Hello!
Less than half of the year! I'm here again!)
I have a portable version of a program. In my PE is running and working. As part of this program is help-file is implemented as an Exe-file. This file does not start. (
In the Windows XP-system everything works fine.
Is this problem solved?

Yes/No.
http://homepage.ntlworld.com./jonathan.deb...no-answers.html

Maybe if you post an EXACT reference to the program (you see, my crystal ball is re-known to be perpetually out of tuning and all I can see in it is some fog - but a cyrillic one ).


jaclaz

Yes/No.

This is true!) People often do raise questions!))) Do not hesitate!)

I have additional my question. How do I fix this?

The file can be run without the main program. It's here: http://www.fayloobmennik.net/1709141

you see, my crystal ball is re-known to be perpetually out of tuning and all I can see in it is some fog - but a cyrillic one

The machine was not able to translate it in an understandable way. (

Whenever someone asks a question WITHOUT giving sufficient DETAILS, see:
http://homepage.ntlworld.com./jonathan.deb...ard-litany.html

I need to guess.

I hate guessing.

So I must use a crystall ball:


Unfortunately my crystal ball does not work too well, and usually all I can see in it is some fog.



A tool that you must learn to use is dependency walker:
http://www.dependencywalker.com/


jaclaz

Thank you!

dependency walker

If I understand correctly ...
This program will show what the system files needed to run my file?
Is this true?

http://homepage.ntlworld.com./jonathan.deb...ard-litany.html

Do not be angry with me, please. (
I will try to adhere to the recommendations.)

Yes , that is the idea.
Basically there are three "kinds" of dependencies:

1. hardcoded/static ones <- you will find them with depends.exe by simply opening the program (help.exe in this case)
2. dynamic ones <- you will find them with depends.exe by using the "profile" option to actually load and execute the program
3. "other" ones <- these are more difficult to find, and you will have to use procmon and/or regmon/filemon to hopefully detect them

Very often you need to run depends.exe TWO times, one in the "full" XP where the app works correctly and one in the PE where it fails, saving and comparing the logs.


I am not at all angry with you .
Simply explaining HOW you can get better response and troubleshoot issues faster.


jaclaz

I started this program to preview. I opened my file in it. (Windows XP).
The program reported two errors - the lack of files: Ieshims.dll and Wer.dll. I was surprised and thought that it is not critical (because the file is worked). On the system drive them really was not.
Then I did it in PE. I was even more surprised when the program is reported only about one error - no file MSJava.dll. I thought then, that before turning to the first two files, I need this file.
I was shocked that I have on the system drive Windows XP did not have this file and my file works!!!

Sometimes READing the instructions does help :
http://www.dependencywalker.com/faq.html
That is FAQ #3:



jaclaz

Very often you need to run depends.exe TWO times, one in the "full" XP where the app works correctly and one in the PE where it fails, saving and comparing the logs.

I do not understand how to save logs.
This is an elementary need to copy the text of the lower window and put the text in Notepad?
Do I understand correctly?

File->Save as...
There are several formats available, .dwi is the "internal format", that you can save and re-open in DW.
But there are also plain text files.
Typical usage:

1. Boot XP.
2. Run DW.
3. Load Help.exe.
4. Profile Help.exe
5. Save as XPhelp.dwi
6. Boot PE.
7. Run DW.
8. Load Help.exe
9. Profile Help.exe
10. Save as PEhelp.dwi
11. Close DW.
12. Open DW.
13. Load XPhelp.dwi
14. Load PEhelp.dwi
15. Window->Tile vertically
16. Compare visually the two logs.

jaclaz

Profile Help.exe

I did not know what to write in the "Program arguments". I wrote "help.exe."
Everything else is left as it was.

If I understand correctly, I need the lower window.
When loading pehelp.dwi in this window were a few red lines.
The first two:
Warning: At least one delay-load dependency module was not found.
Warning: At least one module has an unresolved import due, to a missing export function in a delay-load dependent module.

At the end of the text:
Second chance exception 0xC0000005 (Access Violation) occured in "KERNEL32.DLL" at address 0x7C8024E5

I then compared the texts of two files completely.
For a few lines are identical except for variations in addresses.
Then, in the window xphelp.dwi was the line:
Loaded "SECUR32.DLL" at address 0x77FE0000 al. Successfully hooked module.
This line is not repeated in pehelp.dwi.

Then I thought that PE is not Secur32.dll. But it is there.

I'm probably completely wrong all doing?

No, the input line is intended for command line parameters (optional), you don't need any in help.exe.
Actually you profile by simply clicking on "profile" and then pressing OK.



But does the same happen when loading XPhelp.dwi?


The Secur32.dll is probably not found or - before that error - *something else* has loaded in a "different way".
Try adding (temporarily) to both your XP and PE the MSJAVA.DLL and the other two "missing" .dll's (you can try placing these files in the same directory where you put help.exe).
In the XP you should have not anymore any of:

If in the PE there are still issues, you should be able to find which one(s) they are, check (expanding the tree) the view in top left window.
It is also possible that a .dll is there but that is not registered properly in the Register (regsrv32.exe).


It is a game of patience.


jaclaz

Actually you profile by simply clicking on "profile" and then pressing OK.

Again, did save the log.
I added all the missing files in the folder sistem32. (I did this in the XP, and in the PE).
Now, there are no messages in the logs that there were no files.

Both logs begins with a single red line:
Warning: At least one module has an unresolved import due to a missing export function in a delay-load dependent module.
(It surprises me that the XP log contains a lot of red lines, and the log PE - only two red lines.)
In addition, the log PE has a red line:
Second chance exception 0xC0000005 (Access Violation) occurred in "KERNEL32.DLL" at address 0x7C8024E5.

Again, the log PE does not contain this line:
Loaded "SECUR32.DLL" at address 0x77FE0000. Successfully hooked module.
(This line is present in the log XP.)
At the command prompt of the PE, I typed the following command:
regsrv32 secur32.dll
There is a message:
secur32. dll was loaded, but to find an entry point for DllRegisterServer failed. Register the file impossible.
Then I put SECUR32.DLL in the program folder. It has not worked.

I have carefully looked at the file peHelp.dwi.
In the list of modules present Delay-load module warning. This MPR.DLL.
In the column "Actual Base" written "Unknown", and in the column "Load Order" written "Not Loaded".
In the tree links module, this module appears as a Duplicate module.
In the list of imported functions the parent module is marked in red line with the function "WNetRestoreConnectionA".

How do I proceed?

I installed on my computer operating system with the same distribution that I used to create a PE.
I did it for the purity of the experiments conducted.
In this connection, log xpHelp.dwi changed.
I give the first example of the differences in the logs:

In xpHelp.dwi there is a line
DllMain(0x77D30000, DLL_PROCESS_ATTACH, 0x0012FD30) in "USER.DLL" called.

This line is in the log peHelp.dwi

In xpHelp.dwi there is a line
DllMain(0x77D30000, DLL_PROCESS_ATTACH, 0x0012FD30) in "USER.DLL" returned 1 (0x1).

But this line is not in the peHelp.dwi

"Generic" advice (not necessarily applying to your case).

Let's say that the program needs "dll A".
And that "dll A" later needs to load "dll B" and "dll C".
If the "dll A" is missing you will never know that "dll B" and "dll C" are needed.

Another example:
"dll A" looks in the Registry for an entry like "dllAsupportDLL=dll D"
If the Registry entry is missing, "dll D" will never be loaded (and not even "traced").

Try looking in the "middle" window which modules are loaded and in which order in the two environments XP and PE.
Set the Depends.exe to use "full paths" and see where the dll's are actually on disk.

Specifically:
Check the WinSXS settings, at least on my machine that help.exe uses an updated COMCTL32 and GDIPLUS:
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.2600.2180_x-ww_a84f1ff9\COMCTL32.DLL
c:\windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.22319_x-ww_f0b4c2df\GDIPLUS.DLL

Let me doubt that USER.DLL is called by that app (USER.DLL is the 16 bit version of the dll), maybe USER32.DLL ....


jaclaz

Hello, jaclaz!
I began to worry that you left me! (
I am glad to see you again!
Thank you for not forget your servant!)

Try looking in the "middle" window which modules are loaded and in which order in the two environments XP and PE.
Set the Depends.exe to use "full paths" and see where the dll's are actually on disk.


I did as you said. Here I see the difference.
Vary the sequence and structure.
In this case the PE is missing some files and some files do not exist in XP.
The order of loading files it matter? How can I change it?

In both lists MPR.DLL designated as "Delay-load module warning".

With your permission I will introduce you to my files. It's here:
http://www.fayloobmennik.net/1772971

Check the WinSXS settings, at least on my machine that help.exe uses an updated COMCTL32 and GDIPLUS

These files are present in two variations:
*_6.0.0.0_x-ww_1382d70a\comctl32.dll
*_6.0.2600.2180_x-ww_a84f1ff9\comctl32.dll
*_1.0.0.0_x-ww_8d353f13\gdiplus.dll
*_1.0.2600.2180_x-ww_522f9f82\gdiplus.dll

Let me doubt that USER.DLL is called by that app (USER.DLL is the 16 bit version of the dll), maybe USER32.DLL ....

Oh! I beg your pardon! Translator by Google ate "32"! (((

Please do not leave me!

You are seemingly tracing on a XP SP2 and on a PE built from "Gold" sources.
You either install a "Gold" XP or (better) create the PE from an integrated SP2 source.
This may or may not make a difference, but at least we remove a possible cause of difference.

Or is there an error in the "version" that depends.exe sees?
PE:
Operating System: Microsoft Windows XP Professional (32-bit), version 5.01.2600 (Gold)
XP:
Microsoft Windows XP Professional (32-bit), version 5.01.2600 Service Pack 2


jaclaz

It is very difficult to understand the translation of Google. (

PE:
Operating System: Microsoft Windows XP Professional (32-bit), version 5.01.2600 (Gold)
XP:
Microsoft Windows XP Professional (32-bit), version 5.01.2600 Service Pack 2

I used the same distribution disk to install XP, and to create a PE. It's true.
You are talking about this?
Is not that right?
To create a PE should I use C: \ WINDOWS?

I understand you correctly?

Good , that first line seems like the "full XP" is SP2 and the PE is built upon "Gold" (without Service Packs) source.
It is possible that it is a problem of depends.exe not parsing the info correctly.


NO, it's OK , you have two choices:
\I386\ on CD
\minint\ on Hd-like
(or you can use \I386\ on Hd-like as well, see here:):
http://www.911cd.net/forums//index.php?showtopic=17504


Yes.

The two traces "fork" rather early:
XP:
Entrypoint reached. All implicit modules have been loaded.
DllMain(0x77F10000, DLL_PROCESS_ATTACH, 0x0012FD30) in "GDI32.DLL" called.
DllMain(0x77F10000, DLL_PROCESS_ATTACH, 0x0012FD30) in "GDI32.DLL" returned 1 (0x1).
DllMain(0x77D30000, DLL_PROCESS_ATTACH, 0x0012FD30) in "USER32.DLL" called.
DllMain(0x77D30000, DLL_PROCESS_ATTACH, 0x0012FD30) in "USER32.DLL" returned 1 (0x1).

PE:
Entrypoint reached. All implicit modules have been loaded.
DllMain(0x77F10000, DLL_PROCESS_ATTACH, 0x0012FD30) in "GDI32.DLL" called.
DllMain(0x77F10000, DLL_PROCESS_ATTACH, 0x0012FD30) in "GDI32.DLL" returned 1 (0x1).
DllMain(0x77D30000, DLL_PROCESS_ATTACH, 0x0012FD30) in "USER32.DLL" called.
LoadLibraryW("LPK.DLL") called from "GDI32.DLL" at address 0x77F3C5C8.

NO ideas right now (if not to try tracing with regmon if at that point a particular Registry key is accessed by USER32.DLL or by GDI32.DLL)


jaclaz

The two traces "fork" rather early:

Yes, I also drew attention to it. This can be seen in my previous posts.

(if not to try tracing with regmon if at that point a particular Registry key is accessed by USER32.DLL or by GDI32.DLL)

Sadly this theme I absolutely do not know.
If you said exactly what I should do, I would have tried.

The two traces "fork" rather early

Here it comes to file USER32.DLL. If I understand correctly.
So I compared the registry for "USER32". I found a mismatch.
There are lines in XP that are not in PE. It is in the SYSTEM hive.

If it was in the hives SOFTWARE or DEFAULT, then I would have tried to edit it.
But there is not file "System" in the PE, which forms System-hive in XP.
Obviously, System-hive in the PE is not formed of the same name file , but with inf - files.

How to add registry entries, and hives with inf - files?
Or am I on the wrong way?

the system hive in PE is not x:\i386\system32\config\system but X:\i386\system32\setupreg.hiv

by the way - I tried to run this help.exe in my BartPE and it does not work either - thats quite unusual as most other apps run fine.
I would consider using another app that can do the same

Thank you for your willingness to help.



I did not understand what you mean?



This file forms the ...System-hive?

yes

I have looked through the files PEBuilder carefully. I have found folder XPSP3 with files in plugins. ( ...\plugin\!custom\z_fbwf\xpsp3).
I also find the file xpSP3res. Dll at ...\plugin\net _all\wpa2\xpsp3res.dll.
File with the same name was discovered at ...\bartpe\i386\system32\xpsp3res.dll. (This probably indicates that the file contained on the distribution disk).
Could this be caused by a mismatch in such things?
Should I get rid of all these objects?