PE Tool for creating patches

675 replies to this topic

#401
WildBill
    Senior Member
  • Developer
  • 697 posts
  • Joined 09-August 05
  • OS:none specified
I finished porting the changes and the patch is working here, so I've posted MS11-011 v4 and updated the link on the master list. For the record, the complete list of new API calls the patch adds is:


ntoskrnl.exe/ntkrnlpa.exe/ntkrnlmp.exe/ntkrpamp.exe

KeAcquireInterruptSpinLock
KeReleaseInterruptSpinLock
InterlockedPushEntrySList
InterlockedPopEntrySList
RtlInt64ToUnicodeString
RtlIntegerToUnicode
RtlClearBit
RtlTestBit
RtlSetBit
ZwQueryInformationThread (already there, added it to the export table)
IoForwardIrpSynchronously/IoForwardAndCatchIrp (same routine, has two different exported names)
PsRemoveLoadImageNotifyRoutine (had to completely redesign the set and call routines to make this work)
PsRemoveCreateThreadNotifyRoutine (had to completely redesign the set and call routines to make this work)
_vsnwprintf
_aulldvrm
RtlGetVersion
KeFlushQueuedDpcs


ntdll.dll

RtlIpv4StringToAddressA
RtlIpv4StringToAddressW
RtlIpv4StringToAddressExA
RtlIpv4StringToAddressExW
RtlIpv4AddressToStringA
RtlIpv4AddressToStringW
RtlIpv4AddressToStringExA
RtlIpv4AddressToStringExW
RtlIpv6StringToAddressA
RtlIpv6StringToAddressW
RtlIpv6StringToAddressExA
RtlIpv6StringToAddressExW
RtlIpv6AddressToStringA
RtlIpv6AddressToStringW
RtlIpv6AddressToStringExA
RtlIpv6AddressToStringExW
RtlInitializeGenericTableAvl
RtlIsGenericTableEmptyAvl
RtlGetElementGenericTableAvl
RtlNumberGenericTableElementsAvl
RtlInsertElementGenericTableAvl
RtlDeleteElementGenericTableAvl
RtlEnumerateGenericTableLikeADirectory
RtlLookupElementGenericTableAvl
RtlEnumerateGenericTableWithoutSplayingAvl
RtlEnumerateGenericTableAvl
RtlEncodePointer (not a stub -- it's the real functionality and depends on changes to ntoskrnl.exe, etc.)
RtlDecodePointer (not a stub -- it's the real functionality and depends on changes to ntoskrnl.exe, etc.)
RtlInterlockedPushEntrySList
RtlInterlockedPopEntrySList
RtlInterlockedFlushSList
RtlQueryDepthSList
RtlInitializeSListHead
LdrLockLoaderLock
LdrUnlockLoaderLock
LdrAddRefDll
RtlComputePrivatizedDllName_U
RtlValidateUnicodeString
RtlDuplicateUnicodeString
RtlDowncaseUnicodeChar
RtlFindCharInUnicodeString
RtlpEnsureBufferSize
RtlMultiAppendUnicodeStringBuffer
RtlAppendPathElement
LdrEnumerateLoadedModules
RtlRandomEx
RtlUnhandledExceptionFilter2
RtlUnhandledExceptionFilter


bootvid.dll

VidSetVgaPalette (used by the bootskin code)


kernel32.dll

DecodePointer (forwarded export to NTDLL.RtlDecodePointer)
EncodePointer (forwarded export to NTDLL.RtlEncodePointer)
InterlockedPushEntrySList (forwarded export to NTDLL.RtlInterlockedPushEntrySList)
InterlockedPopEntrySList (forwarded export to NTDLL.RtlInterlockedPopEntrySList)
InterlockedFlushSList (forwarded export to NTDLL.RtlInterlockedFlushSList)
QueryDepthSList (forwarded export to NTDLL.RtlQueryDepthSList)
InitializeSListHead (forwarded export to NTDLL.RtlInitializeSListHead)
GetModuleHandleExA
GetModuleHandleExW
IsWow64Process
IsWow64Message
GetProcessHandleCount
GetNativeSystemInfo (same as GetSystemInfo, simply added another export table entry)
SetDllDirectoryA
SetDllDirectoryW
GetDllDirectoryA
GetDllDirectoryW
AttachConsole
TzSpecificLocalTimeToSystemTime
SetClientTimeZoneInformation
IsValidUILanguage
GetSystemWow64DirectoryA
GetSystemWow64DirectoryW
SetHandleContext
GetProcessId


EDIT: forgot to list a couple of extra routines I added to ntdll.

Edited by WildBill, 12 November 2011 - 05:45 PM.




#402
WildBill
    Senior Member
  • Developer
  • 697 posts
  • Joined 09-August 05
  • OS:none specified
tomasz: just as soon as you can give me the all-clear for V4 I'll consider that a green light for V5 (I've already started on it and added a few more routines to ntdll and kernel32)... ;)

#403
tomasz86
    www.windows2000.tk
  • Member
  • 2,520 posts
  • Joined 27-November 10
  • OS:XP Pro x86
I missed the fact that you already uploaded a v4 :lol:

I've installed it on both my desktop and laptop computers, and while everything seems to work fine here (on the desktop), there's still the same error on the other one:

*** STOP: 0x0000001E (0xC0000005, 0xDDC6473E, 0x00000000, 0x0000000C)
KMODE_EXCEPTION_NOT_HANDLED

*** Address DDC6473E base at DDC00000, DateStamp 4ebda139 - ntoskrnl.exe
System specifications are listed in #398
Unofficial Service Pack 5.2 for MS Windows 2000 <- use this topic if you need help with UURollup, Update Rollup 2 and other unofficial packages

#404
WildBill
    Senior Member
  • Developer
  • 697 posts
  • Joined 09-August 05
  • OS:none specified
Hmm. I'm going to need some more info to track that one down, since the address is pointing to a trap routine (specifically, it traps 0x57, which I assume means int 0x57). When does the BSOD happen? Does it create a minidump file? It looks like it trapped an interrupt (maybe from a driver?) and it didn't like it.

The 0xC0000005 means ACCESS_VIOLATION, so I assume that it tried to access an invalid memory location. The problem is going to be finding where it happened.

Edit: it looks like int 57h is a relocated IRQ7, so maybe a driver that's using IRQ7 is causing the problem. The interrupt request for a driver is shown under the Resources tab in the Device Manager. It's also possible that it's really IRQ15, from a secondary interrupt controller.

Edited by WildBill, 13 November 2011 - 07:36 AM.


#405
tomasz86
    www.windows2000.tk
  • Member
  • 2,520 posts
  • Joined 27-November 10
  • OS:XP Pro x86
The BSOD happens right after the GUI mode of /SOS startup is loaded. Surprisingly, safe mode works, which is an improvement compared to the previous versions, when the BSOD appeared during safe mode booting too.

It appears before bootlog is created and minidump also is not created when the BSOD happens.

#406
WildBill
    Senior Member
  • Developer
  • 697 posts
  • Joined 09-August 05
  • OS:none specified
What happens without /SOS? Same thing?

Another dumb question: is /BOOTLOG set? Are you using any bootskin settings?

Okay, after spending the day investigating, it looks like ESP (stack pointer) must have become corrupted somewhere, and then an interrupt occurred (most likely from a driver, which wouldn't be loaded when you're in safe mode). So now, the trick will be finding whatever is corrupting ESP yet doesn't result in a BSOD all the time (maybe the routine in question recovers the correct ESP before it returns?). It's pretty hard to screw up ESP and not generate a GP fault when returning from a routine.

Edited by WildBill, 13 November 2011 - 06:26 PM.


#407
dencorso
    Adiuvat plus qui nihil obstat
  • Supervisor
  • 5,871 posts
  • Joined 07-April 07
  • OS:98SE
  • Donator

@WildBill: I'm fully aware your plate's got more chestnuts than it's feasible for you to chew for a long time. However, I cannot resist asking you to add a setting to control the font size of the disassembly in your great PE Tool for Creating Patches. I use 1024 x 768, so the disassembled code gets too big and I have to keep scrolling it horizontally to be able to read. Sorry for bothering, but now that I'm beginning to be able to actually do something with that tool, it would be a great help. And, once more, thanks for sharing that tool: it's really great! :thumbup

#408
WildBill
    Senior Member
  • Developer
  • 697 posts
  • Joined 09-August 05
  • OS:none specified

@WildBill: I'm fully aware your plate's got more chestnuts than it's feasible for you to chew for a long time. However, I cannot resist asking you to add a setting to control the font size of the disassembly in your great PE Tool for Creating Patches. I use 1024 x 768, so the disassembled code gets too big and I have to keep scrolling it horizontally to be able to read. Sorry for bothering, but now that I'm beginning to be able to actually do something with that tool, it would be a great help. And, once more, thanks for sharing that tool: it's really great! :thumbup


Ask and ye shall receive... see the top post :)

#409
dencorso
    Adiuvat plus qui nihil obstat
  • Supervisor
  • 5,871 posts
  • Joined 07-April 07
  • OS:98SE
  • Donator

Wow, that was really swift! :yes:
Thanks a whole lot!
You do rock! :thumbup

#410
WildBill
    Senior Member
  • Developer
  • 697 posts
  • Joined 09-August 05
  • OS:none specified

The BSOD happens right after the GUI mode of /SOS startup is loaded. Surprisingly, safe mode works, which is an improvement compared to the previous versions, when the BSOD appeared during safe mode booting too.

It appears before bootlog is created and minidump also is not created when the BSOD happens.


Here's something to try...ntoskrnl was a bit different than the other three in that it had some extra changes when I was still working out how to hook in the bootskin code. I undid those extra changes so it matches the others, and I altered the bootskin code very slightly to better restore ESP (in ntoskrnl only for now). I don't see any reason why this would help as I didn't see any obvious issues, but it's worth a try. I've tested it in a VM with no issues.

This is an early build of V5 that adds some new functions to ntdll and kernel32, but there are some more things I'd like to add before making it an "official" v5. I'm using it here on my laptop with no problems, so for the adventurous it adds the following:

ntdll

RtlAddVectoredExceptionHandler (also involved updating LdrpInitializeProcess and RtlDispatchException and adding internal function RtlCallVectoredExceptionHandlers)
RtlRemoveAddVectoredExceptionHandler (also involved updating LdrpInitializeProcess and RtlDispatchException and adding internal function RtlCallVectoredExceptionHandlers)


kernel32

GetSystemTimes
CreateMemoryResourceNotification
QueryMemoryResourceNotification
AddVectoredExceptionHandler (forwarded export to NTDLL.RtlAddVectoredExceptionHandler)
RemoveVectoredExceptionHandler (forwarded export to NTDLL.RtlRemoveAddVectoredExceptionHandler)



Windows2000-KB2393802-v5-early-1-x86-ENU.exe

Edited by WildBill, 14 November 2011 - 09:44 PM.


#411
tomasz86
    www.windows2000.tk
  • Member
  • 2,520 posts
  • Joined 27-November 10
  • OS:XP Pro x86
Something strange's going on :huh:

1. I don't have any bootskin setting set.

2. /BOOTLOG is enabled but it's not created because the BSOD happens before boot logging is even started.

3. The strange thing is that regardless of whether /SOS is set or not, the beginning of the GUI part is the same and looks as if /SOS were enabled. I can see the GUI part for only half a second before the BSOD appears.

4. The v5 doesn't make any difference.

...

I think I found the reason. The BSOD appears only when /PAE is enabled. Interestingly, it doesn't affect the desktop, as I've just turned /PAE on and there are no problems here. It was turned on by mistake on the notebook, but still there's no BSOD unless I install your patch ;)

#412
WildBill
    Senior Member
  • Developer
  • 697 posts
  • Joined 09-August 05
  • OS:none specified
If your desktop is multiprocessor, then its PAE kernel is ntkrpamp.exe (which gets renamed to ntkrnlpa.exe), whereas the laptop's uniprocessor PAE one is from ntkrnlpa.exe (i.e., they're different). Actually, that info helps a lot: it means that I probably messed something up in the uniprocessor PAE kernel. Hopefully it will be easy to find.

#413
WildBill
    Senior Member
  • Developer
  • 697 posts
  • Joined 09-August 05
  • OS:none specified
A-ha...the original ntkrnlpa had a stack variable in a different place than in the other three files, and it affected the SOS setting (and probably caused the BSOD). This might help:

Windows2000-KB2393802-v5-early-2-x86-ENU.exe

I also checked the multiprocessor PAE kernel, and that one looks ok (the variable's location is the same as the non-PAE one). Go figure.

Edited by WildBill, 14 November 2011 - 11:55 PM.


#414
tomasz86
    www.windows2000.tk
  • Member
  • 2,520 posts
  • Joined 27-November 10
  • OS:XP Pro x86
It's all right now :)

#415
WildBill
    Senior Member
  • Developer
  • 697 posts
  • Joined 09-August 05
  • OS:none specified
MS11-011 V5 is now posted, and it includes just about everything I could add to kernel32 and ntdll without major pain in the process. The complete list of additions is now:

ntoskrnl.exe/ntkrnlpa.exe/ntkrnlmp.exe/ntkrpamp.exe

KeAcquireInterruptSpinLock
KeReleaseInterruptSpinLock
InterlockedPushEntrySList
InterlockedPopEntrySList
RtlInt64ToUnicodeString
RtlIntegerToUnicode
RtlClearBit
RtlTestBit
RtlSetBit
ZwQueryInformationThread (already there, added it to the export table)
IoForwardIrpSynchronously/IoForwardAndCatchIrp (same routine, has two different exported names)
PsRemoveLoadImageNotifyRoutine (had to completely redesign the set and call routines to make this work)
PsRemoveCreateThreadNotifyRoutine (had to completely redesign the set and call routines to make this work)
_vsnwprintf
_aulldvrm
RtlGetVersion
KeFlushQueuedDpcs


ntdll.dll

RtlIpv4StringToAddressA
RtlIpv4StringToAddressW
RtlIpv4StringToAddressExA
RtlIpv4StringToAddressExW
RtlIpv4AddressToStringA
RtlIpv4AddressToStringW
RtlIpv4AddressToStringExA
RtlIpv4AddressToStringExW
RtlIpv6StringToAddressA
RtlIpv6StringToAddressW
RtlIpv6StringToAddressExA
RtlIpv6StringToAddressExW
RtlIpv6AddressToStringA
RtlIpv6AddressToStringW
RtlIpv6AddressToStringExA
RtlIpv6AddressToStringExW
RtlInitializeGenericTableAvl
RtlIsGenericTableEmptyAvl
RtlGetElementGenericTableAvl
RtlNumberGenericTableElementsAvl
RtlInsertElementGenericTableAvl
RtlDeleteElementGenericTableAvl
RtlEnumerateGenericTableLikeADirectory
RtlLookupElementGenericTableAvl
RtlEnumerateGenericTableWithoutSplayingAvl
RtlEnumerateGenericTableAvl
RtlEncodePointer (not a stub -- it's the real functionality and depends on changes to ntoskrnl.exe, etc.)
RtlDecodePointer (not a stub -- it's the real functionality and depends on changes to ntoskrnl.exe, etc.)
RtlInterlockedPushEntrySList
RtlInterlockedPopEntrySList
RtlInterlockedFlushSList
RtlQueryDepthSList
RtlInitializeSListHead
LdrLockLoaderLock
LdrUnlockLoaderLock
LdrAddRefDll
RtlComputePrivatizedDllName_U
RtlValidateUnicodeString
RtlDuplicateUnicodeString
RtlDowncaseUnicodeChar
RtlFindCharInUnicodeString
RtlpEnsureBufferSize
RtlMultiAppendUnicodeStringBuffer
RtlAppendPathElement
LdrEnumerateLoadedModules
RtlRandomEx
RtlUnhandledExceptionFilter2
RtlUnhandledExceptionFilter
RtlAddVectoredExceptionHandler (also involved updating LdrpInitializeProcess and RtlDispatchException and adding internal function RtlCallVectoredExceptionHandlers)
RtlRemoveAddVectoredExceptionHandler (also involved updating LdrpInitializeProcess and RtlDispatchException and adding internal function RtlCallVectoredExceptionHandlers)
RtlGetNtVersionNumbers
DbgPrintEx (Win2k doesn't support the extra features in this so the call strips out the extra parameters and routes it to DbgPrint)
_vsnwprintf
_lfind
_aulldvrm
_alldvrm
RtlpNotOwnerCriticalSection
RtlpApplyLengthFunction
RtlCopyOutOfProcessMemoryStreamTo
RtlLockMemoryStreamRegion
RtlUnlockMemoryStreamRegion
RtlNtPathNameToDosPathName
RtlGetLengthWithoutLastFullDosOrNtPathElement
RtlCreateBootStatusDataFile
RtlComputeCrc32
RtlCaptureContext
RtlLockBootStatusData
RtlUnlockBootStatusData
RtlGetSetBootStatusData
RtlNtStatusToDosErrorNoTeb (already there, only had to add it to the export table)
RtlAddMemoryStream
RtlReleaseMemoryStream
RtlQueryInterfaceMemoryStream
RtlReadOutOfProcessMemoryStream
RtlRevertMemoryStream
RtlCloneMemoryStream
RtlCommitMemoryStream
RtlSetMemoryStreamSize
RtlWriteMemoryStream
RtlSeekMemoryStream
RtlCopyMemoryStreamTo
RtlReadMemoryStream
RtlStatMemoryStream
RtlInitMemoryStream
RtlFinalReleaseOutOfProcessMemoryStream
RtlInitOutOfProcessMemoryStream


bootvid.dll

VidSetVgaPalette (used by the bootskin code)


kernel32.dll

DecodePointer (forwarded export to NTDLL.RtlDecodePointer)
EncodePointer (forwarded export to NTDLL.RtlEncodePointer)
InterlockedPushEntrySList (forwarded export to NTDLL.RtlInterlockedPushEntrySList)
InterlockedPopEntrySList (forwarded export to NTDLL.RtlInterlockedPopEntrySList)
InterlockedFlushSList (forwarded export to NTDLL.RtlInterlockedFlushSList)
QueryDepthSList (forwarded export to NTDLL.RtlQueryDepthSList)
InitializeSListHead (forwarded export to NTDLL.RtlInitializeSListHead)
GetModuleHandleExA
GetModuleHandleExW
IsWow64Process
IsWow64Message
GetProcessHandleCount
GetNativeSystemInfo (same as GetSystemInfo, simply added another export table entry)
SetDllDirectoryA
SetDllDirectoryW
GetDllDirectoryA
GetDllDirectoryW
AttachConsole
TzSpecificLocalTimeToSystemTime
SetClientTimeZoneInformation
IsValidUILanguage
GetSystemWow64DirectoryA
GetSystemWow64DirectoryW
SetHandleContext
GetProcessId
GetSystemTimes
CreateMemoryResourceNotification
QueryMemoryResourceNotification
AddVectoredExceptionHandler (forwarded export to NTDLL.RtlAddVectoredExceptionHandler)
RemoveVectoredExceptionHandler (forwarded export to NTDLL.RtlRemoveAddVectoredExceptionHandler)
RtlCaptureStackBackTrace
SetThreadUILanguage
LZStart
GetExpandedNameA
GetExpandedNameW
LZInit
LZDone
LZCreateFileW
LZOpenFileA
LZOpenFileW
LZSeek
LZRead
LZClose
LZCloseFile
LZCopy
CopyLZFile
GetVolumePathNamesForVolumeNameW
GetVolumePathNamesForVolumeNameA
GetHandleContext
GetCPFileNameFromRegistry
EnumerateLocalComputerNamesW
EnumerateLocalComputerNamesA
CreateSocketHandle
CreateNlsSecurityDescriptor
AddLocalAlternateComputerNameW
AddLocalAlternateComputerNameA
RemoveLocalAlternateComputerNameW
RemoveLocalAlternateComputerNameA
SetLocalPrimaryComputerNameW
SetLocalPrimaryComputerNameA

Edited by WildBill, 20 November 2011 - 05:12 PM.


#416
bristols
    Advanced Member
  • Member
  • 451 posts
  • Joined 24-September 05
  • OS:none specified
Hi WildBill,

MS11-011 V5 is now posted (...)


After installing the update, I get this error on reboot (the progress bar on the Windows 2000 boot screen having reached 100%):

stop:c0000139 (Entry Point Not Found)
The procedure entry point LdrLockLoaderLock could not be located in the dynamic link library ntdll.dll

:}

#417
WildBill
    Senior Member
  • Developer
  • 697 posts
  • Joined 09-August 05
  • OS:none specified
Hmm. That doesn't make any sense...I checked ntdll and the routine is there and it's in the export table. I also downloaded the patch and it matches what I uploaded. Did you install it normally or slipstream it? I'm not able to test slipstreaming, but I'm typing this on a laptop with V5 installed. I tested the patch on both a uniprocessor and a multiprocessor installation.

The ntdll you should have after installing the patch is version 5.0.2195.7010, 531,728 bytes, MD5 hash AB3331B195F0430945E0BADDA30112A3.

Edited by WildBill, 21 November 2011 - 04:58 PM.
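The two checks WildBill describes in this reply (is the routine really in ntdll's export table, and does the installed file have the expected size and MD5) can be done from a script. The following is an added example, not WildBill's PE Tool and not Microsoft code: a minimal reader for the export directory of a 32-bit PE image that lists exported names, tells forwarders such as NTDLL.RtlDecodePointer apart from routines implemented in the file, and reports which names from a required list are missing (the STOP c0000139 "entry point not found" situation from the previous post). `build_sample_dll()` constructs a small synthetic DLL so the reader can be exercised offline; on a real system you would read the DLL from the system directory instead. The size 531,728 and hash AB3331B195F0430945E0BADDA30112A3 in the comment are the values quoted above for ntdll.dll 5.0.2195.7010; everything else (names, layout of the synthetic image) is constructed here.

```python
"""Added example: read a PE32 export directory and verify a patched DLL.
Not WildBill's PE Tool and not Microsoft code; build_sample_dll() is a
constructed test fixture."""
import hashlib
import struct

IMAGE_DIRECTORY_ENTRY_EXPORT = 0  # index into the optional-header data directory


def _sections(data, pe_off):
    """Yield (virtual_addr, virtual_size, raw_ptr, raw_size) per section header."""
    num_sections = struct.unpack_from("<H", data, pe_off + 6)[0]
    opt_size = struct.unpack_from("<H", data, pe_off + 20)[0]
    sec_off = pe_off + 24 + opt_size  # 4-byte signature + 20-byte COFF header
    for i in range(num_sections):
        vsize, vaddr, rsize, rptr = struct.unpack_from("<IIII", data, sec_off + 40 * i + 8)
        yield vaddr, vsize, rptr, rsize


def rva_to_offset(data, pe_off, rva):
    """Map an RVA to a file offset using the section table."""
    for vaddr, vsize, rptr, rsize in _sections(data, pe_off):
        if vaddr <= rva < vaddr + max(vsize, rsize):
            return rptr + (rva - vaddr)
    raise ValueError("RVA 0x%x is not mapped by any section" % rva)


def _cstring(data, off):
    return data[off:data.index(b"\0", off)].decode("ascii")


def read_exports(data):
    """Return {export_name: forwarder_string_or_None} for a PE32 image."""
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    if struct.unpack_from("<H", data, pe_off + 24)[0] != 0x10B:
        raise ValueError("only PE32 (32-bit) images are handled here")
    # For PE32 the data directory starts 96 bytes into the optional header.
    exp_rva, exp_size = struct.unpack_from(
        "<II", data, pe_off + 24 + 96 + 8 * IMAGE_DIRECTORY_ENTRY_EXPORT)
    if exp_rva == 0:
        return {}
    exp_off = rva_to_offset(data, pe_off, exp_rva)
    # IMAGE_EXPORT_DIRECTORY from offset 16: Base, NumberOfFunctions, NumberOfNames,
    # AddressOfFunctions, AddressOfNames, AddressOfNameOrdinals.
    _base, _nfuncs, nnames, funcs_rva, names_rva, ords_rva = struct.unpack_from(
        "<IIIIII", data, exp_off + 16)
    if nnames == 0:
        return {}
    funcs_off = rva_to_offset(data, pe_off, funcs_rva)
    names_off = rva_to_offset(data, pe_off, names_rva)
    ords_off = rva_to_offset(data, pe_off, ords_rva)
    exports = {}
    for i in range(nnames):
        name_rva = struct.unpack_from("<I", data, names_off + 4 * i)[0]
        ordinal = struct.unpack_from("<H", data, ords_off + 2 * i)[0]  # index into function table
        func_rva = struct.unpack_from("<I", data, funcs_off + 4 * ordinal)[0]
        name = _cstring(data, rva_to_offset(data, pe_off, name_rva))
        # A function RVA pointing back inside the export directory is not code:
        # it is a "DLL.Function" forwarder string.
        if exp_rva <= func_rva < exp_rva + exp_size:
            exports[name] = _cstring(data, rva_to_offset(data, pe_off, func_rva))
        else:
            exports[name] = None
    return exports


def missing_entry_points(data, required):
    """Names in `required` that the image does not export at all."""
    exports = read_exports(data)
    return [name for name in required if name not in exports]


def md5_hex(data):
    return hashlib.md5(data).hexdigest().upper()


def verify_file(data, expected_size, expected_md5):
    """Size + MD5 check, as quoted for ntdll.dll in the post above."""
    return len(data) == expected_size and md5_hex(data) == expected_md5.upper()


def build_sample_dll(exports):
    """Constructed fixture: a minimal PE32 DLL with a single .edata section.
    exports: {name: None for a local routine, or "DLL.Function" for a forwarder}."""
    sec_rva, sec_raw = 0x1000, 0x200
    names = sorted(exports)  # linkers sort names so the loader can binary-search
    n = len(names)
    tables = 40 + 4 * n + 4 * n + 2 * n  # directory + function/name/ordinal tables
    strings = bytearray()

    def add_str(s):
        rva = sec_rva + tables + len(strings)
        strings.extend(s.encode("ascii") + b"\0")
        return rva

    name_rvas = [add_str(name) for name in names]
    func_rvas = [add_str(exports[name]) if exports[name] else 0x2000 + 16 * i
                 for i, name in enumerate(names)]
    edata = struct.pack("<IIHHIIIIIII", 0, 0, 0, 0, 0, 1, n, n,
                        sec_rva + 40, sec_rva + 40 + 4 * n, sec_rva + 40 + 8 * n)
    edata += struct.pack("<%dI" % n, *func_rvas) + struct.pack("<%dI" % n, *name_rvas)
    edata += struct.pack("<%dH" % n, *range(n)) + bytes(strings)
    exp_size = len(edata)
    dos = b"MZ" + bytes(0x3A) + struct.pack("<I", 0x80)  # e_lfanew = 0x80
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x2102)  # i386, 1 section, DLL
    opt = (struct.pack("<H", 0x10B) + bytes(90) + struct.pack("<I", 16)
           + struct.pack("<II", sec_rva, exp_size) + bytes(120))
    sect = struct.pack("<8sIIII", b".edata", exp_size, sec_rva, exp_size, sec_raw) + bytes(16)
    headers = dos.ljust(0x80, b"\0") + b"PE\0\0" + coff + opt + sect
    return headers.ljust(sec_raw, b"\0") + edata


if __name__ == "__main__":
    dll = build_sample_dll({"LdrLockLoaderLock": None, "RtlDecodePointer": None,
                            "DecodePointer": "NTDLL.RtlDecodePointer"})
    for name, fwd in sorted(read_exports(dll).items()):
        print("%-20s %s" % (name, "-> " + fwd if fwd else "(local code)"))
    print("missing:", missing_entry_points(dll, ["LdrLockLoaderLock", "LdrUnlockLoaderLock"]))
    # Against a real install you would pass the file contents and the values
    # quoted in the post instead of the fixture, e.g.:
    # verify_file(open(r"C:\WINNT\system32\ntdll.dll", "rb").read(),
    #             531728, "AB3331B195F0430945E0BADDA30112A3")
```

Only PE32 images are handled, which is all Windows 2000 has; the forwarder test relies on the documented rule that a function RVA falling inside the export directory is a forwarder string rather than code, which is exactly how the kernel32 entries such as DecodePointer -> NTDLL.RtlDecodePointer in the lists above are represented.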


#418
tomasz86
    www.windows2000.tk
  • Member
  • 2,520 posts
  • Joined 27-November 10
  • OS:XP Pro x86
WildBill,

ntdll.dll 5.0.2195.7080 is included in KB915985 which is a HBR. Bristols uses HBRs so that's probably the reason why your ntdll.dll doesn't install (as its version is lower).

By the way, there exist also KB915985-v2 made by BlackWingCat with ntdll.dll 5.0.2195.7081.


I've also got one question unrelated to the kernel patch. Can such icon anomalies be caused by 2479628?

[two screenshots of the icon anomalies]

They can be brought back to normal by changing color depth or resolution.

Edited by tomasz86, 21 November 2011 - 07:24 PM.


#419
bristols
    Advanced Member
  • Member
  • 451 posts
  • Joined 24-September 05
  • OS:none specified

Did you install it normally or slipstream it?

(...)

The ntdll you should have after installing the patch is version 5.0.2195.7010



By the way, there exist also KB915985-v2 made by BlackWingCat with ntdll.dll 5.0.2195.7081.


That's the problem. I've installed blackwingcat's KB915985-v2. Indeed I have Ntdll.dll 5.0.2195.7081.

WildBill, I see that several of the other files included in your update have lower version numbers than those found in some hotfixes. Tricky... I suppose that your update would cause problems too for people who have installed the hotfixes in question.

Incidentally tomasz86, did you ever get around to writing-up what you know regarding problematic hotfixes? I'm eager to read your findings.

#420
WildBill
    Senior Member
  • Developer
  • 697 posts
  • Joined 09-August 05
  • OS:none specified
When you first install KB2479628, it's important to rebuild your icon cache (such as with TweakUI). I guess changing the color depth or resolution would do the same thing. I wish I knew how to get the installer to do it automatically.

Any suggestions regarding V5? I guess I can bump up the version if/when I release a V6.

Edited by WildBill, 21 November 2011 - 08:29 PM.


#421
tomasz86
    www.windows2000.tk
  • Member
  • 2,520 posts
  • Joined 27-November 10
  • OS:XP Pro x86

Incidentally tomasz86, did you ever get around to writing-up what you know regarding problematic hotfixes? I'm eager to read your findings.

Yes, I've already analysed some files included in HBRs but there's still a lot more to do :whistle: I hope I'll manage to finish the first part in the next few days.


When you first install KB2479628, it's important to rebuild your icon cache (such as with TweakUI). I guess changing the color depth or resolution would do the same thing. I wish I knew how to get the installer to do it automatically.

The problem is that it happens randomly (once a few days) even after the cache is flushed. I can't reproduce it, unfortunately.


Any suggestions regarding V5? I guess I can bump up the version if/when I release a V6.

That'd probably be the safest solution. You may also try to play with [OverrideVersionNumbers], but I don't really know if it works.

In case you bump the number higher than 7081, would it be difficult to add the changes from the original 915985 and BWC's 915985-v2?

Edited by tomasz86, 21 November 2011 - 08:45 PM.


#422
WildBill
    Senior Member
  • Developer
  • 697 posts
  • Joined 09-August 05
  • OS:none specified
I'm taking a look at KB915985 and I'll see if I can push out a V6 with a higher version number. It looks like the changes in the HBR are pretty simple.

#423
WildBill
    Senior Member
  • Developer
  • 697 posts
  • Joined 09-August 05
  • OS:none specified
I posted MS11-011 V6, which includes the KB915985 hotfix as well as the fix in blackwingcat's v2, with one exception: the HBR also has a change to RtlCallQueryRegistryRoutine that the hotfix doesn't mention, but my patch completely replaces it (and routines that call it) with the version from XPSP3. If it winds up being changed in XP then I can change it as well, but I figure the best thing to do is to leave RtlCallQueryRegistryRoutine alone.

The ntdll version is 5.0.2195.7082, which should make slipstreaming happy. I also found a couple more routines that could go into ntdll, so here's the new additions list:

ntoskrnl.exe/ntkrnlpa.exe/ntkrnlmp.exe/ntkrpamp.exe

KeAcquireInterruptSpinLock
KeReleaseInterruptSpinLock
InterlockedPushEntrySList
InterlockedPopEntrySList
RtlInt64ToUnicodeString
RtlIntegerToUnicode
RtlClearBit
RtlTestBit
RtlSetBit
ZwQueryInformationThread (already there, added it to the export table)
IoForwardIrpSynchronously/IoForwardAndCatchIrp (same routine, has two different exported names)
PsRemoveLoadImageNotifyRoutine (had to completely redesign the set and call routines to make this work)
PsRemoveCreateThreadNotifyRoutine (had to completely redesign the set and call routines to make this work)
_vsnwprintf
_aulldvrm
RtlGetVersion
KeFlushQueuedDpcs


ntdll.dll

RtlIpv4StringToAddressA
RtlIpv4StringToAddressW
RtlIpv4StringToAddressExA
RtlIpv4StringToAddressExW
RtlIpv4AddressToStringA
RtlIpv4AddressToStringW
RtlIpv4AddressToStringExA
RtlIpv4AddressToStringExW
RtlIpv6StringToAddressA
RtlIpv6StringToAddressW
RtlIpv6StringToAddressExA
RtlIpv6StringToAddressExW
RtlIpv6AddressToStringA
RtlIpv6AddressToStringW
RtlIpv6AddressToStringExA
RtlIpv6AddressToStringExW
RtlInitializeGenericTableAvl
RtlIsGenericTableEmptyAvl
RtlGetElementGenericTableAvl
RtlNumberGenericTableElementsAvl
RtlInsertElementGenericTableAvl
RtlDeleteElementGenericTableAvl
RtlEnumerateGenericTableLikeADirectory
RtlLookupElementGenericTableAvl
RtlEnumerateGenericTableWithoutSplayingAvl
RtlEnumerateGenericTableAvl
RtlEncodePointer (not a stub -- it's the real functionality and depends on changes to ntoskrnl.exe, etc.)
RtlDecodePointer (not a stub -- it's the real functionality and depends on changes to ntoskrnl.exe, etc.)
RtlInterlockedPushEntrySList
RtlInterlockedPopEntrySList
RtlInterlockedFlushSList
RtlQueryDepthSList
RtlInitializeSListHead
LdrLockLoaderLock
LdrUnlockLoaderLock
LdrAddRefDll
RtlComputePrivatizedDllName_U
RtlValidateUnicodeString
RtlDuplicateUnicodeString
RtlDowncaseUnicodeChar
RtlFindCharInUnicodeString
RtlpEnsureBufferSize
RtlMultiAppendUnicodeStringBuffer
RtlAppendPathElement
LdrEnumerateLoadedModules
RtlRandomEx
RtlUnhandledExceptionFilter2
RtlUnhandledExceptionFilter
RtlAddVectoredExceptionHandler (also involved updating LdrpInitializeProcess and RtlDispatchException and adding internal function RtlCallVectoredExceptionHandlers)
RtlRemoveAddVectoredExceptionHandler (also involved updating LdrpInitializeProcess and RtlDispatchException and adding internal function RtlCallVectoredExceptionHandlers)
RtlGetNtVersionNumbers
DbgPrintEx (Win2k doesn't support the extra features in this so the call strips out the extra parameters and routes it to DbgPrint)
_vsnwprintf
_lfind
_aulldvrm
_alldvrm
RtlpNotOwnerCriticalSection
RtlpApplyLengthFunction
RtlCopyOutOfProcessMemoryStreamTo
RtlLockMemoryStreamRegion
RtlUnlockMemoryStreamRegion
RtlNtPathNameToDosPathName
RtlGetLengthWithoutLastFullDosOrNtPathElement
RtlCreateBootStatusDataFile
RtlComputeCrc32
RtlCaptureContext
RtlLockBootStatusData
RtlUnlockBootStatusData
RtlGetSetBootStatusData
RtlNtStatusToDosErrorNoTeb (already there, only had to add it to the export table)
RtlAddMemoryStream
RtlReleaseMemoryStream
RtlQueryInterfaceMemoryStream
RtlReadOutOfProcessMemoryStream
RtlRevertMemoryStream
RtlCloneMemoryStream
RtlCommitMemoryStream
RtlSetMemoryStreamSize
RtlWriteMemoryStream
RtlSeekMemoryStream
RtlCopyMemoryStreamTo
RtlReadMemoryStream
RtlStatMemoryStream
RtlInitMemoryStream
RtlFinalReleaseOutOfProcessMemoryStream
RtlInitOutOfProcessMemoryStream
RtlSetLastWin32ErrorAndNtStatusFromNtStatus
RtlSetLastWin32Error/RtlRestoreLastWin32Error (same routine, exported under two different names)


bootvid.dll

VidSetVgaPalette (used by the bootskin code)


kernel32.dll

DecodePointer (forwarded export to NTDLL.RtlDecodePointer)
EncodePointer (forwarded export to NTDLL.RtlEncodePointer)
InterlockedPushEntrySList (forwarded export to NTDLL.RtlInterlockedPushEntrySList)
InterlockedPopEntrySList (forwarded export to NTDLL.RtlInterlockedPopEntrySList)
InterlockedFlushSList (forwarded export to NTDLL.RtlInterlockedFlushSList)
QueryDepthSList (forwarded export to NTDLL.RtlQueryDepthSList)
InitializeSListHead (forwarded export to NTDLL.RtlInitializeSListHead)
GetModuleHandleExA
GetModuleHandleExW
IsWow64Process
IsWow64Message
GetProcessHandleCount
GetNativeSystemInfo (same as GetSystemInfo, simply added another export table entry)
SetDllDirectoryA
SetDllDirectoryW
GetDllDirectoryA
GetDllDirectoryW
AttachConsole
TzSpecificLocalTimeToSystemTime
SetClientTimeZoneInformation
IsValidUILanguage
GetSystemWow64DirectoryA
GetSystemWow64DirectoryW
SetHandleContext
GetProcessId
GetSystemTimes
CreateMemoryResourceNotification
QueryMemoryResourceNotification
AddVectoredExceptionHandler (forwarded export to NTDLL.RtlAddVectoredExceptionHandler)
RemoveVectoredExceptionHandler (forwarded export to NTDLL.RtlRemoveAddVectoredExceptionHandler)
RtlCaptureStackBackTrace
SetThreadUILanguage
LZStart
GetExpandedNameA
GetExpandedNameW
LZInit
LZDone
LZCreateFileW
LZOpenFileA
LZOpenFileW
LZSeek
LZRead
LZClose
LZCloseFile
LZCopy
CopyLZFile
GetVolumePathNamesForVolumeNameW
GetVolumePathNamesForVolumeNameA
GetHandleContext
GetCPFileNameFromRegistry
EnumerateLocalComputerNamesW
EnumerateLocalComputerNamesA
CreateSocketHandle
CreateNlsSecurityDescriptor
AddLocalAlternateComputerNameW
AddLocalAlternateComputerNameA
RemoveLocalAlternateComputerNameW
RemoveLocalAlternateComputerNameA
SetLocalPrimaryComputerNameW
SetLocalPrimaryComputerNameA

#424
MacLover
    Newbie
  • Member
  • 30 posts
  • Joined 21-October 10
  • OS:Windows 2000 Professional
I found an issue with your MS11-020 fix :} :
On Windows 2000 Advanced Server (probably any other server variant as well), when I enable Active Directory, I am unable to log on to the system unless I use safe mode *without* networking. I narrowed the issue down to the KERBEROS.DLL file from said update.

When I look at the event log on the system (in safe mode), it mentions Kerberos causing an exception and then a cascade of failures caused by that.

#425
WildBill
    Senior Member
  • Developer
  • 697 posts
  • Joined 09-August 05
  • OS:none specified
Can you post the info from the event? If it has the address where it happened I could try to hunt it down.



