Tuesday, October 7, 2008

RegRipper, regview, and Bluetooth Registry Settings

During DFRWS '08, I thought it might be worthwhile to have an easy way to make RegRipper plugins. In fact, I asked Harlan if he had a plugin generator; back then, he said he just had some templates that provided a basis for the plugins. Since then, I've been busy.

Recently, Harlan posted that the v0.40 update for Parse::Win32Registry came with a GTK-perl registry hive viewer. Naturally, I became very interested in modifying James' work to make the RegRipper plugin generator that had been on my mind in August.

To set up shop, I had to get Parse::Win32Registry and check out this script. Quickly, I realized that there were quite a few dependencies for Gtk2-perl. Once all those were resolved (in a clean XP VMware WS 6.5 virtual machine; it didn't seem to like my host OS instance), I launched the viewer. First, let me say that it's marvelous. James did a really slick job of programming this UI and his entire perl registry package. Until now, I hadn't looked too closely at its internals, but it's truly great code.

Default regview.pl 0.40 opening SYSTEM hive

Once I got it running, I thought that I only had one thing to do: hack up the UI to enable plugin generation. Well, at first, it appeared that plugin generation was too complicated to use a single template (which was my original idea). I needed to have a good understanding of the current RR plugin features as well as the other programming libraries in-use (GTK2-perl, Parse::Win32Registry, perl). I started writing a small document, in which I articulated the processes of some RR plugins. A lot of the plugins that Harlan wrote were pretty unique, but all followed similar strategies: from a starting registry key, traverse some subkeys, maybe select a few of those subkeys, and find some (or maybe all) values of the subkeys.

So, I thought, why not look at an RR plugin as something that traverses this registry tree with a filter? So, I wrote a special RR plugin that accepts a starting point, a depth, a key filter per depth and a value filter per depth (plus one, since the starting key itself has values). This special RR plugin was further modularized by extracting the plugin-specific information into Harlan's %config hash in each RR plugin.

So, now I've got a bare-bones template plugin. From this, I hacked up James' UI (forgive me, at some point in the next weeks I want to remove my code from regview and make my own module). I've added the ability to create a new RR plugin based on a selected key or value. Below is a screenshot of me creating the Widcomm Bluetooth plugin.




Hacked Up regview UI

OK. So, in this screenshot, I've selected a key (Widcomm) and then, from the Generate menu, clicked "from selected key." Next, the Plugin Detail Specification dialog appears. Here, I select an output folder, depth, name and description. Once the depth is chosen, we can click on the Modify Filters button to bring up the Plugin Filter Specification dialog. This dialog has a dynamic number of input boxes, depending on the user-specified depth.

The filter dialog is where the magic happens. From these boxes, a set of perl regular expressions is built into the new plugin. In this example, I selected the key Widcomm, and would like to get the subkeys of Widcomm that start with Devices and LinkKeys. From there, I want to traverse all subkeys. I've specified that all values (other than those from a fourth-level subkey) include all word characters (perl's \w). The fourth-level subkey values must start with ServiceNameUTF8. A few OKs and:

RR Plugin Created!

What, you don't believe me? :)


btwindcomm RR plugin output
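To make the "traversal with a filter" model concrete, here is an added example of the same walk in Python. It is my illustration, not code from regview, the template plugin or RegRipper (whose plugins are Perl on top of Parse::Win32Registry). The registry subtree is a constructed in-memory stand-in in the spirit of the Widcomm example, not a real Widcomm layout, and the filter lists mirror the depth-4 specification from the dialog: one key regex per level gating descent, and depth+1 value regexes selecting values at each level.

```python
import re

# Constructed, in-memory stand-in for a hive subtree: each node has "values"
# (name -> data) and "keys" (name -> child node). The layout is made up for the
# example and is NOT a real Widcomm key layout.
SAMPLE_TREE = {
    "values": {"Version": "5.1"},
    "keys": {
        "Devices": {
            "values": {},
            "keys": {
                "001122334455": {
                    "values": {"Name": "Headset", "Class": "0x240404"},
                    "keys": {
                        "Services": {
                            "values": {"Count": "1"},
                            "keys": {
                                "0001": {
                                    "values": {"ServiceNameUTF8": "Handsfree",
                                               "Channel": "3"},
                                    "keys": {},
                                }
                            },
                        }
                    },
                }
            },
        },
        "LinkKeys": {
            "values": {},
            "keys": {"001122334455": {"values": {"Key": "deadbeef"}, "keys": {}}},
        },
        "Settings": {"values": {"Verbose": "0"}, "keys": {}},
    },
}

# The plugin specification from the dialog: depth 4, descend only into
# Devices/LinkKeys at level 1, everything below that, report any \w value
# except at level 4, where only ServiceNameUTF8* values are wanted.
DEPTH = 4
KEY_FILTERS = [r"^(Devices|LinkKeys)", r".*", r".*", r".*"]
VALUE_FILTERS = [r"\w", r"\w", r"\w", r"\w", r"^ServiceNameUTF8"]


def rip(key, depth, key_filters, value_filters, path=("Widcomm",)):
    """Walk `key` down `depth` levels. key_filters[i] gates descent from level
    i into level i+1; value_filters[i] selects values of keys at level i, so
    there are depth+1 of them. Returns (key path, value name, data) tuples in
    walk order, which is what a plugin would then format as its report."""
    if len(key_filters) != depth or len(value_filters) != depth + 1:
        raise ValueError("need %d key filters and %d value filters"
                         % (depth, depth + 1))
    hits = []

    def walk(node, level, node_path):
        vpat = re.compile(value_filters[level])
        for name, data in sorted(node["values"].items()):
            if vpat.search(name):
                hits.append(("\\".join(node_path), name, data))
        if level == depth:          # leaf level of the specification
            return
        kpat = re.compile(key_filters[level])
        for name, child in sorted(node["keys"].items()):
            if kpat.search(name):
                walk(child, level + 1, node_path + (name,))

    walk(key, 0, path)
    return hits


if __name__ == "__main__":
    for key_path, value, data in rip(SAMPLE_TREE, DEPTH, KEY_FILTERS, VALUE_FILTERS):
        print("%s  %s = %s" % (key_path, value, data))
```

Running it reports Version under Widcomm, the Class/Name values of the device, Count under Services and the ServiceNameUTF8 value at level 4, while Channel (wrong level-4 value) and the Settings subtree (fails the level-1 key filter) are skipped; that is exactly the selection the dialog's boxes encode.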

Right now, I've committed the code to my code page. A tag exists in the source tree called tuesday_morning that contains the script and template that you need to get going. There are bugs and I haven't coded proper error handling, so you can break it easily. This Bluetooth demo is the last thing that I've tested, so it is probably broken in other areas. I'll bugcheck Tuesday afternoon and tag a new version on Wednesday.

With regard to Harlan's Bluetooth post, I still have further investigation to perform. Apparently, there are different Bluetooth stacks, which undoubtedly means different registry keys. I'll play with MS-XP and MS-Vista stuff sometime this week.

In my small investigations of RR plugins, I noticed that the applets plugin could also rip Wordpad's recently opened files, so I updated applets.pl.

That is all for now.

Wednesday, October 1, 2008

Hyper-V Server


Today, Microsoft announced the availability of the free Hyper-V Server.

I quickly downloaded the 1.09GB ISO and began installation. Installation took about 15 minutes in a VM with ~1.5GB memory.

Here are some Hyper-V Server screenshots:

Choose your language


Hyper-V Server


Initial Configuration Script


Available & Installed Packages


The majority of the installation was exactly the same as a Server 2008 install, except there is no version/type selection (std, ent, dc / full, core). The text-based initial script enables quick configuration without memorizing the netdom and netsh commands. Further, from the last screenshot, we can see the small number of packages that come with Hyper-V Server and that only one is installed. This is considerably different from a basic Server Core installation with the Hyper-V role, illustrated below.


Server Core with Hyper-V

Microsoft did a good job of stripping unnecessary components as well as making an easy-to-install and easy-to-initialize Hyper-V solution. Thanks!

Tuesday, September 30, 2008

Hyper-V and recursive virtualization

After I got ESXi to run inside of Workstation 6.5, I asked myself, "Can Hyper-V run within Workstation 6.5?"

Well, the role installs, and I can create Hyper-V virtual machines, but I can't start them:




Note that I have two VMs running. The main VM in the screenshot is my Server 2008 Enterprise Full Domain Controller; the other is the Server 2008 x64 Enterprise Core Hyper-V server. I made the same modification to the Core VMX as I did for the ESXi-3 VM from my earlier post. The Hyper-V role installed and updated fine. As you can see from the screenshot, I was able to manage Hyper-V remotely and create a VM. When I connect to the VM to start it, it displays the error message that it cannot create the partition because of an unspecified error 0x80004005. There aren't many search results about this error with Hyper-V other than two forum posts (in one of which I posted an updated error message). There are some results about the error code.

I attempted the same thing in a Full installation and the Hyper-V installation was prevented by ServerManager. Is it possible that ocsetup, the utility which installs Hyper-V in Core, does not properly detect VT and DEP capabilities and thus allows installation on non-Hyper-V-supported hardware? I ran ocsetup on the Full installation, and the role installs just fine....


An error occurs upon attempting to start the VMbus:


John Howard mentions that this could happen if resources are scarce. In my instance, I confirm that it is unsupported hardware with no driver:

Looks like Hyper-V isn't actually running. Apparently ocsetup doesn't prevent installation of Hyper-V as ServerManager does...

Graphical ImageX

While using WDS, the imagex binary is at the forefront of WIM creation. Apparently, there is a graphical front end, GImageX! This is fun, and exciting. An intuitive tabbed interface immediately enables you to home in on the imaging process you're about to undertake.


While I was playing with ImageX this summer at RIT, I was injecting large VMDKs into a mounted, writeable WIM. When I unmounted and committed changes, it would take an incredibly long time to unmount. So long that, at times, it appeared like the utility 'froze' because there was no significant resource usage displayed in the Windows Resource Monitor or Task Manager. So, I launched Process Explorer and filtered events related to imagex. Sure enough, there are a ton of events occurring that relate directly to imagex; therefore, it's not 'frozen.' It was definitely annoying that there is no progress bar or good indication that the utility is still running successfully.


One of the first things I wanted to discover about GImageX was how the utility handled these unmount/commit scenarios. Well, the good news is, there was a significant amount of disk usage directly from gimagex.exe throughout the few-minute unmount. Further, there is a little cursor inside the dialog showing that the program is indeed still working. Since this is a GUI, you can tell that the application is still responding because you can move its windows.


First impressions of this utility are very high. I'm happy that I bumped into it from Ulli's latest post about the ESX Bandit.

ESX inside of Workstation




I stumbled upon a post about running ESX inside of VMware Workstation.  While I'm not sure of the practicality behind recursive virtualization, I want to see this working.  This post is a walkthrough of my ESXinsideWS process.

For background, I've been running the WS6.5 beta since the beta program started. Recently, WS6.5 was publicly released. So, now, I'm running the first public release of WS6.5. Further, my computer operates the MSI P6NSLI Platinum motherboard, with an Intel E6550 Core 2 Duo @ 2.33GHz and 4GB of DDR2 800 G.Skill memory.

I set out to create a WS6.5 VM from just Eric's post. This first VM is based on the Other Linux 2.6 Kernel 64-bit guest type with 2 processors and an IDE disk. I followed the recommendation from Ulli in Eric's post and added the following lines to the VMX prior to startup. I also made sure the network adapters were presented as e1000.

monitor.virtual_exec = "hardware" 
monitor_control.restrict_backdoor = "true" 

PSOD when I launch the installer:


The second VM I created was based on the Other Linux 2.6 Kernel guest type with one CPU and IDE disks. Note that this time, I chose not to use either 64-bit or two CPUs. The first time I started this second VM, a dialog appeared stating that my CPU had been disabled! Oh no!

Then, the following error reveals the cause. I configured it to operate with 620MB of memory. Apparently this is insufficient.



OK, so I increased the RAM to 1536 and the installer got farther, and displayed a new error.



After getting this error, the following questions were bouncing around in my mind:
  • Eric and Ulli talk about getting ESX running in WS, not ESXi which is what i've been trying -- Will ESXi work?
  • What types of disks did Eric and Ulli use? I thought Eric's post recommended using IDE disks..
So, I did some quick searches and found a post on petri. That video is based on this paper. Following the video, I recreated my VM to be based on RHEL4 64-bit, one processor, a SCSI disk and 1GB of memory. This VM gets further:




Excellent.  I'll post more information about this little recursive virtualization environment of mine :)

Saturday, September 27, 2008

Master's Thesis

Well, I'm all done with my MS in Computer Security and Information Assurance from RIT. The thesis, titled Differential Virtualization for Large-Scale System Modeling, is posted here. Some of the stuff previously posted on the blog is incorporated into the thesis including WDS/DHCP and multicasting files.

Tuesday, September 16, 2008

Multicast File Transmission in WDS

In the environment detailed in my MS thesis and a recently accepted paper to SIGITE '08, we describe an environment that uses a standard set of virtual machine templates. This set of virtual machine templates is then distributed (and kept consistent) across a set of workstations. Then, users can create differential virtual machines (VMware's linked clones) based on the templates. Users store the linked clones on a file server, and can achieve virtual machine mobility between workstations. At RIT NSSA, this environment is semi-operational as I write this post.

Since RIT NSSA teaches many different operating system technologies, there are many virtual machine templates that reach a summed size of 100GB. One of the issues that we discussed in our paper and that I present in my thesis is the notion of updating template virtual machines across all workstations. This is a difficult subject because as the number of workstations increases, the copies of this template repository increase. Now, RIT NSSA has 80 workstations in the pilot lab. That means, right now, when they want to update or add a template to each machine, they have to inject the files into an image and re-deploy the OS and data on all 80 workstations. Another way they can achieve an update is through some differential robocopy script that copies the templates from the file server to the workstations; this can be done in series or in parallel (I've found that robocopies in series seem to work much better with the storage devices in that file server, an Adaptec 2820SA with 5 SATAII disks in RAID5). However, all of these approaches are inefficient because they either copy superfluous data once, as in deploying an install image, or they copy the same data 80 times, as in differential robocopy. There has to be a better way!
Enter WDSMCAST.exe from the Server 2008 AIK. WDSMCAST enables multicast transmissions of custom data stores. So, I can create a directory and make a custom WIM with the directory's contents. Once I have a custom WIM, I can create a custom namespace on my WDS Transport Server using wdsutil /new-namespace with the /configstring parameter specified as the location of the custom WIM. Microsoft's documentation states that the custom WIM can be stored in any directory. This, however, caused a divide by zero in my test runs with WDSMCAST.exe:

So, I moved the custom WIM inside the RemoteInstall directory and then multicast transfer of the image works just fine.

WDSMCAST runs just fine inside Vista:



Therefore, we could create a differential version of the repository, generate a new WIM, create a multicast session based on the WIM, instruct each workstation to join the multicast session, and then have each workstation extract contents of the WIM ontop of the repository at the workstation.
While this is a nice solution, a workstation may require twice the size of the update in free disk space. For example, if we wanted to add 20GB of templates to all workstations, the workstations need at least 40GB of free space because 20GB is required for the WIM and 20GB is required for the extracted templates. In an environment where this is realistic, it would be neat to issue these differential updates in a multicast fashion with wdsmcast.
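The update procedure above (capture a WIM, publish it as a Transport Server namespace, join from each workstation, apply on top of the repository) with the two caveats from this post built in, as an added example. This is my orchestration script, not code from the thesis, the paper or any RIT NSSA tooling. It only builds the command lines (so it can be dry-run anywhere); on the Windows hosts you would hand each list to subprocess.run. The command names and switches follow the wdsutil, wdsmcast and imagex usage as I know it; the server name, paths and the form of wdsmcast's /SourceFile value (the WIM path as published on the server) are assumptions.

```python
import ntpath

GB = 1024 ** 3

# Assumed deployment values for illustration only.
WDS_SERVER = "wds01.example.edu"
REMOTEINSTALL = r"D:\RemoteInstall"


def _under_remoteinstall(remoteinstall, wim_path):
    """True when wim_path sits inside the RemoteInstall tree. Uses ntpath so
    Windows path rules (drive letters, case, backslashes) apply on any host."""
    root = ntpath.normcase(ntpath.normpath(remoteinstall))
    wim = ntpath.normcase(ntpath.normpath(wim_path))
    try:
        return ntpath.commonpath([root, wim]) == root
    except ValueError:  # different drives never share a prefix
        return False


def server_commands(remoteinstall, wim_path, namespace, server, source_dir):
    """Commands to run on the WDS Transport Server: capture the repository
    (or the differential subset) into a WIM and publish it as a namespace.
    Refuses a WIM outside RemoteInstall, which is where wdsmcast fell over."""
    if not _under_remoteinstall(remoteinstall, wim_path):
        raise ValueError("custom WIM must live under %s, not %s"
                         % (remoteinstall, wim_path))
    capture = ["imagex", "/capture", source_dir, wim_path, namespace]
    publish = ["wdsutil", "/New-Namespace", "/Server:" + server,
               "/Namespace:" + namespace, "/FriendlyName:" + namespace,
               "/ContentProvider:WDS", "/ConfigString:" + wim_path,
               "/NamespaceType:AutoCast"]
    return [capture, publish]


def workstation_commands(server, namespace, wim_path, staging_dir, repo_dir,
                         free_bytes, wim_bytes):
    """Commands to run on each workstation: join the multicast session to pull
    the WIM into a staging folder, then apply it on top of the local template
    repository. Enforces the 2x free-space requirement (WIM + extracted data)."""
    needed = 2 * wim_bytes
    if free_bytes < needed:
        raise ValueError("need %.1f GB free for a %.1f GB update, have %.1f GB"
                         % (needed / GB, wim_bytes / GB, free_bytes / GB))
    local_wim = ntpath.join(staging_dir, ntpath.basename(wim_path))
    join = ["wdsmcast", "/Transfer-File", "/Server:" + server,
            "/Namespace:" + namespace, "/SourceFile:" + wim_path,
            "/DestinationFolder:" + staging_dir]
    apply_ = ["imagex", "/apply", local_wim, "1", repo_dir]
    return [join, apply_]


if __name__ == "__main__":
    wim = ntpath.join(REMOTEINSTALL, "Templates", "tpl-2008-10.wim")
    for cmd in server_commands(REMOTEINSTALL, wim, "Templates", WDS_SERVER,
                               r"E:\templates-delta"):
        print(" ".join(cmd))
    for cmd in workstation_commands(WDS_SERVER, "Templates", wim, r"C:\staging",
                                    r"C:\VMs\templates", 50 * GB, 20 * GB):
        print(" ".join(cmd))
```

The two ValueError checks are the point: they turn the "WIM must be under RemoteInstall" lesson and the 2x disk-space arithmetic into something that fails before a multicast session is opened against 80 workstations, rather than halfway through.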

Microsoft says, "You can create a custom content provider for cases where the default provider is not sufficient (for example when using Transport Server to deploy an operating system from inside a .vhd image). See the Windows Server 2008 SDK for guidelines and samples for authoring and registering the provider." I'm going to investigate custom content providers for the purposes of transmitting a template repository version and talk about custom content providers in future post.