Problems with Booting XPe from CD-ROM

Alexander

Hello KM,

I have generated a new image depending on the imported Target Analyzer
information with the following additional components:
El Torito CD Support
Winlogon Sample Macro Component (there unchecking "Standard PC" in the
setting because the target is an "ACPI Uniprocessor PC")
CMD - Windows Command Processor
Registry Editor

In the settings of the EWF I have unchecked "Start EWF Enabled" and
set the Overlay Type to RAM(Reg). Furthermore I have disabled the "FBA
DLL/COM Registration" in the Resources of EWF. As described in the
website how to configure EWF RAM Reg mode I have also enabled NTLDR
and disabled EWF NTLDR.

After having booted from this image (with the Pre-FBA image in the
ISO9660/El Torito format on CD in the drive) and letting the FBA phase
to pass I got the following results from the EWF manager:
RAM(Reg) Configuration
Device Name "\Device\HarddiskVolume1"[C:]
HORM Not supported
ewfmgr c:
Type RAM(Reg)
State DISABLED

The CD drive has got drive E: and the El Torito disk has been
recognized as seen in fbalog.txt.

Then going on:
ewfmgr c: -enable
ewfmgr c: (to test the effect of the enable operation)
Type RAM(Reg)
State DISABLED
Boot Command ENABLE
so the command has been accepted but the state has not changed!
etprep /all
This command has indicated no error and the automatic reboot passed on
to the desired state but sometimes the following message popped up:

Windows - Delayed Write Failed
Windows was unable to save all the data for the file
C:\WINDOWS\system32. The data has been lost. This error may be caused by a
failure of your computer hardware or network connection. Please try to
save this file elsewhere.

I have also saved C:\Windows\system32\config before and after
"etprep /all". An offline analysis by regedit showed that in
HKLM\System\MountedDevices the values for \DosDevices\C: and
\DosDevices\F: have been changed indeed so the swapping seemed to work well.

After the reboot I asked again the EWF manager:
ewfmgr c:
Failed getting protected volume configuration with error 1. Incorrect
function
ewfmgr f:
Protected Volume Configuration
Type RAM(Reg)
State ENABLED
Boot Command NO_CMD

I believe that the error is that not the (now) C: partition (namely
the CD drive) is protected by EWF, but the (now) F: partition, that is
the former boot partition C: on disk. So the cooperation of swapping
the drives and enabling EWF seemed not to be ok.

Nevertheless I have made a ISO9660/El Torito image of the post FBA
image on disk by HD2ISO and burnt it to CD.
By booting from this CD I got again my old BSOD friend:

STOP: 0x0000007B (0xF7C45528, 0xC0000034, 0x00000000, 0x00000000)

I have tested also other things like adapting the Boot partition size
in the Target device settings to the exact value of the boot partition
on disk or to use NTLDR instead of EWF NTLDR but nothing helped.

If you have no more idea which can help me I think that this was my
last turn and I'll give up the Boot from CD business.

Hope you or any other can help me once more.

Regards,
Alexander
 
KM

Alexander,

First of all, nice description of all the steps you did. Very clear and easy
to read.

Two things there concerned me:

1) It sounded right that EWF showed protecting drive F: after reboot after
etprep launch. EWF protects by ARC path. After etprep swap and reboot your
hard disk partition is assigned F: letter, CDROM is on C:, right?

The easiest way I usually set this up is not using etprep at all. Just
simply build an image that includes all the components you mentioned, run
through FBA and then run ewfmgr C: /enable. At the same time go to registry and
delete MountedDevices key. Then reboot the device and make sure EWF RAM Reg
is protecting your drive C: (you can safely reboot many times here).
Now you can capture the image and burn it on CD.

2) 7B BSOD doesn't seem to be related to the above problem unless etprep did
something else wrong there.
Again, I'd eliminate the step with etprep and just manually delete the
HKLM\System\MountedDevices key instead.

Let us know if the above doesn't work for you.

Regards,
KM
Alexander

Hello KM,

> Alexander,
>
> First of all, nice description of all the steps you did. Very clear
> and easy to read.

Many thanks. This enforces me to believe that at last I can express my
technical problems in a way that they can be understood so that there
are no misunderstandings beyond the problems themselves.

> Two things there concerned me:
>
> 1) It sounded right that EWF showed protecting drive F: after reboot
> after etprep launch. EWF protects by ARC path. After etprep swap and
> reboot your hard disk partition is assigned F: letter, CDROM is on C:, right?

Yes, that's right.

> The easiest way I usually set this up is not using etprep at all. Just
> simply build an image that includes all the components you mentioned,
> run through FBA and then run ewfmgr C: /enable. At the same time go to
> registry and delete MountedDevices key. Then reboot the device and
> make sure EWF RAM Reg is protecting your drive C: (you can safely reboot many times here).
> Now you can capture the image and burn it on CD.

If I do this in that way and delete this key after having enabled
(hopefully) the EWF protection for C: I get the following message if I
reboot manually my target system (with the PnP El Torito CD still in
the drive):

Windows could not start because the following file is missing or
corrupt:
\WINDOWS\SYSTEM32\CONFIG\SYSTEM

For me this is understandable because by deleting the key there are no
more mounted devices, not even a boot partition.

I also have tried to make "ewfmgr f: -enable" before "etprep /all" to
protect the partition which later will be the boot partition to
protect but then I get the error
ewfmgr f: -enable
Failed getting protected volume configuration with error 1. Incorrect
function

Also what I don't understand is why the "canonical way" described
clearly in the book of Sean D. Liming simply does not work and is now
put in question by Microsoft itself. So there is for example the
statement on a XPe FP2007 site that booting from CD is only supported
in the RAM(Reg) mode of EWF whereas the exercise in the book uses the
RAM mode. Or Sean himself recommends me to make "ewfmgr c: -enable"
before "etprep /all" although it is not mentioned in his book. Or in
the book is the statement that an El Torito CD can only be created
from a FAT boot partition whereas in the FP2007 sites is to read that
all file systems (FAT, FAT32, and NTFS) are supported. Or you write
that you do not use etprep at all although following Sean's book this
is an essential tool for the whole El Torito business. So I begin to
lose my faith in a solution at all.

Hope you can help me once more in my despair.

Regards,
Alexander
 
KM

Alexander,

I understand your frustration. The process of making bootable CD on XPe has
always been somewhat tricky :-(
I put some comments inline...

Regards,
KM

> If I do this in that way and delete this key after having enabled
> (hopefully) the EWF protection for C: I get the following message if I
> reboot manually my target system (with the PnP El Torito CD still in
> the drive):
>
> Windows could not start because the following file is missing or
> corrupt:
> \WINDOWS\SYSTEM32\CONFIG\SYSTEM
>
> For me this is understandable because by deleting the key there are no
> more mounted devices, not even a boot partition.

Nope. This is a different message. It is coming from nt loader.
MountedDevices key is populated by kernel (or disk driver). Loader, however,
operates with ARC paths. The default boot ARC path is read off boot.ini.
Note that if a proper boot occurs, the MountedDevices is going to be filled
up again.

Now, what does your boot.ini look like?
Also, did you start this time with EWF RAM *Reg* mode? To do that you would
have to change the EWF settings in TD and make sure to delete EWF Config
partition (either by etprep /delete or using a 3rd party partition manager
tool that is going to see that hidden volume). If you don't do the latter,
the presence of EWF Config partition may have an impact on the EWF
configuration setup during next FBA run.

Also, can you describe your latest partition setup?
The following setup should work for you:

Hard disk
    partition 1 (primary, active) - this will be assigned C:
    partition 2
    partition x
DVD drive - this will be assigned D: or E:

> I also have tried to make "ewfmgr f: -enable" before "etprep /all" to
> protect the partition which later will be the boot partition to
> protect but then I get the error
>
> Failed getting protected volume configuration with error 1. Incorrect
> function

Well, this is understandable since you didn't set up EWF initially to protect
f: drive.

> Also what I don't understand is why the "canonical way" described
> clearly in the book of Sean D. Liming simply does not work and is now
> put in question by Microsoft itself. So there is for example the
> statement on a XPe FP2007 site that booting from CD is only supported
> in the RAM(Reg) mode of EWF whereas the exercise in the book uses the
> RAM mode.

I can only think that the book describes the approach that was there since
SP1. Long time ago there was no term "RAM Reg" mode, although EWF has always
supported that mode specifically to target El-Torito scenarios first.
Nowadays Reg mode is way better implemented (many bug fixes + some
functionality added) and often used standalone on targets with flash media
protected or else.

Think about it. EWF RAM mode used in RTM/SP1 times was switched to RAM Reg
mode by etprep anyway (etprep deletes EWF config partition).

So the real goal for you, I believe, should be to make EWF RAM Reg mode
working on your target device first.
Then, if you have had El-Torito CD in the drive during FBA and thus
El-Torito driver is loaded, you can safely capture the image to run on a
bootable CD.
But again, EWF RAM Reg mode is required to work on the device first. This
means your C: drive (more specifically first partition of the hard disk) got
to be protected and ewfmgr has to report the RAM Reg mode. Also, EWF must be
protecting multi(0)disk(0)rdisk(0)partition(1) ARC path here.

Deleting MountedDevices key manually will just help you to get rid of the
drive letter assignments set up during FBA. When booted next time, the
system should assign drive letters again. If booted from El-Torito CD, it
will become C:. Otherwise, first primary active partition on HDD will become
C:. In both cases, if EWF RAM Reg mode was set up correctly, the image
should boot.

With FP2007 EWF RAM Reg mode takes very little effort to get it working. No
need for custom steps like disabling PnP resources etc. Just TD
settings.
But you have to make sure no EWF Config volume is left over on the target
device from previous attempts.

Also, when you test the bootable CD (should be very last step in the
process) you may want to disconnect HDD for a clear experiment.

> Or Sean himself recommends me to make "ewfmgr c: -enable"
> before "etprep /all" although it is not mentioned in his book. Or in
> the book is the statement that an El Torito CD can only be created
> from a FAT boot partition whereas in the FP2007 sites is to read that
> all file systems (FAT, FAT32, and NTFS) are supported. Or you write

You can definitely make it working with all the listed file systems.
Actually, El-Torito technology doesn't care about the file system. Perhaps,
sometimes starting with FAT is easier.
Also, NTFS is chattier than FAT when it comes to disk/file usage and thus
EWF RAM overlay usage may in general be higher on NTFS.

> that you do not use etprep at all although following Sean's book this

Well, you can continue using etprep. It'd just make it more clear if you
delete the key manually after that.
There is really no reason for the MountedDevices key to be present
[prepopulated] on the system booted from El-Torito.
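
As an added example (not code from either poster or from Microsoft), this Python check interprets captured ewfmgr reports like the ones quoted in this thread and separates an enable that is only queued as a boot command from a volume that is actually protected in RAM(Reg) mode. The sample strings are constructed from those quotes, and the function names and result labels are assumptions made for the example.

```python
import re

# Constructed samples, modelled on the ewfmgr reports quoted in the thread.
AFTER_ENABLE = r'''Device Name "\Device\HarddiskVolume1"[C:]
Type RAM(Reg)
State DISABLED
Boot Command ENABLE'''
AFTER_REBOOT_F = '''Protected Volume Configuration
Type RAM(Reg)
State ENABLED
Boot Command NO_CMD'''
AFTER_REBOOT_C = '''Failed getting protected volume configuration with error 1. Incorrect
function'''

FIELDS = ("Device Name", "Type", "State", "Boot Command")

def parse_ewfmgr(text):
    """Return the report fields, or None when ewfmgr could not read the volume."""
    if "Failed getting protected volume configuration" in text:
        return None
    report = {}
    for line in text.splitlines():
        for name in FIELDS:
            m = re.match(r"\s*" + re.escape(name) + r"\s+(.+?)\s*$", line)
            if m:
                report[name] = m.group(1)
    return report

def classify(text):
    """Label a report (labels are hypothetical, chosen for this example)."""
    report = parse_ewfmgr(text)
    if report is None:
        return "not-an-ewf-volume"
    overlay = re.sub(r"\s+", "", report.get("Type", "")).upper()
    state = report.get("State", "").upper()
    boot_cmd = report.get("Boot Command", "NO_CMD").upper()
    if state == "ENABLED":
        return "protected" if overlay == "RAM(REG)" else "enabled-other-overlay"
    # ewfmgr -enable only queues a boot command; State changes after the reboot.
    if boot_cmd == "ENABLE":
        return "enable-pending-reboot"
    return "disabled"

if __name__ == "__main__":
    for name, sample in [("after -enable", AFTER_ENABLE),
                         ("f: after reboot", AFTER_REBOOT_F),
                         ("c: after reboot", AFTER_REBOOT_C)]:
        print(name, "->", classify(sample))
```

Run against output captured before the image is burnt, a result other than "protected" for the first hard disk partition means the RAM(Reg) setup still needs attention.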
 
