Error Handling in MMC

In this article, I want to provide some information about error handling in MMC (Microsoft Management Console) framework.

Based on my latest analysis, in case of error, regardless of what internal error codes gives, MMC will eventually show this typical error :

With the text version, for the searching purposes :

MMC cannot open the file [MSC File]
This may be because the file does not exist, is not an MMC console, or was created by a later version of MMC. This may also be because you do not have sufficient access rights to the file.

This is verified by presenting 2 sample of controlled (deliberated) error generating procedure.

The first case is by changing the signature byte of the binary MSC file. As you may already know, the binary format of MSC file is one of the form of Compound Binary File Format.

The Structured Storage API routine provided by Windows will checks for this signature to determine whether this file is a valid Compound Binary file or not.

If not, it will gives the 0x80030050 (STG_E_FILEALREADYEXISTS) error codes indicating that the file is not a valid Structured Storage file.

Comparing it with the above error message, although in the sense that it is a correct general error message, it tends to too generic and rather misleading.

The second case is by changing some internal structure of MSC file. This time the file is a valid Structured Storage file as far as the API can tell, but is invalid by the MMC’s point of view.

Now the error codes gives 0x80004005 (E_FAIL) after the call to mmc!CAMCDoc::ScOnOpenDocument, but the error box is still the same as above.

The internal error codes of the above two cases is obtained by examining the error checking routine in mmcbase.dll (MMCERROR::SC) :

:01038E10 8D4DE4 lea ecx, dword[ebp-1C]
:01038E13 FF15441C0001 call dword[01001C44 {__imp_??BSC@mmcerror@@QBE_NXZ}]
;;call mmcbase!mmcerror::SC::operator bool
:01038E19 84C0 test al, al

The above assembly code is part of CAMCDoc::OnOpenDocument in MMC.EXE framework.

Before the call, the memory dump of ecx, after being filled by address of ebp-0x1c is as follows :

0:000> d ds:0007f778
0023:0007f778 03 00 00 00 05 40 00 80-c8 b5 04 01 00 00 00 00 …..@……….

Offset 0x4 which is 0x80004005 is the internal error codes
Offset 0x8 which is 0x0104B5C8 is the originating function when the error is occured, in this case, the originating function is :

0:000> d ds:0104b5c8
0023:0104b5c8 43 00 41 00 4d 00 43 00-44 00 6f 00 63 00 3a 00 C.A.M.C.D.o.c.:.
0023:0104b5d8 3a 00 4f 00 6e 00 4f 00-70 00 65 00 6e 00 44 00 :.O.n.O.p.e.n.D.
0023:0104b5e8 6f 00 63 00 75 00 6d 00-65 00 6e 00 74 00 00 00 o.c.u.m.e.n.t…

It reads CAMCDoc::OnOpenDocument. So, the calls to this function resulted in error code 0x80004005

Given from the above error structure, this routine will determine whether or not to stop processing MSC file by set the al register to 0x00 when there are no error, or 0x01 when some error is occured.

So, the conclusion is, do not fully believe the error message given by MMC, but checks it by yourself 🙂

Advertisements

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s


%d bloggers like this: