
Bitlocker access from PE?


19 replies to this topic

#1 DeathsPal

Posted 30 July 2008 - 12:23 PM

I am wondering if anyone has made a tool for mounting a bitlocker'ed partition from PE. I know that the Lenovo Rescue and Recovery partition found on newer Lenovo machines (x, t61-M75 etc...) (this partition is a PE 2.0 based tool) automatically detects the presence of a bitlocker partition and prompts for the recovery media or key. Could this be modified or adapted to VistaPE, or could we learn from it to build our own? The reason I ask is that I have a machine with a damaged SYSTEM hive file and the partition is bitlocker'ed. Usually it's easy to replace the file from the last backup, but not when the drive is encrypted, even though I have the key.....

Also I tried to search on this and just kept getting errors from the search function in this forum.

#2 Nuno Brito

Posted 30 July 2008 - 01:39 PM

Hi DeathsPal, welcome to our community! :cheers:

There is a bug on the search box.

You enter the keywords to search and need to manually select "All forums" otherwise it defaults to "None"

---

This sounds like an interesting feature; I would really be thankful if you could debug how Lenovo makes this work.

:cheers:

#3 DeathsPal

Posted 30 July 2008 - 09:01 PM

Well, I guess I'll be breaking down the .wim files for both their PE and the Vista install media, as they both have support built in for Bitlocker..... Hopefully I can find a way to package what they are doing into an include script.... :cheers:

#4 booty#1

Posted 03 August 2008 - 11:59 AM

Hi DeathsPal,

As the Vista installation DVD has the function to mount Bitlocker-enabled volumes, it should be possible to add that feature to VistaPE too. I don't know if the files and settings are already included - I assume that they aren't.

booty#1

#5 rehtorix

Posted 04 August 2008 - 07:50 AM

It MIGHT be that, because VistaPE is built in a way that only adds some stuff and not all files from the DVD (or WAIK), some functionality is not working right (for example USB drives are not always recognized unless you manually copy the full set of PE 2.0 files from the install DVD..).. I did a post about this a couple of months ago.. Unfortunately I don't have a bitlocker partition to try out.. but it should be quite easy to try, I'll see if it works in my own PE version.

#6 DeathsPal

Posted 13 October 2008 - 06:04 PM

I think from what I have been reading lately that what we have in VistaPE is most of what we need to get Bitlocker working... It looks like the only missing part may be drivers for the TPM in the machine you are working on.

http://technet.microsoft.com/en-us/library/cc749341.aspx

Now that the summer projects I have been working on are mostly done, I intend to get this working and will of course share what I learn here.... :confused1:

#7 pecd.net

Posted 13 October 2008 - 06:07 PM

looking forward to it...thanks!

#8 booty#1

Posted 14 October 2008 - 11:45 AM

I think from what I have been reading lately that what we have in VistaPE is most of what we need to get Bitlocker working... It looks like the only missing part may be drivers for the TPM in the machine you are working on.

Sorry, but I disagree. The TPM is only usable if you boot up your system using exactly the same Vista installation which was used for setting up Bitlocker. Otherwise the TPM will detect a different boot sequence and the stored keys are inaccessible (that is how a TPM is designed to work).

The only chance to access Bitlocker from VistaPE is using a recovery key stored on a USB stick or by entering the (a bit lengthy) recovery password.

Therefore don't waste your time on the TPM drivers. They are useless in a PE environment.

booty#1

#9 pecd.net

Posted 14 October 2008 - 11:54 AM

This is good news, so we should get it working without TPM anyway :-)

#10 ludovici

Posted 07 November 2008 - 11:40 AM

Have you made progress on Bitlocker access from PE?

#11 DeathsPal

Posted 10 November 2008 - 10:11 PM

OK, here is what I have gathered so far.... although I'm not sure how to turn this into a PE script.

Files involved:

%Windir%/fveapi.dll
%Windir%/fveRecover.dll
%Windir%/Inf/tpm.inf
%Windir%/Inf/tpm.PNF
%Windir%/System32/fveapi.dll
%Windir%/System32/fveapi.dll.mui
%Windir%/System32/fveRecover.dll
%Windir%/System32/fverecover.dll.mui
%Windir%/System32/fvevol.sys


Bit_Locker_API.reg
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Publishers\{5d674230-ca9f-11da-a94d-0800200c9a66}]
@="Microsoft-Windows-BitLocker-API"
"ResourceFileName"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,\
  00,6f,00,74,00,25,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,\
  5c,00,66,00,76,00,65,00,61,00,70,00,69,00,2e,00,64,00,6c,00,6c,00,00,00
"MessageFileName"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,\
  6f,00,74,00,25,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,\
  00,66,00,76,00,65,00,61,00,70,00,69,00,2e,00,64,00,6c,00,6c,00,00,00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Publishers\{5d674230-ca9f-11da-a94d-0800200c9a66}\ChannelReferences]
"Count"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Publishers\{5d674230-ca9f-11da-a94d-0800200c9a66}\ChannelReferences\0]
@="System"
"Id"=dword:00000008
"Flags"=dword:00000001


BitLocker_Driver.reg
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Publishers\{651df93b-5053-4d1e-94c5-f6e6d25908d0}]
@="Microsoft-Windows-BitLocker-Driver"
"ResourceFileName"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,\
  00,6f,00,74,00,25,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,\
  5c,00,64,00,72,00,69,00,76,00,65,00,72,00,73,00,5c,00,66,00,76,00,65,00,76,\
  00,6f,00,6c,00,2e,00,73,00,79,00,73,00,00,00
"MessageFileName"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,\
  6f,00,74,00,25,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,\
  00,64,00,72,00,69,00,76,00,65,00,72,00,73,00,5c,00,66,00,76,00,65,00,76,00,\
  6f,00,6c,00,2e,00,73,00,79,00,73,00,00,00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Publishers\{651df93b-5053-4d1e-94c5-f6e6d25908d0}\ChannelReferences]
"Count"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Publishers\{651df93b-5053-4d1e-94c5-f6e6d25908d0}\ChannelReferences\0]
@="System"
"Id"=dword:00000008
"Flags"=dword:00000001


Filter.reg
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_FVEVOL]
"NextInstance"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_FVEVOL\0000]
"Service"="fvevol"
"Legacy"=dword:00000001
"ConfigFlags"=dword:00000000
"Class"="LegacyDriver"
"ClassGUID"="{8ECC055D-047F-11D1-A537-0000F8753ED1}"
"DeviceDesc"="BitLocker Drive Encryption Filter Driver"
"Capabilities"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_FVEVOL\0000\Control]
"*NewlyCreated*"=dword:00000000
"ActiveService"="fvevol"


service.reg
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\fvevol]
"DisplayName"="BitLocker Drive Encryption Filter Driver"
"Group"="PnP Filter"
"ImagePath"=hex(2):53,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,44,00,\
  52,00,49,00,56,00,45,00,52,00,53,00,5c,00,66,00,76,00,65,00,76,00,6f,00,6c,\
  00,2e,00,73,00,79,00,73,00,00,00
"Description"="Bitlocker Drive Encryption Filter Driver"
"ErrorControl"=dword:00000003
"Start"=dword:00000000
"Tag"=dword:00000005
"Type"=dword:00000001

; The STORAGE\Volume instance paths below (disk signatures, offsets, lengths)
; are specific to the machine this key was exported from
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\fvevol\Enum]
"0"="Root\\LEGACY_FVEVOL\\0000"
"Count"=dword:00000005
"NextInstance"=dword:00000005
"1"="STORAGE\\Volume\\1&19f7e59c&0&Signature7BEA0821Offset100000Length1AD900000"
"2"="STORAGE\\Volume\\1&19f7e59c&0&Signature7BEA0821Offset1ADA00000Length2337BFF000"
"3"="STORAGE\\Volume\\1&19f7e59c&0&Signature7BEA0821Offset24E5600000Length5DC00000"
"4"="STORAGE\\Volume\\1&19f7e59c&0&Signature5B6AC646Offset7E00Length1BF26F0400"


Then Lenovo uses 2 custom files in their app, but I don't know if they are needed for what we are doing:

tvt_bitlocker_status.exe

and

tvt_bitlocker.vbs

'* WinPE BitLocker unlocker
'* Copyright Lenovo 2006

'* Parse command-line arguments
'* Expected parameters are:
'*   recovery drive (i.e. F:)
'*   or
'*   recovery password (i.e. 456797-056694-508112-287199-593120-658229-632797-168916)
'*
If WScript.Arguments.Count <> 1 Then
  'WScript.Echo "Usage: *.vbs [<recovery drive> | <recovery password>]"
  WScript.Quit 1
End If

'* Setup log file (X: is the WinPE RAM disk)
logDir = "x:\windows\system32"
logFile = "\tvt_bitlocker.log"
Set objFSO = CreateObject("Scripting.FileSystemObject")
If objFSO.FileExists(logDir & logFile) Then
  objFSO.DeleteFile(logDir & logFile)
End If
Set objFile = objFSO.CreateTextFile(logDir & logFile)
objFile.Close
Log("Running tvt_bitlocker...")

'* The mode is decided purely by the argument's shape: a ":" means a drive
'* letter holding the external key (.bek) file, a "-" means the dashed
'* 48-digit recovery password
keyParam = WScript.Arguments.Item(0)
'WScript.Echo "KeyParam=", keyParam
mode = 0
If InStr(keyParam, ":") <> 0 Then
  Log("Mode = recovery drive")
  mode = 1
ElseIf InStr(keyParam, "-") <> 0 Then
  Log("Mode = recovery password")
  mode = 2
Else
  WScript.Quit 1
End If

'* Connect to WMI (the BitLocker provider lives in its own namespace)
'*
Log("Connecting to WMI")
Set objLocator = CreateObject("WbemScripting.SWbemLocator")
Set objService = objLocator.ConnectServer(".", "root\cimv2\Security\MicrosoftVolumeEncryption")
objService.Security_.ImpersonationLevel = 3
Set LockedDevices = objService.ExecQuery("SELECT * FROM Win32_EncryptableVolume")

'* Iterate through Win32_EncryptableVolume instances
'*
For Each LockedDevice In LockedDevices
  returnCode = 100
  status = 100
  'WScript.Echo " Device ID: ", LockedDevice.DeviceID, VBNewLine, "Volume ID: ", LockedDevice.PersistentVolumeID
  Log("Device ID: " + LockedDevice.DeviceID + ", Volume ID: " + LockedDevice.PersistentVolumeID)

  '* Check current lock status, return if no unlock is necessary
  '* (note: the script exits on the first volume that is already unlocked,
  '* so it is written for the single-encrypted-volume case)
  returnCode = LockedDevice.GetLockStatus(status)
  If status = 0 Then
    'WScript.Echo "Lock status: UNLOCKED"
    Log("Lock status: UNLOCKED")
    WScript.Quit 0
  'ElseIf status = 1 Then
    'WScript.Echo "Lock status: LOCKED"
  End If

  If mode = 1 Then
    '* Process external key file mode
    isKeyProtectorAvailable = False
    keyProtectorType = 2    '2 is External key

    returnCode = LockedDevice.IsKeyProtectorAvailable(keyProtectorType, isKeyProtectorAvailable)
    If returnCode <> 0 Or isKeyProtectorAvailable = False Then
      Log("ERROR: Could not access keyProtector")
      WScript.Quit 1
    End If

    returnCode = LockedDevice.GetKeyProtectors(keyProtectorType, volumeKeyProtectors)
    If returnCode <> 0 Then
      Log("ERROR: Could not get keyProtector")
      WScript.Quit 1
    End If

    '* Iterate through key protectors
    For Each volumeKeyProtector In volumeKeyProtectors
      'WScript.Echo " Key Type : ", keyProtectorType, VBNewLine, "Key Protector: ", volumeKeyProtector
      Log("Got keyProtector, now get externalKey")

      returnCode = LockedDevice.GetExternalKeyFileName(volumeKeyProtector, fileName)
      If returnCode <> 0 Then
        Log("ERROR: Could not get externalKeyFileName")
        WScript.Quit 1
      End If

      'WScript.Echo "Key Protector: ", volumeKeyProtector, VBNewLine, "File Name: ", fileName
      Log("Key Protector: " + volumeKeyProtector + ", File Name: " + fileName)
      '* VBScript has no escape sequences, so "\\" really is two backslashes;
      '* Win32 path normalisation collapses the doubled separator in "F:\\name.bek"
      fileName = keyParam + "\\" + fileName
      'WScript.Echo "Getting key from file: ", fileName
      Log("Getting key from file: " + fileName)

      returnCode = LockedDevice.GetExternalKeyFromFile(fileName, externalKey)
      If returnCode <> 0 Then
        Log("ERROR: Could not get key from externalKeyFile:" + fileName)
        WScript.Quit 1
      End If
      'WScript.Echo "Got key, now unlocking"
      Log("Got key, now unlocking")

      returnCode = LockedDevice.UnlockWithExternalKey(externalKey)
      If returnCode <> 0 Then
        'WScript.Echo "UnlockWithExternalKey failed!"
        Log("ERROR: UnlockWithExternalKey failed!")
        WScript.Quit 1
      End If
      'WScript.Echo "UnlockWithExternalKey succeeded!"
      Log("UnlockWithExternalKey succeeded!")

    Next

  ElseIf mode = 2 Then
    '* Process key password mode
    returnCode = LockedDevice.UnlockWithNumericalPassword(keyParam)
    If returnCode <> 0 Then
      'WScript.Echo "UnlockWithNumericalPassword Return Code: ", returnCode
      Log("ERROR: UnlockWithNumericalPassword failed!")
      WScript.Quit 1
    Else
      'WScript.Echo "UnlockWithNumericalPassword succeeded!"
      Log("UnlockWithNumericalPassword succeeded!")
    End If
  End If

  '* Verify unlock succeeded
  returnCode = LockedDevice.GetLockStatus(status)
  If status = 0 Then
    'WScript.Echo "Yup, it's unlocked alright."
    Log("Status is now unlocked.")
    WScript.Quit 0
  ElseIf status = 1 Then
    'WScript.Echo "Nope, it's still locked."
    Log("Nope, it's still locked.")
    WScript.Quit 1
  End If

Next

'* Append one line to the log file; logDir and logFile are script-level globals
Function Log(line)
  ForAppending = 8
  Set objFSO = CreateObject("Scripting.FileSystemObject")
  Set objFile = objFSO.OpenTextFile(logDir & logFile, ForAppending)
  objFile.WriteLine(line)
  objFile.Close
End Function

WScript.Quit 0



Dunno if anyone can help me put this into something useful, but that's what I know so far...
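The Lenovo script above picks its mode purely by looking for ":" or "-" in its one argument, so a mistyped recovery password only fails once it reaches UnlockWithNumericalPassword. As an added example (not from the thread or the Lenovo script), the Python below classifies the same argument and checks a recovery password's structure before anything is handed to the unlock API; the function names are mine, and the sample password is the one quoted in the script's own comments.

```python
"""Classify the single argument a BitLocker unlock script expects and
validate a 48-digit recovery password before attempting an unlock.

Added example, not part of the forum thread or the Lenovo script.
A recovery password is 8 blocks of 6 decimal digits; every block is a
multiple of 11 and below 720896, so block // 11 fits in 16 bits.
"""
import re
import struct

# Sample value taken from the script's own header comment (an example value
# Lenovo used for documentation, not a key for any real volume).
SAMPLE_PASSWORD = "456797-056694-508112-287199-593120-658229-632797-168916"

MAX_BLOCK = 65536 * 11  # 720896: block // 11 must fit in 16 bits


def split_blocks(password):
    """Return the 8 six-digit blocks, accepting dashed or bare 48-digit input.
    Returns [] when the string is not 48 digits."""
    digits = password.replace("-", "").replace(" ", "")
    if not re.fullmatch(r"\d{48}", digits):
        return []
    return [digits[i:i + 6] for i in range(0, 48, 6)]


def validate_recovery_password(password):
    """True if every block is a multiple of 11 and fits in 16 bits once divided.

    Because 10**k mod 11 is always +1 or -1, changing a single digit in a
    block moves it off a multiple of 11, so any single-digit typo is caught
    here instead of by a failed unlock call."""
    blocks = split_blocks(password)
    if len(blocks) != 8:
        return False
    for block in blocks:
        value = int(block)
        if value % 11 != 0 or value >= MAX_BLOCK:
            return False
    return True


def classify_argument(arg):
    """Return 'drive', 'password' or 'invalid' for the unlock script's argument.

    'drive' means a drive letter such as F: that holds the external key
    (.bek) file; 'password' means a structurally valid recovery password."""
    s = arg.strip()
    if re.fullmatch(r"[A-Za-z]:", s):
        return "drive"
    if validate_recovery_password(s):
        return "password"
    return "invalid"


def recovery_password_to_bytes(password):
    """Decode the 8 blocks into the 16-byte value they encode: each block // 11
    as a little-endian uint16. This is the raw value the OS key-stretches before
    use; it is not itself a volume key and unlocking is still the OS API's job."""
    if not validate_recovery_password(password):
        raise ValueError("malformed recovery password")
    values = [int(b) // 11 for b in split_blocks(password)]
    return struct.pack("<8H", *values)


if __name__ == "__main__":
    for arg in ("F:", SAMPLE_PASSWORD, "not-a-key"):
        print(arg, "->", classify_argument(arg))
```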

#12 ludovici

Posted 12 November 2008 - 05:23 PM

Hello DeathsPal :cheers:
I have made this little script with your Bitlocker script parameters.

#13 DeathsPal

Posted 24 November 2008 - 02:31 PM

Hello DeathsPal :)
I have made this little script with your Bitlocker script parameters.

So have you been able to test this.... Thank you very much for this information! I'm very excited to see this progress.

#14 DeathsPal

Posted 24 November 2008 - 04:40 PM

I tried this and I get the following errors ... seems the files are not in the correct place in the source. I will look into it further yet today...


[Failed] FileCopy - Failed to copy [%BaseDir%\Temp\VistaPE-Core\InstallWimSrc\windows\System32\en-US\fveRecover.dll] to: [%BaseDir%\Target\VistaPE-Core\windows\System32\en-US\fveRecover.dll]

[Failed] FileCopy - Failed to copy [%BaseDir%\Temp\VistaPE-Core\InstallWimSrc\windows\fveRecover.dll] to: [%BaseDir%\Target\VistaPE-Core\windows\fveRecover.dll]

[Failed] FileCopy - Failed to copy [%BaseDir%\Temp\VistaPE-Core\InstallWimSrc\windows\fveRecover.dll] to: [%BaseDir%\Target\VistaPE-Core\windows\fveRecover.dll]

[Failed] FileCopy - Failed to copy [%BaseDir%\Temp\VistaPE-Core\InstallWimSrc\windows\System32\fvevol.sys] to: [%BaseDir%\Target\VistaPE-Core\windows\System32\fvevol.sys]

[Failed] IF - unrecognized clause: [existdir]. evaluated string: [If,Not,ExistDir,%Target_Prog%\%ProgramFolder%,DirMake,%Target_Prog%\%ProgramFolder%]

#15 JonF

Posted 25 November 2008 - 02:08 PM

Try this version ... no build errors, but I haven't been able to test it against a locked drive.

Attached File  Bitlocker.7z   1.6KB   528 downloads

#16 ludovici

Posted 25 November 2008 - 03:53 PM

Try this version ... no build errors, but I haven't been able to test it against a locked drive.

Attached File  Bitlocker.7z   1.6KB   528 downloads

Thanks for your participation JonF, I hadn't seen my error... :)
Add the Bitlocker Drive Encryption Crashdump Filter: %WinDir%\System32\drivers\dumpfve.sys
Add this line:
FileCopy,"%BootSRC%\windows\System32\Drivers\dumpfve.sys","%TargetDir%\windows\System32\Drivers\dumpfve.sys"

I have seen the suggestion of booty#1, but if you want:
If you use BitLocker Drive Encryption with a TPM chip:
Add the TPM device driver: %WinDir%\System32\DriverStore\FileRepository\tpm.inf_601dc269\tpm.sys
Add this line:
CopyDrv,tpm.inf_601dc269

P.S.: Maybe replace %BootSRC% with %InstallSRC%

#17 DeathsPal

Posted 25 November 2008 - 09:17 PM

OK, will build with this and give it a shot tomorrow.....



--DeathsPal

#18 DeathsPal

Posted 26 March 2009 - 12:36 PM

My tomorrow never came..... Has anyone had any progress on this issue.... I was looking at the Vista install DVD and realized that they are doing what we need in their recovery console, but for some reason the Vista recovery console in VistaPE does not prompt for a bitlocker key when a bitlocker-ed drive is present. Don't know if this would likely be the best place to start....

#19 DeathsPal

Posted 01 April 2009 - 08:17 PM

--Bitlocker.vbs--

'* Parse command-line arguments
'* Expected parameters are:
'*   recovery drive (i.e. F:)
'*   or
'*   recovery password (i.e. 456797-056694-508112-287199-593120-658229-632797-168916)
'*
If WScript.Arguments.Count <> 1 Then
  'WScript.Echo "Usage: *.vbs [<recovery drive> | <recovery password>]"
  WScript.Quit 1
End If

'* Setup log file (X: is the WinPE RAM disk)
logDir = "x:\windows\system32"
logFile = "\bitlocker.log"
Set objFSO = CreateObject("Scripting.FileSystemObject")
If objFSO.FileExists(logDir & logFile) Then
  objFSO.DeleteFile(logDir & logFile)
End If
Set objFile = objFSO.CreateTextFile(logDir & logFile)
objFile.Close
Log("Running bitlocker...")

'* The mode is decided purely by the argument's shape: a ":" means a drive
'* letter holding the external key (.bek) file, a "-" means the dashed
'* 48-digit recovery password
keyParam = WScript.Arguments.Item(0)
'WScript.Echo "KeyParam=", keyParam
mode = 0
If InStr(keyParam, ":") <> 0 Then
  Log("Mode = recovery drive")
  mode = 1
ElseIf InStr(keyParam, "-") <> 0 Then
  Log("Mode = recovery password")
  mode = 2
Else
  WScript.Quit 1
End If

'* Connect to WMI (the BitLocker provider lives in its own namespace)
'*
Log("Connecting to WMI")
Set objLocator = CreateObject("WbemScripting.SWbemLocator")
Set objService = objLocator.ConnectServer(".", "root\cimv2\Security\MicrosoftVolumeEncryption")
objService.Security_.ImpersonationLevel = 3
Set LockedDevices = objService.ExecQuery("SELECT * FROM Win32_EncryptableVolume")

'* Iterate through Win32_EncryptableVolume instances
'*
For Each LockedDevice In LockedDevices
  returnCode = 100
  status = 100
  'WScript.Echo " Device ID: ", LockedDevice.DeviceID, VBNewLine, "Volume ID: ", LockedDevice.PersistentVolumeID
  Log("Device ID: " + LockedDevice.DeviceID + ", Volume ID: " + LockedDevice.PersistentVolumeID)

  '* Check current lock status, return if no unlock is necessary
  '* (note: the script exits on the first volume that is already unlocked,
  '* so it is written for the single-encrypted-volume case)
  returnCode = LockedDevice.GetLockStatus(status)
  If status = 0 Then
    'WScript.Echo "Lock status: UNLOCKED"
    Log("Lock status: UNLOCKED")
    WScript.Quit 0
  'ElseIf status = 1 Then
    'WScript.Echo "Lock status: LOCKED"
  End If

  If mode = 1 Then
    '* Process external key file mode
    isKeyProtectorAvailable = False
    keyProtectorType = 2    '2 is External key

    returnCode = LockedDevice.IsKeyProtectorAvailable(keyProtectorType, isKeyProtectorAvailable)
    If returnCode <> 0 Or isKeyProtectorAvailable = False Then
      Log("ERROR: Could not access keyProtector")
      WScript.Quit 1
    End If

    returnCode = LockedDevice.GetKeyProtectors(keyProtectorType, volumeKeyProtectors)
    If returnCode <> 0 Then
      Log("ERROR: Could not get keyProtector")
      WScript.Quit 1
    End If

    '* Iterate through key protectors
    For Each volumeKeyProtector In volumeKeyProtectors
      'WScript.Echo " Key Type : ", keyProtectorType, VBNewLine, "Key Protector: ", volumeKeyProtector
      Log("Got keyProtector, now get externalKey")

      returnCode = LockedDevice.GetExternalKeyFileName(volumeKeyProtector, fileName)
      If returnCode <> 0 Then
        Log("ERROR: Could not get externalKeyFileName")
        WScript.Quit 1
      End If

      'WScript.Echo "Key Protector: ", volumeKeyProtector, VBNewLine, "File Name: ", fileName
      Log("Key Protector: " + volumeKeyProtector + ", File Name: " + fileName)
      '* VBScript has no escape sequences, so "\\" really is two backslashes;
      '* Win32 path normalisation collapses the doubled separator in "F:\\name.bek"
      fileName = keyParam + "\\" + fileName
      'WScript.Echo "Getting key from file: ", fileName
      Log("Getting key from file: " + fileName)

      returnCode = LockedDevice.GetExternalKeyFromFile(fileName, externalKey)
      If returnCode <> 0 Then
        Log("ERROR: Could not get key from externalKeyFile:" + fileName)
        WScript.Quit 1
      End If
      'WScript.Echo "Got key, now unlocking"
      Log("Got key, now unlocking")

      returnCode = LockedDevice.UnlockWithExternalKey(externalKey)
      If returnCode <> 0 Then
        'WScript.Echo "UnlockWithExternalKey failed!"
        Log("ERROR: UnlockWithExternalKey failed!")
        WScript.Quit 1
      End If
      'WScript.Echo "UnlockWithExternalKey succeeded!"
      Log("UnlockWithExternalKey succeeded!")

    Next

  ElseIf mode = 2 Then
    '* Process key password mode
    returnCode = LockedDevice.UnlockWithNumericalPassword(keyParam)
    If returnCode <> 0 Then
      'WScript.Echo "UnlockWithNumericalPassword Return Code: ", returnCode
      Log("ERROR: UnlockWithNumericalPassword failed!")
      WScript.Quit 1
    Else
      'WScript.Echo "UnlockWithNumericalPassword succeeded!"
      Log("UnlockWithNumericalPassword succeeded!")
    End If
  End If

  '* Verify unlock succeeded
  returnCode = LockedDevice.GetLockStatus(status)
  If status = 0 Then
    'WScript.Echo "Yup, it's unlocked alright."
    Log("Status is now unlocked.")
    WScript.Quit 0
  ElseIf status = 1 Then
    'WScript.Echo "Nope, it's still locked."
    Log("Nope, it's still locked.")
    WScript.Quit 1
  End If

Next

'* Append one line to the log file; logDir and logFile are script-level globals
'* (the post was cut off after "ForAppending = 8"; the rest of this function is
'* the same as in the tvt_bitlocker.vbs listing earlier in the thread)
Function Log(line)
  ForAppending = 8
  Set objFSO = CreateObject("Scripting.FileSystemObject")
  Set objFile = objFSO.OpenTextFile(logDir & logFile, ForAppending)
  objFile.WriteLine(line)
  objFile.Close
End Function

WScript.Quit 0



So this should be it, except I don't think I have the correct WMI bits in my build of PE, as I still cannot get it to work. Anyone wanna take a stab at creating a script to install into VistaPE the parts needed to make this vbs function???

For reference, the MSDN info :good:

http://msdn.microsof...09(VS.85).aspx

#20 techvslife

Posted 13 April 2010 - 05:11 PM

NOTE: In Win7 PEs (PE3), vbs scripting is no longer necessary to access and unlock bitlocker drives.
The file system32\manage-bde.exe handles it (and can handle bitlocker drives encrypted by Vista, of course).

However, I haven't gotten it to work yet in the win7 pe's here--perhaps they don't have all the right files. Any help is appreciated.

If you have ideas, please post reply to this:
http://www.boot-land...?...ost&p=97868

Thank you.



