Hello!
O mighty habramen and most beautiful habrawomen! Your humble servant noticed that the surah about the brilliant Windows Embedded has not yet been recorded in the book of Habr's wisdom. Allow me, unworthy as I am, to tell you one instructive story about how a particularly bulletproof Windows® ™ was built and deployed at the facilities of a Russian railway corporation.
How we came to such a life
So, one morning a messenger from the programmers arrived at our modest abode of System Software with terrible and sad news. Verily I tell you: the programmers, out on a business trip, could not update the software at the workplace, because it had become overgrown with Shaitan and populated with viruses, Trojans, porn and Counter-Strike (the users, of course, had nothing to do with it).
The software in question is the automated workstation (AWP) of a signalling electrician, written in VC++ 6 + MFC + WinAPI.
Our wisest caliph, having learned of such indecency, convened a divan. And thus spoke the court sages and astrologers:
No antivirus had been installed because the stations have no Internet access (the stations are scattered across the whole surface of Russia, and travelling around with an offline update database is not really an option). Some stations do have intranet access, where a corporate antivirus is available, but firstly, not all of them, and secondly, the antivirus there is the chthonic Symantec, old and kind.
After some deliberation it was decided to replace the desktop Windows with something more durable and reliable, yet still win32-compatible. Out of the whole mass of suitable platforms Windows XP Embedded was chosen, since some developments already existed for it and, in general, such a system is really cool.
Windows XP Embedded is a componentised embedded operating system based on Windows XP Professional Edition, designed for use in various embedded systems: industrial automation, ATMs, medical devices, cash registers, gaming machines, VoIP components, etc. Windows XP Embedded includes additional embedded-specific features, among them write-protection filters (EWF and FBWF), booting from flash memory, CD-ROM or the network, use of a custom system shell, etc.
Currently known as Windows Embedded Standard.
Windows on steroids
We figured out what could be done with the tools built into the Windows Embedded IDE:
- disable writes to disk
- restrict user rights
- prevent the user from launching anything other than the AWP
- close unused ports
- disable mounting of external USB drives
- exclude from the system any application and system software not required for the direct operation of the AWP (Media Player, Outlook Express, Paint, Explorer, etc.)
But all of that is boring and simple. The bosses were inspired by the idea of modular software ™, which consists in splitting the application software, the system software and the configuration into "modules": file-system image files that group software by function. Advantages of this approach:
- the software structure becomes more orderly
- a more convenient software versioning system (apologies for this wonderful term; nothing better came to mind)
- faster deployment / software updates: one large file is written faster than many small ones
- more system flexibility; for example, the system software (OS) can be mounted read-only without affecting the application programs.
There seem to be no obvious drawbacks; just implement it and rejoice, one would think. But what was simple and natural for QNX (the modular system was originally developed for our industrial computers) turned into a hellish migraine under Windows and looked like an attempt to cross a sea urchin with a crane. In the end it did get implemented, but first things first.
Trimming Windows
How each of the points was solved:
- to block writes to disk, we use EWF with the overlay mapped into RAM
Enhanced Write Filter is a driver that intercepts write accesses to the hard disk and buffers them, depending on the settings:
- in a specially hidden partition
- in RAM
No real write to the protected partition happens; it is performed only on explicit request (the so-called commit), for which the kindest Microsoft provides an API and the ready-made ewfmgr utility. When a dedicated partition is used for buffering, the data survives reboots; with buffering in RAM it does not.
- create an account from the pre-installed Windows "regular user" template and set it to autologon
- create a component of the Shell type (system shell) that launches the AWP as the system shell; exclude explorer.exe from the system. A particularly ingenious user can still browse the directory structure through the Save File dialog of one of the AWP windows, but:
- that is the programmers' problem (hehe)
- don't forget about the write filter and the limited account
- since I am not a big fan of the WSH dialect of VB, I used a batch file that drives netsh.exe firewall
- as for the extra components, I simply went about it the other way round: I created an XP Embedded project containing only vital components (i.e. components added automatically by hardware dependencies plus the infrastructure required for the AWP to run)
- disabling external USB drives was done by a barbaric method, namely: the USB mass storage driver and the Found New Hardware wizard were excluded from the system image, and the wizard was turned off for unknown PnP devices via a registry key
The problem of disabling PnP devices can be solved in several ways (there is also devcon), but this one attracted me by its global nature: along with USB drives, any other unauthorised peripheral is cut off, while it remains possible to replace the USB mouse / keyboard (since their driver is in the system and carries a digital signature, such drivers are installed automatically).
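As an added illustration (not the article's own script), a pre-logon lockdown batch file for the AWP image: it drives the XP SP2 "netsh firewall" context to leave only the AWP port open, puts the firewall log on an unprotected volume, and checks that the EWF overlay on C: is still enabled. The AWP port, the intranet range and the unprotected volume D: are assumed placeholders.

```batch
@echo off
rem Added example, not the article's own script: lockdown steps for the
rem XPe AWP image, run with administrator rights before logon (the article
rem runs such tasks via AutoExNt / cpau).  Placeholders assumed here:
rem   AWP_PORT - TCP port the AWP listens on
rem   INTRANET - address range of the corporate intranet
rem   D:       - an unprotected (non-EWF) volume that keeps logs across reboots
setlocal
set AWP_PORT=5000
set INTRANET=10.0.0.0/8
if not exist D:\logs mkdir D:\logs

rem --- 1. Firewall (XP SP2 "netsh firewall" context, pre-advfirewall) ---
rem Enable on all profiles; exceptions stay allowed, but only those added below.
netsh firewall set opmode mode=ENABLE exceptions=ENABLE profile=ALL
rem Remove the default service exceptions the image does not need.
netsh firewall set service type=FILEANDPRINT mode=DISABLE profile=ALL
netsh firewall set service type=UPNP mode=DISABLE profile=ALL
netsh firewall set service type=REMOTEDESKTOP mode=DISABLE profile=ALL
rem There is no Explorer shell to show balloon prompts, so silence them.
netsh firewall set notifications mode=DISABLE profile=ALL
rem The only inbound hole: the AWP port, reachable from the intranet only.
netsh firewall add portopening protocol=TCP port=%AWP_PORT% name="AWP" mode=ENABLE scope=CUSTOM addresses=%INTRANET% profile=ALL
rem Log dropped packets on D:; with the EWF overlay in RAM, anything
rem written to C: disappears at reboot.
netsh firewall set logging filelocation=D:\logs\pfirewall.log maxfilesize=4096 droppedpackets=ENABLE connections=DISABLE

rem --- 2. Write filter: make sure C: is still protected ---
rem "ewfmgr C:" prints the overlay type and state; refuse to continue if the
rem state is not ENABLED, i.e. someone switched the protection off.
ewfmgr C: | findstr /i /c:"State" | findstr /i "ENABLED" >nul
if errorlevel 1 (
    echo %DATE% %TIME% EWF not enabled on C:, lockdown aborted >> D:\logs\lockdown.log
    exit /b 1
)
echo %DATE% %TIME% lockdown applied >> D:\logs\lockdown.log
endlocal
exit /b 0
```

Because the firewall settings live in the registry on the protected volume, either run this at every boot or, after verifying the result once, persist it with ewfmgr C: -commit.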
Mounting images
The search for image-mounting software for Windows was long and painful. All I came across were RAM-drive implementations, which are certainly cool but not what was needed. I remembered that a utility for mounting vhd files ships with Windows Virtual Server, but how to add it to my WinXP, and whether that is even legal, I never found out. The project of the century had nearly covered itself with a copper basin, and I was wondering how to get away with the least blood and avoid writing my own driver, when suddenly Google turned up a link to the great filedisk. It fit all the requirements: it can mount images as logical disks (it cannot emulate removable media, but that was not required), it is implemented as a driver, which makes it easy to add to an XP Embedded project, and it ships with a console utility for managing the disks, which is needed in the start-up scripts. In short, a direct hit.
The driver is installed, but where do the images themselves come from? We take dd for Windows and create images of the required size from its virtual /dev/null. We attach them with filedisk, see logical disks without a file system, create NTFS on them and fill them with content.
On one of the images I placed the start-up scripts, which run after logon and apply some settings (IP address, screen resolution, etc., taken from a config file). Obviously, by the time of logon the images must already be mounted. And here I tried a whole bunch of options: schtasks, which allows running a task at logon (but somehow it did not always work); pushing the mount script into services with sc, whereupon the contents of the images were not visible to the user accounts under which the application software ran (as an option, the tasks could have been moved from scripts into a service, but for some reason scripting is dearer to me than that soulless C++). In the end I kludged it together: AutoExNt performs the mount before logon, and the system configuration tasks run as encrypted cpau tasks on behalf of the administrator (because autologon happens under a regular user's account). This was the first stably working option, and by that point debugging had worn me down so much that I spat on the ugliness of the method and left it as it is.
Additionally, I wrote a small, simple autorun utility, because the Explorer shell was excluded from the project, nobody was processing the Run keys in the registry, and someone had to start the programs at start-up.
With that, my torment with the Windows system software was basically over; time to think about how all this stuff would be installed on the target machine.
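As an added example (not the article's script), the pre-logon mount step described above: each module image is attached with filedisk, the system-software module read-only, and the script fails closed if an image is missing or the drive does not appear. The image paths, drive letters and log location are assumptions; the filedisk command syntax follows its readme (filedisk /mount <n> <file> [/ro] <drive:>).

```batch
@echo off
rem Added example, not the article's own script: mount the "module" images
rem with filedisk before logon (the article runs this from AutoExNt).
rem Assumed layout (placeholders):
rem   C:\modules\sys.img -> S:  system software, mounted read-only
rem   C:\modules\app.img -> A:  AWP application software
rem   C:\modules\cfg.img -> K:  configuration
rem   D:\logs\mount.log      log on an unprotected (non-EWF) volume
setlocal
set LOG=D:\logs\mount.log
if not exist D:\logs mkdir D:\logs

call :mount 0 C:\modules\sys.img S: /ro
if errorlevel 1 goto :fail
call :mount 1 C:\modules\app.img A:
if errorlevel 1 goto :fail
call :mount 2 C:\modules\cfg.img K:
if errorlevel 1 goto :fail
echo %DATE% %TIME% all modules mounted >> %LOG%
endlocal
exit /b 0

:fail
rem Without its modules the AWP must not start; the caller sees exit code 1.
echo %DATE% %TIME% module mount failed, AWP not started >> %LOG%
endlocal
exit /b 1

rem :mount <device number> <image> <drive:> [/ro]
:mount
if not exist "%2" (
    echo %DATE% %TIME% missing image %2 >> %LOG%
    exit /b 1
)
if "%4"=="/ro" (
    filedisk /mount %1 "%2" /ro %3
) else (
    filedisk /mount %1 "%2" %3
)
rem filedisk's exit code is not relied upon; the drive check is the real test.
if not exist %3\ (
    echo %DATE% %TIME% %3 not present after mounting %2 >> %LOG%
    exit /b 1
)
exit /b 0
```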
Deployment
Windows XP Embedded, unlike regular Windows XP, contains no tools for partitioning and formatting the disk. That is, an XPe installation consists of copying the project's directory structure to the root of a partition formatted as FAT32 / NTFS and marked active (the boot flag is set). The XPe package includes a WinPE disk that carries the utilities needed for partitioning, but the usage scenarios for this disk are rather vague (for example, it cannot be used as a recovery disk). Having praised such care for the user, I decided not to bother with Microsoft products for deploying XPe (there does seem to be a free Windows AIK, but after previous attempts to understand the licensing restrictions of Microsoft products it was decided to look for something on the side).
I decided to try my luck with GNU/Linux, because the ntfs-3g driver has been stable for quite a long time and works quite well (and, by the way, in rather unexpected places: Realtek, for one, uses it as the default file system for external drives in the SDK for their multimedia platforms). I took the Ubuntu LTS Live CD, stripped it of the logos and mentions of Ubuntu (because Canonical imposes such requirements for deep modification of the system) and began customising. The choice of distribution was down to personal preference.
The first version of the deployment environment was a bash script that talked to the user via zenity. Simple and tasteful. It was rejected as not divine enough in terms of UI.
The second version was written in Mono (C# is the corporate standard) and contained almost every GTK widget there is. The high commission noted that the UI was still not divine enough, but viable nonetheless.
The installation procedure itself consisted of calling external utilities: parted for partitioning, mkfs.ntfs from the ntfsprogs package (ntfstools) to create the file systems, and rsync to copy the data from the installation media.
Next: reboot, and on to the deployment of Windows Embedded proper.
Conclusion
Now Windows XP Embedded (Windows Embedded Standard 2009) is rapidly losing relevance (although support continues until 2015): it has been replaced by Windows Embedded 7, which is much, much, much more convenient than XPe, but my colleague, who works with it, has described his own experience (as best he could, hehe). I hope someone finds something useful in this collection of harmful tips.
In closing, a list of useful resources on Windows Embedded:
- first of all, of course, the thematic section on MSDN
- the Russian-language forum of the company "Quart", the official Windows Embedded supplier in Russia; probably the only major Russian-language resource on Windows Embedded
- there was also a great repository of user scripts and components, xpefiles.com, but something bad happened to it