« on: March 23, 2017, 07:26:45 AM »
Yes it's IDA 6.8 with loaded x64 explorer.exe version 14393.
I guess the CTray object has its own function to enable\disable the show desktop functionality.
« on: March 23, 2017, 07:07:00 AM »
You rock man
Seems it's explorer itself that sends this message.
« on: March 23, 2017, 12:58:39 AM »
They should not be replaced, but could be added.
But there is no need. SMI key is handled by SxS_Unknow Section of the WoW64 Plugin.
« on: March 22, 2017, 07:59:52 AM »
IA64 is an old architecture already superseded by AMD64.
ARM and ARM64 are very new architectures. You can ignore them for now.
It seems Microsoft does not really know what they want with ARM and their Windows RT version.
« on: March 22, 2017, 07:55:59 AM »
On SxS errors, always check the manifest of the application.
This DMDE version 3.2 probably needs a newer VCRuntime-
« on: March 22, 2017, 06:48:25 AM »
Microsoft is moving a lot of code into *base.dll or *.core.dll files.
To have good application compatibility you should add all of them to your WinPE.
« on: March 22, 2017, 02:51:34 AM »
Hmm, it will be difficult to find it for other versions.
Would be easier if we could find the reason why this byte is set in WinPE.
« on: March 22, 2017, 12:46:55 AM »
Great work Noel
For x86 it's *CTrayObj + 0x231
« on: March 22, 2017, 12:44:26 AM »
Good news: today, on a new Windows 10 RS2 machine, I could reproduce all problems.
The memory patching of wimgapi.dll used by the winload extraction causes quite some memory corruption
and leads to strange results. Actually I wonder why it does not crash.
For the percent progress, it's really a math problem.
The language has no unsigned integers, so I have to change quite a bit.
« on: March 21, 2017, 04:01:22 AM »
I couldn't really reproduce this locked folder problem you mentioned. But so far the x64 version is now fully working here.
« on: March 21, 2017, 03:54:25 AM »
The GetBinaryType API has a couple of problems when running from an older OS on newer files.
Maybe this can be a better way.
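Func GetDriverSys_Info($sDriverFile)
    Local $hFile, $Buffer, $aReturn[3]
    $hFile = FileOpen($sDriverFile, 16) ; 16 = binary read mode
    If $hFile = -1 Then Return SetError(1, 0, 0) ; FileOpen returns -1 on failure
    $Buffer = FileRead($hFile, 1024)
    Local $iReadError = @error ; save it, FileClose resets @error
    FileClose($hFile)
    If Not $iReadError Then
        If BinaryMid($Buffer, 1, 2) = 0x5A4D Then ; "MZ" signature
            ; e_lfanew is at file offset 0x3C; the Machine field follows the 4-byte PE signature
            Switch BinaryMid($Buffer, Int(BinaryMid($Buffer, 0x3D, 4)) + 5, 2)
                Case 0x8664 ; IMAGE_FILE_MACHINE_AMD64
                    $aReturn[0] = 'x64'
                Case 0x014C ; IMAGE_FILE_MACHINE_I386
                    $aReturn[0] = 'x86'
                Case 0x01C4 ; IMAGE_FILE_MACHINE_ARMNT
                    $aReturn[0] = 'ARM'
                Case 0xAA64 ; IMAGE_FILE_MACHINE_ARM64
                    $aReturn[0] = 'ARM64'
            EndSwitch
            If $aReturn[0] Then
                $aReturn[1] = FileGetVersion($sDriverFile, 'FileVersion')
                $aReturn[2] = FileGetVersion($sDriverFile, 'FileDescription')
                Return $aReturn
            EndIf
        EndIf
    EndIf
    Return SetError(2, 0, 0)
EndFunc

Local $aDriverInfo = GetDriverSys_Info("C:\Windows\System32\drivers\3ware.sys")
If Not @error Then
    ConsoleWrite('Architecture: ' & $aDriverInfo[0] & @CRLF)
    ConsoleWrite('Version: ' & $aDriverInfo[1] & @CRLF)
    ConsoleWrite('Description: ' & $aDriverInfo[2] & @CRLF)
EndIf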
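Added example, not part of the original post: the same Machine-field lookup in Python, extended to check the PE signature and to reject an e_lfanew that points outside the bytes read, two cases a file-triage script should not guess on. The function names, the IA64 entry and the `build_header` sample generator are assumptions made for this illustration.

```python
import struct

# IMAGE_FILE_MACHINE_* values from the PE/COFF specification
MACHINE_NAMES = {
    0x014C: "x86",
    0x8664: "x64",
    0x01C4: "ARM",    # ARMNT (Thumb-2)
    0xAA64: "ARM64",
    0x0200: "IA64",
}


def pe_machine(data: bytes) -> str:
    """Return the architecture name of a PE image, or raise ValueError."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    # e_lfanew: 32-bit little-endian offset of the PE header, stored at 0x3C
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    # Signature (4 bytes) plus Machine (2 bytes) must lie inside the buffer
    if e_lfanew + 6 > len(data):
        raise ValueError("PE header offset outside the data read")
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    (machine,) = struct.unpack_from("<H", data, e_lfanew + 4)
    if machine not in MACHINE_NAMES:
        raise ValueError(f"unknown machine type 0x{machine:04X}")
    return MACHINE_NAMES[machine]


def pe_machine_of_file(path: str, limit: int = 4096) -> str:
    """Read only the first `limit` bytes of a file and classify it."""
    with open(path, "rb") as f:
        return pe_machine(f.read(limit))


def build_header(machine: int, e_lfanew: int = 0x80) -> bytes:
    """Constructed sample (e_lfanew >= 0x40): MZ stub, PE signature, Machine."""
    dos = bytearray(e_lfanew)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    return bytes(dos) + b"PE\0\0" + struct.pack("<H", machine)


if __name__ == "__main__":
    for m in (0x8664, 0x014C, 0x01C4, 0xAA64):
        print(hex(m), pe_machine(build_header(m)))
```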
« on: March 15, 2017, 07:01:01 AM »
It's a known problem and not limited to WinPE only.
« on: March 10, 2017, 05:50:57 AM »
Thank you very much for these bug reports.
I currently don't have much time and am also playing with a compiler update.
So here is a test version; I hope I addressed all problems.
« on: March 05, 2017, 07:40:52 AM »
In the same folder where gwt.exe is located.
« on: March 01, 2017, 01:51:39 AM »
Good that they fixed it
The bcdedit.exe is still linked against the win10 API set and therefore cannot run on Windows 7.
Has anyone noticed any improvement over the 1511 version?
« on: February 25, 2017, 11:48:48 PM »
Well you have to wait until Chris is back.
On a normal Windows 8+ PE, the mouse cursor is hidden until winpeshl.exe enables it.
The startup of our WinPEs has a bit too much complexity to just make a small change without breaking something.
Is there really the need to call PENM before shell?
« on: February 03, 2017, 10:38:09 PM »
First remove the drive letter of C:\ drive, if it exists.
mountvol C: /D
Then use subst
subst C: X:\
« on: February 03, 2017, 12:21:59 AM »
No, there is no option.
Just use subst to add another drive letter for the system drive.
« on: January 28, 2017, 07:58:37 AM »
Welcome back after quite a long time
Not true. ShutdownPE was updated for Win 8.1. The latest release is 1.5.x and was posted back in Jan of 2015; script version is .17
I do not know why chrisR continued to use the old 1.4.x version. He never reported any issues on the 1.5 beta. As far as I am aware there are no outstanding issues with 1.5.x
Oh, my bad. Can you post a link to it, because I still cannot find this 1.5.x version.
« on: January 13, 2017, 05:37:24 AM »
Makes no sense to me.
There is no guarantee that the project will work with such a source.