Quick Search


Tibetan singing bowl music,sound healing, remove negative energy.

528hz solfreggio music -  Attract Wealth and Abundance, Manifest Money and Increase Luck



 
Your forum announcement here!

  Free Advertising Forums | Free Advertising Board | Post Free Ads Forum | Free Advertising Forums Directory | Best Free Advertising Methods | Advertising Forums > Post Your Free Ads Here in English for Advertising .Adult and gambling websites NOT accepted. > Post Your Business Ops Here

Post Your Business Ops Here This section is for posting your free classified ads about different work at home and home based business opportunities.

 
 
Thread Tools Display Modes
Prev Previous Post   Next Post Next
Old 04-16-2011, 02:03 PM   #1
jhjkrhsd
Major
 
Join Date: Feb 2011
Posts: 602
jhjkrhsd is on a distinguished road
Default Office Professional Plus 2007 Key Windows 7 XP Mod

Hello All, Ron Riddle here once more to reveal an additional mystery referring to the XP Mode Auto Publish function for Windows 7 that had an surprising root cause.  As you may know, the Vehicle Publish attribute allows applications installed within the guest to be automagically available from the start menu of the Windows seven host.  Of course, one requirement for this to work properly is that the characteristic must be enabled; however, I have encountered two such instances where the feature is listed as ‘Not Available’ within the Virtual PC Settings UI once the guest is started.

 

 

Debugging the Issue

 

The Virtual PC Integration Components Services Application (1-vmsrvc) service, which runs within a vmsrvc.exe instance on the guest, decides whether the Vehicle Publish attribute should be enabled.  For non-Windows seven guests,Office Professional 2007, the first thing 1-vmsrvc does is issue a WMI query to determine whether KB961742 (for an XP guest) or KB961741 (for a Vista guest), which provide Remote Applications Integrated Locally (RAIL) support, have been applied.

 

Root Cause Analysis

 

Before we issue the WMI query, we must first activate the CLSID_WbemLevel1Login component.  Here’s an excerpt below:

 

0:009> k

ChildEBP RetAddr 

00b1f730 74ef186e wbemprox!CDCOMTrans::DoActualCCI+0x3d

00b1f774 74ef15db wbemprox!CDCOMTrans::DoCCI+0x12d

00b1f830 74ef17e4 wbemprox!CDCOMTrans::DoActualConnection+0x25c

00b1f85c 74ef1ee1 wbemprox!CDCOMTrans::DoConnection+0x25

00b1f89c 01018283 wbemprox!CLocator::ConnectServer+0x7c

00b1fae8 010182da vmsrvc!VPCRAILUpdates::Connect+0xa8

00b1faf4 0101842b vmsrvc!VPCRAILUpdates::QueryInstalledFixes+0xb

00b1fe34 0100b61f vmsrvc!VPCRAILUpdates::CheckIfUpdatesArePresent+0x 91

00b1ffb4 7c80b729 vmsrvc!Win32VPCAppPublisherService::AllowListNotif icationThreadProc+0x90

00b1ffec 00000000 kernel32!BaseThreadStart+0x37

 

However, I noticed that the activation attempt failed with WBEM_E_CRITICAL_ERROR(0x8004100a).

 

0:009> r eax

eax=8004100a

 

So, I proceeded to debug the activation attempt from within the Windows Management Instrumentation(winmgmt) service, since it provides the class factory for this component.  Notice the call to LoadLibraryExW passing a relative path for the lpFileName parameter.  This means that a search strategy must be applied which leverages the PATH environment variable.

 

0:002> k

ChildEBP RetAddr             

0086f438 594976e2 kernel32!LoadLibraryExW

0086f494 7751d8a7 wmisvc!CForwardFactory::CreateInstance+0xf8

0086f4b8 7751daac ole32!GetInstanceHelperMulti+0x20

0086f578 77e799f4 ole32!CObjServer::CreateInstance+0x251

0086f59c 77ef421a RPCRT4!Invoke+0x30

0086f9a8 77ef4bf3 RPCRT4!NdrStubCall2+0x297

0086fa00 77600c15 RPCRT4!CStdStubBuffer_Invoke+0xc6

0086fa40 77600bbf ole32!SyncStubInvoke+0x33

0086fa88 7752ad31 ole32!StubInvoke+0xa7

0086fb60 7752ac56 ole32!CCtxComChnl::ContextInvoke+0xe3

0086fb7c 776007f5 ole32!MTAInvoke+0x1a

0086fbac 77602df3 ole32!AppInvoke+0x9c

0086fc80 77600715 ole32!ComInvokeWithLockAndIPID+0x2c2

0086fccc 77e794bd ole32!ThreadInvoke+0x1cd

0086fd00 77e79422 RPCRT4!DispatchToStubInC+0x38

0086fd54 77e7934e RPCRT4!RPC_INTERFACE::DispatchToStubWorker+0x113

0086fd78 77e8a384 RPCRT4!RPC_INTERFACE::DispatchToStub+0x84

0086fdb8 77e8a3c5 RPCRT4!RPC_INTERFACE::DispatchToStubWithObject+0xc 0

0086fdf8 77e7bcc1 RPCRT4!LRPC_SCALL::DealWithRequestMessage+0x2cd

0086fe1c 77e7bc05 RPCRT4,Office Professional Plus 2007 Key!LRPC_ADDRESS::DealWithLRPCRequest+0x16d

 

0:002> du poi(esp+4)

59491668  "wbemcore.dll"

 

Surprisingly, I found that the requested library could not be found using the standard search strategy.

 

0:002> !gle

LastErrorValue: (Win32) 0x7e (126) - The specified module could not be found.

LastStatusValue: (NTSTATUS) 0xc0000135 - Unable To Locate Component  This application has failed to start because %hs was not found. Re-installing the application may fix this problem.

 

I then decided to enable boot logging within the Process Monitor tool to catch a glimpse into why the load for wbemcore.dll was failing.  Here’s an excerpt from the Process Monitor log:

 

8:18:11.1652951 PM      svchost2.exe      1628  QueryOpen   C:\WINDOWS\system32\%SystemRoot%\system32\wbemcore .dll  PATH NOT FOUND    

8:18:11.1653627 PM      svchost2.exe      1628  QueryOpen   C:\WINDOWS\system32\%SystemRoot%\wbemcore.dll        PATH NOT FOUND 

8:18:11.1654161 PM      svchost2.exe      1628  QueryOpen   C:\WINDOWS\system32\%SystemRoot%\System32\Wbem\wbe mcore.dll  PATH NOT FOUND     

 

At this point, it became clear to me that something must be wrong with the PATH environment variable configuration because the SystemRoot environment variable was not being properly expanded.  Sure enough,Windows 7 Home Premium Product Key, the registry showed that the Path value was of type REG_SZ rather than REG_EXPAND_SZ.

 

 

Once I saved off the data for the Path value and recreated it specifying the proper type(REG_EXPAND_SZ), the issue was resolved,Office Professional Plus 2007!

 

Sidenote on the Debugging Strategy

 

I chose to debug the services by attaching ntsd.exe and redirecting the session to your kernel debugger.  Alternatively, I could have chosen to use a remote debugging session since it’s much more natural than redirecting towards the kernel debugger, in my opinion.  However, this issue was further complicated by the fact that introducing a debugger in the mix had potential to change the timing enough such that I struggled to reproduce the issue using a remote session.  The reason for this is that if we slow down the 1-vmsrvc execution enough, the winmgmt service itself will attempt to load wbemcore.dll, albeit through an activation request where an absolute path is specified, thereby avoiding application of a search strategy, which will succeed.  Thus, when 1-vmsrvc attempts to activate CLSID_WbemLevel1Login, it will now succeed because wbemcore.dll is already loaded and the Automobile Publish function will now be ‘Enabled’!

 

Configuration

 

I leveraged the Image File Execution Options key,Microsoft Office 2010 Product Key, creating a new entry for vmsrvc.exe and configuring the Debugger value with the following command line:

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vmsrvc.exe]

"Debugger"="c:\\debuggers\\ntsd.exe -d -y srv*c:\\vmsrvc -c \"bu vmsrvc!Win32VPCAppPublisherService::AllowListNotif icationThreadProc;bu wbemprox!CDCOMTrans::DoActualCCI;g\""

 

I also isolated the winmgmt service into its own svchost.exe, copied %systemroot%\system32\svchost.exe to %systemroot%\system32\svchost2.exe, and then created a new key for svchost2.exe with the following command line:

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\svchost2.exe]

"Debugger"="c:\\debuggers\\ntsd.exe -d -y srv*c:\\winmgmt -c \"bu wmisvc!CForwardFactory::CreateInstance;g\""

 

Although redirecting ntsd.exe to your kernel debugger was cumbersome from a usability perspective, I found the ability to debug both processes from a central facility very appealing and worthwhile.

 

Conclusion

 

For issues like these that ultimately resolve to a misconfiguration of the OS, I can’t help but think how unfortunate it was that I didn’t stumble onto root trigger sooner via the routine task of launching some executable from a command shell.  Surely this would have been a red flag and could have saved me a lot of time debugging!

 

 

While this was a rather extreme example of how a misconfiguration of the OS can affect other seemingly unrelated parts such as the Automobile Publish function of XP Mode, the take-away right here is when you detect that the Auto Publish characteristic is ‘Not Available’, you should begin with standard WMI troubleshooting; and, as we’ve just seen here, a quick sanity check of the environment might not be a bad idea either! :)

 

Until next time, happy debugging!
jhjkrhsd is offline   Reply With Quote
 


Thread Tools
Display Modes

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

vB code is On
Smilies are On
[IMG] code is On
HTML code is Off


All times are GMT. The time now is 10:49 AM.

 

Powered by vBulletin Version 3.6.4
Copyright ©2000 - 2024, Jelsoft Enterprises Ltd.
Free Advertising Forums | Free Advertising Message Boards | Post Free Ads Forum