UIU Blog

Technical issues deploying 32-bit operating systems to modern hardware

WinPE technical limitations – Memory Allocation

The UIU functions within WinPE in order to accomplish the daunting task of providing drivers on-the-fly to any make/model of business class PC. In order to accomplish this, the UIU requires access to the registry hive of the target PC from within WinPE. Occasionally, situations present themselves wherein the limitations of hardware architectures and components conspire to prevent proper execution of processes in WinPE.

Problem Description:

When attempting to mount an offline registry hive for a 32-bit OS image (at least through Win10 1703), (which requires WinPEx86), on hardware that has more than 4Gb of RAM installed, the allocation of memory blocks can be insufficient to mount the entire registry hive which causes part of the registry to be written to memory locations that cannot be properly addressed. Upon dismounting the offline registry hive, the part of the hive that was written to those locations will be truncated which results in a corrupted registry, and a BSOD upon reboot. The issue is seen on primarily (but not limited to) newer, 64-bit designed hardware.

What is really going on?

In particular instances, the following variables may combine to affect the mounting of an offline 32-bit OS registry hive into RAM while operating in WinPE:

• RAM type
• RAM quantity
• RAM configuration
• RAM block utilization

In effect, if there are insufficient contiguous blocks of RAM to hold the mounted offline registry hive, the data is truncated and no error is presented at the time. After reboot, when windows attempts to mount the registry, the corrupted registry causes a system halt and subsequent BSOD. In the case of the UIU, the truncated mount also inhibits the UIU’s ability to determine necessary details of the target machine required to function as designed, culminating in a failed UIU-prepared deployment of the 32-bit OS to the target hardware.


This is a known issue with WinPE:

Win2008R2/Win7: STOP 0xF4 during Task Sequence / OS Deployment




In the instances where this issue is encountered, given the limitations of the x86 architecture, the UIU can only offer the following resolutions at this time:

Potential Resolutions:

• Remove all but 4Gb RAM from the offending hardware
• Utilize native SCCM driver inclusion technology with customized UIU driver packages (provided by UIU Support)
• Install/deploy a 64-bit OS version

Please contact UIU Support for additional details.

In an era where we are all sensitive to computing security issues, whether it be from foreign powers, internal leaks, or from nefarious hackers, we are increasingly bombarded with media reports about new and seemingly disastrous computer security vulnerabilities. Some of these threats are very real and some are a bit of a hyperbole. The reality of the situation is that each of these potential vulnerabilities must be assessed objectively for the impact that they may actually have on an organization or individual.

For example, in 2017 when Equifax was breached and 145.5 million Americans’ personal information was exposed, the alleged culprit was a flaw in a design tool used to build web sites. The flaw was reported months before the attack. This is an example of a very real vulnerability resulting in very real losses.

In another example, the KRACK wi-fi vulnerability, widely covered in the media, would allow malevolent parties to eavesdrop on the datastream when a device was connected to public wi-fi connections. This vulnerability seems very serious and indeed potentially could be. It must be stated that the reality of the situation is that devices are connected to various unknown or unsecured wi-fi routers on a regular basis without concern for the potential of exposed datastreams. Notably, the vulnerability could also be used to interject code, presumably malware, into unprepared websites in order to infect machines (think ransomware). However, an attacker would need to be within range of the targeted wi-fi network. This greatly diminishes the potential for damage in many cases. Also, the network traffic could be eavesdropped upon only if it is not encrypted (think HTTPS or VPN). So, is the vulnerability real? Yes. Is it serious? Well, it could be. If network services are sufficiently protected/encrypted, the risk is ultimately rather low.

That brings us to the “keylogger” issue. Its name and description would lead us to believe that it is very dangerous, particularly when combined with other attacks designed to transfer the logged results of the keylogging to a nefarious party. In May of 2017, HP released an audio driver that contained the keylogger vulnerability. Again in December of 2017 HP released a touchpad driver that contained the same or similar vulnerability. The same questions apply. Is the vulnerability real? Yes. Is it serious? It could be. Again, if network services, particularly access to the logged results, are sufficiently protected, the risk is low. In the case of the touchpad driver, Synaptics claims that the keylogger feature is part of a “debug tool”:

”The debug tool cannot be turned on or used except by a person with Admin access and special developer tools. When turned on, the debug tool collects data in a proprietary binary format for a rolling memory buffer that gets either overwritten or deleted every time a power event happens.”


That said, of course all of these vulnerabilities should be remediated. By the same token, steps should be taken, or in some cases should have been taken, to secure local access to machines and to secure communications over business (and public) networks. I know, I know… Mistakes happen; things get missed. We all do our best. On that note, Big Bang LLC takes each of these matters seriously when they are reported. We do our very best to insure that the drivers that are delivered with the UIU are the most recent and secure versions available from component manufacturers and OEMs. We encourage all of our customers to bring potentially vulnerable drivers to our attention so that we may update or eliminate them from consideration by the UIU.

Reports of potentially vulnerable drivers may be submitted to UIU Support.

Factors:

• Yoga model laptops
• Windows 7x64
• SCCM Current Branch
• Domain Join
• USB3 Ethernet dongle

Summary:

When deploying Windows 7 x64, particular Lenovo Yoga models do not successfully initialize the USB3 Ethernet dongle driver in time for the Join Domain function to succeed during mini-setup, resulting in a failure to join the domain.

Testing:

Big Bang Support has run a myriad of tests to isolate the USB3 driver, the Lenovo dongle driver, other dongle drivers, SCCM (Current Branch) Task Sequence settings, and hardware/BIOS settings.

Results:

• The drivers (USB3 and dongle) appear to install correctly in any case.
• Non-Yoga models succeed in joining the domain (manually, through MDT, and through SCCM) each time.
• Yoga models succeed in joining the domain when their BIOS (USB Boot) is set to disable USB3. (This is an expected result with Windows 7 as it is known to have some difficulties in general with USB3). Unfortunately, this disables USB3 support.
• Incidental – the Yoga docking station will not PXE when the BIOS (USB Boot) is set to auto USB3. (Expected behavior according to Lenovo)
• Various forums have revealed that this issue, (among others), appear to plague these models…

Conclusions:

Based on our findings, (for the Yoga series laptops specifically):

• These models contain a proprietary set of on-board USB3 components, (presumably to accommodate the unique docking station connector).
• These models appear to require an extended time period in order to install and initialize the USB3 hub and subsequently the USB Ethernet dongle.
• In fact, when we manually installed the dongle driver (in WinPE), it took about 3½ minutes to simply install, which is an exceptionally long time to load. This is evidence that this is a hardware-related, timing issue.

Proposed Solution:

Add an additional Join Domain or Workgroup step to the SCCM task sequence (TS). Add the task post mini-setup; directly after the Setup Windows and Configuration task in the Setup Operating System group. This task will make an additional attempt to join the domain in the event that the mini-setup initiated join fails. Again, in the specific case of this hardware, it will attempt to join the domain after a sufficient amount of time has passed and the dongle driver (with its unusually long installation period) has successfully installed and initialized.

Other solutions researched purported to accomplish the desired effect though scripting and other complicated configurations that required creating packages specific to the Yoga hardware, (which may interfere with other makes/models).

Upon testing this procedure in SCCM Current Branch, we found that the Yoga tablet/laptop will successfully join the domain when the BIOS (USB Boot) is set to auto USB3.

Additional Information:

Furthermore, this additional Join Domain task appears to not cause an issue with other hardware, (which successfully join the domain during mini-setup), that is not susceptible to the proclivities of the Yoga hardware. Obviously, the procedure would need to be proven in any given customer environment and, if necessary, measures to isolate the additional Join Domain or Workgroup task could be scripted to isolate the process for the Yoga machines alone.

We at Big Bang have been following the news regarding the WPA2 hack known as Krack (key reinstallation attack).

During the week of October 16, 2017, researchers announced the discovery of a vulnerability which exploits the WPA2 protocol and allows attackers to steal sensitive information from unencrypted communications. It may also allow attackers to inject code (presumably malware) into websites.

"It’s important to keep the impact of KRACK in perspective: KRACK does not affect HTTPS traffic, and KRACK’s discovery does not mean all Wi-Fi networks are under attack."

The list of Wi-Fi vendors/chipset manufacturers is extensive and Big Bang is in the process of searching/monitoring each vendor for updates to their wi-fi network drivers that specifically address the Krack vulnerability. This process is entirely subject to the availability of adequately-prepared drivers by the chipset manufacturers. We anticipate that this update will take place over a lengthy period of time and in fact, may not be realized for those vendors that are out of business, no longer supporting versions of chipsets or are not prepared to update their device drivers.

If you become aware of a wi-fi network driver that specifically addresses the Krack vulnerability and you suspect that we have not yet encountered that driver, please bring it to the immediate attention of Big Bang Support.

Thank you for your patience and assistance.

For additional information, please refer to the following links:
KRACK Vulnerability: What You Need To Know
Key Reinstallation Attacks: Breaking WPA2 by forcing nonce reuse
Here’s what you can do to protect yourself from the KRACK WiFi vulnerability

So, you’re sitting at your PC (or a customer/user’s pc) minding your own beeswax, just installing an application, or perhaps uninstalling an application when… BAM! Something awful hits the fan! Now the bloody thing is all locked up and not responding to any key strokes or mouse clicks. It won’t even let you open up Task Manager to see what in the hell it might be up to, even though you’re pretty sure that it’s up to absolutely nothing…

Now, invariably, the user was standing, looking over your shoulder, absolutely clueless about the fact that you’re boned and about the fact that you too are absolutely clueless… (No, I’ve never been in that position!)

If you’ve been working with PCs for any appreciable amount of time, any good troubleshooter knows that sometimes, for one reason or another, an install or uninstall will get “borked” and that usually happens at just the wrong moment, of course. Thank you Murphy, for that little gem of a “law”…


What happens during application installation or uninstallation?

Lots of stuff, really: files get copied, registry settings are potentially altered or created, active directory information may be read or altered, schema extensions may be initiated, operating system variables may be set, and Programs and Features registration is typically instantiated. Of course, it varies widely based on application demands and requirements… When, for various reasons, one of the necessary steps for an app install or uninstall doesn’t complete or fails outright, it can leave the app in a state of limbo, inhibiting the required re-installation of the app or, in extreme circumstances, it can inhibit the usefulness of the entire system. At the very least, it leaves administrators with a loss of confidence in the system and a dread that the problem is indicative of future time-consuming troubleshooting.

What can you do when it all goes bad?

I’ve personally used many methods in the past including registry/file scraping where I try to find all references to the app and ruthlessly (albeit recklessly) remove all discovered instances, in a subtle homage to Orson Wells. I’ve also tried clearing temp files and have, of course, resorted to the time-tested “restart and see if that helps” method, usually followed immediately by, “Ok, let’s see if a hard boot helps”. What else? I’ve restored from Restore Points, run OS diagnostics; I’ve even run some very questionable, 3rd party applications to “reset” the registry. Basically, I’ve tried everything short of waving chicken bones, drenched in the blood of the vanquished, under a full moon at midnight on a solstice. I’m saving that one for a really critical situation!

Although some of these solutions have worked some of the time, most of them live in the “60% of the time, it works every time” category. Although there are not hard-and-fast, always effective methods, I’ve been made aware of some interesting tools from Microsoft and, so far, have had success with them. I thought others may appreciate knowing about them.

Microsoft FixIt – Fix problems with programs that cannot be installed or uninstalled

This tool is so simple to execute that I’m having difficulty elaborating, so perhaps for once, I won’t. Suffice it to say that the UI is intuitive.

Download MS Fix It - Fix Problems - Install/Uninstall

Choose desired level of automation:

Indicate when the problem occurs:

 

Select the affected product (this example = uninstall):

When the process is complete, you’ll receive a results screen indicating that it was (or was not) able to resolve the problem. It’s that simple.

 

Microsoft MsiZap

This tool is a bit more involved and, I presume, a bit more risky — think of “malware detection programs reminding you that removing some discovered items may result in the untimely death of your OS” risky. The tool removes all Windows Installer information for one or more applications on a PC through the clever use of Product Codes. With command line options, you can also elect to remove rollback information, remove the “In-Progress” key, or even change ACL’s to Admin Full Control.

Download MsiZap

As the command line nature of the application can be a bit unwieldy, I’ve included a link to examples of its use as well. Heads-up! You’ll need to be able to determine Product Codes for applications that you’d like to target. Fun!

Syntax Examples:

MsiZap Examples

That's all for now

In summary, we all have our methods; some of those methods are more sound than others or at least more based in actual computer science and we’ll likely continue to employ what we perceive to have worked for us in the past. That’s great. Here are two more for your arsenal. Godspeed, John Glenn!

Oh, you’ve noticed? We’re blushing.

For those of you that didn’t catch it, our website got a little facelift complete overhaul this past week. In addition to a fresh look and the marriage of the once-separate Big Bang and UIU sites, our new slice of cyber real estate includes improved functionality and brand-new features (with more to come!)

Responsive design for tablets and mobile

In addition to our new desktop site, we’ve added both tablet and mobile versions, so you can browse easily from the device of your choice.

Revised navigation for easy UIU version selection

Whether you are using the UIU Classic (better known as the UIU 4.x to you lifers out there), the new UIU 5, or one of the UIU plug-ins for SCCM or MDT, you’ll find it all here.

Expedited UIU Support case handling

Speed up your support experience with the improved UIU Support request form. Submit the form for your next technical support issue, and a ticket will be automatically generated and sent to our technical support team. You’ll receive an email notification that your case has been received and also get a reference number to include in future emails for speedy handling. Also, please remember to attach any applicable UIU log and setupapi files for faster resolution of your issue.

Online User Guides for every UIU version

Browse the UIU Install and User Guides through each UIU version’s Table of Contents, or go old-school-but-effective with your browser’s built-in search capability.

RSS feed option for UIU Release Notes and UIU Blog

Whether you are an existing customer or testing with the free UIU Trial, you can sign up to receive notifications of industry-related blog posts and news about UIU Updates (you can also, of course, follow us on Facebook and Twitter).

Let us know what you think!

We’re adding new content and features every week, so check back for all-new UIU videos, case studies and additional resources. Let us know what you think below or email us here.