EWF and IIS: IIS metabase updates missing after restart.

Mark K Vallevand

I'm using RAM-based EWF protection of C: and changes to the IIS metabase
(like virtual directory settings) are disappearing after commit and restart.
Other changes to the C: are written successfully and appear correctly after
commit and restart. But, some changes to the IIS metabase are working only
during the current session. Examination of IIS during the session looks
correct. Commit the changes and restart. The IIS changes are gone. This
is not completely consistent because only some IIS configuration is lost
after a commit and restart.

Oh, restart is "xpepm -restart". Could the metabase be cached and not
flushed until some service is shut down in an orderly way? A test has
confirmed this. If IIS is stopped and started or a Windows restart is done,
the IIS configuration is not lost (assuming the EWF is committed, of
course).

This is not good. Are there any other services that don't write their
information to disk until they are terminated in an orderly way?

Is there a way to call the real Windows Restart or Shutdown from a batch
file?
 
KM

Mark,

What do you mean by "real" restart? You may try the ExitWindowsEx API.
Btw, do you see the same loss of IIS configuration using shutdown.exe?

Also, you could probably make use of the "net /stop" command to properly (in proper order) stop the necessary services, including IIS, before or after the EWF commit but definitely before calling restart. You mention batch file processing, so it should be easy for you to add more commands in the batch file.

KM
BSquare Corporation



 
Mark K Vallevand

I haven't tried shutdown.exe. It's not in my image. Easy to fix that. I
think it might be a better choice. And, I can add net /stop to the batch
files, I guess. I didn't think of that.

Is there a reason for xpepm? Maybe a very light-weight version of
shutdown.exe? Perhaps I don't want to ever use xpepm.

Thanks.

--
Regards.
Mark K Vallevand


 
KM

Mark,

I don't have the sources of XPePM and can't speak for the MS guys, but exploring the import sections of xpepm.dll/xpepm.exe and shutdown.exe, it is easy to notice that xpepm only imports the NtShutdownSystem API (ntdll.dll's fastest way to shut down the OS) while shutdown.exe also imports ExitWindowsEx (user32.dll's slow shutdown with all the OS and services file/data flushes). So, I guess shutdown.exe is the "more appropriate" way to shut down Winlogon images while xpepm is good for Minlogon (no user accounts) images.
It is just a guess, though. Anyway, it is worth trying the shutdown.exe tool (and the ExitWindowsEx API) on your target :)

KM
BSquare Corporation



 
Mark K Vallevand

I've included shutdown.exe and am using it instead of xpepm.exe. It's great.
Exactly what I want. Great tip. Thanks.

--
Regards.
Mark K Vallevand
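
The sequence this thread converges on, written out as a batch file (an added example, not posted by either participant): stop IIS so the cached metabase is written out, request the EWF commit, then restart through shutdown.exe rather than xpepm. It assumes ewfmgr.exe, net.exe, sc.exe, find.exe and shutdown.exe are all present in the image, that C: is the protected volume, and that the IIS Admin service has its standard name IISADMIN.

```bat
@echo off
rem Added example: orderly commit-and-restart for a RAM-based EWF image with IIS.
rem Assumptions: C: is the EWF-protected volume; ewfmgr, net, sc, find and
rem shutdown.exe are included in the XP Embedded image.
setlocal

rem 1. If IIS Admin is running, stop it together with its dependent services
rem    (/y answers the dependency prompt). Stopping IIS is what the thread
rem    found makes the metabase changes survive the restart.
sc query IISADMIN | find "RUNNING" >nul
if not errorlevel 1 (
    net stop IISADMIN /y
    if errorlevel 1 goto iis_failed
)

rem 2. Confirm the service really reached the STOPPED state before continuing.
sc query IISADMIN | find "STOPPED" >nul
if errorlevel 1 goto iis_failed

rem 3. Request that the RAM overlay be committed to C:.
ewfmgr c: -commit

rem 4. Restart with shutdown.exe (the orderly ExitWindowsEx path discussed
rem    above) instead of "xpepm -restart".
shutdown -r -t 0
goto :eof

:iis_failed
echo IIS Admin did not stop cleanly; restart skipped to avoid losing metabase changes. 1>&2
exit /b 1
```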


 
