The Oven

Project World => Win10PE SE HomePage => Topic started by: chatdean on September 13, 2017, 06:48:53 AM

Title: Phantom drives appearing when booting as WinFE(Forensic)
Post by: chatdean on September 13, 2017, 06:48:53 AM
I keep getting four phantom drives appearing when I make a build using the WP.SCRIPT (Write Protect) that makes the build forensically sound. The phantom drives are always V, W, Y, and Z. (X is the normal build drive.) The drives match the size of my boot USB thumb drive, but have question marks next to them until I mount the boot USB thumb drive. Then they all mirror the actual USB thumb drive contents. Any thoughts or suggestions?
Title: Re: Phantom drives appearing when booting as WinFE(Forensic)
Post by: bob.omb on September 13, 2017, 09:08:54 AM
I'm just one of your peers here to learn but 2 heads are better than one.. Which shell are you using? Which build of Win10? Did this work on a previous PE for you? (If so I assume same settings used?) Are you using the CD Drive X: Y:.script? Love to help you figure this out if possible but need more input =) Which -other- scripts are you using?
Title: Re: Phantom drives appearing when booting as WinFE(Forensic)
Post by: chatdean on September 13, 2017, 11:39:27 AM
Everything works fine with W8.1 builds. Using all same settings in 10. Using latest W10 Pro ISO.
Title: Re: Phantom drives appearing when booting as WinFE(Forensic)
Post by: bob.omb on September 13, 2017, 01:20:53 PM
What does it say in the registry when you see the phantom drives at the below location?

HKLM\SYSTEM\MountedDevices
Title: Re: Phantom drives appearing when booting as WinFE(Forensic)
Post by: chatdean on September 14, 2017, 02:37:15 AM
It just lists the X: drive as \DosDevices\X:

Like I said, phantoms!  :smile:

Even after I mount the internal drive and the boot USB drive, the registry only lists the actual drives, not the phantom drives.

However, in Explorer all of the phantom drives mirror the boot USB drive in contents, name, size, and status (RO or RW). If I copy a file to the boot USB drive (G: in my case), all of the phantom drives update at the same time with the same data. Same thing happens when I copy or delete a file from a phantom drive: the boot USB (G:) and all phantom drives match the action.
Title: Re: Phantom drives appearing when booting as WinFE(Forensic)
Post by: chatdean on September 15, 2017, 05:56:54 AM
Update more testing:

- I created a W10PE USB thumb drive and booted my test system. As expected, everything normal, no phantom drives.
- I applied the two registry edits manually:
--Computer\HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\partmgr\Parameters\SanPolicy\0x00000003
--Computer\HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\mountmgr\NoAutoMount\0x00000001
- I unmounted both the internal HD and the USB Boot W10PE drive.
- When I opened Explorer, the phantom drives appeared.
- When I remounted the W10PE USB Thumb drive, the phantom drives mirrored the USB drive again!

This is definitely a wp.script issue that is far above my abilities to decode. Any help would be greatly appreciated!
Title: Re: Phantom drives appearing when booting as WinFE(Forensic)
Post by: Lancelot on September 16, 2017, 03:40:15 AM
This is definitely a wp.script issue that is far above my abilities to decode. Any help would be greatly appreciated!
There is no wp.script plugin on our servers or project.

We do not have a project with name W10PE or WinFE


**
On Win10PESE and all other SE projects

Finals\'Optimization' plugin have option with name:

"Don't mount local harddrives"

-->
nothing "forensic", you simply do not mount local harddrives to avoid the possibility of Windows writing to the harddisk,
 and inspect the harddisk with related tools.
  It is one of the reasons for using PE since BartPE.


You can test this option and report things if you like.

:turtle:
Title: Re: Phantom drives appearing when booting as WinFE(Forensic)
Post by: bob.omb on September 16, 2017, 05:17:50 AM
I would still like to try. Can you attach the wp.script?
Title: Re: Phantom drives appearing when booting as WinFE(Forensic)
Post by: chatdean on September 18, 2017, 05:02:09 AM
I have tried the option you suggest, but I still get the phantom drives.

I have worked with ChrisR on this issue back under W7 and W8. I've attached the wp.script for your review.

The WP Scripts.7z file contains two versions: the original version is wp.script, and the version that was modified by ChrisR is WP2.script.
Title: Re: Phantom drives appearing when booting as WinFE(Forensic)
Post by: chatdean on September 19, 2017, 05:16:42 AM
On Win10PESE and all other SE projects

Finals\'Optimization' plugin have option with name:

"Don't mount local harddrives"


I looked at the script text and that option is using the same two registry mods that the WP.SCRIPT uses. Explains why I'm getting the same results.

I need to use the script as it puts a WP Tool on the desktop that allows the unmounted drives to be mounted as read only. That way the drive can be triaged without altering the contents.
Title: Re: Phantom drives appearing when booting as WinFE(Forensic)
Post by: Lancelot on September 19, 2017, 08:57:31 AM
On Win10PESE and all other SE projects

Finals\'Optimization' plugin have option with name:

"Don't mount local harddrives"


I looked at the script text and that option is using the same two registry mods that the WP.SCRIPT uses. Explains why I'm getting the same results.

I need to use the script as it puts a WP Tool on the desktop that allows the unmounted drives to be mounted as read only. That way the drive can be triaged without altering the contents.

Create a plugin with
Utils\PC Packed
using WProtect.exe attached to wp old scripts.

This will give you option to put shortcut to desktop.
and side by side with
Finals\'Optimization'  "Don't mount local harddrives"
you may get the thing you are after.


***
Or you can check the internet for tools to mount drives as read only.

Still same road:
Utils\PC Packed
and
Finals\'Optimization'  "Don't mount local harddrives"


***
Or
with
Finals\'Optimization'  "Don't mount local harddrives"
use diskpart to mount drives as read only
(check google - diskpart mount drive as read only  )

:turtle:
Title: Re: Phantom drives appearing when booting as WinFE(Forensic)
Post by: chatdean on September 20, 2017, 04:21:11 AM
Both the script and the "don't mount" option still result in the phantom drives, which is the original reason for my post. I've been searching for a cause and have found others with the Phantom drive problems in regular W10 installs. I've also been looking for a Windows utility that will unmount any drive that is not currently attached.

It's odd that Explorer displays these Phantom drives but device manager, the registry,  and disk management do not. Could this be an Explorer bug?


UPDATE:
I created a new build with the wp.script and included Explorer++, Total Commander, and Explorer_Q-Dir. All of the apps displayed the phantom drives with ? marks as usual. Registry, Device Manager, and Disk Management did not list the phantom drives.

BTW, the phantom drives start with U:, V:, W:, Y: and Z:, for a total of 5 phantom drives.
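
An added diagnostic example, not part of any post in this thread: it reads the two registry values listed in the September 15 post, then compares the drive letters Windows reports against the `\DosDevices\` entries under HKLM\SYSTEM\MountedDevices, which is the mismatch described in the post above. It assumes PowerShell is included in the PE build.

```powershell
# Added example (not from the thread). Assumes PowerShell is available in the PE build.
# Registry paths and expected values are the ones quoted in the September 15 post.
$svc = 'HKLM:\SYSTEM\ControlSet001\Services'
$checks = @(
    @{ Path = "$svc\partmgr\Parameters"; Name = 'SanPolicy';   Want = 3 },
    @{ Path = "$svc\mountmgr";           Name = 'NoAutoMount'; Want = 1 }
)

# 1) Confirm the write-protect related values are actually set in the running build.
$checks | ForEach-Object {
    $c    = $_
    $item = Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue
    $have = if ($item) { $item.($c.Name) } else { $null }
    [pscustomobject]@{
        Value    = $c.Name
        Expected = $c.Want
        Actual   = if ($null -eq $have) { '<not set>' } else { $have }
        Match    = ($have -eq $c.Want)
    }
} | Format-Table -AutoSize

# 2) Drive letters the mount manager has recorded (value names like \DosDevices\X:).
$recorded = (Get-Item 'HKLM:\SYSTEM\MountedDevices').GetValueNames() |
    ForEach-Object {
        if ($_ -match '^\\DosDevices\\([A-Za-z]):$') { $Matches[1].ToUpper() }
    }

# 3) Drive letters Windows reports to applications, flagged when the registry
#    has no matching \DosDevices\ entry. Size and label are read only when the
#    drive is ready, because querying a not-ready drive throws.
[System.IO.DriveInfo]::GetDrives() | ForEach-Object {
    $letter = $_.Name.Substring(0, 1).ToUpper()
    [pscustomobject]@{
        Letter           = "${letter}:"
        Type             = $_.DriveType
        Ready            = $_.IsReady
        Label            = if ($_.IsReady) { $_.VolumeLabel } else { '' }
        SizeBytes        = if ($_.IsReady) { $_.TotalSize } else { $null }
        InMountedDevices = ($recorded -contains $letter)
    }
} | Format-Table -AutoSize
```

Saving this output before and after mounting the boot USB drive gives a record of which letters appear without a MountedDevices entry and whether their size and label track the USB drive.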
Title: Re: Phantom drives appearing when booting as WinFE(Forensic)
Post by: Lancelot on September 21, 2017, 12:49:11 AM
I've been searching for a cause and have found others with the Phantom drive problems in regular W10 installs.
Good to know.
So issue is not about Win10PESE but Windows

Only phantom drive I know is "fake floppy drive" from old days.  :wink:

I've also been looking for a Windows utility that will unmount any drive that is not currently attached.
see command line utility:
mountvol
available on all projects via
Components\"CMD Adds" plugin
Related:
Downloads\ComponentsY\Tweaks\"Remove Floppy ALL Mount Point 'BL MountVol'"

It's odd that Explorer displays these Phantom drives but device manager, the registry,  and disk management do not. Could this be an Explorer bug?
probably.


***
Main reason behind using
Finals\"Optimizations" plugin "Don't mount local hard drives" is to inspect disks with relevant disk utilities.

From your posts I guess main trouble comes with "USB connected" drive where you boot Win10PESE
 which produces "phantom drives" following reverse drive letter order for whatever reason ????

  --> other than cosmetic, this does not affect your inspecting local hard drives with whatever disk utility you use.


Just an idea:
Use:
Win10PESE\Build\"CdDrive - X: - Y:" --> "Disable plugin and Reset to Default settings"
then create your bootable "Win10PESE" usb flash, and test again.
do phantom drives appear again ????
Title: Re: Phantom drives appearing when booting as WinFE(Forensic)
Post by: chatdean on September 23, 2017, 11:35:25 AM
Tried your suggestion:  Win10PESE\Build\"CdDrive - X: - Y:" --> "Disable plugin and Reset to Default settings"

No change, Phantom drives still present.

BTW, the Floppy drive script returns an error as file not found when it attempts to download the script.

I'm going to start the validation process and see if it will pass. I'll let you know.

And Thank you all very much for your suggestions!
Title: Re: Phantom drives appearing when booting as WinFE(Forensic)
Post by: Lancelot on September 24, 2017, 02:07:54 AM
Related:
Downloads\ComponentsY\Tweaks\"Remove Floppy ALL Mount Point 'BL MountVol'"

returns an error as file not found when it attempts to download

Plugin downloads fine here.
See Tutorial:
Adding 3rd party plugins: \Downloads\ - MyPlugins_Direct - Yomi
http://theoven.org/index.php?topic=1236.0