Old 02-29-2020, 21:49
chants
Due to licensing requirements, laptop manufacturers are quite strict about recovery media.

The partition on my HP laptops is hidden, labeled "RECOVERY", and at the end of the disk. The recovery media creator, if lost, can be recovered from install.wim on that partition by mounting the WIM with DISM: get the details with get-wiminfo, then mount the index (usually 2, but it could be another index) and find the installer in the swsetup folder.

The laptop boots the recovery partition with the F11 key at start up, by loading the WIM file on that partition in a special way, but it loads it through the EFI partition which normally loads the main OS, so that must at least be present. It somehow does a chain load, which is normally not possible, with some special modifications. It specifically has a way of loading "recovery\WindowsRE\WinUCRD.wim" despite the "boot\BCD" on the recovery partition specifying "recovery\WindowsRE\winre.wim", so obviously something special happens to make that work. If you modify your partitions too much it may be hard to get it to work. It's hard to know all the trade secret details involved. What it seems is that a special driver provides a file system link to the right WIM, faking the non-existent winre.wim. It also seems it's very finicky: if you modify the BCD to winre.wim, which probably used to work on older laptops about 10 years back, it will now detect it and refuse to proceed. Or it will just load a normal recovery environment if you try to add it to the BCD on the main OS.

There is a recovery media creator as mentioned, and this only allows one-time use. However, someone monitored the files created during it, and those can be removed to create it again; they also have a script one can find, "hp_recovery_discs_control.exe", to automate the removal. I don't know if it works in the latest versions or not.

Worse yet, HP botched the recovery on many systems, so anyone trying it will get a failure log with McafeeMLS showing failure to install after an hour and a half of things working, which is particularly annoying since nobody really wants Mcafee anyway, and the logs make it look like Mcafee crashes and reboots the system. The finicky recovery process will not proceed on any sort of unexpected error, deleting some key files and adding some error flag files, making it pretty much hopeless to recover. The simple thing to do is, on the first reboot menu of the factory install, load a USB with a WinRE on it and modify McafeeMLS install.cmd to jump to a label which writes out the successfully installed info to the log and just effectively skips and disables it. I am going to test this idea if all else fails, but if there are dependencies with other Mcafee installs later on, it could be an annoying situation when it's an hour and a half per try to get there.

On my Toshiba laptop, it's a different situation: you boot the recovery partition by holding down 0, which seems to use a special MBR in the 2nd sector on the disk (though I am not entirely sure - should winhex these sectors to verify) to DVD-style boot the recovery partition in a special way. It also seems to do the same trick with a WIM pointer. Any other main OS BCD modifications to add factory reset as a tool to the Windows boot up menu have simply loaded a normal Windows recovery environment and not the factory reset one.

If you create recovery media on a USB drive, and then make an ISO of it with the methods mentioned, the ISO will simply not work no matter what I have tried. It seems you cannot use the Microsoft default MBR and EFI loaders. You probably need to rip those off the USB drive first, but I am not entirely sure how to do that without getting out winhex and starting to look into the first sectors on the disk to at least determine how many sectors the boot code is, and whether it proceeds to the normal file system from there or to some more custom boot code. But it's annoying to have a large flash drive tied up and not be able to back up a simple reapplicable ISO that rufus can deploy at any time.

I have also tried the HP Cloud Recovery tool, which allows unlimited use, and it refused to detect my 32GB SanDisk Cruzer USB drive. It was quite easy to reverse it with IDA, find some checks regarding whether the USB is a fixed or removable drive using some flags, and simply NOP out the CALL instruction; however, the recovery media created just loads and reboots and does not work, unfortunately.

Has anyone ever figured out some of the trade secret details of these recovery partitions and recovery disks beyond what I mention? I have scoured the web for HP and Toshiba and found only a small bit of truly useful information. What's worse is most people give up and just install a Windows image without the factory fresh files when things don't work out. Sometimes even changing out a hard drive can cause things to fail, though not always. Sometimes BIOS updates erase DMI settings which need to be "retattooed" by the OEM at a servicing center, unless the OEM offers some special tools which can make it happen or a special key like Ctrl+A in the BIOS that allows the DMI strings to be hand specified.

Anyone with special info? I think reversing this stuff is quite interesting. Theoretically all the hardware checks could be disabled, all the single-use recovery media creators can be patched, too many partition changes or recreating a recovery partition manually should be possible, etc. There are probably only a handful of simple key details involved. And it seems most manufacturers are using the same techniques in general. Probably a very special MBR or EFI loader, some scripts in BOOT.WIM for the checks, and some file markers for single-use recovery creation. Of course MBR and UEFI are slightly different beasts, but it's probably just one crucial detail for each to get them to work.
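The WIM inspection the post describes (list the indexes with get-wiminfo, mount the right index read-only, find the creator under swsetup, and compare the BCD entry against the WIM files actually present), written out as an added PowerShell example that is not part of the post or of any OEM tool. It assumes the hidden RECOVERY volume has been assigned the letter R:, that install.wim sits at R:\sources\install.wim, and that an empty mount directory C:\WimMount exists; all three are placeholders to adjust.

```powershell
# Added example: inspect an OEM recovery partition without modifying it.
# Run from an elevated PowerShell on a Windows host with the DISM module.
# Placeholders (assumptions, not from the post): R: = RECOVERY volume,
# R:\sources\install.wim = WIM path, C:\WimMount = empty mount directory.
$Wim      = 'R:\sources\install.wim'
$MountDir = 'C:\WimMount'
$Index    = 2   # the post says this is usual but may differ; check the list below

# Step 1: enumerate image indexes (equivalent of "dism /Get-WimInfo").
Get-WindowsImage -ImagePath $Wim |
    Select-Object ImageIndex, ImageName, ImageSize |
    Format-Table -AutoSize

# Step 2: mount the chosen index read-only so nothing in the WIM is altered.
Mount-WindowsImage -ImagePath $Wim -Index $Index -Path $MountDir -ReadOnly | Out-Null
try {
    # Step 3: locate every swsetup folder and list the installers beneath it.
    Get-ChildItem -Path $MountDir -Directory -Recurse -Filter 'swsetup' -ErrorAction SilentlyContinue |
        ForEach-Object {
            Get-ChildItem -Path $_.FullName -Recurse -Filter '*.exe' -ErrorAction SilentlyContinue
        } |
        Select-Object FullName, Length, LastWriteTime |
        Format-Table -AutoSize
}
finally {
    # Step 4: always unmount; -Discard because the mount was read-only anyway.
    Dismount-WindowsImage -Path $MountDir -Discard | Out-Null
}

# Step 5: show what the recovery partition's own BCD points at, and which
# WinRE images really exist, to see the winre.wim / WinUCRD.wim mismatch
# described in the post (read-only: /enum never writes to the store).
bcdedit /store 'R:\boot\BCD' /enum all
foreach ($Img in 'R:\recovery\WindowsRE\winre.wim', 'R:\recovery\WindowsRE\WinUCRD.wim') {
    '{0,-45} present: {1}' -f $Img, (Test-Path -LiteralPath $Img)
}
```

Run the whole script before touching anything on the partition; the read-only mount and `/enum` leave the WIM, the BCD store and the file markers exactly as the OEM left them, which matters because the post notes the recovery process aborts on unexpected changes.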