Live CD’s are great. When I first downloaded and booted up Knoppix, it blew my mind. A whole operating system that runs off a CD. But why not. The concept behind these distributions is simple enough. After all, the kernel of your OS must be in memory anyway, and most modules and applications are loaded up as needed from storage, which in most cases can be read-only. The only areas where you actually need write permissions are few select directories that the system use to dump log files and temporary garbage. But you can easily implement a virtual disk in RAM that will pretend to be a traditional read-write storage system and you are good to go. Simple, easy to implement and incredibly useful.
Initially this technique was used mostly by a range of novelty linux distributions built to be emergency system rescue platforms, tech demos or stripped down miniature OS’s that you could carry with you in your pocket. Nowadays however use of live CD’s is widespread. Large and popular distributions such as Ubuntu use them by default on their installation CD’s for example. Such a CD can then act as a demo disk, an installer and rescue disk that can allow the user to recover his data when the installed OS gets hosed for some reason. It is a beautiful, user friendly and elegant way to package the system. There is almost no reason not to do this.
And yet the dominant player in the OS market does not even acknowledge this methodology as an option. I think that everyone would agree that a Live Windows CD would be a nice addition to the toolbox of every IT professional. Of course the windows support niche has been filled out by Linux distros quite well. The NTFS support is quite good these days and Linux based tools that allow you to edit windows registry are becoming more reliable each day. Still, it is a bit ironic that you usually have to use Linux to repair or recover a Windows installation – especially considering how much money Microsoft spends on the FUD campaigns against it. You would think that someone at Redmond would notice this, and decide to create a Live Windows version instead of offering users baroque solutions such as the “Windows Recovery Console”.
Sadly, I doubt this will ever happen. After all, Microsoft has spent the last decade trying to tie their OS to the underlying hardware and make it less portable. Reversing their policy and creating a version of Windows that could be carried around on a CD, and boot on any machine without some crazy online activation scheme is probably out of the question.
Of course trying to stifle progress is futile. If enough people want Live Windows CD, it will be made with or without Microsoft’s help. Enter BartPE – a project to create just that, Microsoft be damned. Of course since Windows is a proprietary OS, it is not possible to distribute an actual Live CD of it without incurring legal wrath of the software giant. What can be distributed however is a set of tools that will take your existing (legally licensed) Windows XP CD and turn it into a Live CD. Unless of course you happen to have an OEM version of the CD in which case it does not work.
Not so long ago I ran into a scenario that a live linux CD could not fix. I was dealing with a computer protected by Pointsec for PC full disk encryption. The windows installation on the system was hosed most likely due to a HD damage – at least that’s what I suspected judging from the agonizing grinding noises it was making while trying to load Windows. It was clear that parts of the file system are still intact though because the system would hang or crash at different points during the boot procedure. What I needed from that machine were 3 excel and PDF files that could not be easily recovered if they were lost. The user naturally didn’t back up, because hell – why for, right?
I could of course attempt to decrypt the whole drive (I had the recover file, and admin passwords to do so), but that seemed like a risky move. With a hard drive on its last legs, last thing I wanted it to do is to work real hard for several hours copying bits all over the place. What I wanted to do was to get in, and access the files I needed before the drive collapses upon itself. Live distro was the way to go.
Check Point is actually nice enough to offer a BartPE plug-in on their installation CD’s. They don’t talk about it though, probably because they don’t want to tempt Microsoft which pretends BartPE does not exist. The plugin is unsupported but it works well enough for what I needed it to do. The problem was that to build a BartPE disk I needed a Windows XP CD and the only copy I had on me was a Dell OEM with Service Pack 2 included on the disk. My initial build failed miserably because that Windows CD is crippled in some subtle way.
I did some googling and found a writeup that explains how to use Dell OEM disk to create an UltimateBootCD. It is not exactly what I needed, but following these instructions yielded quite positive results. I had to tweak the writeup in a few places, but for the most part it worked. I will reproduce it here with less atrocious formatting and appropriate corrections.
CD Used for the Build: Windows XP Pro SP2 DELL OEM
Platform on which the build was performed: Windows XP Pro SP3
- Copy the contents of the CD to some directory (say C:\WINXP). Make sure you are copying hidden and system files as well as normal files.
- Go to BartPE installation directory
- Go to the Plugins folder
- Create a directory named Dell
- Inside create a file named fixdell.inf
- The contents of fixdell.inf should be as follows:
[Version] Signature= "$Windows NT$" [PEBuilder] Name="Fix Dell Windows XP OEM boot problems" Enable=1 [SourceDisksFiles] iastor.sys=4,,4 a320raid.sys=4,,4 aarich.sys=4,,4 aac.sys=4,,4 cercsr6.sys=4,,4 afamgt.sys=4,,4 NvAtaBus.sys=4,,4 nvraid.sys=4,,4 symmpi.sys=4,,4 megasas.sys=4,,4
- Download subinacl from Microsoft website here
- Install it (choose all default options)
- Go to C:\Program Files\Windows Resource Kits\Tools
- Copy the subinacl.exe to C:\WINXP\i386\ (or change WINXP to whatever you named your folder in step 1
- In C:\WINXP\i386 create a batch file (eg. fixdell.cmd) with the following:
reg query HKU | find /i "pebuilder" > fixdell.txt for /f %%a in (fixdell.txt) do reg unload %%a reg load HKLM\DELL setupreg.hiv subinacl /subkeyreg hkey_local_machine\dell\controlset001\services\iastor\ /objectcopysecurity=hkey_local_machine\dell\controlset001\services reg unload HKLM\DELL del fixdell.txt del /ah setupreg.hiv.log echo Check output to see if there are any errors. pause
- Run the batch file.
- Build BartPE CD
Note that if BartPE throws up warnings about missing files, you should probably go back to step 6 and add these file names to your fixdell.inf file using the same pattern as all the other ones.
If you have a SATA drive, you may need to also slipstream the SATA drivers into your build. You need to do that before you actually build the BartPE CD:
- First download the DriverPacks Base and extract it anywhere (eg c:\dp\
- Next, grab the DriverPacks Mass Storage bundle. It is currently only available via torrent so if you are behind a firewall, this might be a tricky step.
- Take the DP_MassStorage_wnt5_x86-32_1209.7z bundle you just torrented and put it in c:\dp\DriverPacks directory.
- Run DPs_BASE.exe (it’s located in your c:\dp\ directory.
- In the Location section page select BartPE use the browse button “Browse” to select your BartPE Plugin\ folder.
- Make sure that DriverPack MassStorage text mode is selected under the DriverPacks™ section:
- Hit Slipstream!. This will extract the drivers into your BartPE plugin directory.
- Finally, run the BartPE builder tool, and make sure your plugins are initialized correctly. The #DriverPacks.net – BASE should be set to No and #DriverPacks.net – Mass Storage should be set to Yes, as pictured below:
- Finally, build your BartPE CD.
This ought to give you a CD that can both access encrypted Pointsec drives, and deal with SATA.
To finish my story – it worked. I was able to create a BartPE disk with the Pointsec for PC plugin and then use it to recover the files from the encrypted drive. There is a little trick to it though – you can’t just boot BartPE from disk as usual. You have to let the machine load the Pointsec Pre-Boot Environment, log in as a user authorized to access the machine and then hit Ctrl+F10. This will shoot you over to a customized Pointsec boot selection menu, where you can choose to start the system from the CD. That’s actually the only way to do this. If you allow the system boot from the CD before the Pointsec Pre-Boot Environment kicks in, the encrypted disk will remain inaccessible.
I hope this helps anyone who is trying to build BartPE with a crippled OEM disk. I know this works for Dell OEM, but chances are it might work for other versions too.