
Opening Shell in PE


12 replies to this topic

#1 pscEx

pscEx

    Platinum Member

  • Team Reboot
  • 12707 posts
  • Location:Korschenbroich, Germany
  • Interests:What somebody else cannot do.
  •  
    European Union

Posted 27 August 2010 - 04:25 PM

I have the following :)

Two nativeEx XP builds with FBWF differing only in Misc Setting:
  • Open explorer.exe as shell
  • Open cmd.exe as shell
After the builds, the %Target% are identical, besides the explorer/cmd entries in registry.

Maybe it should be mentioned that Misc Settings starts primarily PELoader as shell, which then loads Explorer / Cmd.

In Explorer shell, FBWF works with "Echo bla > x"
In Cmd shell, "Echo bla > x" gives the error "access denied". IMO that means, the disk is not writable, or better: fbwf cannot / does not buffer.

"net start fbwf " does not help.
Next "net start fbwf" brings the message that the service is already running.

IMO, starting the shell, does some magic actions.

To avoid Wonko's "yes", I do not ask "Does somebody know, ..."

My questions:
What are the magic actions?
How can I record them?

Peter

#2 Wonko the Sane

Wonko the Sane

    The Finder

  • Advanced user
  • 14919 posts
  • Location:The Outside of the Asylum (gate is closed)
  •  
    Italy

Posted 27 August 2010 - 05:02 PM

"net start fbwf " does not help.
Next "net start fbwf" brings the message that the service is already running.

HOW is the FBWF service installed?

Maybe you can SC or INSTSRVR or DEVCON it.

The "net start" working the first time should mean that the driver is installed (but not running), but are all the (whatever) settings needed for FBWF in the Registry?

Or, in other words, would explorer automatically create "links" or "Re

#3 pscEx


Posted 28 August 2010 - 12:55 PM

Here the console output when PELoader launches explorer.exe
FBWF_explorer.gif
And here when launching cmd.exe
FBWF_cmd.gif
For me the final status looks identical.

Peter

#4 Wonko the Sane


Posted 28 August 2010 - 12:59 PM

For me the final status looks identical.

Yes. :) ;)

What happens if you kill the cmd.exe session? (it should re-start automatically since it is designated as "shell") :cheers:

Could it be some kind of dependency on another driver/service (that Explorer auto-starts and cmd.exe doesn't - just like it seems like happening to FBWF?)

:)
Wonko

#5 pscEx


Posted 28 August 2010 - 01:29 PM

What happens if you kill the cmd.exe session? (it should re-start automatically since it is designated as "shell") ;)

Could it be some kind of dependency on another driver/service (that Explorer auto-starts and cmd.exe doesn't - just like it seems like happening to FBWF?)

#1: Kill reboots emulator and real CD.
#2 was exactly my question post #1:

IMO, starting the shell, does some magic actions.

My questions:
What are the magic actions?
How can I record them?

Peter

#6 Wonko the Sane


Posted 28 August 2010 - 01:52 PM

#1: Kill reboots emulator and real CD.

This is "strange", maybe it is a behaviour "PE peculiar", this is the way I use in XPCLI to load bblean.

Any "DependonService" in the Registry?
http://support.micro...kb/193888/en-us
http://www.windowsne...pendencies.html

;)
Wonko

#7 Rui Paz

Rui Paz

    Frequent Member

  • Advanced user
  • 201 posts
  •  
    Portugal

Posted 28 August 2010 - 01:54 PM

Here the console output when PELoader launches explorer.exe
FBWF_explorer.gif
And here when launching cmd.exe
FBWF_cmd.gif
For me the final status looks identical.

Peter


Hi,

Based on the screenshots, it seems to me that you are not doing the exact same test on both builds: on the first you are trying to write on drive R: and on the second on drive X:. If I'm not wrong, R: is the RAM drive, so it must be writable.

Maybe the fact that some path is missing can cause this problem with FBWF.
___
Rui Paz

#8 pscEx


Posted 28 August 2010 - 02:15 PM

Thanks!

I did not realize that! ;)

I'm going to check everything again.

Peter

#9 pscEx


Posted 28 August 2010 - 05:27 PM

Now test with cd to X:
No difference.

Peter

#10 pscEx


Posted 29 August 2010 - 01:20 PM

I found it! ;)

IMO, starting the shell, does some magic actions.
What are the magic actions?

Starting explorer.exe processes the registry RunOnce ... entries.
That is not done when starting cmd.exe.

rundll32 iernonce.dll,RunOnceExProcess
Solves the issue

Peter
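
One way to record what the command in the post above changes, as an added example that is not part of the original thread: a batch script that snapshots the HKLM RunOnce and RunOnceEx keys before and after the call and compares the two. It assumes reg.exe and fc.exe are present in the PE build and that R: is a writable RAM drive; the output folder name is hypothetical.

```bat
@echo off
rem Added example, not from the thread: record the RunOnce / RunOnceEx
rem entries present before and after the rundll32 call from the post.
rem Assumptions: reg.exe and fc.exe exist in the build, R: is writable.
setlocal
set "OUT=R:\runonce-trace"
set "BASE=HKLM\Software\Microsoft\Windows\CurrentVersion"
if not exist "%OUT%" mkdir "%OUT%"

call :snapshot "%OUT%\before.txt"
rem start /wait blocks until rundll32 has finished its processing
start /wait rundll32.exe iernonce.dll,RunOnceExProcess
call :snapshot "%OUT%\after.txt"

rem Lines present only in before.txt are entries removed by the call
fc "%OUT%\before.txt" "%OUT%\after.txt" > "%OUT%\diff.txt"
if errorlevel 1 (
    echo Entries changed, see %OUT%\diff.txt
) else (
    echo No RunOnce or RunOnceEx entries changed.
)
endlocal
goto :eof

:snapshot
rem %1 = output file. One section per key; a missing key is noted, not fatal.
> "%~1" echo Snapshot of RunOnce keys
for %%K in (RunOnce RunOnceEx) do (
    >> "%~1" echo [%BASE%\%%K]
    reg query "%BASE%\%%K" /s >> "%~1" 2>nul || echo   key absent >> "%~1"
)
goto :eof
```

Running it once in the cmd.exe build and keeping before.txt gives a list of the pending entries that the Explorer build would have had at shell start.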

#11 Wonko the Sane


Posted 29 August 2010 - 01:47 PM

Good :cheers:, but this looks like a workaround, according to:
http://dll.paretolog...il.php/iernonce
http://www.win7dll.i...rnonce_dll.html
http://www.msfn.org/...showtopic=19492
http://www.boot-land...?showtopic=4929
it could be that the "missing step" is not really iernonce.dll, but one of its dependencies or Registry keys....:cheers:

Maybe there is another way to run the same "keys" without needing this .dll? ;)


:cheers:
Wonko

#12 pscEx


Posted 31 August 2010 - 03:42 PM

Thanks, Wonko!

Currently I only can repeat in my bad English, what an old Greek said: "I know that I know nothing ..."

This "RunOnce" seems not to solve all issues. I found situations where FBWF did not work. It really seems to depend on Explorer INSTALLED.

I postponed (for me) a deeper investigation.

Peter

#13 Wonko the Sane


Posted 31 August 2010 - 04:31 PM

Currently I only can repeat in my bad English, what an old Greek said: "I know that I know nothing ..."

Which makes a nice, round, TWO of us! :cheers:

;)
Wonko



