Wednesday 17 May 2023

Add WinPE to your USB boot drive for Secure Boot

In some situations you may need to UEFI Secure Boot a multiboot USB drive such as a Ventoy or E2B USB drive. However, multiboot USB drives such as Ventoy and Easy2Boot do not fully support direct UEFI x86 64-bit Secure Booting because the \EFI\BOOT\BOOTX64.EFI is not signed (and will never be signed, because the code is by its very nature insecure: it allows us to boot from all sorts of insecure ISOs, VHDs, IMG files, etc.).

You may often come across a system which has been set to Secure Boot where you are unable to disable Secure Boot in the BIOS settings. Some solutions such as Ventoy will prompt you (via MokManager) to add a 'whitelist' certificate key for the insecure EFI boot file; however, MokManager does not seem to run on many systems, and even if it does, by adding a new key you are making the target system insecure, so you must remember to remove the Ventoy key afterwards.

However, you can always Secure Boot to WinPE because the boot file is signed by Microsoft. Once booted to WinPE you can run any software you like!

Note that WinSetupFromUSB is a multiboot solution that does allow you to directly Secure Boot and run Windows/WinPE payloads (but not Linux-based payloads).

WinPE

WinPE is a cut-down Windows OS that is intended to be used for Windows pre-installation and recovery purposes. You can get a 32-bit WinPE and a 64-bit WinPE.

In its basic form, WinPE does not support WoW64, so a 64-bit WinPE will not be capable of running 32-bit Windows applications. However, WoW64 components can be added to WinPE64 and then it will run most 32-bit Windows applications as well as 64-bit applications.

An easy way to check if a WinPE supports WoW64 is to boot to a 64-bit version of WinPE and run a 32-bit .exe from a USB drive - e.g. \_ISO\SWITCH_E2B.exe from an E2B USB drive. If it does not run then WoW64 is not fully supported.

Since WinPEs are UEFI-booted using the signed BOOTX64.EFI file from Microsoft, 99.9% of modern UEFI systems should boot to WinPE without any modification to the BIOS settings or non-volatile RAM on the target system (assuming that USB booting is enabled).

Add Secure UEFI Booting

Unlike legacy/BIOS booting, which requires boot code to be written to the boot sectors or partition boot record of a USB drive before it can legacy boot, UEFI boot is much easier to set up. For UEFI64 Secure or insecure booting, all that is required is a formatted FAT partition on a USB drive (FAT12, FAT16 or FAT32 is allowed, but not exFAT, NTFS, ext2/3/4, etc.) and the initial EFI boot file, which must be at \EFI\BOOT\BOOTX64.EFI. Other files are usually also required, but all files can simply be copied onto the FAT partition without needing any special utility to write boot code, i.e. typically we can add a new partition to any USB drive as follows:

  1. Create a new FAT32 partition on a USB drive. Use a tool such as Easeus Partition Master or MiniTool Partition Wizard if you need to shrink an existing partition. Make sure the new FAT32 partition is a PRIMARY partition (check Advanced options in case LOGICAL has been auto-selected) and that it is large enough to hold all the WinPE files which you will extract from an ISO. For E2B, this means creating a FAT32 Partition 3 on your E2B USB drive. Note that Windows will only allow a FAT32 partition of 32GB maximum, so you must keep the size below 32GB.
  2. Extract the files from your WinPE ISO directly to the new FAT32 partition. Make sure you have a \EFI\BOOT folder (amongst others) which should at least contain a BOOTX64.EFI file. Note: Your AV software may give warnings about many of the files as they are unpacked and copied!
  3. To UEFI boot from the new partition, connect the USB drive to the target system, switch it on and press the BIOS Boot Selection hotkey (e.g. F8 on most Asus systems). Now select your FAT32 USB partition from the list presented.
If you want to legacy boot to the new partition, you should be able to use the legacy E2B or agFM menu system to boot to a boot file such as bootmgr or select a bootable .wim file (e.g. \sources\boot.wim).
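As an added check (not part of the original post or of E2B), this PowerShell script verifies that a partition prepared by the steps above meets the UEFI Secure Boot requirements: FAT file system, primary, under 32GB, and a \EFI\BOOT\BOOTX64.EFI whose Authenticode signature is valid and issued by Microsoft. The drive letter $DriveLetter is an assumed placeholder.

```powershell
# Added example (not from the Easy2Boot blog): sanity-check a FAT32 partition
# prepared for UEFI64 Secure Boot. Run from an elevated PowerShell on Windows.
# $DriveLetter is an assumed placeholder for the new partition's drive letter.
param([string]$DriveLetter = 'F')

$root = "${DriveLetter}:\"
$vol  = Get-Volume -DriveLetter $DriveLetter -ErrorAction Stop
$part = Get-Partition -DriveLetter $DriveLetter -ErrorAction Stop

# 1. UEFI firmware only reads FAT (FAT12/16/32), never NTFS or exFAT.
if ($vol.FileSystem -notin @('FAT', 'FAT32')) {
    Write-Warning "File system is $($vol.FileSystem); UEFI needs FAT12/16/32."
}
# 2. Windows' own formatter caps FAT32 volumes at 32GB.
if ($part.Size -gt 32GB) {
    Write-Warning "Partition is larger than 32GB; Windows cannot format it as FAT32."
}
# 3. On an MBR disk the partition must be PRIMARY, not LOGICAL.
if ($part.Type -eq 'Logical') {
    Write-Warning "Partition is LOGICAL; recreate it as a PRIMARY partition."
}
# 4. The firmware looks for the fallback loader at exactly this path.
$efi = Join-Path $root 'EFI\BOOT\BOOTX64.EFI'
if (-not (Test-Path $efi)) {
    Write-Warning "$efi is missing; extract the WinPE ISO to the partition first."
    return
}
# 5. Secure Boot only runs a loader whose Authenticode signature chains to a
#    certificate in the firmware's db; for WinPE that is Microsoft's.
$sig = Get-AuthenticodeSignature -FilePath $efi
if ($sig.Status -ne 'Valid') {
    Write-Warning "BOOTX64.EFI signature status is $($sig.Status); Secure Boot will reject it."
} elseif ($sig.SignerCertificate.Subject -notmatch 'Microsoft') {
    Write-Warning "BOOTX64.EFI is signed by $($sig.SignerCertificate.Subject), not Microsoft."
} else {
    Write-Output "OK: $efi is signed by $($sig.SignerCertificate.Subject)"
}
```

An unsigned loader such as the one on a Ventoy or E2B drive reports a Status of NotSigned here, which is exactly why those drives cannot Secure Boot directly.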

Useful WinPEs

  1. Microsoft's Windows PE: Build a lightweight version of Windows that can be used for deployment and recovery purposes. It can be used to create a bootable media on a USB drive that includes a range of diagnostic and repair tools. Download link: https://docs.microsoft.com/en-us/windows-hardware/manufacture/desktop/winpe-create-usb-bootable-drive. You will need to add WoW64 components if you want to run 32-bit apps however.
  2. AOMEI PE Builder: A free tool that can be used to create a WinPE-based bootable media on a USB drive. The bootable media includes a range of recovery and diagnostic tools. Download link: https://www.aomeitech.com/pe-builder.html

    This free tool is very easy to use and can create a new WinPE ISO and allows you to add your own 64-bit applications, drivers and folders, etc. Note WoW64 is not supported and you cannot run most 32-bit Windows apps although some 64-bit apps such as BootIce, CPU-Z, 7-zip, Recuva, SumatraPDF, Notepad2, QTWeb browser, Pe Network and OSFMount are included.
  3. Acronis True Image Bootable: A backup and disk imaging software that includes a bootable media builder. The bootable media is based on WinPE and can be created on a USB drive. It includes a range of backup, restore, and recovery tools. Download link: https://www.acronis.com/en-us/support/documentation/ATI2021/index.html#22779.html
  4. Paragon Rescue Kit Free: A free WinPE-based bootable media that includes a range of backup, restore, and recovery tools for Windows. It can be created on a USB drive and is easy to use. Download link: https://www.paragon-software.com/home/rk-free/download.html
  5. Macrium Reflect Rescue Media: A WinPE-based bootable media that can be created on a USB drive using the free version of Macrium Reflect. It includes a range of backup, restore, and recovery tools. Download link: https://www.macrium.com/reflectfree - ISO at https://www.majorgeeks.com/files/details/macrium_reflect_free_edition.html. No WoW64.
  6. Medicat USB:  (has WoW64) Medicat USB is a comprehensive WinPE-based bootable media that includes a wide range of diagnostic and repair tools for Windows. It is regularly updated and includes the latest versions of popular software. Based on Ventoy and must be written to a USB and consists of two partitions. https://gbatemp.net/download/the-medicat-dvd.36186/. As this is Ventoy-based it is not signed and so does not seamlessly support Secure Boot.

Secure Boot 64-bit WinPEs with 32-bit app support (WoW64) + utilities

  1. Gandalf's WinPE: (has WoW64) A modified version of Windows PE that includes a range of diagnostic and repair tools for Windows. It can be downloaded from the internet and used to create a bootable USB drive. Download link: http://windowsmatters.com/ - ISO https://www.fcportables.com/gandalf-boot-iso/
  2. WinPE 10 Sergei Strelec: (has WoW64) A popular WinPE-based bootable media that includes a range of diagnostic and repair tools for Windows. It is regularly updated and includes the latest versions of popular software. It can be downloaded from the internet. Download link: https://sergeistrelec.ru/winpe-10-8-sergei-strelec-x86-x64native-x86-2022-01-05-free-download.html or try WinPE 11-10-8 Sergei Strelec 2023.04.18 (x86/x64) available as English or Russian version. https://sergeistrelec.name/
  3. Bob.Omb's Modified Win10PEx64: (has WoW64) A modified version of Microsoft's Windows PE that includes a range of diagnostic and repair tools for Windows. It can be downloaded from the internet and used to create a bootable. 2GB+ RAM required. https://www.fcportables.com/modified-win10pe/
  4. Hirens Boot CD PE: (has WoW64) HBCD-PE is a bootable media that includes a range of diagnostic and repair tools for Windows and other operating systems. It is a WinPE-based environment. It can be created on a USB drive and is easy to use. https://www.hirensbootcd.org/download/. A system with 4GB or more RAM is required.
  5. DLCBoot: (has WoW64) A tool that allows you to perform multiple tasks on your computer system. It is an all-in-one solution that includes a collection of utilities that help computer users solve various issues related to computer software and hardware. The software comprises a bootable CD or a USB drive that lets you restore or fix your system, bypass Windows login passwords, and retrieve lost or deleted files. https://www.fcportables.com/dlc-boot/ DLCBoot2022V4.1.220629


Some of the above WinPEs may contain files which are flagged as containing viruses. The HBCDPE and Bob.Omb's WinPEs are probably the 'safest' ones to use, although I have not heard of any of the others containing malicious code either (apart from 'hacking' tools).

How to Secure Boot to different payloads using E2B

You can add various OSs that support UEFI64 Secure Booting by creating partition image files (.imgPTN23) and adding them to your E2B USB drive. For instance, WinPE ISOs can be converted to .imgPTN23 files and placed on Partition 1 (the main NTFS partition) of your E2B USB drive. Then you can switch in any of those images and Secure Boot to them.

  1. Secure Boot to your WinPE FAT32 partition 3 on the E2B USB drive.
  2. Browse to the E2B USB \_ISO folder and run SWITCH_E2B.exe.
  3. Select any of your .imgptn23 files which contain a Secure Boot OS (e.g. Ubuntu, Red Hat, WinPE, Windows, Fedora, Debian, etc.) and switch it in to replace Partition 1.
  4. Reboot and use the BIOS Boot Selection menu to boot from Partition 1.
  5. When finished, reboot to your WinPE partition again and run SWITCH_E2B.exe to restore the original E2B Partition 1 of your E2B USB drive.

Modify any WinPE!

It is possible to modify any WinPE without needing to change it or recompile it.

You can change the Wallpaper, add Desktop icons, auto-run programs at startup, add registry entries and drivers, etc. by using a very useful app called PEStartup.

Simply add the files to your E2B USB drive (Partition 3) and once you boot to your WinPE OS, you can run the batch file which will run PEStartup and apply the changes.

You can also add Portable Apps in this way, so Portable Apps can be added to any WinPE (a 32-bit WinPE, or a 64-bit WinPE with WoW64, is needed).

For instance, you can add all your favourite Portable Apps plus any Desktop shortcuts to other apps present on your USB drive and then boot to any WinPE and run PEStartup to modify it. So DLCBoot, Strelec, Bob.Omb's, HBCDPE and Gandalf can all have your wallpaper and the same Desktop icons. You can also add any drivers (e.g. NVMe, touchscreen, etc.).
