tgoop.com/r_Windows/36669
at sector offset `2,906,112` and has a sector size of `1,927,503,872`
```
dmsetup create snap-main --table '0 1927503872 linear /dev/mapper/snap 2906112'
```
Initially I did it too early and the filesystem wasn't cloned enough, so mounting failed unceremoniously, so I did `dmsetup remove snap-main`, `dmsetup remove snap`, and `zramctl -r /dev/zram1` to blow away what I did. But eventually the recovery got through the disk and now was slowly churning through 45-odd MB, 7.5-or-so GB in the disk, where a failure occurred. Setting up a `zram` device and mapping with `dmsetup` again, the NTFS partition had enough structure to be mounted. But the rule of thumb for NTFS is that `chkdsk` in Windows is what you should use for integrity checking if possible, even from Linux. So a download of Windows 10 installation media later, and I used `qemu` to give me a virtual machine on the spot with 16 cores and 8G of memory.
```
qemu-system-x86_64 -bios ${pathToOVMF.fd} -enable-kvm -M usb=on -cpu host -smp 16 -m 8G -drive file=~/win10.iso,media=cdrom -device usb-tablet -drive file=/dev/mapper/snap,format=raw
```
I let Windows on the snapshot try to boot; it does a `chkdsk`, tries to boot again, system recovery, then bails out with a suggestion to check `C:\Windows\System32\LogFiles\Srt\SrtTrail.txt`. Next boot I try to see if Startup Repair on the media can get further, but same message. Using `dmsetup` pointing to the NTFS partition I can mount it, browse, and unmount.
# What I did
Trying to use `dism /Image:C:\ /Source:D:\sources\install.wim:1` bails with a spurious error about being unable to create a temporary directory on `X:\` while the log lists this:
```
Info DISM DISM Manager: PID=2028 TID=2032 Copying DISM from "C:\Windows\System32\Dism" - CDISMManager::CreateImageSessionFromLocation
Error DISM DISM Manager: PID=2028 TID=2032 Failed to copy the image provider store out of the image. - CDISMManager::CreateImageSessionFromLocation(hr:0x8007025d)
Error DISM DISM.EXE: Could not load the image session. HRESULT=8007025D
```
I shut down the VM and mount the partition, check `/Windows/System32/Dism` and my file browser subtly highlights something odd. Windows executables look like exclamation dialogs (or their application icon) normally, but two had question marks indicating my file browser couldn't actually determine what they were. Comparing against my personal install of Windows 10 confirms the files were damaged. So I overwrote the damaged files with my personal copy, start the VM, and this changes the `dism` error in the logs to `Failed to copy inbox forwarders to temporary location` which is a dead-end for me.
And since I could, I tried seeing what happens if I just copy my `System32` and `SysWOW64` from my install over. Well. It works, shockingly after some spinning at boot. But it appears computer-specific configurations are in `System32` (and later I end up finding out the system's registry lives in `system32/config`) and instead of being prompted for the person's login it's instead trying to ask for *mine* and clicking the text to try to sign in ends up spinning indefinitely (until it eventually BSOD's in the background because the snapshot device filled from Windows doing Windows things.)
Copying over `System32` and `SysWOW64` seems to have legs, so I theory-crafted on if I could just get an untouched source, and it turns out I can pull from the install media's `install.wim`. I mounted the install media's wim using `wimlib`'s `wimmount`.
```
mkdir ~/wim
wimmount /run/media/…/CCCOMA_X64FRE_EN-US_DV9/sources/install.wim 1 ~/wim
```
I tried everything from copying just `System32` and `SysWOW64`, to copying the whole `Windows` directory, and even just the whole contents of the wim over. Doing the last one did try to get the system to stop going into recovery, but endlessly spun. And `dism` would still refuse to do anything with a mix of the others, with similar errors.
# What worked
Once I learned that I may have been overwriting the registry with my previous experiments, I copied aside `system32/config` and used `rsync` to overwrite `C:\Windows`
`rsync -avP
BY Windows | NT Family
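
The `dmsetup` linear mapping from the post above, as an added example that is not part of the original post: it derives the `--table` string from a partition dump instead of typing the offset and size by hand. The helper name `linear_table`, the partition layout and the device names in the sample dump are constructed for illustration; only the offset `2906112` and size `1927503872` come from the post.

```shell
#!/bin/sh
# Added example. Constructed `sfdisk -d`-style dump; the layout is invented so
# that entry 4 matches the offset and size quoted in the post.
sample_dump() {
cat <<'EOF'
label: gpt
device: /dev/mapper/snap
unit: sectors
sector-size: 512

/dev/mapper/snap1 : start=        2048, size=      204800, type=C12A7328-F81F-11D2-BA4B-00A0C93EC93B
/dev/mapper/snap2 : start=      206848, size=       32768, type=E3C9E316-0B5C-4DB8-817D-F92DF00215AE
/dev/mapper/snap3 : start=      239616, size=     2666496, type=DE94BBA4-06D1-4D40-A16A-BFD50179D6AC
/dev/mapper/snap4 : start=     2906112, size=  1927503872, type=EBD0A0A2-B9E5-4433-87C0-68B6B72699C7
EOF
}

# linear_table DEV ENTRY [DEV_SECTORS]  (hypothetical helper, reads a dump on stdin)
# Prints "0 <size> linear <DEV> <start>" for the ENTRY-th partition line.
# dmsetup tables count 512-byte sectors, so values are rescaled when the dump
# reports a larger logical sector size. Exit codes: 1 no such entry,
# 2 zero-length entry, 3 entry runs past DEV_SECTORS (when given).
linear_table() {
    awk -v dev="$1" -v idx="$2" -v devsz="${3:-0}" '
        /^sector-size:/ { scale = $2 / 512 }
        /start=/ && /size=/ && ++n == idx {
            start = $0; sub(/.*start=[ \t]*/, "", start); sub(/[^0-9].*/, "", start)
            size  = $0; sub(/.*size=[ \t]*/,  "", size);  sub(/[^0-9].*/, "", size)
            if (!scale) scale = 1          # older dumps omit sector-size
            start *= scale; size *= scale
            if (size == 0) { rc = 2; exit }
            if (devsz > 0 && start + size > devsz) { rc = 3; exit }
            printf "0 %.0f linear %s %.0f\n", size, dev, start
            ok = 1; exit
        }
        END { if (rc) exit rc; if (!ok) exit 1 }
    '
}

# Real use would be (assumption: the snapshot device is /dev/mapper/snap):
#   dmsetup create snap-main --table "$(sfdisk -d /dev/mapper/snap | linear_table /dev/mapper/snap 4)"
sample_dump | linear_table /dev/mapper/snap 4
```

Passing the backing device's size in 512-byte sectors as the third argument catches a partition entry that extends past a partially cloned or truncated image before `dmsetup` is asked to map it.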