Category: Security

Posted on

PXE Windows PE under UEFI and Secure Boot Enabled

1. Download Windows PE add-on for the Windows ADK for Windows 11, version 22H2 and install.

In this example, Windows ADK Folder (default, C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Windows Preinstallation Environment) is %PEFOLDER% and the TFTP Server Root is %TFTPROOT%

2. Patch BCD in %PEFOLDER%\amd64\Media\EFI\Microsoft\Boot\

  • Change the path of Boot Manager to our file, \bootx64.efi 
    > bcdedit /store BCD /set {bootmgr} path \bootx64.efi
  • Disable Integritycheck and Change Bootmenupolicy to Legacy 
    > bcdedit /store BCD /set {bootmgr} nointegritychecks Yes
> bcdedit /store BCD /set {default} bootmenupolicy Legacy
  • Since linux file system treats file and directory names as case-sensitive, ramdisksdipath need to be modified in case that PXE is served on linux server 
    > bcdedit /store BCD /set {7619dcc8-fafe-11d9-b411-000476eba25f} ramdisksdipath \Boot\boot.sdi
  • Entries of patched BCD should be identical to: 
    > bcdedit /store BCD /enum all

Windows Boot Manager
--------------------
identifier              {bootmgr}
path                    \bootx64.efi
description             Windows Boot Manager
locale                  en-US
inherit                 {globalsettings}
nointegritychecks       Yes
flightsigning           Yes
default                 {default}
displayorder            {default}
toolsdisplayorder       {memdiag}
timeout                 30

Windows Boot Loader
-------------------
identifier              {default}
device                  ramdisk=[boot]\sources\boot.wim,{7619dcc8-fafe-11d9-b411-000476eba25f}
path                    \windows\system32\boot\winload.efi
description             Windows Setup
locale                  en-US
inherit                 {bootloadersettings}
isolatedcontext         Yes
osdevice                ramdisk=[boot]\sources\boot.wim,{7619dcc8-fafe-11d9-b411-000476eba25f}
systemroot              \windows
bootmenupolicy          Legacy
detecthal               Yes
winpe                   Yes
ems                     No

Windows Memory Tester
---------------------
identifier              {memdiag}
device                  boot
path                    \efi\microsoft\boot\memtest.efi
description             Windows Memory Diagnostic
locale                  en-US
inherit                 {globalsettings}

EMS Settings
------------
identifier              {emssettings}
bootems                 No

Debugger Settings
-----------------
identifier              {dbgsettings}
debugtype               Serial
debugport               1
baudrate                115200

Global Settings
---------------
identifier              {globalsettings}
inherit                 {dbgsettings}
                        {emssettings}

Boot Loader Settings
--------------------
identifier              {bootloadersettings}
inherit                 {globalsettings}
                        {hypervisorsettings}

Hypervisor Settings
-------------------
identifier              {hypervisorsettings}
description             Hypervisor Settings
hypervisordebugtype     Serial
hypervisordebugport     1
hypervisorbaudrate      115200

Device options
--------------
identifier              {7619dcc8-fafe-11d9-b411-000476eba25f}
ramdisksdidevice        boot
ramdisksdipath          \Boot\boot.sdi

3. Upload required files to TFTP server (For linux servers, capitalization DOES matter)

  • %PEFOLDER%\amd64\Media\EFI\Boot\bootx64.efi to %TFTPROOT%\bootx64.efi
  • %PEFOLDER%\amd64\Media\Boot\boot.sdi to %TFTPROOT%\Boot\boot.sdi
  • %PEFOLDER%\amd64\en-us\winpe.wim to %TFTPROOT%\sources\boot.wim
    Or customized windows 11 based .wim file can be used, depending on the purposes
  • patched BCD to %TFTPROOT%\Boot\BCD


PXE would fail if TFTP directory and file structures are not properly set (e.g. capitalization mismatch on linux server)

4. Verify with hyper V

Posted on

Windows Defender Credential Guard Prevents RDP from Using Saved Credentials

After recent windows update, Windows Defender Credential Guard blocks Saved Credentials when connecting to remote desktop.

CredentialUIBroker
AutomationId and ClassName of Fields

I modified my previous codes, and it now works for both types of RDP credential window.

CredentialAutoInput class can be used as following simple codes.

namespace UI
{
    internal class Uimain
    {
        static void Main(string[] args)
        {
            var u = new CredentialAutoInput();
            switch(u.GetId())
            {
                case "myid1":
                    u.Connect("myid1", "mypass1");
                    break;

                case "myid2":
                    u.Connect("myid2", "mypass2");
                    break;
            }
        }
    }
}
Posted on

BitLocker with CMD

To lock the volume,
C:\>manage-bde -lock [volume]

To unlock the volume,
C:\>manage-bde -unlock -pw [volume]

Posted on

Windows Equivalents for Chown and Chmod

TAKEOWN [/S system [/U username [/P [password]]]] /F filename [/A] [/R [/D prompt]]

Description:
This tool allows an administrator to recover access to a file that
was denied by re-assigning file ownership.

Parameter List:
/F – Specifies the filename or directory name pattern.
/A – Gives ownership to the administrators group instead of the current user.
/R – Recurse: instructs tool to operate on files in specified directory and all subdirectories.

Examples:
TAKEOWN /?
TAKEOWN /F * /R /A

ICACLS name [/grant[:r] Sid:perm[…]]

Description:
Sid:perm grants the specified user access rights.

Parameter List:
/T  – Recurse

Permission List:
N – no access
F – full access
M – modify access
RX – read and execute access
R – read-only access
W – write-only access
D – delete access

Examples:
ICACLS /?
ICACLS * /grant “Administrators:(F)” /T