File Ownership Lost After FBA... Please Help!

gasmonso

After deploying my initial SP2 image to the target device, I reboot and
wait for the FBA to finish. The reseal is done manually, so I can
manually configure some software before resealing. But I have noticed a
strange problem with file/directory ownership. All core Windows
directories including C:\Windows and C:\Program Files have a SID as the
owner as with all their subdirectories and files. I assume that this
was the SID of the "Administrator" before FBA ran, but that information
is lost now. Even files that were copied over as part of a component
are losing the Administrator ownership information and being replaced
by a SID.

Now I know people in the past have suggested just writing a script to
redo the ownerships, but that is nothing more than a hack. Does anyone
know the root cause of this issue and how to fix it properly? This
image is for a medical product and I need to be very careful with how I
go about modifying it.

Your timely help would be greatly appreciated!



Regards,

Another Overworked Engineer
 
Guest

I don't remember seeing something similar. It sounds like, in your case, the
filesystem permissions were not restored correctly after fbreseal changed
the computer SID. Note that user SIDs derive from the computer SID. Since
fbreseal generates a new random computer SID (so that every clone has
unique computer SID) on the next boot after you ran it, all user SIDs will
change too and the filesystem and registry permissions should be reset to
use the new user SIDs.

I'm shooting in the dark here, but could you check if your runtime has the
"Windows Security Configuration Editor Client Engine" component? This
component includes scecli.dll which fbreseal seems to call into immediately
after the computer SID has changed. This dll is used by the Security Config
Manager for many tasks including changing permissions, applying policies,
etc.

If this doesn't resolve the issue, please contact MS Support to reproduce
the problem on their side and do further investigation.

KS

This posting is provided "AS IS" with no warranties and confers no rights.
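As an added illustration of KS's point about SIDs (example code written for this edit, not from the thread, from Microsoft, or from the XP Embedded tools): a local account SID is the computer SID plus a RID, so an owner SID that was stamped under a different computer SID cannot be mapped to a name on the current machine and tools fall back to showing the raw S-1-5-21-... string. The two machine SIDs, the paths and the owner list in the sample are constructed; the well-known SIDs and the Administrator/Guest RIDs are the standard documented values.

```python
"""Classify file-owner SIDs against the current computer SID (added example)."""
import re
from collections import Counter

# Well-known SIDs are the same on every Windows install, so they resolve to a
# name no matter what the computer SID is (standard documented values).
WELL_KNOWN = {
    "S-1-1-0": "Everyone",
    "S-1-3-0": "CREATOR OWNER",
    "S-1-5-18": r"NT AUTHORITY\SYSTEM",
    "S-1-5-32-544": r"BUILTIN\Administrators",
    "S-1-5-32-545": r"BUILTIN\Users",
}

# RIDs of the built-in local accounts (standard values).
KNOWN_RIDS = {500: "Administrator", 501: "Guest"}

SID_RE = re.compile(r"^S-1-\d+(?:-\d+)+$")


def parse_sid(sid):
    """Return the sub-authorities of a string SID as ints; ValueError if malformed."""
    if not SID_RE.match(sid):
        raise ValueError("not a string SID: %r" % (sid,))
    return [int(part) for part in sid.split("-")[2:]]


def account_parts(sid):
    """Split an S-1-5-21-a-b-c-RID account SID into ((5, 21, a, b, c), RID).

    Returns None for anything that is not a machine/domain account SID.
    """
    subs = parse_sid(sid)
    if len(subs) == 6 and subs[0] == 5 and subs[1] == 21:
        return tuple(subs[:5]), subs[5]
    return None


def classify_owner(owner_sid, machine_sid):
    """Explain whether an owner SID can be resolved to a name on this machine.

    machine_sid is the computer SID (S-1-5-21-a-b-c, no RID). Local account
    SIDs are that value plus a RID, which is why replacing the computer SID
    (as fbreseal does) orphans every owner SID derived from the old one.
    """
    if owner_sid in WELL_KNOWN:
        return "well-known", WELL_KNOWN[owner_sid]
    acct = account_parts(owner_sid)
    if acct is None:
        return "unknown", owner_sid
    domain, rid = acct
    if domain != tuple(parse_sid(machine_sid)):
        # The account belonged to a computer with a different SID: nothing on
        # this machine can map it to a name, so tools display the raw SID.
        return "orphaned", owner_sid
    return "local", KNOWN_RIDS.get(rid, "local account RID %d" % rid)


def audit(owners, machine_sid):
    """Count owner categories and list the paths whose owner is orphaned."""
    counts = Counter()
    orphaned = []
    for path, sid in owners:
        category, _ = classify_owner(sid, machine_sid)
        counts[category] += 1
        if category == "orphaned":
            orphaned.append(path)
    return dict(counts), orphaned


# Constructed sample data (hypothetical SIDs and paths, not from the thread).
BUILD_MACHINE_SID = "S-1-5-21-111-222-333"       # computer SID before reseal
CURRENT_MACHINE_SID = "S-1-5-21-1000-2000-3000"  # computer SID after reseal
SAMPLE_OWNERS = [
    (r"C:\WINDOWS", BUILD_MACHINE_SID + "-500"),
    (r"C:\WINDOWS\system32", BUILD_MACHINE_SID + "-500"),
    (r"C:\Program Files", BUILD_MACHINE_SID + "-500"),
    (r"C:\Documents and Settings\Administrator", CURRENT_MACHINE_SID + "-500"),
    (r"C:\WINDOWS\FBA\fbalog.txt", "S-1-5-18"),
    (r"C:\WINDOWS\security\templates\setup security.inf", "S-1-5-32-544"),
]

if __name__ == "__main__":
    counts, orphaned = audit(SAMPLE_OWNERS, CURRENT_MACHINE_SID)
    print("owner categories:", counts)
    for path in orphaned:
        print("orphaned owner on", path)
```

On a real device the (path, owner SID) pairs would come from an ownership listing of the file system; the classification step itself needs no Windows API, which is what makes it useful for comparing an image before and after reseal.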
 
gasmonso

I should emphasize that the ownership of the files and directories is
messed up BEFORE I do the reseal. So after the initial FBA and
before the reseal is where this issue first appears. Of course after
reseal, the issue is still there.

gasmonso
 
Guest

Does FBA log (%Windows%\FBA\fbalog.txt) show anything abnormal,
particularly related to installing security components, user accounts,
etc? Did FBA create a "C:\WINDOWS\security\templates\setup security.inf"
file? This security template defines the default filesystem permissions.
Also check if your build has the security-related components, especially
those with "Security Configuration" in their names. Also include
"Primitive: FBASec". You probably need to build a relatively more
full-featured image and if it works, narrow it down to the missing
component.

KS


This posting is provided "AS IS" with no warranties and confers no rights.
 
gasmonso

Thanks for chiming in KS :) I have scoured the logs and found a few
things:

All log entries pertaining to security or user accounts...

10:34:19 AM - [FBASetProgressText] Setting PNP Flag...
10:34:21 AM - [FBAApplySecurityStringToRegKey] RegSetKeySecurity Failed! Error: 0x6
10:34:21 AM - [FBAReplaceSecurityInRegistry] FBAApplySecurityStringToRegKey(009) #1 Failed!
10:34:41 AM - [FBASetProgressText] Initializing...
..
..
..
10:34:43 AM - [FBASetProgressText] Installing System Security...
10:35:11 AM - [FBAInstallSecurity] Successfully set security!
10:35:11 AM - [CallEntryPointThread] C:\WINDOWS\FBA\FBASEC.DLL, FBAInstallSecurityPhase1
..
..
10:44:54 AM - [FBASetProgressText] Setting Domain SID...
10:44:56 AM - [CallEntryPointThread] C:\WINDOWS\FBA\FBANET.DLL, FBASetDomainSid
10:44:56 AM - [FBASetProgressText] Creating Users...
10:44:56 AM - [FBACreateUserAccounts: Creating User] Administrator
10:44:57 AM - [FBACreateUserAccounts: Creating User] geservice
10:44:57 AM - [CallEntryPointThread] C:\WINDOWS\FBA\FBASEC.DLL, FBACreateUserAccounts
10:44:57 AM - [FBASetProgressText] Joining Workgroup...
10:44:59 AM - [FBAJoinWorkgroup] NetJoinDomain Succeeded!
10:44:59 AM - [CallEntryPointThread] C:\WINDOWS\FBA\FBANET.DLL, FBAJoinWorkgroup
..
..
10:48:49 AM - [FBASetProgressText] Processing Runonce Items...
10:48:49 AM - [FBALaunch] C:\WINDOWS\system32\mshta.exe /register (ExitCode: 0x0)
10:48:49 AM - [FBALaunch] C:\WINDOWS\system32\fixmapi.exe (ExitCode: 0x0)
10:48:49 AM - [CallEntryPointThread] C:\WINDOWS\FBA\FBAREG.DLL, FBAProcessRunOnceKey
10:49:05 AM - [FBAApplySecurityStringToRegKey] RegSetKeySecurity Failed! Error: 0x6
10:49:05 AM - [FBAReplaceSecurityInRegistry] FBAApplySecurityStringToRegKey(009) #1 Failed!
..
..

====================================================================

I found the 'setup security.inf' file as you mentioned.

I checked my build for security related components and found these:
-Security Configuration Engine Command Line Utility
-Windows Security Configuration Editor Client Engine
-Windows Security Configuration Editor Engine

The primitive FBASec is also in the image.

Do you have any other suggestions? This is really killing me and
slowing down progress on my project.

Thanks,

gasmonso
 
Guest

If it's possible to send me the slx (zipped) to (e-mail address removed),
I'll have a look at it next week.

KS

This posting is provided "AS IS" with no warranties and confers no rights.
 
KM

Just so that you don't spend much time on the errors you mentioned.

SP2 Product Rel Notes say:

"FBA log will show a harmless error if the Performance Counter Configuration component is included in a runtime. The log text is
as follows and can be disregarded.
[FBAApplySecurityStringToRegKey] RegSetKeySecurity Failed! Error: 0x6
[FBAReplaceSecurityInRegistry] FBAApplySecurityStringToRegKey(009) #1 Failed!"

Basically many of us here have been seeing these harmless errors in our FBALogs.

=========
Regards,
KM
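KS asked whether fbalog.txt shows anything abnormal, and KM's note says the two RegSetKeySecurity entries are harmless. The following triage script is an added example written for this edit (not from the thread, Microsoft, or the XP Embedded tools): it parses the entry format shown in the log above, collects every entry that reports a failure or a non-zero exit code, and marks the two release-notes entries as harmless so that only the rest needs a look. The sample input reuses lines gasmonso posted, with the wrapped lines joined, plus one constructed entry with a placeholder executable name to show a failure that would still need attention.

```python
"""Triage an FBA log (fbalog.txt) for failures, separating the known-harmless ones.

Added example; the log entry format is the one visible in the thread.
"""
import re
from dataclasses import dataclass

# Entry format seen in the thread: "10:34:21 AM - [Component] message"
LINE_RE = re.compile(r"^(\d{1,2}:\d{2}:\d{2} [AP]M) - \[([^\]]+)\] (.*)$")
EXIT_RE = re.compile(r"\(ExitCode: (0x[0-9A-Fa-f]+)\)")
FAIL_RE = re.compile(r"\bfail", re.IGNORECASE)

# The two entries the SP2 release notes (as quoted by KM) call harmless when
# the Performance Counter Configuration component is in the runtime.
KNOWN_HARMLESS = (
    ("FBAApplySecurityStringToRegKey", "RegSetKeySecurity Failed! Error: 0x6"),
    ("FBAReplaceSecurityInRegistry", "FBAApplySecurityStringToRegKey(009) #1 Failed!"),
)


@dataclass
class Finding:
    time: str
    component: str
    message: str
    harmless: bool


def parse_line(line):
    """Return (time, component, message) for a log entry, or None for anything else."""
    m = LINE_RE.match(line.strip())
    return m.groups() if m else None


def is_failure(message):
    """True for 'Failed' messages and for FBALaunch entries with a non-zero exit code."""
    if FAIL_RE.search(message):
        return True
    m = EXIT_RE.search(message)
    return bool(m) and int(m.group(1), 16) != 0


def triage(lines):
    """Collect every failure entry, flagging the ones the release notes say to ignore."""
    findings = []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # blank lines, ".." separators, wrapped continuation text
        time, component, message = parsed
        if not is_failure(message):
            continue
        harmless = any(component == c and message.startswith(m) for c, m in KNOWN_HARMLESS)
        findings.append(Finding(time, component, message, harmless))
    return findings


def real_failures(lines):
    """Only the failures that still need investigation."""
    return [f for f in triage(lines) if not f.harmless]


# Sample input: entries gasmonso posted (wrapped lines joined), plus one
# constructed non-harmless entry with a placeholder executable name.
SAMPLE_LOG = r"""
10:34:19 AM - [FBASetProgressText] Setting PNP Flag...
10:34:21 AM - [FBAApplySecurityStringToRegKey] RegSetKeySecurity Failed! Error: 0x6
10:34:21 AM - [FBAReplaceSecurityInRegistry] FBAApplySecurityStringToRegKey(009) #1 Failed!
10:34:43 AM - [FBASetProgressText] Installing System Security...
10:35:11 AM - [FBAInstallSecurity] Successfully set security!
10:44:56 AM - [FBACreateUserAccounts: Creating User] Administrator
10:44:59 AM - [FBAJoinWorkgroup] NetJoinDomain Succeeded!
10:48:49 AM - [FBALaunch] C:\WINDOWS\system32\fixmapi.exe (ExitCode: 0x0)
10:49:05 AM - [FBAApplySecurityStringToRegKey] RegSetKeySecurity Failed! Error: 0x6
10:49:05 AM - [FBAReplaceSecurityInRegistry] FBAApplySecurityStringToRegKey(009) #1 Failed!
10:49:30 AM - [FBALaunch] C:\WINDOWS\system32\PLACEHOLDER.exe (ExitCode: 0x1)
..
"""


def sample_lines():
    """The constructed sample log as a list of lines."""
    return SAMPLE_LOG.splitlines()


if __name__ == "__main__":
    for f in triage(sample_lines()):
        tag = "harmless (release notes)" if f.harmless else "INVESTIGATE"
        print("%s  %-34s %s  [%s]" % (f.time, f.component, f.message, tag))
```

To run it against a device, read %Windows%\FBA\fbalog.txt into a list of lines and pass that to real_failures(); anything it returns is worth correlating with the security-component list KS suggested checking.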


 
