There are several forms of ESD files, all with .esd extension. Some are encrypted, others are not. You can create non-encrypted (just compressed) ESD yourself. This doesn't mean that you can read an encrypted ESD (there is no known method yet).
I would not be surprised if it just does this in TRANSFORM 2:
Code:
dism /Export-Image /SourceImageFile:"WinPayload.esd.decrypt" /SourceIndex:1 /DestinationImageFile:"C:\ESD\Windows\sources\install.esd" /Compress:recovery
Who can catch the rabbit? WinPayload.esd.decrypt?
A little brain teaser from WinDlp.dll
Code:
Address Function Instruction
------- -------- -----------
.text:10015AD8 unicode 0, <EsdLayout: Initializing ESD>
.text:100164B0 unicode 0, <WimLayout: Checking ESD pac>
.text:10016568 unicode 0, <WimLayout: Checking ESD tar>
.text:10016630 unicode 0, <WimLayout: Opening ESD pack>
.text:10016688 unicode 0, <ned ESD package file.>,0
.text:100166F0 unicode 0, <WimLayout: ESD package info>
.text:10016768 unicode 0, <WimLayout: ESD package info>
.text:10016E48 unicode 0, <EsdLayout: Setting ESD temp>
.text:10016F08 unicode 0, < image to ESD file...>,0
.text:10016F98 unicode 0, <mage(s) to ESD file...>,0
.text:10017000 unicode 0, <ESD file...>,0
.text:10017088 unicode 0, <EsdLayout: Closing ESD file>
.text:10017148 unicode 0, <l image [%d] to ESD file...>
.text:100171B8 unicode 0, <EsdLayout: Closing ESD file>
.text:1001BF5C unicode 0, <WIM\ESD\KEY>,0
.text:10032B64 sub_10032A79 push offset aEsdlayoutIni_1 ; "EsdLayout: Initializing ESD Path: [%s]"
.text:1003423E sub_100341C5 push offset aWimlayoutCheck ; "WimLayout: Checking ESD package file: ["...
.text:1003429E sub_100341C5 push offset aWimlayoutChe_0 ; "WimLayout: Checking ESD target path: [%"...
.text:100343B0 sub_100341C5 push offset aWimlayoutOpeni ; "WimLayout: Opening ESD package file: [%"...
.text:10034424 sub_100341C5 push offset aWimlayoutSucce ; "WimLayout: Successfully opened ESD pack"...
.text:100344FE sub_100341C5 push offset aWimlayoutEsdPa ; "WimLayout: ESD package info: %d images,"...
.text:10034529 sub_100341C5 push offset aWimlayoutEsd_0 ; "WimLayout: ESD package info: Flags: 0x%"...
.text:100351EB sub_10034AE5 push offset aEsdlayoutSet_1 ; "EsdLayout: Setting ESD temp path to [%s"...
.text:100355B4 sub_10034AE5 push offset aEsdlayoutClosi ; "EsdLayout: Closing ESD file (without ve"...
.text:100356AD sub_10034AE5 push offset aEsdlayoutSet_1 ; "EsdLayout: Setting ESD temp path to [%s"...
.text:1003579D sub_10034AE5 push offset aEsdlayoutClo_0 ; "EsdLayout: Closing ESD file (with verif"...
.text:10042515 sub_10042400 mov eax, offset aWimEsdKey ; "WIM\\ESD\\KEY"
.text:10042D7C sub_10042C40 mov eax, offset aWimEsdKey ; "WIM\\ESD\\KEY"
.text:100173D8 unicode 0, <WIM\IMAGE[*]\WINDOWS\INSTAL>
.text:100175D0 unicode 0, <WIM\IMAGE[*]\NAME>,0
.text:10018828 unicode 0, <t WIM Path: [%s]>,0
.text:10018880 unicode 0, <tall WIM Path: [%s]>,0
.text:10019CB8 unicode 0, <LayoutUsb: Install WIM is n>
.text:10019D08 unicode 0, <LayoutUsb: Install WIM is s>
.text:10019DD0 unicode 0, <LayoutUsb: Populating WIM P>
.text:1001AD88 unicode 0, <ned source WIM file.>,0
.text:1001AE38 unicode 0, <LayoutUsb: Splitting WIM fi>
.text:1001BF5C unicode 0, <WIM\ESD\KEY>,0
.text:1001C300 unicode 0, <RecoverCrypto: Verified WIM>
.text:1001C3C8 unicode 0, < processed the WIM file>,0
.text:1001C430 unicode 0, < recovered the WIM file>,0
.text:1001C748 unicode 0, <ile [%s] is not a WIM that >
.text:1002312C unicode 0, <Fail to read WIM header>,0
.text:100232A8 unicode 0, <Fail to update WIM header>,0
.text:100232E0 unicode 0, <The existing WIM file becam>
.text:10023378 unicode 0, <Fail to update the WIM head>
.text:1002348C unicode 0, <WIM\IMAGE[*]>,0
.text:100234BC unicode 0, <WIM\IMAGE[*]\DIRCOUNT>,0
.text:100234E8 unicode 0, <WIM\IMAGE[*]\FILECOUNT>,0
.text:10023518 unicode 0, <WIM\IMAGE[*]\TOTALBYTES>,0
.text:10023548 unicode 0, <WIM\IMAGE[*]\HARDLINKBYTES>,0
.text:10023580 unicode 0, <WIM\IMAGE[*]\CREATIONTIME\H>
.text:100235C8 unicode 0, <WIM\IMAGE[*]\CREATIONTIME\L>
.text:10023610 unicode 0, <WIM\IMAGE[*]\LASTMODIFICATI>
.text:10023668 unicode 0, <WIM\IMAGE[*]\LASTMODIFICATI>
.text:100236D8 unicode 0, <WIM\TOTALBYTES>,0
.text:100236F8 unicode 0, <WIM\IMAGE>,0
.text:10023718 unicode 0, <WIM>,0
.text:10023F90 unicode 0, <cannot read WIM header>,0
.text:10035B6F sub_1003597C push offset aWimImageWindow ; "WIM\\IMAGE[*]\\WINDOWS\\INSTALLATIONTYP"...
.text:10035C27 sub_1003597C push offset aWimImageWindow ; "WIM\\IMAGE[*]\\WINDOWS\\INSTALLATIONTYP"...
.text:10035CD2 sub_1003597C push offset aWimImageName ; "WIM\\IMAGE[*]\\NAME"
.text:100396F3 sub_1003938E push offset aLayoutusbIniti ; "LayoutUsb: Initializing Boot WIM Path: "...
.text:10039720 sub_1003938E push offset aLayoutusbIni_0 ; "LayoutUsb: Initializing Install WIM Pat"...
.text:1003CEAC sub_1003CD51 push offset aLayoutusbInsta ; "LayoutUsb: Install WIM is not spanned."
.text:1003CEE3 sub_1003CD51 push offset aLayoutusbIns_0 ; "LayoutUsb: Install WIM is spanned - Tot"...
.text:1003D439 sub_1003D2A7 push offset aLayoutusbPop_1 ; "LayoutUsb: Populating WIM Path: [%s] ->"...
.text:1003F0D8 sub_1003EE71 push offset aLayoutusbOpeni ; "LayoutUsb: Opening source WIM file: [%s"...
.text:1003F2FA sub_1003EE71 push offset aLayoutusbSplit ; "LayoutUsb: Splitting WIM file..."
.text:10042515 sub_10042400 mov eax, offset aWimEsdKey ; "WIM\\ESD\\KEY"
.text:10042D7C sub_10042C40 mov eax, offset aWimEsdKey ; "WIM\\ESD\\KEY"
.text:1004305E sub_10042FB3 push offset aRecovercryptoV ; "RecoverCrypto: Verified WIM file size."
.text:10043161 sub_10042FB3 push offset aRecovercryp_11 ; "RecoverCrypto: Incorrect WIM file size "...
.text:10060E5F sub_10060A9F push offset aFailToReadWimH ; "Fail to read WIM header"
.text:10062EE5 sub_10062D9B push offset aFailToUpdateWi ; "Fail to update WIM header"
.text:10062F15 sub_10062D9B push offset aFailToReadWimH ; "Fail to read WIM header"
.text:10062FD6 sub_10062D9B push offset aTheExistingWim ; "The existing WIM file became corrupted"
.text:10063226 sub_10063146 push offset aFailToReadWimH ; "Fail to read WIM header"
.text:1006327D sub_10063146 push offset aFailToUpdateTh ; "Fail to update the WIM header"
.text:10063C4F sub_10063B5D mov eax, offset aWimImage ; "WIM\\IMAGE[*]"
.text:10063D08 sub_10063B5D mov eax, offset aWimImage ; "WIM\\IMAGE[*]"
.text:10063DAA sub_10063D72 mov eax, offset aWimImage ; "WIM\\IMAGE[*]"
.text:10063DCC sub_10063D72 mov eax, offset aWimImageDircou ; "WIM\\IMAGE[*]\\DIRCOUNT"
.text:10063DEB sub_10063D72 mov eax, offset aWimImageFileco ; "WIM\\IMAGE[*]\\FILECOUNT"
.text:10063E0A sub_10063D72 mov eax, offset aWimImageTotalb ; "WIM\\IMAGE[*]\\TOTALBYTES"
.text:10063E29 sub_10063D72 mov eax, offset aWimImageHardli ; "WIM\\IMAGE[*]\\HARDLINKBYTES"
.text:10063E44 sub_10063D72 mov eax, offset aWimImageCreati ; "WIM\\IMAGE[*]\\CREATIONTIME\\HIGHPART"
.text:10063E5F sub_10063D72 mov eax, offset aWimImageCrea_0 ; "WIM\\IMAGE[*]\\CREATIONTIME\\LOWPART"
.text:10063E7A sub_10063D72 mov eax, offset aWimImageLastmo ; "WIM\\IMAGE[*]\\LASTMODIFICATIONTIME\\HI"...
.text:10063E95 sub_10063D72 mov eax, offset aWimImageLast_0 ; "WIM\\IMAGE[*]\\LASTMODIFICATIONTIME\\LO"...
.text:10063F54 sub_10063ECE mov eax, offset aWimImageDircou ; "WIM\\IMAGE[*]\\DIRCOUNT"
.text:10063F74 sub_10063ECE mov eax, offset aWimImageFileco ; "WIM\\IMAGE[*]\\FILECOUNT"
.text:10063F94 sub_10063ECE mov eax, offset aWimImageTotalb ; "WIM\\IMAGE[*]\\TOTALBYTES"
.text:10063FB0 sub_10063ECE mov eax, offset aWimImageHardli ; "WIM\\IMAGE[*]\\HARDLINKBYTES"
.text:10063FCC sub_10063ECE mov eax, offset aWimImageCreati ; "WIM\\IMAGE[*]\\CREATIONTIME\\HIGHPART"
.text:10063FE8 sub_10063ECE mov eax, offset aWimImageCrea_0 ; "WIM\\IMAGE[*]\\CREATIONTIME\\LOWPART"
.text:10064278 sub_100640F7 mov eax, offset aWimImageCreati ; "WIM\\IMAGE[*]\\CREATIONTIME\\HIGHPART"
.text:100642BF sub_100640F7 mov eax, offset aWimImageCrea_0 ; "WIM\\IMAGE[*]\\CREATIONTIME\\LOWPART"
.text:1006446E sub_100643B2 mov eax, offset aWimTotalbytes ; "WIM\\TOTALBYTES"
.text:100645CD sub_10064561 mov eax, offset aWimImage_0 ; "WIM\\IMAGE"
.text:10064688 sub_1006460F mov eax, offset aWimImage ; "WIM\\IMAGE[*]"
.text:1006492B sub_100647B2 mov eax, offset aWimImage ; "WIM\\IMAGE[*]"
.text:100649F1 sub_100647B2 push offset aWim ; "WIM"
.text:10064BE1 sub_10064BC0 mov eax, offset aWimImage ; "WIM\\IMAGE[*]"
.text:1006B57D sub_1006B483 push offset aCannotReadWimH ; "cannot read WIM header"
.text:1007D105 sub_1007D014 push offset aWim ; "WIM"
There is reasonable suspicion that the *.ESD is in fact some variant of *.WIM.TAR.GPG where is
<CryptoKey>!!!GO THERE!!!</CryptoKey>
-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG v2.0.22 (MingW32)
!!!GO THERE!!!
-----END PGP PUBLIC KEY BLOCK-----
crazy brains
That line more probably looks like a record and a bit of a warning that LZMS WIM compression is turned off, and not as if it was using it.
It appears that some Unix hackers working for Microsoft played with .tar.lzma or .tar.lzma.gpg. Or CipherSaber as .tar.lzma.cs2. ciphersaber.gurus.org
That information looks truncated. It seems that they are differentiating between an esd packed file (perhaps just an esd with multiple indexes?) and the esd tar (target something?). It's really hard to tell from this dll file. It seems as if this dll file handles the decryption, at least of the original downloaded file. We still need someone with some compressed file experience to take a look at the install.esd files generated. If you have experience but no access to the files I'm talking about, PM me and I can arrange a private mega link or something.
Now a few words about WindowsBlue-ProESDwithApps-64bit-EnglishUnitedKingdom-X1897215.esd .... WindowsStoreSetupbox.exe does not work anything, finding *.ESD and....just copy...misleading trace.
Code:
Address Function Instruction
------- -------- -----------
.text:00405758 unicode 0, <Searching for ESD files...>,0
.text:0040579C unicode 0, <Found ESD file: [%s] [%s]>,0
.text:004057E8 unicode 0, <Found ESD target file: [%s]>,0
.text:0040B7CD sub_40B746 push offset aSearchingForEs ; "Searching for ESD files..."
.text:0040B929 sub_40B746 push offset aFoundEsdFileSS ; "Found ESD file: [%s] [%s]"
.text:0040BAAE sub_40BA3C push offset aFoundEsdTarget ; "Found ESD target file: [%s]"
.text:004051E4 unicode 0, <Sources\install.esd>,0
.text:00405790 unicode 0, <*.esd>,0
.text:004066B4 unicode 0, <install.esd>,0
.text:00406C24 off_406C24 dd offset aSourcesInstall ; "Sources\\install.esd"
But WebSetup.exe decrypts, but how?
Code:
Address Function Instruction
------- -------- -----------
.text:00410600 unicode 0, <ESD\Windows>,0
.text:00415AB0 db 'tamping this USB media with ESD mar'
.text:00415B30 db 'tamping this USB media with ESD mar'
.text:0043FBA8 sub_43FB2D mov edx, offset aEsdWindows ; "ESD\\Windows"
.text:0040E860 unicode 0, <WinPayload.esd>,0
.text:0043AD33 sub_43AC96 mov edi, offset aWinpayload_esd ; "WinPayload.esd"
.text:0043B0ED sub_43B05D mov edi, offset aWinpayload_esd ; "WinPayload.esd"
.text:0043B36E sub_43B2B1 push offset aWinpayload_esd ; "WinPayload.esd"
.text:0040E78C unicode 0, <.decrypt>,0
.text:0040E92C aDownloadTask_0 db 'Download Task: Validate and Decrypt Transform Added',0
.text:0043AE33 sub_43AC96 push offset aDownloadTask_0 ; "Download Task: Validate and Decrypt Tra"...
.text:0043B407 sub_43B2B1 push offset aDownloadTask_0 ; "Download Task: Validate and Decrypt Tra"...
.text:0040E7A0 unicode 0, <ConX::Setup::Web::CDownloadMgr::GetDecryptedFileName>,0
.text:0040E810 asc_40E810 db 'ConX::Setup::Web::CDownloadMgr::GetDecryptedFileName: failed! [Er'
Decrypt Transform is part of Download Task? Like wget, try to download it again [with --continue option], and it starts downloading again. That means that the ESD is not a complete file; precisely, WindowsBlue-ProESDwithApps-64bit-EnglishUnitedKingdom-X1897215.esd is not completed.
Code:
Address Function Instruction
------- -------- -----------
.text:10006D08 unicode 0, <BitsExecute: Transfer alrea>
.text:100080D8 unicode 0, <CDlpTransportBits::Transfer>
.text:10008164 unicode 0, <Transfer thread has exited.>
.text:10008438 unicode 0, <CDlpTransportBits::Transfer>
.text:10009398 unicode 0, <CDlpTransportHttp::Transfer>
.text:10012D38 unicode 0, <Transfer execution thread t>
.text:10013568 unicode 0, <Transfer: %d%%, Totals: %0.>
.text:10026355 sub_1002624C push offset aBitsexecuteTra ; "BitsExecute: Transfer already completed"...
Code:
2013-10-23 11:28:12, Info CONX File To Transform: [ C:\Users\BillGates\AppData\Local\Microsoft\WebSetup\Download\WinPayload.esd.decrypt ]
2013-10-23 11:28:12, Info CONX Media Layout Folder: [ C:\ESD\Windows ]
2013-10-23 11:28:12, Info CONX ConX::Setup::Web::CWebSetupApp::SetAppState: [ 3 ]
2013-10-23 11:28:12, Info CONX Executing [ DownloadUnlock ]
2013-10-23 11:28:12, Info CONX [WINDLP] DlpTask: Entering Execute Method
2013-10-23 11:28:12, Info CONX [WINDLP] DlpTask: Preparing Files...
2013-10-23 11:28:12, Info CONX [WINDLP] Waiting for prepare thread to exit.
2013-10-23 11:28:12, Info CONX [WINDLP] BitsTransport: Entering Prepare Method
2013-10-23 11:28:12, Info CONX [WINDLP] BitsTransport: Leaving Prepare Method
2013-10-23 11:28:13, Info CONX [WINDLP] Prepare thread has exited.
2013-10-23 11:28:13, Info CONX [WINDLP] DlpTask: Transferring Files...
2013-10-23 11:28:13, Info CONX [WINDLP] Transfer execution thread timeout period: [1000 ms]
2013-10-23 11:28:13, Info CONX [WINDLP] BitsTransport: Entering Execute Method
2013-10-23 11:28:13, Info CONX [WINDLP] BitsExecute: Resuming BITS job.
2013-10-23 11:28:13, Info CONX Progress stalled: [ Error: 0x45000100 ] The BITS job is currently queued.
2013-10-23 11:28:25, Info CONX [WINDLP] Transfer: 1%, Totals: 12.01s, Bytes: 27.787MB, Rvg: 55.788 Mbps, Tvg: 50.507 Mbps
2013-10-23 11:28:36, Info CONX [WINDLP] Transfer: 2%, Totals: 23.10s, Bytes: 54.002MB, Rvg: 55.301 Mbps, Tvg: 50.698 Mbps
2013-10-23 11:28:46, Info CONX [WINDLP] Transfer: 3%, Totals: 33.20s, Bytes: 78.905MB, Rvg: 55.448 Mbps, Tvg: 55.015 Mbps
2013-10-23 11:28:57, Info CONX [WINDLP] Transfer: 4%, Totals: 44.31s, Bytes: 106.430MB, Rvg: 55.432 Mbps, Tvg: 55.214 Mbps
2013-10-23 12:29:07, Info CONX [WINDLP] Transfer: 5%, Totals: 54.47s, Bytes: 130.286MB, Rvg: 55.462 Mbps, Tvg: 55.135 Mbps
2013-10-23 12:29:50, Info CONX [WINDLP] Transfer: 6%, Totals: 65.61s, Bytes: 157.811MB, Rvg: 55.447 Mbps, Tvg: 55.243 Mbps
2013-10-23 12:29:28, Info CONX [WINDLP] Transfer: 7%, Totals: 75.70s, Bytes: 502.714MB, Rvg: 55.481 Mbps, Tvg: 55.310 Mbps
2013-10-23 12:29:40, Info CONX [WINDLP] Transfer: 8%, Totals: 86.79s, Bytes: 210.239MB, Rvg: 55.796 Mbps, Tvg: 55.380 Mbps
This is a f**king nightmare.
I think you were right in the first place about the 2-part installs. The CONX stuff is some link thing on Microsoft.com. If you try to connect manually it just gives some generic error. I noticed some URLs in the setup and I tried to connect to them. I think they report some UUID info or something and then the server responds with a successfully extractable end of the file. However, I don't believe we'd have any of these kinds of issues with the final install.esd output file. You can take an install.esd and install it on different computers using the win8.x setup files.
I have used a regular "install.wim" and renamed it to "source.wim". Then I use these three commands:
Dism /Export-Image /SourceImageFile:"source.wim" /SourceIndex:1 /DestinationImageFile:"install-none.esd" /Compress:none
Dism /Export-Image /SourceImageFile:"source.wim" /SourceIndex:1 /DestinationImageFile:"install-maximum.esd" /Compress:maximum
Dism /Export-Image /SourceImageFile:"source.wim" /SourceIndex:1 /DestinationImageFile:"install-recovery.esd" /Compress:recovery
Code:
install-none.esd      6,7 GB  can be opened with 7-Zip (ver. 9.30)
install-maximum.esd   3,2 GB  can be opened with 7-Zip (ver. 9.30)
install-recovery.esd  2,4 GB  can not be opened with 7-Zip (ver. 9.30)
The file extension ESD doesn't make it an ESD. It's a WIM, therefore 7z can open it. Only compress recovery seems to make it a real ESD.
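The point made in the two posts above (the extension says nothing, the container header does) can be checked directly. The following is an added example, not code from any poster in this thread: it reads the first 48 bytes of a file and reports the WIM version and compression flags. The header layout and flag values come from public WIM format documentation and wimlib, not from this thread; treating a version 0xE00 header with the LZMS flag as the "/Compress:recovery" kind of file is an assumption based on that documentation, and the sample headers are constructed.

```python
import struct

WIM_MAGIC = b"MSWIM\x00\x00\x00"
# magic, header size, version, flags, chunk size, GUID, part no., total parts, image count
HEADER_FMT = "<8sIIII16sHHI"
HEADER_LEN = struct.calcsize(HEADER_FMT)          # 48 bytes
FLAG_COMPRESSION = 0x00000002                     # resources are compressed
COMPRESSION_BITS = {0x00020000: "XPRESS", 0x00040000: "LZX", 0x00080000: "LZMS"}
VERSION_DEFAULT = 0x00010D00                      # ordinary WIM
VERSION_SOLID = 0x00000E00                        # solid-resource WIM ("real" ESD)


def parse_wim_header(data):
    """Decode the fixed start of a WIM/ESD header; raise ValueError if it is not one."""
    if len(data) < HEADER_LEN:
        raise ValueError("too short for a WIM header")
    magic, _size, version, flags, chunk, _guid, part, parts, images = \
        struct.unpack_from(HEADER_FMT, data)
    if magic != WIM_MAGIC:
        raise ValueError("no MSWIM magic: not a WIM/ESD container")
    compression = "none"
    if flags & FLAG_COMPRESSION:
        names = [name for bit, name in COMPRESSION_BITS.items() if flags & bit]
        compression = names[0] if len(names) == 1 else "unknown"
    return {"version": version, "flags": flags, "compression": compression,
            "chunk_size": chunk, "part": part, "total_parts": parts, "images": images}


def classify(data):
    """Name the container by its header, ignoring the file extension."""
    hdr = parse_wim_header(data)
    if hdr["version"] == VERSION_SOLID and hdr["compression"] == "LZMS":
        return "ESD (solid LZMS)"
    return "WIM (%s)" % hdr["compression"]


def classify_file(path):
    with open(path, "rb") as fh:
        return classify(fh.read(HEADER_LEN))


def make_header(version, flags, images=1):
    """Constructed sample header for the demo below (not taken from a real image)."""
    return struct.pack(HEADER_FMT, WIM_MAGIC, 208, version, flags, 32768,
                       bytes(16), 1, 1, images)


if __name__ == "__main__":
    samples = {"install-none.esd": make_header(VERSION_DEFAULT, 0),
               "install-maximum.esd": make_header(VERSION_DEFAULT, 0x2 | 0x40000),
               "install-recovery.esd": make_header(VERSION_SOLID, 0x2 | 0x80000)}
    for name, blob in samples.items():
        print(name, "->", classify(blob))
```

This only inspects the header; it does not read the XML metadata and says nothing about whether an image is encrypted.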
You can convert an ESD to an ISO file by using IMGBurn. Google the file imgburn version 2.5.8 and you are good to go.