Saturday, January 24, 2009

Custom Win PE Boot Disk Building: VistaPE 12 RC1 Walkthrough

Yes I know.

I did last say we would be looking at dead-ends first in my post Custom Win PE Boot Disk Building: Dead Ends Ahead!

But as I thought about it, it doesn’t do any good to talk about those dead-end paths until we get the next element constructed in our custom Win PE boot disk building.

That would be a working base version of VistaPE using WinBuilder 12 RC1.

So let’s knock that one down first.

Summary

The purpose of this overall project is to build a Win PE 2.0 based boot-disk, that has a great VistaPE GUI interface (instead of the standard CLI shell) and the PGP WDE drivers injected so we can “liveCD-boot” a PGP WDE system (assuming we have the user’s passphrase).  Oh yes, and it has to handle the Dell GX 7xx series USB keyboard drivers.

If you are just joining us, please go back and review the following posts to get up to speed:

Done?

Great!  On to the task at hand.

Foundations

As I have mentioned before VistaPE is build on the Win PE 2.0 foundation.  It provides a slick shell for an otherwise command-line based environment. I’ve been building VistaPE boot disks for a long time and have not encountered any issues until attempting to use them on recent Dell GX-7xx series systems.

I found that a standard WAIK built VistaPE disk just didn’t properly load the USB keyboard drivers.  And while a VistaPE disk built using a Vista setup DVD would properly load the drivers, that led to a different problem.  Since we have gone enterprise-wide to using PGP WDE, we needed a method to continue to decrypt the drives “on-the-fly” for data-recovery and off-line service.  I worked out injecting the PGP WDE drivers into both VistaPE versions.  However, while that worked perfectly under the WAIK-based VistaPE, the stupid Dell USB keyboard wouldn’t work.  And under the Vista DVD-based VistaPE, the boot disk would blue-screen due to a driver conflict.

Eventually I worked out a way to successfully hack out a WAIK-VistaPE + Win PE 2.0 + PGP WDE injected driver disk that does successfully load the Dell GX-7xx series USB keyboard drivers.

If you have been following along, we last created a WinPE 2.0 boot.wim file that has the PGP WDE drivers injected into it.

Now we need to build a parallel VistaPE wim file…and then suck the life out of it for our nefarious purposes!

What follows is an updated version of a previous post I had written walking through using VistaPE WinBuilder 011.

Now I am going to present a walkthrough on using VistaPE WinBuilder version 12 RC1 to create the raw source materials for the next stage of our project.

Something you should know before beginning

When we work the the VistaPE WinBuilder, the build-folder (and sub-files/folders) must have a user security permissions object "Everyone" with full rights assigned for that user. 

Beginning with version 010 (I think) the scripts were modified and unless the files during the build process have full "Everyone" rights, you can build the ISO for VistaPE, but during the boot process, the files that are created don't carry with them sufficient security permissions to allow the boot process to execute. 

So what do you do?  I'll cover that in a minute (look for item #3 a bit below). But for now, if you have XP Pro (or Vista) you shouldn't have any issues setting up the security rights.  If you have XP Home, it isn't as easy.  See my GSD post "Get the Security Tab in XP Home! For Free!" to see what options you will have to consider.

Also, there are a lot of cool things that can be done and customized in VistaPE.  I’m only addressing this walkthrough with the purpose of meeting our custom project needs.  Maybe later when I wrap this series up will I go into a “typical” VistaPE-WAIK and VistaPE Vista Setup Disk based walkthrough and comparisons…

Shall we proceed?

Some Pre-Assembly Required

I will perform this version 12 RC1 build walkthrough on a XP-SP3 system.  Mine is a XP Home version.  I have done this quite well on both XP Professional and Vista.  There may be some slight differences between the OS versions, but if you understand the concepts, you should be good to go. 

First, the drive partition you are doing your mastering on MUST BE formatted as NTFS.  If you don't know what I am talking about, you might not be at the point of taking on this project. 

I always just do my building in a C:\VistaPE_WinBuilder_v12RC1 folder on the root of my C: drive.

Also, be sure your drive/partition has enough space to build the project.  One GB should do nicely for this base project, but two would be better.  You will be creating an ISO file for the disk so you need that room for it as well as the build files and applications you will be fetching down to your local drive.

First: System and Program Prepping

  1. Note, for this project, we have already installed the Windows Automated Installation Kit (Windows AIK). If you are just joining us or want to just follow along for a default VistaPE 12 RC1 build, then go back and do the stuff in that post that gets the WAIK installed first.) 
  2. Download and unpack WinBuilder to your NTFS partition.  It is a .rar file format, but most all compression programs should be able to unpack it. If not, just get and use either the free 7-Zip or the more user-friendly free jZip.  I unpacked mine on the root at C:\VistaPE_WinBuilder_v12RC1 .  Note: I am using the download-link offered for the "Latest stable version 12 RC1 (21.10.2008)" on the download page for this guide.  Again, you can actually put the file anywhere you wish, but it must be on an NTFS formatted partition!
  3. Once the main build folder is ready, we must prep the file and folder security permissions.  Right-click on the folder and select "Properties".  Now click the "Security" tab.  Add/Create a user account called "Everyone."  Now select that account and ensure that all the items in the bottom window are checked to "Allow".  Good.  Save, apply, and click on out.

Tip1: If you forget for some reason to do this on a NTFS formatted partition, when you run the final build file (virtually or off a burned disk) it will boot to a point but then stop at the following error: "...winload.exe is either corrupt or missing."  That's because you didn't do the building on a NTFS formatted partition. If this is the case find and move your WinBuilder folder and contents over onto one and try another ISO build again.  It should work fine the second time.

Tip2:  If you are completely lost about step 3 about with setting of security permissions, see these related (illustrated) posts from assorted websites:

Second: Download the VistaPE WinBuilder components

  1. Browse to where you unpacked WinBuilder and run the exe file. (You did remember to set the Everyone account and set full permissions, right?)
  2. The version I am using reports "WinBuilder 075 – beta 5 j" in the title bar.  If yours is different you probably can still follow the principles outlined here, but some of the references might not exactly match.
  3. Take a moment to examine the “Download Center” window. This appears the very first time you run the program. There are three buttons: Main, Servers, and Download.  You should also see a folder tree with a dropdown arrow.
  4. You can click on the "+” items to expand the folder tree.  Basically these are all the program and script elements that will make up the VistaPE build and be included.  You can include/exclude an item by toggling the respective check box.  Let’s leave them all alone for now.
  5. Click the "Servers" tab and take a look.  I recommend starting out with just the default server.  Checking others provides additional project scripts for extra building features.  Play with this once you have mastered the basic steps. Leave the default value set.
  6. On the left hand side, you will see "Complete" in a drop-down option box.  If you click the drop-arrow you will see additional projects "Minimum," "Recommended," “Complete,” and "Beta."  Again, let's leave it on "Complete" for this build run. Play with the others as you gain experience.
  7. Note that on the info area for this tab (at the top) you should see that you have 147 files selected and about 118.40 Mb of data to download. I hope you have a broadband Internet connection!
  8. Click the "Download" button at the bottom and the WinBuilder will begin fetching the files and scripts needed for your project.  A "Projects" folder will be automatically created in your C:\VistaPE_WinBuilder_v12RC1 (or whatever you called yours) and the files placed into there.
  9. On the left-hand side you will see the detail elements being ticked off as they are obtained with a download status bar showing the progress on the bottom right hand side.  This may take a while so get up and go spend some time with your loved ones (family, friends, cat, rat, etc.)
  10. WinBuilder should restart when done.

Additional notes:  Once you get the basics of VistaPE building down, come back here and play around on this page. Note that when you select other Web Servers, additional projects or project sub-elements appear.  There are a lot of cool ones so take your time exploring.  Unless you start out on the "Complete" build version to begin with, you will need to do the download process again to bring down the additional project scripts and programs.

Third: Set your Environmentals!

You should now see third buttons have been added to our WinBuilder window.  There are the Script, Source, and Code Box buttons.  We also see four icons in the top-right corner: Play, Tools, Refresh, and Download.  Now the fun begins!

  1. Click on the "Source" button and set your Source directory.
    • If  you are using the WAIK and installed it to the defaults, browse to the following location using the folder icon next to the blank line: "C:\Program Files\Windows AIK". The "Target directory" is set by default.  I would leave it alone for now.
  2. The "ISO file" location and name is set by default.  I would leave it alone as well.
  3. Click the "Script" button (next to the "Source" button) again.
  4. On the left-hand side next to "VistaPE" project, you will see the project elements listed in detail. Each of these also has a "+" you can select to expand if you find it helpful and you are curious.

Fourth: Fine tuning ahead!

  1. Back on the "Script" area on the right-hand side, you will see two small and blue arrows (forward and back) separated by a light line.  These allow us to step through the project elements and "tweak" the build.
  2. We should be on the "Main Configuration" item.  For the most part, I leave the options alone:
    1. Screen resolution to "1024x768".
    2. Main Shell is "BS Explorer" as it mimics a Windows theme.
    3. System Locale = Auto
    4. Grub4Dos Skin = Face
  3. Let's leave the "VPE Main Configuration" radio buttons set, as-is.
  4. On the right-hand side, Click the little right-facing blue arrow.
  5. Notice we are now in the "Base" sub-element area of the project.
    • If you are using the WAIK, you should see the path listed.
    • Since we are using the WAIK, the Windows Vista source settings here don’t apply. Leave them alone.
    • Leave the "install.wim" container value set on "1".
  6. On the right-hand side, Click the little right-facing blue arrow again.
  7. We are now in the "Additional files and drivers" sub-element.
    • Since we are using the WAIK as our build source, uncheck both boxes so we don’t get errors when the program looks for the Vista Install DVD.
  8. On the right-hand side, Click the little right-facing blue arrow again.
  9. We are now in the "Custom Folder" sub-element.
    • Just leave it set to the default.
  10. On the right-hand side, Click the little right-facing blue arrow again.
  11. We are now in the "Basic configuration and tools" sub-element.
    • Here we have a drop-down to set the FBWF cache size value.  I must confess, I didn't know what the heck this was at first.  It is the "File-Based Write Filter" which allows PE "...to maintain the appearance of read and write access to write sensitive or read only storage. FBWF makes read and write access transparent to applications."
    • I just left it at the default "64" setting. Once you get used to building, you can fiddle with higher values.  64 seems to work fine for my tests on various systems.
  12. On the right-hand side, Click the little right-facing blue arrow again.
  13. We are now in the "BS Explorer 2" sub-element.
    • You can set the Desktop label.  I leave it at the default.
  14. On the right-hand side, Click the little right-facing blue arrow again.
  15. We are now in the "Explorer Shell" sub-element.
    • This requires use of the Vista DVD to work, so since we are using the WAIK as our source instead, let’s uncheck its shaded folder tree element (remove the green check) for this item in the left-hand side to disable it.
  16. On the right-hand side, Click the little right-facing blue arrow again. .
    • Now you will jump down into "Addons" elements (and others) and can set custom options for these as you advance through them.  I would just leave everything set as-is for now.  They are generally very self-explanatory.  Add and remove project script applications as you see fit.  For now why don't you just leave them set to the defaults.
  17. On the right-hand side, keep clicking the little right-facing blue arrow again as you cycle down the list on the right hand side.
  18. When we get to the “OtherOS”, let’s make things simple for us and untick the green checks next to the default enabled OS elements.  This will disable loading these in our building process.  We really don’t need them for our custom project. However if you do a standard WinPE disk, they could be really cool to include and bring along to your boot-disk party.
  19. On the right-hand side, Click the little right-facing blue arrow again.
  20. We are now under the "Finalize" folder and on the “PostConfig” item.
    • Leave the options at the default.
    • On the right-hand side, Click the little right-facing blue arrow again.
    • We are now on the “Create ISO/CD/USB” menu.
    • Leave the options at the default.
      • Yes. You can make a USB-bootable device boot-version with this latest WinBuilder version.  It does work and is VERY cool.  But that will have to wait.

We should now be all set.  If you want to go back and check something in your project configuration, you can just click on the specific element on the left-hand side tree structure...just be careful to not accidentally uncheck something.

Fifth: Let-er-Rip!

All ready?  Good!

We are about to process all the pieces to make our masterpiece!

  1. Click the BIG blue arrow "Play" at the top-right of the WinBuilder window.
  2. WinBuilder will start to process the build.
    • If something errors out, that (usually) doesn't prevent the build process from completing, just that element may fail to work.
    • You will see a nice progress meter for each stage of the process.  If additional programs are needed, it will attempt to go and fetch them.
    • If all is well, you might see a DOS window for mkISOfs pop up and it will show the progress of rolling up the ISO file.  Depending on your system's CPU, RAM and drive-speed, this might take a moment, but should be relatively quick. On my system it takes about 5 minutes or less for a "Complete" build.
    • When all is done (I didn’t see a single error myself following these steps) you should get an “Information” window saying “Build sucessfull”. Ignore the spelling error and click “OK”
  3. When done you will be back to WinBuilder with the "Log" window displayed.
  4. I sometimes have a few "Warnings" as I noted where the builder was actually looking for associated Vista DVD files that don't exist when you use the WAIK as the building source.  No big deal. You can explore this window if you want.  As you get used to things, you will discover what scripts call to the Vista DVD and can disable them (uncheck them) if you are using just the WAIK as your build source.

Playtime!

Although we won’t be using it for this custom project, you can enjoy your VistaPE boot disk creation by burning it to a CD, or mounting it in a virtual machine.  Virtual PC works well.

Might as well play with your work for a bit before I move on to the next stage.  Poke around in the WinBuilder application and play with the boot disk.  It should help you better understand the issues I was facing and the dead-ends I went down in the next posts.

If you want, go into the C:\VistaPE_WinBuilder_v12RC1\ISO folder of your WinBuilder location and find the actual ISO file. Mount it and boot from it in a virtual session or burn it and try it out on a real system.

From what I understand, you really need to set your virtual machine at 512 MB system RAM.  Lower than that and the WinPE 2.0 environment gets kinda cranky.  Go too low and it won't boot.  Seems to apply this way in "real-life" system booting as as well.

WinBuilder does allow you the options (under the second "Finalize" element) to burn the ISO directly to a CD when done as well as run the ISO in a VirtualBox session automatically.  You do have to have VirtualBox (freeware) installed on your system prior to doing the build with this option selected, however. WinBuilder provides you a link to the site or you can get it here.

If all went well, you should see a GRUB4DOS boot loader with the blue-face wallpaper background.  

image

Pass through that and you should also a familiar Windows Loading progress bar, then you will see a Vista'ish logo appear in the "Complete" build version; again a very nice and professional touch.

image

When the default configuration comes up, you should see a “VistaPE Loader. Preparing system…” configuration process.  It's turning on some services and starting a network connection.

If all goes well, you will have a sexy task-bar, the familiar Windows navigation structure, and various application icons on the desktop. I launched a few things below for you to see.

image

So what can you do?  A lot!  Click on the Start menu and get playing (carefully as there could be a lot of high-powered tools here).   

Heck, if you didn’t need PGP WDE drivers, and you don’t intend to use it on a Dell GX-7xx system with USB keyboards, you could stop here and be wonderfully happy.

Unfortunately, I need all those things…so my project must continue.

What Next?

Well we will take a trip down two (fascinating) dead-ends, then proceed to gut and fillet this VistaPE 12 RC1 fish we just caught and took so much time to create!

Then we will cram all the best parts back into our PGP WDE injected Win PE 2.0 wim file we made in step two.

Sounds like fun doesn’t it?

--Claus

Mandatory Security Addendum…

Call me an alarmist, but I just don't feel comfortable leaving a folder/zone on my drive with the "Everyone" account on it and full rights.

Looks like a playground full of mischief waiting to happen.

What I do is this: Once I have completed my VistaPE building activity for the day, I go back to the folder, right-click and select "Properties" then the Security tab.  I select the Everyone account group I made, then go to the window below and unclick all the "Allow" checkboxes. 

When I apply the change this effectively removes the power from this "Everyone" account on the folder and contents.

Next time I need to do more building, I go in and recreate it with the rights and do my building again.

There are other ways (setting the items in the account to "deny" or deleting the Everyone account at the top) but I just personally like this technique.

Were any malware or other baddies get on my system, it would prevent them from using this folder as a launching ground for rouge behavior.  It's not perfect, but is better than leaving it there.

The choice is yours…you’ve been warned.

--CV

No comments:

Post a Comment