Slashdot Mirror

There is a sort-of "Winnopix" that's available. It's called BartPE. It's a CD bootable version of WinXP that lets you add almost any software package, including foreign registry editors, spyware and virus scanners, and data recovery/forensics tools. You can find it here.

Its doesn't pack as many tools as Knoppix, but BartPE can be extremely useful for getting at busted 2000/XP/2003 boxes.

I've been using Pebuilder for my recovery needs with great success.

It's easy to customize with plugins that you can create, download, and add. The UBCD for Windows is a must have for pebuilder and makes it a real powerful tool. from browsing to e-mail, web browsing, disk recovery and lots more. I basicially used one of these CD's as my PC's OS while I was waiting for Dell to send me a new hard drive when the one in my machine at work crashed.

Funny, just yesterday I blogged about some similar experiences...I had an XP box that would log me out as soon as I went to log in, and because all my passwords were blank some of the linux rescue CD based fixes wouldn't work...

I decided to just grab my personal files off (one rule I have is to put all my personal stuff in c:\data\ ) To make a long story short, Bart's Preinstalled Environment (BartPE) bootable live windows CD/DVD, at the recommendation of Enkidu on alt.os.linux, turned out to be a better bet for my needs, letting me shove the files onto my laptop over the network. (I'm proficient at both Windows and Unix commandlines but not too great as an admin on either, so maybe that has something to do with my problems with, says, system-down rescue cd linux)

http://www.nu2.nu/pebuilder/

A good rootkit will only let you see what the rootkit wants you to see

Anyone who does computer repair (knows/should know) that Bart PE is a great windows based system that is built from the Windows XP Preinstall Environment and boots of CD. It runs most x86 programs, can use drivers with small modification, has a full registry hive and editor, has usb support, etc. However, to keep MS off his ass, Bart (the author) has limited the PE system to running 6 concurrent processes, so that it can't be used as a bootleg operating system. Not that I am suggesting or condoning it, but if someone was to make a HAL for Bart PE and remove the process limit, the XP on XBox project would be as close to done as your gonna get.

http://www.nu2.nu/pebuilder/

I'm something of a big fan of Bart's Portable Evironment Windows boot disc. Native R/W ntfs support, supports McAfee command line virus scanner (with a custom gui), adaware, networking support and many other useful plugins. All in all, a great recovery tool. I wonder if this here portable firefox would work with the Bart boot disc. It would make a nice addition to an alreay powerful tool.

The other great, untapped tool is BartPE. This is a bootable windows xp cd. You can have ad-aware, clamwin, mcafee, and f-prot all load up from a bootable cd where they can download internet updates, and scan a hard drive. You don't know how many times I have "cleaned" people's computers with ad-aware & spybot while booted into their windows os, but some spyware has built in functions to hide itself, so spyware keeps reappearing. Using bartpe solves that problem, you boot off of it first, get the really nasty spyware, trojans, and viruses out of the way, then you boot into windows and run ad-aware and spybot again to get whatever was left behind (usually registry entries).

Ad-Aware runs on a BartPE Boot CD. I've heard Spybot also runs on BartPE, but I don't think there are handy instructions for adding it to the image.

If nothing else run your whole network on Bart's PE. That thing is great.

All I needed to get started helping home users and small businesses (like my dentist) was:

invoices

and

a CD from Microsoft

I also put together a boot CD to scan and clean virri

I charge $75 an hour to 'fix' windows PCs here in California using these two CDROMs and an invoice book.

If you want to be really nice give people a copy of The Open CD (it has good software for home and office users)

You can also add AdAware to bartPE. Very handy.

A piece of software which fulfils the requirements listed in the parent post, as well as enabling you to perform many other useful functions is available and has been for some time.
It is essentially a Windows version of Knoppix, i.e. a Windows boot cd, and is named Bart's Preinstalled Environment (BartPE) after the creator Bart (really?!) Lagerweij.
The software enables you to create a bootable cd from a Windows XP/Server 2003 setup disk. A very simple module functionality has been implemented, so that hundreds of third party modules are now available covering a huge scope of useful (and not so useful) programs including Ad-Aware and several anti-virus programs.

As the homepage so rightly says "being an Admin is hard enough...", and I can say from experience that this does make clearing up infected Windows computers a whole lot easier and safer. Especially with the prevalence of particularly evil spyware and viruses which are almost impossible to remove while the host system is actually running.

Just my £0.02...

Use BartPE it works great. But you're limited to McAfee Antivirus. But it works very well.

You could do something similar to this by using BartPE. It is a Bootable CD version of WindowsXP. You won't have to worry about messing up the NTFS partition with a bad write since it is a "native" tool. And, the BartPE community has created hundreds of plugins, including registry checkers, virus scanners, and spyware cleaners.

First off, I love linux, but in this case I think there's a better tool for the job. (The following is not really a shameless plug).

I use Bart's PE Builder. In a nutshell, it's a bootable cd with a Win32 network, disk (with native NTFS support) and GUI API load. The best thing is that it's built using actual Windows dll's and the like. Of course, you have to have a copy of XP or Server 2003 to built it, and it may not be strictly within Microsoft's licensing agreement to use their IP in this fashion, but that doesn't bother nor stop me.

Anyway, there's a native Ad-Aware plugin for BartPE, and I've hacked together a Spybot S&D plugin, as well. My usual proceedure is to boot the system with my cd, run AAW & S&D to clean up files on the hard drive. Then, I boot from the hard drive into safe mode with networking support, install the latest versions of AAW & S&D, and run them again. This cleans the registry as well (which unfortunately I haven't figured out how to do under BartPE... yet). This method has worked well in situations where the system is so infested I can't start from safe mode.

Part of the problem is that even with the proliferation of anti-spyware programs, often to completely eradicate these nasties, manually crawling for files and registry entries may be necessary. At least for the forseeable future I don't see this becoming a fully automated task.

You don't need Linux to do it. BartPE works very well for this purpose.

i dont know, that barts pe stuff just didnt seem as easy as burning an iso. ive built several windows machines for people and had more than a couple linux distros going, so im not a moron. maybe it has gotten easier since i tried it about a year ago...

here is the link if anybody wants to check it out

Note: WinXP sp2 adds the option "Disable automatic restart on system failure" on the F8 menu. So press F8 as the computer is booting, and you should see it listed on the menu along with Safe Mode.

On Windows 2000 and XP SP1 the following works:

0) Boot with a BartPE CD
1) Run RegeditPE from a floppy disk or CD....
2) If prompted to load remote user profiles for editing, you can choose "No."
3) Go to [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Contr ol\CrashControl]
4) Change the value of the DWORD AutoReboot from 1 to 0.
5) Close RegeditPE, and restart the computer.

There are scads of folks out there busily building their own add-ons and plugins for the BartPE environment which you can just download and include in your own installation- everything from Java Runtime to Citrix ICA client to Trillian. And literally a hundred more.

I've found it an indispensible Windows recovery tool. I can boot off the CD and run Adaware, Spybot and McAfee scans on the system hard drive, removing all the IE trojan nonsense before it starts up and get resident in memory. I can connect to network shares and transfer data from machines that won't boot.

You don't even have to boot from the CD- it will autorun in an active Windows XP session and give you the same NU2 menu. So it can be used to run applications locally that you don't want to install on the client's machine.

There are scads of folks out there busily building their own add-ons and plugins for the BartPE environment which you can just download and include in your own installation- everything from Java Runtime to Citrix ICA client to Trillian. And literally a hundred more.

I've found it an indispensible Windows recovery tool. I can boot off the CD and run Adaware, Spybot and McAfee scans on the system hard drive, removing all the IE trojan nonsense before it starts up and get resident in memory. I can connect to network shares and transfer data from machines that won't boot.

You don't even have to boot from the CD- it will autorun in an active Windows XP session and give you the same NU2 menu. So it can be used to run applications locally that you don't want to install on the client's machine.

I wish there was a Winoppix

There is a sort-of Winnopix available. It's called BartPE. It's a CD bootable version of WinXP that lets you add almost any software package. YOu can use it for data recovery, forensics or as a temp OS. YOu can find it here.

That is what I do anyway. And I tend to agree with you. It was just a point of interest. With people creating Windows 98 Live CD's and Pre-Install versions of Windows, I wondered how difficult it would be to recreate the install CD. Not necessarily in its origional form, but in a form where you could easily install it on another machine.

All of your bullet-point suggestions are practically impossible for a normal human user to implement except for Long-term backups are important. This is an excellent point and one that I forgot to include.

Firewalls are important in malware control for two primary reasons:

1. They separate the target system from the hostile environment.
   Even the simplest firewall protects you from most IP-borne worms
2. They provide a choke-point for information where it can be restricted and audited.
   This allows you to stop infections before sigs/patches are available and determine if machines are infected with unknown malware.

Automated patching is critically important for the masses. This doesn't mean that windows update should be set on all machines to 'download and install' mode. It means that there should be a mechanism for machines to be easily updated to correct problems. WU is a step in the right direction and so far having 'download and install' enabled would have prevented almost all of the major outbreaks that involved the Windows OS components and would have broken a small percent of machines with mostly rare configurations.

I wish that MS would have taken heed of my suggestion to allow for multiple signatures on patches (and a mechanism in the OS to verify/act on them.) This would allow users to delegate any number of trusted third parties to verify that the patch: came from MS, actually works, and doesn't adversely affect the other apps that I run. This could all be done without the user having to look at any code or test it themselves.

Warning when things on the machine seem strange can definitely prevent virus outbreaks because it provides the user with an indication that something may be amiss. Many people have spread malware for months because they didn't realize that it was there. Simple things like 'Are you sure you want SpamPasser.exe to access your address book?' (implemented in OL 2002 SP2) or 'Should fileBot5.exe be granted access to the Internet?' (implemented in XP SP2) are steps in the right direction to at least clue-in people that there may be a problem. In fact, I think that behavior-based detection will be used in favor of signatures in the NearFuture(TM).

To put a system in a 'known-good' state, boot from your favorite OS CD. Knoppix is an excellent example of this. There is also a very good Windows XP-based CD called BartPE.

Finally, limited execution environments are excellent for dealing with untrusted code in a secure system, but make it more difficult to allow useful (and fast) interaction between processes. In the *NIX world there are quite a few options that work reasonably well (jail, chroot, emulated execution, VM.) In Windows NT+ you can launch processes in different user contexts with limited separation. These have existed for a while and work well for some medium-security applications. Unfortunately, it usually slows down execution and as one wise security guru once told me, 'Functionality trumps security every time.'

Use Bart's PE Windows XP Live CD if you need to muck around with your NTFS filesystems.

Releasing a "Windows: Troubleshooting Edition" might help out a lot of admins, but would break this image.

This kind of exists. it's called BartPE. it's not released by microsoft, it's a script that builds a knoppix-like windows xp livecd from an existing windows xp installation. well, it's not nearly as cool as knoppix, but it's still really useful for troubleshooting borked windows systems.

RTFM and follow directions on how to make a bootable BartPE CDR, and then how you can install BartPE to a hard drive.

Then download and install OOO.

Then give Microsoft and Billy Boy the middle finger. ;)

Or try this alternative and install it to your hard drive for a Non-Windows edition and still give Microsoft and Billy Boy the middle finger.

*pling* You have advanced one level.

You are not the common Windows user. You know how to keep Windows XP running without seeing the need to re-install. For lots of others this painstakening procedure is part of their montly routine. Even if there'd be more convenient ways to do/fix things with the CLI, the registry editor or the recovery console. And if even this fails Bart's PE Builder may still save you from rebuilding XP from scratch.
But most users just don't know that these things exist. They tend to rely on a fresh installation, even if it wouldn't be necessary. An example: one of my customers bought a small neat router to connect his computer to DSL. Some sites wouldn't open in his browser. So he kept on re/installing Windows instead of fixing the MTU size. The only systems he knew were the old DOS-based Windows. Back then re-installing seemed to work like a charm for most issues he had.

I can't say that re-installing is always useless, though. If there's any trace of unknown processes that seem to listen on ports that haven't been opened by intention I'd always advice quarantine, re-installation of Windows and all programmes, offline-patching and restoration of data from an unaltered backup that dates before the current system was compromised. With all those Sasser-like worms compromisation happens quite frequently.

You shouldn't be worrying about what goes on while they're there, but after the rental ends just pop over with the live cd, restore the disk image, and it's fresh for the next rental.

Thanks! Here's my list. The stuff I carry is usually for cases where I can't access the network or hardware. If the machine sees the network, I've got it made.

I mentioned these two, but here are details.

chntpw, reset NT/2k/XP passwords with the full bootable floppy version.

Bart's network boot disk built into a 2.88 meg image allows a huge load of network drivers, and with a copy of ghost I don't ever have to mess with building boot floppies for ghost again. I also included basic DOS utilities for manipulating the HDD and testing.

Bootable CDs with floppy images can be useful, and Bart provides a handy utility for building them. Put a disk image of chntpw on a bootable CD with other goodies per instructions at Bart's site.

I also carry Knoppix or perhaps a nice Bootable Business Card with lots of network drivers. With read-only NTFS access and networking, I've stripped data off of drives I couldn't even access for a fresh NT/2k install. Pour it across the network, and you're a hero. Also good for a slow clone with dd, or an emergency Remote Desktop Client. If you pick a livecd with a nice recent version of kparted, you can resize live NTFS partitions (I used SystemRescueCD). I've needed to do this more often than I'd have expected. Knoppix's NTFS tools were less useful at the time.



I'm looking forward to using the Captive NTFS drivers, but that seems less neccessary with one more set of tools from Bart's site, the bootable XP/2000 pre-execution environment in BartPE. These allow full access to NTFS, as well as providing an environment you can run Adaware and other Windows tools from. One of these made my day last week. It's dog slow to boot, but running Adaware or other utils (chkdsk, AV, undelete), from NOT the boot drive is great.

Thanks! Here's my list. The stuff I carry is usually for cases where I can't access the network or hardware. If the machine sees the network, I've got it made.

I mentioned these two, but here are details.

chntpw, reset NT/2k/XP passwords with the full bootable floppy version.

Bart's network boot disk built into a 2.88 meg image allows a huge load of network drivers, and with a copy of ghost I don't ever have to mess with building boot floppies for ghost again. I also included basic DOS utilities for manipulating the HDD and testing.

Bootable CDs with floppy images can be useful, and Bart provides a handy utility for building them. Put a disk image of chntpw on a bootable CD with other goodies per instructions at Bart's site.

I also carry Knoppix or perhaps a nice Bootable Business Card with lots of network drivers. With read-only NTFS access and networking, I've stripped data off of drives I couldn't even access for a fresh NT/2k install. Pour it across the network, and you're a hero. Also good for a slow clone with dd, or an emergency Remote Desktop Client. If you pick a livecd with a nice recent version of kparted, you can resize live NTFS partitions (I used SystemRescueCD). I've needed to do this more often than I'd have expected. Knoppix's NTFS tools were less useful at the time.



I'm looking forward to using the Captive NTFS drivers, but that seems less neccessary with one more set of tools from Bart's site, the bootable XP/2000 pre-execution environment in BartPE. These allow full access to NTFS, as well as providing an environment you can run Adaware and other Windows tools from. One of these made my day last week. It's dog slow to boot, but running Adaware or other utils (chkdsk, AV, undelete), from NOT the boot drive is great.

Thanks! Here's my list. The stuff I carry is usually for cases where I can't access the network or hardware. If the machine sees the network, I've got it made.

I mentioned these two, but here are details.

chntpw, reset NT/2k/XP passwords with the full bootable floppy version.

Bart's network boot disk built into a 2.88 meg image allows a huge load of network drivers, and with a copy of ghost I don't ever have to mess with building boot floppies for ghost again. I also included basic DOS utilities for manipulating the HDD and testing.

Bootable CDs with floppy images can be useful, and Bart provides a handy utility for building them. Put a disk image of chntpw on a bootable CD with other goodies per instructions at Bart's site.

I also carry Knoppix or perhaps a nice Bootable Business Card with lots of network drivers. With read-only NTFS access and networking, I've stripped data off of drives I couldn't even access for a fresh NT/2k install. Pour it across the network, and you're a hero. Also good for a slow clone with dd, or an emergency Remote Desktop Client. If you pick a livecd with a nice recent version of kparted, you can resize live NTFS partitions (I used SystemRescueCD). I've needed to do this more often than I'd have expected. Knoppix's NTFS tools were less useful at the time.



I'm looking forward to using the Captive NTFS drivers, but that seems less neccessary with one more set of tools from Bart's site, the bootable XP/2000 pre-execution environment in BartPE. These allow full access to NTFS, as well as providing an environment you can run Adaware and other Windows tools from. One of these made my day last week. It's dog slow to boot, but running Adaware or other utils (chkdsk, AV, undelete), from NOT the boot drive is great.

There is something like this. It's called Bart's PE. Putting Spybot on the CD is an option.

Not open source, but free: BartPE

Usually you have a path rule to allow everything in %SYSTEMROOT% (the Windows directory). Then you can use filesystem permissions to prevent files from being added/changed. If you want an actual list, the loaded module list from msinfo is a good place to start. Run msinfo32.exe from \program files\common files\microsoft shared\msinfo\, look at loaded modules under software environment. I guess you could always add every file in the windows directory :)

If your system stops working because of a bad rule, you can still fix it by mounting the registry using a good install. First you need a windows install with physical access to the drive. A bootable BartPE CD is probably the best way. An extra backup install would work, and transplanting the hard drive to another computer as a last resort. Then you open regedit, select a mount point, say HKLM, select File->Load Hive. Find the 'software' file under windows\system32\config\ on the damaged install. Now you have the entire software branch of that computer's local registry mounted. Navigate to (on the new tree) software\policies\microsoft\windows\safer\. All the rules are stored here. It's not as nice as the MMC snap-in, but you can delete bad rules in an emergency. When you are done, select the registry hive you mounted, and select Unload Hive from the File menu.

Psst. Do a google for "Windows PE" sometime. It's a happy, beautiful thing. Other than the fact that it's based on XP, I mean, which I guess makes it a sad, emotionally scarring thing.

You're right. Internet explorer is not integral to the operating system.

Bart Lagerweij of Bart's Boot diskfame has created a Windows Live CD very similar to Microsoft's Windows Pre-installation environment. The BartPE disk is "a complete Win32 environment with network support, a graphical user interface (800x600) and FAT/NTFS/CDFS filesystem support. Very handy for burn-in testing systems with no OS, rescuing files to a network share, virus scan and so on." It has specific packages which enable you to perform work on a Windows NTFS system without booting from the hard drive. I find it still very cool and useful.

It compares favorably, to me, the functionality of the PCLinuxOS Mandrake live CD. Both enable me to boot, plug in my USB hard drive and copy files from my Windows XP/2000 NTFS partition with no security checks!

Bart Lagerweij of Bart's Boot diskfame has created a Windows Live CD very similar to Microsoft's Windows Pre-installation environment. The BartPE disk is "a complete Win32 environment with network support, a graphical user interface (800x600) and FAT/NTFS/CDFS filesystem support. Very handy for burn-in testing systems with no OS, rescuing files to a network share, virus scan and so on." It has specific packages which enable you to perform work on a Windows NTFS system without booting from the hard drive. I find it still very cool and useful.

It compares favorably, to me, the functionality of the PCLinuxOS Mandrake live CD. Both enable me to boot, plug in my USB hard drive and copy files from my Windows XP/2000 NTFS partition with no security checks!

Live bootable CDs that don't require installation

My point is that its not a "Linux Innovation".
And they are Windows Innovations when Apple and Unix were truly first?

Lack of major third party support? Real Player? QuickTime 6.X? The point is that you can't say Mozilla = Linux, so any innovation in Mozilla isn't a Linux innovation.
There is Real Player support for Linux and they contribute to it, just don't officially support it.
QuickTime (and Real) works with most Linux video playback software. You only need to right codec's (which is no different then anything else)
Correct, internet browsers are not a far comparison since only Microsoft considers their browser to be part of the OS, claiming Innovation

http://www.nu2.nu/pebuilder/
Thanks for that link, it's a start but still involves the user to build the ISO themselves. Avoiding Microsoft's licensing problems.
Thanks though, I did not realize there was such a project

No we are talking about "Linux innovation" vs. "Windows innovation". If Unix (in general) had it before Linux was even created, then how can it be a Linux innovation?
How can it be a Windows Innovation, also?

1. It is way too complex. There is no way you can understand it all or hand edit it if required.

That's a programmer problem, not a design problem. Not to mention that many config files are way too complex as well. One thing that's nice about config files, however, is that you can include comments. While you could do this with the registry (with the EXPAND_SZ, expand string, type) it's not optimal as it increases the size. And nobody does it. [aside]If programmer's don't want you to change values or the values are meaningless...why make it changeable? Why not hard code it?

A redesign of the registry with a seperate table for comments would be interesting, I think. That way, when using editing tools, the comment table could be referenced. But, when loading or executing software, the comments would not hinder performance.

If it is corrupted, your whole OS won't even boot.

While I somewhat agree on this point, I have to note that corrupted config files will also prevent Linux from booting. I don't know the format that Windows uses for the registry tables, but it should be recoverable. Also note that I've yet to see any registry corruption on Win2000+, except with HW failures. I think the inclusion of something similar to BartPE or ERD Commander would also be a worthwhile replacement to MSFT's extremely limited Recovery Console. And frequent, automated, timed backups of the registry (at least OS configuration) should be done.

3. Its huge! 45MB of my fairly clean XP box.(although it is in a domain and has policies applied to it, etc, etc, but not much software)

My Win2003 server, excluding registry backups and the user.dat portion, is only 23MB. 17MB of that is in HKLM\SOFTWARE (I have a lot of software installed). Perhaps someone handier than me in Linux could tell us what size all of the config files for a normal desktop come to (actual space on disk, ot just data size).

You can't move the registry between machines, let alone between different versions of Windows. I can move my .config file between the 2.4 & 2.6 kernel if necessary, it just ignores what it doesn't know.

While true that you can't move some parts of the registry between machines (parts dealing with hardware and the like), software configuration is easily moved. I don't recommend moving the entire hive, as it would no doubt cause problems, but .REG files can be imported/exported with no problem. And .REG files are pretty portable (and text based), though it does require some editing and checking of data types to move from NT based to 9x based machines. With NT becoming the standard, though, that concern should go away.

Several smaller independent registiries might work better. e.g. one for linux conf, one for X, one for KDE, etc. So each one has a small well definied file for all configs.

Perhaps a DBA could chime in with better info, but I think that you would then be duplicating database structure overhead on each of those files. While I see the concern of a single point of failure for all software in the machine, automated backups and sensible defaults should mitigate that somewhat.

I think the main advantage of the registry is a central location for configurable values. By using a database, you should also have the advantage of database reliability and performance. Of course, the real problem with it would be getting everyone to use it.

Yes, I know I risk that rath of the Linux folk, and personally I use a Knoppix CD most of the time, but there is a way of building a live CD with a copy of WinXP on that runs *entirely* from the CD. Legally too, it would seem.

http://www.nu2.nu/pebuilder/ has a application that builds a modified, bottable .ISO image to be burnt by your program of choice.

You can add various AV products, network connectivity stuff and Ad-Aware, plus tons of other stuff I can't be bothered to list.

(Apologies for any typos or a bad URL - preview doesn't seem to be working right now...

PEBuilder.

Windows Live CD! And internet explorer is not integrated as a bonus.

And MSN Messenger will never bug you again!

here

You may have seen the Slashdot article on it a few weeks ago, but I'd seriously recommend checking out Barts PE Builder. I've been using it since October on customer's machines and you'd be amazed how often just an Adaware scan will bring a machine from barely running on its knees to being extremely usable again. It's an amazing tool, and it's saved me a ton of time that otherwise would've been spent doing a full reload, restoring settings and other software.

Trust me, I understand how badly the average user abuses their machine, and that sometimes reloads are the only way out. I've just noticed that there's a rather large percentage of Slashdotters that experience the same problems when they should know better. If you're one of the more technically inclined, I don't really see an excuse. That's the reason I felt compelled to jump up in XP's defense, even though I far prefer Linux or OS X over Windows.