
WINPE 4.0 boot modifies BCD hive on C drive


#1
jtalbot35

jtalbot35

    Newbie

  • Member
  • 10 posts
  • Joined 16-May 13
  • OS:Windows 7 x64
  • Country: Country Flag
When I use my WinPE 4.0 based USB drive to boot a machine, the existing C:\Boot\BCD file is modified. I have no idea why the bootmgr would be accessing that file since I'm booting into RAM. I know the C drive is marked as active. WinPE 3.0 did not do this. I noticed this when I booted a hibernated box using my WinPE 4.0 USB. After I shut down and tried to resume from hibernate, it showed the "..not shutdown properly..." display. Upon further investigation, the BCD entry in {bootmgr} for resume (resume yes) was gone. If I manually edit the BCD file (bcdedit /set {bootmgr} resume yes), the box came out of hibernate as expected. To ensure hibernate wasn't causing an issue, I booted a shutdown box. At the command line, I checked the modified date of the BCD on the C drive and it indicated it was changed during the boot on WinPE.

Why is the BCD being used and how can I stop it from happening? Thanks for any advice.
Josh



#2
Tripredacus

Tripredacus

    K-Mart-ian Legend

  • Super Moderator
  • 9,923 posts
  • Joined 28-April 06
  • OS:Server 2012
  • Country: Country Flag

Donator

I've never considered booting to PE a machine that was hibernating... But I wonder if you tested this using a CD as well? (Not that I expect it to be any different, but you never know). :unsure:
MSFN RULES | GimageX HTA for PE 3-5 | lol probloms

#3
jaclaz

jaclaz

    The Finder

  • Developer
  • 14,593 posts
  • Joined 23-July 04
  • OS:none specified
  • Country: Country Flag
May I ask some clarifications?

You have a normal install of (say) Windows 7 or 8 on a machine.
You hibernate that machine.
Then how can you boot to the PE (WinPE4 in your case)?
What do you do exactly to be able to boot to the (I presume added) USB thingy from a hibernated state?

jaclaz

Edited by jaclaz, 16 May 2013 - 09:17 AM.


#4
jtalbot35

Like you, I didn't plan on booting a hibernated box with PE and can't imagine why you would, but it did point to the fact that the BCD hive is being modified during the boot process even if not hibernated. I have tried using a PE CD with the same result. I have not tried not auto mounting the drives (via SanPolicy) but I would then have to go mount them to fix whatever issue the box is having. Just seemed like a pain. I'm sure I'm screwing something up but I can't figure out what it is. Again, WinPE 3.x did not work this way, so there may be some new setting I should be making in my build process; I just don't know what it is.

#5
jtalbot35

jaclaz,

Yes, I have normal Win 7 on a box. I hibernated the machine. Some boxes (like Dell) allow you to change the boot order (F12) and boot from USB even though the box is hibernated. Then PE will boot. With WinPE, after I shut down WinPE, I could boot normally and the old hibernated Win 7 box would resume. Of course, you can screw up everything if you change the disk while in hibernate state so be careful.

All
I think we should take hibernate out of the issue. If I boot a normally shutdown box with a WinPE 4.0 and then, once booted, navigate to the location of the normal BCD file (typically c:\Boot\BCD) and check the modified date of the file, it will have a time that is consistent with when the WinPE was booted. That is what I don't understand.

#6
Tripredacus


I think we should take hibernate out of the issue.


No, I think it is perfectly valid. Even if you had done it by accident or unknowingly, it is a clear way to see that the BCD is being modified. Otherwise it should have resumed normally!

Also I don't think I have anything that lets me boot from something else on hibernate. Most of the systems I use seem "aware" at the BIOS level that the HDD is in hibernate, and none of the function keys "work" except maybe going into the BIOS. Even so, I wouldn't only be able to confirm that it does indeed do that or not, and not really be able to offer any other thoughts on the subject like a fix or whatever else. Truthfully, the BCD still kinda scares me. ;)

#7
jaclaz


Some boxes (like Dell) allow you to change the boot order (F12) and boot from USB even though the box is hibernated. Then PE will boot. With WinPE, after I shut down WinPE, I could boot normally and the old hibernated Win 7 box would resume. Of course, you can screw up everything if you change the disk while in hibernate state so be careful.

Thanks :), did not know that, of course it sounds like a perfect recipe for disaster, if (as often happens) you have USB devices connected, and you are distracted by something, etc. :unsure:

All
I think we should take hibernate out of the issue. If I boot a normally shutdown box with a WinPE 4.0 and then, once booted, navigate to the location of the normal BCD file (typically c:\Boot\BCD) and check the modified date of the file, it will have a time that is consistent with when the WinPE was booted. That is what I don't understand.

So, the \boot\BCD on the active partition on the disk (which is not first in boot sequence) is accessed anyway by a WinPE 4 (and this is not an issue by itself, but it can be if the PC was in hibernate state and "boot from other device" via F12 is allowed).

Are you talking of a WinPE 4.0 made:
  • from AIK/WAIK
  • from "recovery.exe"
  • other (please specify)
some reference/background for the above question:
http://reboot.pro/to...e-40-usb-drive/

Additionally, is the USB drive booting as "hard disk" or as "super floppy"?
And is it a USB stick or a USB hard disk drive?

Can you try setting in your WinPE the keys to prevent automount (as WinFE uses):
http://www.forensics....org/wiki/WinFE

and try again?
Explanation:
It is possible that the access is done by the BOOTMGR of the WinPE because the internal disk is the only "fixed disk" (if the WinPE is on a USB stick, which is normally "removable") or it is possible that it is done by the mount manager when the volume is mounted.
This way we could maybe understand what actually accesses the \boot\BCD on the internal disk.

jaclaz

#8
jtalbot35

jaclaz

WinPE 4.0 is made from AIK/WAIK. As for your "hard drive/super floppy" question, you've gone beyond my level. How do I tell? I will try the WinFE method listed (but with the SanPolicy=4 as stated by other sites). I would think that the answer is the BCD will not be changed.

#9
jaclaz


jaclaz

WinPE 4.0 is made from AIK/WAIK. As for your "hard drive/super floppy" question, you've gone beyond my level. How do I tell? I will try the WinFE method listed (but with the SanPolicy=4 as stated by other sites). I would think that the answer is the BCD will not be changed.


If the USB device is a hard disk, then it is partitioned.
If it is a USB stick it may be partitioned (even if only one partition) or be "directly" a volume (i.e. a super-floppy).
If you prefer, if the first sector of the device is a MBR (and thus contains a partition table) then it is "hard disk like", if first sector of device is a bootsector, then it is a "super-floppy".

The BCD is a Registry Hive, it is normally auto-mounted in the Registry as HKEY_LOCAL_MACHINE\BCD00000\ (I am talking here of a "plain" installed Vista :ph34r: or later), but only the one used for booting (i.e. the \boot\BCD relative to the BOOTMGR actually chainloaded by the bootsector or boot manager) should, and this should happen after the first part of booting has happened, i.e. (unless I am mistaken) BOOTMGR itself should not be able (or wasn't up to 7) to write to the \boot\BCD.

This is why it is important to understand WHAT modifies it and WHEN exactly this happens.

And (OT :w00t: ; but for the benefit of Tripredacus :)) it is not something to be actually scared of, besides being stupidly assembled in a senselessly (and mind-bogglingly) complex way, it is a "normal", plain Registry Hive, which is BTW a filesystem (some say a half-@§§ed one):
http://rwmj.wordpres...ks-technically/
http://reboot.pro/to...s-a-filesystem/

jaclaz

#10
jtalbot35

jaclaz

I do the following to make my WinPE USB:

diskpart
select disk "some disk number"
clean
create partition primary
select partition 1
active
format fs=FAT32 quick Label=WINPE
assign

bootsect /nt60 "drive letter assigned"

copy all files to WinPE usb

Of course, this might not be the correct way to build it but it seemed to work, I will try the WinFE mode and let you know.

#11
jaclaz


Of course, this might not be the correct way to build it but it seemed to work, I will try the WinFE mode and let you know.

No, no, it is perfectly correct :thumbup simply not the "only" way.

The possible issues, briefly, are as follows:
  • a USB stick in 99.999% (please read as 100%) of cases is set as "removable" device in factory (this can be changed in the actual controller of the stick through the appropriate Manufacturer tool but see also #4 below) and it is not partitioned.
  • a USB hard disk drive in 100% of cases is set as "fixed" device in factory (and any "fixed" device *needs* to be partitioned, i.e. Windows *wants* a MBR on a "fixed" device)
  • by partitioning the USB stick, you make it *resemble* a "hard disk" (but the "removable" bit of the device is still set)
  • as an alternative to "flipping the bit" in the controller it is possible to install in the windows (or in the PE) a "filter driver" that makes the "removable" bit as "fixed" to the OS
  • as a further peculiarity, a USB mass storage device has however some "differences" (as seen from the NT OS or the PE) when compared to an "internal" disk, (as an example you cannot normally have a pagefile on a booted from USB OS, or Windows Update will not work properly/fully) and there is one of the available "filter drivers" that, additionally to the "removable" status filters also the "external" status.
Any of these "filter drivers" are presumably loaded by the OS, i.e. they "come into play" after BOOTMGR has done whatever it is supposed to do and WINLOAD.EXE continues the booting.

So, if the access/change to the \boot\BCD of the internal disk is performed by the BOOTMGR, it is possible that it is *somehow* connected to the "removable" status of the device BUT there is NO way to prevent this behaviour through a "filter driver" (and possibly not even by the Registry settings WinFE uses), while IF the access/change to the \boot\BCD is performed by the booted OS, even in its initial loading stage, then it is possible that the WinFE Registry settings and/or a "filter driver" can change the behaviour.

jaclaz

#12
jtalbot35

jaclaz
I built my WinPE the "WinFE" way and repeated the test. I booted my hibernated system, used DiskPart to bring the disk online and assigned a drive letter to the volume that normally gets booted. The BCD file was not changed and resumed as normal. I could not clear the readonly attribute of the disk or volume so the WinFE method will not work for me since I need to fix (ie change) the disk to fix whatever problem the user ultimately was having.

#13
jaclaz


jaclaz
I built my WinPE the "WinFE" way and repeated the test. I booted my hibernated system, used DiskPart to bring the disk online and assigned a drive letter to the volume that normally gets booted. The BCD file was not changed and resumed as normal. I could not clear the readonly attribute of the disk or volume so the WinFE method will not work for me since I need to fix (ie change) the disk to fix whatever problem the user ultimately was having.


Try again :w00t:
The "WinFE settings" are two distinct keys:
HKEY_LOCAL_MACHINE\system\ControlSet001\Services\MountMgr
NoAutoMount=1
and
HKEY_LOCAL_MACHINE\system\ControlSet001\Services\partmgr\Parameters
SanPolicy=3

BTW the one you probably set as "4", which is seemingly :
http://technet.micro...290(WS.10).aspx
the new setting used for Windowstogo:
http://social.techne...ep-by-step.aspx

Apply the new SAN policy setting OFFLINE_INTERNAL - “4” to prevent the operating system from automatically bringing online any internally connected disk.



Try only with the first one, and/or try with the 3 one.

Also it is possible that Windows 8 (and conversely WinPE 4.0) has "inherited" this feature of Server 2008 :unsure:
http://support.microsoft.com/kb/971436


You can then try to do this from the PE "as is" when you manually mount the volume:
http://blogs.technet...-completes.aspx

select disk <disk#>
online disk noerr
attribute disk clear readonly noerr


jaclaz

#14
jtalbot35

jaclaz
I did the test again setting the "NoAutoMount=1" and leaving the SanPolicy=1 (default). After booting into PE, the disk was online but the volumes were offline. Using diskpart, I assigned a drive letter to the appropriate volume and verified the BCD had not been changed. BTW, the disk/volume were set to be read/write. I shut down PE and rebooted and the hibernated system resumed as expected. I did the same test but not from a hibernated state, got the volume online and created a file at the root level. I then rebooted back into the normal system and the file was present as hoped/expected.

I will do the test again only changing the "SanPolicy=3" to see what it does including can I ever get the disk/volume to be writeable.

#15
jaclaz


jaclaz
I did the test again setting the "NoAutoMount=1" and leaving the SanPolicy=1 (default). After booting into PE, the disk was online but the volumes were offline. Using diskpart, I assigned a drive letter to the appropriate volume and verified the BCD had not been changed. BTW, the disk/volume were set to be read/write. I shut down PE and rebooted and the hibernated system resumed as expected. I did the same test but not from a hibernated state, got the volume online and created a file at the root level. I then rebooted back into the normal system and the file was present as hoped/expected.

Good :), so workaround #1 worked, right?

This might mean that after all the Windows 8/WinPE 4.0 BOOTMGR does check those Registry keys, there should be no differences between auto-mounting and manual mounting AFAIK, if not a timing difference, but that should not give different results anyway :unsure: .

I will do the test again only changing the "SanPolicy=3" to see what it does including can I ever get the disk/volume to be writeable.

Yes :yes: , this is a good occasion to explore all the possible ways, since you have that particular machine which has the hibernate feature with Fxx keys active.

jaclaz

#16
jtalbot35

jaclaz

I did the test with SanPolicy=3. That worked as far as not changing the BCD hive but I could not get the fixed drive to remove the readonly bit. All the drives (including the PE drive) came up "offline" as expected. I used diskpart to mark the disk "online" which was successful and did the "attributes" command. It failed with the "Diskpart failed to clear disk attributes" msg. I repeated the steps on the PE drive and the "attributes" command was successful. From that, since I may need to fix a problem on a user's drive, I think the SanPolicy=3 won't work. Of course I may just be doing something dumb but at this point I'm going to go down the "NoAutoMount" path and see what happens.

I can try other things if you would like.

BTW, if you have VMWare, you can build a Win 7 VM normally and then configure the boot sequence in the VM BIOS to first try booting from CD then hard drive. You can then build an ISO from your PE USB drive using:
oscdimg -n -betfsboot.com "drive_where_your_PE_DISK_IS" name.iso
You can then attach your iso to your VM and boot it and your WinPE will be in control. I used this method to initially look at the hibernated state issue (I hibernated my Win 7 VM image and then attached my WinPE iso to it and rebooted). All of my above tests were done on real hardware though. Never know when VMWare is not telling you the truth.

#17
jaclaz


I can try other things if you would like.

Yes, there are two "levels" of read/write.

Try booting then check BOTH the disk and volume status, see:
http://emalf-pc.blog...ows-server.html

If you could post a copy of the commands and feedback you get, it would be nice.

Was the disk online?
You may need to put it offline, and then attempt changing the read only status (or vice versa :ph34r: )...

It is possible that BOTH the disk and volume are set as "read only" :unsure: or maybe the disk (or volume) being in hibernated state prevents the command with 3 or 4?

Try also if this:
http://www.happysysa...policy-set.html
Diskpart> san
applies....


jaclaz

#18
jtalbot35

jaclaz

With SanPolicy=3, I could never get the disk writeable. Here is the output of my DISKPART session


DISKPART

Microsoft DiskPart version 6.2.9200

Copyright © 1999-2012 Microsoft Corporation.
On computer: MININT-2DO01EC

DISKPART> san

SAN Policy : Offline All

DISKPART> san policy=onlineall

DiskPart successfully changed the SAN policy for the current operating system.

DISKPART> rescan

Please wait while DiskPart scans your configuration...

DiskPart has finished scanning your configuration.

DISKPART> list disk

Disk ### Status Size Free Dyn Gpt
-------- ------------- ------- ------- --- ---
Disk 0 Offline 465 GB 0 B
Disk 1 Offline 1912 MB 0 B

DISKPART> select disk 0

Disk 0 is now the selected disk.

DISKPART> detail disk

WDC WD5000BEVT-75ZAT0
Disk ID: E1F2EA89
Type : SATA
Status : Offline (Policy)
Path : 0
Target : 0
LUN ID : 0
Location Path : UNAVAILABLE
Current Read-only State : Yes
Read-only : Yes
Boot Disk : No
Pagefile Disk : No
Hibernation File Disk : No
Crashdump Disk : No
Clustered Disk : No

There are no volumes.

DISKPART> attributes disk clear readonly noerr

DiskPart failed to clear disk attributes.

DISKPART> rescan

Please wait while DiskPart scans your configuration...

DiskPart has finished scanning your configuration.

DISKPART> list disk

Disk ### Status Size Free Dyn Gpt
-------- ------------- ------- ------- --- ---
* Disk 0 Offline 465 GB 0 B
Disk 1 Offline 1912 MB 0 B

DISKPART> detail disk

WDC WD5000BEVT-75ZAT0
Disk ID: E1F2EA89
Type : SATA
Status : Offline (Policy)
Path : 0
Target : 0
LUN ID : 0
Location Path : UNAVAILABLE
Current Read-only State : Yes
Read-only : Yes
Boot Disk : No
Pagefile Disk : No
Hibernation File Disk : No
Crashdump Disk : No
Clustered Disk : No

There are no volumes.

DISKPART> online disk noerr

DiskPart successfully onlined the selected disk.

DISKPART> rescan

Please wait while DiskPart scans your configuration...

DiskPart has finished scanning your configuration.

DISKPART> attributes disk clear readonly noerr

DiskPart failed to clear disk attributes.

DISKPART> detail disk

WDC WD5000BEVT-75ZAT0
Disk ID: E1F2EA89
Type : SATA
Status : Online
Path : 0
Target : 0
LUN ID : 0
Location Path : UNAVAILABLE
Current Read-only State : Yes
Read-only : Yes
Boot Disk : No
Pagefile Disk : No
Hibernation File Disk : No
Crashdump Disk : No
Clustered Disk : No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
Volume 1 C RECOVERY NTFS Partition 15 GB Healthy
Volume 2 E NTFS Partition 450 GB Healthy
Volume 3 FAT Partition 78 MB Healthy Hidden

DISKPART> list volume

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
Volume 0 D DVD-ROM 0 B No Media
Volume 1 C RECOVERY NTFS Partition 15 GB Healthy
Volume 2 E NTFS Partition 450 GB Healthy
Volume 3 FAT Partition 78 MB Healthy Hidden

DISKPART> select volume 2

Volume 2 is the selected volume.

DISKPART> detail volume

Disk ### Status Size Free Dyn Gpt
-------- ------------- ------- ------- --- ---
* Disk 0 Online 465 GB 0 B

Read-only : No
Hidden : No
No Default Drive Letter: No
Shadow Copy : No
Offline : No
BitLocker Encrypted : No
Installable : Yes

Volume Capacity : 450 GB
Volume Free Space : 434 GB

DISKPART> attributes volume clear readonly noerr

DiskPart has encountered an error: The media is write protected.
See the System Event Log for more information.

DISKPART> detail volume

Disk ### Status Size Free Dyn Gpt
-------- ------------- ------- ------- --- ---
* Disk 0 Online 465 GB 0 B

Read-only : No
Hidden : No
No Default Drive Letter: No
Shadow Copy : No
Offline : No
BitLocker Encrypted : No
Installable : Yes

Volume Capacity : 450 GB
Volume Free Space : 434 GB



#19
jaclaz


jaclaz

With SanPolicy=3, I could never get the disk writeable. Here is the output of my DISKPART session

Hmmm. :unsure:
Cannot really say what is preventing the thingy to change attributes.

Check this:
http://blogs.technet...-only-help.aspx

I also had this problem and noted this post did not fix the issue. I was able to resolve this issue on my computer by modifying the following registry key from 1 to 0:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\StorageDevicePolicies\WriteProtect

Switch from a 1 to 0.

but that should only affect USB drives.

DiskPart has encountered an error: The media is write protected.
See the System Event Log for more information.

Is there anything worth of note in the event log (if it exists in your PE)...

jaclaz

Edited by jaclaz, 20 May 2013 - 06:22 AM.


#20
jtalbot35

jaclaz

Thanks for all of your help. Not sure why the original issue happens (BCD file changed on boot) but I'm going to work around it with the NoAutoMount setting. Thanks again.

#21
jaclaz


Thanks for all of your help. Not sure why the original issue happens (BCD file changed on boot) but I'm going to work around it with the NoAutoMount setting. Thanks again.

You are welcome :).

Re-thinking about the Read-only that cannot be cleared, maybe it is because as soon as you put the disk online, volumes on it were mounted to a drive letter.
Maybe all volumes need to be unmounted to allow to change the read-only status? :unsure:

jaclaz

Edited by jaclaz, 20 May 2013 - 06:42 AM.
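
The two registry settings listed in post #13, and the NoAutoMount-only variant adopted in post #20, can be written into the WinPE image offline at build time. This is an added example, not code from any poster in the thread; the default paths, image index 1 and the temporary hive name PE_SYSTEM are assumptions.

```powershell
# Added example: apply the thread's registry settings offline to a WinPE boot.wim.
# Assumptions (not from the thread): default paths, image index 1, and the
# temporary hive name PE_SYSTEM. Run from an elevated prompt with the ADK tools.
param(
    [Parameter(Mandatory)] [string] $WimPath,      # e.g. C:\winpe\media\sources\boot.wim
    [string] $MountDir = 'C:\winpe\mount',
    # NoAutoMountOnly: the workaround adopted at the end of the thread.
    # WinFE: NoAutoMount=1 plus SanPolicy=3, as listed in post #13.
    [ValidateSet('NoAutoMountOnly', 'WinFE')] [string] $Mode = 'NoAutoMountOnly'
)

$ErrorActionPreference = 'Stop'
$Hive = 'HKLM\PE_SYSTEM'

function Invoke-Native {
    # Run a native tool and turn a non-zero exit code into a terminating error.
    param([string] $Exe, [string[]] $Arguments)
    & $Exe @Arguments
    if ($LASTEXITCODE -ne 0) {
        throw "$Exe $($Arguments -join ' ') failed with exit code $LASTEXITCODE"
    }
}

function Set-PeDword {
    # Write one REG_DWORD under the loaded offline SYSTEM hive.
    param([string] $SubKey, [string] $Name, [int] $Value)
    Invoke-Native reg.exe @('add', "$Hive\$SubKey", '/v', $Name,
                            '/t', 'REG_DWORD', '/d', "$Value", '/f')
}

New-Item -ItemType Directory -Force -Path $MountDir | Out-Null
# /Mount-Image is the DISM verb shipped with the Windows 8 ADK (WinPE 4.0).
Invoke-Native dism.exe @('/Mount-Image', "/ImageFile:$WimPath", '/Index:1', "/MountDir:$MountDir")

$commit = $false
try {
    Invoke-Native reg.exe @('load', $Hive, "$MountDir\Windows\System32\config\SYSTEM")
    try {
        Set-PeDword 'ControlSet001\Services\MountMgr' 'NoAutoMount' 1
        if ($Mode -eq 'WinFE') {
            Set-PeDword 'ControlSet001\Services\partmgr\Parameters' 'SanPolicy' 3
        }
        # Show what was written so the build log records the state of the image.
        Invoke-Native reg.exe @('query', "$Hive\ControlSet001\Services\MountMgr", '/v', 'NoAutoMount')
        $commit = $true
    }
    finally {
        # The hive must be unloaded before DISM can commit the image.
        [gc]::Collect()
        & reg.exe unload $Hive
        if ($LASTEXITCODE -ne 0) { $commit = $false; Write-Warning "Could not unload $Hive" }
    }
}
finally {
    # Commit only if every step succeeded; otherwise leave boot.wim untouched.
    $action = if ($commit) { '/Commit' } else { '/Discard' }
    & dism.exe /Unmount-Image "/MountDir:$MountDir" $action
}
```

In the tests reported in this thread, SanPolicy=3 left the internal disk read-only in a way DiskPart could not clear, while NoAutoMount=1 alone left the BCD unmodified and the volume writable once a drive letter was assigned manually.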




