WildBill

I've got couple of updates posted: KB2393802 v19 kernel32.dll WTSGetActiveConsoleSessionId KB2508429 v11 advapi32.dll StopTraceA StopTraceW UpdateTraceA UpdateTraceW GetInheritanceSourceA GetLocalManagedApplicationData QueryTraceA QueryTraceW RegDisablePredefinedCacheEx RegDisablePredefinedCache upgraded to XP specs

Just a little heads-up...I updated KB2393802 and KB2508429 tonight that get Steam running on my PC. In a few days, if all is well, I'll post them...

Thanks for catching that. I updated the link so it points to the right version. I'll take a look at user32 when I get a chance (at present I need to add some things to kernel32.dll) I also posted KB2393802 v18, which adds some new API calls: halacpi.dll halmacpi.dll KeAcquireInStackQueuedSpinLock KeReleaseInStackQueuedSpinLock ntoskrnl.exe ntkrmlpa.exe ntkrnlmp.exe ktkrpamp.exe IoCsqInitialize IoCsqInsertIrp IoCsqRemoveIrp IoCsqRemoveNextIrp Since this is the first time I made any changes to hal.dll I held onto this one for quite a while to make sure it's okay. All seems good here, so I've decided to release it into the wild.

I finally got sick of Dependency Walker complaining about that one missing 9x API call in mpr.dll and decided to do something about it. Up now is KB2508429 v10, which adds the routine (it actually maps it to an existing one that appears to do the same thing). I'm still occasionally working on fixing my kernel32 rewrite; I found one tiny bug but that wasn't the one I'm looking for. I captured a big log yesterday from my VM and I'll take a look at it to see what it tells me.

That seems to have solved several problems, so here is a link to v3 of my kernel32 rewrite. Please keep the feedback coming! http://www.mediafire.com/download/aybbhy8pjzlyw8q/Windows2000-kernel32-rewrite-v3.zip

Good catch! I'm going to test it right now and see if this fixes some problems.

Do you still have those logs? I tried unzipping the file and I can't extract them. 7-zip can't extract it at all and ZipGenius only creates zero-length files

Thanks! Every little bit helps. Lately I've been crawling through backup.cpp tp try to fix some reported bugs. I definitely found one, but I haven't finished going through it. I tried fixing the bug when trying to install software and I really need help there. One thing I need to check is all calls to FsRtlxxx routines to make sure I'm using the right structures. On another note, I just posted KB2479628-v8. It adds stub support for these routines in user32.dll: RegisterRawInputDevices GetRawInputData GetRawInputDeviceInfoA GetRawInputDeviceInfoW GetRawInputDeviceList GetRawInputBuffer DefRawInputProc They're just stubs and return zero and/or failure where appropriate, but they let you use programs that import them, like the latest version of FreeCAD.

There appear to be multiple problems downloading and unpacking the split archive files for KB2393802-v17. I crawled through MediaFire's knowledge base and found something that is letting me upload the standard .exe installer again. Apparently my browser doesn't like their HTML5 uploader, and there is a setting to disable it. I updated the link on the main listing, and it should let you download a standard installer like earlier versions.

Below is the link to v1 of my kernel32 rewrite. It includes a VS2005 project, full source, and a compiled DLL. DO NOT INSTALL THIS ON YOUR MAIN SYSTEM I'm posting this because I've hit a wall on a bug and I need help Windows2000-kernel32-rewrite-v1.zip

I updated the file and the link. Bear in mind that it's a split archive: you only have to extract from Windows2000-KB2393802-v17-x86-ENU.zip and it will extract from both files.

Well, I finally managed to get KB2393802 v17 uploaded. I've been trying to get this posted for months. It turns out that MediaFire is imposing a file size limit, and I had to upload it as a pair of ZIP files. The update includes the netman.dll and secur32.dll fixes I posted about in another thread. I'm still stumped as to the bug in my kernel32 rewrite. Maybe tomorrow I'll post it plus the full source.

That would help a lot. I'm having a problem hunting down a bug that I see in the VM when trying to open an app in WinDbg. I'm trying somethng simple (calc.exe). The bug is that the debugger starts calc at an invalid address. On another issue, is anyone having problems uploading to Mediafire? I have a v17 of MS11-011 but I've been unable to upload it.. It keeps failing with a -503 permissions error. I deleted some old versions to free up some space in case it was a folder size problem, but that hasn't helped.

Ahhh. Finally. The VM with my rewritten kernel32 comes up with no errors. I have maybe half a dozen more routines to add, and then the question is, how to test it in the community?

Spend $2000 on Ida Pro + the decompiler, and invest *lots* of time analyzing the DLL...

At least it was easy to fix... Today's red herring: secur32.dll .text:7C342FF0 ; void __stdcall SecpUnloadVMList(void) .text:7C342FF0 ?SecpUnloadVMList@@YGXXZ proc near ; CODE XREF: ProcDetach(void *,void *)+30p .text:7C342FF0 push esi .text:7C342FF1 push edi .text:7C342FF2 mov edi, offset ?SecVMListLock@@3U_RTL_CRITICAL_SECTION@@A ; _RTL_CRITICAL_SECTION SecVMListLock .text:7C342FF7 push edi .text:7C342FF8 call ds:RtlEnterCriticalSection .text:7C342FFE mov esi, ?SecVMList@@3PAU_VMLIST@@A ; _VMLIST * SecVMList .text:7C343004 .text:7C343004 loc_7C343004: ; CODE XREF: SecpUnloadVMList(void)+44j .text:7C343004 test esi, esi .text:7C343006 jz short loc_7C343036 .text:7C343008 push 8000h .text:7C34300D lea eax, [esi+4] .text:7C343010 push 0 <---------------- BUG .text:7C343012 push eax .text:7C343013 push 0FFFFFFFFh .text:7C343015 call ds:NtFreeVirtualMemory .text:7C34301B mov ecx, esi .text:7C34301D mov esi, [esi] .text:7C34301F mov eax, large fs:18h .text:7C343025 mov eax, [eax+30h] .text:7C343028 push ecx .text:7C343029 push 0 .text:7C34302B push dword ptr [eax+18h] .text:7C34302E call ds:RtlFreeHeap .text:7C343034 jmp short loc_7C343004 .text:7C343036 ; --------------------------------------------------------------------------- .text:7C343036 .text:7C343036 loc_7C343036: ; CODE XREF: SecpUnloadVMList(void)+16j .text:7C343036 push edi .text:7C343037 call ds:RtlLeaveCriticalSection .text:7C34303D push edi .text:7C34303E call ds:RtlDeleteCriticalSection .text:7C343044 pop edi .text:7C343045 pop esi .text:7C343046 retn .text:7C343046 ?SecpUnloadVMList@@YGXXZ endp This routine is called by scur32!ProcDetach, which is called when secur32.dll is unloaded. The problem is highlighted above: the call to NtFreeVirtualMemory gets passed along to ntoskrnl ZwVirtualMemory: NTSTATUS ZwFreeVirtualMemory( _In_ HANDLE ProcessHandle, _Inout_ PVOID *BaseAddress, _Inout_ PSIZE_T RegionSize, _In_ ULONG FreeType ); The third parameter is a pointer to a SIZE_T, and it isn't optional. Consequently, ntoskrnl throws an access violation exception when it tries to dereference the null pointer. This was also easy to fix, though neither of these two bugs fixed my existing kernel32 bugs (though they at least aren't getting in the way now). Sometime soon I'll issue another update to KB2393802 with updated netman.dll and secur32.dll files. At this rate the patch is turning into its own mini service pack -- I'm beginning to wonder if we need some sort of naming or numbering convention for issuing our own patches separate from ones that MS issues.

I'm *still* at it trying to get my Win2k kernel32 rewrite finished, and chasing the last few bugs is driving me batty. For anyone not up-to-date on my progress, my VM boots, but I'm getting a few errors in Event Viewer and this causes some application problems. I've been trying to hunt down the bugs via remote debugging and LOTS of debugging output in my rewritten DLL. This would be a lot easier if I wasn't chasing red herrings. Case in point: Error: exception 0xC0000005 (access violation). When a thread awakens from a call to Sleep(), it finds that EIP is invalid and throws an exception. What's really happening: netman is making an API call that causes a thread to get spawned, but unloads the DLL before it can complete. Here's an assembly code snippet from netman.dll: .text:7627C5BB push offset aWzcsvc ; "wzcsvc" .text:7627C5C0 call ds:LoadLibraryW .text:7627C5C6 mov esi, eax .text:7627C5C8 test esi, esi .text:7627C5CA jz short loc_7627C5F0 .text:7627C5CC push offset aWzctrayiconrea ; "WZCTrayIconReady" .text:7627C5D1 push esi ; hModule .text:7627C5D2 call ds:GetProcAddress .text:7627C5D8 test eax, eax .text:7627C5DA jz short loc_7627C5E5 .text:7627C5DC lea ecx, [ebp+NameBuffer] .text:7627C5E2 push ecx .text:7627C5E3 call eax .text:7627C5E5 .text:7627C5E5 loc_7627C5E5: ; CODE XREF: CConnectionManager::Advise(IUnknown *,ulong *)+18Fj .text:7627C5E5 test esi, esi .text:7627C5E7 jz short loc_7627C5F0 .text:7627C5E9 push esi ; hLibModule .text:7627C5EA call ds:FreeLibrary .text:7627C5F0 .text:7627C5F0 loc_7627C5F0: And this is what it means in C: hModule = LoadLibraryW(L"wzcsvc"); hModuleA = hModule; if ( hModule ) { WZCTrayIconReady = GetProcAddress(hModule, "WZCTrayIconReady"); if ( WZCTrayIconReady ) { ((void (__stdcall *)(WCHAR *))WZCTrayIconReady)(&NameBuffer); } if ( hModuleA ) { FreeLibrary(hModuleA); } } So basically it loads wzcsvc.dll, calls WZCTrayIconReady, and then unloads it. The problem is that WZCTrayIconReady spawns a worker thread via QueueUserWorkItem, and the worker routine does a Sleep() for 1 second. So when the call immediately returns to netman, it immediately unloads wzcsvc--and when the worker thread wakes up, BOOM! Even the MSDN documentation for QueueUserWorkItem() points out to make sure to not unload a DLL before the work item has completed. XP fixes this by statically linking wzcsvc.dll into netman.dll. Now, it's possible that my slowing things down with all the debugging output is causing the error to manifest itself. I might have to fix netman before I can continue on my kernel32 rewrite mission. (sigh)

I can tell you that kernel32.dll contains some code specific to converting to and from the Korean locale. In several places throughout the NLS code it checks for the Korean locale and consults a special "KoreanWeights" table when it needs to. It was one of those things I had to reverse-engineer and have no way to test.

I've posted v16 (yikes!) of KB2393802 and updated the master list (Windows2000-KB2393802-v16-x86-ENU.exe). No bugfixes, but a few goodies: ntoskrnl.exe/ntkrnlpa.exe/ntkrnlmp.exe/ntkrpamp.exe IoAssignDriveLetters IoReadPartitionTable IoSetPartitionInformation IoWritePartitionTable These functions were already present, and I simply added them to the export table and bumped up the version one tick. The idea is to hopefully help with driver compatibility. There's also one new file: usbser.sys (5.1.2600.5512 from XPSP3) Why the new file? I picked up an Arduino Uno a while ago and no matter what I did, I couldn't get the Arduino software to program it (I can program my older Arduino Duemilanove just fine). Someone on a help forum had the same problem and had to use the XP usbser.sys driver to make it work. I gave it a try and presto, it works like a charm. So consider v16 the Arduino Uno version of the update I don't know if XP has a newer rev of the driver or not; this one is straight from the SP3 distro and works for me. In kernel32 news... This is somewhat frustrating. I'm *this close*, but there is still a memory corruption bug somewhere (at least I think that's what it is). It only shows up on the kernel side so it's hard to track down. My VM boots just fine, but ESENT and the Distributed LinkTracking Client report errors in Event Viewer and windbg reports some exceptions at certain times during bootup. I'm working on cleaning up the code to try to track the remaining bug(s) down.

It should just mean adding the C code and rebuilding.

YEAH!!!! Still some application errors in Event Viewer, but the VM finally runs with it

Kernel32 update: almost there! As of tonight the VM boots, but Explorer, Task Manager, etc. crash when I do certain things. I think I'm just a bugfix or two from really cooking with gas.

If I can get my Win2k kernel32 rewrite fully working it should become a lot easier since we'll be able to add bona-fide XP SxS support. It's almost booting, but it gets stuck somewhere when services.exe starts up--no exceptions, BSOD's, or freezing, it just sits there and keeps retrying to register device callbacks. I'm slowly crawling through the code to look for bugs. I might be asking for some community help soon if I can't find the problem.

(sigh) You know, on some days it's really tough. I just posted MS11-011 V15 (KB2393802). I found the same bug I fixed in V14 in a different place and had to fix it. Sorry for the inconvenience, folks. The lesson: it's possible to follow the XP code too closely.

Well, I'm finally making decent progress on the kernel32 rewrite; a lot of stuff is working now. One problem that I've been struggling with for the past couple of weeks, though has uncovered a bug in ntdll that I must have introduced at some point. In changing over how DLL's are loaded to try to add activation context support, I followed the XP code a bit too closely. The result was a heap corruption bug that would only manifest itself when a DLL was being unloaded. Consequently I've uploaded MS11-011 V14 (KB2393802), which you can find on the main download list. The update, as usual, also includes some new API goodies: ntoskrnl/ntkrnlpa/ntkrnlmp/ntkrpamp.exe KeAcquireInStackQueuedSpinLockAtDpcLevel KeReleaseInStackQueuedSpinLockFromDpcLevel