                                 RELEASE NOTES
                                 =============


                                 Ghost Walker
                              SID update utility


                                 Version 1.1.2



  Contents:
  ---------

     1. Licenses
     2. Product Description
     3. NT Versions tested
     4. Limitations
     5. Operation
     6. Command Line Interface Syntax
     7. Registry Files
     8. Changing SIDs for Workstations participating in a Domain
     9. Issues when updating existing NT Workstations
     10. Identical User Names AND Passwords across Workstations
     11. Extended Memory
     12. Future Additions
     13. Bug Fixes


  1. Licenses:
     ---------

     Ghost Walker SID update utility has been designed to allow unlimited
     operation if a valid Ghost license has been applied to it.

     To apply a Ghost license to Ghost Walker, use the /#E=<license file>
     switch  where <license file> is the filespec of your license file.

     By default, Ghost Walker SID update utility provides for operation
     until a timeout date and time as specified on the startup banner.



  2. Product Description:
     --------------------

     The primary design goal of Ghost Walker is to update every instance of
     the Security Identifier (SID) for an NT Workstation so that it appears
     to have assumed a new unique identity to an NT Server.

     This requirement has arisen as a direct result of:

     A. The loss of uniqueness of an NT Workstation's SID following disk
        cloning.

     B. Widely reported MS publicity that NT Version 5 would not support
        NT Workstations bearing non-unique SIDs.



    Ghost Walker satisfies the design goal by:

    A. Generating statistically unique SIDs.

    B. Updating textual and binary SID representations in NT Registries
       residing on both NTFS and FAT volumes with a new SID.

    C. Updating binary SID instances in the security data held as part of
       NTFS File Systems.

    D. Updating textual SID instances in the security data held in directory
       and filenames on NTFS File Systems.

    E. Prompting for and updating the Computer Name used by the NT
       Workstation.



  3. NT Versions tested:
     -------------------
     Ghost Walker has been tested on the following versions of NT:

     A.   NT 3.51 - No service packs
     B.   NT 3.51 - Servive Pack 5

     C.   NT 4.0  - No Service Packs
     D.   NT 4.0  - Service Pack 1
     E.   NT 4.0  - Service Pack 2
     F.   NT 4.0  - Service Pack 3




  4. Limitations:
     ------------

    A. Update of textual versions of the SID imbedded in directory and
       file names of FAT File Systems is not supported.

    B. Update of SID representations residing in structures that are not file
       system or operating system structures is not supported

    C. Update of compressed Registry Hive files is not supported.

    D. Workstation, User and Group SIDs embedded in data objects external to
       the Workstation are not updated. 



    
  5. Operation:
     ----------
    
     NB 1: Ghost Walker is a DOS application designed to run under native
           DOS only (not an NT or 95 DOS shell).

     NB 2: If the Workstation is currently participating in an NT Server
           Domain, you MUST remove it from the Domain BEFORE changing the
           SID or Computer Name.

           YOU MUST REMOVE THE WORKSTATION FROM THE DOMAIN TO A WORKGROUP
           IN THE NETWORK PROPERTIES DIALOG ON THE WORKSTATION ITSELF

           It is not enough to remove the Workstation from the Domain using
           the Server Manager.

           This also applies to cloning or creating Ghost images of
           NT Workstations which will then subsequently have their SIDs
           updated.


     A. The first task of Ghost Walker is to identify all bootable NT Systems
        on a machine's hard drives.
        To do this, it takes each hard drive in turn, then each partition
        on that hard drive and looks for \BOOT.INI.

        If \BOOT.INI is located, it interprets all of the NT boot paths in
        the [operating system] section and attempts to locate an installed
        NT System at the location described by each boot path.

        Ghost Walker will determine that there is an installed NT System at
        the location if a full set of Registry Hive Files and the NT operat-
        ing system kernel executeable can be located in the proper locations
        relative to the system root path described in the boot path.

        Example BOOT.INI [operating system] section:
        .
        .
        .
        [operating systems]
        multi(0)disk(0)rdisk(0)partition(1)\WINNT="Windows NT Workstation ...
                             ^           ^ {----}
        where:              drive    part  system root

     B. Once all possible drives and partitions have been searched, Ghost
        Walker displays a full list of all NT Systems detected including:

          1. Logical ID - assigned by Ghost Walker
          2. drive
          3. partition
          4. volume label
          5. partition type
          6. Computer Name
          7. Machine SID of the volume


        In addition to the NT Systems detected, Ghost Walker displays all
        interpretable volumes on the machine.
        These are displayed so that some or all of them may be included in
        the SID update process, even though they do not contain the actual
        NT System.


        Details about these volumes displayed are:

          1. Logical ID - assigned by Ghost Walker
          2. drive
          3. partition
          4. volume label
          5. partition type

     C. At this point, Ghost Walker will either:

        1. Prompt you to select an NT System to update if there is more
           than one NT System on the machine

        or

        2. Detect that there is only one installed NT System and automatically
           select that NT System for update.

        or

        3. If a NT System was specified on the command line (/BV=x:y), then
           that NT System will automatically be selected for update.
           Specifying a command line NT System will override options 2 and 3
           above.

     D. The user is then asked to select an option from the following:

        NB: If /SURE was specified in the command line, these options are
            not prompted for and the utility proceeds on to update the
            selected NT System.

        1. Press <ENTER> to continue and Update the NT System and any
           selected additional non-bootable volumes.

        2. Add/Remove additional non-bootable volumes to be updated.
           If there was only one NT System detected, then all of the
           volumes on the machine will be automatically selected for
           update.

           If any additional volumes were specified on the command line
           by /AV=x:y or /AV=ALL then these selections will already be
           reflected as defaults in the list of additional volumes.

        NB:You MUST include any additional NTFS volumes which may have
           security information relating to the Bootable NT System imbedded
           on them.  Failure to do so may result in instances of the older
           SID on the File System not being updated to the new SID with a
           subsequent mismatch between the SID in the registry and the SID
           on the filesystem.



        3. Change the NT System's Computer Name - If you decide to change
           the Computer Name, the new name must be exactly the same length
           as the old name. See the section entitled 'Updating Existing
           NT Workstations ' below.

           If a new Computer Name was specified on the command line with the
           by /AV=x:y or /AV=ALL then this will already be displayed as the
           default new name.


     E. Once <ENTER> to Update has been selected, Ghost Walker displays a
        new SID that will replace the old SID and asks whether you are sure
        you want to continue and Update.

        Press 'Y' or <ENTER> to continue.

        NB:  This step is skipped if /SURE was specified on the command line.


     F. Ghost Walker will search and update:

        1. The Registry of the selected NT System

        2. The filesystem that the NT System resides on

        3. Then any additional volumes selected for update.

        NB:You MUST include any additional NTFS volumes which have security
           information relating to the Bootable NT System selected.  Failure
           to do so will result in instances of the older SID not being
           updated to the new SID and a subsequent mismatch between the SID
           in the registry and the SID on the filesystem.

     G. Once the update has finished, the user will be returned to the
        initial prompt with the new SID and Computer Name displayed.


  6. Command Line Interface Syntax:
     ------------------------------

          GHSTWALK [/CN=\"<New Computer Name>\"]
                   [/BV=<drv>:<part> [/AV=ALL|/AV=<drv>:<part> ... ] ]
                   [/SURE] [/DIAG] [/XINT13ON]
                   [/#E=<license file>]

     where:

           /CN="New Computer Name"   specifies a new Computer Name to use.
                                 NB: New Computer Name must be the same
                                     length as the original name
      
           /BV=<drv>:part> ........  specifies the drive number and
                                     partition number of the Bootable
                                     NT Installation to update
    
           /AV=<drv>:part> ........  specifies the drive number and
                                     partition number of an Additional
                                     Volume containing a File System to
                                     update.
                                 NB: More than one may be specified
                                     by repeating the argument for each
                                     additional volume.
                                 NB: Cannot be combined with /AV=ALL argument
      
           /AV=ALL ................  specifies ALL other volumes are
                                     to be included as Additional Volumes.
                                 NB: Cannot be combined with /AV=x:x argument
      
           /SURE ..................  Specifies that update should start
                                     without user confirmation.
    
           /DIAG ..................  Specifies that the utility should ONLY
                                     generate a diagnostic dump file and NOT
                                     update the SID.
    
           /XINT13ON...............  Specifies that the utility should use
                                     an Extended Int13 interface if one is
                                     detected.  Default behaviour is to use
                                     the normal Int13 interface if the drive
                                     can be accessed in total using the normal
                                     interface even if an extended interface
                                     is available.
    
           /#E=<license file>......  Specifies a Ghost Multi User or
                                     Commercial license file to apply to
                                     Ghost Walker.

     Example:
     --------

         GHSTWALK /BV=1:2 /AV=1:1 /AV=2:1 /CN="WS4-3452" /SURE

         i)   Update NT Installation located on the 2nd partition of the 1st
              disk.
      
         ii)  Update File Systems on Additional volumes on the 1st partition
              of the 1st and 2nd disks.
      
         iii) Change the Computer Name to WS4-3452.
      
         iv)  Don't prompt the user for final confirmation


  7. Registry Files:
     ---------------

     Ghost Walker will not update an NT Registry if it cannot find some or
     all of the core Registry Hive Files OR if it detects that they are in
     compressed form (on NTFS volumes).

     These are:

     A. <system root>\WinNT\System32\Config\Sam
     B. <system root>\WinNT\System32\Config\Security
     C. <system root>\WinNT\System32\Config\Software
     D. <system root>\WinNT\System32\Config\System
     E. <system root>\WinNT\System32\Config\Default

     If some or all of these files cannot be located Ghost Walker will not
     interpret the Volume as an installed NT system.

     In addition to this, Ghost Walker will also not interpret a Volume as
     an installed NT System if it can not locate an internally referenced
     User Hive File
     ie. <system root>\WinNT\Profiles\Administrator\ntuser.dat.



  8. Changing SIDs for Workstations participating in a Domain:
     ---------------------------------------------------------

     Ghost Walker can be considered a tool for changing the 'identity' of a
     Workstation. This identity consistes of the Machine Name and the Machine
     SID.

     The relationship between a Domain Controller and a Workstation is based
     on the Domain Controller's identity and the Workstations identity.

     If you decide to change either participant's identifying features
     (Machine SID or Machine Name) then you MUST:

     A. Terminate any existing relationship with the other participant(s)
        BEFORE the feature is changed

     and

     B. Re-establish the relationship after the feature has been changed.

     This is done by removing the Workstation from the Domain before the
     SID or Machine Name is changed then re-adding the Workstation to the
     Domain using the new SID and Machine Name.

     If this is not done then the other participant will not know who the
     changed participant is.
     ie. The Domain Controller will not be able to identify the Workstation
     based on its record of Workstations with an established relationship
     with it.


  9. Issues when updating existing NT Workstations:
     ----------------------------------------------

     A. Loss of access to external data objects:
     -------------------------------------------

     Changing the SID of a Workstation (or a clone of a Workstation) that has
     been in use for some time may be more problematic than changing the SID
     of a newly installed Workstation (or a clone of a newly installed
     Workstation).

     When a Workstation User (as opposed to a Domain User) creates data
     objects on machines other than the Workstation itself, it may have
     security information created for those data objects which are based on
     the User's SID (which is based on the Workstation SID).

     When Ghost Walker updates the SID, it not only changes the Machine SID
     but all of the Workstation User and Group SIDs.
     This must be done as User and Group SIDs are assumed to be based on the
     Workstation's Machine SID (which is now updated).

     This may mean that the security information on external machines no
     longer matches the new SIDs of the Workstation Users resulting in a loss
     of access to those data objects.

     B. Domain User Profiles:
     ------------------------

     If an existing Workstation has had Domain Users (as opposed to
     Workstation Users) logging on to the Domain via the Workstation, then
     a local Domain User Profile is created on the Workstation.
     If the Workstation's SID is changed then it appears that NT can not
     locate that Domain User's local profile any more.
     Instead it will create a new profile based on the Default User profile
     just as if that were the first time that the Domain User was logging on
     to the Domain via that Workstation.

     This means that any information stored in the local Profile will be lost
     eg. Menu options, colour schemes etc.


  10. Identical User Names AND Passwords across Workstations:
      -------------------------------------------------------

     If there are 2 Workstations in a domain that happen to have 2 users
     with the same user name AND password, the domain will give each of them
     access to the others resources EVEN IF THEIR SIDS ARE DIFFERENT.

     This is a fairly common situation following cloning.

     It appears that the 'accessing' user is given the rights that the
     'accessed' user has by proxy
     ie. the access is performed on behalf of the accessing user by the
     accessed user, just because there is a user name/password match.

     This can best be seen when specific access rights are granted remotely
     by the accessing user to a resource on the accessed machine.

     Inspection of the Access Control List will show that the accessed user
     has been nominated as the user who has been given rights to the
     resource.

     It is important to realise that updating the SIDs on a Workstation
     will NOT stop this situation occurring.  You must change the password
     of one or other of the users.

     A future enhancement to Ghost Walker is to make changes to a user's
     profile to force a user to change their password the next time that they
     log in.


  11. Extended Memory:
      ----------------

    Ghost Walker will perform poorly on NTFS Volumes without the availability
    of XMS memory for disk caching.

    For this reason you should load suitable XMS memory drivers.
    Ghost Walker will allocate up to 8 Mb of XMS memory for disk caching.


  12. Future Additions:
      -----------------

    Future releases may provide the ability to:

    A. Nominate specific Registry keys for update with new values
       ie. update of static TCP/IP addresses.

       These new values could be supplied by hard coding, prompting the
       user or random value generation.

    B. Manipulating User Account data ie. forcing passwords to be changed at
       the next logon.
       This stops the proliferation of User Accounts with the same Name AND
       same Password.
       This would otherwise allow the cloned User Accounts to assume the
       privileges of the source User Account on shared resources by virtue of
       a match in User Account Name AND User Account password.

    C. Addition of a customizeable file search and update mechanism to allow
       users to customize the operation of Ghost Walker to work on files
       other than the Registry Hive files and the Security attributes of files.


  13. Bug Fixes:
      ----------

       Fixed
      Version  Enhancement/Bug Fix
      ======================================================================

       1.1.2   Domain users' Profiles now handled properly.
               Previously presented as a loss of access to the Domain User's
               Profile hive file.

               Bug in NTFS FileSystem update corrected.
               Previously evident from loss of access to resources due to
               incorrect security information.

       1.1.1   NT Installations for some languages using character sets other
               than English based character set now supported (specifically
               Scandinavian character sets).
               Previously resulted in error opening Registry User Hive file
               followed by error opening Registry followed by failure to
               identify a bootable NT installation.

               Removed limitation on number of FAT partition files able to
               be read.  FILES=xx statement no longer required in CONFIG.SYS.
               Previously resulted in error opening Registry Hive file
               followed by error opening Registry followed by failure to
               identify a bootable NT installation.

               Assertion failure "sd.Revision == 1" in SECDESC.CPP fixed.

               Compaq, IBM and other disks containing a Partition Table Entry
               order differing from the physical location order now supported.
               Previously this scenario resulted in no bootable NT install-
               ations on disk being identified.

               User now prompted if Ghost Walker can not determine what DOS
               drive letter to use for a FAT partition - previously this
               situation resulted in an assertion in FATPART.CPP.

      ----------------------------------------------------------------------
