I recently discovered simply copying over the checked fltmgr.sys file wasn’t doing the trick - it would just replace itself! Booting up in Safe Mode with Networking was the way to go!
Is that the common practice? What’s the best way to do this?
Also, I don’t download the checked versions of the OSes, so I’m not sure what’s available. But is it essential to use the checked components from the same Service Pack as your test VM? Ex: Checked components from 2003 SP1 with Free 2003 SP2? Or Checked 2003 Enterprise with Free 2003 Standard?
Yes, you need to use the same service pack. You may get away with it
in some cases where a file updated in SP1 is not further updated in
SP2, so you are dealing with the same file, but this is rare.
In general you need the checked kernel and HAL, plus whatever components
you are working with. You should be able to use a different version of
the same OS plus service pack for getting checked files, so your example
of checked Enterprise 2003 with free 2003 Standard should work.
I think this is the System File Protection feature of Windows
(http://www.microsoft.com/whdc/archive/wfp.mspx). I normally just copy a
checked fltmgr.sys over the existing one and reboot the machine (but I think
I disabled SFP).
You can replace the HAL and the kernel if you want to but it’s not required
(and it might be somewhat noisy) if you just need fltmgr.
Well, I mostly use a checked fltmgr on Win7 (a lot more checks and fltmgr
verifier checks were added in Win7, so it makes sense for me). However, for
Plugfest the setup used to include a checked fltmgr (and some file systems)
but no checked kernel (at least in recent years).
Still, it’s quite possible this was broken in previous releases but I
haven’t experienced it.
Thanks,
Alex.
-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Don Burn
Sent: Monday, January 24, 2011 11:25 AM
To: Windows File Systems Devs Interest List
Subject: RE:[ntfsd] Using Checked Components
Alex,
Which OSes do you do this with? Early on with FltMgr, just copying it made
the whole system unbootable.
> I recently discovered simply copying over the checked fltmgr.sys file
> wasn’t doing the trick - it would just replace itself! Booting up in Safe
> Mode with Networking was the way to go!
>
> Is that the common practice? What’s the best way to do this?
Prior to Vista, Windows had something called System File Protection that
would automatically replace system files if they were overwritten. Starting
with Vista, all of the critical system files (e.g. drivers) are ACL’d such
that the owner is the TrustedInstaller user and no one else has modify
access (which is a much saner approach, though prior to Vista you could
install Windows on a FAT volume so there had to be a different solution).
To replace in-box drivers pre-Vista with their checked components, you had
to disable SFP somehow and then replace the files. To replace files on Vista
and later you need to first take ownership of the file and then modify the
ACL to give yourself modify access.
However, there is (IMO) an easier way that works on all releases of Windows.
What I do is create a “chk” subdirectory of the \drivers directory and copy
the checked images there. Then all I need to do is replace the ImagePath
value of the appropriate service key and I’m done.
The kernel and HAL are a bit different as you don’t replace those by
changing the service key but by specifying the kernel= and hal= boot
switches (boot.ini pre-Vista, bcdedit Vista and later).
-scott
–
Scott Noone
Consulting Associate and Chief System Problem Analyst
OSR Open Systems Resources, Inc. http://www.osronline.com
Hope to see you at the next OSR kernel debugging class February 14th in
Columbia, MD!
I really like the “chk” subdirectory approach. I noticed in the registry the ImagePath exists in multiple locations for FltMgr: HKLM\System\ControlSet001\Services\FltMgr, ControlSet002, and CurrentControlSet.
So just change ImagePath to be system32\drivers\chk\fltmgr.sys - nice!
Now do I need to do that in all places or perhaps just CurrentControlSet?
Also, I read that Plugfest used a checked FltMgr and checked NTFS - is that still valid?
You DEFINITELY do NOT want to change it in all places; if you do so and have
a problem that prevents you from booting, you’ll be screwed, because
LastKnownGood will not work.
Good luck,
mm
-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of xxxxx@yahoo.com
Sent: Tuesday, January 25, 2011 10:52 AM
To: Windows File Systems Devs Interest List
Subject: RE:[ntfsd] Using Checked Components
Thanks for the great info!
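The "chk" subdirectory approach Scott describes, combined with mm's point about touching only CurrentControlSet, as an added PowerShell example that is not part of the thread. It assumes an elevated prompt on the test VM and a downloaded checked image at an assumed path (C:\checked\fltmgr.sys); the service name and source path are parameters.

```powershell
# Added example (not from the thread): stage a checked driver image under
# system32\drivers\chk and point ONLY CurrentControlSet's ImagePath at it,
# so the other ControlSetNNN (LastKnownGood) still boots the free image.
param(
    [string]$Service    = 'FltMgr',
    # Assumed location of the checked image you downloaded; adjust as needed.
    [string]$CheckedSrc = 'C:\checked\fltmgr.sys'
)

$drivers = Join-Path $env:SystemRoot 'System32\drivers'
$chkDir  = Join-Path $drivers 'chk'
$svcKey  = "HKLM:\SYSTEM\CurrentControlSet\Services\$Service"
$leaf    = Split-Path $CheckedSrc -Leaf

if (-not (Test-Path $CheckedSrc)) { throw "Checked image not found: $CheckedSrc" }
if (-not (Test-Path $svcKey))     { throw "Service key not found: $svcKey" }

# 1. Stage the checked image in the chk subdirectory. The free image in
#    \drivers is left untouched, so neither WFP nor the TrustedInstaller
#    ACLs on the original file get in the way.
New-Item -ItemType Directory -Path $chkDir -Force | Out-Null
Copy-Item -Path $CheckedSrc -Destination (Join-Path $chkDir $leaf) -Force

# 2. Record the current ImagePath so the change can be reverted later.
$old = (Get-ItemProperty -Path $svcKey).ImagePath
"Old ImagePath: $old"

# 3. Show which ControlSetNNN CurrentControlSet currently maps to and which
#    one LastKnownGood would boot; the latter is the one that must stay free.
$sel = Get-ItemProperty -Path 'HKLM:\SYSTEM\Select'
'CurrentControlSet = ControlSet{0:D3}; LastKnownGood = ControlSet{1:D3}' -f `
    $sel.Current, $sel.LastKnownGood

# 4. Point the service at the checked image. Only CurrentControlSet is
#    written; ControlSet001/002 are deliberately not touched.
$new = "system32\drivers\chk\$leaf"
Set-ItemProperty -Path $svcKey -Name ImagePath -Value $new -Type ExpandString
"New ImagePath: $((Get-ItemProperty -Path $svcKey).ImagePath)"

# To revert:
#   Set-ItemProperty -Path $svcKey -Name ImagePath -Value $old -Type ExpandString
```

If the checked image fails to boot, LastKnownGood restores the untouched control set and the free fltmgr.sys loads again; the kernel and HAL are switched separately via boot.ini or bcdedit as Scott notes, not via a service key.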