Archive for 20. December 2011

Creating WinFE Boot Disc

Creating a forensic bootable environment, based on WinPE, from which tools can be run against a target system without the target's own operating system ever starting.

1. Download the Windows AIK iso.  It provides the files needed to build the winFE image.

2. Mount Windows AIK file KB3AIK_EN.iso.

a. Use an .iso mounter such as Virtual CloneDrive. After installing it, right-click on its tray icon.

b.  Mount the downloaded KB3AIK_EN.iso file.

3. Open the contents, locate StartCD.exe and execute.

4. Install Windows AIK Setup.

5. Accept the default installation path.

6. Open an Administrator command prompt.  Right-click Command Prompt and choose Run as administrator.

7. Change directory into the PETools area.

cd "c:\Program Files\Windows AIK\Tools\PETools"

8. Copy the necessary files to your winFE creation area (copype is a script shipped in PETools).

copype x86 c:\winFE

9. Mount the boot image for servicing.

Dism /Mount-Wim /WimFile:c:\winFE\winpe.wim /index:1 /MountDir:c:\winFE\mount

10. You should see the mount directory populated.

11. Modify the registry so that the booted disc will not automount the onboard drives; an automounted volume is one Windows can write to, which would alter the evidence.  Open regedit: Start –> regedit.exe –> <enter>.

12.  Highlight HKLM

13. Select File –> Load Hive …

14.  Locate c:\winFE\mount\Windows\System32\config\system –> Open

15.  Name it “winFE”

16. Under HKLM you should now see winFE

17. Locate the key HKLM\winFE\ControlSet001\Services\mountmgr –> right-click in the right panel and select New –> DWORD.

18. Name it NoAutoMount and set its value to 1 (mountmgr will then assign no drive letters on its own).

19.  Under HKLM\winFE\ControlSet001\Services\partmgr\Parameters set the DWORD SanPolicy to 3 (create it if it does not exist); partmgr then brings every disk other than the boot disk up offline.

20. Highlight winFE

21. Select File –> Unload Hive…  Confirm, then close regedit.

22. Modify the wallpaper if you like.  Name the BMP winpe.bmp and overwrite the existing one under c:\winFE\mount\Windows\System32

23. Add a directory named tools under c:\winFE\mount\

24. Drop tools such as RegRipper, Cygwin, FTK Imager Lite, NetCat, WinRAR Unplugged, IrfanView, etc. into this location.

25. Add WMI support (used by VBS scripts):

dism.exe /image:c:\winFE\mount /add-package /packagepath:"c:\Program Files\Windows AIK\Tools\PETools\x86\winpe_fps\winpe-wmi.cab"

26. Add HTA (hint: press the up arrow key to recall the previous command and change wmi to hta):

dism.exe /image:c:\winFE\mount /add-package /packagepath:"c:\Program Files\Windows AIK\Tools\PETools\x86\winpe_fps\winpe-hta.cab"

27. Add scripting:

dism.exe /image:c:\winFE\mount /add-package /packagepath:"c:\Program Files\Windows AIK\Tools\PETools\x86\winpe_fps\winpe-scripting.cab"

28. Add .vbs scripts (props: http://praetorianprefect.com/archives/2010/04/winpe-3-0-forensics/) under tools.

29. Add driver packs so that whatever system you come across boots and sees the onboard drives without issue. I extracted them to my c:\

dism.exe /image:c:\winFE\mount /add-driver /driver:c:\DP_MassStorage_wnt6-x86_1110 /recurse

30.  I ran the following driver packs.

a. DP_CardReaders_wnt6-x86_11041

b. DP_Chipset_wnt6-x86_11051

c.  DP_LAN_wnt6-x86_1109

d.  DP_MassStorage_wnt6-x86_1110

e. DP_WLAN_wnt6-x86_1104

31. Closing the image.  ***Make sure you close all windows that have anything under c:\winFE open (Explorer, regedit, editors)***  If you don't, the image will not close properly.

32. Make sure your command prompt is not inside the c:\winFE area when you issue the command.

cd c:\

dism /unmount-wim /mountdir:c:\winFE\mount /commit

33.  You should get a successful completion.

34.  Copy the committed image over the ISO's boot image:

copy c:\winfe\winpe.wim c:\winfe\iso\sources\boot.wim /Y

35. Remove bootfix.bin so that you are not prompted to press a key to boot from the disc.  If that prompt were missed, the machine would fall through to its own operating system, which would write to the evidence disk.

del /f /q c:\winFE\ISO\boot\bootfix.bin

36. Create the ISO

oscdimg -n -bc:\winFE\etfsboot.com c:\winFE\ISO c:\winFE\winFE.iso

37. You should now have your .iso file at c:\winFE\winFE.iso.
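The whole build (steps 7 through 36) can be run as a single batch file from the Administrator command prompt, which removes the regedit clicking and makes the image reproducible. The script below is an added example, not code from the original post. It assumes Windows AIK for Windows 7 installed at its default path, the driver packs already extracted to c:\ under the names listed above, and that c:\winFE can be recreated from scratch; the file name build_winfe.cmd is my own.

```batch
@echo off
setlocal
REM build_winfe.cmd: added example, not part of the original post.
REM Automates the build on the host. Assumes Windows AIK (Windows 7) at the
REM default path and the driver packs already extracted to C:\.
REM Run from an Administrator command prompt.

set "AIK=C:\Program Files\Windows AIK\Tools"
set "PETOOLS=%AIK%\PETools"
set "WORK=C:\winFE"
set "HIVE=HKLM\winFE"
REM oscdimg.exe lives in Tools\x86; copype.cmd in PETools.
set "PATH=%AIK%\x86;%PETOOLS%;%PATH%"

REM Steps 7-8: stage the x86 WinPE files (copype refuses an existing target).
cd /d "%PETOOLS%"
if exist "%WORK%" rmdir /s /q "%WORK%"
call copype.cmd x86 "%WORK%" || goto :fail

REM Step 9: mount winpe.wim for servicing.
dism /Mount-Wim /WimFile:"%WORK%\winpe.wim" /index:1 /MountDir:"%WORK%\mount" || goto :fail

REM Steps 11-21 without the regedit GUI: load the offline SYSTEM hive, stop
REM mountmgr from assigning drive letters, tell partmgr to bring every
REM non-boot disk up offline (SanPolicy 3), then unload the hive.
reg load %HIVE% "%WORK%\mount\Windows\System32\config\SYSTEM" || goto :fail
reg add %HIVE%\ControlSet001\Services\mountmgr /v NoAutoMount /t REG_DWORD /d 1 /f || goto :unload_fail
reg add %HIVE%\ControlSet001\Services\partmgr\Parameters /v SanPolicy /t REG_DWORD /d 3 /f || goto :unload_fail
reg unload %HIVE% || goto :fail

REM Step 23: tools directory for RegRipper, FTK Imager Lite, etc.
mkdir "%WORK%\mount\tools"

REM Steps 25-27: WMI, HTA and scripting packages.
for %%P in (winpe-wmi winpe-hta winpe-scripting) do (
    dism /image:"%WORK%\mount" /add-package /packagepath:"%PETOOLS%\x86\winpe_fps\%%P.cab" || goto :fail
)

REM Steps 29-30: driver packs (names as in the post; adjust to what you have).
for %%D in (DP_CardReaders_wnt6-x86_11041 DP_Chipset_wnt6-x86_11051 DP_LAN_wnt6-x86_1109 DP_MassStorage_wnt6-x86_1110 DP_WLAN_wnt6-x86_1104) do (
    if exist "C:\%%D" (
        dism /image:"%WORK%\mount" /add-driver /driver:"C:\%%D" /recurse || goto :fail
    )
)

REM Steps 31-32: leave the mount area before committing.
cd /d C:\
dism /unmount-wim /mountdir:"%WORK%\mount" /commit || goto :fail

REM Steps 34-36: install the image as boot.wim, drop bootfix.bin so the disc
REM boots without a keypress prompt, then build the ISO.
copy /Y "%WORK%\winpe.wim" "%WORK%\ISO\sources\boot.wim" || goto :fail
del /f /q "%WORK%\ISO\boot\bootfix.bin"
oscdimg -n -b"%WORK%\etfsboot.com" "%WORK%\ISO" "%WORK%\winFE.iso" || goto :fail

echo Built %WORK%\winFE.iso
exit /b 0

:unload_fail
reg unload %HIVE%
:fail
echo Build failed. Check the DISM log; if the image is still mounted, unmount it with /discard.
exit /b 1
```

Every command is chained with `|| goto :fail` so a failed DISM step stops the build instead of producing an image that is missing the mount policy; the `:unload_fail` path makes sure the offline hive is released, since a hive left loaded keeps the .wim from being unmounted (the same problem step 31 warns about).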

38. Don't forget to test it out, in VMware or on a live test system, before using it in production.
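The thing to test is that the registry change actually took effect: after booting the disc, every disk other than the boot medium should show as Offline and no volume should have a drive letter. The batch file below is an added example, not from the original post, meant to be dropped into the tools directory and run inside the booted WinFE; the file name check_mounts.cmd is mine.

```batch
@echo off
setlocal
REM check_mounts.cmd: added example, not part of the original post.
REM Run inside the booted WinFE. With SanPolicy=3 every disk except the boot
REM disk must be Offline; with NoAutoMount=1 no evidence volume gets a letter.
REM A disc boot shows no boot disk at all; a USB boot shows its own disk Online,
REM and that one is expected.
set "SCRIPT=%TEMP%\diskchk.txt"
set "OUT=%TEMP%\diskchk.out"

> "%SCRIPT%" echo list disk
>> "%SCRIPT%" echo list volume
diskpart /s "%SCRIPT%" > "%OUT%"

REM Show the full picture so it can be photographed or saved with the case notes.
type "%OUT%"
echo.

REM Any line like "  Disk 1    Online   ..." means a disk was brought online.
findstr /r /c:"Disk [0-9]* *Online" "%OUT%" > nul
if not errorlevel 1 (
    echo WARNING: at least one disk is Online. Unless it is the USB boot disk,
    echo the mount policy did not take; do not touch the evidence until fixed.
    exit /b 1
)
echo OK: no disks are Online.
exit /b 0
```

If the check fails, the usual causes are the hive having been edited under the wrong ControlSet, or the .wim having been unmounted with /discard (or not committed) so the values never reached boot.wim; rebuild from step 9 and check again.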

39. To add more tools, drivers, scripts, etc. later, start again at step 9 and follow the steps through creating the .iso.
