Digging in

Unable to move my cluster group from node A to Node B and cluster.log analysis

ganand — Wed, 25 Mar 2009 12:22:47 GMT

I have a 2 node MSCS quorum based cluster and was unable to move my cluster group from node 17 to node16 manually from cluadmin. So let’s have a look and the very first thing one will do is look at cluster.log and event logs…we at Microsoft will grab a quick cluster mps reports to see detailed information. So I quickly ran cluster mps on both nodes and that grabbed all the log files in cab file which I can look into now.

Link for cluster mps

http://download.microsoft.com/download/b/b/1/bb139fcb-4aac-4fe5-a579-30b0bd915706/MPSRPT_CLUSTER.EXE

now from my cluster mps reports I quickly outlined a few things that will come handy in my analysis

ffbc99dc-0432-4bc4-89bc-90c5899b99d1----------Cluster IP Address {IP Address}

c6b92a6f-6190-4ec2-b34f-c9a834c8b8f7----------Disk Q: {Physical Disk}

3fa17b2e-a365-4c5d-8fde-460c74deaaf6----------Cluster Name {Network Name}

==========================================================================================

Cluster Disk Driver Parameters

==========================================================================================

Available Disk Signatures

-------------------------

Current Used Disk Signatures

----------------------------

1. E098B1A3

2. E098B1A2

3. C39BA6F5

4. AF4763FD

5. 09C073AC

6. 09C073A8

Cluster.log Node 17

00000468.00000128::2009/03/18-12:19:10.651 INFO [FM] FmpDoMoveGroup: Entry—we moved the cluster group from node 17 to node 16 and whenever we do this we see FmpDoMoveGroup in the cluster.log so you can search for DoMove if you want to check in cluster.log when we moved the group and what happened after that

00000468.00000128::2009/03/18-12:19:10.651 INFO [FM] FmpMoveGroup: Entry

00000468.00000128::2009/03/18-12:19:10.651 INFO [FM] FmpPickNodeFromPreferredListAtRandom: Picking node for group 9d4fae4b-7dba-44f1-992a-0ecf1502e654 [Cluster Group1], suggested node 1...cluster group was on node 2 originally and here node 1 is being suggested as this is a 2 node cluster

00000468.00000128::2009/03/18-12:19:10.651 INFO [FM] FmpPickNodeFromPreferredListAtRandom: Node 1 for group 9d4fae4b-7dba-44f1-992a-0ecf1502e654 is user preferred...this guid belongs to cluster group and as you see ---00000c50.00000c30::2009/01/06-14:06:03.226 OBRENAME "Group" "9d4fae4b-7dba-44f1-992a-0ecf1502e654" "Cluster Group"—I got this information from cluster.oml file

00000468.00000128::2009/03/18-12:19:10.651 INFO [FM] FmpPickNodeFromPreferredListAtRandom: Selected node 1 for group 9d4fae4b-7dba-44f1-992a-0ecf1502e654...

00000468.00000128::2009/03/18-12:19:10.651 INFO [FM] FmpMoveGroup: Moving group 9d4fae4b-7dba-44f1-992a-0ecf1502e654 to node 1 (1)—we are moving cluster group to node 1

00000468.00000128::2009/03/18-12:19:10.651 INFO [FM] FmpOfflineResource: Cluster Name depends on Cluster IP Address. Shut down first.—as cluster IP is dependent on cluster name we need to bring cluster name offline before cluster ip

00000468.00000128::2009/03/18-12:19:10.651 INFO [FM] FmpOfflineResource: Offline resource <Cluster Name> returned pending

00000874.00000c04::2009/03/18-12:19:10.651 INFO [RM] RmpSetResourceStatus, Posting state 3 notification for resource <Cluster Name>

00000468.00000774::2009/03/18-12:19:10.651 INFO [FM] NotifyCallBackRoutine: enqueuing event

00000874.00000c04::2009/03/18-12:19:10.651 INFO Network Name <Cluster Name>: Resource is now offline

00000874.00000b80::2009/03/18-12:19:10.651 INFO IP Address <Cluster IP Address>: Taking resource offline...

00000874.00000b80::2009/03/18-12:19:10.651 INFO IP Address <Cluster IP Address>: Deleting IP interface 4.

00000874.00000b80::2009/03/18-12:19:10.651 INFO IP Address <Cluster IP Address>: Address 172.23.96.221 on adapter Intel(R) PRO/1000 CT Network Connection offline.

00000874.00000b80::2009/03/18-12:19:10.651 INFO IP Address <exchange IP Address>: All resources offline - cleaning up

00000874.00000b90::2009/03/18-12:19:10.651 ERR IP Address <exchange IP Address>: WorkerThread: GetClusterNotify failed with status 6.

To check what this function GetClusterNotify do let’s have a look at msdn

http://msdn.microsoft.com/en-us/library/aa369623(VS.85).aspx

00000874.000004c4::2009/03/18-12:19:10.666 INFO Physical Disk <Disk Q:>: Offline, Dismounting volume \Device\Harddisk1\Partition1.—now we are dismounting the quorum

00000874.00000828::2009/03/18-12:19:10.666 INFO Physical Disk: [PnP] Event GUID_IO_VOLUME_DISMOUNT for Q (Partition1) - Received

00000874.00000828::2009/03/18-12:19:10.666 INFO Physical Disk: [PnP] Event GUID_IO_VOLUME_DISMOUNT for Q (Partition1) - Processed

00000874.000004c4::2009/03/18-12:19:10.666 INFO Physical Disk <Disk Q:>: Offline, Dismount complete, volume \Device\Harddisk1\Partition1.

00000874.000004c4::2009/03/18-12:19:10.666 INFO Physical Disk <Disk Q:>: DiskCleanup started.

00000874.000004c4::2009/03/18-12:19:10.666 INFO Physical Disk <Disk Q:>: [DiskArb] StopPersistentReservations is called---here cluster node 2 release arbitration on quorum so that other node can reserve it

Persistent Reserve refers to a set of Small Computer Systems Interface-3 (SCSI-3) standard commands and command options which provide SCSI initiators with the ability to establish, preempt, query, and reset a reservation policy with a specified target device. The functionality provided by the Persistent Reserve commands is a superset of the reserve/release commands.

00000874.000004c4::2009/03/18-12:19:10.666 INFO Physical Disk <Disk Q:>: [DiskArb] Stopping reservation thread.

00000874.00000a4c::2009/03/18-12:19:10.666 INFO Physical Disk <Disk Q:>: [DiskArb] CompletionRoutine, status 0.

00000874.000004c4::2009/03/18-12:19:10.666 INFO Physical Disk <Disk Q:>: [ArbCleanup] Verifying sector size.

00000874.000004c4::2009/03/18-12:19:10.666 INFO Physical Disk <Disk Q:>: [ArbCleanup] Reading arbitration block.

00000874.000004c4::2009/03/18-12:19:10.666 INFO Physical Disk <Disk Q:>: [DiskArb] Successful read (sector 12)

00000874.000004c4::2009/03/18-12:19:10.666 INFO Physical Disk <Disk Q:>: [ArbCleanup] Writing arbitration block.

00000874.000004c4::2009/03/18-12:19:10.666 INFO Physical Disk <Disk Q:>: [DiskArb] Successful write (sector 12) [:0] (0,00000000:00000000).

00000874.000004c4::2009/03/18-12:19:10.666 INFO Physical Disk <Disk Q:>: [ArbCleanup] Returning status 0.

00000874.000004c4::2009/03/18-12:19:10.666 INFO Physical Disk <Disk Q:>: [DiskArb] StopPersistentReservations is complete.

00000874.000004c4::2009/03/18-12:19:10.666 INFO Physical Disk <Disk Q:>: DisksDismountDrives: letter mask is 00010000.

00000874.000004c4::2009/03/18-12:19:10.666 INFO Physical Disk <Disk Q:>: DiskCleanup returning final error 0

00000874.00000828::2009/03/18-12:19:10.666 INFO Physical Disk: [PnP] Event GUID_IO_VOLUME_UNLOCK for Q (Partition1) - Received

00000874.00000828::2009/03/18-12:19:10.666 INFO Physical Disk: [PnP] Event GUID_IO_VOLUME_UNLOCK for Q (Partition1) - Processed

00000874.000004c4::2009/03/18-12:19:10.666 INFO Physical Disk <Disk Q:>: Offline, Returning final error 0.—error 0 means successfull

00000874.00000828::2009/03/18-12:19:10.666 INFO Physical Disk <Disk Q:>: [PnP] Stop watching PnP events for disk 9c073a8—this is the disk signature of quorum drive

00000874.00000828::2009/03/18-12:19:10.666 WARN Physical Disk <Disk Q:>: [PnP] RemoveDisk: WatchedList is empty

00000874.00000828::2009/03/18-12:19:10.666 INFO Physical Disk <Disk Q:>: [PnP] Stop watching disk 9c073a8 - processed

00000874.00000130::2009/03/18-12:19:10.666 INFO Physical Disk <Disk Q:>: DiskCleanup started.

00000874.00000130::2009/03/18-12:19:10.666 INFO Physical Disk <Disk Q:>: [DiskArb] StopPersistentReservations is called.

00000874.00000130::2009/03/18-12:19:10.666 INFO Physical Disk <Disk Q:>: [DiskArb] StopPersistentReservations is complete.

00000874.00000130::2009/03/18-12:19:10.666 INFO Physical Disk <Disk Q:>: DiskCleanup returning final error 0

00000468.00000ce4::2009/03/18-12:19:10.666 INFO [CP] CppResourceNotify for resource Disk Q:

00000468.00000ce4::2009/03/18-12:19:10.666 INFO [FM] RmTerminateResource: c6b92a6f-6190-4ec2-b34f-c9a834c8b8f7 is now offline

So here our quorum goes offline for node 2 ---c6b92a6f-6190-4ec2-b34f-c9a834c8b8f7----------Disk Q: {Physical Disk}

00000468.00000330::2009/03/18-12:19:10.682 INFO [FM] FmpCompleteMoveGroup: Completing the move for group Cluster Group1 to node 1 (1)

00000468.00000330::2009/03/18-12:19:10.682 INFO [FM] FmpCompleteMoveGroup: Take group 9d4fae4b-7dba-44f1-992a-0ecf1502e654 request to remote node 1—now we going to node 1 so that it can take over the cluster group

00000468.00000330::2009/03/18-12:19:10.729 WARN [NM] RpcExtErrorInfo: Error info not found.

00000468.00000330::2009/03/18-12:19:10.729 INFO [FM] FmpCompleteMoveGroup: Remote node asked us to resend take group request for group 9d4fae4b-7dba-44f1-992a-0ecf1502e654 to another node ..

00000468.00000330::2009/03/18-12:19:10.729 INFO [FM] Set membership mask of 0x0 returns status 1

00000874.000006f4::2009/03/18-12:19:10.729 INFO Physical Disk <Disk Q:>: [DiskArb] Wait for offline thread to complete...

00000874.000006f4::2009/03/18-12:19:10.729 INFO Physical Disk <Disk Q:>: [DiskArb]------- DisksArbitrate -------.

00000874.000006f4::2009/03/18-12:19:10.729 INFO Physical Disk <Disk Q:>: [DiskArb] DisksOpenResourceFileHandle: Attaching to disk with signature 9c073a8

00000874.000006f4::2009/03/18-12:19:10.729 INFO Physical Disk <Disk Q:>: [DiskArb] DisksOpenResourceFileHandle: Disk unique id present trying new attach

00000874.000006f4::2009/03/18-12:19:10.729 INFO Physical Disk <Disk Q:>: [DiskArb] DisksOpenResourceFileHandle: Retrieving disk number from ClusDisk registry key

00000874.000006f4::2009/03/18-12:19:10.729 INFO Physical Disk <Disk Q:>: [DiskArb] DisksOpenResourceFileHandle: Retrieving handle to PhysicalDrive1

00000874.000006f4::2009/03/18-12:19:10.729 INFO Physical Disk <Disk Q:>: [DiskArb] DisksOpenResourceFileHandle: Returns success.

00000874.000006f4::2009/03/18-12:19:10.729 INFO Physical Disk <Disk Q:>: [DiskArb] Arbitration Parameters: ArbAttempts 5, SleepBeforeRetry 500 ms.

00000874.000006f4::2009/03/18-12:19:10.729 INFO Physical Disk <Disk Q:>: [DiskArb] Read the partition info to insure the disk is accessible.

00000874.000006f4::2009/03/18-12:19:10.729 INFO Physical Disk <Disk Q:>: [DiskArb] Issuing GetPartInfo on signature 9c073a8.

00000874.000006f4::2009/03/18-12:19:10.729 INFO Physical Disk <Disk Q:>: [DiskArb] GetPartInfo completed, status 0.

00000874.000006f4::2009/03/18-12:19:10.729 INFO Physical Disk <Disk Q:>: [DiskArb] Arbitrate for ownership of the disk by reading/writing various disk sectors.

00000874.000006f4::2009/03/18-12:19:10.729 INFO Physical Disk <Disk Q:>: [DiskArb] Successful read (sector 12) [:0] (0,00000000:00000000).

00000874.000006f4::2009/03/18-12:19:10.729 INFO Physical Disk <Disk Q:>: [DiskArb] Successful write (sector 11) [BLR3R07-17:0] (0,be247638:01c9a7c3).

00000874.000006f4::2009/03/18-12:19:10.729 INFO Physical Disk <Disk Q:>: [DiskArb] Successful read (sector 12) [:0] (0,00000000:00000000).

00000874.000006f4::2009/03/18-12:19:10.729 INFO Physical Disk <Disk Q:>: [DiskArb] Successful write (sector 12) [BLR3R07-17:0] (0,be247638:01c9a7c3).

00000874.000006f4::2009/03/18-12:19:10.729 INFO Physical Disk <Disk Q:>: [DiskArb] Successful read (sector 11) [BLR3R07-17:0] (0,be247638:01c9a7c3).

00000874.000006f4::2009/03/18-12:19:10.729 INFO Physical Disk <Disk Q:>: [DiskArb] Issuing Reserve on signature 9c073a8.

00000874.000006f4::2009/03/18-12:19:10.729 INFO Physical Disk <Disk Q:>: [DiskArb] Reserve completed, status 0.

00000874.000006f4::2009/03/18-12:19:10.729 WARN Physical Disk <Disk Q:>: [DiskArb] Assume ownership of the device.

00000874.00000a4c::2009/03/18-12:19:10.729 INFO Physical Disk <Disk Q:>: [DiskArb] CompletionRoutine starts.

00000874.000006f4::2009/03/18-12:19:10.729 INFO Physical Disk <Disk Q:>: [DiskArb] Arbitrate returned status 0.

00000874.00000a4c::2009/03/18-12:19:10.729 INFO Physical Disk <Disk Q:>: [DiskArb] Posting request to check reserve progress.

00000468.00000330::2009/03/18-12:19:10.729 INFO [FM] FmpNotifyGroupStateChangeReason: Notifying group Cluster Group1 [9d4fae4b-7dba-44f1-992a-0ecf1502e654] of state change reason 3...

00000874.00000a4c::2009/03/18-12:19:10.729 INFO Physical Disk <Disk Q:>: [DiskArb] ********* IO_PENDING ********** - Request to insure reserves working is now posted.

00000468.00000330::2009/03/18-12:19:10.729 INFO [FM] FmpOnlineResourceList: Previous quorum resource state for c6b92a6f-6190-4ec2-b34f-c9a834c8b8f7 is 2

00000468.00000330::2009/03/18-12:19:10.729 INFO [FM] FmpOnlineResourceList: trying to bring quorum resource c6b92a6f-6190-4ec2-b34f-c9a834c8b8f7 online, state 3

00000874.00000090::2009/03/18-12:19:10.729 INFO Physical Disk <Disk Q:>: [DiskArb] DisksOpenResourceFileHandle: Returns success.

00000874.00000090::2009/03/18-12:19:10.729 INFO Physical Disk <Disk Q:>: Online, Wait for async cleanup worker thread in ClusDisk to complete.

00000874.00000090::2009/03/18-12:19:10.729 INFO Physical Disk <Disk Q:>: Online, Send Offline IOCTL to all existing volumes, then Online IOCTL.

00000874.00000090::2009/03/18-12:19:10.744 INFO Physical Disk <Disk Q:>: Online, Recreate volume information from cluster database.

00000874.00000090::2009/03/18-12:19:10.776 INFO Physical Disk <Disk Q:>: DiskspCheckPathLite: Volume name \\?\Volume{57acdc20-dbdb-11dd-a9a5-00123f25504d}\

00000874.00000090::2009/03/18-12:19:10.776 INFO Physical Disk <Disk Q:>: DisksMountDrives: calling IsAlive function.

00000874.00000090::2009/03/18-12:19:10.776 INFO Physical Disk <Disk Q:>: DriveIsAlive called for Online check

00000874.00000090::2009/03/18-12:19:10.776 INFO Physical Disk <Disk Q:>: DriveIsAlive checking quorum drive to insure cluster directory accessible.

00000874.00000090::2009/03/18-12:19:10.776 INFO Physical Disk <Disk Q:>: DiskspCheckPath: Open Q:\MSCS\3586de39-46af-4072-9ffc-4c3a32ddf614\00000001.CPT succeeded.

00000874.00000090::2009/03/18-12:19:10.776 INFO Physical Disk <Disk Q:>: DiskspCheckPath: Open Q:\MSCS\chkCD1.tmp succeeded.

00000874.00000090::2009/03/18-12:19:10.776 INFO Physical Disk <Disk Q:>: DiskspCheckPath: Open Q:\MSCS\clusdbb1 succeeded.

00000874.00000090::2009/03/18-12:19:10.776 INFO Physical Disk <Disk Q:>: DiskspCheckPath: Open Q:\MSCS\clusdbb1.LOG succeeded.

00000874.00000090::2009/03/18-12:19:10.776 INFO Physical Disk <Disk Q:>: DiskspCheckPath: Open Q:\MSCS\quolog.log succeeded.

00000874.00000090::2009/03/18-12:19:10.776 INFO Physical Disk <Disk Q:>: DriveIsAlive checking that file system is not corrupt. If so, chkdsk may run.

00000874.00000090::2009/03/18-12:19:10.776 INFO Physical Disk <Disk Q:>: DisksIsVolumeDirty: Volume is clean

00000874.00000090::2009/03/18-12:19:10.776 INFO Physical Disk <Disk Q:>: DisksMountDrives: letter mask is 00010000.

00000874.00000090::2009/03/18-12:19:10.776 INFO Physical Disk <Disk Q:>: DisksMountDrives: creating admin share names.

00000874.00000090::2009/03/18-12:19:10.776 INFO Physical Disk <Disk Q:>: Online, Insure mount point information is correct.

00000874.00000090::2009/03/18-12:19:10.776 INFO Physical Disk <Disk Q:>: Offset String

00000874.00000090::2009/03/18-12:19:10.776 INFO Physical Disk <Disk Q:>: ================ ======================================

00000874.00000090::2009/03/18-12:19:10.776 INFO Physical Disk <Disk Q:>: 0000000000007E00 \??\Volume{57acdc20-dbdb-11dd-a9a5-00123f25504d}

00000874.00000090::2009/03/18-12:19:10.776 INFO Physical Disk <Disk Q:>: *** End of list ***

00000874.00000090::2009/03/18-12:19:10.776 INFO Physical Disk <Disk Q:>: SetupVolGuids: Processing VolGuid list

00000874.00000090::2009/03/18-12:19:10.776 INFO Physical Disk <Disk Q:>: Online, Retrieve and validate the disk serial number.

00000874.00000090::2009/03/18-12:19:10.776 INFO Physical Disk <Disk Q:>: Online, Old SerNum (DF600-00A ) Old SerNumLen (16)

00000874.00000090::2009/03/18-12:19:10.776 INFO Physical Disk <Disk Q:>: Online, New SerNum (DF600-00A ) New SerNumLen (16)

00000874.00000090::2009/03/18-12:19:10.776 INFO Physical Disk <Disk Q:>: Online, Trying to get Disk unique ids .

00000874.00000090::2009/03/18-12:19:10.791 INFO Physical Disk <Disk Q:>: Online, returning final error 0 ResourceState 2 Valid 1

00000874.00000828::2009/03/18-12:19:10.791 INFO Physical Disk <Disk Q:>: [PnP] Start watching PnP events for disk 9c073a8 - processed

00000874.000006f4::2009/03/18-12:19:11.291 INFO IP Address <Cluster IP Address>: Bringing resource online...

00000468.00000330::2009/03/18-12:19:11.291 INFO [FM] FmpPropagateResourceState: resource ffbc99dc-0432-4bc4-89bc-90c5899b99d1 pending event.

00000468.00000330::2009/03/18-12:19:11.291 INFO [FM] FmpRmOnlineResource: Resource ffbc99dc-0432-4bc4-89bc-90c5899b99d1 pending

00000468.00000330::2009/03/18-12:19:11.291 INFO [FM] FmpRmOnlineResource: Returning. Resource ffbc99dc-0432-4bc4-89bc-90c5899b99d1, state 129, status 997.

00000468.00000330::2009/03/18-12:19:11.291 INFO [FM] FmpOnlineResourceList: Previous resource state for 3fa17b2e-a365-4c5d-8fde-460c74deaaf6 is 2

00000468.00000330::2009/03/18-12:19:11.291 INFO [FM] FmpOnlineResourceList: trying to bring resource 3fa17b2e-a365-4c5d-8fde-460c74deaaf6 online

00000468.00000330::2009/03/18-12:19:11.291 INFO [FM] OnlineResource: 3fa17b2e-a365-4c5d-8fde-460c74deaaf6 depends on ffbc99dc-0432-4bc4-89bc-90c5899b99d1. Bring online first.

00000874.00000d70::2009/03/18-12:19:11.291 INFO IP Address <Cluster IP Address>: Online: Registered notification for netinterface 2a6976f9-af64-4d00-af1c-62381c96b776.

00000874.00000d70::2009/03/18-12:19:13.510 INFO IP Address <Cluster IP Address>: IP Address 172.23.96.221 on adapter Intel(R) PRO/1000 CT Network Connection online

00000874.00000eac::2009/03/18-12:19:13.510 INFO Network Name <Cluster Name>: Bringing resource online...

00000874.00000eac::2009/03/18-12:19:14.369 INFO Network Name <Cluster Name>: Registered server name CLUS157442 on transport \Device\NetBt_If3.

00000874.00000eac::2009/03/18-12:19:14.557 INFO Network Name <Cluster Name>: Registered workstation name CLUS157442 on transport \Device\NetBt_If3.

00000874.00000eac::2009/03/18-12:19:14.557 INFO Network Name <Cluster Name>: Network Name CLUS157442 is now online

Cluster group came back online on node 17 as node 16 was unable to arbitrate the quorum

Now let’s see what we see on node 16

Cluster.log Node 16

00000db8.00000d7c::2009/03/18-12:19:10.568 INFO [FM] GUM update group 9d4fae4b-7dba-44f1-992a-0ecf1502e654, state 3—this is cluster group

00000db8.00000d7c::2009/03/18-12:19:10.568 INFO [FM] New owner of Group 9d4fae4b-7dba-44f1-992a-0ecf1502e654 is 2, state 3, curstate 0.

00000db8.00000d7c::2009/03/18-12:19:10.568 INFO [GUM] s_GumUpdateNode: completed update seq 3362 type 0 context 9

00000db8.00000d7c::2009/03/18-12:19:10.568 INFO [GUM] s_GumUpdateNode: dispatching seq 3363 type 0 context 11

00000db8.00000d7c::2009/03/18-12:19:10.568 INFO [GUM] s_GumUpdateNode: completed update seq 3363 type 0 context 11

00000db8.00000d7c::2009/03/18-12:19:10.568 INFO [GUM] s_GumUpdateNode: dispatching seq 3364 type 0 context 8

00000db8.00000d7c::2009/03/18-12:19:10.568 INFO [FM] Gum update resource 3fa17b2e-a365-4c5d-8fde-460c74deaaf6, state 3, current state 2.

00000db8.00000d7c::2009/03/18-12:19:10.568 INFO [GUM] s_GumUpdateNode: completed update seq 3364 type 0 context 8

00000db8.00000d7c::2009/03/18-12:19:10.568 INFO [GUM] s_GumUpdateNode: dispatching seq 3365 type 1 context 4099

00000db8.00000d7c::2009/03/18-12:19:10.568 INFO [DM] DmWriteToQuorumLog Entry Seq#=3365 Type=4099 Size=162

00000db8.00000d7c::2009/03/18-12:19:10.568 INFO [DM] DmUpdateDeleteValue

00000db8.00000d7c::2009/03/18-12:19:10.568 INFO [DM] DmWriteToQuorumLog Entry Seq#=3365 Type=4099 Size=162

00000db8.00000d7c::2009/03/18-12:19:10.568 INFO [GUM] s_GumUpdateNode: completed update seq 3365 type 1 context 4099

00000db8.00000d7c::2009/03/18-12:19:10.568 INFO [GUM] s_GumUpdateNode: dispatching seq 3366 type 0 context 8

00000db8.00000d7c::2009/03/18-12:19:10.568 INFO [FM] Gum update resource ffbc99dc-0432-4bc4-89bc-90c5899b99d1, state 3, current state 2.

00000db8.00000d7c::2009/03/18-12:19:10.568 INFO [GUM] s_GumUpdateNode: completed update seq 3366 type 0 context 8

00000db8.00000d7c::2009/03/18-12:19:10.568 INFO [GUM] s_GumUpdateNode: dispatching seq 3367 type 0 context 8

00000db8.00000d7c::2009/03/18-12:19:10.568 INFO [FM] Gum update resource c6b92a6f-6190-4ec2-b34f-c9a834c8b8f7, state 130, current state 2.

00000db8.00000d7c::2009/03/18-12:19:10.568 INFO [GUM] s_GumUpdateNode: completed update seq 3367 type 0 context 8

00000db8.00000d7c::2009/03/18-12:19:10.568 INFO [GUM] s_GumUpdateNode: dispatching seq 3368 type 0 context 9

00000db8.00000d7c::2009/03/18-12:19:10.568 INFO [FM] GUM update group 9d4fae4b-7dba-44f1-992a-0ecf1502e654, state 1

00000db8.00000d7c::2009/03/18-12:19:10.568 INFO [FM] New owner of Group 9d4fae4b-7dba-44f1-992a-0ecf1502e654 is 2, state 1, curstate 0.

Here we are updating the state of the resource via GUM update

ffbc99dc-0432-4bc4-89bc-90c5899b99d1----------Cluster IP Address {IP Address}

c6b92a6f-6190-4ec2-b34f-c9a834c8b8f7----------Disk Q: {Physical Disk}

3fa17b2e-a365-4c5d-8fde-460c74deaaf6----------Cluster Name {Network Name}

00000db8.00000d7c::2009/03/18-12:19:10.599 INFO [FM] FmsTakeGroupRequest: To take group '9d4fae4b-7dba-44f1-992a-0ecf1502e654'.

00000db8.00000d7c::2009/03/18-12:19:10.599 INFO [FM] FmpTakeGroupRequest: To take group '9d4fae4b-7dba-44f1-992a-0ecf1502e654'.—node 1 being requested to take cluster group

00000e38.00000ab4::2009/03/18-12:19:10.599 INFO Physical Disk <Disk Q:>: [DiskArb] Wait for offline thread to complete...

00000e38.00000ab4::2009/03/18-12:19:10.599 INFO Physical Disk <Disk Q:>: [DiskArb]------- DisksArbitrate -------.node 1 trying to arbitrate quorum

00000e38.00000ab4::2009/03/18-12:19:10.599 INFO Physical Disk <Disk Q:>: [DiskArb] DisksOpenResourceFileHandle: Attaching to disk with signature 9c073a8

00000e38.00000ab4::2009/03/18-12:19:10.599 INFO Physical Disk <Disk Q:>: [DiskArb] DisksOpenResourceFileHandle: Disk unique id present trying new attach

00000e38.00000ab4::2009/03/18-12:19:10.599 ERR Physical Disk <Disk Q:>: [DiskArb] Signature of disk has changed or failed to find disk with id, old signature 0x9c073a8 new signature 0x9c073a8, status 2

00000e38.00000ab4::2009/03/18-12:19:10.646 ERR Physical Disk <Disk Q:>: SCSI: Attach, error attaching to signature 9c073a8, error 2.—err 2 path not valid

00000e38.00000ab4::2009/03/18-12:19:10.646 ERR Physical Disk <Disk Q:>: Arbitrate: Unable to attach to signature 9c073a8. Error: 2.

00000db8.00000d7c::2009/03/18-12:19:10.646 INFO [MM] MmSetQuorumOwner(0,0), old owner 1.

00000db8.00000d7c::2009/03/18-12:19:10.646 INFO [FM] FmpTakeGroupRequest: MM did not select local node 1 as the arbitration winner, Status 2

We were not able to arbitrate quorum on node 1 and we failed due to reservation

00000db8.00000d7c::2009/03/18-12:19:10.646 INFO [FM] FmpTakeGroupRequest: MM did not select local node 1 as the arbitration winner, Status 2

00000db8.00000d7c::2009/03/18-12:19:10.646 INFO [FM] FmpTakeGroupRequest: Exit for group <9d4fae4b-7dba-44f1-992a-0ecf1502e654>, Status = 1237...

What happened here..aah we see some time skew on both nodes as seen in cluster.log…which is as we see following event logs

Type: Error

Date: 03/18/2009

Time: 4:59:03 PM

Event ID: 29

Source: W32Time

User: N/A

Type: Information

Date: 03/18/2009

Time: 4:59:04 PM

Event ID: 37

Source: W32Time

Node 16

http://support.microsoft.com/kb/875424

http://support.microsoft.com/kb/830092

lets search on support.microsoft.com for any known issue..found these 2 kb articles..however none of them applies as I am already on sp2 and we are not using local quorum feature of cluster. Then what’s the issue…we are sure it is something to do on storage side on quorum.

911030 A cluster node failover does not work when you use SCSI-3-compliant persistent reservations in Windows Server 2003 SP1

http://support.microsoft.com/default.aspx?scid=kb;EN-US;911030

888160 Cluster is formed by using a local quorum resource after a cluster setup failure in Windows Server 2003

http://support.microsoft.com/default.aspx?scid=kb;EN-US;888160

I went ahead and stopped the cluster service on node 17 and put clusdisk driver on demand in device manager ..so now quorum is not under the control of node 17 but quorum still may have reservation on it which is not getting cleared somehow. Node 16 was still not able to arbitrate quorum and I tried restarting cluster service on node 16 twice but no help. I went back to node 17 ..restored the cluster service and clusdisk driver on demand ….we got our failed cluster online again.

I am now more convinced that this is a storage issue …how to fix my cluster now

One way I can go on storage and see for issues and troubleshoot there..but I dint want to go down to lab where our underlying san storage is present..so I will just change the destination of our quorum from Q:\ to k:\

I stopped the cluster service on node 16 from cluadmin. I had drive K in another group 1 and I moved it to cluster group…..right clicked on cluster name and selected drive k instead of Q for quorum. Restarted cluster service on node 16 and both nodes are up….now I initiated a move group command for cluster group and Bingo!! It moved fine to node 16 . So we know for sure we were having reservation issue on quorum originally and node 16 was unable to clear that reservation.

Server 2003 Cluster service uses Reserve/Release SCSI SPC-2 reservations. Problems with reservations may cause problems with the Cluster service's ability to bring a physical disk resource online. In our case looks like quorum has an active persistent reservation even when node 17 was rebooted and that’s why node 16 was unable to clear it. The Cluster service does not manage persistent reservations. Therefore, the Cluster service cannot directly release or manage a persistent reservation.

If you experience a problem with a persistent reservation, you should contact the storage vendor or SAN administrator to help determine whether a problem exists. Generally, storage vendors have tools that you can use to help identify and change the properties of the storage objects. These tools include a tool to change reservations.

The information provided here is "AS IS"

How to stop Chkdsk from running

ganand — Tue, 17 Mar 2009 14:38:28 GMT

I have seen so many customer requesting how to stop the chkdsk from checking the drive during boot time especially when they have luns in Tera bytes and they cannot afford chkdsk running and hitting the production and uptime of the server. There are 2 ways of stoppng it and another way to do it on cluster volumes. All the ways and related Microsoft support articles are mentioned below.

Steps for stopping chkdsk given below:

When running the chkdsk /f /r command, Windows prompts the administrator whether chkdsk should be scheduled to run the next time the system starts. To prevent the chkdsk /f /r command from running, follow these steps:

1. Start the Registry Editor.

2. Locate the following subkey:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager

3. Change the BootExecute entry from autocheck autochk * /p \??\C: autocheck autochk * to autocheck autochk *.

If chkdsk was scheduled to run on multiple volumes, there is an autocheck entry for each volume. Repeat steps two and three of this procedure for each volume that should not be checked. To determine the volumes to be checked during the next startup process, view the entries in the BootExecute registry key.

Another way

The chkntfs /x command also adds a /k command-line switch before the asterisk. The /k option excludes volumes from being checked for the dirty bit.

For example, the command chkntfs /x d: modifies the default registry entry value to autocheck autochk /k:d *.

BootExecute Entries

Registry Value Function

/k:Volume * Excludes chkdsk from running against the volume

Command Examples

Sample Command Registry Entry Value

chkntfs d: e: /x Autocheck AUTOCHK /k:D /k:E *

for more information please have a look at the article given below

160963 CHKNTFS.EXE: What You Can Use It For

http://support.microsoft.com/default.aspx?scid=kb;EN-US;160963

the things change a little on cluster volumes

first way

The CHKDSK will be initiated when the clusdisk driver finds any inconsistency on the disk. It is recommended to run CHKDSK if cluster finds any inconsistency. Best procedure to run CHKDSK on the volume is to run in offline mode.

To run CHKDSK in offline mode, please follow the below procedure.

1. Keep the disk resource on passive node

2. Stop the cluster service on the node and mark the start-up type of the service to “Manual”

3. Open regedit

4. Locate the key “HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Clusdisk”

5. Select “Clusdisk” and will show parameter keys on the right side

6. Change the value of “Start” key to “4”

7. Restart the node

8. Once the system is back run “CHKDSK /f /r” on the disk resource from this node

Once the CHKDSK is finished, please follow the below procedure to bring the node back in to the cluster

1. From the services console mark the start-up type of the cluster service to “Automatic”

2. Open regedit

3. Locate the key “HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Clusdisk”

4. Select “Clusdisk” and will show parameter keys on the right side

5. Change the value of “Start” key to “1”

6. Restart the node

7. This will join the node back to the cluster.

second way

We have an easy way of running chkdsk on a cluster physical disk. Server 2008 and 2003 maintenance mode lets you do it and you need not to create downtime for whole cluster.

C:\Documents and Settings\Administrator>cluster.exe res "disk s:" /maint:1

Setting maintenance mode for resource 'disk s:'

Resource Group Node Status

-------------------- -------------------- --------------- ------

disk s: Group 1 BLR3R07-16 Online(Maintenance)

C:\Documents and Settings\Administrator>chkdsk s:

The type of the file system is NTFS.

Volume label is New Volume.

WARNING! F parameter not specified.

Running CHKDSK in read-only mode.

CHKDSK is verifying files (stage 1 of 3)...

To stop the CHKDSK running on the disk resource till we get the downtime to run the CHKDSK offline, please run the following command.

"cluster clustername res "Disk E" /priv Skipchkdsk=1"

Once we finish the CHKDSK offline please run the command “cluster clustername res "Disk E" /priv Skipchkdsk=0" to revert back the previous change.

For more details on How to run the "chkdsk /f" command on a shared cluster disk : <http://support.microsoft.com/default.aspx?scid=kb;EN-US;176970>

223023 Enhanced disk resource private properties when using Cluster Server

http://support.microsoft.com/default.aspx?scid=kb;EN-US;223023

The Information provided here is "AS IS"

Gaurav Anand

Start up for some one who is not familiar with Read only domain controller RODC

ganand — Sat, 26 Apr 2008 12:25:00 GMT

What

=====

RODC is a new feature unleashed with windows server 2008. Read-only Domain Controllers differentiate from Domain Controllers with writable AD replica in three basic aspects:

- Read-only replica of AD database.

- On-demand replication of account passwords.

- Ability to delegate administrative rights independently on other read-only domain controllers or writable domain controllers.

Why

====

It is designed to minimize risks introduced by running Domain Controller in less-secure locations such as branch offices or extranet networks.

No changes to AD database content are possible on RODC. All objects in RODC AD replica are read-only and can change only by means of AD replication from an upstream domain controller.

The replication partner cannot be: - Pre-Longhorn Domain controller. - Another RODC.

Features

=========

RODC by default does not replicate passwords of user and computer accounts into its replica of AD database.

By limiting credential caching to only users who have authenticated to the RODC and are allowed by the Password Replication Policy to have credentials cached, the potential exposure of credentials by a compromise of the RODC is limited. This is because, typically, only a small subset of domain accounts has their credentials cached on any given RODC. Therefore, in the event that the RODC is stolen, only those credentials that are cached can become subject to any cracking attempt.

Password replication policy is the list of rules that specify which accounts can have passwords replicated to Read-only Domain controller. Every RODC has its own Password Replication policy – it is linked to the computer account of the Domain Controller.

Read-Only Domain Controller offers the possibility to delegate a certain level of access on single machine – without affecting any other domain controller in the domain of forest So the user account who has been delegated authority on RODC wont b able to access other domain controllers in domain.

Limitations

===========

RODC brings additional requirements to forest infrastructure. You cannot run RODC in a forest with Windows 2000 domain controllers.

RODC needs at least one full Longhorn DC in the domain. RODC cannot replicate from Windows 2003 domain controller and cannot bridge client authentication to Windows 2003 domain controller.

RODC cannot satisfy any write operations. All write operations are referred to full DC.

When connection to full Longhorn DC is broken, only users with credentials already cached on RODC are able to log on. Only resources having their passwords cached on RODC will be accessible.

RODC cannot be a Global Catalog

Prerequisites

==============

- Domain and Forest functional levels must be Windows 2003 or higher.

- Full Longhorn Domain Controller from the same domain must be a replication partner for RODC.

- PDC emulator FSMO role must be held by Full Longhorn Domain Controller.

- Longhorn Server ADPrep /rodcprep must be run.

RODC cannot be deployed in mixed Windows 2000/Windows 2003 environments.

You will not get the option to reset Pin in bitlocker when using TPM+PIN+StartupKey protectors in vista sp1

ganand — Sat, 26 Apr 2008 12:17:00 GMT

Aah i dont write blogs in such a nice format but this was written for an another document and i am putting same copy-paste here to save time.Hope this helps.

=======

SYMPTOMS

When you are using TPM+PIN+StartupKey protector on vista sp1 bitlocker enabled vista client you will not get the option to reset the pin when you go to Bitlocker drive encryption applet in control panel. The only option you receive when you choose "select keys to manage" is duplicate the recovery passowrd.

CAUSE

This is by design. Please use manage-bde.wsf to delete the exiting TPM+PIN+StartupKey protector and then add a new one if you need to reset the PIN. The GUI shows resetting PIN option only when there is a TPM+PIN protector.

RESOLUTION

1 Open the command prompt with administrator privilege.
2 Type:- cd c:\windows\system32
3 Type:- cscript manage-bde.wsf -protectors -delete c: (where c: is the volume being protected)
4 This command will remove all key protectors unless you provide additional parameters.
5 Press enter
6 Type :- cscript manage-bde.wsf -protectors -add (volume to be protected, for eg. c: ) -rp -rk (volume to store recovery key, for eg. f:) -tpsk -tp (pin that you want to be set for eg. 1234) -tsk (volume where you want to store the startup key for eg. g:)
7 Finally the command will appear as:- cscript manage-bde.wsf -protectors -add c: -rp -rk f: -tpsk -tp 1234 -tsk g:
8 You have sucessfully reset the pin.

======

The Information provided here is "AS IS"

Gaurav Anand

What is this Raw File System

ganand — Fri, 22 Feb 2008 16:15:15 GMT

Sometimes a damaged volume may look like it lost its file system and CHKDSK tool will complain that file system is raw

The type of the file system is RAW.

this is a curious issue as seen here

=========

what the hell is a RAW file system?—

http://www.microsoft.com/technet/archive/community/columns/inside/techans9.mspx?mfr=true

what the hell is a RAW file system?—is easy enough to answer. It's simply a disk partition that has not been

formatted with an NT file system, neither FAT nor NTFS.

=========

so what is this raw or as said raw file system, it is nothing but a system supplied file system driver that is the

"last resort" for all I/O requests requiring file system support. When the I/O manager calls active file systems

to mount a volume, RAW is always called last because it supports all disk and tape media.

However, RAW supplies very primitive file handling capabilities. That is, it does not impose any on-disk file

structure or metadata structures for the information about the media; it simply allows read/write access

to the logical blocks on the physical disk. For example, it treats the whole disk as a single file and supplies

physical-disk-level access to the disk.

If a device is being driven in raw mode, it has no function driver and no upper or lower-level filter drivers.

All raw-mode I/O is done by the bus driver and optional bus filter drivers.

Note, however, that a bus driver does not handle read and write requests for the devices on its bus.

Read and write requests to a device are handled by the device's function driver only. Only if the device

is being used in raw mode does the parent bus driver handle reads and writes for the device.

ok the above extract is from DDK ...now lets see where can i see this happening

here you see that it is for rawtape, rawcdrom, rawdisk (I am using device and driver explorer here )

so how can i reproduce this issue--raw file system reported by chkdsk --we can use dskprobe from http://technet2.microsoft.com/WindowsServer/en/library/006902f1-bae9-4055-9ad2-123ea19006b71033.mspx

and repro this issue ( please do not try this on a production or home machine -you may loose data)

There are two places where we store file system information as seen below

1 MBR partition Table

2 Volumes' boot sector

When the file system information provided on these 2 sectors of disk is not good you may see chkdsk reporting raw file

system (though the data is still there)

A Raw volume is a volume that was never formatted and does not contain a File System

http://support.microsoft.com/kb/929662

so just to play i did same on my test machine and removed OEM ID string on D drives Volume boot sector and yes this is

my production machine containing lots of data, Now when i try to access D drive it asks do you want to format it...

..Of course NOT

As if we format we will lose all the data on D drive.

I tried running Chkdsk and you can see results below. It says, type of File System is raw. Chkdsk is not available for raw drives.

I reversed my changes using dskprobe again (added NTFS IN OEM ID string) and Yes my data is back and D drive is accessible.

===========================

Gaurav Anand

This posting is provided "AS IS" with no warranties, and confers no rights.

NTFS Time Stamps --file created in 1601, modified in 1801 and accessed in 2008!!

ganand — Tue, 19 Feb 2008 21:12:17 GMT

Technorati Tags: NTFS

So many times we have seen Server Admins asking how to figure out whether someone accessed there

files or not or is it possible to play with NTFS time stamps or how exactly time stamps change and under

what scenarios. I have heard of this issue a lot and seen people enquiring on same, so i though lets play

with a test notepad file and see what Time stamps i can change and then what really happens in MFT.

To read more about Time stamps please refer the following public links.

========================

"How NTFS Works" (http://technet2.microsoft.com/WindowsServer/en/library/8cc5891d-bf8e-4164-862d-dac5418c59481033.mspx?mfr=true)

http://technet2.microsoft.com/WindowsServer/en/Library/80dc5066-7f13-4ac3-8da8-48ebd60b44471033.mspx?mfr=true

Description of NTFS date and time stamps for files and folders

http://support.microsoft.com/kb/299648

Time Stamps Change When Copying From NTFS to FAT

http://support.microsoft.com/kb/127830

========================

In quick short words

Last modified time relates to the last time an application modified the unnamed data attribute—what we

normally think of as “the file.”

Last entry modified stamp relates to an update or modification of any attribute—data, metadata, named streams, etc.

Last access is updated by activity involving a file, but the stamp is not updated unless the last access occurs

after a certain amount of time from the last update of the last access stamp.

Two metadata attributes of interest to investigators in the NTFS file system are the Master File Table (MFT)

$STANDARD_INFO and $FILE_NAME. Both attributes contain their own entry last modified timestamps. The

MFT $STANDARD_INFO attribute contains general information about a file such as flags, last accessed,

written, created times, owner, and security ID. The MFT $FILE_NAME attribute contains file name in Unicode,

and also the last accessed, written and created times.

We have four time stamps…M MODIFIED….A ACESSED…….C CREATED…E ENTRY MODIFED…known as MACE too sometimes.

so I created a test notepad file with the name ntfs.txt and i used a 3rd party utility timestomp.exe (from http://www.metasploit.com/projects/antiforensics/ ) to change the attributes of my file which was otherwise

created today i.e. 19th feb, 2008.

C:\>TimeStomp ntfs.txt -c "Monday 7/25/1601 5:15:55 AM"

C:\>TimeStomp ntfs.txt -m "Monday 7/25/1701 5:15:55 AM"

C:\>TimeStomp ntfs.txt -a "Monday 7/25/1801 5:15:55 AM"

------------------------------------------------

now i checked in explorer and to my surprise I have a file which was created in year 1601 (much before i was born,NTFS

file system was born, computers were born) wow!!

Now i used another tool named NFI ( http://support.microsoft.com/kb/q253066/ ) to see the attributes and grab the

file record segment of the file ntfs.txt

------------------------------------

C:\Documents and Settings\ganand\Desktop\mike\ntfs\tools>nfi c:\ntfs.txt

NTFS File Sector Information Utility.

\ntfs.txt

$STANDARD_INFORMATION (resident)

$FILE_NAME (resident)

$DATA (resident)

I haven't wrote anything in the ntfs.txt till now and that why i don't see an $OBJECT_ID entry..so i wrote some garbage

text in it and saved it.

C:\Documents and Settings\ganand\Desktop\mike\ntfs\tools>nfi c:\ntfs.txt

NTFS File Sector Information Utility.

\ntfs.txt

$STANDARD_INFORMATION (resident)

$FILE_NAME (resident)

$OBJECT_ID (resident)

$DATA (resident)

aaaah now i see $OBJECT_ID attribue too (The $OBJECT_ID attribute has a type identifier of 64 and stores a file's

128-bit global object identifier that can be used to address the file instead of its name. This allows a file to be found

even when its name is changed.)

but the problem is i need to find out where on disk (on which sector) this file is being written to and NFI is not giving

me any output for same....what to do????

ohh i figured out that all the attributes and specially data attribute is resident..so i filled lot of garbage data in ntfs.txt and save it.

tried NFI again and finally got what i was looking for---------------

C:\Documents and Settings\ganand\Desktop\mike\ntfs\tools>nfi c:\ntfs.txt

NTFS File Sector Information Utility.

\ntfs.txt

$STANDARD_INFORMATION (resident)

$FILE_NAME (resident)

$OBJECT_ID (resident)

$DATA (nonresident)

logical sectors 88364256-88364263 (0x54454e0-0x54454e7)

logical sectors 115305560-115305567 (0x6df6c58-0x6df6c5f)

------------------------------

now from sector I can get the File record segment of this file-------------------

C:\Documents and Settings\ganand\Desktop\mike\ntfs\tools>nfi c: 88364256

NTFS File Sector Information Utility.

***Logical sector 88364256 (0x54454e0) on drive C is in file number 44650.------------converting into hexa decimal

------------AE6A------44650

\ntfs.txt

$STANDARD_INFORMATION (resident)

$FILE_NAME (resident)

$OBJECT_ID (resident)

$DATA (nonresident)

logical sectors 88364256-88364263 (0x54454e0-0x54454e7)

logical sectors 115305560-115305567 (0x6df6c58-0x6df6c5f)

----------------------------

Now i wanted to look at the attributes using another NTFS utility------------------------------

STANDARD_INFORMATION {

CreationTime :0x0000a114ff05fb80 07/24/1601 23:45:55.0000-------------------though this makes sense

LastModificationTime :0x01c872de3753158f 02/19/2008 10:00:11.0655-----------------why this --aaah because

i have added data into ntfs.txt after using timestomp so it again changed the modification time stamp-----now makes sense

LastChangeTime :0x01c872de3753158f 02/19/2008 10:00:11.0655--------------

LastAccessTime :0x01c872de3753158f 02/19/2008 10:00:11.0655---------------

FileAttributes :0x00000020

MaximumVersions :0x00000000

VersionNumber :0x00000000

ClassId :0x00000000

OwnerId :0x00000000

SecurityId :0x000002fd

QuotaCharged :0x0000000000000000

Usn :0x000000004a5e3e78

}

_ATTRIBUTE_RECORD_HEADER {

ATTRIBUTE_TYPE_CODE TypeCode :0x00000030 ($FILE_NAME)

ULONG RecordLength :0x00000070

UCHAR FormCode :0x00

UCHAR NameLength :0x00

USHORT NameOffset :0x0000 ""

USHORT Flags :0x0000

USHORT Instance :0x0004

RESIDENT_FORM {

ULONG ValueLength :0x0052

USHORT ValueOffset :0x0018

UCHAR ResidentFlags :0x0001

UCHAR Reserved :0x0000

}

FILE_NAME {

ParentDirectory Frs, Seq < 5 , 5 >

DUPLICATED_INFORMATION Info {

CreationTime :01c872da933c2514 02/19/2008 09:34:07.0868--------------------//////this never changed////

LastModificationTime :01c872da933c2514 02/19/2008 09:34:07.0868

LastChangeTime :01c872da933c2514 02/19/2008 09:34:07.0868

LastAccessTime :01c872da933c2514 02/19/2008 09:34:07.0868

AllocatedLength :0000000000000000

FileSize :0000000000000000

FileAttributes :00000020

--------------------------------------------------

lets do once again

C:\>TimeStomp ntfs.txt -a "Monday 7/25/1801 5:15:55 AM"

C:\>TimeStomp ntfs.txt -m "Monday 7/25/1801 5:15:55 AM"

----------------------

STANDARD_INFORMATION {

CreationTime :0x0000a114ff05fb80 07/24/1601 23:45:55.0000----------------------------

LastModificationTime :0x00e0da734e1ffb80 07/24/1801 23:45:55.0000---------------------------

LastChangeTime :0x01c872de3753158f 02/19/2008 10:00:11.0655----------------------------

LastAccessTime :0x00e0da734e1ffb80 07/24/1801 23:45:55.0000-----------------------

FileAttributes :0x00000020

MaximumVersions :0x00000000

VersionNumber :0x00000000

ClassId :0x00000000

OwnerId :0x00000000

SecurityId :0x000002fd

QuotaCharged :0x0000000000000000

Usn :0x000000004a5e8828

FILE_NAME {

ParentDirectory Frs, Seq < 5 , 5 >

DUPLICATED_INFORMATION Info {

CreationTime :01c872da933c2514 02/19/2008 09:34:07.0868--------------------------------THEY NEVER CHANGED

LastModificationTime :01c872da933c2514 02/19/2008 09:34:07.0868----------------------------------

LastChangeTime :01c872da933c2514 02/19/2008 09:34:07.0868------------------------------

LastAccessTime :01c872da933c2514 02/19/2008 09:34:07.0868-----------------------------------

AllocatedLength :0000000000000000

FileSize :0000000000000000

FileAttributes :00000020

============

If I undesrtand right FN mace values should be older than SIA mace values or same depending on different scenarios. But how easy it was to play with these time stamps on ntfs.txt file!!

===========================

Gaurav Anand

This posting is provided "AS IS" with no warranties, and confers no rights.

What happens and parameters passed when a new process is created

ganand — Fri, 15 Feb 2008 17:56:00 GMT

Via this blog I have just tried to show What exactly happens when a new process is created and what all structures are required and parameters

passed to that process.

What ever mentioned below is all extracted from different places of windows SDK and I have tried to forward a easy picture for understanding

purpose.

The CreateProcessAsUser function creates a new process and its primary thread. The new process then runs the specified executable file.

There are other functions also for creating process like CreateProcess and CreateprocessWithLogonW but I have chosen

CreateProcessAsUser one to explain.

BOOL CreateProcessAsUser(

  HANDLE hToken,

  LPCTSTR lpApplicationName,

  LPTSTR lpCommandLine,

  LPSECURITY_ATTRIBUTES lpProcessAttributes,

  LPSECURITY_ATTRIBUTES lpThreadAttributes,

  BOOL bInheritHandles,

  DWORD dwCreationFlags,

  LPVOID lpEnvironment,

  LPCTSTR lpCurrentDirectory,

  LPSTARTUPINFO lpStartupInfo,

  LPPROCESS_INFORMATION lpProcessInformation

);

Now a little explained version in regards to all the parameters passed to the function CreateProcessAsUser

BOOL CreateProcessAsUser(

  HANDLE hToken,-------------- Handle to a primary token that represents a user.

  LPCTSTR lpApplicationName,------------ Pointer to a null-terminated string that specifies the module to execute.

 The specified module can be a Windows-based application.

  LPTSTR lpCommandLine, --------Pointer to a null-terminated string that specifies the command line to execute.

If both lpApplicationName and lpCommandLine are non-NULL, *lpApplicationName specifies the module to execute,

and *lpCommandLine specifies the command line.

  LPSECURITY_ATTRIBUTES lpProcessAttributes,------------- Pointer to a SECURITY_ATTRIBUTES structure that specifies

 a security descriptor for the new process and determines whether child processes can inherit the returned handle. If lpProcessAttributes

is NULL or lpSecurityDescriptor  is NULL, the process gets a default security descriptor and the handle cannot be inherited.

The default security descriptor is that of the user referenced in the hToken parameter. This security descriptor may not allow access for the caller,

in which case the process may not be opened again after it is run. The process handle is valid and will continue to have full access rights.

lpSecurityDescriptor

A pointer to a security descriptor for the object that controls the sharing of it. If NULL is specified for this member, the object

is assigned the default security descriptor of the calling process. This is not the same as granting access to everyone by

assigning a NULL discretionary access control list (DACL). The default security descriptor is based on the default DACL of

the access token belonging to the calling process. By default, the default DACL in the access token of a process allows access

only to the user represented by the access token. If other users must access the object, you can either create a security

descriptor with the appropriate access, or add ACEs to the DACL that grants access to a group of users.

  LPSECURITY_ATTRIBUTES lpThreadAttributes, ---Pointer to a SECURITY_ATTRIBUTES structure that specifies a security descriptor

 for the new process and determines whether child processes can inherit the returned handle. If lpThreadAttributes is NULL or

 lpSecurityDescriptor is NULL, the thread gets a default security descriptor and the handle cannot be inherited. The default security

 descriptor is that of the user referenced in the hToken parameter. This security descriptor may not allow access for the caller.

  BOOL bInheritHandles,----- If this parameter is TRUE, each inheritable handle in the calling process is inherited by the new process.

If the parameter is FALSE, the handles are not inherited. Note that inherited handles have the same value and access rights as the original handles.

  DWORD dwCreationFlags,--- control the priority class and the creation of the process.

The GetPriorityClass function retrieves the priority class for the specified process. This value, together with the priority value of each thread

of the process, determines each thread's base priority level. The operating system uses the base priority level of all executable threads to

determine which thread gets the next slice of CPU time. Threads are scheduled in a round-robin fashion at each priority level, and only when

there are no executable threads at a higher level will scheduling of threads at a lower level take place.

  LPVOID lpEnvironment,------ Pointer to an environment block for the new process. If this parameter is NULL, the new process uses

 the environment of the calling process.

  LPCTSTR lpCurrentDirectory,------------ Pointer to a null-terminated string that specifies the full path to the current directory for

 the process. If this parameter is NULL, the new process will have the same current drive and directory as the calling process.

  LPSTARTUPINFO lpStartupInfo,---------- Pointer to a STARTUPINFO structure that specifies the window station, desktop, standard

 handles, and appearance of the main window for the new process.

For graphical user interface (GUI) processes, this information affects the first window created by the CreateWindow function and

shown by the ShowWindow function. For console processes, this information affects the console window if a new console is created

 for the process.  A process can use the GetStartupInfo function to retrieve the STARTUPINFO structure specified when the process

 was created.

  LPPROCESS_INFORMATION lpProcessInformation-----------Pointer to a PROCESS_INFORMATION structure that receives identification

information about the new process. This structure contains information about the newly created process and its primary thread.

 typedef struct _PROCESS_INFORMATION {

  HANDLE hProcess;

  HANDLE hThread;

  DWORD dwProcessId;

  DWORD dwThreadId;

} PROCESS_INFORMATION,

*LPPROCESS_INFORMATION;

If the function succeeds, be sure to call the CloseHandle function to close the hProcess and hThread handles when you are finished with them.

Otherwise, when the child process exits, the system cannot clean up these handles because the parent process did not close them.

However, the system will close these handles when the parent process terminates, so they would be cleaned up at this point.

);

By default, CreateProcessAsUser creates the new process on a noninteractive window station with a desktop that is not visible and cannot

receive user input. To enable user interaction with the new process, you must specify the name of the default interactive window station and

desktop, "winsta0\default",in the lpDesktop member of the STARTUPINFO structure.

The preferred way to shut down a process is by using the ExitProcess function, because this function sends notification of approaching

termination to all DLLs attached to the process. Other means of shutting down a process do not notify the attached DLLs. Note that when

a thread calls ExitProcess, other threads of the process are terminated without an opportunity to execute any additional code (including

the thread termination code of attached DLLs).

PLEASE LEVEAGE THE WINDOWS SDK FOR MORE ON SAME.

===========================

Gaurav Anand

This posting is provided "AS IS" with no warranties, and confers no rights.

Few public links giving an insight on Windows Internal Architecture.

ganand — Sat, 26 Jan 2008 15:51:00 GMT

A few favorite links of mine on Windows Architecture..Hope you will like reading them..

http://www.osronline.com/

http://www.windowsitlibrary.com/Documents/Book.cfm?DocumentID=356

http://www.jps.at/dev/kurs/3-23.html

http://blogs.msdn.com/ntdebugging/archive/tags/Debugging/default.aspx

http://bcs.wiley.com/he-bcs/Books?action=resource&bcsId=2217&itemId=0471694665&resourceId=5004

http://uninformed.org/index.cgi?v=8&a=5&p=1

===========================

Gaurav Anand

This posting is provided "AS IS" with no warranties, and confers no rights.

Internal structures of the Windows Registry

ganand — Sat, 05 Jan 2008 20:24:00 GMT

One of the best public document which talks about Registry internals is by Mark Russinovich and I will recommend same before you go ahead with this article.

http://www.microsoft.com/technet/archive/winntas/tips/winntmag/inreg.mspx?mfr=true

Make sure before proceeding ahead you go through Mark's Article.

Ok..so now as you have read that article..you know how registry is broken into blocks, bins, cells and stored in memory or disk.

Now lets see the same via Live debugger and see the same structures.....

0: kd> !reg hivelist

-------------------------------------------------------------------------------------------------------------

-------------------------------------------------------------------------------------------------------------

| e1008950 | 1000 | e10089b0 | 1000 | e1008aec | 0 | 0 | 0| e1014000 | <NONAME>

| e1019458 | 364000 | e1021000 | 24000 | e10195f4 | 166 | 0 | 0| e101e000 | SYSTEM

| e1392008 | b000 | e1392068 | 4000 | e13921a4 | 0 | 0 | 0| e1393000 | <NONAME>

| e2081a80 | f000 | e2081ae0 | 1000 | e2081c1c | 4 | 0 | 0| e2063000 | emRoot\System32\Config\SECURITY

| e1626a80 | 3b000 | e1626ae0 | 1000 | e1626c1c | 15 | 0 | 0| e205b000 | temRoot\System32\Config\DEFAULT

| e1484008 | 8000 | e1484068 | 0 | 00000000 | 3 | 0 | 0| e1669000 | \SystemRoot\System32\Config\SAM

| e162fa80 | 1d9a000 | e1666000 | 1d000 | e162fc1c | 255 | 0 | 0| e1ff9000 | emRoot\System32\Config\SOFTWARE

| e24cc830 | 35000 | e24cc890 | 1000 | e24cc9cc | 14 | 0 | 0| e251d000 | tings\NetworkService\ntuser.dat

| e24c81a8 | 1000 | e24c8208 | 0 | 00000000 | 1 | 0 | 0| e2523000 | \Microsoft\Windows\UsrClass.dat

| e253d798 | 35000 | e253d7f8 | 1000 | e253d934 | 14 | 0 | 0| e254c000 | ettings\LocalService\ntuser.dat

| e2551008 | 1000 | e2551068 | 0 | 00000000 | 1 | 0 | 0| e2552000 | \Microsoft\Windows\UsrClass.dat

| e24fd0c0 | 2cb000 | e2ff8000 | 2000 | e24fd25c | 159 | 0 | 0| e24f9000 | and Settings\ganand\ntuser.dat

| e302e008 | 9000 | e302e068 | 0 | 00000000 | 3 | 0 | 0| e309d000 | \Microsoft\Windows\UsrClass.dat

-------------------------------------------------------------------------------------------------------------

I dumped out the hive lists on my machine..as registry is maintained as hives and not what we see when we open regedit..thats only visual registry. we see the address of the system hive right now loaded in kernel mode as you can figure out from address.

Now we dumped the system hive

0: kd> dt nt!hhive e1019458

nt!HHIVE

+0x000 Signature : 0xbee0bee0

+0x004 GetCellRoutine : 0x8092d3ef nt!HvpGetCellMapped+0

+0x008 ReleaseCellRoutine : 0x8093db9d nt!HvpReleaseCellMapped+0

+0x00c Allocate : 0x8091f642 nt!CmpAllocate+0

+0x010 Free : 0x8091f68d nt!CmpFree+0

+0x014 FileSetSize : 0x8091e608 nt!CmpFileSetSize+0

+0x018 FileWrite : 0x8092798f nt!CmpFileWrite+0

+0x01c FileRead : 0x808f6320 nt!CmpFileRead+0

+0x020 FileFlush : 0x80927615 nt!CmpFileFlush+0

+0x024 BaseBlock : 0xe101e000 _HBASE_BLOCK

+0x028 DirtyVector : _RTL_BITMAP

+0x030 DirtyCount : 0

+0x034 DirtyAlloc : 0x364

+0x038 BaseBlockAlloc : 0x1000

+0x03c Cluster : 1

+0x040 Flat : 0 ''

+0x041 ReadOnly : 0 ''

+0x042 Log : 0x1 ''

+0x043 DirtyFlag : 0x1 ''

+0x044 HiveFlags : 0

+0x048 LogSize : 0x400

+0x04c RefreshCount : 0

+0x050 StorageTypeCount : 2

+0x054 Version : 5

+0x058 Storage : [2] _DUAL

0: kd> dt nt!cmhive e1019458

nt!CMHIVE

+0x000 Hive : _HHIVE

+0x2d0 FileHandles : [3] 0x8000031c--------------------------------------handles to the hive

+0x2dc NotifyList : _LIST_ENTRY [ 0xe139b678 - 0x0 ]

+0x2e4 HiveList : _LIST_ENTRY [ 0xe13922ec - 0xe1008c34 ]

+0x2ec HiveLock : _EX_PUSH_LOCK

+0x2f0 ViewLock : 0x89b8f1a8 _KGUARDED_MUTEX

+0x2f4 WriterLock : _EX_PUSH_LOCK

+0x2f8 FlusherLock : _EX_PUSH_LOCK

+0x2fc SecurityLock : _EX_PUSH_LOCK

+0x300 LRUViewListHead : _LIST_ENTRY [ 0xe34b4598 - 0xe359d690 ]

+0x308 PinViewListHead : _LIST_ENTRY [ 0xe1019760 - 0xe1019760 ]

+0x310 FileObject : 0x89835df8 _FILE_OBJECT--------------------address of the file object

+0x314 FileFullPath : _UNICODE_STRING "\Device\HarddiskVolume1\WINNT\system32\config\system"------------------path on disk

+0x31c FileUserName : _UNICODE_STRING ""

+0x324 MappedViews : 0xa6

+0x326 PinnedViews : 0

+0x328 UseCount : 0

+0x32c SecurityCount : 0x5b

+0x330 SecurityCacheSize : 0x60

+0x334 SecurityHitHint : 13

+0x338 SecurityCache : 0xe1391d00 _CM_KEY_SECURITY_CACHE_ENTRY

+0x33c SecurityHash : [64] _LIST_ENTRY [ 0xe1020138 - 0xe1020138 ]

+0x53c UnloadEvent : (null)

+0x540 RootKcb : (null)

+0x544 Frozen : 0 ''

+0x548 UnloadWorkItem : (null)

+0x54c GrowOnlyMode : 0 ''

+0x550 GrowOffset : 0

+0x554 KcbConvertListHead : _LIST_ENTRY [ 0xe10199ac - 0xe10199ac ]

+0x55c KnodeConvertListHead : _LIST_ENTRY [ 0xe10199b4 - 0xe10199b4 ]

+0x564 CellRemapArray : (null)

+0x568 Flags : 0

+0x56c TrustClassEntry : _LIST_ENTRY [ 0xe10199c4 - 0xe10199c4 ]

+0x574 FlushCount : 0x5a1

+0x578 CreatorOwner : (null)

Now lets go to the storage...

0: kd> dt nt!hhive e1019458 storage.

nt!HHIVE

Cannot find specified field members.

0: kd> dt nt!hhive e1019458 Storage.

nt!HHIVE

+0x050 StorageTypeCount : 2

+0x058 Storage : [2]

+0x000 Length : 0x364000

+0x004 Map : 0xe1021000 _HMAP_DIRECTORY---map directory used by configuration manager..this is equivalent to PDE in terms of memory management

+0x008 SmallDir : (null)

+0x00c Guard : 0xffffffff

+0x010 FreeDisplay : [24] _FREE_DISPLAY

+0x130 FreeSummary : 0x100a5f

+0x134 FreeBins : _LIST_ENTRY [ 0xe10195e4 - 0xe10195e4 ]---free bins for this hive

0: kd> dt 0xe1021000 _HMAP_DIRECTORY

+0x000 Directory : [1024] 0xe1022000 _HMAP_TABLE---so first we went to hive directory address and from there we figured out hive table address and from there we got block offset. In this case cell index in configuration manager is equivalent to PFN in case of memory manager.

0: kd> dt 0xe1022000 _HMAP_TABLE

+0x000 Table : [512] _HMAP_ENTRY

0: kd> dt 0xe1021000 _HMAP_ENTRY

+0x000 BlockAddress : 0xe1022000-----------------

+0x004 BinAddress : 0xe1024000---------------------------

+0x008 CmView : (null)

+0x00c MemAlloc : 0

So now we have reached to the block and inside the block we have reached to the bin….from here we will go to that cell…

Now just to prove that we are on right track..let me achieve the same via debugger ….for that we have !reg cellindex

0: kd> !reg baseblock e1019458

FileName : SYSTEM

Signature: HBASE_BLOCK_SIGNATURE

Sequence1: 1a0f

Sequence2: 1a0f

TimeStamp: 1c84fa5 ac4d292c

Major : 1

Minor : 5

Type : HFILE_TYPE_PRIMARY

Format : HBASE_FORMAT_MEMORY

RootCell : 20

Length : 364000

Cluster : 1

CheckSum : 346bbc65

0: kd> !reg cellindex e1019458 20

Map = e1021000 Type = 0 Table = 0 Block = 0 Offset = 20

MapTable = e1022000

pcell: de441024--------------this is the address of the cell

==========

Gaurav Anand

This posting is provided "AS IS" with no warranties, and confers no rights.

Windows Vista Address Space Load Randomization - The way vista loads DLL's

ganand — Fri, 04 Jan 2008 23:50:00 GMT

Lets talk about what is a Dll and why we need it first ... dynamic-link library (DLL) is shared code and data that an application can load and call at run time. A DLL typically exports a set of routines for applications to use and contains other routines for internal use. This technique enables code reuse by allowing multiple applications to share common functionality in a library and load it on demand. Advantages of using DLLs include reduced code footprint, lower memory utilization due to single-copy-sharing and much more.

The original purpose for DLLs was saving both disk space and memory required for Windows applications by sharing a single library between two loaded programs. In a conventional non-shared library, sections of code are simply added to the calling program when its executable is built at the linking phase; if two programs use the same routine, the code has to be included in both. Instead, code which multiple applications share can be separated into a DLL which only exists as a single, separate file, loaded only once into memory during usage. Extensive use of DLLs allowed early versions of Windows to work under tight memory conditions, in an environment in which all programs shared the same address space,

How these Dll's and exe files are loaded?

This is done by Loader. Loader is the part of an operating system that is responsible for loading programs from executables (i.e., executable files) into memory, preparing them for execution and then executing them. The loader is usually a part of the Operating system's kernel and usually is loaded at system boot time and stays in memory until the system is rebooted, shut down, or powered off.

http://support.microsoft.com/kb/100635

Now what is the change in vista and what is this Address space load randomization?

Let’s see it practically

I attached debugger with msiexec.exe and we see the loaded modules below.

Before reboot In windows vista

CommandLine: C:\Windows\System32\msiexec.exe

Symbol search path is: SRV*C:\WINDOWS\Symbols*\\symbols\symbols

Executable search path is:

ModLoad: 00ab0000 00ac4000 msiexec.exe

ModLoad: 772c0000 773de000 ntdll.dll

ModLoad: 771e0000 772b8000 C:\Windows\system32\kernel32.dll

ModLoad: 768e0000 7699f000 C:\Windows\system32\ADVAPI32.dll

ModLoad: 769a0000 76a63000 C:\Windows\system32\RPCRT4.dll

ModLoad: 76ed0000 76f6e000 C:\Windows\system32\USER32.dll

ModLoad: 76a70000 76abb000 C:\Windows\system32\GDI32.dll

ModLoad: 76f70000 7701a000 C:\Windows\system32\msvcrt.dll

ModLoad: 76790000 768d4000 C:\Windows\system32\ole32.dll

ModLoad: 72950000 72b54000 C:\Windows\System32\msi.dll-----------------------------In legacy OS scenario …if I want to write a bad code…or want to modify something on your machine..i know that msi.dll is going to load here every time + even if I am not going to use this dll later, I m going to keep this address for msi.dll once it is loaded but in vista due to address space load randomization, I will unload/reload it later at some other address…and when I am not using this dll..i need not to reserve the address for it. BENEFIT:----the same address can be used by next dll which is going to load… creating larger regions of free memory for contiguous memory allocations, reducing the number of page tables the memory manager allocates to keep track of address-space layout.

After reboot

=========

Executable search path is:

ModLoad: 005b0000 005c4000 msiexec.exe

ModLoad: 77540000 7765e000 ntdll.dll

ModLoad: 763e0000 764b8000 C:\Windows\system32\kernel32.dll

ModLoad: 776c0000 7777f000 C:\Windows\system32\ADVAPI32.dll

ModLoad: 75ed0000 75f93000 C:\Windows\system32\RPCRT4.dll

ModLoad: 769d0000 76a6e000 C:\Windows\system32\USER32.dll

ModLoad: 764c0000 7650b000 C:\Windows\system32\GDI32.dll

ModLoad: 767c0000 7686a000 C:\Windows\system32\msvcrt.dll

ModLoad: 76290000 763d4000 C:\Windows\system32\ole32.dll

ModLoad: 72c40000 72e44000 C:\Windows\System32\msi.dll-----------------------------------address have changed--dynamically loaded

Later I did similar test on win2k3 machine for notepad.exe and we see dll load at same address even after reboot

Before reboot

Executable search path is:

ModLoad: 01000000 01014000 C:\WINNT\system32\notepad.exe

ModLoad: 7c800000 7c8c0000 C:\WINNT\system32\ntdll.dll

ModLoad: 77e40000 77f42000 C:\WINNT\system32\kernel32.dll

ModLoad: 762b0000 762f9000 C:\WINNT\system32\comdlg32.dll

ModLoad: 77ba0000 77bfa000 C:\WINNT\system32\msvcrt.dll

ModLoad: 77da0000 77df2000 C:\WINNT\system32\SHLWAPI.dll

ModLoad: 77c00000 77c48000 C:\WINNT\system32\GDI32.dll

ModLoad: 77380000 77411000 C:\WINNT\system32\USER32.dll

ModLoad: 77f50000 77feb000 C:\WINNT\system32\ADVAPI32.dll

ModLoad: 77c50000 77cef000 C:\WINNT\system32\RPCRT4.dll

ModLoad: 76f50000 76f63000 C:\WINNT\system32\Secur32.dll

ModLoad: 77420000 77523000 C:\WINNT\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.3790.3959_x-ww_D8713E55\COMCTL32.dll

ModLoad: 7c8d0000 7d0cf000 C:\WINNT\system32\SHELL32.dll

ModLoad: 73070000 73097000 C:\WINNT\system32\WINSPOOL.DRV

ModLoad: 4b3c0000 4b410000 C:\WINNT\system32\MSCTF.dll

ModLoad: 71b70000 71ba6000 C:\WINNT\system32\UxTheme.dll

After reboot

==============

Executable search path is:

ModLoad: 01000000 01014000 C:\WINNT\system32\notepad.exe

ModLoad: 7c800000 7c8c0000 C:\WINNT\system32\ntdll.dll

ModLoad: 77e40000 77f42000 C:\WINNT\system32\kernel32.dll

ModLoad: 762b0000 762f9000 C:\WINNT\system32\comdlg32.dll

ModLoad: 77ba0000 77bfa000 C:\WINNT\system32\msvcrt.dll

ModLoad: 77da0000 77df2000 C:\WINNT\system32\SHLWAPI.dll

ModLoad: 77c00000 77c48000 C:\WINNT\system32\GDI32.dll

ModLoad: 77380000 77411000 C:\WINNT\system32\USER32.dll

ModLoad: 77f50000 77feb000 C:\WINNT\system32\ADVAPI32.dll

ModLoad: 77c50000 77cef000 C:\WINNT\system32\RPCRT4.dll

ModLoad: 76f50000 76f63000 C:\WINNT\system32\Secur32.dll

ModLoad: 77420000 77523000 C:\WINNT\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.3790.3959_x-ww_D8713E55\COMCTL32.dll

ModLoad: 7c8d0000 7d0cf000 C:\WINNT\system32\SHELL32.dll

ModLoad: 73070000 73097000 C:\WINNT\system32\WINSPOOL.DRV

ModLoad: 4b3c0000 4b410000 C:\WINNT\system32\MSCTF.dll

ModLoad: 71b70000 71ba6000 C:\WINNT\system32\UxTheme.dll

now i wanted to see that whats the change in msi.dll on win2k3 and vista so i dumped both of them using following command...i knew that there is a new flag on vista msi.dll ......dynamic relocation flag in the header of the msi.dll...but i guess i was not able to see it because link.exe that i was using was not from vista SDK.

C:\Users\ganand\Desktop\internals\TOOLS>link.exe -dump -headers c:\windows\system32\msi.dll

Microsoft (R) COFF/PE Dumper Version 7.10.2179

Dump of file c:\windows\system32\msi.dll

PE signature found

File Type: DLL

FILE HEADER VALUES

14C machine (x86)

5 number of sections

4549BD89 time date stamp Thu Nov 02 15:12:33 2006

0 file pointer to symbol table

0 number of symbols

E0 size of optional header

2102 characteristics

Executable

32 bit word machine

DLL

OPTIONAL HEADER VALUES

10B magic # (PE32)

8.00 linker version

1DAE00 size of code

25200 size of initialized data

0 size of uninitialized data

7B2D entry point (751F7B2D)

1000 base of code

For more information refer to http://www.microsoft.com/technet/technetmag/issues/2007/04/VistaKernel/default.aspx

===============================

Gaurav Anand

This posting is provided "AS IS" with no warranties, and confers no rights.