Domain: nu2.nu
Stories and comments across the archive that link to nu2.nu.
Comments · 196
-
Windows Live CD
Roll your own WinXP Live CD: http://www.nu2.nu/pebuilder/
If you poke around the various torrent sites or mIRC, you should be able to find pre-made ISOs.
Anyhow, this way you won't get any strange looks from non-techies who become suspicious of anything other than the normal Windows GUI. And you can even run as Administrator.
A live CD + USB thumb drive and you'll have all your files & settings to go. -
Re:What we do, and how it scales...
I concur with the parent as far as building unattended installs goes:
a few resources (some of which were mentioned earlier):
MSFN.org
nlite
BartPE
Technet XP Deployment ref
Disclaimer: Scan anything you download thoroughly for viruses. The worst thing you could do is inject a vulnerability in your image framework.
If you are in the position to need to reload your systems for any reason remotely, I would suggest using a PXE deployment solution of some kind. Ghost/Altiris both provide good PXE and post-install config utilities. We use Altiris and deploy our images through PXE. This allows for imaging in place after the fact, something that we try to do semi-annually.
Every major vendor provides UNDI-driver-capable on-board NICs nowadays, so the headache of PXE (NIC-specific) boot images is pretty much a thing of the past (unless you were one of the saps who bought the Gateway E-4300s.)
There's something about booting to your nic, loading an image on a station in 8 minutes and monitoring the unattended install from a remote TS console miles away from the station you're reloading. -
Re:Cool
-
Re:Obligatory joke
Actually, if you follow the links in the article to read how it works, it's obvious that booting from a Linux DVD bypasses their time subscription/metering servers and all the software components they had to add to Windows to lock out the user.
Actually, booting from one of the hacked bootable Windows DVDs (yes, it's possible to run Windows from a DVD - you can make your own bootable one by going here: http://www.nu2.nu/pebuilder/) also bypasses their time metering system. -
Win PE - Windows Preinstallation Environment
You might want to give Win PE (Microsoft Windows Preinstallation Environment) a try.
http://www.microsoft.com/licensing/programs/sa/benefits/winpe.mspx
If that doesn't work for you, then by all means take a look at BartPE, as the person above recommended.
http://www.nu2.nu/pebuilder/
Good luck! -
Install CD
You can make a BartPE DVD with all the drivers installed to work on most hardware.
There is a DVD floating around on BT sites that has an updated WinXP with all patches/drivers and some needed applications. But I recommend making one yourself for security reasons. (rootkit/etc)
Driver packs and Driverpacks.net
Ryan's Windows XP updates
nlite to help modify a windows install.
Bart PE - bootable dvd/cd for windows install. -
Re:Linux is NOT Fat
Anybody have a bootable LIVE XP distro I can try to compare?
Yes -
Re:It's Microsoft's operating system.
You have no idea what you're talking about - the recovery console runs in protected mode just as Windows itself does. The only part of Windows that's in real mode is the NTLDR.
There are products available that offer a better recovery environment than the Windows recovery console. Two that come to mind are Bart's PE Builder and ERD Commander. -
We've had two new ones in the past year
At my company, we've had at least two virus infections before definitions were released. We worked through symptoms and used stuff like HijackThis! and Process Explorer to find out what was going on, plus a few of the PS Tools to get rid of it and Bart's PE to clean-room the system to remove persistent files. It took our virus vendor a week to come up with definitions, but a few others had them earlier and we could use their online or free versions to clean the systems.
Generally, when we get a suspicious file, it goes to VirusTotal first. If any of the 20-or-so listed AV vendors have a definition for the virus, you can usually find some information about it (at least a name) and from there figure out how to clean it. If nobody has a definition, next stop is Norman Sandbox to figure out what the beastie does, at least from a high-level point of view. If nothing else, it will probably give you a mutex that you can create to block execution/further infection, and sometimes it even gives you a clue as to what the virus would be or if it's a variant of something else. I found that we had a new variant of W32/Sality based on its mutex, which was one version number incremented from the info available online.
If there are no hits after that, there are some more things you can try, but they're mostly shots in the dark. Unless you can un-UPX the file and do some serious reverse-engineering on your own, you probably have to wait for a definition or post your symptoms in a newsgroup or forum and hope someone can help.
One good thing about VirusTotal is that it submits your sample to AV vendors (if you give it permission) so they are alerted and can start to develop definitions. It's difficult to find contact info for some vendors, but McAfee, ClamAV, CA and others have places you can submit a sample; you would do well to try them all if you have non-sensitive information in an infected file. -
Re:Bootable Halo "Tech" DVD
You mean like a plugin to this?:
http://www.nu2.nu/pebuilder/ -
You can also slipstream hotfixes and apps
While slipstreaming service packs is a common practice, you can also slipstream hotfixes. Heck, when I was in IT support we used this great script to automate the process. Some of the other links I still had bookmarked may be of value to people who not only want to slipstream service packs/hotfixes but also build an unattended installation CD. In our case we installed all the apps common to our PC images (except for Office) from one CD. We threw the CD in, booted from it and came back 2 1/2 hours later to find a fully installed desktop with all our standard apps. This method is superior to using Ghost or other imaging software when you have a heterogeneous environment where PC hardware varies drastically from department to department or desktop to desktop.
http://www.nu2.nu/bootablecd/
http://www.microsoft.com/technet/prodtechnol/ie/ieak/default.mspx
http://unattended.msfn.org/unattended.xp/
http://www.appdeploy.com/packages/
This last link relates to a commercial software distribution environment, but it includes an archive of the known switches accepted by various installers to make them silent. The technique we used was to use the unattended.txt file to add a RunOnce registry entry, to regedit (to merge a secondary registry file containing other RunOnce entries) to be executed on the second reboot to silently install our list of apps, where the installer commands used included the switches detailed on the AppDeploy website (and many other places across the web).
There are a relatively small number of installers out there that take a relatively well-known set of switches to make the installation silent (accepting all the defaults). These methods saved us thousands of man-hours in PC deployment in the two years they were in use.
--CTH -
This Worked Very well
This website was very well done. It explains how to make a boot CD, and how to get the service pack in as well. Very quick and easy, as long as you follow a few steps. This will work for Win2k/XP, probably 2003 as well. Hope it helps. This also works for BIOS updates et al.
-
dir /od /a-d |edit
I've used many tools before but I always seem to go back to using the good old DOS prompt even on XP. Every day I remove malware from clients' systems and find a lot get past Ad-Aware/Spybot/anti-virus, so I have to remove many by hand.
If you have something hiding in the windows\system32 folder, the "dir /od /a-d" command shows the last added/changed files. Then if you're unsure about a small file, I use "edit" to open the file and look for clues in it. If it has UPX or FSG in the header I delete the file; other clues are things like strings that refer to websites I don't like, or encryption that hides string tables.
But if I can't delete the file I'll reboot using BartPE and then delete the files. In BartPE you can use regedit to mount a registry hive and then edit the registry offline.
But remember some malware have deadman switches, so if you remove it your system won't boot. i.e. NewDotNet puts itself in the LSP (Winsock stack), so if you delete the files Winsock stops working :(
The tools I would not leave home without are:
http://www.sysinternals.com/Utilities/Autoruns.html
http://www.sysinternals.com/Utilities/ProcessExplorer.html
http://www.nu2.nu/pebuilder (bartPE)
then
HijackThis, Ad-Aware (www.lavasoft.de), Spybot, AVG (grisoft.com)
and not to forget those builtin tools:
msconfig, cmd, regedit, "sfc /scannow", edit, "shutdown -a".
happy hunting [sVen] -
Other Misc. Programs
I first try removing junk via Add/Remove programs and then cleanup startup/autorun entries with Startup CPL
Security Task Manager (shareware) rates each process in how likely it is to be malicious and gives you the option of killing or quarantining (or uninstalling the corresponding program if appropriate). I've had good success with eliminating nasties that were sucking so much CPU that Ad-Aware and Spybot couldn't finish scanning.
BartPE is a great live CD, especially with the RunScanner plugin that lets you run Ad-Aware on the local machine's registry. RegeditPE was also mentioned by someone. -
BartPE
BartPE should do the trick nicely LOL.
-
Re:What if I'm already rooted?
The solution is to make a 'Windows Bugspray' CDROM using Firefox on Linux to download all the patches from Microsoft. That way, you can do all the fixes pretty quick. If you are really serious, then you can slipstream the fixes into a new install CD.
Also see this: http://www.nu2.nu/pebuilder/
Bart's PE is very handy for deleting files that Windows normally cannot delete, or simply to use as an incorruptible Windoze. -
Re:What's running?
Along the lines of fixing your filesystem (because you can't boot, even in safe mode...)
BartPE is your friend: http://www.nu2.nu/pebuilder/
Download the basic BartPE CD builder and have it make you a standard BartPE ISO. Burn it to disk and then boot off the CD.
Once it's done loading, launch a command window and run:
chkdsk /r C:
(checkdisk "repair" C:-drive)
Or whatever drive needs fixing. Once it's done, reboot. This should repair your filesystem and probably get you going again. -
Re:Store the OpenOffice config file on network...
implies Windows, for which live CDs are not available.
While the suggestion is crazy (to use live CDs to get around this problem), you're wrong about Windows and live CDs. You'd still need a Windows licence, and might or might not be allowed to do this, depending on your jurisdiction's take on silly EULAs etc, but:
-
Re:Windows?
It can. It is called BartsPE:
http://www.nu2.nu/bootablecd/ -
Re:SysInternals'
I think the best way to detect a rootkit is to simply put something between it and the internet that can log net traffic, say a router or somesuch.. course, you'd have to make sure the router hasn't been exploited too...
:)
Oh, here's a useful tip for people.. there is a cheaper alternative to WinPE.. BartPE, it requires Windows XP to build the bootable cd but in terms of usefulness it's a nice little life saver.
Can also be extended with Ultimate Boot CD (UBCD). -
Re:LiveCD Windows
According to Bart PE's own web page, that Program Manager is in error.
It says "Q. "BartPE is an unlicensed version of WinPE and of Windows XP."
A. This is not correct, BartPE is not WinPE and will never be WinPE. BartPE builds from Windows XP or Server 2003 files. BartPE is not built from any WinPE file and does not use any files that belong to Windows PE!
Note: Previous versions of PE Builder did instruct the enduser to download certain WinPE network components from the internet when enabling the network support, but v3.0.30 and higher have built-in network support."
From: http://www.nu2.nu/pebuilder/ under the Legal Information section. -
BartsPE and Windows Server 2003 Evaluation version
I've had to make a BartsPE CD so that I could use a Windows-only firmware utility. It wouldn't work in Wine, and I didn't know how to use qemu or the like, so I thought of going through the BartsPE route.
I didn't want to pirate a copy of XP, so I downloaded the evaluation version of Windows Server 2003 instead (BartsPE needs at least XP or Server 2003). Although the Server 2003 evaluation version on the harddrive expired after 180 days, the BartsPE CD created from that install still works.
I found that BartsPE was a real pain to build, because you have to hunt down all the software and drivers, and edit *.ini files.
BartsPE is kind of cool, and is better and faster for accessing NTFS partitions than captive-ntfs, but compared to Knoppix (and its derivatives), it's not that useful.
Knoppix has far more and useful software and networks automagically. Unlike BartsPE, you don't need to build Knoppix, you just download it and burn it to CD. -
Re:The computer from Dell...
True enough. I just assumed that its driver was fully functional because it was capable of 1024X768 at 24 bits. Honestly, I didn't try any higher resolutions.
I'm not thinking of resolutions. Is 2D/3D hardware acceleration completely supported? Does it support (tested/debugged) OpenGL and DirectX 9 in hardware?
You're right - Dell should have checked before pasting MS trademarks all over the CD.
Damn straight they should have! There's this thing called QA that someone should tell Dell about.
My point is that most or all OEM recovery CDs are customized to some extent. Dell tells MS, "We need these drivers on this CD", and MS supplies those drivers on that CD. It just bothers me that you tried to use a recovery disk supplied by Dell on a Dell computer, and when it didn't work you automatically blame MS without knowing whether it's really MS's fault. If it were me, I'd be screaming at Dell for shipping a recovery disk without the correct drivers. I paid good money to Dell and Dell would owe me a good recovery CD.
Let's stick to blaming MS for their known faults without automatically blaming them without sufficient information.
And no, you can't get an official MS Windows live CD. But you can get instructions on how to make bootable Windows recovery CD here.
-
BartPE
Don't like safe mode, then try BartPE. It's basically a live windows CD, quite customisable. http://www.nu2.nu/pebuilder/
-
Re:What about updates?
As of last year, they don't. I have unpacked their patches to patch machines that cannot be autopatched (such as BartPE).
-
Re:Linux vs Windows
Actually Windows does have a live CD.
-
Re:Windows XP Live CD?
This is pretty close:
BartPE: http://www.nu2.nu/pebuilder/
From the website: Bart's PE Builder helps you build a "BartPE" (Bart Preinstalled Environment) bootable Windows CD-Rom or DVD from the original Windows XP or Windows Server 2003 installation/setup CD, very suitable for PC maintenance tasks. It will give you a complete Win32 environment with network support, a graphical user interface (800x600) and FAT/NTFS/CDFS filesystem support. Very handy for burn-in testing systems with no OS, rescuing files to a network share, virus scan and so on.
-
Re:Flash my BIOS
This may be useful:
http://www.nu2.nu/bootcd/#clean -
For Windows repair
I prefer a Windows live CD. You get a full working NTFS read/write driver that way, and you can get support for any other drivers Windows has that way. Go to http://www.nu2.nu/pebuilder/ and you get the software necessary to build it. It's a little bit of a pain to set up, but once done you boot to a working Windows environment.
Knoppix is nice for Linux recovery, and I did encounter one NTFS partition that was seriously messed up that Windows didn't know was NTFS but Knoppix could (sorta) read. -
Re:Everything can be cleaned manually
I'd say with a PE (like BartPE) and some tools it's possible to remove malware that is hiding itself with rootkit techniques. Booting from read-only media is the classic way of preventing execution of hostile code, but sadly it's often overlooked nowadays. It can be very time consuming though to locate and remove malware, especially when you don't know it's there. It's not something an average user would likely succeed in doing, so I guess you're mostly right when you say it's impossible to remove without fdisk/format.
-
http://www.nu2.nu/pebuilder/
Here is the link to save some time.
http://www.nu2.nu/pebuilder/ -
Windows Live CD - Re:Small buisness
The only thing I would actually want Microsoft to do is freakin make an XP product that can run from a USB key or a bootable CD. That would be a valid competitor to the various thin-client projects.
There is such a thing as a LiveCD for Windows; you might want to check out Bart's Preinstalled Environment (BartPE) bootable live Windows CD/DVD for more information. It's actually pretty useful sometimes. Check it out. -
I wish they would release it in the US
It would be a good source for PeBuilder licenses.
-
If it's that important, destroy the drive
I think HIPAA requirements are met by the electronic equivalent of a cross-cut shredder; destruction beyond all possible recovery is not required. A multi-pass overwrite is probably enough. Almost all bootable Linux CDs have the basic tools to do this, but you may find it handy to write a shell script to automate the process. Some may even have e-z shredders right there in the KDE or Gnome menus. Get a distro that reads USB drives and an external USB/IDE box and you are in business.
Another possibility is to use Bart's PE Builder and one of many MS-Windows-based shredders to make a bootable MS-Windows XP CD that does the same thing.
If overwriting the data one or more times does NOT meet legal requirements, then you should overwrite the data once as a precaution in case someone steals the drive before you can permanently erase it, disassemble the drive, drill holes in the platters, then heat the platters, including the drilled-out parts, long enough to completely degauss them. A fireplace should do the trick, but an autoclave or better yet a pottery or cement kiln would do a better job. A kiln might actually melt the platters, which is pretty much the ultimate in data destruction. -
BartPE
-
Wrong
I tried this on a machine with no hard drive, and I still got 40m swapped. Bug?
-
Bootable Live Windows CD
Then, quite simply, for most people who just want email and browsing it's more than sufficient for them.
Then a live Windows CD is all they need. For all other needs listed, they should be running an open source alternative -- more stable, cheaper, and can run on minimal hardware. -
An admin's savior :-)
CDs like these are very useful, even in our Windows-centric company. One laptop had a fried hard drive; Windows crashed upon starting. First I tried the recovery console, which was no help because the disk was beyond repair, then I tried a BartPE XP CD but that wouldn't recognize either the NIC in the docking or a USB NIC (no, I didn't want to have to add all sorts of drivers etc. to it first). Downloaded a FreeSBIE CD and it worked perfectly. The guy was very happy about his saved data, the shmuck.
*goes off to browse the site* -
OpenFirmware features vs PC BIOS
OpenFirmware is a hell of a lot more feature-laden than the PC's BIOS. While attempts to update BIOS are ongoing (see LinuxBIOS), a more effective short-term solution is to emulate part of the functionality: boot off a live CD/floppy and network/fileshare over TCP/IP (NIC or FireWire). I'd advise you to look towards the always excellent Bart Lagerweij site
-
Don't
The local graduate school had an old lab with Pentiums and K6's running Win95 and IE3 for email/web browsing/instant messengers/word processing. Over the year's end, they decided to move on to some Linux distro with IceWM and Mozilla.
The computers are unusable.
There are three different classes of users here. Some of them just can't figure out what to do when Mozilla presents them with a "Choose User Profile" dialog, and leave in frustration. The second class can sort that dialog out, but Mozilla takes so long to load they give up before it even shows up and leave in frustration. The third class will wait until Mozilla loads, and leave soon after in frustration after the computer chokes trying to render some ordinary website -- like Slashdot.
Nevermind the fact that we don't get to use instant messengers or jot down some text. I don't blame the admins; the computers would probably catch fire trying to run Mozilla, Gaim and OOWrite at the same time.
Everyone is unhappy.
Everyone is unhappy and they all hate Linux already, and will always remember Linux as the cheap, slow, inferior solution. I'm considering leaving a few BartPE Windows live CDs around so someone gets to do something at those computers.
I wish people would stop advocating Linux as a solution for breathing life into outdated equipment. It's not. It's VERY VERY frustrating. -
Re:how about a live cd?
-
Re:Windows installed on hard drive
Windows can happily run off a CD too. Here's more info on making Windows Live CDs/DVDs. (I personally still prefer Linux though.)
-
NT wasn't bootable in a read-only environment
Bart, of Bart's PE fame, says in the Bart PE FAQ:
Q: Why can't Windows 2000/NT4 be used to build BartPE? Is there a technical reason for this?
A: Yes, that kernel does not support the "/minint" switch and therefore cannot boot from readonly media... Also the layout.inf does not contain required information.
There you have it. NT and 2000 cannot boot from CD (well, maybe they could using a boot-loader-initialized ramdisk hack).
Win95, 98, and ME are all DOS-based kernels, and should be able to boot from CD. -
Already in the wild?
One of the computers I support had a very nasty piece of spyware. I am not sure if it was exploiting the same things described by Microsoft, but it had the following symptoms:
1. The process would not show up in task manager
2. The related files would not show up in Explorer
3. The related registry keys did not show up in regedit
4. It somehow was being called by Winlogon, so it ran even in safe mode.
The way I detected it was by using several Sysinternals utilities http://www.sysinternals.com/. I have a script that uses pslist to monitor all processes on the network and this spyware was not smart enough to hide from that. A remote regedit session enabled you to see the related registry files. I had to use BartPE http://www.nu2.nu/pebuilder/ to mount the drive and clean out the related files and registry keys.
-
MS needs to release a bootable CD version
Sure, there's Bart's Preinstalled Environment bootable-cd-maker but MS really should release a bootable CD of its OSes, complete with cleanup- and other system-maintenance tools, to the community. Heck, I wouldn't even mind typing in my MS-Windows serial number or inserting a floppy that had a key-holding file copied from my hard disk every time I boot. Heck, I'll even pay $5 for the media and give Microsoft my name and address for a tool this useful.
Knoppix rocks but there are some Windows-maintenance things that are much easier in a Windows-booted environment. -
Re:Unpossible to Clean SpyWare?
One of my job functions at the university where I'm employed is to fix student computers. 95% of the calls we receive are spyware/virus related. We have stopped trying to disinfect Windows from inside the operating system because it is pointless - there is no way to clean everything off from within the operating system. What we do is boot off of a BartPE bootable CD, connect to the network, update the virus scanner & Ad-Aware, and clean off the hard drive. Then we proceed to boot the computer into Windows to finish the final clean-up.
So, it surprises me that a report about this kind of ad-ware/viruses is just now coming out because we have been dealing with impossible-to-remove software for at least a year now. Fortunately the only way to defeat a BartPE scan is to install a BIOS virus - and almost nobody does that any more.
:-) -
Aaaargh.... you lazy bastard
Go ahead and make me do the work:
-
Re:ms livecd
Microsoft doesn't make a commercial live CD, BUT there is a boot CD that runs a custom Windows PE environment called Bart's PE http://www.nu2.nu/pebuilder/ With the addition of the XPE plugin http://sourceforge.net/projects/winpe/ and some tweaking you can have an almost fully functional Windows XP desktop from a live CD.
-
Re:ms livecd
Microsoft has one; it is called WinPE.
Tools: Microsoft Windows Preinstallation Environment
You can't have it unless you qualify for the license.
For mere mortals that want an M$-based live CD there is BartPE, which is not M$ endorsed. It uses your Windows XP or Windows 2003 Server CD to build the live CD. There is also an option to extract the files from your current install on your system if the place you bought it from opted not to give out an install disk.
Bart's Preinstalled Environment (BartPE) bootable live windows CD/DVD
I've used BartPE to rescue important files off several Windows XP Pro systems hosed by SP2 (thanks M$). Knoppix works very well for this task too. The fun part of using Knoppix is the owners of the computers can see how cool a GNU/Linux can be. In a few cases the owners asked for a copy of Knoppix to play around with afterwards.
OpenBSD may not be Linux, but someone should make a LiveCD for it, assuming one isn't out there already. A secure-by-default LiveCD would be a nice warm and fuzzy. -
the main tools you need
All I needed to get started was this and this.
And maybe make one of these with Stinger, Antivir, and Ad-aware to clean trojans and virii.
Of course, service is the key to this. I make house calls and often spend an extra hour of non-billable time explaining things. Since I am in California I charge $75 an hour to wealthy clients and $45 an hour for the non-wealthy.