question

WilliK-4039 avatar image
0 Votes"
WilliK-4039 asked Sean-Liming commented

May unexpected power losses causes UWF to fail?

Hello,

we use UWF in one of our cumster's systems (Windows 10 IoT Enterprise 2019 LTSC), and told them that they may use Sean Liming's "UWFUtility" to configure UWF since Windows 10 does not provide the nice GUI tools known from Windows Embedded Standard 7 or the MMC-Plugin from Windows 8.1 "Embedded".

After some months of operation our customer claims that the "UWFUtility terminates with an execption" immediately when started. Analysis has shown that:

  • As per stack trace from event viewer, it seems that the tools seems to attempt some kind of enumeration

  • Checking the WMI Provider shows that there is no instance for the "UWF_Filter" class any more (compared against a new system where UWF works)

  • Even the uwfmgr utility reject command like "uwfmgr get-config" with error "Access denied"

My assumption is that the UWF configuration has became damaged in some way. It is known that the customer does not shutdown the system before power interruption. Use of UWF - among others - is based on the supposition that it should protect the file system even in case of unexpected power losses. Now I have some doubts if this is really true...

Are there any known issues regarding UWF and unexpected power losses? Or do you have any ideas how the UWF configuration may became damaged, or what else could happen that UWF does not work any more?

Have much thanks in advance.

Yours Willi K.

windows-10-generalwindows-iot-10core
· 2
5 |1600 characters needed characters left characters exceeded

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

Minor corrections: The initial problem was that I had no knowledge about the Administrators, but "uwfmgr get-config" usually works without priviledge elevation. I've got the password and things become strange now:

  1. After launching cmd as administrator call of "uwfmgr get-config" and it seems that everything so OK so far

  2. Disbled UWF using uwfmgr, rebootet the machine, enabled UWF using uwfmgr and rebootet again

  3. The problem when launching the UWFUtility has disappeared and it starts as usual (BTW: UWFUtility requires elevation of priviledges)

  4. However - "uwfmgr get-config" without elevated priviledges still returns "The command failed: (Access is denied)" (which usually works on a cleanly installed system)

  5. The instance for the "UWF_Filter" WMI class is still missing (a cleanly installed system usually has one instance of this class)

Unfortunately, I'm not very familiar with WMI, but it seems that some is wrong with the WMI Interface of the UWF provider, or some kind of permission problem (is that possible).
Do you have any idea what's going wrong here?



0 Votes 0 ·

UWFUtulity.exe and uwfmgr.exe require elevated privileges to run.

0 Votes 0 ·
LimitlessTechnology-2700 avatar image
1 Vote"
LimitlessTechnology-2700 answered

Hello @WilliK-4039

Indeed seems some sort of corruption. I would recommend:

  1. repair Windows image:
    https://docs.microsoft.com/en-us/windows-hardware/manufacture/desktop/repair-a-windows-image


  2. Rebuid WMI repository
    https://techcommunity.microsoft.com/t5/ask-the-performance-team/wmi-rebuilding-the-wmi-repository/ba-p/373846

  3. Reset UWF:
    run> uwfmgr filter disable

Reboot system

then Run> uwfmgr filter reset-settings

Then enable UFW again and set it up.

Hope this helps in your case!,
Best regards,

5 |1600 characters needed characters left characters exceeded

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

WilliK-4039 avatar image
0 Votes"
WilliK-4039 answered WilliK-4039 commented

Hello LimitlessTechnology-2700,

thanks for your quick reply. As already stated, I had some luck in getting the UWFUtility working again. Not the big problem yet, but I need to go on to figure out how to fix the problem with the missing WMI instances (I'll try your sugeestions regarding that later).

Do other question the customer is requesting an answer for: How can this happen. I you have an idea, don't hesitate to tell us what you mean ;-)
However, thanks for your inputs.

I will post my experience here once I've found out what's going on here.

Yours Willy K.

· 4
5 |1600 characters needed characters left characters exceeded

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

I would think that any time you have multiple power outages on a PC, you run the risk of something bad happening to the file system. Have you run a chkdsk? Is the file system ok?

For WMI you can run "winmgmt /verifyrepository" to see if that shows anything. The mofcomp utility might be able to rebuild the WMI repository.

https://techcommunity.microsoft.com/t5/ask-the-performance-team/wmi-recompiling-wmi-mofs/ba-p/373848

I do not have any experience with UWF, but from a "normal" Windows troubleshooting perspective, removing and reinstalling the feature might be the best way to get a "fresh" install.

https://docs.microsoft.com/en-us/windows-hardware/customize/enterprise/uwf-turnonuwf

1 Vote 1 ·

thank you for replying back with your findings, it is actually very interesting.

Unfortunately, even I remember having seen something like this in the past, I never had the time needed to analyze and deep dive into some of this kind of exotic issues, as usually in my sector I need to prioritize customer solutions over root causes.

What I can suggest is the next article explaining everything about WMI Namespaces, which hope can provide more context to the security and permissions.

https://docs.microsoft.com/en-us/windows/win32/wmisdk/access-to-wmi-namespaces

Best regards,

0 Votes 0 ·
WilliK-4039 avatar image WilliK-4039 LimitlessTechnology-2700 ·

II already checked the permissions in the WinMgmt.msc MMC plugin but found no differences. I also found out that "uwfmgr get-config" does only work for "common users" as long as UWF is disabled. Once UWF is enabled, "common users" are not able to call "uwfmgr get-config" any more resp. get the "Access is denied" error message. It seems that is per design...

0 Votes 0 ·

The same applies to the avialability of the UWF_Filter class:

133497-grafik.png


0 Votes 0 ·
grafik.png (117.5 KiB)
WilliK-4039 avatar image
0 Votes"
WilliK-4039 answered

OK, after some more investigation it seems to be related to permissions (?). If I run "uwfmgr get-config" / check WMI providers using WMIExplorer as common user, I get "access denied" resp. the instance of UWF_Filter class is missing (this does not happen on a cleanly installed system). If I do the same as Administrator everything is fine (also the UWF_Filter class is available).

I compared the permissions through root\StandardCimv2\embedd using winmgmt.msc but they are the same. What kind of permissions may block here?

5 |1600 characters needed characters left characters exceeded

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

Sean-Liming avatar image
0 Votes"
Sean-Liming answered Sean-Liming commented

uwfmgr.exe and UWF WMI API (UWFUtility.exe) require elevated Administrative privileges. If you run UWFUtility.exe as Administrator or uwfmgr.exe in a elevated command window, do they run correctly?

· 4
5 |1600 characters needed characters left characters exceeded

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

Hi Sean,

it is known that the UWFUtility requires elevation, but comparison against a "good" system has shown that "uwfmgr.exe get-config" usually works without elevation - this doesn't work on the accefted system(s).
Even if UWFUtility is launched with elevated priviledges, it terminates immeditely (a small strack trace, that seems to show some kind of enumeration, is logged in the Application event log). I that is related to the fact that the instance of the UWF_Filter class is not available to "common" users. The workaround was to disable/enable UWF using uwmgr.exe with elevated priviledges, after that UWFUtility started as expected.

The root question is how this could happen. Bringing the system back to common operation is good, but not the only thing that customers expect (8D...). As stated above, it is common that users do not shutdown the O/S but simply turn the machine off/on believing that UWF should protect the file system anyhow. Chkdsk did not raise any problems in the file system, but maybe there is something outside the filesystem that may let UWF behave in that way.

0 Votes 0 ·

Ok. There still is a problem.

UWF + NTFS + power sensing circuitry in boot drive - these can mitigate disk corruption. There is a small chance that something can go wrong. Why the whole UWF name space is missing, is unusual. I wouldn't think this would have been a power off issue. Did a virus get in the system? Was a Windows updated applied to the system?

1 Vote 1 ·

I currently have no access to the affected system. I will check for viruses or updates when I have access again, but as far as I know the systems in field have no internet access and the possibility of viruses is quiet low. In addition to that I'll perform of sequence of power cuts w/o shutting down the O/S to see if I can reproduce the problem.

I'll will come back to this as soon as I got new findings.

0 Votes 0 ·
Show more comments
WilliK-4039 avatar image
0 Votes"
WilliK-4039 answered Sean-Liming commented

Hi all,

I'm still on investigating, but had to interrupt for some time due to illness. Unfortunately the number of complains have increased to around 5 in mean time, and we need to find out how to get rid of that problem.

The "power-cut-test" I have announced recently has also been performed in mean time, but after 50 power off/on sequences w/o shutting O/S down properly - as seen on customer's device - did not raise that problem (in meaning of UWFUtiliy was still working). We did this a second time where we UWF was enabled, but we were not able to reproduce the problem in that way.

There was an interesting insight during this tests: As already mentoined, we have seen lots of critical entries in the System event log that tell that the system has restarted w/o shutting down properly. During our tests such message were only produced when UWF was disabled (note: System.evtx is written to a non-protected partition). I already assumed that s/o at customer's site forgot to enable UWF, but know I'm in doubt since number of error reports of this kind increases. In looking forward that customers claim/assure they have UWF enabled, the new question is,if UWF has/may has become disabled w/o being instructed to to so (neither by uwfmgr nor UWFUtility). UWF also has an own eventlog, but I didn't know that before and therefore logs to protected volume - so I also can see that UWF was set to enabled, but no information when it has become disabled.

A second device has been returned to our site that still has the problem. Is there anything I can inspect that might help to find out what happened?

Regarding UWFUtility itself, here is what the Application EventLog has recoreded (translated):

Record # 1: Application error, EventId 1000 (Category: Application crash)
Application: UWFUtility.exe, Version: 2.0.0.0, Timestamp: 0x599a0c08
Name of faulting module: KERNELBASE.dll, Version: 10.0.17763.1728, Timestamp: 0x16e07148
Exception code: 0xe0434352
Error offset: 0x001226c2
ID of failing process: 0x7fc
Startup time of faulting application: 0x01d7941b7f472737
Path to faulting application: C:\Program Files\UWFUtility\UWFUtility.exe
Name of faulting module: C:\Windows\System32\KERNELBASE.dll

**Record #2: .Net Runtime, EventId 1026 (Category: None)
Application: UWFUtility.exe
Framework version: v4.0.30319
Description: The process has been terminated because of an unhandled exception.
Exception information: System.Management.ManagementException
at System.Management.ManagementException.ThrowWithExtendedInfo(System.Management.ManagementStatus)
at System.Management.ManagementObjectCollection+ManagementObjectEnumerator.MoveNext()
at UWFUtility.UWFUtility.UWFStatus()
at UWFUtility.UWFUtility..ctor()
at UWFUtility.Program.Main()

· 4
5 |1600 characters needed characters left characters exceeded

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

Is there error you seeing the result of the UWF_Filter name space missing?

0 Votes 0 ·

I'm have to re-check this on a system where UWF resp. UWFUtility is back to normal operation. For the moment the question in scope is why UWF seems to be disabled on the systems that have been returned.

0 Votes 0 ·

We are still waiting for the Administrator password so that we can check if it is possible to bring UWF back to normal operation by using the "uwfmgr" tool (this "workaround" worked in the last known cases).

This brought me to another question: The only (official) application-sided way I know to interact with UWF is the UWF WMI API, and the UWF_Filter class is responsible for enabling/disabling UWF. Since it seems that this class resp. the instance for that is missing, there is the question why we were able to disable/enable UWF via the uwfmgr tool. Is there antoher API except the UWF WMI Provider we should know about?

0 Votes 0 ·

Not to my knowledge. The issue that it is missing in the first place needs to be solved.

1 Vote 1 ·