
Some questions and SanPolicy Values
9 replies to this topic

#1 misty

misty

    Gold Member

  • Developer
  • 1070 posts
  •  
    United Kingdom

Posted 14 September 2013 - 09:52 AM

Hi,

I'm working on a Winbuilder project which includes a WinFE script. I was wondering if you can shed some light on why the following registry edits were added to the "WinFE Write Protect Tool" script, and whether they are required when converting an unmodified WinPE to WinFE (e.g. a very basic unmodified WAIK WinPE) -

//Generic Patches - Disable TRIM to be on the safe side
RegWrite,"HKLM",0x4,"DTSetup\ControlSet001\Control\FileSystem","DisableDeleteNotification","0x00000001"
//Disable Dynamic Disks
RegWrite,"HKLM",0x4,"DTSetup\ControlSet001\services\volmgrx","Start","0x00000004"

I also stumbled across this http://technet.micro...ibrary/hh825063 - which mentions that different SanPolicy values were introduced with 6.2.9200 (Windows 8) WinFE builds. Previous WinFE versions (2.*/3.*) required a SanPolicy value of 3. According to the linked article, a SanPolicy value of 4 is "New for Windows 8. Makes internal disks offline. Note - All external disks and the boot disk are online."

Regards

Misty
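As an added example (not code from this thread, nor from the WinFE or WinBuilder projects), the script below applies the registry settings discussed in this post to an offline WAIK WinPE image and reads them back. It assumes an elevated PowerShell session on the build host, dism.exe and reg.exe on the PATH, a winpe.wim as produced by copype.cmd, an existing empty mount directory, and that the temporary hive name HKLM\WinFE_SYS is free; the paths C:\winpe_x86\winpe.wim and C:\winpe_x86\mount, the function names and the NoAutoMount companion value are this example's own choices, not something the post states.

```powershell
# Added example, not code from this thread or from any WinFE/WinBuilder project.
# Applies the WinFE registry settings to an offline WAIK WinPE image (winpe.wim
# from copype.cmd) and reads them back for verification.
# Assumed: elevated PowerShell on the build host, dism.exe and reg.exe on PATH,
# $MountDir existing and empty, and HKLM\WinFE_SYS not already in use.

function Get-WinFESettings([int]$SanPolicy) {
    # Paths are relative to the image's SYSTEM hive; the "DTSetup\..." prefix in the
    # WinBuilder script plays the same role as $Hive below. All values are REG_DWORD.
    # ControlSet001 is used because CurrentControlSet only exists on a running system.
    @(
        # 3 = offline internal disks (WinPE 2.x/3.x WinFE); 4 = the Windows 8 value
        # from the linked TechNet page, which also keeps the boot disk online.
        @{ Key = 'ControlSet001\Services\partmgr\Parameters'; Name = 'SanPolicy';                 Data = $SanPolicy },
        # Companion WinFE setting (assumed here): do not auto-mount volumes that come online.
        @{ Key = 'ControlSet001\Services\MountMgr';           Name = 'NoAutoMount';               Data = 1 },
        # The two "generic patches" from the WinFE Write Protect Tool script.
        @{ Key = 'ControlSet001\Control\FileSystem';          Name = 'DisableDeleteNotification'; Data = 1 },
        @{ Key = 'ControlSet001\Services\volmgrx';            Name = 'Start';                     Data = 4 }
    )
}

function Invoke-Native([string]$Exe, [string[]]$ArgList) {
    # Fail loudly. A silently failed 'reg load' would make the 'reg add' calls below
    # land in the build host's live registry instead of in the image.
    $out = & $Exe @ArgList 2>&1
    if ($LASTEXITCODE -ne 0) { throw "$Exe $($ArgList -join ' ') failed ($LASTEXITCODE): $out" }
    $out
}

function Read-OfflineDword([string]$Hive, $Setting) {
    # 'reg query' prints e.g. "    SanPolicy    REG_DWORD    0x3"; return the value or $null.
    try {
        foreach ($line in (Invoke-Native 'reg.exe' @('query', "$Hive\$($Setting.Key)", '/v', $Setting.Name))) {
            if ($line -match 'REG_DWORD\s+0x([0-9A-Fa-f]+)') { return [Convert]::ToInt32($Matches[1], 16) }
        }
    } catch { }
    return $null
}

function Use-OfflineSystemHive([string]$MountDir, [string]$Hive, [scriptblock]$Action) {
    # Load the image's SYSTEM hive under a temporary key, run $Action, always unload.
    $hiveFile = Join-Path $MountDir 'Windows\System32\config\SYSTEM'
    Invoke-Native 'reg.exe' @('load', $Hive, $hiveFile) | Out-Null
    try { & $Action }
    finally {
        [gc]::Collect()   # release stray handles, otherwise 'reg unload' fails with access denied
        Invoke-Native 'reg.exe' @('unload', $Hive) | Out-Null
    }
}

function Set-WinFEPolicy([string]$Wim, [string]$MountDir, [int]$SanPolicy = 3, [string]$Hive = 'HKLM\WinFE_SYS') {
    $settings = Get-WinFESettings $SanPolicy
    Invoke-Native 'dism.exe' @('/Mount-Image', "/ImageFile:$Wim", '/Index:1', "/MountDir:$MountDir") | Out-Null
    try {
        $apply = {
            foreach ($s in $settings) {
                Invoke-Native 'reg.exe' @('add', "$Hive\$($s.Key)", '/v', $s.Name,
                                          '/t', 'REG_DWORD', '/d', $s.Data, '/f') | Out-Null
            }
        }.GetNewClosure()
        Use-OfflineSystemHive $MountDir $Hive $apply
        Invoke-Native 'dism.exe' @('/Unmount-Image', "/MountDir:$MountDir", '/Commit') | Out-Null
    } catch {
        # Never commit a half-edited image.
        & dism.exe /Unmount-Image /MountDir:$MountDir /Discard | Out-Null
        throw
    }
}

function Test-WinFEPolicy([string]$Wim, [string]$MountDir, [int]$SanPolicy = 3, [string]$Hive = 'HKLM\WinFE_SYS') {
    # Mount read-only and report expected vs actual for every setting.
    $settings = Get-WinFESettings $SanPolicy
    Invoke-Native 'dism.exe' @('/Mount-Image', "/ImageFile:$Wim", '/Index:1', "/MountDir:$MountDir", '/ReadOnly') | Out-Null
    try {
        $check = {
            foreach ($s in $settings) {
                $actual = Read-OfflineDword $Hive $s
                [pscustomobject]@{ Name = $s.Name; Expected = $s.Data; Actual = $actual; Ok = ($actual -eq $s.Data) }
            }
        }.GetNewClosure()
        Use-OfflineSystemHive $MountDir $Hive $check
    } finally {
        Invoke-Native 'dism.exe' @('/Unmount-Image', "/MountDir:$MountDir", '/Discard') | Out-Null
    }
}

# Assumed paths: the x86 copype output directory.
Set-WinFEPolicy  -Wim 'C:\winpe_x86\winpe.wim' -MountDir 'C:\winpe_x86\mount' -SanPolicy 3
Test-WinFEPolicy -Wim 'C:\winpe_x86\winpe.wim' -MountDir 'C:\winpe_x86\mount' -SanPolicy 3 | Format-Table
```

The Start value of 4 is SERVICE_DISABLED, which is what the volmgrx line in the WinBuilder script sets. Pass -SanPolicy 4 for a 6.2.9200 (Windows 8 ADK) image if you want the boot disk left online, as the TechNet page describes; whichever value you use, Test-WinFEPolicy shows an Ok column per setting so the image can be checked before it is burned.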

#2 Wonko the Sane

Wonko the Sane

    The Finder

  • Advanced user
  • 16066 posts
  • Location:The Outside of the Asylum (gate is closed)
  •  
    Italy

Posted 14 September 2013 - 11:19 AM

Very likely of interest for you (only seemingly OT):
http://www.msfn.org/...ive-on-c-drive/

The TRIM disable is of course only useful for SSDs and similar devices.
The DynamicDisk disabling is something that is not AFAIK fully documented/resolved, but that "simply works" ;) check:
http://reboot.pro/to...c-disk-problem/

:cheers:
Wonko

#3 misty

Posted 15 September 2013 - 06:56 AM

@Wonko
Thanks. The first thread you linked to was interesting. I have not personally done any tests to check whether the system BCD store is in fact modified when booting WinPE 4 or 5 - I've certainly not noticed any modifications to the boot entries.

I was shocked to hear that it is seemingly possible to boot WinPE on a hibernated machine! I found the comments about not being able to clear the readonly attributes similarly interesting as I was also having this problem and had in fact stumbled on the very thread you linked to the day before your post.

DISKPART> attributes volume clear readonly noerr

DiskPart has encountered an error: The media is write protected.
See the System Event Log for more information.

I tried many different diskpart command sequences and could not clear the readonly flag on an internal drive - but could on a USB connected drive. I had no difficulty mounting internal drive partitions as readonly and suspect this is a further precaution for forensic analysis.

Interestingly using Colin Ramsden's excellent Write Protect Application (http://www.ramsdens.org.uk/) I could clear the readonly flag on all internal and external drives.

The second thread was also interesting and I'm curious about whether a basic WAIK build of WinFE has the same issue with Dynamic disks being mounted - there are contradictory posts in the thread. The following is quoted from Mr Ramsden's website -


WinBuilder (http://winfe.wordpress.com/) was chosen by Brett as the preferred deployment platform due to its ease of use and the scripts which were available to enhance the user experience of WinFE.

During testing, it became apparent that for reasons unknown, WinFE could not handle dynamic disks, and the result would be that if dynamic disks were encountered, no disks were automatically write protected, which is not good news for forensic computing!

It was then decided to start again from grass roots, WinFE was built again from the Microsoft Windows Automated Installation Kit (WAIK), where it was found that creating WinFE this way overcame the dynamic disk issues which were encountered with WinBuilder editions of WinFE.

WinFE Lite was subsequently born!


Speak soon,

Regards

Misty

#4 misty

Posted 15 September 2013 - 07:02 AM

@Everyone
Another question. Using WinPE 3.1 and the WinFE registry settings (SanPolicy 3) none of my partitions were mounted, however the system (internal) disk was online and the disk and all volumes were writable.

Is this normal? I thought that all partitions were automatically set as read-only, however I haven't played around much with WinFE for a long time.
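The question in this post and the read-only experiments in #3 both come down to what the storage stack actually reports once WinFE is booted. As an added example (not code from this thread or from any WinFE project), the script below runs inside the booted WinFE, feeds diskpart the same san / list disk / attributes disk commands one would type by hand, and reports per disk whether it is online and whether anything is holding it read-only. It assumes PowerShell 3 or later is present in the image (the WinPE-PowerShell package of WinPE 4.0 and later; WinPE 3.x has no PowerShell, so there the commands have to be typed interactively) and that diskpart prints its English output; the regular expressions are a best-effort parse of that output and the function names are this example's own.

```powershell
# Added example, not code from this thread. Run inside the booted WinFE (not on the
# build host) to show the SAN policy diskpart reports and the Online / Read-only
# state of every disk, so a disk that came up online and writable is noticed before
# anything touches it. Assumed: PowerShell 3+ in the image (WinPE-PowerShell package),
# diskpart.exe present, English diskpart output; the patterns below parse that format.

function Invoke-DiskPart([string[]]$Commands) {
    # diskpart takes its commands from a script file (/s); write one, run it, delete it.
    $script = Join-Path $env:TEMP ('winfe-' + [guid]::NewGuid().ToString('N') + '.txt')
    try {
        Set-Content -Path $script -Value $Commands -Encoding ASCII
        & diskpart.exe /s $script
    } finally { Remove-Item $script -ErrorAction SilentlyContinue }
}

function Get-WinFEDiskState {
    $policy = $null
    $status = @{}
    foreach ($line in (Invoke-DiskPart @('san', 'list disk'))) {
        # "SAN Policy  : Offline Internal"
        if ($line -match '^\s*SAN Policy\s*:\s*(.+?)\s*$') { $policy = $Matches[1] }
        # "  Disk 0    Online          465 GB      0 B        *"
        if ($line -match '^\s*Disk (\d+)\s+(Online|Offline|No Media|Missing|Foreign)') {
            $status[[int]$Matches[1]] = $Matches[2]
        }
    }
    $disks = foreach ($n in ($status.Keys | Sort-Object)) {
        $attr = @{}
        foreach ($line in (Invoke-DiskPart @("select disk $n", 'attributes disk'))) {
            # "Current Read-only State : Yes" / "Read-only  : Yes" / "Boot Disk  : No"
            if ($line -match '^\s*(Current Read-only State|Read-only|Boot Disk)\s*:\s*(Yes|No)') {
                $attr[$Matches[1]] = ($Matches[2] -eq 'Yes')
            }
        }
        [pscustomobject]@{
            Disk            = $n
            Status          = $status[$n]
            ReadOnlyFlag    = $attr['Read-only']                 # persistent attribute the SAN policy sets
            CurrentReadOnly = $attr['Current Read-only State']   # what the stack enforces right now
            BootDisk        = $attr['Boot Disk']
            # The case described in this post: online, and nothing holding it read-only.
            Writable        = ($status[$n] -eq 'Online' -and $attr['Current Read-only State'] -eq $false)
        }
    }
    [pscustomobject]@{ SanPolicy = $policy; Disks = @($disks) }
}

$state = Get-WinFEDiskState
"SAN policy: $($state.SanPolicy)"
$state.Disks | Format-Table -AutoSize
$state.Disks | Where-Object { $_.Writable } | ForEach-Object {
    Write-Warning "Disk $($_.Disk) is online and writable"
}
```

The two read-only columns are deliberately separate: "Read-only" is the attribute the SAN policy and attributes disk set readonly persist, while "Current Read-only State" is what the stack enforces at the moment, and a disk that shows Online with both answered No is exactly the situation worth investigating before any tool is pointed at it.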

#5 Wonko the Sane

Posted 15 September 2013 - 09:58 AM

NO. :frusty:

The mentioned thread provides the way to have ALSO a Winbuilder made WinFE have Dynamic Disks "right":

Provided by cramsden

http://reboot.pro/to...oblem/?p=156482

Tested successfully by tbd879:

http://reboot.pro/to...oblem/?p=156542

The solution evidently involves volmgrx "disabling", and is reported as working, what :w00t: is the problem? :dubbio:

This http://www.ramsdens.org.uk/ :

During testing, it became apparent that for reasons unknown, WinFE could not handle dynamic disks, and the result would be that if dynamic disks were encountered, no disks were automatically write protected, which is not good news for forensic computing!

is most probably stricken for a reason ;).

 

:cheers:

Wonko



#6 misty

Posted 15 September 2013 - 11:32 AM

@Wonko

There is no problem - other than not wanting to make any unnecessary registry changes however small they might be. A philosophy you were a strong advocate of in a little project I got involved in last year :victory:

Whilst Colin's comment was probably stricken through for a reason he still appears to be working towards a more minimalist WinFE approach and I was merely wondering how to get this working in a base WinPE (i.e. from WAIK).

 

Regards,

 

Misty



#7 Wonko the Sane

Posted 15 September 2013 - 12:22 PM

THE SAME WAY :frusty:, disabling "volmgrx" (if enabled).

To be fair, Dynamic Disks are not like an "everyday" item, I can count the number of machines that had them and that I have dealt with in the last 13 years (Dynamic Disks were introduced with Windows 2000) without needing to take my shoes off.

 

:cheers:

Wonko



#8 misty

Posted 15 September 2013 - 01:28 PM

@Wonko

Thank you for clarifying that disabling volmgrx works in both environments - something I was aware of after following your earlier links. I just wanted to know whether a registry change is required before messing around with the registry - if it's not required then why add it? The http://reboot.pro/to...c-disk-problem/ thread gives two conflicting accounts about whether it is needed in a basic WAIK build. My build is more similar to the WAIK than the majority of Winbuilder WinPE projects I have so far experimented with. What (if anything) was added to the Winbuilder builds to require the fix? Or is it an issue in WAIK builds anyway, as tbd879 suggests (http://reboot.pro/to...oblem/?p=156542)?

Personally I have never encountered a Dynamic disk - hence my questions about whether this registry change is actually required in a more minimal WinPE.



#9 Wonko the Sane

Posted 15 September 2013 - 08:50 PM

Yep, what happened (timeline) was that initially a WAIK WinPE build (so called WinFE Lite) seemingly was compatible with Dynamic Disks while the Winbuilder WinFE was not.

That was possibly/probably an accident (as the behaviour was NOT confirmed, as a matter of fact denied by tbd879).

We have only the "positive" report by cramsden about the WAIK build working "as is" and the "negative" one by tbd879, but at the end of the day it seems like the disabling of volmgrx is needed in both (and it is perfectly possible that - without knowing the exact source used by the two testers - the build environment or the actual machines on which the WAIK WinFE was built could lead to different results); as an example, if cramsden built the WAIK tool on a machine with NO Dynamic Disks connected and tbd879 built it on one where Dynamic Disks were, for all we know it is possible that one build resulted with that thingy disabled and the other one with it still enabled. :unsure:

So the WinFE Lite was originally a "bridge" solution, temporary until the volmgrx fix was found and implemented in the Winbuilder WinFE project, BUT it resulted in a more "essential" tool that, though less featured than the Winbuilder based WinFE, came out as useful for a subset of the activities one may want to carry out in forensic use, i.e. it had its own merits and dignity.

As said, Dynamic Disks are not-so-common (and I would say they are nowhere to be found on desktops, while they are more common in servers) but since it costs nothing (and seemingly has no "side effects") making sure that the thingy is disabled represents "good practice".

 

:cheers:

Wonko



#10 misty

Posted 16 September 2013 - 07:12 AM

Hi Wonko,

...but since it costs nothing (and seemingly has no "side effects") making sure that the thingy is disabled represents "good practice".

Thanks. :good:

...(and it is perfectly possible that - without knowing the exact source used by the two testers - the build environment or the actual machines on which the WAIK WinFE was built could lead to different results); as an example, if cramsden built the WAIK tool on a machine with NO Dynamic Disks connected and tbd879 built it on one where Dynamic Disks were, for all we know it is possible that one build resulted with that thingy disabled and the other one with it still enabled.

This is theoretically possible (the build environment affecting the build), but very unlikely. All the WAIK does is basically copy the same .wim file and the required boot files (bootmgr, boot.sdi, etc.) depending on the architecture selected (e.g. one .wim file if the user wants to build an x86 based WinPE, a different .wim for x64) - irrespective of the build environment. This .wim is only modified by the user - usually at a later stage - not by running copype.cmd.

A WinBuilder project building from the WAIK will essentially duplicate this behaviour. Any changes/modifications are then down to the individual project scripts.

The only difference between a WAIK built WinPE and a Winbuilder one is the modifications made by the user. In a basic WAIK build this could be the addition of packages and the injection of drivers. I don't have a setup with dynamic disks and can't test any of this so I'm guessing.

In order to accurately test whether a basic WinFE is compatible with Dynamic Disks without the volmgrx fix we would need to test a WinFE with and without packages - perhaps trying all possible combinations of packages. A tedious and laborious job and one that I sadly can't do due to not having a suitable test environment (and don't mention using a VM - I'm not actually volunteering!) :buehehe:

Regards,

Misty
