Wes Miller Systems Management

Getting Started with Windows PE

Chances are you don’t know much about the Windows Preinstallation Environment, or Windows PE as it’s usually called, even though it shipped the same day as Windows XP. Windows PE was designed to allow Windows setup or a 32-bit imaging program to run on a PC even with no version of Windows installed. The idea was to make things easier for OEMs. Windows PE has evolved over the years and, as you’ll see, it can make your life easier as well.

AT A GLANCE
• The history of Windows PE
• How Windows PE can stand in for MS-DOS
• How to customise Windows PE
• Windows PE Q&A

Wes Miller is the Product Technology Strategist at Winternals Software in Austin, Texas, where he focuses on all Winternals products, including Protection Manager, the Winternals Enterprise Security product. Previously, Wes worked at Microsoft as a Program Manager and Product Manager for Windows enterprise deployment.

TechNet Magazine October 2006
To get your FREE copy of TechNet Magazine subscribe at: www.microsoft.com/uk/technetmagazine

For quite some time, MS-DOS® played a big part in Windows installation and setup, but eventually that became problematic. As both Windows and hardware grew more sophisticated, MS-DOS couldn’t keep up. Its shortcomings as a setup initiator for doing a custom setup were plentiful. Performance was a big issue, so was driver availability. These problems became the key impetus for replacing MS-DOS for OEMs and eventually enterprise customers.

A developer on the Windows setup team came up with the idea of integrating the different components of setup into one solution so that a simple boot CD could provide a minimal environment that would let 32-bit setup run, eliminating the problems with MS-DOS. With that, Windows PE was born.

Originally, the Windows setup CD included both a prebuilt version of Windows PE and a toolset that let you create your own build. Today, Windows PE is shipped only as the toolset; you need to build your own copy.

Eventually, Windows PE spread beyond the OEM community it was designed for. ISVs, enterprise, education and government customers all took advantage of it, and they used it for far more than the deployment scenarios we initially envisioned. They used it for recovery and diagnostics as well. Today, Windows PE is available for customers with Software Assurance, as well as Enterprise Agreements, Campus Agreements, and as a component of several other licensing agreements with Microsoft.

When running, Windows PE looks like Figure 1. You’ll note that it doesn’t include Windows Explorer, and as such does not have any of the regular Windows shell available. It’s truly a bare-bones installation.

Figure 1 Default Configuration of Windows PE Booted to the Command Shell

What You Get

As you can see in the sidebar “Windows PE Releases”, there have been a number of upgrades. The basic functionality of Windows PE was broadly expanded to allow OEM partners and enterprise customers to perform WMI queries on hardware and to initialise classes of devices that no one originally had expected would be used under Windows PE.

Windows PE was initially designed to boot from CD; network boot via PXE was an afterthought, and the hard drive method came very late in development. The intent with Windows PE was always to allow for a 32-bit environment with TCP/IP networking, hard disk access to enable imaging or scripted installation of Windows, and basic video support. Windows PE always uses the same basic VESA mode video driver regardless of the card in use. This lets it display very good colour depth and resolution on modern VESA-compliant hardware, though some older hardware may default to a very unpleasant (though usable) colour depth and resolution.

From the beginning Windows PE had only very basic Win32® API support, meaning that the Microsoft .NET Framework, DirectX®, TAPI/MAPI/SAPI, audio and many other high-level Windows would not be available. Windows PE users began to regularly request a number of additional features. We were unable to officially engineer these features into the product, but we did provide a script that would allow a Windows PE admin to add ADO connectivity to a Microsoft SQL Server, and HTML for Applications (HTA) and Windows Script Host (WSH) support to an image. These provided a handy framework of tools that have enabled some creative deployment and recovery solutions. Windows PE 2.0, which is scheduled to ship with , will add notable new capabilities.

Windows PE Releases

Here are the five releases of Windows PE, along with the name used to refer to each and its new features.

• Windows XP RTM (Windows PE). This version included PXE boot, CD boot, and a complicated boot from hard drive method that used the Windows as a bootstrap. You could build it from Windows XP Professional RTM media.
• Windows XP SP1 (Windows PE 1.1). It supported standalone Distributed File System (DFS) roots, improved boot from hard drive technique. You could build from Windows XP SP1 media.
• Windows Server 2003 RTM (Windows PE 1.2). This version could build from Windows XP SP1 or Windows Server 2003 (Standard or Enterprise Editions) media.
• Windows XP SP2 (Windows PE 2004/Windows PE 1.5). This version had support for WMI, the ability to add additional classes of drivers, the ability to cause plug and play rescan after boot, and the Windows Firewall. It could build from Windows XP SP2 or Windows Server 2003 media.
• Windows Server 2003 SP1 (Windows PE 2005/Windows PE 1.6). RAMDisk boot capability, USB Flash Drive boot capability, WMI, Drivers, PnP, Windows Firewall. It could build from Windows XP SP2 or Windows Server 2003 SP1 media (RAMDisk and UFD only supported with Windows Server 2003 SP1 Windows PE).

The last two releases became known as “Interim Windows PE” or simply iWinPE for short. They delivered a collection of features often requested by enterprise customers and OEM partners that simply could not wait for the arrival of Windows Vista.

Booting Windows PE

When you’re starting with Windows PE, one of the first considerations is how you want to boot. Over the years the number of boot mediums supported by Windows PE has grown (see Figure 2).

Figure 2 Windows PE Boot Options
• PXE (Pre-boot eXecution Environment) using RAMDisk boot technology
• RIS (the Microsoft proprietary PXE implementation, which is traditionally used to launch Windows setup over the network)
• Hard Disk (either directly or via a RAMDisk)
• CD (or an ISO-formatted DVD)
• RAMDisk (this allows for some very interesting scenarios which I’ll describe in depth in an upcoming article)
• USB Flash Drive (UFD)

Technically, Windows PE can also boot from an LS-120/LS-240 disk, though I’d never recommend it due to serious performance issues. USB Flash Drive boot is something we worked hard on for Windows PE 1.6. It works very well, though it’s only supported by Microsoft when an OEM provides it with a new system because there’s no reliable way to ensure that systems would have the necessary capabilities. This method requires BIOS-specific functionality that must be provided by the PC manufacturer, as well as USB 2.0 support.

Your particular needs will determine how you can best use Windows PE. The important thing to remember is that you can basically reuse the same technology across multiple boot methods, no matter which one(s) you choose.

Before you begin creating your build of Windows PE, you’ll need to make some decisions. A key question you’ll need to answer is who’s in charge? Will this be a self-service reinstallation solution that non-technical users will execute, or will it be used by your technical or IT support staff?

This is a critical question, since it will dictate whether you’ll have corporate branding on the user interface, whether you need to build protections in to keep users from running the installer accidentally, and many other issues. Here roaming user profiles or a separate user data partition for Documents and Settings can come in handy.

You’ll also need to decide if you’ll build in some help and support for your users, and whether the solution should run completely hands free.

Deployment and recovery solutions with Windows PE can be as simple or as highly engineered as your requirements deem necessary. I’ve seen some incredible solutions developed on this platform, including hidden partitions, getting build information from SQL Server or a network share, and mixing and matching PXE and CD/DVD boot mechanisms. The best part about Windows PE is the countless ways in which you can configure it to do your bidding.

Windows PE Q&A

Send your Windows PE questions to [email protected] and I’ll answer them as time allows.

Q: Doesn’t using Windows PE completely violate the NTFS security of Windows? Under Windows PE, the user runs all tasks as System, which is more powerful than local administrator.

A: It turns out this really isn’t an issue. Law number 3 of the 10 Immutable Laws of Security says, “If a bad guy has unrestricted physical access to your computer, it’s not your computer anymore.” (See microsoft.com/technet/archive/community/columns/security/essays/10imlaws.mspx for the complete article).

The point is that if someone can physically access your computer, there are numerous other methods besides Windows PE (a parallel install of Windows, an NTFS-capable install of Linux or even Mac OS X, or physical removal of the drive to another system running Windows) to remove or potentially destroy your data. True, Windows PE makes this more convenient.

To counter this threat—as well as Law number 3 as a whole—you should either physically secure your system at all times or use EFS to at least secure your data, or a full disk encryption product, which will secure your data and even your entire system. This is something you should be doing with your mobile systems anyway if they are storing any sort of confidential data.

Q: Can I PXE-boot Windows PE from anything besides RIS?

A: With the RAMDisk boot capability in Windows PE 2005, yes you can.

Building Windows PE

Building Windows PE generally requires two things: Windows PE build tools and a matching set of . The rule of thumb is that Windows PE build tools require a copy of Windows from that build of Windows (same service pack and product family) or the one immediately preceding. So for Windows PE 1.5, the build tools will check for either RTM media (either the Standard or Enterprise Editions) or Windows XP Service Pack 2 (SP2) integrated media. Note that the WMI features in 1.5 require Windows XP SP2, and the RAMDisk and USB Flash Drive features in 1.6 require Windows Server 2003 SP1.

To create a build of Windows PE 1.6, then, you will want to have the 1.6 build tools as well as a copy of Windows Server 2003 SP1 integrated media. Launch a command prompt and go to the directory where you copied the Windows PE build tools. At the prompt, type the following (the last four arguments are optional):

    mkimg.cmd [source] [destination] [ISO Image] [/PNP] [/WMI] [/NOWF]

Let’s say your Windows Server 2003 SP1 integrated media is on your D: drive; you want to build in C:\Staging and add WMI support; and you don’t want to create an ISO image immediately. Enter the command

    mkimg.cmd D:\ C:\Staging\ /WMI

and you’ll end up with a CD-ready layout of Windows PE with WMI support in your C:\Staging\ directory.

Now let’s add HTA and WSH support. At the same command line, enter:

    buildoptionalcomponents.vbs /S:D:\ /D:C:\Staging\ /HTA

You don’t need to specify WSH; the script implicitly adds it because it’s required by HTA. (You could also add ADO, but you don’t need it for the samples here.) Once this build has completed, be sure to add the optional components installation command to the startnet.cmd file (the “autoexec.bat” of Windows PE, if you will—it’s the file that automatically executes every time Windows PE boots after Win32 has started). Open the startnet.cmd file in Notepad (be careful not to execute it on your PC as it can cause an errant machine rename). To the bottom of startnet.cmd, add the line:

    OC.BAT

This batch file will install HTA and WSH support once Windows PE has booted.

Now you can add the sample HTA-based wizard that’s available on the TechNet Magazine Web site (microsoft.com/technet/technetmag/code06.aspx) to your Windows PE image. Just download the ZIP file, open it, and copy all the files to your C:\Staging\I386\System32 directory. I’ve designed these scripts so that the most destructive parts are placeholders that show you what the command should be, but they don’t really repartition, reformat or reinstall anything.

If you want the wizard to run automatically upon boot, add wizard1.bat after the OC.bat line. See Figures 3 and 4 for a view of what the finished utility wizard looks like.

Figure 3 Windows PE Wizard

Figure 4 Choosing a Task

This is merely a simplistic HTA example I’ll build on in future articles, but the basics are here to allow you to begin a user-initiated setup procedure.

Once you have added the HTA files and any drivers or other files you want on your CD, you can easily create an ISO image by entering the command:

    OSCDIMG -n -betfsboot.com C:\Staging\ C:\Staging.ISO

Note that you must include the -n parameter in this command or the names of the WinSxS directory (containing Windows side-by-side assemblies) will be trimmed and basic elements of Windows PE, such as Notepad, will silently fail.

After you create the ISO, you can burn it to a blank CD or DVD. Remember that the CD-burning software built in to Windows XP won’t work for this—you’ll end up with a coaster with a copy of the ISO on it. You need either a third-party software package that will burn ISO images directly to media or use the freely available solution called ISO Recorder. You can download it at isorecorder.alexfeinman.com/isorecorder.htm.

Maintenance

When we first shipped Windows PE in 2001, I thought people would have to maintain it periodically to install new drivers. The ubiquity of IDE drives and standard 10/100 Ethernet meant that the driver set we shipped with Windows XP was huge. The set that shipped later with Windows Server 2003, while more refined (it dropped some NIC and storage controllers that are more consumer-focused), still covered most systems unless they had SCSI storage or gigabit or other high-end Ethernet. The proliferation of Serial ATA and Gigabit Ethernet (and other high-end storage and networking) means that adding drivers to Windows PE isn’t something reserved for the datacentre build team anymore. Adding network controllers used to be quite complicated. Since Interim Windows PE, all that has changed, thanks to DRVInst.

To add a new driver now, all you do is run drvinst, specifying the class of drivers you want to install, the source, and the destination Windows PE install. To add all network drivers from any Windows CD that have not been included yet, run:

    drvinst.exe /OSCD:D: /onlyclass:NET C:\staging

Adding the operator /q to this command will cause it to run without asking for any verification. Only network drivers (they have class=Net in their .inf files; most also have names that begin with “net*” but you can’t count on that) are installed post-boot for Windows PE. If you want to add any other driver types, you can use drvinst to add them to your Windows PE image, but you’ll also have to add the /PNP command when building Windows PE, or Windows PE won’t initialise them.

Alas, mass-storage controllers aren’t so easy. You either need to press F6 very early as Windows PE boots and specify a floppy disk that contains a txtsetup.oem file and the driver to use or use the following steps (specific to the Windows PE install we’ve been building) to add the driver. (Note that you can’t use a USB Flash Drive or any other kind of media here.)

1. Create a directory called Driver1 under C:\Staging\I386\System32.
2. Copy the entire contents of the floppy disk/image provided by your vendor to the Driver1 directory. This is the best way to ensure you don’t omit any DLL or other files required by the driver in order for it to load.
3. Using Notepad, open C:\Staging\I386\system32\winpeoem.sif.
4. Remove all semicolons from the [OEMDriverParams] section (three lines total).
5. Add Driver1 to the OEMDriverDirs line. Do not include quotes, and if you need to repeat the first step for multiple drivers, add them here as well, separated by commas.

Note that you may have to edit the vendor’s txtsetup.oem file to ensure the device you are trying to load is the one specified in the [Defaults] section of txtsetup.oem. Only one default can be specified.
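The Maintenance section notes that network drivers carry class=Net in their .inf files and that the "net*" file name cannot be relied on. The following is an added example, not code from the article or from the Windows PE tools: it reads the Class value from the [Version] section of each INF and lists network-class files that the name-based shortcut would miss. The function names and the sample INF contents are constructed for illustration.

```python
# Constructed INF snippets (file name -> text); not taken from any real driver.
SAMPLE_INFS = {
    "netvend5.inf": '[Version]\nSignature="$Windows NT$"\nClass=Net\n',
    "vnd1000.inf": '[version]\nsignature = "$CHICAGO$"\nclass = NET ; adapter\n',
    "vendraid.inf": "[Version]\nClass=SCSIAdapter\n\n[Manufacturer]\nClass=Net\n",
}

def decode_inf(data):
    """Decode raw INF bytes; vendor INFs may be UTF-16 with a byte-order mark."""
    if data[:2] in (b"\xff\xfe", b"\xfe\xff"):
        return data.decode("utf-16")
    return data.decode("latin-1")

def inf_class(text):
    """Return the Class value from the [Version] section, or None."""
    section = None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()      # drop trailing comments
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "version" and "=" in line:
            key, value = line.split("=", 1)
            if key.strip().lower() == "class":
                return value.strip().strip('"')
    return None

def network_infs(infs):
    """Names of INFs whose [Version] Class is Net (case-insensitive)."""
    return sorted(n for n, t in infs.items()
                  if (inf_class(t) or "").lower() == "net")

def misnamed(infs):
    """Network-class INFs whose file name does not start with 'net'."""
    return [n for n in network_infs(infs) if not n.lower().startswith("net")]

if __name__ == "__main__":
    print("network class:", network_infs(SAMPLE_INFS))
    print("not named net*:", misnamed(SAMPLE_INFS))
```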
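Steps 4 and 5 of the mass-storage procedure above are hand edits to winpeoem.sif. The following is an added example, not code from the article or from the Windows PE build tools, showing those two edits done repeatably: it uncomments the [OEMDriverParams] block, appends directory names to OEMDriverDirs without duplicates, and rejects names containing quotes, commas or path separators. The function name is hypothetical, and the sample file text is constructed; only the section name and the OEMDriverDirs key come from the article.

```python
import re

# Constructed excerpt of winpeoem.sif. The section name and the OEMDriverDirs
# key come from the article; the OemDriverRoot line and layout are assumptions.
SAMPLE_SIF = """[Version]
signature="$Windows NT$"

; Uncomment to load extra mass-storage drivers
;[OemDriverParams]
;OemDriverRoot=""
;OemDriverDirs=
"""

HEADER = re.compile(r"\[([^\]]+)\]$")
SETTING = re.compile(r"(\w+)\s*=\s*(.*)$")

def enable_oem_drivers(sif_text, driver_dirs):
    """Steps 4-5: uncomment [OEMDriverParams] and list driver_dirs in it."""
    for name in driver_dirs:
        # Bare directory names only: no quotes, commas, spaces or separators.
        if not re.fullmatch(r"[A-Za-z0-9_.-]+", name) or not name.strip("."):
            raise ValueError(f"unsuitable directory name: {name!r}")
    out, in_section, found = [], False, False
    for line in sif_text.splitlines():
        bare = line.lstrip("; \t").rstrip()
        header, setting = HEADER.match(bare), SETTING.match(bare)
        if header:
            in_section = header.group(1).lower() == "oemdriverparams"
            if in_section:
                line = bare                      # uncomment the section header
        elif in_section and setting:
            key, value = setting.groups()
            if key.lower() == "oemdriverdirs":
                found = True
                dirs = [d.strip() for d in value.split(",") if d.strip()]
                for name in driver_dirs:         # append, skipping duplicates
                    if name.lower() not in (d.lower() for d in dirs):
                        dirs.append(name)
                bare = f"{key}={', '.join(dirs)}"
            line = bare                          # uncomment the key=value line
        out.append(line)
    if not found:
        raise ValueError("no OEMDriverDirs line in [OEMDriverParams]")
    return "\n".join(out) + "\n"

if __name__ == "__main__":
    print(enable_oem_drivers(SAMPLE_SIF, ["Driver1"]))
```

Prose comments outside the section are left untouched, and running the function again with the same names leaves the file unchanged.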