Category Archives: Security

If you see something, think twice about saying something

Bruce has quoted a poem in his blog post for today:

If you see something,
Say something.
If you say something,
Mean something.
If you mean something,
You may have to prove something.
If you can’t prove something,
You may regret saying something.

I think the best lines are actually

If you shoot something,
Eat something.
If you eat something,
Floss something.

Bruce brings forward a story about a man who has been accused of the equivalent of crying wolf. This is only slightly removed from yelling fire in a crowded theater. Apparently this man left a bag full of papers and then tried to call in a bomb threat.

My favorite lines are good security references too, but have little to do with the particular philosophical example of fraud and risk to the public.

Bruce often says if you ask amateurs to help with security work then expect amateur results. I think his post today is meant to support this.

I disagree for several reasons. One, intelligence functions best with a network of inputs rather than in isolation. There is always chatter and noise, but go for too much squelch and you lose vital signal. Two, experts all were once amateurs. Why not embrace and provide the opportunity? Three, the definition of expert is rarely accurate, especially with rapidly changing technology — kids can become more “expert” than even “trained” professionals — so who decides? Etc.

This takes me back to the customized billboards I created some time ago.

50% reCaptcha Failure

Ever wonder why you are offered two separate words in the reCaptcha box? They call it a “free anti-bot service that helps digitize books”. What they really mean to say is that if you type in two words, one of the words will help you and the other word will help them.

The security implication is that only one of the two words is the real anti-bot test. The other word is there to help them fix issues in their digital book images.

reCAPTCHA improves the process of digitizing books by sending words that cannot be read by computers to the Web in the form of CAPTCHAs for humans to decipher. More specifically, each word that cannot be read correctly by OCR is placed on an image and used as a CAPTCHA. This is possible because most OCR programs alert you when a word cannot be read correctly.

One word they already know and the other word they are trying to decipher. If you type in two random words, you fail their test. If you type in one random word you have a good chance of passing the test as well as giving their database bogus information.

Many years ago as a graduate student I worked on a Xerox implementation for the blind. Fellow blind students would scan books and then give me the output files to correct and verify. I built simple scripts with WordPerfect to look for the number 5, for example, and substitute the letter s. It was not terribly sophisticated (I am no linguist) but it was enough to save me the trouble of reading every word of every page.

The reCaptcha effort seems to be headed in the same direction but using human labor as the solution instead of algorithms. Although I can see why they find this attractive, it begs a question of trust. It also begs the question of whether you want to bother putting in two words or gambling with just one. Try it and see.

disk2vhd and Volume Shadow Copy Service errors

Microsoft has published a utility called disk2vhd.exe that is meant to make it easy to convert a physical Windows system into a virtual disk.

Disk2vhd is a utility that creates VHD (Virtual Hard Disk – Microsoft’s Virtual Machine disk format) versions of physical disks for use in Microsoft Virtual PC or Microsoft Hyper-V virtual machines (VMs). The difference between Disk2vhd and other physical-to-virtual tools is that you can run Disk2vhd on a system that is online. Disk2vhd uses Windows’ Volume Snapshot capability, introduced in Windows XP, to create consistent point-in-time snapshots of the volumes you want to include in a conversion.

A customer asked for help tracking down errors when they tried to use the utility. They were unable to get a snapshot started because it immediately posted a non-descriptive error. With a little sleuth work I found that disk2vhd.exe has quite a bit of trouble as a result of its dependency on the Volume Shadow Copy Service (VSS). Here is how I located and resolved the VSS errors.

First, the Event Viewer is essential to unlocking problems on Windows. Open it up and review the Application event lists. Look for a VSS error. Open the Services control (run services.msc) and restart “Volume Shadow Copy” service. You may see something like this:

Ignore that link for more help. It actually is no help. Instead, note Event ID 12302 and go to Microsoft knowledgebase article 907574:

You receive a “Volume Shadow Copy Service” error message and event 5013 or event 12302 is logged when you use the Backup feature in Windows XP or in Windows XP Tablet PC Edition 2005…

This problem occurs because the Location registry entry in the following registry subkey is incorrect or missing:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\ContentIndex\Catalogs
This problem occurs when you uninstall a program that is listed in this registry subkey, but only the location information is removed from the registry subkey.

Follow the instructions for fixing or removing the bad subkeys. That worked on one system.

Another method to find errors is to check VSS operations with vssadmin.

Type “vssadmin list writers” at a command prompt and you may see this:

This brought me to the same Event ID but Microsoft proposed a different solution. Knowledgebase article 940184 covers how to clear and reset a failure in COM and VSS:

This problem may occur if the following registry key is corrupted: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EventSystem\{26c409cc-ae86-11d1-b616-00805fc79216}\Subscriptions

Their solution is a bit lengthy, so here is a quick batch file version that should make it easy.

Copy and paste the following commands into a file named VSSrepair.bat, then run it to execute the commands from 940184:

@echo off
REM
REM https://www.flyingpenguin.com
REM
REM Batch file to repair a Volume Shadow Copy (VSS) installation
REM based on https://support.microsoft.com/kb/940184
REM
echo --- !! WARNING !! WARNING !! WARNING !! WARNING
echo.
echo --- Run this with Administrator privileges only
echo.
echo --- NOT for use with Windows Vista, Windows Server 2008,
echo --- or later versions of Windows. Windows Vista and
echo --- Server 2008 use manifest-based component installation;
echo --- manual registration of components can cause serious failure
echo --- and require Windows reinstall to resolve.
echo.
echo --- !! WARNING !! WARNING !! WARNING !! WARNING
REM
pause
cd /d %windir%\system32
echo.
net stop vss
net stop swprv
regsvr32 ole32.dll
regsvr32 oleaut32.dll
regsvr32 /i eventcls.dll
regsvr32 vss_ps.dll
vssvc /register
regsvr32 /i swprv.dll
regsvr32 es.dll
regsvr32 stdprov.dll
echo --- vssui.dll is only for Windows 2003. Ignore this error on XP
regsvr32 vssui.dll
regsvr32 msxml.dll
regsvr32 msxml3.dll
echo --- msxml4.dll is optional and thus may fail. Ignore this error
regsvr32 msxml4.dll
pause

The knowledge base article then recommends you type “vssadmin list writers” from the command prompt. Success means you will see a list like this one:

Hope that helps save some time. There could be more issues to VSS, but these two methods worked for me.


Updated to add: if you have Visio installed you may have to remove the following registry entry

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\ContentIndex\Catalogs\Visio
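The three checks above (event IDs, the Catalogs subkeys, and the writer list) can be collected in one read-only pass before changing anything. This is an added example, not part of the original post or of either Microsoft article; it assumes Windows PowerShell 2.0 or later in an elevated prompt, English-language vssadmin output, and that a Location value pointing at a path that no longer exists counts as "incorrect".

```powershell
# Added example: read-only VSS triage. Nothing is written or deleted.
# Assumption: a Location value naming a path that no longer exists is "incorrect".
$catalogs = 'HKLM:\SYSTEM\CurrentControlSet\Control\ContentIndex\Catalogs'

# 1. Recent VSS events with the two event IDs named in KB 907574.
Get-EventLog -LogName Application -Source VSS -Newest 50 `
        -ErrorAction SilentlyContinue |
    Where-Object { $_.EventID -eq 5013 -or $_.EventID -eq 12302 } |
    Select-Object TimeGenerated, EventID, Message |
    Format-List

# 2. Catalog subkeys whose Location entry is missing or points nowhere.
if (Test-Path $catalogs) {
    Get-ChildItem $catalogs | ForEach-Object {
        $location = $_.GetValue('Location', $null)
        if ([string]::IsNullOrEmpty($location)) {
            $status = 'Location missing'
        } elseif (Test-Path -LiteralPath ([Environment]::ExpandEnvironmentVariables($location))) {
            $status = 'OK'
        } else {
            $status = 'Location path not found'
        }
        New-Object PSObject -Property @{
            Subkey = $_.PSChildName; Location = $location; Status = $status
        }
    } | Format-Table Subkey, Status, Location -AutoSize
}

# 3. VSS writers that are not stable or that report an error.
#    The patterns match English-language vssadmin output only.
$name = $null
vssadmin list writers | ForEach-Object {
    if ($_ -match "^Writer name: '(.+)'") {
        $name = $Matches[1]
    }
    elseif ($_ -match '^\s*State: \[\d+\] (.+)$' -and $Matches[1].Trim() -ne 'Stable') {
        "{0}: state {1}" -f $name, $Matches[1].Trim()
    }
    elseif ($_ -match '^\s*Last error: (.+)$' -and $Matches[1].Trim() -ne 'No error') {
        "{0}: last error {1}" -f $name, $Matches[1].Trim()
    }
}
```

Export the Catalogs key with regedit before removing any subkey the second check flags.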

The Insecurity of Modern Cars

The Center for Automotive Embedded Systems Security (CAESS), a collaboration between the University of California San Diego and the University of Washington, has exposed a weakness in modern automobile engineering.

Their analysis was done by connecting to an OBD-II port (a federally mandated On-Board Diagnostics port in almost every car) that gives access to a vehicle’s controller area network (CAN), also known as the CAN-bus. It turns out that someone who simply plugs into the OBD-II port is granted open control of every other device in the car. Very simple tests revealed the lack of security.

While the automotive industry has always considered safety a critical engineering concern (indeed, much of this new software has been introduced specifically to increase safety, e.g., Anti-lock Brake Systems) it is not clear whether vehicle manufacturers have anticipated in their designs the possibility of an adversary.

One worst-case scenario suggested by the research team is that malformed traffic on an automobile’s CAN-bus can cause a life-threatening malfunction. Random packets sent to a brake, for example, caused a wheel to lock. This type of failure could be related to another system failing on the CAN-bus and not necessarily a targeted attack.

Another consideration is that all the new user-upgradable systems for audio and communications interface with the CAN-bus and emphasize wireless connectivity. It is easy to imagine one of these devices or a “tuner” upgrade malfunctioning, as they tend to do already, and causing far more widespread impact by being integrated into the telematics platform of an automobile.

The study intentionally avoids discussion of the threats. The authors only mention physical and wireless access as areas for future research.

Clearly this is an area ripe for discussion as very few people (outside the engineers who build the systems and hope threats do not emerge) understand the extent to which a new car can be remotely monitored and controlled via the Internet. This calls out the notion that developers, often trusted to do the right thing and develop a secure system, may instead rely on a thin veneer of obscurity and hope no one is looking.

Anyone who believes the automobile companies will rise to the security challenge and fix issues without independent assessments and regulation has not read the latest update on the Ford Explorer roll-over crisis. Ford actually lowered the strength ratio to a minimum federal requirement (1.5 times the weight) while the standard was being raised (3.0 times the weight), all the while claiming that the car design was good but the tires were entirely at fault. They are just now being forced to admit the Explorer design was also to blame.

Steve Forrest conducted several drop tests showing the performance of the production and reinforced UN150 Ford Explorer. He was able to establish through that testing that the strength of the Explorer roof could have been tripled for a cost of approximately $40. His testing showed that a reinforced roof in Ms. Parker’s wreck would have crushed approximately two inches instead of ten inches.

We also proved that the seat belt system in the 1999 Explorer was defective and failed to retain Ms. Parker in the vehicle during the rollover sequence. The evidence presented showed that slack could be introduced into the belt system when the B pillar was crushed inward. Plaintiff’s expert, Steve Meyer, testified that due to the poor roof design, the seat belt system should have included a cinching latch plate or been integrated into the seat back instead of being mounted to the B pillar. Mr. Meyer also testified that performance of the seat belt could be improved if the roof was strengthened.

Ford fought this for many years. Only in Argentina did they admit dangerous weaknesses in the Explorer design, but they characterized it as a response to the different “driving style” in that country.

This is like a car company claiming that the threat of wireless attack is only a risk in Argentina, or that a rogue device on the CAN-bus will only happen in Argentina. Does that sound like reasonable threat modeling?

Allowing the company to dismiss or weigh risk decisions entirely on vulnerability tests, and without realistic threat modeling, is not an acceptable gamble. Ford is one of the companies pushing hard for cars to adopt a new telematics platform, which could even allow third-party applications to be installed. A system such as this must address security properly in terms of threats as well as vulnerabilities. The CAESS is thus doing a great service with the report, helping the automobile industry see better how to protect their most valuable assets on and off the road.