Exetools  

  #1  
Old 02-26-2020, 03:40
chants
VIP
 
Join Date: Jul 2016
Posts: 725
Rept. Given: 35
Rept. Rcvd 48 Times in 30 Posts
Thanks Given: 666
Thanks Rcvd at 1,050 Times in 475 Posts
chants Reputation: 48
Creating boot WinPE ISO from USB drive with min. disk space+factory reset prtn. info

I have found it interesting that lots of utilities which will create bootable ISOs from a USB literally mirror the whole drive even if a small amount is actually used. Creating ISOs that are not bootable will efficiently just mirror the file system. The trouble is that ISO was designed for DVD booting.

Emulating USB drives to directly capture an ISO is also not really easily possible. There are some utilities, but even those have to treat the space as an unknown blob. The utilities often are not even detected by some software utilities as being valid USB drives due to some quirks with how the driver class is defined in the registry. So with all the various utilities that create USB drives it is hard to fake. There are even utilities to do this by emulating DVD writable drives and they work pretty good. Though after you create the image, if it does not use the full drive, you will want to mount that image and create another image.

Here are some interesting use cases:
Windows 7 SP1/10 latest Recovery Drive
Factory Reset partition drive
Some tools like MSDART will create an ISO for you and not require extra effort. There is also a process to take a bootable WIM file and make an ISO manually though there are some steps and work involved mostly to get the MBR and UEFI boot files into place.

So what is involved?

Well, despite the fact that I cannot find any utility that properly does this, there are some things to know:
1) there are utilities that can extract a boot sector from a USB drive often as if it were just a floppy drive.
2) since most of the time, the boot routes are known be they from MBR or UEFI, we can simply use these standard routes to define how to do this.

The only requirement is the Windows Assessment and Deployment Kit's Oscdimg utility, which is freely available as a download from Microsoft.

Here is an example with a single command creating a dual MBR and UEFI bootable ISO (from a USB containing the Windows 10 1909 x64 recovery drive made in control panel):
Quote:
"D:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Deployment Tools\amd64\Oscdimg\Oscdimg.exe" -bootdata:2#p0,e,bC:\Windows\Boot\DVD\PCAT\etfsboot.com#pEF,e,bC:\Windows\Boot\DVD\EFI\en-US\efisys.bin -u2 -m -h -lRECOVERY F:\ D:\Win10Recovery1909x64.iso
And here is one for MBR only (similarly can make UEFI only):
Quote:
"D:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Deployment Tools\amd64\Oscdimg\Oscdimg.exe" -bC:\Windows\Boot\DVD\PCAT\etfsboot.com -u2 -m -h -lHDDRECOVERY H:\ D:\Output.iso
Where H: is the drive with the files on the USB drive or a mounted ISO. -l specifies the label which should ideally match that of the source drive or image.

MBR boot uses
Quote:
C:\Windows\Boot\DVD\PCAT\etfsboot.com
which uses the BCD in the \boot directory while UEFI boot uses
Quote:
C:\Windows\Boot\DVD\EFI\en-US\efisys.bin
and uses a BCD in EFI\Microsoft\Boot. The boot\boot.sdi is a virtual hard drive mount driver for the .WIM file.

If you have done a lot of changes with your drives in a laptop, and still have the factory recovery partition, and you would still like to make proper factory recovery disks or boot off of it, here are some things to note:
1) the label of the drive, GUID type on UEFI or ID on MBR, and the hidden settings are important for it to be seen.
2) utilities which create recovery disks will want this special partition likely on the same drive you boot off of so mirror it over if you have to and likely they will work.
3) often the first sector MBR of the factory default system is the normal MBR like we are used to. But the second sector has a special MBR which DVD boots the factory recovery partition. I have not been able to fix this on a laptop I have with several tricks to ever get the factory reset button to work again. But if I set it to the active partition, it DVD boots that drive and works. The key here is the BCD must load off the factory reset partition. You cannot have your normal active drive BCD try to load it no matter how clever the BCD entries you add are - it will at best boot a Windows Recovery disk, not a factory reset environment.
4) with UEFI if you switched your main OS to an SSD, there is little hope you will convince the system to UEFI boot the recovery partition even from the UEFI menu. There are a lot of tricks though: you can create a recovery USB drive just by copying all of the files in this partition to a USB drive which you make MBR/UEFI bootable using the technique above.
5) if the recovery disk utility works, then simply make the USB drive and make the ISO from procedure described. This can be saved and put back on the USB drive for recovery at any time which is probably faster than recovery from HDD and has the benefit of more easily clearing the whole disk.
6) almost all changes that are needed can be done with the diskpart utility built into Windows for changing GUIDs or IDs or the hidden setting or even the active drive, and mounting drive letters. A visual tool like EASEUS Partition Manager can be nice as well and can do a lot of advanced repartition tricks when needed.

A final note: if you wish to chain load with a BCD, it can only really be done with a boot sector BCD entry, and this can allow the Windows boot loader to boot to Linux, but you will need to precisely set this to a .COM/.BIN file with the boot sector code. It seems likely it could be done with UEFI and not just MBR, but I have not tried it. You cannot chain load boot managers though from one UEFI drive to another. Once the BCD on a drive is loaded, you are stuck with it. Depending on your BIOS, you can still write the volumes you want to boot on another drive in, and can hope the BIOS will boot it. I have an old laptop which used the small SSD as a cache drive and when I made it primary for a larger SSD, it would refuse to UEFI boot off it, and by creating a UEFI partition on both drives with nearly identical BCDs, at last I could fool the laptop into secure booting, but there are special boot cases where it has trouble finding partitions.

Some interesting information for those who ever need it. I felt I would document it here since most of it is little found on the web or at least in one place.

Last edited by chants; 02-26-2020 at 03:49.
The Following 3 Users Say Thank You to chants For This Useful Post:
niculaita (02-26-2020), RiRye (02-28-2020), uranus64 (02-26-2020)
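Point 6 of the post above says the partition type GUID (UEFI/GPT) or type ID (MBR) and the hidden setting are what diskpart has to change for a recovery partition to be recognised. The following is an added example, not code from the thread or from chants, showing those diskpart commands driven from PowerShell. The disk and partition numbers are placeholders you must check with `list disk` / `list partition` first; the GPT type GUID and attribute value are the ones Microsoft documents for a Windows RE tools partition, and `27` is the MBR hidden recovery partition type. It needs an elevated prompt.

```powershell
# Added example (not from the thread): mark a partition as a hidden Windows
# recovery partition with diskpart. Numbers below are assumptions; verify them
# with "list disk" and "list partition" before running anything.
$DiskNumber = 0       # assumption: disk that holds the recovery partition
$PartNumber = 4       # assumption: the recovery partition itself
$Gpt        = $true   # $true for UEFI/GPT disks, $false for BIOS/MBR disks

if ($Gpt) {
    # GPT: Windows RE tools partition type, plus attributes
    # 0x8000000000000001 = platform required | no drive letter, which is
    # what keeps the partition hidden from Explorer.
    $script = @"
select disk $DiskNumber
select partition $PartNumber
set id=de94bba4-06d1-4d40-a16a-bfd50179d6ac
gpt attributes=0x8000000000000001
detail partition
"@
} else {
    # MBR: type 0x27 is the hidden recovery partition id. The "active" flag is
    # deliberately not touched here; set it only on the partition you really
    # want the BIOS to boot, as the post describes for the factory reset case.
    $script = @"
select disk $DiskNumber
select partition $PartNumber
set id=27
detail partition
"@
}

# diskpart /s runs a script file non-interactively.
$scriptFile = Join-Path $env:TEMP 'set-recovery-partition.txt'
Set-Content -Path $scriptFile -Value $script -Encoding ASCII
diskpart /s $scriptFile
```

To inspect the files on the partition afterwards, a temporary `assign letter=R` (and later `remove letter=R`) in the same script is the "mounting drive letters" step the post mentions; `detail partition` at the end prints the resulting type and attributes so you can confirm the change took.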
  #2  
Old 02-28-2020, 04:13
chants
Another interesting nuance is that if your ISO will have files > 4GB inside of it, then it will not be capable of being deployed to a USB drive later with FAT32 but will require NTFS which supports large files.

In the case of NTFS, a tool like rufus which is one of the best to put an ISO on a USB drive, will get errors if your ISO contains the:
Quote:
$RECYCLE.BIN
"System Volume Information"
files due to having already formatted for NTFS, which creates those files with security permissions set. Even running rufus as admin will not help. So the solution: do not put these 2 NTFS specific and controlled folders into your ISO. Without those, an ISO should be deployable to NTFS just fine. The other NTFS special files are not even visible to the file system at all so they do not matter - only a tool like winhex can see them. But these 2 in particular can cause problems. But specifically in practice, "System Volume Information" is the one which will cause problems; $RECYCLE.BIN is optional - the permissions are not strict there and in practice it writes out fine.

Quote:
Extracting: F:\$RECYCLE.BIN\S-1-5-21-2268161641-1247138040-2706703942-1001\desktop.ini (129 bytes)
Extracting: F:\$RECYCLE.BIN\S-1-5-21-3434372678-3681868793-1947244583-1001\desktop.ini (129 bytes)
Extracting: F:\$RECYCLE.BIN\S-1-5-21-824727643-1572714910-144252577-1002\desktop.ini (129 bytes)
Extracting: F:\$RECYCLE.BIN\S-1-5-21-824727643-1572714910-144252577-500\desktop.ini (129 bytes)
Extracting: F:\System Volume Information\Chkdsk\Chkdsk20170601211123.log (7 KB)
Unable to create file: [0x00000003] The system cannot find the path specified.
Unfortunately OSCDIMG does not allow exclusions. So the options are either to delete those 2 folders before image creation (which might require copying the whole file set if the source is read only), or to use a tool like PowerISO which can rewrite the ISO with those directories deleted. There is an option to ignore files that cannot be accessed without failing in OSCDIMG (-k) as well as not specifying the hidden files option (-h), but you will need the hidden files for booting and at least you will want to know if there are access issues beyond "System Volume Information" so you can take ownership and add permissions and get those files before making the final ISO. Those would both be valid workarounds, but only in the right context where you do not need a bootable image or any hidden files or there are no permission issues beyond "System Volume Information".

Lastly according to Microsoft, if the image will be greater than 4.5GB, you should create a boot order file that makes the boot files at the start of the drive so the loader can find them. This option is specified as
Quote:
-yoC:\temp\bootOrder.txt
while the file bootOrder.txt contains something along the lines of:
Quote:
boot\bcd
boot\boot.sdi
boot\bootfix.bin
boot\bootsect.exe
boot\etfsboot.com
boot\memtest.efi
boot\memtest.exe
boot\en-us\bootsect.exe.mui
boot\fonts\chs_boot.ttf
boot\fonts\cht_boot.ttf
boot\fonts\jpn_boot.ttf
boot\fonts\kor_boot.ttf
boot\fonts\wgl4_boot.ttf
sources\boot.wim

Last edited by chants; 02-28-2020 at 04:36.
The Following 2 Users Say Thank You to chants For This Useful Post:
niculaita (02-29-2020), RiRye (02-28-2020)
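Posts #1 and #2 together describe one procedure: stage the USB recovery drive's files, leave out `$RECYCLE.BIN` and `System Volume Information`, write a boot-order file for images over 4.5 GB, and run Oscdimg with the MBR and UEFI boot sector images. The script below is an added example that is not from the thread or from chants; it chains those steps with robocopy and the Oscdimg switches shown in the posts. The drive letters, staging directory, output path and ADK install path are assumptions to be adjusted; the boot-order list is trimmed to entries that actually exist in the staged copy so Oscdimg is never handed a missing file.

```powershell
# Added example (not from the thread): build a dual MBR+UEFI bootable ISO from a
# USB recovery drive while skipping the two NTFS-managed folders.
# All paths below are assumptions; change them for your machine.
param(
    [string]$Source  = 'F:\',                           # USB recovery drive
    [string]$Stage   = 'C:\ISO_Stage',                  # scratch copy of its files
    [string]$IsoPath = 'D:\Win10Recovery1909x64.iso',   # output image
    [string]$Label   = 'RECOVERY',                      # should match the source volume label
    [string]$Oscdimg = 'C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Deployment Tools\amd64\Oscdimg\Oscdimg.exe'
)

$ErrorActionPreference = 'Stop'

# 1. Stage a copy. /E keeps the tree (hidden files included, which booting needs);
#    /XD drops the two folders NTFS created with restrictive ACLs. Single quotes
#    stop PowerShell from expanding $RECYCLE as a variable.
robocopy $Source $Stage /E /R:1 /W:1 /XD 'System Volume Information' '$RECYCLE.BIN' | Out-Null
if ($LASTEXITCODE -ge 8) { throw "robocopy failed with exit code $LASTEXITCODE" }

# 2. Boot-order file: boot files first so the loader finds them near the start of
#    the image (Microsoft's advice for images over 4.5 GB, quoted in post #2).
#    Keep only the entries present in the staged copy.
$candidates = @(
    'boot\bcd', 'boot\boot.sdi', 'boot\bootfix.bin', 'boot\etfsboot.com',
    'efi\microsoft\boot\bcd', 'sources\boot.wim'
)
$present = @($candidates | Where-Object { Test-Path (Join-Path $Stage $_) })
if ($present.Count -eq 0) { throw "No boot files found under $Stage; is $Source a recovery drive?" }
$bootOrderFile = Join-Path $env:TEMP 'bootOrder.txt'
Set-Content -Path $bootOrderFile -Value $present -Encoding ASCII

# 3. Boot sector images that ship with Windows (the paths used in post #1).
$pcat = 'C:\Windows\Boot\DVD\PCAT\etfsboot.com'     # MBR/BIOS, uses \boot\BCD
$efi  = 'C:\Windows\Boot\DVD\EFI\en-US\efisys.bin'  # UEFI, uses \EFI\Microsoft\Boot\BCD

# 4. Run Oscdimg: -bootdata with both entries gives the dual-boot ISO, -u2 selects
#    UDF, -m lifts the size limit, -h includes hidden files, -l sets the label.
& $Oscdimg "-bootdata:2#p0,e,b$pcat#pEF,e,b$efi" -u2 -m -h "-l$Label" "-yo$bootOrderFile" $Stage $IsoPath
if ($LASTEXITCODE -ne 0) { throw "Oscdimg failed with exit code $LASTEXITCODE" }
Write-Host "Wrote $IsoPath"
```

For the MBR-only variant from post #1, replace the `-bootdata:` argument with `"-b$pcat"`; for UEFI-only, use `"-bootdata:1#pEF,e,b$efi"` instead. Because the staged copy never contains `System Volume Information`, the resulting ISO can be written back to an NTFS-formatted drive by rufus without the permission error quoted in post #2.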
  #3  
Old 02-29-2020, 21:49
chants
Due to licensing requirements, laptop manufacturers are quite strict about recovery media.

The partition on my HP laptops is hidden and labeled "RECOVERY" and at the end of a disk. The recovery media creator which if lost can be recovered from install.wim on that partition by mounting the WIM with DISM, and getting the details with get-wiminfo, then mounting index usually 2 but could be another index, and finding the installer in swsetup folder.

The laptop boots the recovery partition with the F11 key at start up, by loading the WIM file on that partition in a special way, but it loads it through the EFI partition which normally loads the main OS, so that must at least be present. It somehow does a chain load which is normally not possible, with some special modifications. It specifically has a way of loading "recovery\WindowsRE\WinUCRD.wim" despite the "boot\BCD" on the recovery partition specifying "recovery\WindowsRE\winre.wim", so obviously something special happens to make that work. If you modify your partitions too much it may be hard to get it to work. It's hard to know all the trade secret details involved. What it seems is a special driver provides a file system link to the right WIM and fakes the non existent winre.wim. It also seems it's very finicky and if you modify the BCD to winre.wim, which probably used to work on older laptops about 10 years back, now it will detect it and refuse to proceed. Or it will just load a normal recovery environment if you try to add it to the BCD on the main OS.

There is a recovery media creator as mentioned, and this only allows use one time. However someone monitored the files created during it and those can be removed to create it again, also they have a script one can find "hp_recovery_discs_control.exe" to automate the removal. I don't know if it works in the latest versions or not.

Worse yet, HP botched the recovery on many systems so anyone trying it will get a failure log with McafeeMLS showing failure to install after an hour and a half of things working, which is particularly annoying since nobody really wants Mcafee anyway, and the logs make it look like Mcafee crashes and reboots the system, and the finicky recovery process will not proceed on any sort of unexpected error, deleting some key files, adding some error flag files and making it pretty much hopeless to recover. The simple thing to do is, on the first reboot menu of the factory install, load a USB with a WinRE on it, and modify McafeeMLS install.cmd to jump to a label which writes out the successfully installed info to the log and just effectively skips and disables it. I am going to test this idea if all else fails, but if there are dependencies with other Mcafee later installs, it could be an annoying situation when it's an hour and a half per try to get there.

On my Toshiba laptop, it's a different situation: you boot the recovery partition by holding down 0, which seems to use a special MBR in the 2nd sector on the disk (though I am not entirely sure - should winhex these sectors to verify) to DVD-style boot the recovery partition in a special way. It also seems to do the same trick with a WIM pointer. Any other main OS BCD modifications to add factory reset as a tool to the Windows boot up menu have simply loaded a normal Windows recovery environment and not the factory reset one.

If you create recovery media on a USB drive, and then make an ISO of it with the methods mentioned, the ISO will simply not work no matter what I have tried. It seems you cannot use the Microsoft default MBR and EFI loaders. You probably need to rip those off the USB drive first, but I am not entirely sure how to do that without getting out winhex and starting to look into the first sectors on the disk to at least determine how many sectors the boot code is, and if it proceeds to the normal file system from there or some more custom boot code. But it's annoying to have a large flash drive tied up and not be able to back up a simple reapplyable ISO that rufus can deploy at any time.

The HP Cloud Recovery tool which allows unlimited use I have also tried and it refused to detect my 32GB SanDisk Cruzer USB drive. It was quite easy to reverse it with IDA, find some checks regarding whether the USB is on a fixed or removable drive using some flags, and simply NOP out the CALL instruction, however the recovery media created just loads and reboots and does not work unfortunately.

Has anyone ever figured out some of the trade secret details of these recovery partitions and recovery disks beyond what I mention? I have scoured the web for HP and Toshiba and found only a small bit of truly useful information. What's worse is most people give up and just install a Windows image without the factory fresh files when things don't work out. Sometimes even changing out a hard drive can cause things to fail, though not always. Sometimes BIOS updates erase DMI settings which need to be "retattooed" by the OEM at a servicing center unless the OEM offers some special tools which can make it happen or a special key like Ctrl+A in the BIOS that allows the DMI strings to be hand specified.

Anyone with special info? I think reversing this stuff is quite interesting. Theoretically all the hardware checks could be disabled, all the single use recovery media creators can be patched, too many partition changes or trying to recreate a recovery partition manually should be possible, etc. There are probably only a handful of simple key details involved. And it seems most manufacturers are using the same techniques in general. Probably a very special MBR or EFI loader, some scripts in BOOT.WIM for the checks, and some file markers for single-use recovery creation. Of course MBR and UEFI are slightly different beasts, but it's probably just one crucial detail for each to get them to work.
The Following User Says Thank You to chants For This Useful Post:
uel888 (03-01-2020)