Vista – Sp2 0x80073712 Corrupt CBS Manifest

The other day, we had a Vista Service Pack 1 notebook dropped off just to have Service Pack 2 installed.  We ran through some basic hardware tests and virus scans to make sure things were ok; the problem was error code 0x80073712, which means “CBS manifest is corrupted.”  So we ran through the System Update Readiness Tool and SFC, fixing all those errors.  Afterward, the Service Pack installer was still throwing 0x80073712.  So I started looking through the cbs.log and noticed there was an error stating “MissingFileSystemResource” and pointing to a specific file in c:\windows\winsxs.  So I replaced the file from a known good copy of WinSxS, backed up the CBS log, and reran the SP installer; it failed again, but this time the CBS log pointed to a different missing file.

Being semi-lazy when it comes to repeating a process over and over, I wrote a basic batch file to print the missing file from cbs.log, pause while that file is replaced by hand, delete the cbs log (so the next run only shows the next failure), and run the service pack installer.  Here it is (make sure to turn off UAC, to simplify the process; findstr needs the log path as its second argument, and pathToSp2Installer stands for wherever the SP2 executable was copied):

@echo off

rem show the WinSxS file CBS says is missing, then wait while it is replaced by hand
findstr /c:"MissingFileSystemResource" %windir%\logs\cbs\cbs.log

pause

rem start with a fresh log so the next run reports only the next missing file
del %windir%\logs\cbs\cbs.log

pathToSp2Installer\sp2.exe /unattend

So after running this script and replacing 15-20 missing files, the service pack installer started to reboot the system like normal; during the reboot, it would get to “Stage 1 of 3” and fail at 4%; the new error was 0x80070002 “Error_File_Not_Found” when it booted back to Windows.  I checked the CBS log again for guidance on the missing file, but there was no indicator of the missing file.  So I started poking around setupapi.dev.log looking for something wrong.  After blindly paging through many, many pages of setupapi.dev.log, I found an error pointing to a missing file in c:\windows\winsxs.  This time, I replaced the missing file with a known good copy, backed up setupapi.dev.log and reran the service pack installer.  The installer rebooted and failed in the same place; once back in Windows, I searched setupapi.dev.log for the word “fail” and quickly found another single reference to a missing file.  So again, the missing file got replaced, setupapi.dev.log got erased, and the installer reran.  This process went on for two or three more files before I had to leave for the day.

I later realized the easier way to figure out the missing files would have been to compare this corrupt WinSxS to a known good Vista SP1 WinSxS with something like comp.exe or WinMerge.  So in preparation to test my new idea, I used tree on a Vista SP1 virtual machine and redirected the results into a text file.

tree /f /a c:\windows\winsxs > c:\WinsxsSp1.txt

Sadly, before I could test my new process the machine had already been started on an OS reload.  So this idea remains unverified.
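The same idea in one script, as an added example that is not code from the original post: it pulls the WinSxS paths named in cbs.log (the MissingFileSystemResource lines) and in setupapi.dev.log (the “fail” lines) in a single pass, then diffs the live WinSxS against a known-good listing and copies absent files back from a known-good source. The names are assumptions: $GoodListing is a file written by the Export-WinSxSListing function below (one relative path per line, this script's own format rather than the tree output above), and $GoodSource is a healthy SP1 WinSxS of the same architecture, for example a mounted install. Run it elevated.

```powershell
# Added example, not code from the original post (see lead-in for assumptions).
param(
    [string]$GoodListing = 'C:\WinsxsSp1.txt',               # assumed path
    [string]$GoodSource  = 'D:\GoodVistaSP1\Windows\winsxs'   # assumed known-good WinSxS
)

$live = "$env:windir\winsxs"

# One relative path per line; run this once on the healthy machine to make $GoodListing.
function Export-WinSxSListing {
    param([string]$Root = "$env:windir\winsxs", [string]$OutFile)
    $Root = $Root.TrimEnd('\')
    Get-ChildItem -Path $Root -Recurse -Force |
        Where-Object { -not $_.PSIsContainer } |
        ForEach-Object { $_.FullName.Substring($Root.Length + 1) } |
        Sort-Object -Unique |
        Set-Content -Path $OutFile -Encoding UTF8
}

# Log -> line pattern. CBS names the resource on the same line; setupapi only says "fail".
$logPatterns = @{
    "$env:windir\Logs\CBS\CBS.log"     = 'MissingFileSystemResource'
    "$env:windir\inf\setupapi.dev.log" = '(?i)fail'
}

# Every \winsxs\... fragment on a matching line of either log, de-duplicated.
function Get-MissingWinSxSFiles {
    $hits = foreach ($log in $logPatterns.Keys) {
        if (-not (Test-Path $log)) { continue }
        Select-String -Path $log -Pattern $logPatterns[$log] | ForEach-Object {
            foreach ($m in [regex]::Matches($_.Line, '\\winsxs\\[^\s"]+', 'IgnoreCase')) { $m.Value }
        }
    }
    $hits | Sort-Object -Unique
}

# Paths present in the known-good listing but absent from the live WinSxS.
function Compare-WinSxS {
    param([string]$Listing, [string]$Root)
    $Root = $Root.TrimEnd('\')
    $good = Get-Content -Path $Listing
    $here = Get-ChildItem -Path $Root -Recurse -Force |
        Where-Object { -not $_.PSIsContainer } |
        ForEach-Object { $_.FullName.Substring($Root.Length + 1) }
    Compare-Object -ReferenceObject $good -DifferenceObject $here |
        Where-Object { $_.SideIndicator -eq '<=' } |      # in the good listing only
        ForEach-Object { $_.InputObject }
}

'--- Files the logs complain about ---'
Get-MissingWinSxSFiles

'--- Files absent from the live WinSxS versus the known-good listing ---'
$missing = @(Compare-WinSxS -Listing $GoodListing -Root $live)
$missing

# Copy each absent file back, preserving its relative path. WinSxS is owned by
# TrustedInstaller, so expect access denied until ownership/ACLs have been taken.
foreach ($rel in $missing) {
    $src = Join-Path $GoodSource $rel
    $dst = Join-Path $live $rel
    if (-not (Test-Path $src)) { Write-Warning "no known-good copy of $rel"; continue }
    try {
        New-Item -ItemType Directory -Path (Split-Path $dst) -Force | Out-Null
        Copy-Item -Path $src -Destination $dst -ErrorAction Stop
        "restored $rel"
    } catch { Write-Warning "could not restore ${rel}: $_" }
}
```

Two caveats: the diff is only meaningful when both machines are at the same service pack and update level, since every hotfix adds its own WinSxS folders, and the copy-back step deliberately uses a known-good install of the same build rather than files from an arbitrary download, because anything dropped into WinSxS is trusted by servicing from then on.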

The Vista SP1 text document is here.

 

 

Phantom Contact in Hotmail


I had a customer come in with a phantom contact in the “To:” field’s dynamic list.  The weird thing was this contact did not appear in the actual contact list.  After all the typical fixes — resetting IE, clearing cookies, clearing Flash cookies, etc. — I had almost given up when I saw a possible fix on some random questionable forum.  The idea was there was a pending invitation request, and that was the phantom contact.  In this case, it was an invitation from “Sexygirlroom.”  It did turn out to be a pending invitation, which, once declined, caused the phantom contact to disappear.

Here is how to decline/remove the contact:

  • Click “Contacts”
  • Click “View Invitations”
  • Click “Groups”
  • Decline any unwanted invitations. 

 

Adding Microsoft System Sweeper to Custom Windows PE USB stick

Adding Microsoft Standalone System Sweeper to a custom USB drive is no more difficult than creating the initial USB stick.  The most complicated part is keeping track of the BCD descriptions; it is far easier to get them right the first time than to go back and change them, although updating the descriptions is not difficult.

First download the Microsoft Standalone System Sweeper files for both x86 and x64 – https://connect.microsoft.com/systemsweeper is the beta page, which will change eventually.  I ran both executables and created ISOs.  Next, I mounted those ISOs with Virtual CloneDrive and copied the contents to a working directory, such as c:\temp\MSSS_x64.  After both ISOs have been copied to a working directory, some files will need to be copied into the main bootable image.

First, we’ll need to copy boot.wim into our destination image sources directory and rename the file. 

copy c:\temp\msss_x64\sources\boot.wim c:\temp\usb\sources\msss_x64.wim

copy c:\temp\msss_x86\sources\boot.wim c:\temp\usb\sources\msss_x86.wim

We’ll also need to copy FilesList64.dll and mpam-fex64.exe from the x64 source, and FilesList32.dll and mpam-fe.exe from the x86 source.  Just put these in the root of the USB working directory.  Also copy etfsboot_XP.com from the x86 boot directory into the USB boot directory.

[Image: Usbroot]

Example of my Sources directory – Note this usb stick also has a Windows PE x86, Windows Recovery Environment x86 and x64 already added from a previous build.  It also hosts many of the tools I use often, and a Windows 7 x64 WIM file for random deployment situations.

[Image: Sourceswim]

Now that all of our files are in place, we will need to update the BCD store to boot the new System Sweeper images.

First make two copies of the default BCD entry, one per architecture, and take note of the GUID bcdedit prints for each (“The entry was successfully copied to {GUID}.”); those GUIDs are what the /set commands below refer to.

bcdedit /store bcd /copy {default} /d "MSSS x86"

bcdedit /store bcd /copy {default} /d "MSSS x64"

[Image: Createnewbcdstore]

From here, the BCD settings for each new entry must be updated with the path to the MSSS images.  I did this with the following script, since I’m lazy. 

bcdedit /store c:\share\Waik\usb_pe_working\boot\bcd /set {967afa23-91d8-11e0-aea5-005056c00008} device ramdisk=[boot]\sources\msss_x64.wim,{7619dcc8-fafe-11d9-b411-000476eba25f}
bcdedit /store c:\share\Waik\usb_pe_working\boot\bcd /set {967afa23-91d8-11e0-aea5-005056c00008} osdevice ramdisk=[boot]\sources\msss_x64.wim,{7619dcc8-fafe-11d9-b411-000476eba25f}

bcdedit /store c:\share\Waik\usb_pe_working\boot\bcd /set {d36d8608-91d8-11e0-aea5-005056c00008} device ramdisk=[boot]\sources\msss_x86.wim,{7619dcc8-fafe-11d9-b411-000476eba25f}
bcdedit /store c:\share\Waik\usb_pe_working\boot\bcd /set {d36d8608-91d8-11e0-aea5-005056c00008} osdevice ramdisk=[boot]\sources\msss_x86.wim,{7619dcc8-fafe-11d9-b411-000476eba25f}

While I was using Find and Replace to update the GUIDs, I failed to notice that the descriptions pointed to the wrong MSSS images.  So after testing to make sure it worked, I had to go back and rename the BCD entries.

bcdedit /store bcd  /set {d36d8608-91d8-11e0-aea5-005056c00008} description "MSSS x86"

bcdedit /store bcd /set {967afa23-91d8-11e0-aea5-005056c00008} description "MSSS x64"

You’ll need to use diskpart from here to set the partition on the USB drive to active, then copy the files over. 
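The whole BCD step scripted, as an added example that is not code from the original post: each entry is created with bcdedit /copy, the GUID is parsed out of bcdedit's own output, and device, osdevice and description are then set on that same GUID, so the names cannot get crossed the way they did with find-and-replace. Assumptions: the store path is the one from the post, the WIMs sit in \sources on the stick, and {7619dcc8-fafe-11d9-b411-000476eba25f} is the {ramdiskoptions} entry that a WinPE store already carries. Run elevated.

```powershell
# Added example, not code from the original post (see lead-in for assumptions).
param([string]$Store = 'C:\share\Waik\usb_pe_working\boot\bcd')   # assumed path

$RamdiskOptions = '{7619dcc8-fafe-11d9-b411-000476eba25f}'

# Copy {default}, parse "The entry was successfully copied to {guid}." and configure it.
function Add-RamdiskBootEntry {
    param([string]$Store, [string]$Description, [string]$WimPath)
    $out = & bcdedit /store $Store /copy '{default}' /d $Description 2>&1
    $m = [regex]::Match(($out -join ' '), '\{[0-9a-fA-F-]{36}\}')
    if (-not $m.Success) { throw "bcdedit /copy failed: $out" }
    $guid = $m.Value
    $ram  = "ramdisk=[boot]$WimPath,$RamdiskOptions"
    & bcdedit /store $Store /set $guid device      $ram         | Out-Null
    & bcdedit /store $Store /set $guid osdevice    $ram         | Out-Null
    & bcdedit /store $Store /set $guid description $Description | Out-Null
    $guid
}

# Read one setting of one entry back out of the store.
function Get-EntrySetting {
    param([string]$Store, [string]$Guid, [string]$Name)
    $line = & bcdedit /store $Store /enum $Guid | Where-Object { $_ -match "^$Name\s+" }
    if ($line) { ($line | Select-Object -First 1) -replace "^$Name\s+", '' } else { $null }
}

$entries = @(
    @{ Arch = 'x86'; Guid = (Add-RamdiskBootEntry -Store $Store -Description 'MSSS x86' -WimPath '\sources\msss_x86.wim') },
    @{ Arch = 'x64'; Guid = (Add-RamdiskBootEntry -Store $Store -Description 'MSSS x64' -WimPath '\sources\msss_x64.wim') }
)

# Verify: the description and the WIM named in osdevice must agree on the architecture.
foreach ($e in $entries) {
    $desc = Get-EntrySetting -Store $Store -Guid $e.Guid -Name 'description'
    $osd  = Get-EntrySetting -Store $Store -Guid $e.Guid -Name 'osdevice'
    '{0}  {1,-9} {2}' -f $e.Guid, $desc, $osd
    if ($desc -notmatch $e.Arch -or $osd -notmatch "msss_$($e.Arch)\.wim") {
        Write-Warning "description and image disagree on $($e.Guid)"
    }
}
```

The verification loop is the part worth keeping even if the entries are made by hand: bcdedit /enum {GUID} shows one entry, and a description that says x86 next to an osdevice that names msss_x64.wim is exactly the mistake described above.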

Manual updates can be retrieved from the Microsoft Malware Protection Center, if you don’t want to get the updates every time it boots.

Weird Office 2010 Problem of the Week


We had this customer come in this week who was having problems with his Office 2010.  The problem was the Insert Page number galleries would not show up, like in the picture.

[Image: Missingpagenumbergalleries]

It turns out this is caused by the “Built-In Building Blocks.dotx” file being hidden.  After unhiding this file, the galleries will reappear like magic. 

Make sure Word is closed, then from a command prompt:

attrib -h "%userprofile%\AppData\Roaming\Microsoft\Document Building Blocks\1033\14\Built-In Building Blocks.dotx"

Or it can be unhidden from Windows Explorer:

  • Open Windows Explorer
  • Open the Windows Explorer Folder Options (under Tools)
  • Select the “View” tab
  • Select the “Show hidden files, folders, and drives” radio button
  • Click OK
  • Navigate to AppData\Roaming\Microsoft\Document Building Blocks\1033\14
  • Right-click “Built-In Building Blocks.dotx”
  • Uncheck the “Hidden” check box
  • Click OK
  • Go back through Folder Options and re-hide files
  • Done

I would also unhide “Building Blocks.dotx” in the process, if it exists.

Seriously, make sure Word 2010 is closed or changing the hidden attribute will have no effect. 

Final results should look like this picture. 

[Image: Fixedgalleries]

 

Sorry for the crappy screenshots, I didn’t remember to close out the movie I was watching. 

Windows 7 – Hidden Libraries

To unhide hidden libraries in Windows 7 (this outlines unhiding all the libraries, but the same commands apply to an individual one):

1.  Unhide the Libraries directory

attrib -h %userprofile%\AppData\Roaming\Microsoft\Windows\Libraries

2. Unhide all Library Files

attrib -h %userprofile%\AppData\Roaming\Microsoft\Windows\Libraries\*

3. Reboot and all your default libraries should be visible. If not, try again.

Empty Start Menus

Some of the fake security malware in the wild has been moving the Start Menu items to a temporary directory under the user profile.  This has caused us at work some annoyance, since we remove all the temp files before starting a malware removal.  So several times this week we have had to rebuild Start Menus from scratch — which was not fun.

In Windows 7, the Start Menu items are moved to:

  • All Users Items = %userprofile%\AppData\Local\Temp\smtmp\1
  • Current User Items = %userprofile%\AppData\Local\Temp\smtmp\2
  • Desktop Items = %userprofile%\AppData\Local\Temp\smtmp\4

 

Desktop item can be moved or copied back with robocopy:

robocopy %userprofile%\AppData\Local\Temp\smtmp\4 %userprofile%\Desktop /move /a-:h

All Users can be moved with:

robocopy %userprofile%\AppData\Local\Temp\smtmp\1 "c:\ProgramData\Microsoft\Windows\Start Menu" /move /a-:h

Current Users:

robocopy %userprofile%\AppData\Local\Temp\smtmp\2 "%userprofile%\AppData\Roaming\Microsoft\Windows\Start Menu" /move /a-:h

Of course, /move can be dropped to copy the files back to the correct locations instead of moving them, and /e should be added in either case so that the Programs subfolders and their contents come along too (without /s or /e, robocopy only handles the top-level directory). I've been using /a-:h to remove the hidden attribute, since a few times the files have been hidden too.

I have not seen the Start Menu get moved in Windows XP yet; however, the paths will be very similar:

  • All Users Items = %userprofile%\Local Settings\Temp\smtmp\1
  • Current User Items = %userprofile%\Local Settings\Temp\smtmp\2
  • Desktop Items = %userprofile%\Local Settings\Temp\smtmp\4
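The restore for all three folders in one pass, as an added example that is not code from the original post: it walks %TEMP%\smtmp, moves (or, with -Copy, copies) every item back to its home keeping the Programs subfolder layout, and strips the Hidden and System attributes as it goes. The folder numbers 1, 2 and 4 and the Windows 7 destinations are the post's; for XP the script assumes the standard locations (%ALLUSERSPROFILE%\Start Menu and %USERPROFILE%\Start Menu). Run it as the affected user, elevated so the All Users Start Menu is writable, and before any temp-file cleanup.

```powershell
# Added example, not code from the original post (see lead-in for assumptions).
$smtmp = Join-Path $env:TEMP 'smtmp'   # %LOCALAPPDATA%\Temp on 7, Local Settings\Temp on XP

if ($env:ProgramData) {                    # Vista / 7
    $allUsers = Join-Path $env:ProgramData 'Microsoft\Windows\Start Menu'
    $curUser  = Join-Path $env:APPDATA     'Microsoft\Windows\Start Menu'
} else {                                    # XP (assumed standard locations)
    $allUsers = Join-Path $env:ALLUSERSPROFILE 'Start Menu'
    $curUser  = Join-Path $env:USERPROFILE     'Start Menu'
}
$targets = @{
    '1' = $allUsers
    '2' = $curUser
    '4' = Join-Path $env:USERPROFILE 'Desktop'
}

# Move (or copy, with -Copy) everything under $Source to $Destination, keeping the
# relative layout and clearing Hidden/System; returns the number of files restored.
function Restore-StartMenuItems {
    param([string]$Source, [string]$Destination, [switch]$Copy)
    if (-not (Test-Path $Source)) { return 0 }
    $Source = (Resolve-Path $Source).Path.TrimEnd('\')
    # snapshot first so moving files does not disturb the enumeration
    $items = @(Get-ChildItem -Path $Source -Recurse -Force)
    $count = 0
    foreach ($item in $items) {
        $rel = $item.FullName.Substring($Source.Length + 1)
        $dst = Join-Path $Destination $rel
        if ($item.PSIsContainer) {
            New-Item -ItemType Directory -Path $dst -Force | Out-Null
            continue
        }
        New-Item -ItemType Directory -Path (Split-Path $dst) -Force | Out-Null
        if ($Copy) { Copy-Item -Path $item.FullName -Destination $dst -Force }
        else       { Move-Item -Path $item.FullName -Destination $dst -Force }
        # Hidden (sometimes System too) is what made the shortcuts vanish; leave only Archive.
        (Get-Item -Path $dst -Force).Attributes = [IO.FileAttributes]::Archive
        $count++
    }
    $count
}

foreach ($n in ($targets.Keys | Sort-Object)) {
    $restored = Restore-StartMenuItems -Source (Join-Path $smtmp $n) -Destination $targets[$n]
    'smtmp\{0} -> {1}: {2} file(s)' -f $n, $targets[$n], $restored
}
```

Once the counts look right, the now-empty smtmp tree can go with the rest of the temp cleanup; until then it is the only copy of those shortcuts.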

Windows Update – 0x80070005 and 0x80070002

We’ve been seeing a ton of 0x80070005 (Access Denied) and 0x80070002 (File Not Found) from Windows Update lately.  Most of it seems to stem from the malware floating around right now, hiding user files and system files.  Most of the time, unhiding %systemroot% seems to fix both issues.  I can understand why unhiding the directory fixes “File Not Found,” but am a little perplexed why it fixes Access Denied too.  I suspect we may be changing something else at the same time, but for the life of me cannot remember the other thing.

The command we have been using to unhide C:\windows is (from an Admin cmd prompt):

attrib -s -h %systemroot% /s /d

Note that with /s /d this strips the System and Hidden attributes from every file and folder under Windows, including ones that are legitimately marked that way (desktop.ini and the like), so it is a blunt fix meant for machines where the whole tree was hidden rather than a routine cleanup step.

This command also works for unhiding the user profile data hidden by the malware floating around right now.

attrib -s -h c:\users\UserName /s /d

Win 7 – Cannot download files from Internet

We had this Windows 7 x64 computer come in for a malware removal, and it was not able to download files using Internet Explorer 9.  We cleaned out all the malware, and when I came in the next morning, it was running updates from Windows Update.  Shortly after I came into work, Windows Update threw error 1606.  I also noticed standalone updates would install fine, but some Microsoft installers would just hang and never install anything.

I started checking through Microsoft KB886549 and checking the registry keys; I would have used the Microsoft Fix It, but being unable to download anything made that not possible.  Luckily, the broken registry key was near the top of the list – HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\AppData
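Walking that KB article's list by hand is slow, so here is the check scripted, as an added example that is not code from the original post: it reads the HKCU User Shell Folders values unexpanded, compares them with the stock values of a fresh Windows 7 profile (the list below is what a default profile carries; it is the script's assumption, not something the post enumerates), checks that each expanded path actually exists, and with -Repair writes the defaults back as REG_EXPAND_SZ. A redirected AppData or Startup here is also a persistence trick, which is why every entry is checked rather than just the one that was broken in this case.

```powershell
# Added example, not code from the original post (see lead-in for assumptions).
param([switch]$Repair)

$key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders'

# Stock values on a fresh Windows 7 profile (assumed baseline), stored as REG_EXPAND_SZ.
$expected = @{
    'AppData'       = '%USERPROFILE%\AppData\Roaming'
    'Local AppData' = '%USERPROFILE%\AppData\Local'
    'Desktop'       = '%USERPROFILE%\Desktop'
    'Personal'      = '%USERPROFILE%\Documents'
    'Favorites'     = '%USERPROFILE%\Favorites'
    'Start Menu'    = '%USERPROFILE%\AppData\Roaming\Microsoft\Windows\Start Menu'
    'Programs'      = '%USERPROFILE%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs'
    'Startup'       = '%USERPROFILE%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup'
    'Templates'     = '%USERPROFILE%\AppData\Roaming\Microsoft\Windows\Templates'
    'Recent'        = '%USERPROFILE%\AppData\Roaming\Microsoft\Windows\Recent'
    'SendTo'        = '%USERPROFILE%\AppData\Roaming\Microsoft\Windows\SendTo'
    'Cookies'       = '%USERPROFILE%\AppData\Roaming\Microsoft\Windows\Cookies'
    'Cache'         = '%USERPROFILE%\AppData\Local\Microsoft\Windows\Temporary Internet Files'
    'History'       = '%USERPROFILE%\AppData\Local\Microsoft\Windows\History'
}

# Returns one line per value that is missing, differs from the baseline, or points
# at a folder that does not exist; optionally rewrites those values.
function Test-UserShellFolders {
    param([switch]$Repair)
    $k = Get-Item -Path $key
    $problems = @()
    foreach ($name in ($expected.Keys | Sort-Object)) {
        # read the unexpanded string so %USERPROFILE% is compared literally
        $raw = $k.GetValue($name, $null, [Microsoft.Win32.RegistryValueOptions]::DoNotExpandEnvironmentNames)
        $matches = ($raw -eq $expected[$name])
        $exists  = if ($raw) { Test-Path ([Environment]::ExpandEnvironmentVariables($raw)) } else { $false }
        if (-not $matches -or -not $exists) {
            $problems += "{0,-14} current='{1}' expected='{2}' exists={3}" -f $name, $raw, $expected[$name], $exists
            if ($Repair) {
                Set-ItemProperty -Path $key -Name $name -Value $expected[$name] -Type ExpandString
            }
        }
    }
    $problems
}

$result = Test-UserShellFolders -Repair:$Repair
if ($result) { $result } else { 'User Shell Folders match the Windows 7 defaults.' }
```

Explorer and the Windows Installer service read these values at start, so log off and back on after a repair before retrying the update that failed with 1606.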

Windows 7 – Cannot change wallpaper or theme

We were almost finished with this malware removal.  Everything was clean and repaired, except the wallpaper and theme could not be changed.  Not totally true: we could go into the display settings and select new items, but they would not change from the default theme with a black background.

The registry value HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop\NoChangingWallpaper was non-existent, as it should be on a standard install of Windows.  If this value is set, deleting it will allow the wallpaper to be changed again.

The next option was to delete %userprofile%\AppData\Roaming\Microsoft\Windows\Themes\TranscodedWallpaper.jpg and %userprofile%\AppData\Roaming\Microsoft\Windows\Themes\slideshow.ini.  Initially, after deleting these files, the wallpaper and theme still would not change; however, after clicking through several different themes, everything went back to normal.

Windows 7 – Autoplay does not work

Symptom:  CDs, DVDs, and USB drives do not AutoPlay, and the context menus in Explorer do not have any AutoPlay options.  All AutoPlay settings in Control Panel are turned on and all registry keys are correct.

Cause: the Shell Hardware Detection service is set to either Disabled or Manual.

The easy way to check whether the Shell Hardware Detection service is the issue is to open services.msc and look at its Startup Type, or use an administrative command prompt.

To check in the command prompt (sc query only reports whether the service is currently running; the startup type comes from sc qc):

sc qc shellhwdetection | find "START_TYPE"

If START_TYPE is DISABLED or DEMAND_START (Manual), the service needs to be reset to the correct setting.  While still in the command prompt run the following (sc requires the space after start=):

sc config shellhwdetection start= auto
sc start shellhwdetection

This resets the service back to Automatic and starts it.

It took several hours of hunting through AutoPlay registry keys, SFC results, error logs, and systematically removing software to figure this out.  If this does not work, then check the following registry values:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutorun
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutorun

On my Windows 7 system the HKLM value is set to 0xFF; I haven’t noticed any major issues, but for those who can’t get around without AutoPlay, the recommended value is 145 (0x00000091).  The value is a bitmask of drive types to exclude from autorun: 0x91 covers only unknown (0x01), network (0x10) and reserved (0x80) drive types, while 0xFF disables it for every drive type, removable and optical included.  This value is not necessary, so it can be deleted on Windows 7 and Vista.

Both of these values can easily be checked from a standard command prompt, though they cannot be modified without administrator rights:

Check the values:
reg query HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoDriveTypeAutorun
reg query HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoDriveTypeAutorun

To change the values:
reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoDriveTypeAutorun /t REG_DWORD /d 0x00000091 /f
reg add HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoDriveTypeAutorun /t REG_DWORD /d 0x00000091 /f

To delete the values:
reg delete HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoDriveTypeAutorun /f
reg delete HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoDriveTypeAutorun /f
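The two checks together, as an added example that is not code from the original post: it reports the ShellHWDetection start type (the thing that actually broke here) and the NoDriveTypeAutorun policy in both hives, decoding the bitmask per drive type so a value like 0x91 or 0xFF is readable at a glance. The bit meanings are the documented drive-type bits of that policy; the service repair under -Fix is the one described above, and the policy values are only reported, never changed.

```powershell
# Added example, not code from the original post (see lead-in for assumptions).
param([switch]$Fix)

# Drive-type bits of NoDriveTypeAutorun (documented policy bitmask).
$driveTypeBits = @(
    @{ Bit = 0x01; Name = 'unknown' },
    @{ Bit = 0x02; Name = 'no root directory' },
    @{ Bit = 0x04; Name = 'removable (USB, floppy)' },
    @{ Bit = 0x08; Name = 'fixed disk' },
    @{ Bit = 0x10; Name = 'network' },
    @{ Bit = 0x20; Name = 'CD/DVD' },
    @{ Bit = 0x40; Name = 'RAM disk' },
    @{ Bit = 0x80; Name = 'reserved' }
)

function Get-AutorunDisabledTypes {
    param([int]$Mask)
    $driveTypeBits | Where-Object { $Mask -band $_.Bit } | ForEach-Object { $_.Name }
}

# One line describing the policy in the given hive ('HKCU' or 'HKLM').
function Get-NoDriveTypeAutorun {
    param([string]$Hive)
    $p = "${Hive}:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
    $v = (Get-ItemProperty -Path $p -Name NoDriveTypeAutorun -ErrorAction SilentlyContinue).NoDriveTypeAutorun
    if ($null -eq $v) { return "$Hive NoDriveTypeAutorun: not set" }
    $types = (Get-AutorunDisabledTypes -Mask $v) -join ', '
    "$Hive NoDriveTypeAutorun = 0x{0:X2}: autorun disabled for {1}" -f $v, $types
}

# The start type is the thing to check, not whether the service happens to be running.
$svc = Get-WmiObject -Class Win32_Service -Filter "Name='ShellHWDetection'"
'ShellHWDetection: StartMode={0} State={1}' -f $svc.StartMode, $svc.State
if ($svc.StartMode -ne 'Auto') {
    Write-Warning 'ShellHWDetection is not Automatic; AutoPlay and its Explorer context entries depend on it.'
    if ($Fix) {
        Set-Service -Name ShellHWDetection -StartupType Automatic
        Start-Service -Name ShellHWDetection
    }
}

Get-NoDriveTypeAutorun -Hive 'HKCU'
Get-NoDriveTypeAutorun -Hive 'HKLM'
```

Reading the decoded output is the useful part: 0x91 leaves removable and optical media enabled, which is convenient on a workbench but is also why 0xFF is the value hardening guides ask for.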