Hello All, Ron Riddle right here once again to share an additional mystery referring to the XP Mode Car Publish attribute for Windows 7 that had an sudden root result in. As you may know, the Vehicle Publish function allows applications installed within the guest to be automagically available from the start menu of the Windows 7 host. Of course, one requirement for this to work properly is that the function must be enabled; however, I have encountered two such instances where the attribute is listed as ‘Not Available’ within the Virtual PC Settings UI once the guest is started.
Debugging the Issue
The Virtual PC Integration Components Services Application (1-vmsrvc) service, which runs within a vmsrvc.exe instance on the guest, decides whether the Car Publish attribute should be enabled. For non-Windows seven guests, the first thing 1-vmsrvc does is issue a WMI query to determine whether KB961742 (for an XP guest) or KB961741 (for a Vista guest), which provide Remote Applications Integrated Locally (RAIL) support, have been applied.
Root Lead to Analysis
Before we issue the WMI query, we must first activate the CLSID_WbemLevel1Login component. Here’s an excerpt below:
0:009> k
ChildEBP RetAddr
00b1f730 74ef186e wbemprox!CDCOMTrans::DoActualCCI+0x3d
00b1f774 74ef15db wbemprox,
microsoft Office 2010 Serial!CDCOMTrans::DoCCI+0x12d
00b1f830 74ef17e4 wbemprox,
Office 2007 Keygen!CDCOMTrans::DoActualConnection+0x25c
00b1f85c 74ef1ee1 wbemprox!CDCOMTrans::DoConnection+0x25
00b1f89c 01018283 wbemprox!CLocator::ConnectServer+0x7c
00b1fae8 010182da vmsrvc!VPCRAILUpdates::Connect+0xa8
00b1faf4 0101842b vmsrvc!VPCRAILUpdates::QueryInstalledFixes+0xb
00b1fe34 0100b61f vmsrvc!VPCRAILUpdates::CheckIfUpdatesArePresent+0x 91
00b1ffb4 7c80b729 vmsrvc!Win32VPCAppPublisherService::AllowListNotif icationThreadProc+0x90
00b1ffec 00000000 kernel32!BaseThreadStart+0x37
However, I noticed that the activation attempt failed with WBEM_E_CRITICAL_ERROR(0x8004100a).
0:009> r eax
eax=8004100a
So, I proceeded to debug the activation attempt from within the Windows Management Instrumentation(winmgmt) service, since it provides the class factory for this component. Notice the call to LoadLibraryExW passing a relative path for the lpFileName parameter. This means that a search strategy must be applied which leverages the PATH environment variable.
0:002> k
ChildEBP RetAddr
0086f438 594976e2 kernel32!LoadLibraryExW
0086f494 7751d8a7 wmisvc!CForwardFactory::CreateInstance+0xf8
0086f4b8 7751daac ole32!GetInstanceHelperMulti+0x20
0086f578 77e799f4 ole32!CObjServer::CreateInstance+0x251
0086f59c 77ef421a RPCRT4!Invoke+0x30
0086f9a8 77ef4bf3 RPCRT4!NdrStubCall2+0x297
0086fa00 77600c15 RPCRT4!CStdStubBuffer_Invoke+0xc6
0086fa40 77600bbf ole32!SyncStubInvoke+0x33
0086fa88 7752ad31 ole32!StubInvoke+0xa7
0086fb60 7752ac56 ole32!CCtxComChnl::ContextInvoke+0xe3
0086fb7c 776007f5 ole32!MTAInvoke+0x1a
0086fbac 77602df3 ole32!AppInvoke+0x9c
0086fc80 77600715 ole32!ComInvokeWithLockAndIPID+0x2c2
0086fccc 77e794bd ole32!ThreadInvoke+0x1cd
0086fd00 77e79422 RPCRT4,
Office Professional 2010!DispatchToStubInC+0x38
0086fd54 77e7934e RPCRT4!RPC_INTERFACE::DispatchToStubWorker+0x113
0086fd78 77e8a384 RPCRT4!RPC_INTERFACE::DispatchToStub+0x84
0086fdb8 77e8a3c5 RPCRT4!RPC_INTERFACE::DispatchToStubWithObject+0xc 0
0086fdf8 77e7bcc1 RPCRT4!LRPC_SCALL::DealWithRequestMessage+0x2cd
0086fe1c 77e7bc05 RPCRT4!LRPC_ADDRESS::DealWithLRPCRequest+0x16d
0:002> du poi(esp+4)
59491668 "wbemcore.dll"
Surprisingly, I found that the requested library could not be found using the standard search strategy.
0:002> !gle
LastErrorValue: (Win32) 0x7e (126) - The specified module could not be found.
LastStatusValue: (NTSTATUS) 0xc0000135 - Unable To Locate Component This application has failed to start because %hs was not found. Re-installing the application may fix this problem.
I then decided to enable boot logging within the Process Monitor tool to catch a glimpse into why the load for wbemcore.dll was failing. Here’s an excerpt from the Process Monitor log:
8:18:11.1652951 PM svchost2.exe 1628 QueryOpen C:\WINDOWS\system32\%SystemRoot%\system32\wbemcore .dll PATH NOT FOUND
8:18:11.1653627 PM svchost2.exe 1628 QueryOpen C:\WINDOWS\system32\%SystemRoot%\wbemcore.dll PATH NOT FOUND
8:18:11.1654161 PM svchost2.exe 1628 QueryOpen C:\WINDOWS\system32\%SystemRoot%\System32\Wbem\wbe mcore.dll PATH NOT FOUND
At this point, it became clear to me that something must be wrong with the PATH environment variable configuration because the SystemRoot environment variable was not being properly expanded. Sure enough, the registry showed that the Path value was of type REG_SZ rather than REG_EXPAND_SZ.
Once I saved off the data for the Path value and recreated it specifying the proper type(REG_EXPAND_SZ), the issue was resolved!
Sidenote on the Debugging Strategy
I chose to debug the services by attaching ntsd.exe and redirecting the session to the kernel debugger. Alternatively, I could have chosen to use a remote debugging session since it’s much more natural than redirecting to your kernel debugger, in my opinion. However, this issue was further complicated by the fact that introducing a debugger in the mix had potential to change the timing enough such that I struggled to reproduce the issue using a remote session. The reason for this is that if we slow down the 1-vmsrvc execution enough, the winmgmt service itself will attempt to load wbemcore.dll, albeit through an activation request where an absolute path is specified, thereby avoiding application of a search strategy, which will succeed. Thus,
Office Enterprise 2007 Key, when 1-vmsrvc attempts to activate CLSID_WbemLevel1Login, it will now succeed because wbemcore.dll is already loaded and the Vehicle Publish feature will now be ‘Enabled’!
Configuration
I leveraged the Image File Execution Options key, creating a new entry for vmsrvc.exe and configuring the Debugger value with the following command line:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vmsrvc.exe]
"Debugger"="c:\\debuggers\\ntsd.exe -d -y srv*c:\\vmsrvc -c \"bu vmsrvc!Win32VPCAppPublisherService::AllowListNotif icationThreadProc;bu wbemprox!CDCOMTrans::DoActualCCI;g\""
I also isolated the winmgmt service into its own svchost.exe, copied %systemroot%\system32\svchost.exe to %systemroot%\system32\svchost2.exe, and then created a new key for svchost2.exe with the following command line:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\svchost2.exe]
"Debugger"="c:\\debuggers\\ntsd.exe -d -y srv*c:\\winmgmt -c \"bu wmisvc!CForwardFactory::CreateInstance;g\""
Although redirecting ntsd.exe to the kernel debugger was cumbersome from a usability perspective, I found the ability to debug both processes from a central facility very appealing and worthwhile.
Conclusion
For issues like these that ultimately resolve to a misconfiguration of the OS, I can’t help but think how unfortunate it was that I didn’t stumble onto root result in sooner via the routine task of launching some executable from a command shell. Surely this would have been a red flag and could have saved me a lot of time debugging!
While this was a rather extreme example of how a misconfiguration of the OS can affect other seemingly unrelated parts such as the Vehicle Publish feature of XP Mode, the take-away right here is when you detect that the Vehicle Publish feature is ‘Not Available’, you should begin with standard WMI troubleshooting; and,
Office Standard, as we’ve just seen here, a quick sanity check of the environment might not be a bad idea either! :)
Until next time, happy debugging!
microsoft Office 2010 Serial Windows 7 XP Mode –
Linear Mode
