Jan 18
Misc IT Notes (2012.01.18)
Acer recovery partition password: Saved in plain text in a file named aimdrs.dat at the root of the recovery partition.
Mac: F12 ejects media from the optical drive during boot
ERROR: "Windows cannot find '(null)' " when using IE; FIX: uninstall and reinstall IE
When installing SP1 0x800F0A12: FIX What I did: Enabling automount did not fix the problem; mountvol /e did not work. Using diskpart to set the 100MB "Startup repair" partition to active resolved the problem.
ERROR: When opening a link in Outlook, "This operation has been cancelled due to restrictions in effect on this computer. Please contact your system administrator." Resolution: (Microsoft KB310049)
Sep 7
Microsoft's Malicious Software Removal Tool Will Not Run
We ran into a problem while finishing a malware removal, in which the Malicious Software Removal tool (MSRT) would not run. We first noticed the problem while downloading Windows updates -- all the other updates would install, but Windows Update kept reoffering the August 2011 MSRT. We tried many different things, such as reseting Windows Updates, double checking for root kits, rescanning the machines, manually checking files in %windir%, and an assortment of other things. One of the things we tried was downloading the standalone MSRT from http://support.microsoft.com/kb/890830. The file would download fine, but it would not run. The extraction dialog boxes would show up, then it would just disappear. Watching Task Manager while extracting the MSRT standalone package show the package would start running and then just disappear. We could not find any information in Event viewer, mrt.log, or mrteng.log.
We double checked the permissions on HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemovalTools to make sure acces was not denied, since the MSRT package updates the Version subkey when a new verison successfully finishes. Our final idea was to take ownership of %windir%\system32\mrt.exe and rename the file to %windir%\system32\mrt.old. To do this we used the following commands:
takeown /f %windir%\system32\mrt.exe /a icacls %windir%\system32\mrt.exe /grant Administrators:F ren %windir%\system32\mrt.exe mrt.old
After successfully taking ownership and renaming the file, We reran the MSRT standalone package. This time MSRT actually continued to run, and allowed us to complete a scan. After MSRT finished a scan Windows Update stopped reoffering the the August 2011 MSRT package and offered new Windows Updates. I am not sure whether the problem was acutally permission or a corrupted mrt.exe, since I was time crunched to fix the problem before the customer returned.
Sep 6
No Sound in Flash Player
We had this customer bring in a Dell desktop for having sound everywhere but in flash player; the customer had already had two local repair shops take a look at the problem and his IT guru son -- none were able to actually fix the problem. We looked at it for a few minutes with him in the store, but eventually convinced him we should check the computer in for repairs.
The symptoms were sound every where, but webpages using flash player. The volume mixer did not show any other devices but the built in sound device (a realtek sound card). Videos would download without any problems. All the Windows Vista x64 sounds worked fine, as did any local media.
Attempted resolutions
Uninstall Flash player, and reinstalled -- no effect
Flash player removal tool, and reinstall -- no effect
After poking around for a little bit, we found the registry keys for sound drivers were missing from the registry.
All the sub keys under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32 were missing. A post on Technet indicated that the "wavemapper" subkey being missing was often the cause of no sound in flash player. We created a string value subkey named "wavemapper" under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32, with a value of "msacm32.drv." After a reboot, we still had no sound. We looked under the x64 drivers registry key HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Drivers32 and found all the subkeys here were missing too. So we exported a known good list of both the x86 driver32 keys, and the x64 driver32 subkeys. After importing them and rebooting, there was still no sound. One of our tools indicated that users did not have permissions to read the registry keys, but it also show the keys existed; however regedit show the keys as still missing. I tried creating another copy of "wavemapper" in the Drivers32 subkey, but regedit tossed up an error saying the key already existed.
All the permissions on the registry keys looked ok, but I decided to look at the effective permissions. Luckly, I got the right account off the bat. It turned out the Administrator account had deny "Full Control" set. I moved up to the key higher in the tree, and found the the deny permission. After unsetting it and rebooting, sound worked perfectly.
Jul 9
fatal error c0000034 applying update operation at sud.dll
We had another employee's computer get this error while installing Service Pack 1 for Windows 7 x64. After poking around for some answer about how to fix the problem, I found most people were having sucess with running dism /image:c:\ /cleanup-image /revertpendingactions in Windows 7 Recovery Environment. This seemed to be working for us, but ending up throwing "Error 2" and bailing out. I pulled up the x:\windows\logs\dism\dism.log and started searching through for a possible answer.
Near the middle of dism.log, I found an error "Status_object_name_not_found" and a reference to the missing file in d:\windows\winsxs\. I pulled a good copy from another Windows 7 x64 SP1 machines. Reruning dism failed again with the same error, and the log found the same "Status_Object_Name_Not_Found" error. Also dism.log would indicate a missing directory with the error "Status_Object_Path_Not_Found." Between these two errors, my co-worker and I replaced between 200-300 files, and directories.
So the basic process from the command line in Windows Recovery Environment was:
dism /image:d:\ /cleanup-image /revertPendingActions notepad x:\windows\logs\dism\dism.log copy g:\windows\winsxs\PathTo\missingFile.xxx d:\windows\winsxs\PathTo\MissingFile robocopy g:\windows\winsxs\MissingDirectory d:\windows\winsxs\MissingDirectory /e (For Missing Directories) del x:\windows\logs\dism\dism.log
Once we replaced all the missing file in Windows Recovery Environment, the computer started booting to Windows without any errors; in windows, we ran SFC from an administrative command prompt. Reading through the SFC log the first time, some missing files from SP1 which I replaced with known good copies from another Windows 7 box. These first missing files were found by using "findstr /c:"[SR] Cannot" c:\windows\logs\cbs\cbs.log > c:\sfcResults.txt." All the missing files are listed in sfcResults.txt. After fixing these SFC did not show any errors from the above command, but said it found unrepairable errors. Searching manually through cbs.log, I found a reference to "Status_Object_Path_Not_Found." After replacing the missing directory, and a reboot, we ran SFC; the findstr command above found more missing files, which were all in a single missing directory. We replaced these, and that ended up being all the missing files.
One note, is /revertPendingActions rolls back filesystem changes, and not changes to the registry. So Service Pack 1 was seen by Windows as installed, and 99% of the files we replaced by hand were for Service Pack 1. We had thought about using System Restore, but there was no restore data.
Jun 23
Vista - Sp2 0x80073712 Corrupt CBS Manifest
The other day, we had a Vista Service Pack 1 notebook dropped off just to have Service Pack 2 installed. We ran through some basic hardware tests, and virus scans to make sure things were ok; the problem was error code 0x80073712 which means "CBS manifest is corrupted." So we ran through the System Readiness Tool, and SFC, fixing all those errors. Afterward, the Service pack installer was still throwing 0x80073712. So I started looking through the cbs.log and noticed there was an error stating "MissingFileSystemResource" and pointing to a specific file in c:\windows\winsxs. So I replaced the file from a known good copy of Winsxs, backed up the CBS log, and reran the SP installer; it failed again, but this time the CBS log pointed to a different missing file.
Being the semi-lazy when it comes to repeating a process over and over, I wrote a basic batch file to find the missing file from CBS.log, delete the cbs log, and run the service pack installer. Here it is (make sure to turn off UAC, to simply the process):
@echo off findstr /c:"MissingFileSystemResource" pause del %windir%\logs\cbs\cbs.log pathToSp2\Installer\sp2.exe /unattend
So after running this script and replacing problem 15-20 missing files, the service pack installer started to reboot the system like normal; during the reboot, it would get to "Stage 1 of 3" and fail at 4%; the new error was 0x80070002 "Error_File_Not_Found," when it booted back to Windows. I checked the CBS log again for guidance on the missing file, but there was no indicator of thie missing file. So I started poking around setupapi.dev.log looking for something wrong. After blinding paging through many many pages of setupapi.dev.log, I found an error pointing to a missing file in c:\windows\winsxs. This time, I replaced the missing file with a known good, backed up setupapi.dev.log and reran the service pack installer. The installer rebooted and failed in the same place; once back in Windows, I searched setupapi.dev.log for the word "fail" and quickly found another single reference to a missing file. So again, the missing file got replace, setupapi.dev.log got erased, and the installer reran. This process went on for two or three more files, before I had to leave for the day.
I, later, realized the easier way to figure out the missing files would have been to compare this corrupt Winsxs, to a known good Vista SP1 winsxs with something like comp.exe or Winmerge. So in preparation to test my new idea, I used tree on a Vista SP1 virtual machines and redirected the results into a text file.
tree /f /a c:\windows\winsxs > c:\WinsxsSp1.txt
Sadly, before I could test my new process the machine was already started on an OS reload. So this idea remains unverified.
The Vista SP1 text document is here.
