Making a Windows 2000/XP Hardware Independent Ghost Image

About a year and a half ago I was a part of a 3-member team whose mission it was to create a standard Windows 2000 image for our desktops. The company was currently running Windows 98 SE as a desktop standard. There was a base image and an image for each department and it was messy, real messy! We sat down and discussed what services to leave enabled or disabled, what to include in the default user profile, etc. on the new image. When we were done the image was a beautiful thing. Even though we wrote documentation on everything we did, there are always things that get missed. We had a total of 12 Ghost images: 4 for PCs, 6 for laptops (3 with wireless drivers and 3 without) and 2 specialty Ghost images. In January 2005 we merged with another company. This company had about 8 Ghost images, bringing the total number of company Ghost images to 20! Under the new management they wanted the patch levels on each image maintained every month! Before that, we were just using SMS 2003 to maintain the patch level of the workstation. You would image a box and then SMS 2003 would push down the new patches. Try calculating the time it takes to open an image, run the patches on it, verify the patch installation with MBSA, do application testing on the image to make sure the patches didn’t break anything and finally reseal the image. Now take that calculation times 20. You could easily justify a full-time position just for this task!

Not wanting to update 12 images each month I decided to make a hardware independent image for Windows 2000. When I was done, I got it down to 4 images: 1 base and 3 specialty images! Since the base image was used 95% of the time for new machines I could take time to get the other ones updated. It took me 3 solid weeks hunting all over the Internet and ghosting countless machines to get it all working. The documentation I wrote for doing this is on my web page here. Just last month I started a new job at another company and again saw images for each individual piece of hardware. Time to test my skills once again!

The desktop platform at the new company is Windows XP Professional. Here’s one “problem” I found with my instructions. Under the section Finding the IDE Driver Used To Setup [SysprepMassStorage] I stated to search for 82801DB in the INF files you extract from the Intel Chipset setup. Well, I was working on a Dell Optiplex 280 and the image was giving a STOP 0x7B message at startup. I had included support for the IDE chipset driver, but it still wouldn’t work. I went back to the INF file and look what I found:

PCI\VEN_8086&DEV_2651.DeviceDesc="Intel(R) 82801FB Ultra ATA Storage Controllers - 2651"
PCI\VEN_8086&DEV_2652.DeviceDesc="Intel(R) 82801FB Ultra ATA Storage Controllers - 2652"
PCI\VEN_8086&DEV_2653.DeviceDesc="Intel(R) 82801FBM Ultra ATA Storage Controllers - 2653"
PCI\VEN_8086&DEV_266F.DeviceDesc="Intel(R) 82801FB/FBM Ultra ATA Storage Controllers - 266F"

Multiple versions of the 82801FB! Obviously, I had picked the wrong one, but which was the right one? We can solve this little problem by using PCI32. This is a freeware program made by Craig Hart that has 15,000+ PCI devices in its database. I’ll use my home PC as an example:

Vendor 8086h Intel Corporation
Device 24CBh 82801DB/DBL (ICH4/ICH4-L) UltraATA/100 EIDE Controller
Command 0007h (Memory Access, BusMaster, )
Status 0280h (Medium Timing, )
Revision 02h, Header Type 00h, Bus Latency 00h
Self test 00h (Self test not supported)
PCI Class Storage, type IDE
PCI EIDE Controller Features :
BusMaster EIDE is supported
Primary Channel is at I/O Port 01F0h and IRQ 14
Secondary Channel is at I/O Port 0170h and IRQ 15
Subsystem ID 80891043h Unknown
Subsystem Vendor 1043h ASUSTeK Computer Inc
Address 0 is an I/O Port : 00000000h
Address 1 is an I/O Port : 00000000h
Address 2 is an I/O Port : 00000000h
Address 3 is an I/O Port : 00000000h
Address 4 is an I/O Port : 0000F000h
Address 5 is a Memory Address (anywhere in 0-4Gb) : FEBFB400h
System IRQ 9, INT# A

If you can read the second line it says:

Device 24CBh 82801DB/DBL (ICH4/ICH4-L) UltraATA/100 EIDE Controller

That’s what we want. In the case of the Dell Optiplex 280 it was the 266F one: go figure! Incidentally, we can use PCI32 for much cooler things like updating a universal network boot disk! Or finding that pesky model number without cracking the case. In the case of the Dell Optiplex 620 I found that it had 2 different versions of the same chipset on the same board! So make sure you include support for whatever is in the computer.
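The lookup described above can be scripted. The following is an added example, not part of the original instructions: it reads the storage controllers out of a PCI32-style report, matches their vendor/device IDs against the INF's DeviceDesc lines, and lists any controller the INF does not cover. The report, the `FFFF` device and the INF path are constructed placeholders.

```python
import re

# Constructed sample: DeviceDesc lines in the form of the Intel chipset INF quoted above.
INF_STRINGS = r'''
PCI\VEN_8086&DEV_2651.DeviceDesc="Intel(R) 82801FB Ultra ATA Storage Controllers - 2651"
PCI\VEN_8086&DEV_2652.DeviceDesc="Intel(R) 82801FB Ultra ATA Storage Controllers - 2652"
PCI\VEN_8086&DEV_2653.DeviceDesc="Intel(R) 82801FBM Ultra ATA Storage Controllers - 2653"
PCI\VEN_8086&DEV_266F.DeviceDesc="Intel(R) 82801FB/FBM Ultra ATA Storage Controllers - 266F"
'''
# Constructed PCI32-style report (not a real machine): two storage controllers, one other device.
PCI32_REPORT = '''
Vendor 8086h Intel Corporation
Device 266Fh constructed storage controller entry
PCI Class Storage, type IDE
Subsystem Vendor 1043h ASUSTeK Computer Inc
Vendor 8086h Intel Corporation
Device FFFFh constructed non-storage entry
PCI Class Network, type Ethernet
Vendor 8086h Intel Corporation
Device 24CBh 82801DB/DBL (ICH4/ICH4-L) UltraATA/100 EIDE Controller
PCI Class Storage, type IDE
'''
INF_PATH = r"%SystemDrive%\drivers\ide\PLACEHOLDER.inf"  # hypothetical location

INF_RE = re.compile(r'^PCI\\VEN_([0-9A-F]{4})&DEV_([0-9A-F]{4})\.DeviceDesc="(.*)"$', re.I | re.M)

def inf_devices(inf_text):
    """Map (vendor, device) -> description for every DeviceDesc line in the INF."""
    return {(v.upper(), d.upper()): desc for v, d, desc in INF_RE.findall(inf_text)}

def storage_controllers(report):
    """Return (vendor, device) for each device block whose PCI class is Storage."""
    found, vendor, device = [], None, None
    for line in report.splitlines():
        if m := re.match(r'\s*Vendor ([0-9A-F]{4})h', line, re.I):
            vendor, device = m.group(1).upper(), None   # a new device block starts here
        elif m := re.match(r'\s*Device ([0-9A-F]{4})h', line, re.I):
            device = m.group(1).upper()
        elif re.match(r'\s*PCI Class Storage', line) and vendor and device:
            found.append((vendor, device))
    return found

def sysprep_entries(report, inf_text, inf_path):
    """Return ([SysprepMassStorage] lines, hardware IDs the INF does not cover)."""
    known, entries, missing = inf_devices(inf_text), [], []
    for ven, dev in storage_controllers(report):
        hwid = f"PCI\\VEN_{ven}&DEV_{dev}"
        if (ven, dev) in known:
            entries.append(f"{hwid}={inf_path}")
        else:
            missing.append(hwid)   # booting this controller from the image risks STOP 0x7B
    return entries, missing
```

Any ID returned in the second list needs its own driver INF added before the image is sealed.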

The other problem I ran into again was the HAL issue. I commented out the following line in my sysprep.inf:


Upon trying the image on a Dell Latitude D620 I was greeted with a message from Windows stating there was a hardware problem and did I want to start Windows. If I answered yes it would BSOD and then reboot before I could even read the message! If you hit F5 right after you pick “Start Windows XP” it will give you an option to “Disable Automatic Restarting on System Failure”. Way to go Microsoft! I saw it was a stop 0x7B message. I checked the IDE setup in the [SysprepMassStorage] section and saw that it was set up correctly. Having gone through this once before I guessed it was a HAL issue and I was right. By uncommenting the above line and changing WINNT to WINDOWS the image came right up. This line forces the HAL from a Uniprocessor HAL to ACPI HAL. What is the difference between these two HALs? I have no idea, but functionally they appear to be the same! I have yet to find a good explanation: does anyone have one?

Making a hardware independent image is big business. The original makers of Ghost made a program called the Universal Imaging Utility. They want $19 per workstation for what we did here. Granted, it’s a drop and go solution, but with enough patience you can get a very similar result with my instructions. In fact, if you want your image to support gobs of hardware you can head over to the Device Drivers subforum over at MSFN and pick up their Driver Packs, which include support for virtually everything in existence. Note that the Driver Packs are for Windows XP only.

Incidentally, Microsoft claims to solve all this in Windows Vista by using a program called Ximage. Among the cool features it lists:

  • This WIM image format is hardware-agnostic, meaning that you need only one image to address many different hardware configurations.
  • The WIM image format allows you to service an image offline. You can add or delete certain operating system components, patches, and drivers without creating a new image.
  • The WIM image format allows for non-destructive deployment. This means that you can leave data on the volume to which you apply the image because the application of the image does not erase the disk’s existing contents.

Time will tell if Ximage makes it to the final build of Vista! Let’s make sure that it does.

– Soli Deo Gloria

Congratulations Matty!

This post is dedicated to Matt: my co-worker at my last job. He just found another job and I am very happy for him. Matt is very technical and thorough in solving computer problems. He single-handedly rebuilt an NT 4.0 box that died in the cancer department and brought up the cancer software on a Windows 2000 machine with little to no documentation or media. He was also the administrator of our form routing server and tape backup man. He was also great in getting us to Windows 2000 from Windows 98 SE as a desktop standard for various departments. Hey Matt, you remember the Decision Support upgrade? Wow, what a pain that was! Oh what fun it is to convert a 10 year old program using scripts programmed by God knows who dumping data into a mainframe. However, Matt did it.

  • Remember “Pizza Thursdays” in the cafe?
  • Hitting the golf ball just right into the 1970’s golf ball returner?
  • Videos from Ebaumsworld?
  • A. Vicious?
  • Formscape?
  • People also calling me Matt and you Adam?
  • Throwing rubber balls at people’s heads?

All the best to you buddy.

– Soli Deo Gloria

The Beginning

Well, not really. I’ve been posting on news groups (USENET) since 1996 and was on FIDONet back in 1995 (remember the BBS days?). I’ve always found it fascinating how the Internet allows people to exchange information. What prompted me to start a blog was Mark Russinovich starting one here. To see what kind of geek I am you can check out my web page.

To start off this blog I’ll describe how I fixed an Excel upgrade problem yesterday. I was assigned a task of upgrading Excel 2000 to Excel 2002 on a PC running Windows XP Professional. Easy, right? Upon installing it and testing it as myself it worked fine. The next day the user called me stating it was crashing. Indeed, it was crashing quite hard. The application seemed fine until you went to File>Open and then it went to never-never land. Since it worked as me this boiled it down to a permissions or NT profile issue. I reved him back to Excel 2000 which surprisingly worked fine. The next day I went back to reinstall Excel 2002 and check things out while the user was at a meeting. Upon checking the local administrator’s group I saw that the user was already an administrator on the machine, thus eliminating a permissions issue.

I then started up Filemon, which is an excellent little freeware utility by our friends at Sysinternals. I set up a filter in Filemon to just show me the excel.exe entries. The last file it read was C:\windows\system32\davclnt.dll. I decided for fun to rename this file to see if that would fix the problem. Of course, this action was not really logical… after all, it would have used the same file logged in as me, right? Anyway, I renamed the file and the file appeared back within seconds. Drats! Windows File Protection (WFP) rears its ugly head. Introduced in Windows 2000, WFP protects critical Windows system files by looking for changes. If you touch a critical file by renaming, deleting, or overwriting it, Windows copies the “good file” from a secret folder called dllcache. For a while you could disable WFP by setting “SFCDisable” to FFFFFF9D in the registry. However, Microsoft later removed this feature with their service packs for Windows 2000 and XP.

To get around this you can hex edit the sfc_os.dll file. However, this didn’t work for me and is a bit messy. I like using XP Lite for this purpose. There is a trial version available for download that the author states “is yours to keep!”. In the trial version there is an option to turn WFP On, Off or to Disable it. So I can turn it off, do my dirty work and when I reboot, WFP turns itself back on. Well, getting back to davclnt.dll: renaming it did not work. I started to think the problem was in the HKEY_CURRENT_USER (HKCU) part of the registry (logged in as that user of course). So I started up Regmon, this time pausing it just before I went to File>Open. I then saw something interesting. Under HKCU\Network there was a bunch of drive mappings and one of those mappings was pointing to a bogus server! I exported this key out (always export trees before you start deleting them!) and then deleted it. Tada, problem solved!
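The same check can be run against the exported key before anything is deleted. This is an added example, not part of the original post: it parses a regedit text export of HKCU\Network and reports the drive letters whose server fails a name-resolution check. The export contents and server names are constructed, and `resolves` is a caller-supplied function.

```python
import re
import socket

# Constructed export of HKCU\Network in regedit 5.00 text form; server names are made up.
# Real exports are UTF-16: read them with open(path, encoding="utf-16").
REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Network]

[HKEY_CURRENT_USER\Network\H]
"RemotePath"="\\\\fs01.example.test\\home"
"ProviderName"="Microsoft Windows Network"

[HKEY_CURRENT_USER\Network\S]
"RemotePath"="\\\\oldserver.example.test\\shared"
"ProviderName"="Microsoft Windows Network"
'''

KEY_RE = re.compile(r'\[HKEY_CURRENT_USER\\Network\\([A-Za-z])\]')
VALUE_RE = re.compile(r'"RemotePath"="(.*)"')

def mapped_drives(reg_text):
    """Return {drive letter: UNC path} for each persistent mapping in the export."""
    drives, letter = {}, None
    for line in (raw.strip() for raw in reg_text.splitlines()):
        if m := KEY_RE.fullmatch(line):
            letter = m.group(1).upper()
        elif line.startswith('['):
            letter = None                      # some other key: stop collecting values
        elif letter and (m := VALUE_RE.fullmatch(line)):
            drives[letter] = m.group(1).replace('\\\\', '\\')   # undo .reg escaping
    return drives

def server_of(unc):
    """Extract the lower-cased server name from a UNC path."""
    return unc.lstrip('\\').split('\\', 1)[0].lower()

def dns_resolves(host):
    """Default check for live use: does the server name resolve at all?"""
    try:
        socket.getaddrinfo(host, 445)
        return True
    except socket.gaierror:
        return False

def stale_mappings(reg_text, resolves=dns_resolves):
    """Return the mappings whose server fails the resolves(hostname) check."""
    return {d: p for d, p in mapped_drives(reg_text).items() if not resolves(server_of(p))}
```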

Now the interesting question is: why didn’t this happen with Excel 2000? Who knows. In this instance deleting the user’s NT profile may have been quicker. However, I’ve only been at this company for a month and therefore I am not well versed with all desktop standards. Besides, the user was gone and his NTUSER.DAT file was 4MB: that’s a lot of information to just throw away!

That’s it for now. Look for an upcoming article on making hardware independent ghost images for Windows 2000 and XP.