Messages - chatdean

1
The utility I am referring to is WinBuilder.

2
To answer your and Lancelot's questions and comments.

WinFE is the term Microsoft came up with back when Troy Larsen first came up with the registry mods that do not mount internal drives. WinFE is a normal WinSE/PE build with the write protect script added to make it not mount internal drives, plus adds the Writeprotect tool written by Colin Ramsden, which allows you to mount internal drives as read only after booting.

The validation process I was talking about is a documented series of tests that verify that the WinFE USB will boot the system without mounting drives and once the internal drives are mounted as read only, they are still protected from alteration by the OS and a variety of forensic utilities commonly used from a WinFE drive.

As to your comment about commercial use, not part of my work. I train law enforcement for free teaching them how to build their own WinFE using their own licensed copy of the OS and forensic utilities. My courses are specific to investigations involving children, including abuse, exploitation, and abduction.

In a way, your assistance has an impact in saving many children from dangerous abusing situations, all over the world. I thank you for your assistance.

3

As promised, I've completed the validation process for WinFE10 and it does validate. WinFE10 is a forensically sound platform even though the phantom drives are present.

I am having problems with one tool used by law enforcement for triage purposes that will not run in WinFE10, but works fine in WinFE8? More research required.

Thanks again for all of your help and suggestions, not to mention such an outstanding utility!

4
Tried your suggestion:  Win10PESE\Build\"CdDrive - X: - Y:" --> "Disable plugin and Reset to Default settings"

No change, Phantom drives still present.

BTW, the Floppy drive script returns an error as file not found when it attempts to download the script.

I'm going to start the validation process and see if it will pass. I'll let you know.

And Thank you all very much for your suggestions!

5
Both the script and the "don't mount" option still result in the phantom drives, which is the original reason for my post. I've been searching for a cause and have found others with the Phantom drive problems in regular W10 installs. I've also been looking for a Windows utility that will unmount any drive that is not currently attached.

It's odd that Explorer displays these Phantom drives but device manager, the registry, and disk management do not. Could this be an Explorer bug?


UPDATE:
I created a new build with the wp.script and included Explorer++, Total Commander, and Explorer_Q-Dir. All of the apps displayed the phantom drives with ? marks as usual. Registry, Device Manager, and Disk Management did not list the phantom drives.

BTW, the phantom drives start with U:, V:, W:, Y: and Z:, for a total of 5 phantom drives.

6
On Win10PESE and all other SE projects

Finals\'Optimization' plugin have option with name:

"Don't mount local harddrives"


I looked at the script text and that option is using the same two registry mods that the WP.SCRIPT uses. Explains why I'm getting the same results.

I need to use the script as it puts a WP Tool on the desktop that allows the unmounted drives to be mounted as read only. That way the drive can be triaged without altering the contents.

7
I have tried the option you suggest, but I still get the phantom drives.

I have worked with ChrisR on this issue back under W7 and W8. I've attached the wp.script for your review.

The WP Scripts.7z file contains two versions, the original version is wp.script. The version that was modified by ChrisR is WP2.script

8
Update more testing:

- I created a W10PE USB thumb drive and booted my test system. As expected, everything normal, no phantom drives.
- I applied the two registry edits manually:
--Computer\HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\partmgr\Parameters\SanPolicy\0x00000003
--Computer\HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\mountmgr\NoAutoMount\0x00000001
- I unmounted both the internal HD and the USB Boot W10PE drive.
- When I opened Explorer, the phantom drives appeared.
- When I remounted the W10PE USB Thumb drive, the phantom drives mirrored the USB drive again!

This is definitely a wp.script issue that is far above my abilities to decode. Any help would be greatly appreciated!

9
It just lists the X: drive as \DosDevices\X:

Like I said, phantoms!  :smile:

Even after I mount the internal drive and the boot USB drive, the registry only lists the actual drives, not the phantom drives.

However in Explorer all of the Phantom drives mirror the boot USB drive, in contents, name, size, and status(RO or RW). If I copy a file to the boot USB drive (G: in my case), all of the phantom drives update at the same time with the same data. Same thing happens when I copy or delete a file from a phantom drive, the boot USB (G:) and all phantom drives match the action.
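
The checks described in posts 8 and 9, as an added example that is not part of the original posts or of wp.script: it reads back the two registry values and lists drive letters that applications can see but the mount manager has not recorded. It assumes PowerShell is available in the booted build and that the registry listing mentioned above is HKLM\SYSTEM\MountedDevices.

```powershell
# Added example (not from the thread). Run in an elevated PowerShell session
# inside the booted build; assumes the WinPE PowerShell component is present.

# The two values quoted in post 8, under the ControlSet001 paths it gives.
$expected = @(
    @{ Key = 'HKLM:\SYSTEM\ControlSet001\Services\partmgr\Parameters'; Name = 'SanPolicy';   Want = 3 },
    @{ Key = 'HKLM:\SYSTEM\ControlSet001\Services\mountmgr';           Name = 'NoAutoMount'; Want = 1 }
)

$policy = foreach ($e in $expected) {
    $prop = Get-ItemProperty -Path $e.Key -Name $e.Name -ErrorAction SilentlyContinue
    $have = if ($prop) { $prop.($e.Name) } else { $null }
    [pscustomobject]@{
        Value    = $e.Name
        Expected = $e.Want
        Actual   = $have
        Ok       = ($have -eq $e.Want)   # a missing value counts as a failure
    }
}
$policy | Format-Table -AutoSize

# Drive letters the mount manager has recorded (assumption: the registry
# listing mentioned in post 9 is HKLM\SYSTEM\MountedDevices).
$prefix   = '\DosDevices\'
$recorded = (Get-Item 'HKLM:\SYSTEM\MountedDevices').GetValueNames() |
    Where-Object { $_.StartsWith($prefix) } |
    ForEach-Object { $_.Substring($prefix.Length).ToUpper() }

# Drive letters the Win32 layer reports, which is what file managers enumerate.
$drives = [System.IO.DriveInfo]::GetDrives()

# Letters visible to applications but absent from the mount manager's list.
$unrecorded = foreach ($d in $drives) {
    $letter = $d.Name.TrimEnd('\').ToUpper()
    if ($recorded -notcontains $letter) {
        [pscustomobject]@{
            Letter    = $letter
            DriveType = $d.DriveType
            IsReady   = $d.IsReady
        }
    }
}

"Recorded by mount manager: $($recorded -join ', ')"
"Visible but not recorded:"
$unrecorded | Format-Table -AutoSize
```

Letters created with subst or as network mappings are also absent from MountedDevices, so an entry in the second table is a lead to investigate rather than proof of a fault.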

10
Everything works fine with W8.1 builds. Using all same settings in 10. Using latest W10 Pro ISO.

11
I keep getting four phantom drives appearing when I make a build using the WP.SCRIPT (Write Protect) that makes the build forensically sound. The phantom drives are always V, W, Y, and Z. (X is the normal build drive.) The drives match the size of my boot USB thumb drive, but have question marks next to them until I mount the boot USB thumb drive. Then they all mirror the actual USB thumb drive contents. Any thoughts or suggestions?

12
Win8.1 SE HomePage / Java in Win8.1 SE?
« on: July 23, 2015, 10:24:38 AM »
Does the current Win8.1 SE build include Java?
Or is there a script available to add it?

13
Win8.1 SE HomePage / Re: DotNet script error
« on: December 04, 2014, 07:13:24 AM »
Thank you, that fixed the error I was seeing!
Again, great work on a wonderful product that is so useful to so many!
Thank you and all of the contributors!

14
Win8.1 SE HomePage / Re: DotNet script error
« on: November 26, 2014, 07:10:58 AM »
Forgot to mention that I am using the current DotNet.script file.

15
Win8.1 SE HomePage / DotNet script error
« on: November 26, 2014, 07:09:45 AM »
First thanks to all of you that have shared your knowledge and skills to make these projects so successful!!!

I've been successfully building Win81SE USB drives for some time now, but I always get one error message that I cannot figure out. It involves the implementation of DotNet 2.0-4.5.
Here's a portion of the log file with the error:
                                           Run - Processed section [Call_DirCopy_P] in file: [%BaseDir%\Projects\Win8.1SE\Build\Macro_Library.script]
                                     Run - Processed section [Call_DirCopy] in file: [%BaseDir%\Projects\Win8.1SE\Build\Macro_Library.script]
                               Run - Processed section [CallC_DirCopy] in file: [%BaseDir%\Projects\Win8.1SE\Build\Macro_Library.script]
                         Run - Processed section [_CenterCa] in file: [%BaseDir%\Projects\Win8.1SE\Build\Macro_Library.script]
                         [Success] IF - Directory does not exist: [%BaseDir%\Target\Win8.1SE\Program Files (x86)\Reference Assemblies\Microsoft,FileCopy,%BaseDir%\Mount\Win8.1SE\Source\InstallWimSrc\Program Files (x86)\Reference Assemblies\*] evaluated string: [If,Not,ExistDir,"%RefAssemblyFolder_x86%\Microsoft,FileCopy,%InstallSRC%\Program Files (x86)\Reference Assemblies\*",%RefAssemblyFolder_x86%]
                        [Warning] Unrecognized command: [%RefAssemblyFolder_x86%]
                   Run - Processed section [CopyNet3.0Assembly64] in file: [%BaseDir%\Projects\Win8.1SE\Components\DotNet.script]
                   [Info] Copy DotNet 4.0/4.5 64Bit Assemblies...

16
Win8.1 SE HomePage / Re: Mouse and Keyboard not working
« on: August 05, 2014, 10:56:49 AM »
Sorry for the late response, but you can create a UEFI/BIOS compatible bootable USB drive with Rufus. It uses FreeDOS by default. I have several that I use old DOS based utilities on for data recovery.  http://rufus.akeo.ie/

17
Win8.1 SE HomePage / Re: Broken script
« on: March 19, 2014, 06:49:41 AM »
ChrisR,

Thank you! The app now loads successfully.

Question:
The two regedits that employ Troy Larsen's write protect, write protect all drives, including the USB used to boot the system. This causes errors as the balance of the boot from the USB is blocked. In W7 and W8.0 builds Colin Ramsden's WP tool loaded before the desktop executed, so I could remount the USB drive and the boot process continued successfully. Is there a way to get the WP tool to load before the desktop in W8.1, so I can remount the USB drive and attain a successful boot?

Thanks again for your work on this!

18
Win8.1 SE HomePage / Broken plugin
« on: March 18, 2014, 10:22:51 AM »
Greetings to the group. First, thank you all for the fantastic work you are doing on the various Win projects. Amazing tools!!!

I've been using a script created by Colin Ramsden and Royal Meier to add write protection to a build. This allows for accessing systems without altering the internal drives. The script, Wprotect.script, has worked in the W7 and W8 versions with Winbuilder. However, with the W8.1SE project, the application, Wprotect.exe, does not load at system start. This failure causes the USB drive to not mount and the normal load process does not happen.

Here are the lines of script I believe normally cause the app to load at system start:
// Patch Winpeshl.ini
TXTReplace,%target_sys%\winpeshl.ini,[LaunchApps],#$qWProtect.exe#$q
TXTAddLine,%target_sys%\winpeshl.ini,[LaunchApps],PREPEND

Any suggestions would be greatly appreciated!
