Mark Minasi's Windows Networking Tech Page
Issue #72 August 2008

Document copyright 2008 Mark Minasi; please see below for info on subscribing, unsubscribing or copying portions of this text.

What's Inside

  • News
    • Our Two-Day Vista Support and Server 2008 seminars coming to Seattle, Dallas, and Parsippany in September and December
    • Mastering Windows Server 2008: Networking Fundamentals is out
  • Tech Section
    • Making Pkgmgr Work in Vista and Server 2008 to Apply Patches Offline
  • Conferences
  • Bring a Seminar to Your Site
  • To Subscribe, Unsubscribe, Read Old Newsletters or Change Your Email Address

News

Hi all —

I finally found the time last week to solve a puzzle that's been bothering me for over a year, namely:  why is the pkgmgr tool that lets you apply patches to a Windows image offline seem to damage those images so often, and how can I make it stop?  I think you'll find the answer helpful if you're working with WIMs (and if you're not, you should be -- they're a useful and free technology).  It turned out to be a simple little bug in pkgmgr that can be worked around easily.  But first, a word from our sponsor...

2008 Server and Vista Classes Coming to Seattle and Dallas in September and Parsippany in December

As you know, in the past year and a half Microsoft has released the Workstation and Server versions of Windows 6 -- Vista and Server 2008 -- and even if you've not implemented them yet, we all know that Resistance Is Futile and so you'll need to know how to plan to fit them into your IT structure, get 'em rolled out, and then maintain and troubleshoot them... so why not learn now?

Of course, you could download a small mountain of white papers (mostly written based on late betas and thus are only partially correct), and spend a few weeks testing it to discover the hundreds of changes that 2008 and Vista bring... or you could come spend a couple of days with me. In my Vista Support and Server 2008 classes, I'll tell you and show you what's changed in Windows — the good, the bad, the wonderful and the awful ... with a chuckle or two thrown in. Please consider joining me for the two-day Vista class, the two-day Server 2008 class, or both. I'll be in Seattle September 15/16 to do the Server 2008 class, Dallas on the week of September 22 to do the Vista and then 2008 class, and Parsippany, NJ in December (we don't have the exact dates yet) to do the Vista and Server 2008 classes. Find out more about the Server class here, the Vista class here, and the schedule information here. Thanks!

Mastering Windows Server 2008: Networking Fundamentals is out

The first of my three Windows Server 2008 books is out finally!  Mastering Windows Server 2008: Networking Fundamentals is now on the shelf at bookstores near you.  You can find out more about it at my page at http://www.minasi.com/2008class/2008books.htm explaining The Master Plan for my three-book series on Server 2008.  Wiley has also put up a sample chapter for this book, which is intended for those just entering the Windows Server field, at http://media.wiley.com/product_data/excerpt/46/04702498/0470249846.pdf.  If you've read my old books then you'll already know most of what's in this first volume, but if you know someone who needs to get started in networking, then please consider suggesting this to him or her.

Tech Section

This month, we solve The Case of the Nonfunctional Deployment Tool.

Making Pkgmgr Work in Vista and Server 2008 to Apply Patches Offline

A couple of years ago, I first heard about the neat new features of Vista and Server 2008's setup and deployment tools.  I was happy to hear that in that you could (at least according to the documentation) first take a Vista/2008 system and put it in cold storage with a Ghost-like imaging tool called ImageX,  and, second, you could install the seemingly interminable hotfixes for those OSes offline with another tool called pkgmgr.

(By the way, in case "offline patching" isn't a term that makes sense, take a look at newsletter #65, when I explain how offline patching makes the job of applying Microsoft's monthly patches go from an hour or two to about ten minutes.)

Pkgmgr, then, sounded like a great boon to IT society... ah, but then I tried it. The whole ImageX thing worked fine to create Ghost-like images that reduced a fully working system to a single file, as I described in newsletter #61, but my experience with pkgmgr was, well, not so delightful. The syntax was ugly, and the online help lacked any really useful examples.  So I Googled it and found no end of Web sites created by people who apparently copied incorrect information from some other Web site onto their Web pages so that, um, other people could then put that (still incorrect) information on some Web page.  (Is simply trying something all that hard? Sorry, I know that sounded cranky, but I'm getting more and more discouraged with the quality of stuff on the Web.  Too bad there's no revenue model for someone to give Web pages the "Good Housekeeping Seal of Approval.")  I knew that the whole install-hotfixes-offline thing couldn't be total nonsense, so I looked further, and discovered that a different tool named peimg.exe did some of that (as I demonstrated in newsletter #65)... but that it lacked a bit and that apparently I was missing something, as everyone else seemed to be ignoring peimg for patching and focusing on pkgmgr.  Several days of experimentation finally yielded syntax that worked and that let me install one patch -- but just one patch; adding subsequent patches blew up the computer's ability to get any new patches at all.  A few more days led me to the complete answer, as you'll see.

What You Need to Make Pkgmgr Work

Restated, pkgmgr's job is to apply Microsoft patches to a Vista or Server 2008 WIM (Windows image file) image without having to install that image on a computer first.  (ImageX lets you create WIMs of XP or 2003 systems, but those WIMs can't be patched in this offline manner.)  Thus, to put pkgmgr to work, you need

  • One or more ("more" would be better) Microsoft patches downloaded in .MSU format.
  • A copy of the latest Windows Automated Installation Kit (WAIK 1.1), which contains pkgmgr, ImageX and the other tools necessary to create and maintain WIM images.  The 9 April 2008 version is the newest as I write this, and
  • A Vista or Server 2008 WIM file created with the ImageX from WAIK 1.1.

Get the New WAIK and Build an Image Called "SP1.WIM"

I've already discussed how to download and install the WAIK in newsletter #59, so I won't repeat that here.  Again, I wrote that based on WAIK 1.0, so you may see some small changes -- for one thing, WinPE now has gray rather than blue-green wallpaper.  I've also already discussed how to create a Vista image with ImageX in newsletter #61.  For this example, I've built an image based on a Vista SP1 system.  For this example, I created a WIM named sp1.wim and placed it in a folder that I called c:\images.  (Of course, you can call your WIM anything that you like -- that's just the name I'll be using in my examples.)

Get A Few Updates

Next, we'll need some post-SP1 updates.  I got four from KBs 950760, 941693, 950762, and 951698. In each case, go to the Knowledge Base article's page on the Microsoft site (usually Googling "KB" followed by the number yields the page on the first hit). Then look under the "Introduction" section of the KB article for a bullet point reading "IT Professionals," and click the hyperlink under that bullet point.  That will take you to a page pointing to different versions of that hotfix built for  different operating systems and SP levels. Each file will have the extension .MSU. Put all four updates into a folder named c:\updates. (Again, "c:\updates" is arbitrary and you can use any name that you'd like, but it's the name that I'll use in this article.)

(Note that while I've talked about security updates, there are also other updates that are not security updates, but instead fixes to provide better performance.  They too are generally distributed as .MSU files and pkgmgr can apply them just as well as it can install security updates.)

Set Up a Few More Folders

So far we've got c:\images that contains sp1.wim and c:\updates that contains the MSUs, but we'll need a few more:

  • Create a folder c:\mount that you can use to mount the sp1.wim image.
  • Create a folder c:\updates\unpack so that you will have a place to store the expanded MSU files.
  • Create a folder c:\sandbox that pkgmgr will use to to expand the updates to -- yes, the MSU files in c:\updates expand to CAB files in c:\updates\unpack which pkmgr then expands further into c:\sandbox.

Expand the MSUs and Delete wsusscan.cab

Open an elevated Windows PE Tools Command Prompt (Start / All Programs / Microsoft Windows AIK / right-click "Windows PE Tools Command Prompt," choose Run as Administrator and click "Continue" at the UAC prompt).  Then type

expand -F:* c:\updates\*.msu c:\updates\unpack

(Note that the -F is case-sensitive.)  There's always an extra useless .MSU file named wsusscan.cab, so delete that:

del c:\updates\unpack\wsusscan.cab

Mount the Vista Image

SP1.wim's got to be mounted in order for pkgmgr to apply patches to it, so do that next from your Windows PE Tools Command Prompt:

ImageX /mountrw c:\images\sp1.wim 1 c:\mount

Remember, we've got to use /mountrw rather than /mount if we want to change an image.

Apply the Package

Time to put pkgmgr to work with the first update, the one from KB 950760.  From the same command prompt, type (it's all one line but I broke it halfway through for to make it a bit more readable):

start /w pkgmgr /ip /m:"C:\updates\unpack\Windows6.0-KB950760-x86.cab" 
 /o:"c:\mount;c:\mount\windows" /s:"c:\sandbox" /l:pklog

That command will require a bit of explanation, so let's pause here and see what you just typed.  First of all, notice that I prefixed the pkgmgr command with "start /w."  I did that because if you just type the "pkmgr /ip..." command, then Vista returns a command prompt immediately, even though pkgmgr hasn't finished its work -- so it's hard to know when it's done.  Adding "start /w" tells Windows not to return the command prompt until the process -- pkgmgr, in this case -- is done.  (If you're using 2008 Server Core, then this may sound familiar -- you need to do the same thing with Server Core's ocsetup program.)  Also, once you've installed WAIK 1.1 on a Vista SP1 system, you'll find yourself with a number of pkgmgr.exe programs, but don't worry about that, as I've run these tests repeatedly using the different versions of pkgmgr on a WAIK-equipped Vista SP1 system and changing pkmgrs doesn't seem to make a difference.

I then invoke pkgmgr with five options:

  • "/ip" means "install package."
  • "/m:" points to the particular CAB file that you want pkgmgr to expand and apply.  Note that you must point to the CAB file rather simply pointing to its folder or its XML file, despite what the documentation and many Web pages say -- offline patch installations will not work otherwise.  If you're wondering how I put together that command line -- nope, I didn't really retype that long file name -- then remember that Vista's got a nice feature in that you can press Shift, then right-click any file in Explorer and you'll get the option "Copy as path," which makes constructing the line a lot easier, although you'll see an even easier version a bit later.
  • "/o:" says that pkgmgr is to install this patch offline to a mounted WIM.  You always follow this with the path to the folder that you mounted the image on, followed by a semicolon and then that same path with "\windows" after it.
  • "/s:c:\sandbox" tells pkgmgr where to expand the CAB files to.  The pkgmgr documentation calls this the "sandbox" folder, although most of us would just characterize it as as a temporary folder.
  • "/l:pklog" tells pkgmgr to create a series of log files.  The easiest one to view is pklog.txt, which you can examine with Notepad.  This option is not mandatory, but I like to do it because it gives me clues about why pkgmgr fails when it does.

That'll all take a minute or two.  When that's done, it's time to...

Unmount the Image

As we've done before in newsletter #59, we unmount sp1.wim with another ImageX command:

ImageX /unmount /commit c:\mount

Don't forget the "/commit," or all of your work will be undone.

Test the Image

Pkgmgr's a pretty fragile tool in my experience and so it's easy for it to damage a WIM.  (For example, do not yet try to add a second update -- I'll show you the trick in a moment.) Unfortunately when pkmgr blows up a WIM, you don't get any obvious error messages, you just get an image that doesn't know what updates it has installed on it any more, and that can't accept new updates.  The quickest way that I've found to validate an image is to point Windows System Image Manager (WSIM, newsletter #60) to the WIM file and ask it to catalog that image.  If WSIM crashes, then pkgmgr's munged your image!  Test the image like so:

  1. Start up Windows System Image Manager (start / All Programs / Microsoft Windows AIK / Windows System Image Manager)
  2. Click File / Select Windows Image and choose c:\images\sp1.wim.
  3. As we saw in newsletter #60, WSIM will ask if you want it to create a catalog file.  Click Yes, remembering to confirm the UAC prompt.
  4. If WSIM stops and raises a dialog box that says "Windows System Image Manager execution failure. / Details: Parameter count mismatch. / Click here to open the log file," the pkgmgr damaged the image.
  5. If, on the other hand, WSIIM didn't crash, then WSIM will show two folders: Components and Packages.  Open up the Packages folder and you should have a Security Updates folder, among others.  Open that and you'll see an entry for the update that you just installed.

Here's an example of what that WSIM screen might look like.  Once I figured out how to install more than one update, I found  found 14 post-SP1 updates -- eight security patches and six non-security updates.  Once cataloged, the image looks in WSIM like the following figure:

If you've counted 16 updates between the "SecurityUpdate" and "Update" folders and are wondering where the other two came from, the answer's simple -- Vista SP1 comes with three non-security updates pre-installed.  One of the new updates that I installed is an update to an update -- KB 938371 -- which is why there are 16 rather than 17 updates visible.

Using pkgmgr is just as simple as that... so long as you're only applying one update.  Add a second, third or whatever, and at that point you can kiss the image goodbye unless, of course, you know the trick.

Adding More Than One Update

The trick is amazingly simple (even if it did take me some time to figure it out):  between pkmgr invocations, delete all files in the sandbox folder.  Despite the fact that pkgmgr populates the sandbox folder and then uses the files in it, pkgmgr's author didn't take the time to check that the files it was using were the ones that it just unpacked from the .CAB file.

Summary

For those looking for the "short version" of how to apply multiple MSU updates to a Vista SP1 or Server 2008 WIM, here it is:

  1. Get the MSU updates and put them in c:\updates. Create folders named c:\updates\unpack and c:\mount.
  2. Use expand.exe -F:* c:\updates\*.MSU c:\updates\unpack to unpack the MSUs to c:\updates\unpack.
  3. Delete c:\update\unpack\wsusscan.cab.
  4. Mount the image that needs the updates to c:\mount using ImageX /mountrw.
  5. For each CAB file in c:\updates\unpack,
    1. Delete any existing folder named c:\sandbox and any subfolders within it.
    2. Create a new folder named c:\sandbox.
    3. Run this command: start /w pkgmgr /ip /m:"C:\updates\unpack\<CAB file name and path>"  /o:"c:\mount;c:\mount\windows" /s:"c:\sandbox" /l:pklog
  6. Unmount the image at c:\mount

Of course, you could do this by hand, or we could cook up a short batch file like this one:

@echo off
set patchdir=c:\patchdir
set updatedir=c:\updates
REM applies multiple patches to an image, using pkgmgr
REM INPUTS: takes the name of a WIM file as in-line input, like
REM applypatches e:mytest.wim
REM OUTPUTS: modified WIM file
REM REQUIRES:
REM Before running this, all desired patches must be in .MSU format
REM in a folder named %updatedir% (unless you put them somewhere else
REM and change the value of the line "set updatedir=" at the top of the
REM batch file.
REM SIDE-EFFECTS: nausea, giddiness, water retention... oops, sorry, I meant:
REM deletes any existing folders "c:\patchdir" and anything inside of it
REM unless you modify the value of the line "set patchdir=" at the top of
REM the batch file.
REM creates:
REM %patchdir%\unpack: unpacked CABs from the MSUs
REM %patchdir%\mount: used to mount the image file
REM %patchdir%\sandbox: where pkgmgr expands CABs to (its "sandbox")
REM %patchdir%\logs: contains pkgmgr's log files
REM
REM Check that (1) user specified a WIM file and (2) it exists 
if "%1"=="" (
echo ERROR:
echo This batch file needs the name of an image file as input, like
echo applypatches c:\images\sp1.wim
goto badend
)

if not exist %1 (
echo ERROR:
echo couldn't find the file "%1"
goto badend
)
REM
REM Check that there's at least one update
if not exist %updatedir%\*.msu (
echo ERROR:
echo This needs at least one patch file --something with an "MSU" extension --
echo in a folder named %updatedir%. Please add at least one patch to the
echo %updatedir% folder.
goto badend
)
REM
REM specify directory to store temporary files


REM delete existing patchtemp folder
rd /s /q %patchdir% 2>NUL
REM create new ones
md %patchdir%
md %patchdir%\unpack
md %patchdir%\mount
md %patchdir%\sandbox
md %patchdir%\logs
set imagename=%1
rem unpack updates from %updatedir% to %patchdir%\unpack
expand -F:* %updatedir%\*.msu %patchdir%\unpack
del %patchdir%\unpack\wsusscan.cab

imagex /mountrw %imagename% 1 %patchdir%\mount

rem and now, run each update
for %%f in (%patchdir%\unpack\*.cab) do (
echo applying patch %%f...
start /w pkgmgr /ip /m:%%f /o:"%patchdir%\mount;%patchdir%\mount\windows" /s:"%patchdir%\sandbox" /l:%patchdir%\logs\pklog
rd /s /q %patchdir%\sandbox 
md %patchdir%\sandbox
) 

imagex /unmount /commit %patchdir%\mount

echo Applypatch operations on %1 apparently complete.
echo.
echo To verify that the patches applied properly, do two things.
echo.
echo First, open %patchdir%\logs\pklog.txt with Notepad and look at the last line 
echo -- look for "Pkgmgr: return code: 0x0." If the value is not 0x0, then 
echo convert the number from hex (use Calculator) and type "net helpmsg nnn," where
echo "nnn" is the decimal value of the echo return code. That may provide clues to
echo why something failed, if it did.
echo.
echo Second, use Windows System Image Manager to open the newly-patched WIM. Let 
echo WSIM create a new catalog file. If WSIM doesn't crash when creating the 
echo catalog file, then the WIM is still internally consistent.

goto realend
:badend
echo Patches not applied.
:realend

To use it, just copy the text to the clipboard, open up Notepad, paste the text, and save it as a file named "applypatches.cmd" somewhere on your system's path -- c:\windows is fine, for example.  I didn't think that you'd want to mess up your system with a lot of junk folders at the root of the drive, and so I've replaced c:\mount, c:\sandbox, and c:\updates\unpack with c:\patchdir\mount, c:\patchdir\sandbox, and c:\patchdir\unpack and placed the logs in c:\patchdir\logs.  Put the MSU files into a folder called c:\updates, as before, and invoke the batch file with just the name of the WIM file, as in

applypatches sp1.wim

Expect a lot of output from the expanded patches, and then just an "applying patch..."  message for each patch as it's being applied.

If you want to give c:\patchdir or c:\updates a different name or put it on another drive letter then just edit applypatches.cmd and change one or both of these lines, which appear at the top of the file, resave the file and then run applypatches.cmd:

set patchdir=c:\patchdir
set updatedir=c\updates

I've tried this on Vista SP1 and Server 2008 images on virtual and physical machines, but I of course cannot guarantee how it'll work on your system.  I hope this saves someone a bunch of time!

Conferences

Besides my public classes, I'm presenting at

  • TechTarget's Vista Roadshow in DC, Atlanta and Minneapolis -- info at http://events.techtarget.com/vista/.  I mentioned a 2008 road show in my mailing to subscribers but unfortunately it's not going to happen -- the events need sponsors and we couldn't put together enough to cover the road show's costs. Sorry... but the Vista shows are still on, so join me there.
  • TechMentor in New York September 7-10.  Note that 1105 is running two events in the fall, the New York event and a show in Las Vegas.  I will be speaking in New York but not in Vegas -- so if you're planning to attend TechMentor in the fall and would like to see me speak then please plan for the New York show!  http://techmentorevents.com/2008/newyork/ for info.
  • Windows Connections Vegas November 10-13:  can't avoid Vegas in the fall, it seems!  Back to the Mandalay Bay -- how can you not love a hotel with its own aquarium? -- to keynote and more.   http://www.devconnections.com/shows/FALL2008WIN/default.asp?s=125 for more info.

Bring Mark to Your Site to Teach

I'm keeping busy doing Vista seminars and writing, but I've still got time to visit your firm.  In just two days, I'll make your current NT techies into 2008, Vista, security, XP, Active Directory or 2003 experts.  (And better yet they won't have to sit through any Redmondian propaganda.)  To join the large educational, pharmaceutical, agricultural, aerospace, utility, banking, government, telecommunication, law enforcement, publishing, transportation, military and other organizations that I've assisted, either take a peek at the course outlines at www.minasi.com/presentations.htm, mail our assistant Jean Snead at Assistant@Minasi.com, or call her at (757) 426-1431 (only between noon-5 Eastern time, weekdays, please).

Special European Discount for On-Site Clients!

Well, sort of,.  Since the dollar's currently so weak against the euro, why not hire me now, before things change?<g>

Until Next Month...

Have a quiet and safe month. 

Please share this newsletter; I hope that it is a useful source of Windows technical information.  Please forward it to any associates who might find it helpful, and accept my thanks.  We are now at over 45,000 subscribers and I hope to use this to get information to every one of my readers. Many, many thanks to the readers who have mailed me to offer suggestions, errata, and those kind reviews.  As always, I'm at http://www.minasi.com/gethelp and please join us at the Forum with technical questions at www.minasi.com/forum.  Thanks for letting me visit with you, and take care. 

To Subscribe/Unsubscribe, Read Old Newsletters or Change Your Email Address

To subscribe, visit http://www.minasi.com/nwsreg.htm. To change e-mail or other info, link to http://www.minasi.com/edit-newsletter-record.htm.  To unsubscribe, link to http://www.minasi.com/unsubs.htm. Visit the Archives at http://www.minasi.com/archive.htm. Please do not reply to this mail; for comments, please link to http://www.minasi.com/gethelp.

All contents copyright 2008 Mark Minasi. You are encouraged to quote this material, SO LONG as you include this entire document; thanks.