Hello, under W8-1 and W2012 R2 the manifests stored in: %windir%\winsxs\manifests\ are compressed to some DAT format starting with strings: DCM and A30 (in Total Commander Viewer). Pls how to extract them to plain text XML? Thanks...
Not just .manifest files, but some components that aren't installed by default (the TFTP client, for example) are compressed/encrypted (more or less) the same way. I went crazy Googling around trying to figure out the format, but gave up in disgust after a few days. The only thing I could think of would be to hook CBS with OllyDbg to figure out what's going on, but I'll leave that to someone with more knowledge on the subject than I. Sorry I can't be more help. Rest assured, I'm just as frustrated as you by this 'development'.
Bump, for a damn good reason: (I think) I've identified the compression method - a bit of file comparison suggests it's a variation of Microsoft's semi-famous - but poorly-documented, since it's under patent - BDC (Binary Delta Compression). Does anyone know of a tool (besides EXPAND.EXE) that handles, or can at least tell us something about, BDC files? Bonus gun-jumping: I take it back: BDC (or at least the MS Patch API it's based upon) appears to be very well-documented. I'm slaving over a hot compiler as we speak (hurrah, a real language again after all that VBScript ).
Because EXPAND.EXE only handles BDC in very specific situations - and this isn't one of them. I'm currently writing some native code to interface directly to MSDELTA.DLL. Haven't made much headway yet. The file format is becoming clearer to me though: the first four bytes (DCM$01 or DCN$01 usually) appear to be flags for compression/decompression, and the rest is just a standard BDC PA30-format compressed file, similar to the components of a Windows update. If I don't make a breakthrough in the next hour or so, I'll shim MSDELTA.DLL, and trap the calls made during the install of the TFTP client on Windows 8.1. That should reveal everything.
I'm in no way an expert on winsxs package extraction stuff, but are the files you are trying to extract, copied from the winsxs folder?
I got your point. I'll try it again directly on W2012 R2 installation without copying the files elsewhere...
Ze Bubble has screwed up. I freely admit it. moderate's right. I've screwed up badly. There are two, slightly different, kinds of compression used in WinSxS: (what I call) the 'M1' method (used by .manifest files), and the 'N1' method (used by everything else, it seems). It was a mistake to ignore that four-byte header... My tool, as it is, only handles 'N1' compression. I've been working on it for the last few hours, and I'm not sure what's wrong. These are the possibilities, in increasing order of 'badness'. Bug in my decompression routine. Unlikely, since it works on N1 just fine; M1 isn't a truly 'source-less' delta. Most likely, just need find the source file the delta applies to, and the file will decompress; M1 is a noticeably different method to N1. Unlikely, but I'm really paranoid it could be true. Results pending...