Is there exhaustive documentation available somewhere about NT5.1/5.2 setup, or a good place to start creating such a doc collaboratively? I mean for all architectures (x86, amd64, ia64) and editions:

- setupp.ini (e.g. pid and extradata structures)
- dosnet.inf (e.g. list of all ProductType)
- layout.inf
- txtsetup.sif
- winnt32.exe
- directory structure i386, amd64, ia64
I'll try to explain all of my knowledge.

Setupp.ini

It decides the behaviour of setup. While I don't know many things about the ExtraData value, I know that it can change between full and upgrade CDs.

ExtraData=70656C7063627770737A9EA8ADEC29

If the ExtraData value is like that, it means the CD is an upgrade CD and cannot be used for clean installation.

Pid=?????AAA

AAA here decides the licensing type of the installation media.

- If AAA = 335 => Retail. It accepts retail keys only. Requires activation.
- If AAA = 270 => Volume Licensing. It accepts volume licensing keys only. Does not require activation. However, if you use any of the blocked keys, you'll see warnings about piracy and won't be able to log in.
- If AAA = OEM => OEM. It accepts OEM keys only.

Dosnet.inf

It is used for booting to setup. Correct me if I'm wrong.

ProductType is used to decide the ProductSuite registry value. It also exists in the TXTSETUP.SIF file. However, the SETUPREG.HIV file is also important, since changing the value alone won't change the edition.

- 0 = Professional
- 1 = Standard Server
- 2 = Enterprise Server
- 3 = Datacenter Server
- 4 = Home Edition
- 5 = Web Server
- 6 = Small Business Server

And there's the DestinationPlatform value for architectures. Sadly, changing only DOSNET.INF and other files like TXTSETUP.SIF won't change the architecture, because the executables are built for a specific architecture. Even changing PE values with some tools will not work.

The ServicePack value does not require explanation.

Layout.inf is used for copying files during GUI-mode setup, while TXTSETUP.SIF is for text-mode setup.

Here is the trick. If you see the following message:

It means that the cdtag files used by setup do not exist in the media root. The name is defined by setup:

WIN51XY

- X = Architecture: I for x86, A for x64, M for IA64.
- Y = SKU.

I hope I could be helpful enough.
I wrote a little piece of Python code to check if ExtraData in setupp.ini is upgrade or not.

Code:

```python
#!/usr/bin/env python3
import binascii
import sys
import zlib


def has_valid_length(extradata_bin):
    # ExtraData is 15 bytes: 10 core bytes, 4 CRC bytes, 1 checksum byte.
    return len(extradata_bin) == 15


def has_valid_checksum(extradata_bin):
    # The last byte is the sum of the first 14 bytes, modulo 256.
    cksum = 0
    for b in extradata_bin[0:-1]:
        cksum += b
    cksum &= 0xff
    return cksum == extradata_bin[14]


def has_valid_crc(extradata_bin):
    crc = zlib.crc32(extradata_bin[0:10])
    # Microsoft modified the standard CRC-32:
    # The final xor is 0 instead of 0xffffffff. We need to undo this here.
    crc ^= 0xffffffff
    return crc == int.from_bytes(extradata_bin[10:14], 'little')


def is_upgrade(core_bin):
    # Upgrade media: core bytes 3 and 5 are both at an odd offset from 'a'.
    return (((core_bin[3] - ord('a')) % 2 == 1) and
            ((core_bin[5] - ord('a')) % 2 == 1))


def main(extradata_str):
    extradata_bin = binascii.unhexlify(extradata_str)
    print(extradata_bin)
    if not has_valid_length(extradata_bin):
        return
    if not has_valid_checksum(extradata_bin):
        return
    if not has_valid_crc(extradata_bin):
        return
    print("checksum and CRC-32 ok")
    core = extradata_bin[0:10]
    print("core extradata: %s" % core.decode('utf-8'))
    if is_upgrade(core):
        print("is upgrade")
    else:
        print("is not upgrade")


if __name__ == '__main__':
    # Expect the ExtraData hex string as the only argument.
    if len(sys.argv) != 2:
        sys.exit("usage: %s <ExtraData hex string>" % sys.argv[0])
    main(sys.argv[1])
```
With the XP source leak, we can finally figure out what the other bytes in ExtraData mean (other than the upgrade check); the code is in base/ntsetup/complnce/pidinit/pidinit.c. Nothing: these are just 10 (non-secure) random bytes from 'a' to 'z' inclusive, changed to encode the upgrade check.
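Added example, not code from any poster in this thread or from Microsoft: a small inventory helper that reads the text of a setupp.ini and reports the licensing channel from the Pid suffix together with the ExtraData integrity checks and upgrade flag described above. The function names are hypothetical, and the sample's five leading Pid digits are placeholders; only the ExtraData value comes from the thread.

```python
#!/usr/bin/env python3
"""Classify Windows XP/2003 install media from the text of setupp.ini."""
import configparser
import zlib

# Channel IDs as listed in the thread (last three characters of Pid).
CHANNELS = {"335": "retail", "270": "volume", "OEM": "oem"}


def inspect_extradata(hex_str):
    """Return integrity results and the upgrade flag for an ExtraData value."""
    try:
        raw = bytes.fromhex(hex_str.strip())
    except ValueError:
        return {"well_formed": False}
    if len(raw) != 15:
        return {"well_formed": False}
    core, crc_field, cksum = raw[:10], raw[10:14], raw[14]
    # CRC-32 over the core without the final XOR, stored little-endian.
    crc_ok = (zlib.crc32(core) ^ 0xFFFFFFFF) == int.from_bytes(crc_field, "little")
    # One-byte additive checksum over the first 14 bytes.
    checksum_ok = (sum(raw[:14]) & 0xFF) == cksum
    # Upgrade media: core letters 3 and 5 both sit at odd offsets from 'a'.
    upgrade = all((core[i] - ord("a")) % 2 == 1 for i in (3, 5))
    return {"well_formed": True, "crc_ok": crc_ok, "checksum_ok": checksum_ok,
            "core": core.decode("ascii", "replace"), "upgrade": upgrade}


def inspect_setupp(text):
    """Parse setupp.ini text; report licensing channel and ExtraData status."""
    ini = configparser.ConfigParser(interpolation=None, strict=False)
    ini.read_string(text)
    section = next((s for s in ini.sections() if s.lower() == "pid"), None)
    if section is None:
        return {"error": "no [Pid] section"}
    pid = ini[section].get("pid", "").strip()
    report = {"pid": pid, "channel": CHANNELS.get(pid[-3:].upper(), "unknown")}
    report.update(inspect_extradata(ini[section].get("extradata", "")))
    return report


# Constructed sample: ExtraData is the value quoted in the thread,
# the five leading Pid digits are placeholders.
SAMPLE = "[Pid]\nExtraData=70656C7063627770737A9EA8ADEC29\nPid=00000335\n"

if __name__ == "__main__":
    for key, value in inspect_setupp(SAMPLE).items():
        print(f"{key}: {value}")
```

The upgrade flag should only be trusted when both `crc_ok` and `checksum_ok` are true, since a hand-edited ExtraData value can have the right letters but stale check bytes.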