Busting the Myth about ramdisk.sys - XP/2003


60 replies to this topic

#1 joakim
Silver Member, Team Reboot, 885 posts, Location: Bergen, Norway

Posted 21 October 2009 - 09:59 PM

Rambooting is not limited to binaries from Server 2003 or XP Embedded. It works on XP SP2 and SP3 too (don't know about SP1). When I say works, I refer to booting a real non-PE system from ramdisk with the osloader (Boot Loader)/ntldr (pretty much like diskless XP Embedded systems) and boot.ini. Booting WinPE from ramdisk must be done with setupldr.bin (Setup Loader) and winnt.sif, and maybe only with the 2003 version of it. Note that ntdetect.com can be from XP. Trying to load ramdisk images with the XP version of setupldr.bin gives I/O errors, and it cannot read winnt.sif properly. The XP version of ramdisk.sys requires a registry patch (because otherwise it will not start at boot). Therefore ramloading works with XP sources too, and the only time you need one 2003 binary, setupldr.bin, is when ramloading in PE mode.

Sample registry patch (inf taken from 2003, but it also works with the XP one):

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\sys\ControlSet001\Control\Class\{9D6D66A6-0B0C-4563-9077-A0E9A7955AE4}]
"Class"="Ramdisk"
@="Ramdisk"
"Icon"="-5"

[HKEY_LOCAL_MACHINE\sys\ControlSet001\Control\Class\{9D6D66A6-0B0C-4563-9077-A0E9A7955AE4}\0000]
"InfPath"="ramdisk.inf"
"InfSection"="BusInstall"
"InfSectionExt"=".NT"
"ProviderName"="Microsoft"
"DriverDateData"=hex:00,40,2a,7c,dd,68,c2,01
"DriverDate"="10-1-2002"
"DriverVersion"="5.2.3790.3959"
"MatchingDeviceId"="ramdisk"
"DriverDesc"="Windows RAM Disk Controller"

[HKEY_LOCAL_MACHINE\sys\ControlSet001\Control\Class\{9D6D66A6-0B0C-4563-9077-A0E9A7955AE4}\0001]
"InfPath"="ramdisk.inf"
"InfSection"="VolumeInstall"
"InfSectionExt"=".NT"
"ProviderName"="Microsoft"
"DriverDateData"=hex:00,40,2a,7c,dd,68,c2,01
"DriverDate"="10-1-2002"
"DriverVersion"="5.2.3790.3959"
"MatchingDeviceId"="ramdisk\\ramvolume"
"DriverDesc"="Windows RAM Disk Device (volume)"

[HKEY_LOCAL_MACHINE\sys\ControlSet001\Enum\Root\UNKNOWN]

[HKEY_LOCAL_MACHINE\sys\ControlSet001\Enum\Root\UNKNOWN\0000]
"ClassGUID"="{9D6D66A6-0B0C-4563-9077-A0E9A7955AE4}"
"ConfigFlags"=dword:00000004
"Driver"="{9D6D66A6-0B0C-4563-9077-A0E9A7955AE4}\\0000"
"Class"="Ramdisk"
"Mfg"="Microsoft"
"HardwareID"=hex(7):72,00,61,00,6d,00,64,00,69,00,73,00,6b,00,00,00,00,00
"CompatibleIDs"=hex(7):64,00,65,00,74,00,65,00,63,00,74,00,65,00,64,00,69,00,\
  6e,00,74,00,65,00,72,00,6e,00,61,00,6c,00,5c,00,72,00,61,00,6d,00,64,00,69,\
  00,73,00,6b,00,00,00,64,00,65,00,74,00,65,00,63,00,74,00,65,00,64,00,5c,00,\
  72,00,61,00,6d,00,64,00,69,00,73,00,6b,00,00,00,00,00
"Service"="Ramdisk"
"DeviceDesc"="Windows RAM Disk Controller"
"Capabilities"=dword:00000000

[HKEY_LOCAL_MACHINE\sys\ControlSet001\Enum\Root\UNKNOWN\0000\LogConf]

[HKEY_LOCAL_MACHINE\sys\ControlSet001\Enum\Root\UNKNOWN\0000\Control]
"ActiveService"="Ramdisk"

[HKEY_LOCAL_MACHINE\sys\ControlSet001\Enum\Root\UNKNOWN\0001]
"ClassGUID"="{9D6D66A6-0B0C-4563-9077-A0E9A7955AE4}"
"Class"="Ramdisk"
"ConfigFlags"=dword:00000004
"Driver"="{9D6D66A6-0B0C-4563-9077-A0E9A7955AE4}\\0001"
"Mfg"="Microsoft"
"HardwareID"=hex(7):72,00,61,00,6d,00,64,00,69,00,73,00,6b,00,5c,00,72,00,61,\
  00,6d,00,76,00,6f,00,6c,00,75,00,6d,00,65,00,00,00,00,00
"DeviceDesc"="Windows RAM Disk Device (volume)"
"Capabilities"=dword:00000000

[HKEY_LOCAL_MACHINE\sys\ControlSet001\Enum\Root\UNKNOWN\0001\LogConf]

[HKEY_LOCAL_MACHINE\sys\ControlSet001\Enum\Root\UNKNOWN\0001\Control]

[HKEY_LOCAL_MACHINE\sys\ControlSet001\Services\Ramdisk]
"Type"=dword:00000001
"Start"=dword:00000000
"ErrorControl"=dword:00000001
"ImagePath"="\\??\\C:\\WINDOWS\\SYSTEM32\\DRIVERS\\ramdisk.sys"
"DisplayName"="Windows RAM Disk Driver"

[HKEY_LOCAL_MACHINE\sys\ControlSet001\Services\Ramdisk\Debug]
"DebugComponents"=dword:7fffffff
"DebugLevel"=dword:00000005

[HKEY_LOCAL_MACHINE\sys\ControlSet001\Services\Ramdisk\Security]
"Security"=hex:01,00,14,80,90,00,00,00,9c,00,00,00,14,00,00,00,30,00,00,00,02,\
  00,1c,00,01,00,00,00,02,80,14,00,ff,01,0f,00,01,01,00,00,00,00,00,01,00,00,\
  00,00,02,00,60,00,04,00,00,00,00,00,14,00,fd,01,02,00,01,01,00,00,00,00,00,\
  05,12,00,00,00,00,00,18,00,ff,01,0f,00,01,02,00,00,00,00,00,05,20,00,00,00,\
  20,02,00,00,00,00,14,00,8d,01,02,00,01,01,00,00,00,00,00,05,0b,00,00,00,00,\
  00,18,00,fd,01,02,00,01,02,00,00,00,00,00,05,20,00,00,00,23,02,00,00,01,01,\
  00,00,00,00,00,05,12,00,00,00,01,01,00,00,00,00,00,05,12,00,00,00

[HKEY_LOCAL_MACHINE\sys\ControlSet001\Services\Ramdisk\Enum]
"0"="Root\\UNKNOWN\\0000"
"Count"=dword:00000001
"NextInstance"=dword:00000001

Adjust the path for winpe usage.

The size restriction on 512 Mb is in ntldr/setupldr.bin only. Ramdisk.sys can handle larger images, and some have said there is an absolute restriction at 2 Gb, with an actual user limit at around 1 Gb (some Chinese users have reported success with around 1.7 Gb). See a good explanation here: link1 and here: link2

Verification of this can be done with a modified ntldr found here (thank you JFX for pointing out); link3 and here; link4
This patched sample is the debug version of ntldr_dbg 5.2.3790.0. I'm currently trying to find the original ntldr_dbg 5.2.3790.0 to locate the patch and hopefully produce a custom patch for setupldr.bin too. For other interested souls, you may want to strip off the 16-bit stub in the beginning of ntldr/setupldr.bin. That way your favourite disassembler will produce much more friendly output. A good link about reversing ntldr; http://www.reteam.or....php/t-323.html

Important to remember is to add /pae to boot.ini. The author of the patch has mentioned /nodebug is a must too, but I have done it without that entry.

If I get some time, I may create a performance report with comparisons of ramdisk/firadisk/winvblock/disklessangel.


Joakim

#2 MedEvil
Platinum Member, .script developer, 7,763 posts

Posted 21 October 2009 - 11:39 PM

Sorry, I'm a bit behind in ramboot things.
What exactly happens when one tries to load an image bigger than 512MB?

:cheers:

#3 joakim
Silver Member, Team Reboot, 885 posts, Location: Bergen, Norway

Posted 22 October 2009 - 04:32 AM

What exactly happens when one tries to load an image bigger than 512MB?


Then ntldr/setupldr.bin will fail because of a check in them.

Part of the myth has been that the size restriction of 512 Mb also was in ramdisk.sys, which evidently is wrong. The myth was also that XP's version of ramdisk.sys could not be booted off, which also is wrong. The myth also was that XP's ntldr/setupldr.bin could not load images to RAM, which also is partly wrong (at least ntldr can do loading to RAM).

However, what remains unsolved, is how to force xp's setupldr.bin to read winnt.sif.

Joakim

#4 MedEvil
Platinum Member, .script developer, 7,763 posts

Posted 22 October 2009 - 11:32 AM

If there is an error message, which you didn't say, then one could find the part that needs to be patched easily by backtracking from the error message.
If there is no error message, looking for the number the image size is compared to, should do the trick.

:cheers:

#5 joakim
Silver Member, Team Reboot, 885 posts, Location: Bergen, Norway

Posted 22 October 2009 - 11:51 AM

I don't think the matter is as easy as patching a conditional jump instruction. We also have to calculate how much ram we need (if at all enough) and reserve it for the ramdisk when switching mode. And possibly also more..

Joakim

#6 MedEvil
Platinum Member, .script developer, 7,763 posts

Posted 22 October 2009 - 12:50 PM

From what I know about the W2k3 ramboot, it doesn't always use 512MB no matter how big the image, but always adapts the used RAM to the image size, unless the image is bigger than 512MB.

This behavior, together with your finding that images bigger than 512MB are possible with the driver, suggests that M$ has put a limiter into setupldr, like it has done with other files.

If setupldr would simply use 512MB RAM even if the image is bigger, it would be likely that some function needs to be adapted.

Imo, the limiter idea is more likely, since it is also used in FBWF.

:cheers:

#7 was_JFX
Frequent Member, Advanced user, 483 posts, Germany

Posted 22 October 2009 - 03:43 PM

Yep, XP ramdisk always works nicely, but do not use the full imagepath.

system32\DRIVERS\ramdisk.sys is the normal case and will not cause problems for guys with a different Windows directory.

Here's a BartPE plugin that has always worked:

Attached File: PERAMDISK.inf (2.21KB)

#8 joakim
Silver Member, Team Reboot, 885 posts, Location: Bergen, Norway

Posted 22 October 2009 - 09:29 PM

I just noticed some weird behaviour of ramdisk.

I put xp version of ramdisk.sys on a winpe ramload based on 2003 sources with the exact registry patch as shown in post 1 (path adjusted). Result is the image being mapped to ram twice, as X: and C:, and it does not crash!! Strange.

Joakim

#9 luzel
Members, 3 posts, Poland

Posted 24 October 2009 - 12:54 PM

Hello Joakim. I have been interested in your fantastic investigations beside the firadisk project. I installed a fresh copy of my Windows XP SP3 operating system with size reduction made by nLite software. I added by hardware wizard both ramdisk volume and ramdisk controller drivers. I added the patch which has been published at the first post, and I prepared the image using the Diskless Angel software. The root directory contains Windows, Program Files and Documents and Settings folders and boot.ini and modified ntldr with the original ntdetect.com file. Boot.ini in the image file contains the following entries:

[boot loader]
default=ramdisk(0)\WINDOWS
[operating systems]
ramdisk(0)\WINDOWS="Windows XPE From RAM" /fastdetect

Boot.ini at the root directory of my hard drive contains the following entries:

[boot loader]
timeout=2
default=ramdisk(0)\Windows
[operating systems]
ramdisk(0)\Windows="RAM_SYS Windows 2003" /fastdetect /noguiboot /nodebug /sos /pae /noexecute=AlwaysOff /rdpath=multi(0)disk(0)rdisk(0)partition(1)\IMAGE.DSK

When I am trying to boot the image, ntldr loads the entire image into RAM memory, but Windows announces the following message: Windows could not start because the following file is missing or corrupted: ntkrnl.exe. I think that the ramdisk drive is inaccessible, so I don't know how I can resolve this problem. Composing the image using SDI scripts coming from the Windows XP SP1 Embedded package is an absolutely more complicated process. Do you have any ideas? Best wishes from Poland.

#10 joakim
Silver Member, Team Reboot, 885 posts, Location: Bergen, Norway

Posted 24 October 2009 - 01:45 PM

A couple of things to note.

- You only need ntldr, boot.ini, ntdetect.com, image.dsk on medium you're booting from.
- You can delete ntldr, boot.ini, ntdetect.com inside the image (they are not used)
- In boot.ini you must add the offset your partition starts at. Most likely you will want to add /rdimageoffset=32256 for a standard disk image.
- If your image is created with Embedded tools (sdi image), then /rdimageoffset is 4096 for partition image and 36352 for disk image.
- The /pae in boot.ini is only a must if using the size-patched ntldr.

Joakim
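The /rdimageoffset values in the list above follow from where the first partition starts inside the image. As an added check that is not part of the thread, this Python reads the MBR partition table of a raw disk image and computes the offset; the 512-byte MBR it builds is constructed sample data standing in for IMAGE.DSK, and SDI images (4096/36352) are not handled.

```python
import struct

SECTOR = 512
PART_TABLE_OFF = 446          # MBR partition table: four 16-byte entries
MBR_SIGNATURE = b"\x55\xAA"   # bytes 510-511 of a valid MBR

def rdimageoffset(image: bytes) -> int:
    """Return the /rdimageoffset value for a raw image.

    Disk image (valid MBR): byte offset of the first in-use partition,
    i.e. its starting LBA times the sector size (LBA 63 gives 32256,
    the value the post above calls standard). Partition image (no MBR): 0.
    """
    if len(image) < SECTOR or image[510:512] != MBR_SIGNATURE:
        return 0  # no MBR: the image starts directly with the file system
    for i in range(4):
        entry = image[PART_TABLE_OFF + 16 * i: PART_TABLE_OFF + 16 * (i + 1)]
        part_type = entry[4]
        lba_start, = struct.unpack_from("<I", entry, 8)
        if part_type != 0 and lba_start != 0:
            return lba_start * SECTOR
    raise ValueError("MBR signature present but no partition entry in use")

def build_sample_mbr(lba_start: int, sectors: int = 2048) -> bytes:
    """Constructed MBR with one active partition (not taken from a real disk)."""
    # status 0x80 (active), dummy CHS start, type 0x07, dummy CHS end, LBA, size
    entry = struct.pack("<B3sB3sII", 0x80, b"\x01\x01\x00", 0x07,
                        b"\xFE\xFF\xFF", lba_start, sectors)
    mbr = bytearray(SECTOR)
    mbr[PART_TABLE_OFF:PART_TABLE_OFF + 16] = entry
    mbr[510:512] = MBR_SIGNATURE
    return bytes(mbr)

if __name__ == "__main__":
    print(rdimageoffset(build_sample_mbr(63)))    # 32256
```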

#11 joakim
Silver Member, Team Reboot, 885 posts, Location: Bergen, Norway

Posted 26 October 2009 - 12:25 PM

Here's a custom patched one, without the debug crap (still requires /PAE):

http://www.mediafire...d_non_debug.zip

Joakim

#12 MedEvil
Platinum Member, .script developer, 7,763 posts

Posted 26 October 2009 - 12:35 PM

So you now know what exactly gets patched?

:confused1:

#13 joakim
Silver Member, Team Reboot, 885 posts, Location: Bergen, Norway

Posted 26 October 2009 - 12:44 PM

Yes, after sorting out the debug version specific stuff, there are only two bytes that need to be changed.

Joakim

#14 MedEvil
Platinum Member, .script developer, 7,763 posts

Posted 26 October 2009 - 02:24 PM

I was more hoping for an explanation of what functionality gets changed to what.

:confused1:

#15 joakim
Silver Member, Team Reboot, 885 posts, Location: Bergen, Norway

Posted 26 October 2009 - 03:03 PM

I was more hoping for an explanation of what functionality gets changed to what.


The relevant virtual addresses (as seen in the disassembler) that need to be changed are:

Original ntldr_dbg (5.2.3790.0)
00418847  C70000000200    mov dword ptr [eax],00020000h

Original ntldr (5.2.3790.0)
0041743D  C70000000200    mov dword ptr [eax],00020000h

And they must be changed to this:

Like in the patched ntldr_dbg (5.2.3790.0)
00418847  C70000800700    mov dword ptr [eax],00078000h


Joakim

#16 MedEvil
Platinum Member, .script developer, 7,763 posts

Posted 26 October 2009 - 03:37 PM

Are you talking about the 16bit part or the 32 bit part?

:confused1:

#17 joakim
Silver Member, Team Reboot, 885 posts, Location: Bergen, Norway

Posted 26 October 2009 - 04:29 PM

Are you talking about the 16bit part or the 32 bit part?


That is when the 16bit stub (first 16616 bytes) is cut off and you have only the 32bit part loaded.

Joakim

#18 MedEvil
Platinum Member, .script developer, 7,763 posts

Posted 26 October 2009 - 04:41 PM

Thanks.

btw. Looks like they change the sector or cluster size from 128kB to 480kB, which gives a max size of 1920MB for the RamDisk.

:confused1:

PS: How much RAM is accessible on XP without PAE?
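Posts #15, #17 and #18 together describe the patch: cut off the 16616-byte 16-bit stub, find the mov dword ptr [eax],00020000h and change its immediate to 00078000h. This added Python (not code from the thread) scans a loader body for either form of that instruction and derives the implied size cap the way MedEvil reads it in #18; the sample bytes it builds are constructed, not real ntldr.

```python
import struct

STUB_LEN = 16616                 # 16-bit stub in front of the 32-bit part (post #17)
MOV_EAX_IMM32 = b"\xC7\x00"      # x86 encoding of: mov dword ptr [eax], imm32
KNOWN_UNITS = {0x00020000: "original", 0x00078000: "patched"}  # 128 kB / 480 kB

def unit_to_max_mb(unit_bytes: int) -> int:
    """Size cap implied by the allocation unit, following MedEvil's reading in
    post #18: the loader addresses a fixed 4096 units, so 128 kB units give
    512 MB and 480 kB units give 1920 MB."""
    return unit_bytes * 4096 // (1024 * 1024)

def scan_loader(data: bytes):
    """Classify a loader image as 'original' or 'patched'.

    Returns (label, unit_bytes, max_mb), or None when neither known form is
    found exactly once. A byte-pattern scan is only a heuristic: confirm the
    hit against the virtual address from the disassembler (0041743D for
    ntldr 5.2.3790.0 in post #15) before trusting it.
    """
    body = data[STUB_LEN:]
    hits = []
    for unit, label in KNOWN_UNITS.items():
        pattern = MOV_EAX_IMM32 + struct.pack("<I", unit)
        if body.count(pattern) == 1:
            hits.append((label, unit))
    if len(hits) != 1:
        return None          # not found, or both forms present (ambiguous)
    label, unit = hits[0]
    return label, unit, unit_to_max_mb(unit)

def build_sample_loader(unit: int) -> bytes:
    """Constructed stand-in for ntldr: zeroed stub, NOP filler, the instruction
    of interest, a RET. Not real loader bytes."""
    instr = MOV_EAX_IMM32 + struct.pack("<I", unit)
    return bytes(STUB_LEN) + b"\x90" * 64 + instr + b"\xC3"

if __name__ == "__main__":
    print(scan_loader(build_sample_loader(0x00020000)))   # ('original', 131072, 512)
    print(scan_loader(build_sample_loader(0x00078000)))   # ('patched', 491520, 1920)
```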

#19 joakim
Silver Member, Team Reboot, 885 posts, Location: Bergen, Norway

Posted 26 October 2009 - 05:00 PM

I believe we are restricted to around 3.2 Gb. Without the /pae in boot.ini with the patched version, you will get bsod 7b.

The original patch also modifies 5 other places, but those are only applicable to the debug version, to hide that.

Joakim

#20 MedEvil
Platinum Member, .script developer, 7,763 posts

Posted 26 October 2009 - 06:32 PM

Really weird.

Can you check the geometry of the created ramdisk with and without the patch? Best with a same sized image.

Does the BSOD happen with this patch also when a small (less than 512MB) image is used? Or does it even happen when no ramboot and no PAE is used?
Is it possible to create a RamDisk with the driver which is not a BootDisk? If so, how big can it be without PAE?

:confused1:

#21 was_JFX
Frequent Member, Advanced user, 483 posts, Germany

Posted 26 October 2009 - 07:25 PM

Very nice :unsure:

Any idea how to adjust the pointer for SP1/SP2 NTLDR, so we can get rid of the ARC path and have full x64 support?

:confused1:

#22 joakim
Silver Member, Team Reboot, 885 posts, Location: Bergen, Norway

Posted 26 October 2009 - 07:58 PM

Can you check the geometry of the created ramdisk with and without the patch? Best with a same sized image.

Does the BSOD happen with this patch also when a small (less than 512MB) image is used? Or does it even happen when no ramboot and no PAE is used?
Is it possible to create a RamDisk with the driver which is not a BootDisk? If so, how big can it be without PAE?

As far as I have understood this, Windows doesn't see its own ramdisk as a hard disk, and thus cannot determine any geometry for it. The /pae requirement was only for rambooting and is not necessary for regular booting. I don't think you can keep loaded images during boot unless the system is booted from it (gets lost somewhere). However, see my earlier finding about the XP driver on a 2003 rambooted system which resulted in the image being loaded to RAM twice without crashing...

I am well on the way to finishing 5.2.3790.3959 (SP2). I am not finished optimising some values. I just can't see the pattern in it (at some point certain sizes do one of three things):
a. refused to load
b. loaded to RAM but hang
c. boot fine

The good thing though, is that those that boot can do without the /pae.

Joakim

#23 joakim
Silver Member, Team Reboot, 885 posts, Location: Bergen, Norway

Posted 26 October 2009 - 08:10 PM

Any idea how to adjust the pointer for for SP1/SP2 NTLDR. So we can get rid ARC Path and have full x64 Support?


I don't know, but might give it a shot when the values for ntldr/setupldr.bin sp2 are sorted out (yes the patch also works for setupldr.bin too).

Joakim

#24 was_JFX
Frequent Member, Advanced user, 483 posts, Germany

Posted 26 October 2009 - 08:19 PM

b. loaded to ram but hang

:confused1: wasn't this a general problem of setupldr SP2 that it loads the image but then boot will hang?

#25 joakim
Silver Member, Team Reboot, 885 posts, Location: Bergen, Norway

Posted 26 October 2009 - 08:37 PM

wasn't this a general problem of setupldr SP2 that it loads the image but then boot will hang?


Not on my machines. I know the setupldr.bin of sp0 cannot ramboot (which appears similar to the Setup Loader of XP).

Joakim



