Jump to content











Photo
- - - - -

Mounting Windows 8.1 disk from EWF

imdisk windows 8.1 inaccessible

  • Please log in to reply
45 replies to this topic

#26 Olof Lagerkvist

Olof Lagerkvist

    Gold Member

  • Developer
  • 1415 posts
  • Location:Borås, Sweden
  •  
    Sweden

Posted 17 April 2014 - 12:34 PM

It was easier than what I thought. All I needed to do was adding:
 
Case "multipartraw"
    Provider = DevioServiceFactory.GetProviderMultiPartRaw(DeviceName, DiskAccess)
to the Select Case statement that begins at line 114. That's it. I will check in this change as soon as possible, but you could try adding these lines yourself meanwhile if you would like to try out your multi-part raw files. :)

#27 theraven1982

theraven1982

    Newbie

  • Members
  • 18 posts
  •  
    Netherlands

Posted 17 April 2014 - 12:42 PM

Yes, it works! Both Logical and Physical Raw images work! 

 

If you ever get bored, here are some ideas:

* specify which partition to mount with an offset, just like with imdisk

* specify which driveletter to use (this may be a pain in the ass to do; if ArsenalImageMounterControl /query outputs which driveletters have been used for which offsets that would be sufficient as well)

 

I think this would make it easier to use AIM in a scripting environment.. 


Edited by theraven1982, 17 April 2014 - 12:53 PM.


#28 Wonko the Sane

Wonko the Sane

    The Finder

  • Advanced user
  • 14957 posts
  • Location:The Outside of the Asylum (gate is closed)
  •  
    Italy

Posted 17 April 2014 - 12:54 PM

@Olof

Yep :thumbsup:

More generally, the good thing about Forums like this one (and exchanging ideas/experiences/whatever through them) is that usually we can - one way or the other - have solutions suitable to both kind of people, i.e. those - like yours truly - that believe in the "less is more" paradigm and at the same time those that think that "latest is better" (and that *need* or *wish* or *likes* to have the very latest mass of bloat).

 

 

:duff:

Wonko


  • Olof Lagerkvist likes this

#29 Olof Lagerkvist

Olof Lagerkvist

    Gold Member

  • Developer
  • 1415 posts
  • Location:Borås, Sweden
  •  
    Sweden

Posted 17 April 2014 - 01:31 PM

ArsenalImageMounterService.exe is now available for download:
https://github.com/A...aster/MountTool
  • misty likes this

#30 Olof Lagerkvist

Olof Lagerkvist

    Gold Member

  • Developer
  • 1415 posts
  • Location:Borås, Sweden
  •  
    Sweden

Posted 17 April 2014 - 02:12 PM

Yes, it works! Both Logical and Physical Raw images work! 
 
If you ever get bored, here are some ideas:
* specify which partition to mount with an offset, just like with imdisk
* specify which driveletter to use (this may be a pain in the ass to do; if ArsenalImageMounterControl /query outputs which driveletters have been used for which offsets that would be sufficient as well)
 
I think this would make it easier to use AIM in a scripting environment..


Thanks for the ideas, but I believe it could possibly turn out to be somewhat complicated...

Arsenal Image Mounter has no knowledge of concepts like drive letters, partitions and similar. All such things are left to disk.sys in Windows to handle. That's what makes it compatible with practically speaking all sorts of partition tables, filesystems and whatever that Windows handles for physical disks. Now, this also means that because such things are not directly managed by this Arsenal Image Mounter driver, it could turn out to be, not impossible of course, but complicated to implement some kind of tracking about these things.

Having said that, I would not be surprised if someone have already made a tool of some kind available for more general tasks like this. Tools that work with any kind of SCSI disk, physical, virtual, redirected, whatever and let you analyze and modify partitions and drive letters for these disks. But I don't know about one, maybe someone else do.

#31 theraven1982

theraven1982

    Newbie

  • Members
  • 18 posts
  •  
    Netherlands

Posted 17 April 2014 - 02:22 PM

Ah ok. I can work around it, so it's not a big problem. Thought that maybe it would be a few lines of code (that some function that you use from  the Windows API returns information about a drive letter). 

 

Carry on then ;)



#32 misty

misty

    Gold Member

  • Developer
  • 1033 posts
  •  
    United Kingdom

Posted 17 April 2014 - 07:49 PM

@olof
Fantastic work :good: :clapping:  :clap: :worship:

I do not actually have any EWF format disk images to test. I have however used ArsenalImageMounterService.exe to mount an NTFS compressed disk image I captured earlier today.

I also tested this in WinPE 5.0 with .NET Framework and HTA optional components installed - I don't know if HTA is also required, it just happened to be installed already. I had some issues actually installing the required drivers before running ArsenalImageMounterService.exe - neither ArsenalImageMounter-DriverSetup.exe nor running the following command...


rundll32.exe setupapi.dll,InstallHinfSection DefaultInstall 132 phdskmnt.inf
...worked in my WinPE build (it's very basic - other than the optional components I mentioned).

I was forced to install the required drivers by running ArsenalImageMounterMountTool.exe. Any suggestions on installing the drivers in WinPE - preferably via the commandline?

Regards,

Misty

#33 Olof Lagerkvist

Olof Lagerkvist

    Gold Member

  • Developer
  • 1415 posts
  • Location:Borås, Sweden
  •  
    Sweden

Posted 17 April 2014 - 08:15 PM

@olof
Fantastic work :good: :clapping:  :clap: :worship:


Thanks! :hi:
 

I do not actually have any EWF format disk images to test. I have however used ArsenalImageMounterService.exe to mount an NTFS compressed disk image I captured earlier today.

I also tested this in WinPE 5.0 with .NET Framework and HTA optional components installed - I don't know if HTA is also required, it just happened to be installed already. I had some issues actually installing the required drivers before running ArsenalImageMounterService.exe - neither ArsenalImageMounter-DriverSetup.exe nor running the following command...

 

rundll32.exe setupapi.dll,InstallHinfSection DefaultInstall 132 phdskmnt.inf
...worked in my WinPE build (it's very basic - other than the optional components I mentioned).
I was forced to install the required drivers by running ArsenalImageMounterMountTool.exe. Any suggestions on installing the drivers in WinPE - preferably via the commandline?

 


You cannot install this kind of driver using rundll32.exe in that way. It is a plug-and-play driver, so in one way or another you need to install it through plug-and-play functions. One way would be to pick the correct .inf for your Windows version and architecture and use devcon.exe:
devcon install path\phdskmnt.inf ROOT\PhDskMnt

Something like that should work. Otherwise, there is also ArsenalImageMounterCLISetup.exe. If you unzip DriverSetup\DriverSetup.7z to somewhere, you can run ArsenalImageMounterCLISetup.exe /install there to install the correct version of the driver automatically.


  • misty likes this

#34 misty

misty

    Gold Member

  • Developer
  • 1033 posts
  •  
    United Kingdom

Posted 17 April 2014 - 08:43 PM

.... Otherwise, there is also ArsenalImageMounterCLISetup.exe. If you unzip DriverSetup\DriverSetup.7z to somewhere, you can run ArsenalImageMounterCLISetup.exe /install there to install the correct version of the driver automatically.

@Olof
Thanks - this command worked.

:cheers:

Misty
  • Olof Lagerkvist likes this

#35 theraven1982

theraven1982

    Newbie

  • Members
  • 18 posts
  •  
    Netherlands

Posted 03 June 2014 - 12:58 PM

Maybe I should open a new topic, but the question is very adjacent to what was asked before in this thread.

 

I have a second system (Windows 7 x86) in which I cannot get ArsenalImageMounterService to work correctly. I downloaded the latest version, and when I use the ArsenalImageMounterMountTool program, I can mount everything: multipart Raw disks, multipart EWF files, etc. When I do this, the partitions that reside in these images are recognized correctly: the partitions are viewable in the Explorer.

However, when I use the ArsenalImageMounterService /mount /filename=E:\EWF.E01 /provider=LibEwf command, it mounts the disk, but only shows the full disk size as unallocated (same goes with /provider=multipartraw). I added the x86 libewf/zlib/msvcr100 DLLs to the directory the exe is called from. 

 

So it does find all the segments of the image correctly, but there seems to be something missing. I'm 99.9999% sure I'm doing it right, as my other machine accepts this command and shows the contents correctly. 

 

Any ideas?

 

thanks in advance,



#36 Olof Lagerkvist

Olof Lagerkvist

    Gold Member

  • Developer
  • 1415 posts
  • Location:Borås, Sweden
  •  
    Sweden

Posted 03 June 2014 - 01:35 PM

This seems strange. I cannot think of anything that is practically done in any different way in console application compared to GUI application. There could be a few issues around auto-detection of disk partitions though that could have different effects when used from different applications (timing issues principally).

 

A few things you could try though, is right-click and Rescan or Refresh in Disk Management, or "rescan" command in diskpart command line tool. There is also a /rescan switch to ArsenalImageMounterControl.exe that you could try.



#37 theraven1982

theraven1982

    Newbie

  • Members
  • 18 posts
  •  
    Netherlands

Posted 03 June 2014 - 02:04 PM

Right click in Disk Management and Rescan disks: the management console stops responding. Note that if I haven't mounted a disk yet, the Disk Management GUI opens quickly. If I subsequently mount a disk with Arsenal it shows up quickly (but all as unallocated). 

 

However, if I mount the disk with Arsenal, and THEN open Disk Management, it will not show any disks (window is not responding) until I remove the mounted disk (Ctrl-C in the CMD window). 

 

The /rescan option shows: "Result: True". Nothing changes. 

 

If I use diskpart, I can select the disk (only if I mount the disk after diskpart was started.. otherwise I can't enter commands). I can select the disk, and it shows one large partition which cannot be opened).


Edited by theraven1982, 03 June 2014 - 02:06 PM.


#38 Olof Lagerkvist

Olof Lagerkvist

    Gold Member

  • Developer
  • 1415 posts
  • Location:Borås, Sweden
  •  
    Sweden

Posted 03 June 2014 - 02:25 PM

That's even more strange. It looks like the driver stops responding for some reason. Or maybe the driver is alive but the communication with libewf.dll in the service exe gets stuck for one reason or another. I am a little out of ideas right now, but I will check a few things and come back to this matter as soon as I have any idea or something!



#39 theraven82

theraven82
  • Members
  • 1 posts
  •  
    Netherlands

Posted 03 June 2014 - 02:57 PM

(same user as above.. I'm at home now, and reboot.pro does not allow me to log in with my account here).

 

Anyway, it's not a libewf problem, as the same issue occurs when I connect a multisegment Raw file. Haven't tried a single raw file yet, but will do so tomorrow. Don't know if this makes it easier to debug or even worse... 



#40 theraven1982

theraven1982

    Newbie

  • Members
  • 18 posts
  •  
    Netherlands

Posted 04 June 2014 - 05:17 AM

(didn't explicitly mention it, but I didn't compile the sources, but instead downloaded the files from the website).

 

If you want, I can try to compile the files (I have VS2012 Express installed) and see if there are any warnings/errors? Not sure if those would show up during the compile stage... you're the expert ;)



#41 Olof Lagerkvist

Olof Lagerkvist

    Gold Member

  • Developer
  • 1415 posts
  • Location:Borås, Sweden
  •  
    Sweden

Posted 04 June 2014 - 06:06 AM

Thanks, but I agree that errors like these are not likely to show up during compile time. I would say that some communication problem between the driver and the service exe (and thereby connected libraries) is the most probable cause. A few debug printouts from service exe when it receives from or sends messages to the driver would probably be useful.



#42 theraven1982

theraven1982

    Newbie

  • Members
  • 18 posts
  •  
    Netherlands

Posted 04 June 2014 - 06:30 AM

Where can I view these messages? The event log only displays 'The system failed to flush data to the transaction log. Corruption may occur.' 

 

The ArsenalImageMounterService.exe command only displays messages about the date_time_values-string, header_values and value_64bit. No errors or warnings. 



#43 Olof Lagerkvist

Olof Lagerkvist

    Gold Member

  • Developer
  • 1415 posts
  • Location:Borås, Sweden
  •  
    Sweden

Posted 04 June 2014 - 06:49 AM

If I recall correctly there should be a /debug or /verbose switch or something like that. I am not at my computer right now so I can't check. It could also happen that I forgot to add the debug switch to that tool, in which case it would need a minor modification and rebuild.

#44 theraven1982

theraven1982

    Newbie

  • Members
  • 18 posts
  •  
    Netherlands

Posted 04 June 2014 - 06:59 AM

Ah, no worries. Take your time (I know it's still early ;) )

 

There's no /verbose or /debug flag. Furthermore (if you're going to add it anyway), there's no  /provider=multipartraw flag in the help (but it does accept it as a valid parameter).



#45 Olof Lagerkvist

Olof Lagerkvist

    Gold Member

  • Developer
  • 1415 posts
  • Location:Borås, Sweden
  •  
    Sweden

Posted 04 June 2014 - 12:33 PM

The switch is, quite surprisingly, /trace which I for some reason did not remember. Try it and see if it could give any hints about what happens. I see in the source code that the printouts are not extremely detailed, just simply somewhat detailed, including in particular when something changes, errors occur etc, but not for each read/write operation.



#46 theraven1982

theraven1982

    Newbie

  • Members
  • 18 posts
  •  
    Netherlands

Posted 04 June 2014 - 12:49 PM

Thanks for the reply. I used the /trace option, and this was the output: http://pastebin.com/vv4qAbKS

 

(skipped some non-problematic looking info..)

Seeing the write-request related problems, I specified the /readonly flag, and everything worked alright... So it's not a big problem (and somewhat a mistake on my part). 

 

I checked it on my 64 bit machine (zip from github downloaded from April 16) and it did not require the /readonly flag. 

 

Thanks Olof!







Also tagged with one or more of these keywords: imdisk, windows 8.1, inaccessible

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users