More fbreseal strange behavior

Desi

I have prepared a target device exactly the way that I want it, and ran


fbreseal.exe -keepall

After a few moments, it comes back with a prompt that it finished
sealing and would reboot. Once it rebooted, I shut it down and imaged
the device.

I applied the image to a new, but identical device. Upon booting up,
the device appeared to be generating new SIDs and whatever else it
needs to do after a reseal.

Here's where the strange behavior comes in:

1) Upon full boot, I logged in as Administrator, and I receive a prompt
that there is no User data for that account (I don't have the exact
message, but I will recreate it later and post it). A new account is
created, "Administrator.NSXXYYZZ", where NSXXYYZZ is the machine name.
Unfortunately, this account lacks the customization that I spent hours
doing by hand, since it was created from the default profile.

2) I also get a "New Hardware found" dialog that prompts me to reboot.
This is the first time that I have seen this on this hardware - did it
change with SP2? I have seen several threads that talk about renaming
newdev.dll to get rid of this dialog, but I am wondering if it is a bug
that has been filed with Microsoft, or is it considered "Standard
operation"? It would be very disappointing if it is. I have built
other images with SP2 and this version of components, without receiving
this dialog - What component did I add to cause it to happen?

So I am now left with trying to use a different SID tool, since I have
little or no faith in Microsoft's FBRESEAL.EXE. I have spent 3 days
sorting out the numerous issues with XPe that should "Just work" but
don't when you get into the details.
 
Mark K Vallevand

1) I've seen this with SP1. After reseal there were 2 administrator
accounts. I worked around it by creating a batch file that executes every
time you log in. The batch file copies my customization from
"Administrator" to the current account. The customization in this case is
on the start menu.

2) I haven't seen the new hardware dialog unless I'm running on slightly
different hardware each time. Our prototype hardware includes video and
kb/mouse ports. Our real hardware is truly headless. And, we have
different BIOSs that report different hardware. So, we see the dialog. I
removed the newdev.dll and have no problems. I just make sure I run FBA on
a machine that has all the devices that we want to support.

3) If you try a different SID changer, don't use SysInternal's NewSID. It's
broken. It does not correctly change security information for COM.

4) I don't trust the SP2 version of fbreseal either. In my case, it looks
like the reseal process runs when a cloned image is booted, but the SIDs
don't seem to change. The fbreseal.exe file is not deleted either.
Fbreseal.exe is supposed to be deleted to prevent running the reseal process
again. Well, it's not deleted. If you run it again, the image will reseal
on the next boot, and fbreseal.exe will be deleted, but security settings are
corrupted. This leads me to believe that the first reseal actually worked,
but the evidence is to the contrary.

5) Microsoft? Anyone there have any comment?
 
Robert

What are your settings for the System Cloning Tool
component? Can you post these here? I have a feeling
that the issues you are seeing have something to do with
the settings of this component, or some other component,
because I have never had any problems like you are seeing
with your image.

Robert
 
Desi

Mark:
#2: I am using the identical hardware for FBA and final delivery. There
should be no difference between the images, yet I get the New Hardware
dialog when I reboot. It degrades my faith in the toolset.

#3 is bad news, as I switched over to NewSID for my image. Do you have
specific examples of what is incorrectly changed?

Robert:

My settings for the system cloning tool are the defaults, except for
changing the reseal phase to 0 so that I could make some changes after
FBA.
 
Mark K Vallevand

This is the text from an email from one of our engineers describing the
security settings in the registry that NewSID does not handle.

------------------------
Reading [1] that security descriptors serialized within registry values are
modified. Take a look at an example DCOM AppId from the registry:
[HKEY_CLASSES_ROOT\AppID\{27AF75ED-20D9-11D1-B1CE-00805FC1270E}]
@="netman"
"LocalService"="netman"
"AuthenticationLevel"=dword:00000000
"LaunchPermission"=hex:01,00,04,80,70,00,00,00,80,00,00,00,00,00,00,00,14,00,\
00,00,02,00,5c,00,04,00,00,00,00,00,18,00,0b,00,00,00,01,02,00,00,00,00,00,\
05,20,00,00,00,20,02,00,00,00,00,14,00,0b,00,00,00,01,01,00,00,00,00,00,05,\
04,00,00,00,00,00,14,00,0b,00,00,00,01,01,00,00,00,00,00,05,13,00,00,00,00,\
00,14,00,0b,00,00,00,01,01,00,00,00,00,00,05,12,00,00,00,01,02,00,00,00,00,\
00,05,20,00,00,00,20,02,00,00,01,02,00,00,00,00,00,05,20,00,00,00,20,02,00,\
00
"AccessPermission"=hex:01,00,04,80,58,00,00,00,68,00,00,00,00,00,00,00,14,00,\
00,00,02,00,44,00,03,00,00,00,00,00,14,00,03,00,00,00,01,01,00,00,00,00,00,\
05,13,00,00,00,00,00,14,00,03,00,00,00,01,01,00,00,00,00,00,05,0a,00,00,00,\
00,00,14,00,03,00,00,00,01,01,00,00,00,00,00,05,12,00,00,00,01,02,00,00,00,\
00,00,05,20,00,00,00,20,02,00,00,01,02,00,00,00,00,00,05,20,00,00,00,20,02,\
00,00
You'll notice the LaunchPermission and AccessPermission values. These are
serialized security descriptors. If I'm not mistaken, these contain SIDs and
their corresponding permissions. From reading [1], I don't see that these
get fixed...
[1] http://www.sysinternals.com/ntw2k/source/newsid.shtml

----------------------

I've sent this and other information to SysInternals. They have not
responded. I don't know if this is the cause of our problems with NewSID.
I do know that COM security settings are messed up after running NewSID. You
just need to look at Administrative Tools->Component Services->Component
Services->Computer->My Computer right-click Properties->COM Security
defaults. The SIDs are not resolved to account names any more, but listed
as raw SIDs.
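The engineer's note above identifies LaunchPermission and AccessPermission as serialized security descriptors, and decoding the quoted bytes confirms it: a self-relative SECURITY_DESCRIPTOR (control 0x8004) with an owner, a group and a four-entry DACL. The script below is an added example, not code from the thread, from fbreseal or from NewSID. It parses the quoted LaunchPermission value, rebuilds it byte-for-byte, and shows the in-place rewrite a SID-changing tool would have to perform on such values: swapping one S-1-5-21 machine-SID prefix for another while keeping every SID the same length so the offsets in the descriptor header stay valid. The machine SIDs used in the demonstration (S-1-5-21-1-2-3 and S-1-5-21-7-8-9) are made up. Note that the netman value quoted here holds only well-known SIDs (Administrators, INTERACTIVE, LOCAL SERVICE, SYSTEM), which do not depend on the machine SID; the values that matter are ones on the same pattern that reference local accounts.

```python
"""Decode the self-relative SECURITY_DESCRIPTOR blobs DCOM stores in
HKCR\\AppID\\{...}\\LaunchPermission and AccessPermission, and show how a
SID-changing tool must rewrite a machine SID inside them in place.
Added example; not code from the thread, fbreseal or NewSID."""
import re
import struct

SE_DACL_PRESENT = 0x0004
SE_SELF_RELATIVE = 0x8000

# Well-known SIDs found in the value quoted in the thread; these do not depend
# on the machine SID and never need rewriting.
WELL_KNOWN = {"S-1-5-4": "INTERACTIVE", "S-1-5-10": "SELF", "S-1-5-18": "SYSTEM",
              "S-1-5-19": "LOCAL SERVICE", "S-1-5-32-544": "BUILTIN\\Administrators"}

# LaunchPermission of the netman AppID, copied from the registry dump above.
LAUNCH_PERMISSION_REG = r"""hex:01,00,04,80,70,00,00,00,80,00,00,00,00,00,00,00,14,00,\
00,00,02,00,5c,00,04,00,00,00,00,00,18,00,0b,00,00,00,01,02,00,00,00,00,00,\
05,20,00,00,00,20,02,00,00,00,00,14,00,0b,00,00,00,01,01,00,00,00,00,00,05,\
04,00,00,00,00,00,14,00,0b,00,00,00,01,01,00,00,00,00,00,05,13,00,00,00,00,\
00,14,00,0b,00,00,00,01,01,00,00,00,00,00,05,12,00,00,00,01,02,00,00,00,00,\
00,05,20,00,00,00,20,02,00,00,01,02,00,00,00,00,00,05,20,00,00,00,20,02,00,\
00"""


def reg_hex_to_bytes(text):
    """Turn 'hex:01,00,04,80,...' with .reg line continuations into bytes."""
    text = text.split("hex:", 1)[-1]
    return bytes(int(tok, 16) for tok in re.split(r"[\s,\\]+", text) if tok)


def sid_at(buf, off):
    """Decode the binary SID at buf[off]; return (string form, encoded length)."""
    rev, count = buf[off], buf[off + 1]
    authority = int.from_bytes(buf[off + 2:off + 8], "big")
    subs = struct.unpack_from("<%dI" % count, buf, off + 8)
    return "S-%d-%d%s" % (rev, authority, "".join("-%d" % s for s in subs)), 8 + 4 * count


def sid_bytes(text):
    """Inverse of sid_at: 'S-1-5-21-a-b-c-500' -> binary SID."""
    parts = text.split("-")
    subs = [int(p) for p in parts[3:]]
    return (bytes([int(parts[1]), len(subs)]) + int(parts[2]).to_bytes(6, "big")
            + struct.pack("<%dI" % len(subs), *subs))


def walk_sids(buf):
    """Yield (role, ace_type, ace_flags, mask, sid_offset) for owner, group and each DACL ACE."""
    rev, _, control, o_owner, o_group, _o_sacl, o_dacl = struct.unpack_from("<BBHIIII", buf, 0)
    if rev != 1 or not control & SE_SELF_RELATIVE:
        raise ValueError("not a self-relative SECURITY_DESCRIPTOR")
    if o_owner:
        yield "owner", None, None, None, o_owner
    if o_group:
        yield "group", None, None, None, o_group
    if control & SE_DACL_PRESENT and o_dacl:
        _, _, _, ace_count, _ = struct.unpack_from("<BBHHH", buf, o_dacl)  # ACL header
        pos = o_dacl + 8
        for _ in range(ace_count):
            ace_type, flags, size, mask = struct.unpack_from("<BBHI", buf, pos)  # ACE header
            yield "ace", ace_type, flags, mask, pos + 8
            pos += size


def parse_sd(buf):
    sd = {"owner": None, "group": None, "dacl": []}
    for role, ace_type, flags, mask, off in walk_sids(buf):
        sid = sid_at(buf, off)[0]
        if role == "ace":
            sd["dacl"].append({"type": ace_type, "flags": flags, "mask": mask, "sid": sid})
        else:
            sd[role] = sid
    return sd


def build_sd(owner, group, aces):
    """Inverse of parse_sd for an owner + group + DACL descriptor (no SACL)."""
    body = b""
    for a in aces:
        sb = sid_bytes(a["sid"])
        body += struct.pack("<BBHI", a["type"], a["flags"], 8 + len(sb), a["mask"]) + sb
    acl = struct.pack("<BBHHH", 2, 0, 8 + len(body), len(aces), 0) + body
    ob, gb = sid_bytes(owner), sid_bytes(group)
    o_owner = 20 + len(acl)  # 20-byte header, DACL directly after it, then owner, group
    hdr = struct.pack("<BBHIIII", 1, 0, SE_SELF_RELATIVE | SE_DACL_PRESENT,
                      o_owner, o_owner + len(ob), 0, 20)
    return hdr + acl + ob + gb


def rewrite_machine_sid(buf, old_prefix, new_prefix):
    """Patch every SID under old_prefix (an S-1-5-21-a-b-c machine SID) to the same RID
    under new_prefix. Equal subauthority counts keep each SID the same length, so the
    offsets stored in the descriptor header stay valid. Returns (new bytes, count)."""
    out, changed = bytearray(buf), 0
    for *_, off in walk_sids(buf):
        sid, size = sid_at(buf, off)
        if sid == old_prefix or sid.startswith(old_prefix + "-"):
            new = sid_bytes(new_prefix + sid[len(old_prefix):])
            assert len(new) == size
            out[off:off + size] = new
            changed += 1
    return bytes(out), changed


LAUNCH_PERMISSION = reg_hex_to_bytes(LAUNCH_PERMISSION_REG)

if __name__ == "__main__":
    sd = parse_sd(LAUNCH_PERMISSION)
    print("owner", sd["owner"], "group", sd["group"])
    for a in sd["dacl"]:
        print("  ACE type=%d mask=0x%02x %s (%s)"
              % (a["type"], a["mask"], a["sid"], WELL_KNOWN.get(a["sid"], "?")))
```

The same walk covers AccessPermission, which has the same layout with a three-entry DACL. A tool that only rewrites SIDs it finds as strings, or only in registry keys it knows about, misses descriptors like these, and the symptom is exactly what Mark describes: a DACL whose SIDs no longer resolve to any local account, so the COM Security dialog shows them raw.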
 
Robert

So you have the cmiRemoveUserSettings set to FALSE? Also,
How are you taking your image of the drive after reseal?
Are you using Ghost? Once you reseal the drive and it
shuts down you don't let it boot back up to windows before
you take your image right? I have seen the new hardware
message as well with some of my images, but I believe this
is because of slight modifications to components on the
mother board. I know this to be true of IBM from looking
at 100's of IBM computers of the same model type.

Robert
 
Desi

Thanks, Mark.

NewSID has a license fee anyway, so I would prefer to get the tools
that were provided with XPe working, if at all possible.

That's proving to be difficult at the moment, and Microsoft does not
appear to be around much in the group lately. :(

In the meantime, our deadlines have come and gone, and people are
having many doubts about the viability of XPe as a product... It just
seems to be really labor-intensive today to build, maintain, and
release products with the tools provided.
 
Desi

cmiServicePackLevel 2
cmiResealDLL <empty>
cmiResealDLLEntry <empty>
cmiResealPhase 0
cmiRemoveAutoLogon TRUE
cmiGenerateComputerName 1
cmiUnjoinDomain TRUE
cmiRemoveNetSettings TRUE
cmiRemoveUserSettings TRUE
cmiRemoveMountedDevices TRUE
cmiNoHelpFiles FALSE
cmiLangEnableMUI TRUE
cmiProtPropList
'cmiServicePackLevel',
'cmiResealDLL',
'cmiResealDLLEntry',
'cmiResealPhase',
'cmiRemoveAutoLogon',
'cmiGenerateComputerName',
'cmiUnjoinDomain',
'cmiRemoveNetSettings',
'cmiRemoveUserSettings',
'cmiRemoveMountedDevices',
'cmiNoHelpFiles',
'cmiLangEnableMUI'
SrcFileSize 90112

I have taken images using Ghost and SDI. The computer was resealed,
shut down, and imaged. There is no reboot from the compact flash in the
unit, but rather from a USB CDROM to WinPE.

The next time it boots up, the New Hardware wizard appears and you have
to walk through the process once to "install" the new hardware.
Subsequent boots do not produce the wizard.

The hardware is *Identical*. It uses an industrial EBX PC and we had
them manufactured for us to our specs. Motherboard and component specs
are identical, as are compact flash and other pieces. Could they end up
with different Plug N Play ID's and be detected as "New"?
 
Robert

Anything is possible. I will do some research to see what
exactly could be causing the new hardware message in our
lab. I have never really researched it myself I just
always took it as a slight difference in hardware and left
it at that, but now you have me curious to find out what
it is. :) I do see one thing wrong with your settings of
the system cloning tool component. You will want to set
your cmiRemoveUserSettings to FALSE. This will keep your
settings that you do before reseal intact, and it should
get rid of the user account message you are seeing. I
will report back to the message board what I find on the
new hardware message on first boot.

Robert
 
Slobodan Brcin \(eMVP\)

Hi Desi,

Have you filed a bug report with MS?

Anyhow, I have not tried fbreseal in SP2 so I can't speak to how it works, but I can tell you a few things to look at.

1.
Try setting cmiRemoveUserSettings to FALSE.

2.
Before you call fbreseal, please delete setupapi.log.
Now, after you boot the computer and see the dialog that new hardware is found, please copy setupapi.log and send it here. It will
contain the reason why new hardware was detected, or at least what hardware is the culprit.

Regards,
Slobodan
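Purging setupapi.log before the reseal and reading the fresh one after the "New Hardware" dialog is the right triage step, and it also answers Desi's question above about whether "identical" boards can surface different Plug and Play IDs. The script below is an added example, not from the thread, that splits a setupapi.log into its "Driver Install" sections and reports, for each one, the time, the enumerator (PCI, USB, ...), the device name and the INF that was used. The log format is assumed from XP-era setupapi.log output (section headers, #-019 / #I022 / #-121 lines) and the sample lines are constructed, not taken from anyone's machine.

```python
"""Summarise the 'Driver Install' sections of an XP-style setupapi.log so the
device behind a 'New Hardware Found' dialog can be identified.
Added example; log format assumed from XP-era logs, sample lines constructed."""
import ntpath
import re

HEADER = re.compile(r"^\[(\d{4}/\d\d/\d\d \d\d:\d\d:\d\d) (\S+) Driver Install\]")
HWIDS = re.compile(r"^#-019 Searching for hardware ID\(s\): (.+)$")
FOUND = re.compile(r'^#I022 Found "([^"]+)" in ([^;]+); Device: "([^"]+)"')
DONE = re.compile(r'^#-121 Device install of "([^"]+)" finished successfully')

# Constructed sample in the shape of a purged-then-regenerated setupapi.log:
# one PCI controller and one USB mass-storage device being installed.
SAMPLE_LOG = r"""[2005/02/01 09:12:03 1024.4 Driver Install]
#-019 Searching for hardware ID(s): pci\ven_8086&dev_24c2&subsys_00000000&rev_01,pci\ven_8086&dev_24c2&rev_01
#-018 Searching for compatible ID(s): pci\cc_0c0300,pci\cc_0c03
#I022 Found "PCI\VEN_8086&DEV_24C2" in C:\WINDOWS\inf\usbport.inf; Device: "Intel(R) 82801DB/DBM USB Universal Host Controller - 24C2"; Driver: "Intel(R) 82801DB/DBM USB Universal Host Controller - 24C2"; Provider: "Microsoft"; Mfg: "Intel"; Section name: "UHCI.Dev".
#-124 Doing copy-only install of "PCI\VEN_8086&DEV_24C2&SUBSYS_00000000&REV_01\3&61AAA01&0&E8".
#-121 Device install of "PCI\VEN_8086&DEV_24C2&SUBSYS_00000000&REV_01\3&61AAA01&0&E8" finished successfully.
[2005/02/01 09:12:05 1024.4 Driver Install]
#-019 Searching for hardware ID(s): usb\vid_0781&pid_5150&rev_0001,usb\vid_0781&pid_5150
#-018 Searching for compatible ID(s): usb\class_08&subclass_06&prot_50,usb\class_08&subclass_06,usb\class_08
#I022 Found "USB\Class_08&SubClass_06&Prot_50" in C:\WINDOWS\inf\usbstor.inf; Device: "USB Mass Storage Device"; Driver: "USB Mass Storage Device"; Provider: "Microsoft"; Mfg: "Compatible USB storage device"; Section name: "USBSTOR_BULK".
#-124 Doing copy-only install of "USB\VID_0781&PID_5150\0000123456789".
#-121 Device install of "USB\VID_0781&PID_5150\0000123456789" finished successfully.
"""


def driver_installs(log_text):
    """Return one dict per 'Driver Install' section, in log order."""
    installs, cur = [], None
    for line in log_text.splitlines():
        m = HEADER.match(line)
        if m:
            cur = {"time": m.group(1), "hardware_ids": [], "matched_id": None,
                   "inf": None, "device": None, "instance_id": None, "ok": False}
            installs.append(cur)
            continue
        if cur is None:
            continue  # lines before the first section header
        m = HWIDS.match(line)
        if m:
            cur["hardware_ids"] = [h.strip() for h in m.group(1).split(",")]
            continue
        m = FOUND.match(line)
        if m:
            cur["matched_id"], cur["device"] = m.group(1), m.group(3)
            cur["inf"] = ntpath.basename(m.group(2))  # Windows path even when run elsewhere
            continue
        m = DONE.match(line)
        if m:
            cur["instance_id"], cur["ok"] = m.group(1), True
    return installs


def enumerator(instance_id):
    """'PCI\\VEN_...\\3&61AAA01&0&E8' -> 'PCI'; the bus the device was found on."""
    return instance_id.split("\\", 1)[0].upper() if instance_id else None


def summarise(log_text):
    """(time, bus, device name, INF) for each install that completed."""
    return [(i["time"], enumerator(i["instance_id"]), i["device"], i["inf"])
            for i in driver_installs(log_text) if i["ok"]]


if __name__ == "__main__":
    for row in summarise(SAMPLE_LOG):
        print(" | ".join(str(x) for x in row))
```

Against a real log, replace SAMPLE_LOG with the contents of C:\WINDOWS\setupapi.log. The instance ID is what decides whether the hardware is genuinely different: PCI instance IDs are derived from the device's position on the bus, so a new one on a supposedly identical board means the PnP path changed, while USB devices that report a serial number get a per-unit instance ID, so every physically different unit of the same part is "new hardware" to Plug and Play.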
 
Desi

Thanks, Robert. I thought that the 'Keepall' switch did the same thing
when you ran fbreseal.exe manually after making your changes to the FBA
image... Is this not true?
 
Robert

Honestly, I have never used the command line switches with
FBReseal, so I wouldn't be able to tell you on that. I do
know however that if your settings are right in the system
cloning tool component you shouldn't have any problems. I
have never had any issues as long as the settings in the
component are set correctly. I think it may have to do
with the fact that the settings in the component are
overriding what you do at the command prompt with
FBReseal. If I had to guess the component settings are
applying after you run your FBReseal from a command prompt.

Robert
 
Desi

In the spirit of the -keepall switch, I have changed the values of the
various component settings to FALSE instead of TRUE. I'll let the group
know how it turns out.

Robert, do you work for MS?
 
Desi

Well, I have more information to report.

I recreated the image with the following set to FALSE:
cmiRemoveAutoLogon, cmiUnjoinDomain, cmiRemoveNetSettings,
cmiRemoveUserSettings, and cmiRemoveMountedDevices. Booted through FBA,
all seemed well there. I tweaked and installed some software that we
require (Enterprise Instrumentation Framework, Web Services
Enhancements SP2), and changed a bunch of little UI items. I changed
the password for the "Administrator" user. Then I ghosted the box so I
don't have to go through that again.

Finally, I ran fbreseal.exe -keepall from a command prompt. It came
back with a dialog that "Machine is sealed" and I clicked OK to
restart.

On the next start, I PXE booted to a RAM drive image and ghosted the
drives again. When finished, I restarted.

The target took a long time to start up, as though it were changing the
SIDs. When it finished, I was presented with a logon screen. The
"Administrator" user, and the password I changed it to worked. But
after logon, another delay for 3-4 minutes with nothing but a blank
screen. An error box appeared telling me that "Windows could not find
the file: C:\WINDOWS\wmp.inf". Then, shortly after that, another dialog
that said "Windows has finished installing your new hardware and must
be restarted to finish the installation".

Keep in mind that this is THE hardware that the image was created on.
Not just similar hardware, but the exact box.

When the desktop was finally started, all kinds of things were
immediately noticeable: Here's a quick list:

- The system had created a second account: Administrator.NSXXYYZZ,
under Documents and Settings. This is what was used for the logon.
(NSXXYYZZ is the hostname)

- None of the UI changes were present, no "My Computer" on the desktop,
etc.

- In Explorer, "Network Connections" under the Control Panel was a
default icon. Clicking on it did not show any network connections (The
unit has two that were configured and working prior to resealing).

- Drive letters are rearranged. Drives C & D are swapped.

- My Network Places -> Add Network Place does not do anything when
clicked, and icon is default "Unassociated" icon.

- MMC cannot start at all. Event viewer cannot start.

- UI colors for menus, etc. have a dark gray background instead of the
normal light gray.

- Trying to view security settings for folders results in a "Security
Settings dialog could not be found" error.

- Finally, as Mark Vallevand has also seen, fbreseal.exe in the
system32 folder is not deleted.

What would cause a new account to be created? Before resealing, I had
the network up and running, and was in a workgroup. I had mapped
network drives, etc. so the network did not suddenly appear... Would a
failure to load the network cause it to create a local account
"Administrator.NSXXYYZZ"?
 
Slobodan Brcin \(eMVP\)

Hi Desi,

Since you got a new user account created, that explains why all your user-related settings were gone.
Perhaps if, before image duplication, you copy your configured account over the Default User account, you will have an ugly workaround.
(At least the newly created account will be configured.)
Regarding wmp.inf, do you have it? I don't know why Windows Media Player is complaining :-(
Have you purged setupapi.log so we can see what hardware is found by PnP?

Regards,
Slobodan
 
Robert

Hi Desi,

You said in your post that you ghosted your image
before you resealed and after you resealed. Which image
did you use when you tested what you have written about in
your post?

Robert
 
Desi

I configured the target, then made a ghost image of it as a snapshot
that I could return to.

I then did an fbreseal, and shut down the machine. I booted to a
ramdisk and created another ghost snapshot of the target.

Then, without changing or writing to the target, I simply rebooted
using the sealed target's CF.

That's where I made the observations. Ghosting was just to allow me to
go back to that point in time for debugging.
 
