About Virtualization, VDI, SBC, Application Compatibility and anything else I feel like
The Windows 8 Consumer Preview is downloaded as a Web Installer called Windows8-ConsumerPreview-setup.exe.
On my system the Web Installer crashed while checking Application Compatibility:
I clicked the Debug option and launched the Visual Studio debugger:
Websetup crashed in Wica.dll (Windows Install Compability Advisor) because eax is null (smells like a bug), so I wanted to do some more analysis. Wica.dll comes bundled with the Web Setup and is extracted along with the other bundled files into the temp folder (in my case %temp%\1fd52b5b-2609-4156-ac02-49dca27a0a8d\WebSetupExpanded).
In the WebSetupExpanded folder is an executable called WebSetup.exe but when we launch it directly we get an error:
I figured we needed the pass some argument on the commandline to run it directly, so I loaded Websetup.exe in Ida Pro. Websetup parses it’s commandline in an internal function called ConX::Setup::Web::CWebSetupCommandLineInfo::ParseParam
In the screenshots we can see that the following commandline arguments are being checked:
So let’s see what they do:
/main is required to start without showing the launch error.
/late shows a dialog to enter the product id:
/showerr shows a dialog indicating your PC doesn’t meet system requirements:
/elevate and /silent are meant to be used together with the other switches.
So in order to run the WebSetup from the debugger I needed the /main argument.
Very nicely: Because I ran the debugger I noticed that Websetup outputs debug info:
Debugged application message: Info [ConX::Compatibility::Wica::RunScanner] device scan finished.
Debugged application message: Info [ConX::Compatibility::Wica::ImportPreviousScan] Previous system report not present; assuming first run.
Debugged application message: Info [ConX::Compatibility::Wica::RunScanner] Starting application scan - WicaInventory.exe /apps /fast /ext "exe,sys" /output "C:\Users\rweijnen\AppData\Local\Microsoft\WebSetup\Panther\WICA_Programs_REMKOLAPTOP.xml" /log "C:\Users\rweijnen\AppData\Local\Microsoft\WebSetup\Panther" "c:\Users\rweijnen\AppData\Local\Temp\1fd52b5b-2609-4156-ac02-49dca27a0a8d\WebSetupExpanded"
Debugged application message: Info SkuGetEditionOfferInfo: Filter Attribute Name [ Standard ] Value [ 1 ]
Debugged application message: Info GetOffers Query Structure
Debugged application message: Info Include physical media [ Yes ]
Debugged application message: Info Host OS License State [ Genuine ]
Debugged application message: Info Host OS Architecture [ 64Bit ]
Debugged application message: Info Host OS Language [ 1033 ]
Debugged application message: Info Host OS Edition [ Ultimate ]
Debugged application message: Info Host OS Version [ 6.1.7601 ]
Debugged application message: Info Host Edition Type: [ COMPLETE ]
Debugged application message: Info Offer Edition [ (null) ]
Debugged application message: Info User UI Language [ 1033 ]
Debugged application message: Info [ConX::Compatibility::Wica::RunScanner] Started application scan.
Debugged application message: Info Number of Offers returned [ 1 ]
Debugged application message: Info PRERELEASE offer index [ 0 ]
Debugged application message: Info Product ID [ WN7-00114_64Bit ] BackupMedia ID [ ]
Debugged application message: Info GetOffers succeeded!
Debugged application message: Info Getting Ready for the PreRelease flow
Debugged application message: Info ConX::Setup::Web::COnlineStore::SelectOffer: [ WN7-00114_64Bit ]
Debugged application message: Info ConX::Setup::Web::COnlineStore::StartCheckoutInternal
From this debug output I could see that is calls WicaInventory.exe and writes a log file and an XML file into %AppData”%\Local\Microsoft\WebSetup\Panther\”.
Interesting to see what’s in there.
But finally we get to the point where it crashes:
[ConX::Compatibility::Wica::GetDeviceList] Loading list of devices.
The instruction at 0xFEE49A8 referenced memory at 0x0. The memory could not be read -> 00000000 (exc.code c0000005, tid 8668)
From the disassembly we can see it’s a bug, at function start is the instruction xor edi, edi (after which edi is 0) after that follows and [ebp+var_240] which makes that variable 0 (var_240 equals ebp (the stack pointer) – 240h which you saw in the Visual Studio debugger screenshot):
.NET .NET FrameWork Active Directory Altiris Apple Automation Manager Citrix Dell Delphi Excel Exchange Exchange2003 Exchange2010 Hack HP iOS Java LinkedIn Linux Lync MSI Office Office 2010 Passat Password PowerPoint PowerShell RES RNS510 SasLibEx SCOM Security Terminal Server ThinApp TSAdminEx VBS VCDS Visual Basic Visual Studio VMWare Volkswagen VW Windows PE Wordpress XenApp