Document copyright 2008 Mark Minasi; please see below for info on subscribing, unsubscribing or copying portions of this text.
I finally found the time last week to solve a puzzle that's been bothering me for over a year, namely: why is the pkgmgr tool that lets you apply patches to a Windows image offline seem to damage those images so often, and how can I make it stop? I think you'll find the answer helpful if you're working with WIMs (and if you're not, you should be -- they're a useful and free technology). It turned out to be a simple little bug in pkgmgr that can be worked around easily. But first, a word from our sponsor...
2008 Server and Vista Classes Coming to Seattle and Dallas in September and Parsippany in December
As you know, in the past year and a half Microsoft has released the Workstation and Server versions of Windows 6 -- Vista and Server 2008 -- and even if you've not implemented them yet, we all know that Resistance Is Futile and so you'll need to know how to plan to fit them into your IT structure, get 'em rolled out, and then maintain and troubleshoot them... so why not learn now?
Of course, you could download a small mountain of white papers (mostly written based on late betas and thus are only partially correct), and spend a few weeks testing it to discover the hundreds of changes that 2008 and Vista bring... or you could come spend a couple of days with me. In my Vista Support and Server 2008 classes, I'll tell you and show you what's changed in Windows — the good, the bad, the wonderful and the awful ... with a chuckle or two thrown in. Please consider joining me for the two-day Vista class, the two-day Server 2008 class, or both. I'll be in Seattle September 15/16 to do the Server 2008 class, Dallas on the week of September 22 to do the Vista and then 2008 class, and Parsippany, NJ in December (we don't have the exact dates yet) to do the Vista and Server 2008 classes. Find out more about the Server class here, the Vista class here, and the schedule information here. Thanks!
Mastering Windows Server 2008: Networking Fundamentals is out
The first of my three Windows Server 2008 books is out finally! Mastering Windows Server 2008: Networking Fundamentals is now on the shelf at bookstores near you. You can find out more about it at my page at http://www.minasi.com/2008class/2008books.htm explaining The Master Plan for my three-book series on Server 2008. Wiley has also put up a sample chapter for this book, which is intended for those just entering the Windows Server field, at http://media.wiley.com/product_data/excerpt/46/04702498/0470249846.pdf. If you've read my old books then you'll already know most of what's in this first volume, but if you know someone who needs to get started in networking, then please consider suggesting this to him or her.
This month, we solve The Case of the Nonfunctional Deployment Tool.
Making Pkgmgr Work in Vista and Server 2008 to Apply Patches Offline
A couple of years ago, I first heard about the neat new features of Vista and Server 2008's setup and deployment tools. I was happy to hear that in that you could (at least according to the documentation) first take a Vista/2008 system and put it in cold storage with a Ghost-like imaging tool called ImageX, and, second, you could install the seemingly interminable hotfixes for those OSes offline with another tool called pkgmgr.
(By the way, in case "offline patching" isn't a term that makes sense, take a look at newsletter #65, when I explain how offline patching makes the job of applying Microsoft's monthly patches go from an hour or two to about ten minutes.)
Pkgmgr, then, sounded like a great boon to IT society... ah, but then I tried it. The whole ImageX thing worked fine to create Ghost-like images that reduced a fully working system to a single file, as I described in newsletter #61, but my experience with pkgmgr was, well, not so delightful. The syntax was ugly, and the online help lacked any really useful examples. So I Googled it and found no end of Web sites created by people who apparently copied incorrect information from some other Web site onto their Web pages so that, um, other people could then put that (still incorrect) information on some Web page. (Is simply trying something all that hard? Sorry, I know that sounded cranky, but I'm getting more and more discouraged with the quality of stuff on the Web. Too bad there's no revenue model for someone to give Web pages the "Good Housekeeping Seal of Approval.") I knew that the whole install-hotfixes-offline thing couldn't be total nonsense, so I looked further, and discovered that a different tool named peimg.exe did some of that (as I demonstrated in newsletter #65)... but that it lacked a bit and that apparently I was missing something, as everyone else seemed to be ignoring peimg for patching and focusing on pkgmgr. Several days of experimentation finally yielded syntax that worked and that let me install one patch -- but just one patch; adding subsequent patches blew up the computer's ability to get any new patches at all. A few more days led me to the complete answer, as you'll see.
What You Need to Make Pkgmgr Work
Restated, pkgmgr's job is to apply Microsoft patches to a Vista or Server 2008 WIM (Windows image file) image without having to install that image on a computer first. (ImageX lets you create WIMs of XP or 2003 systems, but those WIMs can't be patched in this offline manner.) Thus, to put pkgmgr to work, you need
Get the New WAIK and Build an Image Called "SP1.WIM"
I've already discussed how to download and install the WAIK in newsletter #59, so I won't repeat that here. Again, I wrote that based on WAIK 1.0, so you may see some small changes -- for one thing, WinPE now has gray rather than blue-green wallpaper. I've also already discussed how to create a Vista image with ImageX in newsletter #61. For this example, I've built an image based on a Vista SP1 system. For this example, I created a WIM named sp1.wim and placed it in a folder that I called c:\images. (Of course, you can call your WIM anything that you like -- that's just the name I'll be using in my examples.)
Get A Few Updates
Next, we'll need some post-SP1 updates. I got four from KBs 950760, 941693, 950762, and 951698. In each case, go to the Knowledge Base article's page on the Microsoft site (usually Googling "KB" followed by the number yields the page on the first hit). Then look under the "Introduction" section of the KB article for a bullet point reading "IT Professionals," and click the hyperlink under that bullet point. That will take you to a page pointing to different versions of that hotfix built for different operating systems and SP levels. Each file will have the extension .MSU. Put all four updates into a folder named c:\updates. (Again, "c:\updates" is arbitrary and you can use any name that you'd like, but it's the name that I'll use in this article.)
(Note that while I've talked about security updates, there are also other updates that are not security updates, but instead fixes to provide better performance. They too are generally distributed as .MSU files and pkgmgr can apply them just as well as it can install security updates.)
Set Up a Few More Folders
So far we've got c:\images that contains sp1.wim and c:\updates that contains the MSUs, but we'll need a few more:
Expand the MSUs and Delete wsusscan.cab
Open an elevated Windows PE Tools Command Prompt (Start / All Programs / Microsoft Windows AIK / right-click "Windows PE Tools Command Prompt," choose Run as Administrator and click "Continue" at the UAC prompt). Then type
expand -F:* c:\updates\*.msu c:\updates\unpack
(Note that the -F is case-sensitive.) There's always an extra useless .MSU file named wsusscan.cab, so delete that:
Mount the Vista Image
SP1.wim's got to be mounted in order for pkgmgr to apply patches to it, so do that next from your Windows PE Tools Command Prompt:
ImageX /mountrw c:\images\sp1.wim 1 c:\mount
Remember, we've got to use /mountrw rather than /mount if we want to change an image.
Apply the Package
Time to put pkgmgr to work with the first update, the one from KB 950760. From the same command prompt, type (it's all one line but I broke it halfway through for to make it a bit more readable):
start /w pkgmgr /ip /m:"C:\updates\unpack\Windows6.0-KB950760-x86.cab" /o:"c:\mount;c:\mount\windows" /s:"c:\sandbox" /l:pklog
That command will require a bit of explanation, so let's pause here and see what you just typed. First of all, notice that I prefixed the pkgmgr command with "start /w." I did that because if you just type the "pkmgr /ip..." command, then Vista returns a command prompt immediately, even though pkgmgr hasn't finished its work -- so it's hard to know when it's done. Adding "start /w" tells Windows not to return the command prompt until the process -- pkgmgr, in this case -- is done. (If you're using 2008 Server Core, then this may sound familiar -- you need to do the same thing with Server Core's ocsetup program.) Also, once you've installed WAIK 1.1 on a Vista SP1 system, you'll find yourself with a number of pkgmgr.exe programs, but don't worry about that, as I've run these tests repeatedly using the different versions of pkgmgr on a WAIK-equipped Vista SP1 system and changing pkmgrs doesn't seem to make a difference.
I then invoke pkgmgr with five options:
That'll all take a minute or two. When that's done, it's time to...
Unmount the Image
As we've done before in newsletter #59, we unmount sp1.wim with another ImageX command:
ImageX /unmount /commit c:\mount
Don't forget the "/commit," or all of your work will be undone.
Test the Image
Pkgmgr's a pretty fragile tool in my experience and so it's easy for it to damage a WIM. (For example, do not yet try to add a second update -- I'll show you the trick in a moment.) Unfortunately when pkmgr blows up a WIM, you don't get any obvious error messages, you just get an image that doesn't know what updates it has installed on it any more, and that can't accept new updates. The quickest way that I've found to validate an image is to point Windows System Image Manager (WSIM, newsletter #60) to the WIM file and ask it to catalog that image. If WSIM crashes, then pkgmgr's munged your image! Test the image like so:
Here's an example of what that WSIM screen might look like. Once I figured out how to install more than one update, I found found 14 post-SP1 updates -- eight security patches and six non-security updates. Once cataloged, the image looks in WSIM like the following figure:
If you've counted 16 updates between the "SecurityUpdate" and "Update" folders and are wondering where the other two came from, the answer's simple -- Vista SP1 comes with three non-security updates pre-installed. One of the new updates that I installed is an update to an update -- KB 938371 -- which is why there are 16 rather than 17 updates visible.
Using pkgmgr is just as simple as that... so long as you're only applying one update. Add a second, third or whatever, and at that point you can kiss the image goodbye unless, of course, you know the trick.
Adding More Than One Update
The trick is amazingly simple (even if it did take me some time to figure it out): between pkmgr invocations, delete all files in the sandbox folder. Despite the fact that pkgmgr populates the sandbox folder and then uses the files in it, pkgmgr's author didn't take the time to check that the files it was using were the ones that it just unpacked from the .CAB file.
For those looking for the "short version" of how to apply multiple MSU updates to a Vista SP1 or Server 2008 WIM, here it is:
Of course, you could do this by hand, or we could cook up a short batch file like this one:
@echo off set patchdir=c:\patchdir set updatedir=c:\updates REM applies multiple patches to an image, using pkgmgr REM INPUTS: takes the name of a WIM file as in-line input, like REM applypatches e:mytest.wim REM OUTPUTS: modified WIM file REM REQUIRES: REM Before running this, all desired patches must be in .MSU format REM in a folder named %updatedir% (unless you put them somewhere else REM and change the value of the line "set updatedir=" at the top of the REM batch file. REM SIDE-EFFECTS: nausea, giddiness, water retention... oops, sorry, I meant: REM deletes any existing folders "c:\patchdir" and anything inside of it REM unless you modify the value of the line "set patchdir=" at the top of REM the batch file. REM creates: REM %patchdir%\unpack: unpacked CABs from the MSUs REM %patchdir%\mount: used to mount the image file REM %patchdir%\sandbox: where pkgmgr expands CABs to (its "sandbox") REM %patchdir%\logs: contains pkgmgr's log files REM REM Check that (1) user specified a WIM file and (2) it exists if "%1"=="" ( echo ERROR: echo This batch file needs the name of an image file as input, like echo applypatches c:\images\sp1.wim goto badend ) if not exist %1 ( echo ERROR: echo couldn't find the file "%1" goto badend ) REM REM Check that there's at least one update if not exist %updatedir%\*.msu ( echo ERROR: echo This needs at least one patch file --something with an "MSU" extension -- echo in a folder named %updatedir%. Please add at least one patch to the echo %updatedir% folder. goto badend ) REM REM specify directory to store temporary files REM delete existing patchtemp folder rd /s /q %patchdir% 2>NUL REM create new ones md %patchdir% md %patchdir%\unpack md %patchdir%\mount md %patchdir%\sandbox md %patchdir%\logs set imagename=%1 rem unpack updates from %updatedir% to %patchdir%\unpack expand -F:* %updatedir%\*.msu %patchdir%\unpack del %patchdir%\unpack\wsusscan.cab imagex /mountrw %imagename% 1 %patchdir%\mount rem and now, run each update for %%f in (%patchdir%\unpack\*.cab) do ( echo applying patch %%f... start /w pkgmgr /ip /m:%%f /o:"%patchdir%\mount;%patchdir%\mount\windows" /s:"%patchdir%\sandbox" /l:%patchdir%\logs\pklog rd /s /q %patchdir%\sandbox md %patchdir%\sandbox ) imagex /unmount /commit %patchdir%\mount echo Applypatch operations on %1 apparently complete. echo. echo To verify that the patches applied properly, do two things. echo. echo First, open %patchdir%\logs\pklog.txt with Notepad and look at the last line echo -- look for "Pkgmgr: return code: 0x0." If the value is not 0x0, then echo convert the number from hex (use Calculator) and type "net helpmsg nnn," where echo "nnn" is the decimal value of the echo return code. That may provide clues to echo why something failed, if it did. echo. echo Second, use Windows System Image Manager to open the newly-patched WIM. Let echo WSIM create a new catalog file. If WSIM doesn't crash when creating the echo catalog file, then the WIM is still internally consistent. goto realend :badend echo Patches not applied. :realend
To use it, just copy the text to the clipboard, open up Notepad, paste the text, and save it as a file named "applypatches.cmd" somewhere on your system's path -- c:\windows is fine, for example. I didn't think that you'd want to mess up your system with a lot of junk folders at the root of the drive, and so I've replaced c:\mount, c:\sandbox, and c:\updates\unpack with c:\patchdir\mount, c:\patchdir\sandbox, and c:\patchdir\unpack and placed the logs in c:\patchdir\logs. Put the MSU files into a folder called c:\updates, as before, and invoke the batch file with just the name of the WIM file, as in
Expect a lot of output from the expanded patches, and then just an "applying patch..." message for each patch as it's being applied.
If you want to give c:\patchdir or c:\updates a different name or put it on another drive letter then just edit applypatches.cmd and change one or both of these lines, which appear at the top of the file, resave the file and then run applypatches.cmd:
set patchdir=c:\patchdir set updatedir=c\updates
I've tried this on Vista SP1 and Server 2008 images on virtual and physical machines, but I of course cannot guarantee how it'll work on your system. I hope this saves someone a bunch of time!
Besides my public classes, I'm presenting at
Bring Mark to Your Site to Teach
I'm keeping busy doing Vista seminars and writing, but I've still got time to visit your firm. In just two days, I'll make your current NT techies into 2008, Vista, security, XP, Active Directory or 2003 experts. (And better yet they won't have to sit through any Redmondian propaganda.) To join the large educational, pharmaceutical, agricultural, aerospace, utility, banking, government, telecommunication, law enforcement, publishing, transportation, military and other organizations that I've assisted, either take a peek at the course outlines at www.minasi.com/presentations.htm, mail our assistant Jean Snead at Assistant@Minasi.com, or call her at (757) 426-1431 (only between noon-5 Eastern time, weekdays, please).
Special European Discount for On-Site Clients!
Well, sort of,. Since the dollar's currently so weak against the euro, why not hire me now, before things change?<g>
Until Next Month...
Have a quiet and safe month.
Please share this newsletter; I hope that it is a useful source of Windows technical information. Please forward it to any associates who might find it helpful, and accept my thanks. We are now at over 45,000 subscribers and I hope to use this to get information to every one of my readers. Many, many thanks to the readers who have mailed me to offer suggestions, errata, and those kind reviews. As always, I'm at http://www.minasi.com/gethelp and please join us at the Forum with technical questions at www.minasi.com/forum. Thanks for letting me visit with you, and take care.
To Subscribe/Unsubscribe, Read Old Newsletters or Change Your Email Address
To subscribe, visit http://www.minasi.com/nwsreg.htm. To change e-mail or other info, link to http://www.minasi.com/edit-newsletter-record.htm. To unsubscribe, link to http://www.minasi.com/unsubs.htm. Visit the Archives at http://www.minasi.com/archive.htm. Please do not reply to this mail; for comments, please link to http://www.minasi.com/gethelp.
All contents copyright 2008 Mark Minasi. You are encouraged to quote this material, SO LONG as you include this entire document; thanks.