Topic: Execution or filecopy before registry loads (immediately after wim) - Win10PESE

bob.omb

Is this possible?

Trying to create optional "Do/Don't Mount Local drives" on boot - Is there any way to copy a file or execute a file before system registry hives load?

Thinking of a ForensicMode file on root (empty file with no extension that just exists), with an IfExist or something similar to copy a system hive that doesn't automount if the file is there BEFORE the system boots up.

Was tinkering around with adding values while logging in as admin to pecmdext.ini but the system mounts the drives before this as the system hive is loaded before admin logon. It defeats the point because it loads the drives and updates the NTFS timestamp before it can be disabled.

This option has been requested several times here and on my release page so I think it's worth looking into making an option that isn't permanent and doesn't require editing the WIM.


Lancelot

Try
Finals\Optimization plugin -> enable Don't mount local harddrives

I guess it should not change ntfs time stamp. ???

*
Regarding your question:
As far as I know the system hive must be loaded.

Maybe! After NTFS drivers are loaded (or simply after you can access NTFS),
before the timestamp update,
you can have an application for early start.
ex: the famous CHKDSK
There are very few utilities like that due to the limited environment.
tip:
google "procmon early start"
--> will give you a clue how to implement early start.
tip:
Gena has an Early starter plugin for a similar goal (not related to NTFS) but development ended.
The plugin may give you some ideas.


+
also check bootloader capabilities on early boot things ex: grub4dos.

:turtle:

bob.omb

First I am trying optimizations>Do not mount local drives (Checked)

Then...

Created batch file(%Windir%\System32\AutoMount.CMD):
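Code:
@ECHO OFF
CLS
REM Turn automounting back on: drop the NoAutoMount flag in mountmgr
REG DELETE "HKLM\SYSTEM\ControlSet001\services\mountmgr" /v NoAutoMount /f
REM The values below are DWORDs, so they are written as REG_DWORD (not REG_SZ)
REM SanPolicy 1 = bring all disks online
REG ADD "HKLM\SYSTEM\ControlSet001\services\partmgr\Parameters" /v SanPolicy /t REG_DWORD /d 1 /f
REG ADD "HKLM\SYSTEM\ControlSet001\Control\FileSystem" /v DisableDeleteNotification /t REG_DWORD /d 0 /f
REM Start volmgrx automatically (Start=2), as a delayed auto-start service
REG ADD "HKLM\SYSTEM\ControlSet001\services\volmgrx" /v Start /t REG_DWORD /d 2 /f
REG ADD "HKLM\SYSTEM\ControlSet001\services\volmgrx" /v DelayedAutoStart /t REG_DWORD /d 1 /f
EXIT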

Then...

Inside pecmdEXT.ini on USB root:
Code:
CALL ForensicMode

////////////////////////////////////////////////////////////////////////////////////////////////
_SUB ForensicMode

// Forensic Mode: Disables AutoMounting of local disks
// Add // to the beginning of the below line to turn Forensic Mode ON (Remove them to turn it back OFF)
EXEC != %WinDir%\System32\AutoMount.CMD

_End
////////////////////////////////////////////////////////////////////////////////////////////////

When build is complete I'll let you know...

*Update----Build Complete

No luck. There appears to be an issue with the "Do not mount local drives" checkbox. It causes PE to show phantom drives and strange behavior. ALSO it definitely still accesses drives :confused: I'll look into keys for this when I resolve my original issue. I saw this on another thread; if I find an answer I'll post it there (and update its location in here).

For now more research....
« Last Edit: December 27, 2017, 11:06:01 AM by bob.omb »
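
An added example, not part of the posts above and not Win10PESE's own code: a batch check to run inside the booted PE that reports whether the automount settings named in this thread are actually in effect. The key paths and value names are those in the posted batch file; the script name, the REG_DWORD expectation and the SanPolicy meanings in the comments are assumptions taken from Microsoft's documented values.

```batch
@ECHO OFF
SETLOCAL ENABLEEXTENSIONS
REM Added example (hypothetical name: CheckMount.CMD). Run inside the booted PE.
REM Key paths and value names come from the batch file posted in this thread.
SET "MM=HKLM\SYSTEM\ControlSet001\services\mountmgr"
SET "PM=HKLM\SYSTEM\ControlSet001\services\partmgr\Parameters"
SET "RC=0"

CALL :ReadValue "%MM%" NoAutoMount NAM_TYPE NAM_DATA
CALL :ReadValue "%PM%" SanPolicy SAN_TYPE SAN_DATA
ECHO NoAutoMount: type=%NAM_TYPE% data=%NAM_DATA%
ECHO SanPolicy:   type=%SAN_TYPE% data=%SAN_DATA%

REM Both values are documented as DWORDs; flag a missing value or another type.
IF /I NOT "%NAM_TYPE%"=="REG_DWORD" (ECHO [!] NoAutoMount missing or not REG_DWORD& SET "RC=1")
IF /I NOT "%SAN_TYPE%"=="REG_DWORD" (ECHO [!] SanPolicy missing or not REG_DWORD& SET "RC=1")

REM NoAutoMount=1 tells mountmgr not to assign letters to new volumes.
IF NOT "%NAM_DATA%"=="0x1" (ECHO [!] NoAutoMount is not 1: automount is enabled& SET "RC=1")

REM SanPolicy: 1 OnlineAll, 2 OfflineShared, 3 OfflineAll, 4 OfflineInternal.
SET "SAN_OFFLINE=0"
IF "%SAN_DATA%"=="0x3" SET "SAN_OFFLINE=1"
IF "%SAN_DATA%"=="0x4" SET "SAN_OFFLINE=1"
IF "%SAN_OFFLINE%"=="0" (ECHO [!] SanPolicy leaves internal disks online& SET "RC=1")

REM Show what actually received a drive letter (X: is the PE RAM disk).
ECHO Drive letters currently assigned:
MOUNTVOL | FINDSTR /R /C:"^ *[A-Z]:"

IF "%RC%"=="0" (ECHO [ok] registry policy matches a no-automount boot) ELSE (ECHO [!] policy would allow local volumes to mount)
EXIT /B %RC%

:ReadValue
REM Args: key, value name, variable to receive the type, variable to receive the data
SET "%3=MISSING"
SET "%4=MISSING"
FOR /F "tokens=1,2,3" %%A IN ('REG QUERY %1 /v %2 2^>NUL ^| FINDSTR /I /C:"%2"') DO (
    SET "%3=%%B"
    SET "%4=%%C"
)
EXIT /B 0
```

The script only reports the configured policy and the assigned letters; it does not prove that no write reached a disk, so timestamps on the evidence volume still need to be checked separately.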

 
