74   287 [  1]   Dism!CCmdlineProcessor::Run
                        call at 0078dc53 
    9     0 [  2]     Dism!CConsoleWriter::Initialize eax = 0
   80   296 [  1]   Dism!CCmdlineProcessor::Run
                        call at 0078dc6b 
   11     0 [  2]     Dism!operator new eax = 554d70
   89   307 [  1]   Dism!CCmdlineProcessor::Run
                        call at 0078dc82 
   18     0 [  2]     Dism!CErrorHelper::CErrorHelper eax = 554d70
   97   325 [  1]   Dism!CCmdlineProcessor::Run
                        call at 0078dca9 
   10     0 [  2]     Dism!CDismConfig::Initialize eax = 0
  104   335 [  1]   Dism!CCmdlineProcessor::Run
                        call at 0078dd09 
ModLoad: 58b60000 58bb2000   C:\Windows\System32\Dism\DismCore.dll
ModLoad: 57c80000 57cb2000   C:\Windows\System32\wdscore.dll
   42     0 [  2]     Dism!CDismWrapper::Load eax = 0
  113   377 [  1]   Dism!CCmdlineProcessor::Run
                        call at 0078dd27 
  176     0 [  2]     Dism!CCmdlineProcessor::ParseCommandLine eax = 0
  118   553 [  1]   Dism!CCmdlineProcessor::Run
                        call at 0078dd52 
    2     0 [  2]     Dism!CDismConfig::get_IsQuietSpecified eax = 0
  123   555 [  1]   Dism!CCmdlineProcessor::Run
                        call at 0078dd77 
   63     0 [  2]     Dism!GetRunningExeVersion eax = 0
  130   618 [  1]   Dism!CCmdlineProcessor::Run
                        call at 0078dd8a 
   13     0 [  2]     Dism!CConsoleWriter::WriteString eax = 0
  139   631 [  1]   Dism!CCmdlineProcessor::Run
                        call at 0078ddcc 
ModLoad: 6be50000 6be60000   C:\Windows\System32\Dism\DismCorePS.dll
ModLoad: 754f0000 75573000   C:\Windows\system32\CLBCatQ.DLL
ModLoad: 74b70000 74b86000   C:\Windows\System32\CRYPTSP.dll
ModLoad: 74910000 7494b000   C:\Windows\system32\rsaenh.dll
ModLoad: 750b0000 750be000   C:\Windows\System32\RpcRtRemote.dll
ModLoad: 70d40000 70e2b000   C:\Windows\system32\dbghelp.dll
ModLoad: 56840000 56886000   C:\Windows\System32\Dism\dismprov.dll
PID=5076 Instantiating the Provider Store. - CDISMImageSession::get_ProviderStorePID=5076 Initializing a provider store for the LOCAL session type. - CDISMProviderStore::Final_OnConnectPID=5076 Attempting to initialize the logger from the Image Session. - CDISMProviderStore::Final_OnConnectPID=5076 Provider has not previously been encountered.  Attempting to initialize the provider. - CDISMProviderStore::Internal_GetProviderPID=5076 Loading Provider from location C:\Windows\System32\Dism\LogProvider.dll - CDISMProviderStore::Internal_GetProviderModLoad: 58b30000 58b58000   C:\Windows\System32\Dism\LogProvider.dll
PID=5076 Connecting to the provider located at C:\Windows\System32\Dism\LogProvider.dll. - CDISMProviderStore::Internal_LoadProviderPID=5076 Getting Provider OSServices - CDISMProviderStore::GetProviderPID=5076 The requested provider was not found in the Provider Store. - CDISMProviderStore::Internal_GetProvider(hr:0x80004005)PID=5076 Failed to get an OSServices provider. Must be running in local store. Falling back to checking alongside the log provider for wdscore.dll. - CDISMLogger::FindWdsCore(hr:0x80004005)   88     0 [  2]     Dism!CCmdlineProcessor::InitializeDism eax = 0
  146   719 [  1]   Dism!CCmdlineProcessor::Run
                        call at 0078dde1 
   31     0 [  2]     Dism!CDismConfig::Validate eax = 0
  155   750 [  1]   Dism!CCmdlineProcessor::Run
                        call at 0078de20 
ModLoad: 58a60000 58a80000   C:\Windows\System32\Dism\FolderProvider.dll
ModLoad: 74ff0000 7503c000   C:\Windows\system32\apphelp.dll
ModLoad: 004d0000 004fe000   dismhost.exe
  220     0 [  2]     Dism!CCmdlineProcessor::ProcessCommandLine eax = 0
  162   970 [  1]   Dism!CCmdlineProcessor::Run
                        call at 0078de37 
   57     0 [  2]     Dism!CCmdlineProcessor::CloseAndCheckForRestart eax = 0
  169  1027 [  1]   Dism!CCmdlineProcessor::Run
                        call at 0078de48 
   46     0 [  2]     Dism!CLogWrapper::WriteLogFooter eax = 0
  173  1073 [  1]   Dism!CCmdlineProcessor::Run
                        call at 0078de56 
PID=5076 Encountered a loaded provider DISMLogger. - CDISMProviderStore::Internal_DisconnectProviderPID=5076 Disconnecting Provider: DISMLogger - CDISMProviderStore::Internal_DisconnectProvider    7     0 [  2]     Dism!CCmdlineProcessor::Cleanup eax = 0
  178  1080 [  1]   Dism!CCmdlineProcessor::Run
                        call at 0078de63 
   11     0 [  2]     Dism!CErrorHelper::DisplayError eax = 0
  181  1091 [  1]   Dism!CCmdlineProcessor::Run
                        call at 0078de6b 
   10     0 [  2]     Dism!CCmdlineProcessor::HresultToWin32 eax = 0
  185  1101 [  1]   Dism!CCmdlineProcessor::Run
                        call at 0078de78 
   12     0 [  2]     Dism!ATL::CStringData::Release eax = 1
  188  1113 [  1]   Dism!CCmdlineProcessor::Run
                        call at 0078de83 
    7     0 [  2]     Dism!ATL::CStringData::Release eax = 7c4e24
  192  1120 [  1]   Dism!CCmdlineProcessor::Run
                        call at 0078dc31 
   68     0 [  2]     Dism!CDismWrapper::~CDismWrapper eax = 6
  195  1188 [  1]   Dism!CCmdlineProcessor::Run
                        call at 0078dc40 
   33     0 [  2]     Dism!CDismConfig::~CDismConfig
    7     0 [  2]     Dism!ATL::CStringData::Release eax = 7c4e24
  198  1228 [  1]   Dism!CCmdlineProcessor::Run
                        call at 0078dbba 
   11     0 [  2]     Dism!_EH_epilog3 eax = 0
  199  1239 [  1]   Dism!CCmdlineProcessor::Run eax = 0
   21  1530 [  0] Dism!wmain

1551 instructions were executed in 1550 events (0 from other threads)

Function Name                               Invocations MinInst MaxInst AvgInst
Dism!ATL::CSimpleStringT<unsigned short,0>::CSi       2      16      16      16
Dism!ATL::CStringData::Release                        3       7      12       8
Dism!CCmdlineProcessor::Cleanup                       1       7       7       7
Dism!CCmdlineProcessor::CloseAndCheckForRestart       1      57      57      57
Dism!CCmdlineProcessor::HresultToWin32                1      10      10      10
Dism!CCmdlineProcessor::InitializeDism                1      88      88      88
Dism!CCmdlineProcessor::IsDefaultLanguageSpecif       1      91      91      91
Dism!CCmdlineProcessor::ParseCommandLine              1     176     176     176
Dism!CCmdlineProcessor::ProcessCommandLine            1     220     220     220
Dism!CCmdlineProcessor::Run                           1     199     199     199
Dism!CConsoleWriter::CConsoleWriter                   1       4       4       4
Dism!CConsoleWriter::Initialize                       1       9       9       9
Dism!CConsoleWriter::WriteString                      1      13      13      13
Dism!CDismConfig::CDismConfig                         1      56      56      56
Dism!CDismConfig::Initialize                          1      10      10      10
Dism!CDismConfig::Validate                            1      31      31      31
Dism!CDismConfig::get_IsQuietSpecified                1       2       2       2
Dism!CDismConfig::~CDismConfig                        1      33      33      33
Dism!CDismWrapper::CDismWrapper                       1      25      25      25
Dism!CDismWrapper::Load                               1      42      42      42
Dism!CDismWrapper::~CDismWrapper                      1      68      68      68
Dism!CErrorHelper::CErrorHelper                       1      18      18      18
Dism!CErrorHelper::DisplayError                       1      11      11      11
Dism!CLogWrapper::WriteLogFooter                      1      46      46      46
Dism!CMessageWrapper::CMessageWrapper                 1      12      12      12
Dism!CMessageWrapper::Initialize                      1      27      27      27
Dism!GetRunningExeVersion                             1      63      63      63
Dism!_EH_epilog3                                      1      11      11      11
Dism!_EH_prolog3_catch                                1      18      18      18
Dism!operator new                                     3      11      11      11
Dism!wmain                                            1      21      21      21
KERNELBASE!SetErrorMode                               1      25      25      25
kernel32!SetConsoleCtrlHandler                        1      25      25      25
kernel32!SetErrorMode                                 1       1       1       1
kernel32!SetErrorModeStub                             1       5       5       5
kernel32!SetThreadUILanguage                          1      36      36      36

0 system calls were executed

eax=00000000 ebx=00000000 ecx=0078dbbf edx=00000003 esi=00000001 edi=007dd3e8
eip=0079a18f esp=0021fb90 ebp=0021fbcc iopl=0         nv up ei pl nz na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000206
Dism!_initterm_e+0x163:
0079a18f 83c40c          add     esp,0Ch

Attachments
windbg.JPG
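The wt listing above is dense but regular: each trace line carries the cumulative instruction count inside the function, the cumulative count inside its callees, the call depth in brackets, the symbol, and, on the line where that call returned, eax. As an added example that is not code from blabberer's post, this Python parser turns such a listing into per-invocation records and rebuilds the Invocations/MinInst/MaxInst/AvgInst table wt prints at the end. The sample it runs on is a constructed, abridged excerpt of the trace above (with one ModLoad line left in where the loader output interleaves), and the names parse_wt, summarize and Invocation are the example's own.

```python
"""Parse WinDbg 'wt' (watch-and-trace) output into per-invocation records.

Added example, not code posted in the thread. Assumed line shape, taken from the
listing above:
    <instr in function> <instr in callees> [<depth>] <symbol> [eax = <hex>]
Both counters are cumulative for one invocation; a trailing 'eax = ...' is the
line on which that invocation returned. Everything else ('call at', ModLoad,
the summary table, the register dump, DISM's own log text) is skipped.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

WT_LINE = re.compile(
    r"(\d+)\s+(\d+)\s+\[\s*(\d+)\]\s+(.+?)(?:\s+eax\s*=\s*([0-9a-fA-F]+))?\s*$")


@dataclass
class Invocation:
    name: str
    depth: int
    own: int = 0                 # instructions executed in the function itself
    children: int = 0            # instructions executed in its callees
    ret: Optional[str] = None    # eax as printed by wt when the call returned


def parse_wt(text: str) -> List[Invocation]:
    """Return one Invocation per call wt reported, in the order they started."""
    calls: List[Invocation] = []
    stack: List[Invocation] = []          # open frames, depths strictly increasing
    for line in text.splitlines():
        m = WT_LINE.search(line)          # search(): DISM log text can be glued in front
        if not m:
            continue
        own, children, depth = int(m[1]), int(m[2]), int(m[3])
        name, eax = m[4], m[5]
        while stack and stack[-1].depth > depth:
            stack.pop()                   # a shallower line means deeper frames are done
        if stack and stack[-1].depth == depth and stack[-1].name != name:
            stack.pop()                   # tail jump, e.g. SetErrorModeStub -> SetErrorMode
        if stack and stack[-1].depth == depth:
            frame = stack[-1]             # same function continuing after a callee returned
        else:
            frame = Invocation(name, depth)
            calls.append(frame)
            stack.append(frame)
        frame.own, frame.children = own, children
        if eax is not None:
            frame.ret = eax
            stack.pop()                   # returned: frame closed
    return calls


def summarize(calls: List[Invocation]) -> Dict[str, Tuple[int, int, int, int]]:
    """Per symbol: (invocations, min, max, avg instructions), like wt's own table."""
    counts: Dict[str, List[int]] = {}
    for c in calls:
        counts.setdefault(c.name, []).append(c.own)
    return {n: (len(v), min(v), max(v), sum(v) // len(v)) for n, v in counts.items()}


# Constructed excerpt, abridged from the wt listing posted in the thread.
SAMPLE_WT = r"""0:000> wt -m dism -l 2 -oR -oa
Tracing Dism!wmain to return address 0079a18f
   10     0 [  0] Dism!wmain
                      call at 0078dea6 
   36     0 [  1]   kernel32!SetThreadUILanguage eax = 409
   12    36 [  0] Dism!wmain
                      call at 0078deae 
    5     0 [  1]   kernel32!SetErrorModeStub
    1     0 [  1]   kernel32!SetErrorMode
   25     0 [  1]   KERNELBASE!SetErrorMode eax = 1
   15    67 [  0] Dism!wmain
                      call at 0078debb 
   25     0 [  1]   kernel32!SetConsoleCtrlHandler eax = 1
   19    92 [  0] Dism!wmain
                      call at 0078deca 
    3     0 [  1]   Dism!CCmdlineProcessor::Run
                        call at 0078dad8 
   18     0 [  2]     Dism!_EH_prolog3_catch eax = 21fb60
    7    18 [  1]   Dism!CCmdlineProcessor::Run
                        call at 0078db62 
   11     0 [  2]     Dism!operator new eax = 551758
   44   233 [  1]   Dism!CCmdlineProcessor::Run
ModLoad: 58b60000 58bb2000   C:\Windows\System32\Dism\DismCore.dll
                        call at 0078dbe4 
   11     0 [  2]     Dism!operator new eax = 551780
  199  1239 [  1]   Dism!CCmdlineProcessor::Run eax = 0
   21  1530 [  0] Dism!wmain
"""

if __name__ == "__main__":
    calls = parse_wt(SAMPLE_WT)
    for c in calls:
        print(f"{'  ' * c.depth}{c.name}  own={c.own} callees={c.children} eax={c.ret}")
    for name, row in sorted(summarize(calls).items()):
        print(f"{name:<50} {row}")
```

Once the listing is in a file (windbg's .logopen, or cdb output redirected to a file) the script reproduces the summary without rerunning the trace, and the per-invocation list with eax values is a convenient place to pick the functions to put breakpoints on. A return is only recognised where wt printed eax, so a frame that never returns inside the traced range is closed when the next shallower line appears; the average is integer division, which is what wt's AvgInst column shows.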
WaxfordSqueers
Senior Member
Posts: 1000
Joined: Tue Apr 06, 2004 11:00 am

Post by WaxfordSqueers »

Thanks, Blabbs...that's far more than I expected. Invaluable. I played with it last night and got to the INT 3 at 7c90120e followed by a ret @ 7c90120f. That was in the disassembly screen. I opened a register window and a stack window and saw that I was in ntdll.dll. I began single-stepping, examining any calls and deciding whether to step over them or not. I stepped over one that seemed harmless and got a bsod with 0x50. It was late so I packed it up.

Anyway, armed with the info in your last post I will go at it again with the proper command line. I am aware of your advice re the command lines. This is the stuff I enjoy doing and I need to get windbg set up again like I had it before, with the different windows arranged in a workspace. Also, need to re-familiarize myself with the various commands. It's easier second time around.
WaxfordSqueers
Senior Member
Posts: 1000
Joined: Tue Apr 06, 2004 11:00 am

Post by WaxfordSqueers »

More detail later. Just ran your commands from post above and they ran successfully on W7 dism. Got a huge amount of detail. Running dism in a cmd window with same command line tells me: The current edition cannot be upgraded to any target editions.

I am using the same dism on XP but I don't have the symbols for dism or dismcore or logprovider. I got pdb files for all three and transferred them verbatim to the XP symbol store. However, dism on XP is looking for a different key code.

e.g. on W7, dism.pdb is listed under EF13480920E241AFBC390A2E53385EF51 whereas on XP, windbg is looking for FC16251BCD464911ABACF246B69F65021.

***********
OK....found a way to get a few of them using the command:

"C:\Program Files (x86)\Windows Kits\10\Debuggers\x86\symchk.exe" /r c:\windows /s SRV*c:\symbols\*http://msdl.microsoft.com/download/symbols

changed to http so it won't appear as a hyperlink. Just change the xx to tt. Well...just a minute, when I enter the xx the system corrects it to tt and doesn't produce a hyperlink. Wait another minute, now the hyperlink is back. :p

The c:\windows is the directory containing the files you want checked, and the c:\symbols is the directory to store any retrieved pdb files.

I copied a bunch of files from system32 from my XP installation to my win7 disk, which has the internet. Inserted them in a directory tmp5 instead of c:\windows as above. Opened a command window at C:\Program Files (x86)\Windows Kits\10\Debuggers\x86\symchk.exe, and entered the command above as:

symchk /r c:\tmp5 /s SRV*c:\tmp6\*http://msdl.microsoft.com/download/symbols

Hit enter and lo and behold it filled my tmp6 directory with the right XP symbols, all with the right codes. :yay:

Got the key core kernel files including ntoskrnl, ntdll, win32k, ole, advapi, etc. Even got the proper pdb for dism.

Created a directory, tmp6, and used it in place of the last c:\windows before SRV.

The only files that failed to d/l were user32 and kdcom.dll.

************

Incidentally, if I run dism on xp from the waik package, the moment the cmd window opens in windbg, I get a bsod 0x50 related to win32k.sys. Error = PAGE_FAULT_IN_NONPAGED_AREA.

Oddly, if I run the dism I stole from W7, I don't get the page fault. Of course, I have not run the full code. I may get one eventually.

Actually, I just ran it without the command you provided, just the /online /get-targeteditions, and I got the same error I always get. Will pursue this later.

Thanks again, for your tute, like I said, invaluable.
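The two keys quoted above (EF13480920E241AFBC390A2E53385EF51 on W7, FC16251BCD464911ABACF246B69F65021 on XP) are not arbitrary: windbg and symchk build the symbol-store path from the GUID and age stored in the executable's own CodeView (RSDS) debug record, so two differently built dism.exe files ask for two different dism.pdb keys even though the file names match, and copying a pdb "verbatim" can never satisfy the other build. As an added example that is not code from the thread, the following script reads that record from a PE image and prints the store path symchk would populate; the image it parses is a minimal PE constructed inline around the thread's two GUID/age pairs, not a real dism.exe, and pdb_symbol_key, build_sample_pe and key_for are the example's own names.

```python
"""Derive the symbol-store key WinDbg/symchk ask for from a PE's RSDS record.

Added example, not code from the thread. The key is <GUID as hex><age in hex>,
read from the IMAGE_DEBUG_TYPE_CODEVIEW entry of the PE debug directory; the
store path is <pdb name>/<key>/<pdb name>. The PE image parsed below is
constructed inline (build_sample_pe) around the two GUID/age pairs quoted in
the thread; it is not a real dism.exe.
"""
import struct
import uuid
from typing import List, Optional, Tuple

IMAGE_DIRECTORY_ENTRY_DEBUG = 6
IMAGE_DEBUG_TYPE_CODEVIEW = 2
DEBUG_DIR_ENTRY_SIZE = 28        # sizeof(IMAGE_DEBUG_DIRECTORY)


def _rva_to_offset(rva: int, sections: List[Tuple[int, int, int, int]]) -> int:
    for va, vsize, raw_ptr, raw_size in sections:
        if va <= rva < va + max(vsize, raw_size):
            return rva - va + raw_ptr
    raise ValueError(f"RVA {rva:#x} is not inside any section")


def pdb_symbol_key(image: bytes) -> Optional[Tuple[str, str]]:
    """Return (pdb file name, symbol-store path), or None when there is no RSDS record."""
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", image, coff + 2)[0]
    opt_size = struct.unpack_from("<H", image, coff + 16)[0]
    opt = coff + 20
    magic = struct.unpack_from("<H", image, opt)[0]
    dirs = opt + (96 if magic == 0x10B else 112)              # PE32 vs PE32+
    dbg_rva, dbg_size = struct.unpack_from("<II", image, dirs + 8 * IMAGE_DIRECTORY_ENTRY_DEBUG)
    if dbg_size == 0:
        return None
    sections = []
    for i in range(num_sections):                             # section table follows the optional header
        hdr = opt + opt_size + 40 * i
        vsize, va, raw_size, raw_ptr = struct.unpack_from("<IIII", image, hdr + 8)
        sections.append((va, vsize, raw_ptr, raw_size))
    dbg_off = _rva_to_offset(dbg_rva, sections)
    for i in range(dbg_size // DEBUG_DIR_ENTRY_SIZE):
        entry = dbg_off + DEBUG_DIR_ENTRY_SIZE * i
        dtype, size, _rva, raw_ptr = struct.unpack_from("<IIII", image, entry + 12)
        if dtype != IMAGE_DEBUG_TYPE_CODEVIEW:
            continue
        cv = image[raw_ptr:raw_ptr + size]
        if cv[:4] != b"RSDS":                                 # PDB 7.0 signature
            continue
        guid = uuid.UUID(bytes_le=cv[4:20])                   # GUID is stored little-endian
        age = struct.unpack_from("<I", cv, 20)[0]
        name = cv[24:].split(b"\0", 1)[0].decode("ascii")
        key = f"{guid.hex.upper()}{age:X}"                    # no dashes, age in hex, no padding
        return name, f"{name}/{key}/{name}"
    return None


def build_sample_pe(guid: uuid.UUID, age: int, pdb_name: bytes) -> bytes:
    """Constructed minimal PE32: headers in the first 0x200 bytes, one section at
    RVA 0x1000 / file 0x200 holding the debug directory and the RSDS record."""
    cv = b"RSDS" + guid.bytes_le + struct.pack("<I", age) + pdb_name + b"\0"
    sect_rva, sect_raw = 0x1000, 0x200
    dbg_dir = struct.pack("<IIHHIIII", 0, 0, 0, 0, IMAGE_DEBUG_TYPE_CODEVIEW, len(cv),
                          sect_rva + DEBUG_DIR_ENTRY_SIZE, sect_raw + DEBUG_DIR_ENTRY_SIZE)
    sect_data = dbg_dir + cv
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                   # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x102)   # i386, one section
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                     # PE32 magic
    struct.pack_into("<I", opt, 92, 16)                       # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 96 + 8 * IMAGE_DIRECTORY_ENTRY_DEBUG, sect_rva, len(dbg_dir))
    sect = struct.pack("<8sIIIIIIHHI", b".rdata", len(sect_data), sect_rva,
                       0x200, sect_raw, 0, 0, 0, 0, 0x40000040)
    headers = (bytes(dos) + b"PE\0\0" + coff + bytes(opt) + sect).ljust(sect_raw, b"\0")
    return headers + sect_data.ljust(0x200, b"\0")


def key_for(guid_text: str, age: int, pdb_name: str = "dism.pdb") -> Optional[Tuple[str, str]]:
    """Round trip: build the sample image for a GUID/age pair and read its key back."""
    return pdb_symbol_key(build_sample_pe(uuid.UUID(guid_text), age, pdb_name.encode("ascii")))


if __name__ == "__main__":
    for g in ("EF134809-20E2-41AF-BC39-0A2E53385EF5",   # W7 dism.pdb key from the thread
              "FC16251B-CD46-4911-ABAC-F246B69F6502"):  # key windbg asked for on XP
        print(key_for(g, 1))
```

Pointing pdb_symbol_key at a real executable (read the file as bytes) gives the exact subdirectory symchk creates under the store, which is a quick way to tell, before going online, whether a pdb you already have on disk belongs to the binary in front of you: if the GUID/age printed for the exe is not the folder the pdb sits in, windbg will ignore that pdb no matter what it is called.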
Kayaker
Posts: 4169
Joined: Thu Oct 26, 2000 11:00 am

Post by Kayaker »

WaxfordSqueers wrote: "C:\Program Files (x86)\Windows Kits\10\Debuggers\x86\symchk.exe" /r c:\windows /s SRV*c:\symbols\*http://msdl.microsoft.com/download/symbols

changed to http so it wont appear as a hyperlink. Just change the xx to tt. Well...just a minute, when I enter the xx the system corrects it to tt and doesn't produce a hyperlink. Wait another minute, now the hyperlink is back. :p
Lol, one of the many modifications I made to this forum

Code:

<style name="vB4 Default Style" vbversion="4.1.0" product="vbulletin" type="custom">
    <templategroup name="Replacement Var Special Templates">
        <template name="hx xp" templatetype="replacement" date="0" username="" version=""><![CDATA[http]]></template>
        ...
    </templategroup>

People used to routinely replace tt with xx in http links with the idea to not have them refer back to perceived cracking posts. I got tired of this and in an attempt to validate this place as Not-a-cracking forum I made the change. In fact I can't even paste the original code without modifying to hx xp.

You didn't think the forum code was immune to reversing too did you? :D