How to automatically prevent creation of $Recycle.Bins & SVI folders?

forensic untained host system recycler system volume information disable

8 replies to this topic

#1 Mikka (Frequent Member, Developer, 175 posts, Germany)

Posted 18 July 2012 - 06:06 PM

Hi,

One thing that really bothers me is the automatic creation of the Windows objects $Recycle.Bin and System Volume Information, an even bigger annoyance than the cr**py My Documents innovation.

Using a Win7PESE build, I do not want these objects to be (re-)created on every drive and partition I access.

I'm searching for methods ("hacks", whatever...) to tell Windows/Win7PESE:
  • not to create any $Recycle.Bin/$RECYCLE.BIN objects at all; never, for no one
  • to delete files and folders immediately, not using any Recycler (maybe via NukeOnDelete)
  • if necessary, to set any Recycler size to 0 MB
  • to globally disable the System Restore service/functionality
  • if feasible somehow, not to create any System Volume Information objects
  • not to protect any of these objects if found, enabling me to remove them
According to some rumors, I found a couple of registry values, such as

RegWrite,HKLM,0x4,"Tmp_Software\Policies\Microsoft\Windows NT\SystemRestore",DisableSR,1
RegWrite,HKLM,0x4,"Tmp_Default\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{0E62E162-BDED-4E74-88F1-EE99FD717DEB}Machine\Software\Policies\Microsoft\Windows NT\SystemRestore",DisableSR,1


dealing with System Restore or

RegWrite,HKLM,0x4,Tmp_Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket,NukeOnDelete,1
RegWrite,HKLM,0x4,Tmp_Software\Microsoft\Windows\CurrentVersion\policies\Explorer,NoRecycleFiles,1


for Recycler settings, but that didn't get me further.

Has anybody already tried to achieve this? Maybe the forensic folks out there...?
I do not want to mount a host system read-only, as I'm running my backup programs in Win7PESE, but I want to prevent the PE build from tampering with the host and external (NTFS-formatted) HDDs...

Any suggestions?

Thanks in advance!

#2 u2o (Frequent Member, .script developer, 257 posts, Argentina)

Posted 06 August 2012 - 02:39 PM

Hi Mikka! Take a look here: Prevent System Restore Points on a External Drive

#3 Mikka (Frequent Member, Developer, 175 posts, Germany)

Posted 11 August 2012 - 01:29 PM

u2o, that's for a live system, and even doing that, you cannot dissuade Windows from re-creating the $Recycle.Bin and SVI folders that way.

So even if I manage to disable Microsoft's System Restore, Windows File Protection, the Recycler functionality and (maybe; I do not know if I have to, and on the other hand this option isn't needed in a PE) the Windows 7 Libraries, I want to make sure they're gone and won't reappear.

#4 MedEvil (Platinum Member, .script developer, 7771 posts)

Posted 11 August 2012 - 03:30 PM

I doubt that there are registry settings which stop these folders from being created.

You could probably set PE to delete instead of moving to the recycle bin, and then hack some files to stop the creation of the recycle bin folder.

No idea on the volume information, though.

:cheers:

#5 Mikka (Frequent Member, Developer, 175 posts, Germany)

Posted 13 August 2012 - 06:31 PM

"hack some files to stop creation of recycle bin folder."

Would be great—in case there's no other, easier method.

"No idea on the volume information though."

As a compromise, I'd imagine some sort of logon script that selectively searches for and deletes SVI instances on NTFS drives.
I don't know anything about logon scripts (scripting engine...) for Win7PE, though; maybe a cmd/batch file...

As for the deletion, some sort of rd /q /s %folder% should do. :rolleyes:
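The following batch file is an added example illustrating the two ideas in this thread, the policy values quoted in post #1 and the startup cleanup script proposed in post #5. It is not code from any poster or from the Win7PESE project. It assumes it is run as Administrator from a Win7PE startup hook (or from a full Windows 7 as Administrator), that reg.exe, takeown.exe, icacls.exe and attrib.exe are present in the build, and that %SystemDrive% is the PE's own boot volume (normally X:), which is skipped. The RegWrite lines in post #1 write to the offline Tmp_Software/Tmp_Default hives at build time; at runtime those hives are HKLM\SOFTWARE and HKCU, which is what the reg add commands below target. The folder names and drive-letter range are the script's own assumptions.

```batch
@echo off
setlocal EnableExtensions EnableDelayedExpansion
rem Added example, not from the thread. Assumes reg/takeown/icacls/attrib exist
rem in the PE build and that %SystemDrive% (normally X: in Win7PE) is the PE itself.

rem --- 1) Policy values from post #1, written to the live registry ---------
rem DisableSR / DisableConfig turn System Restore off (policy key).
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore" /v DisableSR /t REG_DWORD /d 1 /f >nul
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore" /v DisableConfig /t REG_DWORD /d 1 /f >nul
rem NoRecycleFiles = "Do not move deleted files to the Recycle Bin" (shell policy).
reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoRecycleFiles /t REG_DWORD /d 1 /f >nul
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoRecycleFiles /t REG_DWORD /d 1 /f >nul

rem --- 2) Sweep every mounted drive letter except the PE boot volume --------
set "SKIP=%SystemDrive%"
for %%d in (C D E F G H I J K L M N O P Q R S T U V W X Y Z) do (
    if /i not "%%d:"=="%SKIP%" if exist "%%d:\" call :clean "%%d:"
)
endlocal
exit /b 0

:clean
set "DRV=%~1"
rem Folder names are assumptions: Vista/7 bin, XP-era bin, and the SVI folder.
for %%f in ("$Recycle.Bin" "RECYCLER" "System Volume Information") do (
    if exist "%DRV%\%%~f\" (
        echo Removing "%DRV%\%%~f"
        rem These folders are normally SYSTEM-owned with no Administrators access,
        rem so take ownership and grant Full Control before rd, then drop the
        rem system/hidden/read-only attributes that make rd refuse the tree.
        takeown /f "%DRV%\%%~f" /r /d y >nul 2>&1
        icacls "%DRV%\%%~f" /grant Administrators:F /t /c /q >nul 2>&1
        attrib -s -h -r "%DRV%\%%~f" /s /d >nul 2>&1
        rd /s /q "%DRV%\%%~f" 2>nul
        if exist "%DRV%\%%~f\" echo   Could not remove "%DRV%\%%~f" ^(in use or access denied^)
    )
)
exit /b 0
```

Two caveats a practitioner should keep in mind. First, removing System Volume Information from a host volume discards that system's restore points and Volume Shadow Copies on that volume; that is what the opening post asks for, but it is destructive and irreversible, so run the sweep only on drives you mean to strip. Second, the script removes the folders; it does not stop whichever component created them from creating them again later in the session, which is exactly the open question in this thread, so a sweep at startup may need to be repeated after the backup job or at shutdown. Note also that rd and del never use the Recycle Bin, so the NoRecycleFiles policy only matters for deletes done through the Explorer shell, and that on Windows 7 the NukeOnDelete value quoted in post #1 is stored per volume under HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{volume GUID}, not at the XP-era HKLM\...\BitBucket location.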

#6 Mikka (Frequent Member, Developer, 175 posts, Germany)

Posted 17 August 2012 - 07:53 PM

"Don't know anything about logon scripts (scripting engine...) for Win7PE, though"

By the way, does anybody know when Windows 7/Win7PESE [re]creates [missing] $Recycle.Bin or SVI folders?
And when would it be best to trigger a deletion action like the one above?
Does Win7PESE support logon or startup scripts (gpedit.msc)?


#7 MedEvil (Platinum Member, .script developer, 7771 posts)

Posted 17 August 2012 - 10:56 PM

Try a minimal build, the smallest possible, with CMD as the shell.
If the folders are still created, it's probably the kernel or maybe even the driver.

:cheers:

#8 Mikka (Frequent Member, Developer, 175 posts, Germany)

Posted 20 August 2012 - 10:01 AM

"With CMD as shell"

Errr... is there any script available which configures that for me?
I suppose unticking all the Shell entries isn't enough...
:dubbio:

#9 MedEvil (Platinum Member, .script developer, 7771 posts)

Posted 20 August 2012 - 10:12 AM

No, unticking the existing ones will give you no shell at all.

If there's no script, you have to create one. It will have basically just one line of code, the one which tells PE to use cmd.exe as the shell.
Just have a look at the available shell scripts.

It should be an entry in one of the ini or cfg files or in the registry.

:cheers:
