Tripredacus

[Project] Windows PE as a recovery partition

35 posts in this topic

NOTE: Because of the nature of this project, I may be unable to provide any source code or code examples. If any code examples are posted in response to any of my issues, I cannot post whether or not I used them in my program.

I have restarted my attempts to create a recovery partition using Windows PE. I have been successful (at last) getting the recovery partition to be bootable, and those details are here:

http://www.msfn.org/board/index.php?showtopic=130609

On my eval unit, the recovery partition contains the contents of the winpe_x86\ISO folder on my Technician PC. The technician PC, aka UNCLESOCKS, specs can be seen in the "my servers" link in my signature. My PE has all extra packages installed (as with my other PE versions) with a couple of additional items:

- Flash Projector EXE as the GUI

- AutoIT EXEs in the fscommand folder for full.exe, repair.exe, restart.exe and admin.exe.

- MBR.EXE (this also must exist in the main image)

- Recovery.wim (the image of the drive)

Full.exe will clean Partition 1 and redeploy recovery.wim.

Repair.exe leaves the disk alone and just redeploys the wim.

restart.exe will restart the computer using wpeutil reboot.

admin.exe is an authentication wrapper to grant access to the command prompt. I felt it best that this could be used by technicians to do any advanced PE commands, but also so that the end-user does not have this ability. So if you type in the correct password, you get the command prompt. If you type in the wrong password, it displays an error. The credentials are encrypted into the EXE itself and not stored on the system in any other way.

Current Tasks

1. Need to determine which mix of commands for DISKPART is needed to reimage the (C:) hard drive without damaging the recovery partition. When you boot into the recovery partition, it becomes the C drive (instead of the X drive common with Win PE). I could accomplish this if I can make it so the Win PE boots using a different drive letter, or by examining the partition information in my next round of testing.

2. Currently, the repair (and full) options will attempt to restart the computer after deploying the image. Unfortunately, this is called using AutoIT's RUNWAIT function, and for some reason the computer attempts to restart before the image is deployed. I will have to remove this option.

3. The Projector (while it is 1024x768) does not open maximized and you can still see the command prompt behind it. I need to make this take up the entire screen.

4. I need to disable ALT+TAB options, which I should be able to do via the Win PE registry or by using ActionScript within the Projector.

Full Recovery diskpart script has been completed. After booting into the recovery partition, the VOL and PART info is the same, but the drive letters are switched. Also, the PE does load up in a RAMDISK. Image redeployment takes about 5 minutes, but I am going to put up a progress timer for about 7 minutes.

diskpart
select disk 0
select vol 0
delete vol
create part pri size=62220
select part 1
active
assign letter=d
format fs=ntfs quick

Now with diskpart, we assign the letter D to the drive that will be C. On the reboot, the correct letters appear.

In addition to running the MBR reset, I also need to reapply the hidden value to the recovery partition or else it becomes visible in Windows.

My task now will be to create the GUI and figure out Projector settings. I am using Flash right now for testing, and to keep me in some sort of practice using it. Not sure if we will end up using it at all, or using a different app instead.

I made this thread thinking it would be more involved or harder than this. I am surprised really.

You could accomplish all your tasks in an HTA instead of Flash. I've configured our workstations with a bootable RAM disk PE image in the boot menu that runs an HTA via startnet.cmd. I use the cmdow.exe tool (freeware) to hide the PE command prompt and then use it to reveal it if a special key combo is pushed and password entered. If you want to leave it visible, here's a snippet that would prevent ALT+TAB unless a password has been entered at some point, and hides the system menu (prevents minimize):

<html>
<head>
<title>HTA Test</title>
<HTA:APPLICATION
ID="objTest"
APPLICATIONNAME="HTA Test"
SCROLL="yes"
SINGLEINSTANCE="yes"
WINDOWSTATE="Maximize"
CAPTION="no"
SYSMENU="no"
>
</head>

<script LANGUAGE="VBScript">

' Script-scope flags: the key handlers run once per key event, so state must live here
Dim boolPasswordEntered
Dim boolALTKey, boolTABKey
boolPasswordEntered = False
boolALTKey = False
boolTABKey = False

Document.OnKeyDown = GetRef("CheckKeys")
Document.OnKeyUp = GetRef("ClearKeys")

Function Window_OnLoad
' Do your stuff and something to make boolPasswordEntered = True
' ...
End Function

Function CheckKeys

Select Case Window.Event.KeyCode
Case 18 ' ALT
boolALTKey = True
Case 9 ' TAB
boolTABKey = True
End Select

' Swallow the key event while both keys are down and no password has been entered yet
If boolALTKey And boolTABKey And Not boolPasswordEntered Then
DoNothing
End If

End Function

Function ClearKeys

' Any key release clears both flags, so the combo only counts when held together
boolALTKey = False
boolTABKey = False

End Function

Function DoNothing

' Cancelling the event is what stops the keystroke from being processed further
Window.Event.returnValue = False

End Function

</SCRIPT>

<body>
...
</body>

</html>

You can then insert functions to perform your various tasks.

You could have your password prompt always visible, but I don't display mine unless a special key combo is pushed. I like to use tables in my <body> section with <span> and <div> so I can put together a string of code anywhere in the script and then assign it to the <span> or <div> dynamically. For instance, when my key combo is pushed, I call a function to assemble a string that has password_box and submit (button) input objects and then set SPAN_ID.InnerHTML = TheString. If the correct password is entered, I unhide the command prompt and close the HTA.

Just throwing this stuff out there since you'd need more VBScript and HTML code to add all the things you want to do, but it wouldn't be too difficult.

I now have a fully working recovery partition. I added the MBR commands into the actions of the PE, and fixed the reimaging issue. I made some typos, such as confusing the X and C drives, and the D and C drives. It works now but doesn't look that good.

For example, it doesn't use any sort of progress bar or anything yet. I had problems scripting it to reboot after recovery, because it would reboot first. So right now the Full recovery formats the drive and reloads the image.

Also, in order to be able to use the recovery partition again, you need to reboot the system manually. The MBR command to hide the recovery partition is in the reboot code. So if you hit the reset button while in the recovery partition, you wouldn't be able to get back into it. I could try putting this code in the startnet.cmd after it resets the MBR, but I am wondering if that will affect the drive before the next reboot.

Projector also has a command to allow fullscreen, but I haven't tried it yet:

fscommand("fullscreen", "true");

Wrex, I'll check out your idea only if my company decides not to go the route of Flash.

Well the decision was made not to use Flash, so I am experimenting with the HTA route. Here is my current setup order:

[diskpart]
sel disk 0
clean
create part pri size=62220
active
assign letter=c
format fs=ntfs quick
create part pri
sel part 2
assign letter=d
format fs=ntfs quick

imagex /apply z:\image.wim 1 c: (the OS partition)
imagex /apply z:\image.wim 3 d: (the recovery partition)

[diskpart]
sel disk 0
sel part 2
att vol set nodefault drive letter

mbr 0 /install selm 5 11 "Press F11 for Recovery" 0xC 0x1C
mbr 0 1 /h

The OS works fine, but again the F11 does not work. I am using the same process as my last attempt so I'm not sure what is so different...

I think the problem I am experiencing is that the Recovery partition is NTFS, and in my test, I used FAT32. 0xC 0x1C is for FAT32 and not for NTFS, which is the format for it now. By using Terabyte Unlimited's Partinfo tool, I was able to determine the following:

The OS partition ID is 0x7. The Recovery Partition is 0x17.

:whistle:

going to try this instead:

mbr.exe 0 /install selm 5 11 "Press F11 for Recovery" 0x7 0x17
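
As an added check (not code from the thread), the following Python reads a raw 512-byte MBR sector and verifies the two-partition layout produced by the diskpart/imagex/mbr sequence above: OS partition first, active, type 0x07; recovery partition second, not active, type 0x17 (the hidden bit 0x10 set on 0x07). The sample MBRs are constructed inline; reading the real sector from disk 0 (for example with dd in PE) is assumed to happen separately.

```python
import struct

# Partition type IDs from the thread: 0x07 = NTFS, 0x17 = NTFS with the hidden bit (0x10) set.
HIDDEN_BIT = 0x10
TYPE_NAMES = {0x07: "NTFS", 0x0B: "FAT32", 0x0C: "FAT32 LBA", 0x17: "Hidden NTFS", 0x1C: "Hidden FAT32 LBA"}

def parse_mbr(sector):
    """Return the non-empty primary entries of a 512-byte MBR as dicts."""
    if len(sector) != 512 or sector[510:] != b"\x55\xAA":
        raise ValueError("not a 512-byte MBR with a 0x55AA signature")
    entries = []
    for i in range(4):
        # entry layout: boot flag, CHS start (3 bytes), type id, CHS end (3 bytes), LBA start, sector count
        boot, type_id, start, count = struct.unpack_from("<B3xB3xII", sector, 446 + 16 * i)
        if type_id:
            entries.append({"slot": i + 1, "active": boot == 0x80, "type": type_id,
                            "name": TYPE_NAMES.get(type_id, "unknown"),
                            "hidden": bool(type_id & HIDDEN_BIT),
                            "start": start, "end": start + count})
    return entries

def check_recovery_layout(sector):
    """List problems with the thread's layout: OS first (active, visible NTFS), recovery second (hidden NTFS, inactive)."""
    parts = parse_mbr(sector)
    if len(parts) != 2:
        return ["expected exactly 2 primary partitions, found %d" % len(parts)]
    os_part, rec_part = parts
    problems = []
    if not os_part["active"]:
        problems.append("OS partition is not marked active")
    if os_part["type"] != 0x07:
        problems.append("OS partition type is 0x%02X, expected 0x07" % os_part["type"])
    if rec_part["active"]:
        problems.append("recovery partition must not be active")
    if rec_part["type"] != 0x17:
        problems.append("recovery partition type is 0x%02X, expected hidden NTFS 0x17 (mbr 0 1 /h not applied?)" % rec_part["type"])
    if rec_part["start"] < os_part["end"]:
        problems.append("partitions overlap")
    return problems

def build_mbr(entries):
    """Constructed test MBR (no boot code); entries are (active, type_id, lba_start, sector_count)."""
    table = b"".join(struct.pack("<B3xB3xII", 0x80 if a else 0, t, s, c) for a, t, s, c in entries)
    return b"\x00" * 446 + table.ljust(64, b"\x00") + b"\x55\xAA"

OS_SECTORS = 62220 * 2048  # the 62220 MB partition from the diskpart script, in 512-byte sectors
BEFORE_HIDE = build_mbr([(True, 0x07, 2048, OS_SECTORS), (False, 0x07, 2048 + OS_SECTORS, 4194304)])
AFTER_HIDE = build_mbr([(True, 0x07, 2048, OS_SECTORS), (False, 0x17, 2048 + OS_SECTORS, 4194304)])

if __name__ == "__main__":
    for label, mbr in (("before mbr 0 1 /h", BEFORE_HIDE), ("after mbr 0 1 /h", AFTER_HIDE)):
        print(label + ":", check_recovery_layout(mbr) or "OK")
```

Running it against the sector captured after a reset-button reboot (the case described earlier in the thread) shows directly whether the hide step was skipped.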

3. The Projector (while it is 1024x768) does not open maximized and you can still see the command prompt behind it. I need to make this take up the entire screen.

Would it be possible for you to modify the Winpeshl.ini in PE to:

- Launch wpeinit.exe

- Launch your GUI

Using the INI file will avoid the startnet.cmd being processed, so should stop any command prompt window from appearing...

From there I would just do the GUI entirely in AutoIt :whistle:

Yes, the partition will be after, which is how our current recovery partition is used.

I am using an HTA for the partition. I am going through its development testing now.

The HTA design is nearly complete. I have the following to now do:

1. Remove the button that allows the user to open the command prompt, and add a function that would launch the command prompt via a keyboard shortcut.

2. Test launching the HTA via winpeshl.ini. This will remove the need to disable ALT + TAB since there would be no command prompt behind the program.

Unfortunately, I cannot post the code for this HTA any longer because it has now been branded and is the IP of myself and my company.

I also got to learn some good Photoshop skills today. Man, paths were frustrating and confusing at first, but now I wonder how I had lived without them!

I'm trying to figure this out but it just isn't working for me. As I said previously, I no longer need to disable ALT+TAB after switching to winpeshl.ini loading functionality. However, now the request is that I remove the button I had to launch the command prompt. They want that button to not be visible but use a key combination that launches that program.

So my question is, how can I use that function to launch a program instead of doing nothing? I have researched this function online but I can find no specific examples. Most likely because people use these scripts for games and online websites, and putting in code that opens a program this way (on the internet) would likely be considered malware of some degree.

Here's some code for how to do it with CheckKeys and ClearKeys:

' Script-scope declarations (see the note below): the handler runs once per key event
Dim boolFirstKey, boolSecondKey, boolThirdKey
Dim objShell
Set objShell = CreateObject("WScript.Shell")

Function CheckKeys

Select Case Window.Event.KeyCode ' Standard ASCII keycodes
Case 65 ' A
boolFirstKey = True
Case 66 ' B
boolSecondKey = True
Case 67 ' C
boolThirdKey = True
End Select

If boolFirstKey And boolSecondKey And boolThirdKey Then
cmd = "%comspec% /c start ""Command Prompt"" %comspec%"
objShell.Run cmd, 0, False ' Hidden window for the start command itself; the prompt it launches is visible; don't wait on return
End If

End Function

The bool* variables would need to be declared with Dim at the beginning of the <script LANGUAGE="VBScript"> section so that they're global since the CheckKeys function will only set one of them to true and then exit when a key is pressed. This also assumes you want to push the keys A, B, and C at the same time, since ClearKeys would reset the variables when any key was released.

You can put whatever you want in that cmd string, like "%comspec% /c X:\WINDOWS\SYSTEM32\Notepad.exe" or something.

Hey WreX, I am using this method instead:

<html>
<head>
<script language="VBScript">
Sub RunAdmin
On Error Resume Next ' must precede the call it is meant to guard
Set objShell = CreateObject("WScript.Shell")
objShell.Run "fscommand\admin.exe"
Set objShell = Nothing
End Sub
</script>
</head>
<body>
<!-- display="none" is not a valid attribute; the button is kept rendered but off-screen so it can still receive the access key -->
<input id="runbutton" style="width:153px; position:absolute; left:-1000px" class="button" type="button" value="Admin Prompt" accessKey="k" name="admin_button" onClick="RunAdmin">
</body>
</html>

Using AccessKey. This allows ALT+K to be used to run the function.

Great project! I can definitely see a need for me to use this as well. :)

Cool. I would've used that if we didn't want to make our key combo so complex. I'll shove that little accessKey tidbit into my bag of tricks.
