WildBill

PE Tool for creating patches

695 posts in this topic

I took a look at cdfs.sys and at first glance I don't see why there would be an issue. That's the sort of driver that we're all running, and it doesn't use any bound imports. I suspect the driver from winpcap, but I don't have it so I can't analyze it in Ida.

0

Share this post


Link to post
Share on other sites

I tested some XP DLLs for KB968389 support with the following results:

KSECDD.SYS = No negative results, but I don't know how I can test that it is working 100% properly

SCHANNEL.DLL = Works perfectly, tested it with IE6 trying to log on to a few sites (Other than the usual IE6-related glitches, they worked fine)

SECUR32.DLL = Caused Task Scheduler (mstask) to crash for some reason but had no other noticeable effects

WDIGEST.DLL = A new file, there should be no problems with this but I have no way to test it other than running through Dependency Walker (which showed no problems)

MSV1_0.DLL needs the following APIs before any testing can even be done:

ADVAPI32.DLL -> SystemFunction036

MSVCRT.DLL -> _resetstkoflw

SECUR32.DLL -> CredMarshalTargetInfo

SECUR32.DLL -> CredUnmarshalTargetInfo

LSASRV.DLL -> LsaIGetNbAndDnsDomainNames

LSASRV.DLL -> LsaIFreeHeap

LSASRV.DLL -> LsaINotifyPasswordChanged

EDIT: Crossed out functions added in MS11-020 v4

Edited by MacLover
0

Share this post


Link to post
Share on other sites

WildBill,

I was busy so I couldn't check all of these kernel versions and WinCap driver but I'll do all necessary tests and post results in short time.

0

Share this post


Link to post
Share on other sites

So I should just let the older files version install and disregard the new ones?

0

Share this post


Link to post
Share on other sites

So I should just let the older files version install and disregard the new ones?

Could you be more specific? Which updates are you talking about?

WildBill,

I did more tests and actually I was totally wrong and mislead by the bootlog created when logging to Safe Mode. This problem occurs before even bootlog is created. I have enabled /SOS in boot.ini and the exact moment when monitor goes off is after acpitabl.dat is loaded. This screen doesn't show up at all.

I looked for it in Google and what I found out is that it may be related to HDD controller driver which can't be loaded. This is the driver I use.

Edited by tomasz86
0

Share this post


Link to post
Share on other sites

Thanks. I'll check it out tomorrow night. My gut tells me that it's probably a deadlock of some sort; maybe it's detecting the presence of an XP API call and using it. One thing you might want to try is installing only MS11-011 and not MS11-020. That would eliminate one possible cause of a deadlock (albeit the less likely one, in my mind).

My gut instinct is that the cause is in the redesigned calls to the set/create/remove notify routines in the kernel. I spent a lot of time making sure they were thread-safe, but maybe I missed a potential deadlock. Hopefully it won't be hard to track down. In the meantime, one thing you could do that would help is see if any of your drivers are using any of these routines:

PsSetLoadImageNotifyRoutine

PsRemoveLoadImageNotifyRoutine

PsSetCreateThreadNotifyRoutine

PsRemoveCreateThreadNotifyRoutine

Edit: I just took a look and the drivers are using storport.sys, but I don't seem to have it. Can you post that as well? Perhaps that is also involved somehow.

Hmm. Apparently storport is only for server 2003, so perhaps that isn't the issue. Two more questions: (1) are you using the uniprocessor or multiprocessor kernel? (2) are you using PAE?

Edited by WildBill
0

Share this post


Link to post
Share on other sites

1. The problem occurs right after installing MS11-011 only.

2. Multiprocessor kernel. Switching PAE on and off doesn't make any difference. Neither does /3GB. I have both of them switched off at the moment.

I also have another HDD connected to the build-in SATA controller which uses this SATA/RAID driver. It's for storage only, system itself is installed on the former one.

Edited by tomasz86
0

Share this post


Link to post
Share on other sites

PROBLEMCHYLD,

It's not a bug, it's just how HFSLIP is constructed. By newer files I meant the date, not version. HFSLIP doesn't check file versions.

Should Wildbill patched the newer versions of files or keep patching the old ones.

The reason I asked because if files are not going to get slipstreamed I can remove them from the HF folder.

It doesn't make since to me to have multiple copies of the same files. It makes HFSLIP take longer.

0

Share this post


Link to post
Share on other sites

So I should just let the older files version install and disregard the new ones?

Could you be more specific? Which updates are you talking about?

WildBill,

I did more tests and actually I was totally wrong and mislead by the bootlog created when logging to Safe Mode. This problem occurs before even bootlog is created. I have enabled /SOS in boot.ini and the exact moment when monitor goes off is after acpitabl.dat is loaded. This screen doesn't show up at all.

I looked for it in Google and what I found out is that it may be related to HDD controller driver which can't be loaded. This is the driver I use.

Hmm. If you're not even getting the boot screen (with no boot logo settings added to boot.ini), that rules out a lot of potential sources. One thing you can try is to replace bootvid.dll with the one from the v3 patch and see what happens. If it boots that would at least eliminate that as a potential source. Another test, if it boots, would be to verify that when you install MS11-011 that it indeed installs the bootvid.dll from the patch (version 5.0.2172.3).

Edited by WildBill
0

Share this post


Link to post
Share on other sites

What I did was to try installing your patch without bootvid (by disabling it in update.inf) but after doing so there's an error on boot. I don't remember exactly what it said but it was just something about being unable to boot because of the non-patched bootvid.dll. In order to boot again I had to replace bootvid.dll manually with your version and after doing so I could boot to Safe Mode and uninstall the patch.

Actually at this moment I still have your bootvid.dll installed without the rest of files from your patch. It probably rules out bootvid.dll as a cause of this problem ;)

0

Share this post


Link to post
Share on other sites

The patch definitely requires the new bootvid -- I added a set-palette function to bootvid that the kernel will use.

I wonder if it's an issue with porting blackwingcat's cpu "patch" -- there's precious little patched code involved that runs before the boot screen comes up. I can make one that doesn't include it and post it for you to try. How many cores do you have running? I'm typing this on a laptop with a 2-core Intel T9500 with no issues.

Edited by WildBill
0

Share this post


Link to post
Share on other sites

I have an Athlon II X2 so 2 cores :)

Today I'm going to try your patch on a different configuration (but using the same slipstreamed Windows CD) and see if there are any problems or not.

By "cpu patch" do you mean the patch to enable more cores on Windows 2000 Professional system? Can it be a problem that I use Windows 2000 Advanced Server which by default can use up to 8 CPUs/cores?

I'd be very happy to test the patch for you ;)

Edited by tomasz86
0

Share this post


Link to post
Share on other sites

I have an Athlon II X2 so 2 cores :)

Today I'm going to try your patch on a different configuration (but using the same slipstreamed Windows CD) and see if there are any problems or not.

By "cpu patch" do you mean the patch to enable more cores on Windows 2000 Professional system? Can it be a problem that I use Windows 2000 Advanced Server which by default can use up to 8 CPUs/cores?

I'd be very happy to test the patch for you ;)

Okay, here's a V4 test with the CPU core-limit patch removed (and some v4 stuff added). Let's see what this does:

Windows2000-KB2393802-v4-test1-x86-ENU.exe

Edited by WildBill
0

Share this post


Link to post
Share on other sites

It's still the same :( No difference.

0

Share this post


Link to post
Share on other sites

Boy, this is bizarre. What happens if you try the patch directly instead of slipstreaming? Also, what happens if you run the patch on a Pro system vs. Server? I know this could take a while to test... :/

I make backups of files at certain points when I patch them, so I might have to build a special patch for you with early versions to try to isolate where the failure takes place.

0

Share this post


Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!


Register a new account

Sign in

Already have an account? Sign in here.


Sign In Now

  • Recently Browsing   0 members

    No registered users viewing this page.