Thursday, March 19, 2015

What Have I Been Working On the Past Year?

Windows 10. It is interesting to hear my boss' historical perspective. It is good inside info if you don't work at Microsoft.

Monday, March 16, 2015

Making Changes to the Windows Kernel

We all have to modify the Windows kernel from time to time...am I right?  If you are like me, you don't have to do it all that often, but when I do, I always seem to forget to do these small things.

The kernel you build must be signed or it will not load.  As a side note, many core DLLs must also be signed, cfgmgr32.dll for instance.  They are checked by smss.exe early in boot, and the system will bugcheck (with 0xc000021a, aka STATUS_SYSTEM_PROCESS_TERMINATED) if they are not signed.  Also, how is the build signed?  If it is a PRS-signed build, you will need to install the test signing certificate on the target if you want to run a test-signed kernel.  Make sure these environment variables are set before you build:
set NT_SIGNCODE=1
set NT_SIGNCODE_PH=1

Your kernel and HAL need to match.  This may also be the case with other components like ACPI, etc., but those are less likely to cause you problems.  You should always build and replace the kernel and the HAL together.

They are found in c:\windows\system32\ and are called:
x86
ntkrpamp.exe
halmacpi.dll
=or=
AMD64
ntkrnlmp.exe
hal.dll

You can just clobber them and reboot, but your system will probably just bugcheck, and then you have no working kernel to fall back to.  I would suggest copying them in under alternative names and pointing the boot configuration at those, so the original kernel and HAL stay in place.  Try the following:
reagentc /disable
bcdedit /bootdebug on
bcdedit /set BootStatusPolicy IgnoreAllFailures
bcdedit /set testsigning yes
bcdedit /set kernel mykernel.exe
bcdedit /set hal myhal.dll

Likewise, you should set up a kernel debugger (KD) connection on the target so you can see which bugchecks you are hitting.  Ex:
    bcdedit /debug on
    bcdedit /dbgsettings 1394 channel:1
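Putting the steps above together, here is an added example script (not from the original post) that stages a test-signed kernel/HAL pair under alternate names and applies the bcdedit switches to a copied boot entry rather than to {current}, so the stock entry still boots if the test build bugchecks. It assumes the build output lives in C:\build as ntkrnlmp.exe and hal.dll (an AMD64 build) and is run from an elevated PowerShell prompt.

```powershell
# Added example, not the post's own script. Assumed: C:\build holds the freshly
# built, test-signed ntkrnlmp.exe and hal.dll; run elevated.
param(
    [string]$BuildDir   = 'C:\build',       # assumption: your build output directory
    [string]$KernelName = 'mykernel.exe',   # alternate names, as in the post
    [string]$HalName    = 'myhal.dll'
)

$sys32 = Join-Path $env:SystemRoot 'System32'
$pair  = @{ 'ntkrnlmp.exe' = $KernelName; 'hal.dll' = $HalName }

# Kernel and HAL must be replaced together; refuse to stage half a pair.
foreach ($f in $pair.Keys) {
    if (-not (Test-Path (Join-Path $BuildDir $f))) { throw "missing $f in $BuildDir" }
}

# An unsigned kernel will not load, so check before touching the system.
# A test-signed binary reports a status other than 'Valid' until the test
# certificate is installed on this machine, so only reject truly unsigned files.
foreach ($f in $pair.Keys) {
    $sig = Get-AuthenticodeSignature (Join-Path $BuildDir $f)
    if ($sig.Status -eq 'NotSigned') { throw "$f is not signed and will not load" }
    Write-Host "$f : $($sig.Status) ($($sig.SignerCertificate.Subject))"
}

# Stage under the alternate names; the installed kernel and HAL are untouched.
foreach ($f in $pair.Keys) {
    Copy-Item (Join-Path $BuildDir $f) (Join-Path $sys32 $pair[$f]) -Force
}

# Clone the current boot entry instead of editing it. bcdedit prints
# "The entry was successfully copied to {GUID}."; pull the GUID out of that.
$text = (bcdedit /copy '{current}' /d 'Windows (test kernel)') -join ' '
if ($text -notmatch '\{[0-9a-f-]+\}') { throw "bcdedit /copy failed: $text" }
$id = $Matches[0]

# The same switches the post lists, scoped to the new entry only.
bcdedit /set $id kernel $KernelName
bcdedit /set $id hal $HalName
bcdedit /set $id testsigning on          # refused while Secure Boot is enabled in firmware
bcdedit /set $id bootstatuspolicy ignoreallfailures
bcdedit /set $id debug on
bcdedit /set $id bootdebug on
bcdedit /dbgsettings 1394 channel:1      # /dbgsettings is global, not per entry
reagentc /disable                        # as in the post: keep WinRE from taking over after failed boots
bcdedit /timeout 10                      # leave time to pick the stock entry at the boot menu
Write-Host "Created boot entry $id; choose 'Windows (test kernel)' from the boot menu."
```

If the test kernel bugchecks, the original entry is still selectable from the boot menu, and `bcdedit /delete $id` removes the test entry once you are done.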

But what if you forgot one of these steps and now your machine is in a bugcheck loop that you can't debug?  You can add them temporarily by pressing F10 while the Windows boot manager is running, which lets you enter them as boot options for that boot only.

If you need to change the kernel and the PC will not boot, you can simply change the kernel or HAL offline using WinPE.  There are lots of ways to get into WinPE, so I won't describe them here.

Handy tip: here is the command to see which drive letter is mapped to which volume in WinPE:
    wmic LOGICALDISK LIST BRIEF

Hopefully this was a handy refresher!