Fbreseal, EWF and SID corruption.

Mark K Vallevand

Testers of our released image are reporting user group SID corruption. The
Administrator group and the User group need to be re-created in the final
running image in the field because of the corruption. This corruption is
currently being blamed on the way I build the XPe image.

Here is what I do.

- Create an image with necessary components, including disabled EWF,
Administrator account, and 3 specific user accounts.
- Write the image to HDD.
- Boot through FBA.
- Sign on as Administrator and finish setting up the image. I include the
registry change for EWF to run without its partition.
- Disable pagefile.
- Enable EWF.
- Shutdown.
- Delete EWF partition using DOS.
- Startup.
- Sign on as Administrator and confirm that EWF is enabled and registry
value is correct.
- Delete pagefile.
- Commit EWF.
- Shutdown.
- Deliver image internally to another group that:
- Writes the image to CF device.
- Startup.
- Sign on as Administrator.
- Installs application software.
- Sets up IIS and webpages.
- Create user groups.
- Commit EWF.
- Restart.
- Sign on as Administrator. Confirm that image is ready to go.
- Commit EWF.
- Fbreseal.
- Power off and deliver to mass reproduction.

Is there anything in this sequence that can corrupt user group SIDs?
Does fbreseal change anything related to user or group SIDs?
 
Brad Combs

Mark,

Are you running any switches on FBReseal? /Keepall, etc. I'm not entirely
sure that the switches are needed using the Q810144 version of the Cloning
Component. As long as cmiRemoveUserSettings is false it should preserve all
the account information. Is this happening over time? As in maybe your users
have access to the Users applet in Control Panel and are changing something,
or changing the workgroup name, or trying to join a domain? All these seem
unlikely since you're using the write filter. Maybe they have a way to commit
the write filter?

HTH,
Brad Combs
Imago Technologies
 
Mark K Vallevand

Excellent point about the /Keepall or cmiRemoveUserSettings, but that is not
it. All the cmiRemoveXXX settings are false.

I'm pretty sure this is not a problem with my image, but I need to make sure
there are no known problems with SIDs, fbreseal and EWF.

I think that they created new user groups, changed computer name, or
something, and didn't commit the EWF. Or a variant like that. Yes, they can
commit EWF. This is still a group within the company. They supposedly
understand EWF and commit.
 
Doug Hoeffel

Mark:

Did you reseal more than once? I remember some time ago someone from MS
explained what problems this may cause. The key word is "may". I think the
potential problems were related to IIS. MS deletes the reseal files after
it has run to try to keep this from happening.

Also, do you think someone could have turned off power after an EWF commit?
This could cause corruptions as well since the commit needs a graceful
shutdown, at least for a RAM-based EWF. I have seen this on my product where
the C: partition got corrupted after a non-graceful shutdown after a commit.
I fixed it by disabling the EWF, chkdsk'ing, then re-enabling the EWF.

HTH... Doug
 
Mark K Vallevand

Yes, all of these are possible. We really don't know what happened. At
this point we are waiting for someone to reproduce the problem.
 
Slobodan Brcin

Mark,

This is the same post I sent you yesterday, but just for the record.

0.
- Create an image with necessary components.
- Use my approach from www.xpefiles.com to create an EWF solution that will not
create an EWF partition, and configure it to be disabled by default.
- Configure your image from TD not to use pagefile.
1.
- Write the image to HDD.
- Boot through FBA.
- Sign on as Administrator and finish setting up the image.
- Disable device.
2.
- Deliver image internally to another group that:
- Writes the image to CF device.
- Startup.
- Sign on as Administrator.
- Installs application software.
- Sets up IIS and webpages.
- Create user groups.
- Restart.
4.
- Sign on as Administrator. Confirm that image is ready to go.
- Set something like a runonce request that will enable EWF the next time the
device is started and after the reseal is done.
- Fbreseal.
- Power off and deliver to mass reproduction.
- After device is enabled it will need one additional restart so EWF becomes
enabled.

Regards,
Slobodan
 