manual FBreseal question

  • Thread starter Thread starter Chip
  • Start date Start date
C

Chip

Hi,

I have difficulty of using manual FBreseal. My configuration has
Administrator Account and User Account components. In my System Cloning Tool
Component, I changed cmiResealPhase from default 12000 to 0 (so that I can
reseal the machine manually) and cmiRemoveUserSettings from default TRUE to
FALSE (so that I can keep want I change in user account). After FBA and
before reseal, I logged on as a user and used registry editor to add a key
and value. I closed the registry editor and open a cmd window and typed
"fbreseal -keepall". An error message popped up: "FBreseal requires
administrator privilege". So I logged off user account and logged on as an
adminstrator, opened a cmd window and type "fbreseal -keepall". Then I saw
"Machine Resealed" message. Then I used sdimgr to create sdi file for the
sealed image. After that, I deployed the sdi file (by using sdimgr) to the
target computer that has a clean and formatted hard drive. After booting the
XPE image successfully and logged on as a user, I couldn't find the key and
value in the registry, which I added before machine reseal.

Then I thought what I did for the manual fbreseal in the administrator
account was incorrect because the change made in user account was lost. So
next time I repeated the same process except trying a little different thing
for manual fbreseal. After I made the change to the registry in the user
account, I rebooted the computer with WinPE CD. Then I changed to
C:\Windows\system32 folder and typed "FBreseal -keepall", I got an error
message "SetupCL is missing". What have I done wrong?

Is there a way that I can keep my change in the registry in user account
after FBA and carry the change to the deployment?

Additional Info: My build was created in XPE SP2 but I upgraded the
development tool and component databse to FP2007 three weeks ago. But I
didn't upgrade the components in my configuration to FP2007 for the fear of
causing problems to my configuration. I did the dependency check and creating
the image in FP2007. I believe technically I am still working on XPE SP2.

Thanks in advance
 
Chip,

First of all, you don't run fbreseal from WinPE. It must be launched from within a session of the runtime itself.
Running fbreseal indeed requires the admin privileges.

I don't know why the registry value you added logged under the user account didn't persist through the cloning process but could you
provide more details on what registry key/value did you change/add?
 
Hi KM,

I was trying to follow Sean Liming's great article “Different Shells for
Different Users†at http://msdn2.microsoft.com/en-us/library/ms838576.aspx.
My intention was to create two different shells for two different accounts to
run my company's medical device software. One was the administrator shell
that allowed the administrator to use the explorer shell to run our software
plus any admin task needed. The other one was user shell that would
automatically start our company software upon user logon. I included Admin
Account, User Account, and Explorer Shell components in my configuration. I
changed the value of the key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows
NT\CurrentVersion\IniFileMapping\system.ini\boot\Shell to
"USR:Software\Microsoft\Windows NT\CurrentVersion\Winlogon"
through the “Extra Registry Data†in the configuration. In my System
Cloning Tool
Component, I changed cmiResealPhase from default 12000 to 0 and
cmiRemoveUserSettings from TRUE to FALSE. I ran dependency check, built the
image and booted XPE.

Then I logged on as a user and started registry editor to add the key
“HKEY_Current_User\Software\Microsoft\Windows
NT\CurrentVersion\Winlogon\Shell†and the value “D:\My
Company\MyFolder\MyApp.exeâ€.

Then I logged on as an administrator and ran "fbreseal -keepall" (after an
unsccessful attempt to do fbreseal in user account). After I deployed the
image with sdimgr to the target computer, booted the image and logged on as a
"user". MyApp.exe wasn't started. Instead, I saw a regular explorer
environment. So I used registry editor and confirmed that the key
“HKEY_Current_User\Software\Microsoft\Windows
NT\CurrentVersion\Winlogon\Shell†and the value “D:\My
Company\MyFolder\MyApp.exe†are missing.

Thanks.
 
Chip,

When you shutdown the image after the manual reseal, can you open up the user hive offline (please use regedit/Load Hive function on
a regular XP machine) to see if the registry value is still there? Just trying to understand who is responsible for cleaning up the
value from the registry - cloning process or fbreseal or something else.

Also, I suggest you to check if switching to a different shell application works on your image before you reseal the image. In other
words, after you add the value, reboot the device and try to log in as the user to see if the shell has changed. If worked, you can
reseal the image then.
 
I can't explain why your registry settings are getting trashed but at least
i can offer a way round the problem.

We had similar problems with our application.

We got round it as follows.

We set up a couple of batch files in a directory on c: (we called it
'firstboot').

The first batch file is run after logon as administrator when the system
first boots the cloned disk (A shortcut to the batch file is on the
administrators desktop). It does a number of things:

1. Sets the computer name and workgroup (these are defined very carefully
we can't accept the OEM-xxxyyyxxx format)
2. Adds autologon registry keys and the registry keys for different shells
for different users (the LOCAL_MACHINE keys)
3. Re-boots the system

Then when the system re-boots it automatically logs on as our 'user' to a
windows shell we run the second batch file (again a shortcut is on the users
desktop) which adds the CURRENT_USER bits of the registry to run our app as a
shell then re-boots again. then the system automatically logs on as user and
runs our app.

doing it this way is no real hardship for us, we ahve to test the unit
anyway (soemtimes with external test programs) so these couple of steps are
simply included in our test procedure.

Hope this is of help.
 
Hi Kevin,

Thanks for your help. It appeared what I did was very similar to yours
except you are running batch files under admin and user logon and I was
manually changing the registry by regedit. My application actually worked
right after changing CURRENT_USER in the registry. When I re-logged on as a
user, my user shell lauched my company software with no problem. The problem
was after I did a manual fbreseal and deploying the same image to the target
computer, the user shell didn't launch my application and found out
CURRENT_USER... that I had added was missing by the confirmation of regedit.

Currently, I am trying KM's suggestion by loading the key of my interest
(CURRENT_USER...) offline from the registry after fbreseal. I think I should
be able to find out weather it is the problem of the fbreseal tool or the
sdimgr. I will keep you guys posted.

The other thing I may look at is the compatibility issue that arised from my
recent upgrade from XP SP2 to FP2007. The development tool and component db
were upgraded to FP2007 but my configuration has not. I am thinking there
could be issues on running dependency checking of SP2 configuration with
FP2007 Dependency checker.

Regards,
 
Back
Top