Sunday, June 20, 2010

On Watch: Forensically Focused…

“Black Hawk watch” CC image on flickr by The U.S. Army

Wow.  Can’t believe how long it has been since I’ve been able to find enough free time to do a forensic focused link-fest post.

Rest assured, I’ve been hard at work in the trenches, ever vigilant for tips and tricks to help both forensic pros and sysadmins find common ground in responding to Windows system incidents.

I hope you won’t leave disappointed…

QCC Information Security “CaseNotes” Updated

I’ve been using QCC’s CaseNotes for some time and find it really does an excellent job fitting my needs. The Digital Standard: Case Notes had a recent post that highlighted many of the best features of this freeware tool and that got me thinking.  Has it been updated lately?

Yep.  Pleasantly so!

  • More CaseNotes Updates – QCC blog post on the latest (June 8, 2010 ish) version of this application.

  • CaseNotes Updated! – and the QCC blog post from May 2010 that had some earlier fixes with in-depth explanations.

Major fixes include:

  • Case file backups only made during explicit user initiated saves
  • Backup copies now stored in a dedicated sub-folder
  • Number of case file backups increased from 3 to 10
  • Greater assistance for the corrupt case file 'password' issue
  • New menu item to reset screen position data to fix maximised windows
  • Fix for Open File dialog not recognising .Notes files in Windows 7
  • New dedicated 32 & 64 bit versions (emphasis mine! Woot!)
  • Supporting documentation still needs to be updated - coming soon.

I’ve found it challenging to keep up with updates on many such tools and utilities. Fortunately, I was able to find RSS/Atom feed links this time, so if you RSS feed-read, take these down:

MANDIANT Update Madness!

  • M-unition » Blog Archive » Web Historian: Reloaded.  Yep.  MANDIANT has gone wacky and updated their already wonderful Web-Historian application and taken it to a whole new level!  So far I’ve been using it in full “installed” mode. But I suspect that with some tweaking of the custom/advanced path settings it might be supported in a “portable” mode.  New version supports FF2/3+, Chrome, and IE 5-8. Man!  The GUI has been majorly re-worked and can scan both local and “off-line” sources. Thumbnail previews are supported on compatible browsers. It also can export a “sanitized” version of history usage for sharing.  This is a really advanced tool now and worthy of checking out.  Did I mention it was free?  Tip: Read the PDF that comes with it.  Saves a lot of time on the learning curve. From the blog post….
    • Collects web history, cookie history, file download history, and form history into data sets  
    • Perform a live artifact scan of the local system
    • Perform an artifact scan of one or more arbitrary history files from all supported browsers
    • Data displayed in gridview style with full search, sort, and filter capabilities
    • Export data sets to XML, HTML or CSV
    • Extract and export history files used in live artifact scan
    • Customizable scan settings can tweak the scan to target specific browsers and data sets
    • View page thumbnails and indexed content
    • Export sanitized version of history results to distribute to others
    • Website Analyzer provides visualization of datasets using bar graphs, pie charts and timelines
    • Website Profiler shows a quick “report card” of artifacts for various websites

  • Web Historian 2.0 – download – register if you wish or just click the “Download Now” arrow at the bottom.

  • M-unition » Blog Archive » New Memoryze, Audit Viewer, and Training.  Yep. Memoryze and Audit Viewer also got updated!  Lots of new features and stuff.  From the post….

So what is included in Memoryze and Audit Viewer 1.4? Well, here is the short of it.

Memoryze:

  • Support for Windows 2003 x64 SP2
  • Improved support of Vista SP1 and SP2 including port enumeration and a better installer
  • Enumeration of digital signatures for all loaded modules in a processes’ address space, hooked and hooking drivers, and all drivers found by driver signature scans
  • Enumeration of MD5/SHA1/SHA256 hash on disk for all loaded modules in a process’ address space and all drivers found by driver signature scans
  • Updated documentation
  • Single installer for 64-bit and 32-bit versions

Audit Viewer:

  • Improvements to the Malware Rating Index (MRI)
    • Report visualization of MRI results
    • MRI rule editors that will allow users to graphically edit the MRI rule file
    • Handle Trust view to help identify suspicious handles
  • Ability to search results within a specific process
  • Multi-select with copy
  • Multi-select and export to a CSV file

I also see tantalizing teases about possible future public releases of MANDIANT tools for Memoryze/Audit Viewer for x64-bit Windows, and free tools to analyze Windows Vista/2003 (64-bit)

Forensic LiveCD Updates

What’s new?

      • Update: Sleuthkit 3.1.1 and Autopsy 2.24
      • Update: Xplico to 0.5.7 (100% support of SIP – RTP codec g711, g729, g722, g723 and g726, SDP and RTCP)
      • Update: Initrd
      • Bug fix: Dhash report (reports were not generated)
      • Bug fix: DEFT Extra bug fix (a few tools did not work if the operator click on their icons, added the dd tool for x64 machines)
  • CAINE 1.5 – CAINE forensic LiveCD is out. See this Release page for details.

  • CAINE 2.0 (code name "NewLight") is cooking – CAINE news blog.

WinFE Developments

WinFE is not my primary forensic LiveCD.  I’ve got a few others that come first in point-rotation. However, it still has a very warm and dear place in my heart.

So I was excited to see the hard work Brett Shavers has done in keeping this tool not only active, but expanding the knowledgebase and ability of others to use and build this WinPE kissing-cousin.  Provided below is the main page as well as great WinFE resources and posts to peruse.

Well done, Brett!

Also, though not part of Brett’s project, the following Praetorian Prefect post is a great and fresh primer on WinPE and forensic work. I particularly found useful the tips on DiskPart with read-only mounting of the off-line mounted volumes/drives.

Kon-Boot News 

While Kon-Boot might not be a tool for most forensic folks, sysadmins could have great use for it.  I’ve mentioned it a bit here on GSD and have been quite fascinated with the tricks it can perform as a bootkit.

  • Kon Boot – Kryptos Logic – This latest version is fully commercial and (reasonably so) you now need to pay-to-play, though a 1-user personal license is just $15.99 and a 1 year 1 user commercial license is just $60 more.

  • What’s My Pass? » Kon Boot 1.1 – What’s MY Pass blog has a roundup of some of the newer features in the commercial version.

  • All this said, the original KON-BOOT - ULTIMATE WINDOWS/LINUX HACKING UTILITY is still offering up free downloads of that earlier build so go grab them while they are still kickin’ free.

Windows Incident Response Blog: Link Madness!

I sometimes feel guilty for cross-linking to Harlan’s most-excellent adventuring forensics blog, who in turn cross-links back here to the humble GSD blog, but hey, good things often go full circle!

Here are some of the wonderful posts I’ve found extremely resourceful in content.

And though not a Windowsir blog post, this seemed the best place to put this quick-reference gem from Tim Mugherini…

Rolling on with RegRipper…

Since I’m still exhaling from Harlan’s site…seems worth-while to drop these links on morphing the incredible RegRipper (which got a site design refresh as well).

There is a whole lot to find and examine on the new RegRipper site so put some time in there.

  • RSS Feed – RegRipper site.  New as well the ability to RSS feed news and updates.  Sweet step-mother of baby Jebus!

Please forgive me while I pause to get a fresh cool minty beverage and recover for a moment.

Command Line Goodness Series

CLI tips and tricks from cepogue on The Digital Standard blog that can’t be ignored.

A Big TinyApps way…

Not to be out-done, TinyApps bloggist is laying down the whack of his own.

And in case you missed it embedded in the previous GSD post…

SANS Computer Forensic Investigations and Incident Response blog

Yet another source of amazing tips and linkage. Oh my.

And because I can’t remember if I found it on WindowsIR blog or here at SANS…

  • nabiy.sdf1.org offers a great tool (USB History Dump) and article about extracting USB Trace Evidence from the Windows registry.  See also the NirSoft tool USBDeview and the Woanware tool USBDeviceForensics.

Security/Response Checklists 

John mentions these Lenny Zeltser productions in particular and encourages tweaking these CC v3 licensed works to fit your own needs.

Who’s been cooking Sausage?!!

Why it’s DC1743 of course over in the Forensics from the Sausage Factory blog!

Alvis and I prefer a pork/venison mix, steamed.  Go figure.

The Final Four

Yep four more links to go.

  • NTPWEdit – Reset Windows password – 4sysops blog – Tool that works very well in WinPE/FE builds. Not that any of you forensic guys would be making such changes to a suspect system.  However sysadmins may need to if malware or sheer local-user maliciousness boggled out the Admin password.

  • Forensic Pagefile: SAM Cracking using Ophcrack and Encase – I’ve not used Encase to do so, but I have followed a modified method to extract SAM files from an off-lined system, brought them over into a VM running the installed version of Ophcrack, then cracked dem profile passwords to accomplish my l33t sysadmin needs (…self-mocking there guys…).

  • Tableau Revision History – TIM. In case you didn’t get the email, Tableau’s Imager (TIM) software product has had a few updates that are pretty important to get and upgrade to, involving both a critical bug fix and minor ones.

  • (IN)SECURE Magazine issue 26 released – Chock full of security tips, news, and other goodness.  Related:  Harlan offers this free new issue link (PDF) to Hakin9 magazine.  Get the read on!

Be safe, be thorough, be fair and objective.  Be ever vigilant.

Cheers.

--Claus V.

Father’s Day Linkfest: Slowly Smoked Goodness…

Here is quite the collection of Windows-related links.  Although it has been quite a while since the last one, I promise I’ve been diligently collecting the most promising links I could find, and slowly roasting them over the past weeks.

The fat has dripped out and burned on the bottom of the smoker pit leaving only these tender, flavor-laden morsels behind.

Savory.

Plate up!

Windows System Utilities

Freaking and Tweaking Windows

Remote Desktop Management: Reloaded

  • Microsoft Download: Remote Desktop Connection Manager (RDCMan) – This is a really neat tool (though not the only out there) that allows you to manage all the different Remote Desktop connection accounts you have.  It presents them in a tree/list format on the left and then shows them in thumbnail format (or active in a single pane) on the right. (4sysops blog has great screenshots of it in action in his post Free RDP client.)  I’m using it right now to manage multiple remote packet capture systems across our network and it makes hopping between them a breeze.  Natively supported on Windows 7; Windows Server 2003; Windows Server 2008; Windows Server 2008 R2; Windows Vista, folks with Windows XP or Windows Server 2003 will need to obtain version 6 or newer of the Remote Desktop Connection client software. See Description of the Remote Desktop Connection 7.0 client update for Remote Desktop Services (RDS) for Windows XP SP3, Windows Vista SP1, and Windows Vista SP2 for more information and the download links at the bottom of the page.

  •  mRemote -- (free version) – Was a similar multi-remote connection management tool I found mentioned in a few comments about the above application.  I had never heard of it before but it seems to support a very wide range of remote protocols, and allows uniform management of them all, including RDP, VNC, SSH, Telnet, HTTP/S, Rlogin and a few others.  What was nice was that once you download and install, it will then assist you in locating/sourcing any additional downloads to support other protocols it can handle that it doesn’t find pre-loaded on your system.  Seems to have a strong fanbase. Overview

  • chriscontrol - Project Hosting on Google Code -- (freeware) – ChrisControl was another interesting remote control tool I rediscovered in its new home on GoogleCode pages.  The Beta 2 version was released in January 2010 so the author is still hard at work refining it.  ChrisControl is curious in that as long as you have the target system’s IP address/hostname and a valid account id/pw, then you have a good chance of connecting to it.  First it sees if RDP or VNC is installed/running.  If RDP is available, it uses that to connect.  If VNC is present it will use that.  If neither, then it prompts the user to remote install VNC server on the target system!  You have options to uninstall the VNC server when done.

  • I’d recently posted this link to the Remotely Enable Remote Desktop :: IntelliAdmin - (free tool) – but it seems appropriate to include it again.  This utility automates a trick to get RDP started when not enabled on the box. Get the micro-file from this link: Enable Remote Desktop – Remotely (exe download-link from IntelliAdmin).  I tend to avoid direct links but the download link from their blog-post page actually points to their full-featured application, and not the standalone tool.  I’ve had the opportunity over the past few weeks to use this tool a few times and every time it saved my bacon.

  • TeamViewer 5 is now out (free for personal (non-commercial) usage) and has some new enhancements.  Check out the TeamViewer Download page.  There is also a TeamViewer Portable version.  I found it really cool that if you download the setup installer and run it, it gives you two options: “Install” to fully install on the system or “Run” to execute TeamViewer on the system “portably/temporarily” (and without the need for the user profile to have “admin” privileges on the system).  That’s a cool feature that calls to mind the way ShowMyPC offers the exe download of its own product which when executed, unpacks and runs…rather than installs.  ShowMyPC, btw, was updated recently to v3050.  Speaking of TeamViewer, I had been able to use TeamViewer on WinPE builds with great success.  However, the newest versions didn’t seem to execute well. I did manage to create an ugly work-around that again lets me keep use of TeamViewer as an option to remote-connect to a WinPE 3.0 booted system.  Yes, another blog post awaits on this one…

  • 2X Client Portable 8.1.870 Released -- PortableApps.com. This multi-connection management tool has also been recently updated.  It also is similar to the Microsoft RDC-Manager and does support RDP connections.  I’ve dipped my feet into using it a bit as well and was pleasantly surprised with the performance.  I really like the “tabbed” remote system display arrangement.  While the “client” tool is free, you can also use it to connect to systems running the 2x Application Server.  Check out the 2X ApplicationServer download page for more information on that side of operations.

Free Microsoft Money!

No. Seriously!  I mean it!  Get Microsoft Money free.  This “Sunset” version doesn’t require any on-line activation.  It is really slick and for a former Quicken user, is very mature and polished.  Lavie and I love it.  What don’t you get with this wonderful and sophisticated yet approachable financial management tool?  Well, as well as I can tell, almost nothing is missing except integration with Microsoft’s own on-line “Live” capabilities, which for the poor folk like Lavie and I, isn’t much we would be using currently anyway.  It is simply an amazing opportunity.

Even if you don’t really think you would use it, if you don’t already have a personal finance management (banking/credit/loans/etc.) software, download this and play around.  Heck, at least download the installer and keep it handy.  Read the download details page linked below carefully for full details.

From the MS download page Overview:

“All versions of Money Plus sold at retail and online, required users to perform an “Online Activation” step in order to keep using the product, even if online services had already expired. Online Activation was also required for every machine onto which Money Plus was installed. Now that Money Plus is no longer available for purchase, the online activation step will eventually become unnecessary and unsupported. This Money Plus Sunset package is targeted at removing the activation dependency. There are two versions of Money Plus Sunset. The Money Plus Sunset Deluxe version is meant to replace Premium, Deluxe, and Essentials versions of Money Plus. The Money Plus Sunset Home and Business version is meant to replace Money Plus Home and Business. Please note that Money Plus Sunset versions come preconfigured with:

  • No online services (no online quotes, no bill payment, no statement downloads initiated by Money, no data sync with MSN Money online services, etc…)
  • No support services (support services are limited to online self-help only, see Money Plus Sunset EULA and Microsoft’s Support Lifecycle pages for more details)
  • No need to activate the product.”

Don’t let all that scare you off.  You can still manually import transactions from banks (if they support MS Money or compatible formats) down into this version of MS Money to save time from hand-entering them.

Seriously…Microsoft is giving away Money for free.  Who would have ever thunk?

Google Sites

So a while back I was working on another side project and found some tips on using Google Sites to host files and other materials for downloading by your blog’s fans.  Sounded like a clever idea although I do have a handy and free Box.net account already with a few publicly shared folders like the one that contains reg.keys for enabling/disabling InPrivate Mode for IE 8.

Eventually I came back to Google Sites and figured it had enough features and such to be worthwhile to set up a basic GSD site page. Nothing there worth seeing for now, but in time I might be able to use it to make a more technically organized website of tips and such.

There are lots of pre-built templates to get started with.  I chose a “project tracking” format for some reason.   We’ll see what happens.

A Tiny, TinyApps Diversion

The succinct TinyApps bloggist has been hard at work finding “outside the box” solutions for external storage media and usages.

Get your crazy on with these amazing tips and hardware finds!

Of course, all the USB HDD talk has got me crazy thinking about other related items.

  • Into The Boxes: Issue 0×0 had a great tip from Don C. Weber on page 14 regarding re-purposing the controller/connector from external HDD enclosures.  Sure, toss (destroy/hammer) the bad 2.5” HDD, but keep the USB mini-port to SATA hardware adapter in your kit.  It’s a dead-simple way to access SATA drives and is a “green-recycling” solution to boot.

  • USB Boot Without BIOS Support – Kent Hall’s “What the….?” blog – Although most all “modern” BIOS systems support booting from external USB devices (properly configured of course), some hardware you encounter might not.  Chris’s trick involves using PLoP Boot Manager and RawWrite (if making a floppy) to create a bootable floppy/CD pre-booter if you will, that then leverages up the USB device to do the actual post-pre-booting from.  Not an everyday need but so simple it wouldn’t hurt to have such a boot-CD pre-crafted, just in case.  PLoP Boot Manager supports a number of features and is worth looking at even if this scenario doesn’t fit your need.

Free Firewalls for Windows

Currently, the Windows 7 firewalls and my own home router are providing me sufficient firewall protection for my comfort zone.  Maybe in a while I will revisit my Windows Firewall post roundup and see which ones still remain and if any new-comers of late are present.

In the meantime, snack on these….

Graphically Seen and Heard

  • RasterVect Softwarescan. – (freeware) – Great tool to convert raster images into vector formats.  See also Vector Magic which can “vectorize” bitmap images online for free or the $ desktop version.  I really love and depend on Vector Magic.

  • Bing’s Best-3, Windows 7 Themepack Released – The Windows Club.  I love to download these themepacks and extract the wallpapers from them.  I’ve got a massive wallpaper folder I run now with these best-of images.  Beautiful stuff.

Utility Gumbo.

It’s all in the pot today!

And the Browser Wars continue…. 

Whew!

Happy Father’s Day!

--Claus V.

Saturday, June 19, 2010

Slick Script solution for imagex DVD-based (or USB bootable-based) deployments

No worries dearest GSD blog friends.

I’ve been very busy, hard at work for the taxpayers of Texas who pay my salary, making sure they get the most bang-for-the-buck with their own hard-earned dollars.  Thank you kindly.

I’m also grounded on my primary system…the silly Gateway laptop.  Seems the DC plug fix about a year ago failed again in the past couple of months so now I’ve had to rig the laptop up on my desk…static-style…to keep it running.  Kinda defeats the purpose of a laptop.  However I’m not willing to invest another $250 in a 2nd solder repair.  So I’m negotiating with Lavie and doing some shopping/dream-system config-ing on the Dell site.  I’m bouncing back-n-forth between an Alienware system or a Studio 17 build.  I think the Alienware case is a bit cheezy for my tastes. I’m open to other suggestions as well. Looking around at $1,300 price point or so which still seems like a LOT of money to this penny-pincher.  Leaning to the Dell line as I’ve supported these at work for 10 years or so and they are very reliable and sturdy systems.  Loving my new Latitude E6400 system at work (though it is still running XP Pro).

Dream features:

Quad-core Intel i5 processor (or higher to 8 processor threads with an Intel i7 chip perhaps?), 6GB RAM, 500 GB SATA drive, 512-1GB video system. Blu-ray support and a true 1080 HD supported screen.  I really would hope to find a modular DC-plug solution such that if the jack fails, it’s not hard-mounted on the system-board.  This is a lot of fire-power but I do lots of virtualization and hope to crank up some higher-end digital video/photo processing work as well.  Besides…it may be the first chance I’ve had to actually design and select my very own laptop system, so as an investment, it makes sense to get something I really would be proud to use.

Only sticking thing is I have a pair of beautiful Samsung LCD screen monitors.  I’d love to find an internal video-card solution that would output to both, while still allowing use of the laptop monitor.  However I will probably have to consider a Matrox DualHead2Go: Three Monitors, One Laptop : The Matrox DualHead2Go type solution, which really wouldn’t be bad at all. (for self reference: Matrox Graphics - Products - Graphics eXpansion Module – DualHead2Go )

Anyway, I digress. On to this post’s “meat-n-potatoes”…

The Setup

As noted, our shop is beginning a round of system refreshes for our end users.  In the end we are looking at close to 1000+ systems.  Our sub 20-person team would be greatly challenged to deliver this so a vendor was contracted to assist.

The factory images are “fresh” but not out of the oven fresh.  So the vendor setup/migration times are running 2-4 hours per system.  I know. Right?  So one of the things we do to minimize migration time for our own techs is deploy the fresh-baked images I prepare for our systems.  These are fully updated with all MS and third-party software patches, as well as contain our own system tweaks that are done post-install.  As such we can deploy a system in less than 1 hour.

Typically we deploy the images using bootable USB HDD’s, manually feeding the disk-prep and image application commands.

I’ve always toyed with the idea of scripting the process but with close to ten different images, and different HDD system configurations it is a bit challenging.  So we’ve kept with the manual model for now.

One drawback is that if the techs aren’t paying attention to drive lettering in DiskPart, more than one has wiped the portable HDD they are serving the images from. Oops!

Imaging for the Vendor

However, we wanted to retain some control over the images provided to our vendor, and giving them the system images (2 system configurations at this point) on a HDD wasn’t a popular idea.  Luckily each image would fit on a DVD and handing out/collecting DVD’s is much easier than USB HDD…and much more durable.

So I did some research and came up with a slick scripted mix of command-line batch goodness, ImageX/Diskpart fun, and WinPE to boot; literally!

I found an elegant solution offered by Neil “Frawlz” Frawley on MS Windows Client TechCenter: Scripts to deploy imagex images.

He uses a series of batch files and a text file to automate the process.

I did have some issue with the version/commands offered in his 2007 version and the choice.exe file used at that time and the newer ones.  For lots of sources on additional “choice.exe” background check out this About choice.com and choice.exe page.

However, I eventually got it armed and working.

Construction

I did a stock WinPE 3.0 build in a winpe_x86 folder and added three additional folders under the “ISO” folder; “images”, “scripts”, and “tools”.

In the “images” folder I placed the WIM file for the particular system the DVD was designed for use in image deployment.

In the “scripts” folder I placed the “choice.exe” file I got working, a “deployimage_localimage.bat” file, a “deployimage_networkimage” file, a “diskpartcmds.txt” file and finally a “menu.bat” file.

The choice.exe file I used reports as 19.5 KB and dated 12/9/1994.  I have some more work to do on this but this one works for now.

Although pulling the WIM image file from the network or a USB drive could be supported, I’ve tweaked it a bit to just support the DVD-based local image disk prepping and imaging.

In the “tools” folder, just my “imagex.exe” file is present.

The menu.bat file consists of the following, slightly tweaked from Neil’s OEM script.  It is this batch file that is called once the PE reaches the CMD prompt.

Note: the blog template is doing some text-wrapping here so double check against Neil’s original and also copy/paste any actual batch scripts below into Notepad or your fav. text editor to ensure you get the full line formats.  Line-breaks in incorrect places can cause the processes to fail.

:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: SOE DEPLOY SCRIPT
::
:: Language     Win32/MS-DOS compatible Batch File
::
:: Title menu.bat
::
:: Parent:     
::
:: Purpose:     Displays a menu in Windows PE to deploy an imagex image
::
:: Comments: UFD stands for USB Flash Drive
::
:: Author: Neil Frawley
::
:: Version: 1.0
:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
@ECHO OFF

::VARIABLES
SET title=DEPLOY IMAGEX IMAGE MENU
SET script_dir=%0\..

:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: SECTION: Display Title
cls
ECHO %title%
ECHO.

:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: SECTION: Menu
ECHO Press the number to select the option
ECHO.
ECHO 1) DEPLOY IMAGEX IMAGE, IMAGE ON UFD OR DVD
ECHO 2) DEPLOY IMAGEX IMAGE, IMAGE ON NETWORK SHARE -- not supported
ECHO.

%script_dir%\choice /C:12

ECHO.
IF ERRORLEVEL 2 GOTO :NETWORK
IF ERRORLEVEL 1 GOTO :LOCAL

:LOCAL
%script_dir%\deployimage_localimage.bat
goto END

:NETWORK
%script_dir%\deployimage_networkimage.bat
goto END

:END

Then the “deployimage_localimage.bat” file gets called up

:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: SOE DEPLOY SCRIPT
::
:: Language     Win32/MS-DOS compatible Batch File
::
:: Title deployimage_localimage.bat
::
:: Parent: menu.bat
::
:: Purpose:     Deploy an imagex image, with the image being on a UFD or DVD
::
:: Comments: UFD stands for USB Flash Drive
::  This script could be run from a CD instead of a DVD, but it is unlikely the imagex image will fit on a CD
::
:: Author: Neil Frawley
::
:: Version: 1.0
:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
@ECHO OFF

::VARIABLES
SET title=DEPLOY IMAGEX IMAGE, IMAGE ON DVD OR UFD
SET script_dir=%0\..

SET diskpart_script=diskpartcmds.txt
SET local_drive=C:
SET image_name=imagenamehere.wim

:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: SECTION: Display Title
cls
ECHO %title%
ECHO.

ECHO Press the number to select the option
ECHO.
ECHO 1) I AM USING A DVD
ECHO 2) I AM USING A UFD -- not supported

ECHO.

%script_dir%\choice /C:12

IF ERRORLEVEL 2 GOTO :UFD
IF ERRORLEVEL 1 GOTO :DVD

:UFD
SET tools_drive=E:
SET image_path=E:\images
ECHO WinPE run from UFD
GOTO :PREP

:DVD
SET tools_drive=D:
SET image_path=D:\images
ECHO WinPE run from DVD
GOTO :PREP

:PREP
:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: SECTION: Prepare hard-drive
ECHO **** PREPARE HARDDRIVE ****
ECHO.
%script_dir%\choice /N "diskpart will now wipe the contents of your hard-drive erasing all data. Do you wish to continue?"
IF ERRORLEVEL 2 GOTO :END
diskpart /s %script_dir%\%diskpart_script%

:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: SECTION: Apply Image to hard-drive
ECHO **** APPLY IMAGE ****
:: Use the variables set above so image_name and the DVD/UFD choice take effect
%tools_drive%\tools\imagex.exe /apply %image_path%\%image_name% 1 %local_drive%\

:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: SECTION: Reboot computer
ECHO We are now ready to reboot the computer to continue system setup; remove DVD and
pause
ECHO **** REBOOT ****
wpeutil reboot

:END

Where the imagenamehere.wim matches the filename of your image WIM file located in the “images” sub-folder.

You will notice the clever bit is the call to the disk preparation text file “diskpartcmds.txt” which is the following:

select disk 0
clean
create partition primary
select partition 1
active
assign letter = C
format FS=NTFS quick
exit

You can pop over to the original link I provided to find the network imaging deployment batch file if you want.
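
The wiped-portable-HDD mishap mentioned under The Setup and the hard-coded “select disk 0” in diskpartcmds.txt share one blind spot: nothing checks what disk 0 actually is before “clean” runs. The guard below is an added example, not part of Neil’s scripts or the original post. The file name checkdisk0.bat is hypothetical, and it assumes an English diskpart whose “detail disk” output carries a “Type   : USB” style line, plus findstr.exe and a writable %TEMP% in the WinPE build.

```batch
:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: Added example - checkdisk0.bat (hypothetical name)
::
:: Purpose:  Refuse to continue to "diskpart clean" when disk 0 is
::           a USB device (i.e. probably the deployment media).
::
:: Assumes:  English diskpart output with a "Type   : <bus>" line,
::           findstr.exe present, %TEMP% writable (WinPE RAM disk).
::
:: Returns:  0 = disk 0 is not USB, 1 = disk 0 is USB,
::           2 = could not tell (treat as "do not wipe")
:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
@ECHO OFF
SETLOCAL

SET probe_script=%TEMP%\probe_disk0.txt
SET probe_out=%TEMP%\probe_disk0.out

:: Build a diskpart script that only selects and describes disk 0.
:: The redirection is written first so the trailing "0" in
:: "select disk 0" is not parsed as a file-handle number.
> "%probe_script%" ECHO select disk 0
>>"%probe_script%" ECHO detail disk
>>"%probe_script%" ECHO exit

diskpart /s "%probe_script%" > "%probe_out%"
IF ERRORLEVEL 1 (
    ECHO Could not query disk 0 - refusing to continue.
    EXIT /B 2
)

:: Show the operator exactly what is about to be wiped.
ECHO **** DISK 0 AS SEEN BY DISKPART ****
TYPE "%probe_out%"
ECHO.

:: findstr returns 0 on a match, so "IF NOT ERRORLEVEL 1" means "found".
findstr /I /R /C:"^Type *: *USB" "%probe_out%" > NUL
IF NOT ERRORLEVEL 1 (
    ECHO Disk 0 is a USB device - this looks like the deployment media.
    ECHO Aborting before "clean" is run.
    EXIT /B 1
)

:: No Type line at all means the output format is not what we expect;
:: fail closed rather than guess.
findstr /I /R /C:"^Type *:" "%probe_out%" > NUL
IF ERRORLEVEL 1 (
    ECHO No "Type" line found for disk 0 - refusing to guess.
    EXIT /B 2
)

ECHO Disk 0 is not on the USB bus. OK to proceed to diskpart clean.
EXIT /B 0
```

To wire it in, put CALL %script_dir%\checkdisk0.bat followed by IF ERRORLEVEL 1 GOTO :END in the :PREP section just ahead of the diskpart /s line, so any non-zero exit skips the wipe.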

Final Thoughts

Using an optical-based DVD source for the image does take a bit longer to access/copy the data rather than a portable HDD or flash-media based source.  So keep that in mind.  If you had a few 4-6 GB flash drives you could easily make them bootable and apply this solution to them instead.  DVD’s are relatively cheap and easy to make duplicates of.  And if one is damaged no biggie.  Plus you don’t have to worry about files getting overwritten!

I’m sure there are more sophisticated and elegant solutions.

Because you can “stack” images inside an imagex wim file, with some more work you could easily create a single wim file that could support multiple systems.  Then with some clever updates to the batch file and image-picker lines, you could call whichever image package you wanted from a single wim file.  Depending on how big your base image was and the add-on levels, it might not fit on even a DVD, but still, it would probably work out for an 8-16 GB flash drive; and be crazy-easy on a bootable USB HDD drive.

Pretty cool…

Claus V.