MicroWinpeBuilder to adapt its own Winpe : tutorial or 'under the hood'?

Hi slore,
Thank for your feedback. My English is so poor that sometime, someone can't undestrand me.
When i said

And Yes, this solution is not a good idea because with the next version of winpe, the address will be modify.

I speak about "my" solution because address base + 2F9 can change with a new version of windows.
And yes, the WinpeSe team's solution with wind+MsgHook" is the best solution because it doesn't use an "hard" address but implement all the code that explorer.exe doesn't do.
And no, i'm not good in disassembling program. I use Windbg like a beginner.

just write 100 lines code in 1 or 2 hours

Bravo! i don't be able to do that.

You said

I want make a hard patch to switch the default jump, but the explorer.exe cann't startup with the change

- i use a exe and hook.dll to do that "dynamicaly" and put it on early posts
- do you modify the checksum of the file explorer after modify it ? I suppose yes but you don't say that. so i ask ....
- can you see with procmon64 some thing or make a save file .PML ?

note : as i understand the code and my test, it is also the first jne that must be disable not only the second. The flag is base + 2F9 in build 14393. And i don't know the role of Base+2F8. 

00007ff6`01c96a7f 418887f9020000  mov     byte ptr [r15+2F9h],al >>>>>>>>>>>>>>>>> on retrouve bien l'adresse du ba
00007ff6`01c96a86 84c0            test    al,al
00007ff6`01c96a88 0f851f660700    jne     explorer!`TileBadgeProviderLogging::Instance'::`2'::`dynamic atexit destructor for 'wrapper''+0x1512d (00007ff6`01d0d0ad)
00007ff6`01c96a8e 4138bff8020000  cmp     byte ptr [r15+2F8h],dil
00007ff6`01c96a95 0f8512660700    jne     explorer!`TileBadgeProviderLogging::Instance'::`2'::`   >>>>>>>>> change jne to je

So, twice 6  "NOP" ( one for each jne ) seems to me to be better because "je" need to calculate the "delta" of offset.

See you later

hi, noelBlanc

so quick reply.

>just write 100 lines code in 1 or 2 hours
EnumWindow,check window state and save them, then ShowWindow(Sync), some thing like this,
for me that is easy rather than ~"Windbg" things.~

>- do you modify the checksum of the file explorer after modify it ? I suppose yes but you don't say that. so i ask ....
yes, 0f85xxxxx -> 0f84xxxxx, and PEchecksum.exe explorer_modifed.exe.

- can you see with procmon64 some thing or make a save file .PML ?
I will try this.

>note : as i understand the code and my test, it is also the first jne that must be disable not only the second. The flag is base + 2F9 in build 14393. And i don't know the role of Base+2F8. 
sorry, I had a typo on it.I was changed the first jne not the second one.
(learn the windbg skill from you, I follow the Tray::ModeChange message get the BASE+171h in my version,and it is the first check in Tray::_RaiseDesktop)

>use a exe and hook.dll to do that "dynamicaly" and put it on early posts
I change the BASE+171h,or the jne to je in  "dynamicaly" with Visual Studio, That also worked.

>twice 6  "NOP" ( one for each jne ) seems to me to be better because "je" need to calculate the "delta" of offset.
I will try the 909090909090

thank again, that you is sharing your research(also the process), and How to  disassemble explorer.exe with windbg.

Hi,
@ slore : i hope you get your goal.

I'm happy, i get a winpe for version 1703 (rs2) with my scripts wrote in PS. I detect many bugs.
The first (and i forget it each time i'm in front of a new version) is the missing D2D1.DLL.MUI. With DWM, winpe displays a black screen. Cursors are diplaying but not the border and not the text of a cmd box.
And for research, i use procmon and the functionality "capture on boot" : very friendly in a vhd and mode Flat !

Also, in my last PDF, i put an email address. And i'm happy to receive an email. And happy to help  to get a winpe ( 1607 ) producted by ADK and with mstsc and NLA , with nothing else.
For the fun i get mstsc with NLA in the winpe 1703 in which implementation of NLA is a little different than winpe 1607.

Currently, I meet a lot of anomalies with the 1703 version. The main: Desktop/explore hangs with the session System. And also delays for the ADM session.

I'm going to bike for a long time from 15 May. So not sure i can finish PDF and scripts. Maybe in a few months.

Hello
Version 1703 imposes many changes in the PDF file and in my scripts.
Several anomalies have appeared with this version.
I have very little tested and I have not made any changes in the scripts since I left in May.

MSTSC with NLA works in this version: This is the only point I really tested.

I just finished the update of the PDF file v 3.6. Main additions:
-an investigative method when switching to a new version when nothing works
-Launch of Procmon.exe automatically when starting WINPE : all activity is captured

hello,
After more than a week without understanding why the popup menu "NEW" was empty, I ended up finding what Chrisr and the Theoven team had found Ben long ago.
And besides, I checked in their script as a final check, to be sure I had all the elements in hand.
Bravo to them.
I drop my scripts adapted for the V1709 which do not serve much but which are the result of my long evenings of laborious quest.
I will do a little bit of doc to explain another method of investigation:
From a freshly installed W10 in a VM, explain how to modify the essential hives to get a WinPE with "almost" all elements of W10, services, files, keys and also the elements added by the installation phase of W10 (very Important to keep that in mind)

But since I have to reinstall everything to validate, this will be for later.

In this new version for only v1709:

USB printers are always available. But requires a bit of personal work to inject the drivers of its printer and modify the scripts.
Network printers are available for the ADM session only.
I try to make them visible in the control Panel "devices and Printers"
IE64 ok for ADM, but F12 NOK and download NOK for System
MSTSC works from the System session with the NLA mode

I am trying to run Termservice (incoming call in WinPE). For fun because not really useful

"Tscon.exe 1" resists me.
(Because my bad english i use a translator...)

Hi, noelBlanc

nice to see you back, to continue some research. 

I will do a little bit of doc to explain another method of investigation:
From a freshly installed W10 in a VM, explain how to modify the essential hives to get a WinPE with "almost" all elements of W10, services, files, keys and also the elements added by the installation phase of W10 (very Important to keep that in mind)

hi Slore,
Happy to see you again.

My goal to occupy this early winter :
- in a VM (hyperV), i install a W10Ent
- i put new objects and modify some others
- and now the VM boot under Winpe with a "big" context ( files, keys, new objects, etc, which came with install)

It's well documented on internet ( perhaps in this site ). It's not the first time i use it. I think it's an other good way to investigate.
it's an easy way to disable services ou drivers, compare files, etc.
Need some time to modify manually.

I try to note the modifications in the attached files before to update my pdf.

The next action ( next week ) is to put the VHD in a USB disk and boot on a physical machine. I hope material recognition will be ok.

The real reason is that I do not find how to make the printers appear in the "classic" winpe configuration panel when they appear well in this "obese" winpe.
Idem for MSTSC from a computer to a winpe machine ( yes, not very usefull to see the screen of winpe on my computer, but funny to search ).
Session ADM not very good in this big winpe.

I just try the VHD in a physical machine : it works very well, mp4, printers, and i can use mstsc from an other computer via RDP.

I want to build microwinpebuilder. One time i had built previously and lots of time passed until from that time. Today i try to build but it wants ADK for to be installed. Why it needs ADK? Does it uses boot.wim and other packages from ADK? ADK build, installed system build and the build that is used by microwinpebuilder versions needs to be match each others? Microsoft frequently relases builds and it is difficult to mach versions. Which windows build does it support latest. I want to build from 16299.15.170928-1534 does it supported?

Hello vvurat,
Happy to see you.
Be patient with me, because my poor english. I use a translator but ...
When a new version is product by Ms, i forget old ones. Actually, ADK and ISO for public match 16299.rs3.170928. I construct my VHD from this version.
My goal is to investigate how to put explorer.exe and some other elements in winpe. And because MS makes many changes each time, my script should become a long sequence of "if version = x". Too complexe for me.

Yes, like i say in the file PDF (section "Construction scripts") and in the "presentation", the scrips PS is only an help to inject "data" in the file boot.wim that comes from ADK.
So, ADK is mandatory. This is a big difference with winbuilder and the new pebacker.
The first step launch "copype.cmd" of ADK.

The second step launch many "dism" to add packages of ADK. You can modify the script for remove or add other packages, drivers.
When this two steps are done, the script product a file named "boot.wim.AvecPaquetsDeBase.export".
For the third step you can use your own boot.wim file if you want ( with your packages and drivers and so on). My scripts use the tree that becomes from "copype.cdm".
Only rename your file with the good name "boot.wim.AvecPaquetsDeBase.export". You can modify the script "traitement.ps" if you want to change this name.

The third step mounts boot.wim, mounts its hives in the registry, and use some files from the ISO of the OS Win10.
So Yes, the version of ADK much match the version of the ISO of Win10. You must mount the install.wim of this ISO for the script can copy some files (the third parameter in the tab "Entries") .
This step use also some tools (dism...) from the host. So, it's better (perhaps mandatoty ?) that the host machine version matches the ADK.
This step copy files, modify hives of the boot.wim, dismount boot.wim. Because i'm the only one user, the script has a few custom for my site and my use ( drivers, printer). You can modify or i can help you.

Actually, the first time the step 3 is playing, it missed many files. I use this first "step 3" to read the log and see if bigger errors occur.
Perhaps it's time to correct some thing in script.
After this fisrt "step 3", i put my drivers and wifi informations (SIID and password), drivers printers for my site, etc, in the good directory.
There is an "issue" in my scripts, i can't put before the tree is construct by "copype.cmd".

At this time, only one person ask me to use my scripts. At the end of his request, i create a simple script "cmd" for him. He only want to put mstsc with NLA works with a gateway server in his boot.wim without launching my scripts.

I hope this can help you. If not, you can use MP. ( or my email in the pdf or one you know )

In the middle of your technical explanations (as i understand you want to get rid of "unknown hard error" of explorer.exe) do not want to distrub and ask my stupid and easy questions of "how to build". So want to keep it short but i need a working iso build and that build needs to match my own handmade build so maybe i can find where i make a mistake. As you said there are lots of frequent builds of microsoft it is difficult to match build numbers. I could not find a warez build so i try if i could build myself with other tools. I try with winbuilder but it does not accept 16299.15.170928-1534 source iso or maybe i could not succeed. I thought maybe because iso has install.esd so i converted esd to install.wim but not accepts iso file. I have try your builder on windows 7 but it asks powershell 5.0 so i have succeed to open under windows 10 but confused if (WINDOWS I USE VERSION=?need match=?ADK VERSION=?need match=?ISO I WANT TO USE version) I will try to build but if i could not succed i want you to share prebuild version of yours with me if you mind 16299.15.170928-1534.

You and me looks same because we are alone and try to make somethings by ourselves. There is nobody that can help us. Other projects have teams and when someone stucks at some point they can go on with the help of another person. I wish to help you but you are nearly know as much as me. You know how to use all registry, only thing i could help can be as file list.  Because of Microsoft renews iso frequently building winpe is not interesting much. When you finish one version another windows version releases and your all work goes to nothing. People alwas interested to latest versions. For me 10240 or 10586 could be enough but it is not interesting if nobody interests with you same time. When you try to discover the latest version this time if you could not solve a problem and do not know how to solve (registry or file list) nobody could help you so you need to wait until some other projects reach your level and find the solution. I have not try to build windows 10 build last 1-2 years, only watching other projects solve registry file list and give me fundementals for me to build my own. So i do not loose my weeks and months to find them :) this is much better. Sometimes (like now) i try to build on my own not to forget my knowledge and for to remember. I appreciate your effort and courage that you have not gived up to work alone. Up topics you said you have spent long evenings. Why? Is it just a hobby or for your work software you need a winpe. As i remember you were need this winpe for your job.

One time i have try your build (you have send me) It was ok and nice but you keep file list too much. Last user probably will not demand to use it because it is big and lazy. I do not know how it is now, probably big again beacuse you are working on printer and remote desktop. I can advise just make a simple small fast effective build as default after add some powershell files to add more features maybe can pull interest of other people on it.

Best people on building Winpe are chineese people. Because everything is free for them. They can share every file, build, distribution. They do not bother, care, american laws. So there is nothing to stop their development. Maybe there should be password protected subforum close to public to share everything.

Keep it easy. Do not bother with "if version = x". Let the users can customize it. If you can do it take a simple file list txt file, can change in every version 1709.txt maybe. Registry is the most easy stuff convert to X:\, change a few values very simple and customizable.

I continue to play with IE11-64bits

Do you have a list of services/files needed for IE11x64?  I would like to integrate into my build... btw have you tried x64dbg?

Hi bob.omb,
My two lists ( files and keys) is embeded in the script "traitement.ps1".
Perhaps you need to modify it because explorer and InternetExplorer are very dependant.
And it is possible that i use a file for explorer that winpese does not.
In my pdf, i explain the "key" : x86AppPath
And also some limitation for "system" account and "dowload" action.
If you dont find all you need, tell me and i'll post these lists
I use only windbg, too difficult and too late to change.
Ps : sorry for my english, at this time of the nigth i try pour write without using a tranlator

noelBlanc,

    I pieced together a plugin for IE11 but it is not working correctly.  I have the download function working fine but I am missing something else.

Any chance you can take a peek and see what I missed? (If you remember..) Or post list? I didn't get it all.

http://theoven.org/index.php?topic=2385.0

Source + Host: Win10 1709 16299.15

Hi,
@bob.omb
Thank you  for reporting that my email "noelblanc.winpe(at)free.fr" is currently inaccessible.

This email account doesn't work since April 2017.
That those who would have wanted to join me at this address excuse me.
I invite them to join me by MP if need be.
...
My email is now ok.

Hi,
The idea is to implement the traces in Explorer. exe since there is a WPP record.
But before that, I want to start with an apprenticeship with WinDbg.
The trace mechanism looks identical to me in Explorer. exe and in TERMSRV. dll.
I have long wanted to understand how to implement WinDbg in a service.
And a wrapper around Termsrv. dll caught my attention by the complexity of its code and its few lines.
So I start by trying to implement Windbg to figure out how to enable traces in Termsrv.

The DebugService. txt file contains the log of my "searches".
The note. txt file contains the bits of code that seemed useful to me to progress.

The conclusion after almost a month of reading and analysis:

- ETW traces are available in WinPE
- Their implementation with logman worked only in my "full-flat" environment (see in first post)
- The traces bring information that is not in the event log (terminal...) but are less verbose than I thought. There is no tracking functions (the code is not present or I do not know how to activate it)
- logman produces an ETL file
- MOF files are missing, so TRACERTP does not produce "CSV" and EVENTVWR. MSC does not display anything

Question: Would the "checked" version of the OS binaries bring a better result?
Note: I don't even know how to get it and its volume must be huge.

good to see you make progress in bit

I am good in coding than tracing.(I hope I can do it)
as I develop some Windows program,
the SYSTEM session also called as LOCAL SYSTEM ACCONUT(LSA).
in the session has high file privilages but no NETWORK service access privilage.
so this make IE , printer work hard.
teamviewer need Administrator account.

I hope there is a way to have a option for runas Admin not to
switch to Admin session.

Hi slore,
I'm happy th read you.   :smile:I know you are a good developper and a good user of debugger with VS.
VS is too complex for me. Windbg is small and simple.
I read all posts in this topic for collect some informations about "security" issues in system session.
I find something and i look in my pdf :
"Procmom displays the message « loading symbol...». But the download does not take place and
therefore symbols not displayed.
It is where the local cache is very useful. We start by making the same consultations with the ADM
session and cache fills. Then we start again with the session System: procmon consults the cache
previously filled"
With windbg (i look in termsrv.dll to get trace) : same issue.
And it works in adm session !

In system session.

-I can install spooler. I can install my printer in local. I can use it . And it's true, i can't install it via a remote machine
-In adm session, i can use local and remote printer !
-IE64 works fine. Also "degugger F12". But feature "download" does not work completely.
File is downloaded on the machine in a directory. But not appear in the directory "download" of the profile.
I explain somewhere that the directory "...\appData\local\microsoft\windows\inetCache\ie" doesn't contain the 4 subdirectories "XXXXX".
But the dowloaded file is stored under "...\IE" directly.
I also note the absence of the environment variable %localAppDAta% in the system session

Nevertheless,in the system session, i can do "net use \\remote..\share /usesr:...".
So System session can access to the network.

Without real research on my part:
- i see some posts ( but where ) about teamviewer and i always think it works in winpe. "my poor english..." if I misunderstood.
- in a sens, mstsc + NLA works fine. From my winpe i can use my win10 normal.
- in the other sens, in my "full-flat" winpe (see newMethodeInvestigation upper), i constat that "remote desktop" works fine. I can take control of winpe from my win10 normal

It's true, i never use teamviewer.
Actually (v1709), "tscon 1" is broken (return to system from adm). Perhaps other features in the futur.
I wonder if it is not easier to look for a workaround for each point blocking
In conclusion, yes, it's a big work to understand the security mecanism in winpe.
I'm not sure i can bring some new things.

Best regards

Ps : are you waiting soon for a baby or an other time i misunderstood
you can use my email noelblanc.winpe (at) free.fr, i think your PM messenger here is disabled

Why do you like the system account better than admin?

I personally use admin session even with broken tscon 1 in 1709

I use NSudo to run as system and everything else runs as admin therefore everything works.

I cant think of a good reason to use system account at all.....

Hello,
slore seems to prefere system account.
Personnaly, i have no need of winpe because i'm retired. I play with it to add feature and try to understant how....
So, i play with the two accounts.
For my "game", i prefere system account because open adm session is more longer than system session.

I take this moment to say that when I was working in a large company with more than 60000 PCs, it was unthinkable to bring in a program downloaded from the Internet to avoid any risk of infection. Also, we only use MS or pay products in order to be able to take legal action if necessary. Note in the last years, we use WTG (windows togo). Full, rich and efficace.  And I guess it's also that reason that pushes "newbies" from the Forum to build/edit them even their WinPE to add one or two features. And it's hard to find rapidely the right information. That's why I tried to provide it with my pdf but I know I failed
But i continue....

Hi,
I managed to find the difference between my "full-flat" environment and my WinPE which prevented the operation of Logman.
Logman uses the Schedule service for its schedules. And Schedule uses the TIMEBROKERSVC service. This is this last service that was missing in my WinPE.

-->> AFTER MORE TESTING : "logman create trace ..." is ok but "logman start.." is not ok !!! Why?

My observation: This "full-flat" environment in a large VHD has an advantage because it allows to have a fairly accurate idea of the maximum of features that can be added and run in a WinPE.
But I am aware of its limitations!

So i can return to debug my termservice (port 3389)  in my winpe