XP booting direct from USB Options

[Dietmar]

Hi all,

I have now Windows Vista on a 4 GByte Buffalo USB stick.
It is shown as a harddrive with the Hitachifilter and EWF is enabled, so the write protect swich can be set.

I am now surfing through the internet, looking what Viruses will do with this Vista.
I have no VirusScanner on that stick.

Nice to hear from you all
Dietmar

PS: The boottime is longer than 2 minutes.

EDIT: I notice, that Windows Vista is much less vulnerable for Viruses than XP with all its updates!

[Dietmar]

Hi all,

I downloaded from http://www.dependencywalker.com/
the program Dependency Walker, that works also on Vista. This program simply shows, which file
depends on which others. This program is very good to have a deeper look what is going on.

It shows me, that Vista sometimes uses, at the same time, two different versions of a DLL with the same name but different build states brrr...

I think, that is the meaning of the folder winsxs.

ONE DLL with a lot of different build states stays there.

They try to overcome the problem, that a program is only tested with one and only special version of a DLL and works perfect with that version but with no other.

So, if you delete most of the content of the folder winsxs with its 3.4 Gbyte, make sure, that you keep all the DLLs that you need. This way I put 3 more x86_ folders into winsxs.

Nice to hear from you
Dietmar

[Dietmar]

Hi all,

the EWF filter increases the boot time from Vista from 2 minutes to about 5 minutes.
I have no idea why. I deleted now some entries in EWF.reg. But this does not help.

Nice to hear from you
Dietmar

PS: this is the minimal contend of EWF.reg , to make EWF work


Windows Registry Editor Version 5.00


[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ewf]

"ErrorControl"=dword:00000001

"Group"="System Bus Extender"

"Start"=dword:00000000

"Type"=dword:00000001



[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{71A27CDD-812A-11D0-BEC7-08002BE2092F}]

"UpperFilters"="Ewf"



[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ewf\Parameters\Protected\Volume0]

"Type"=dword:00000001

"ArcName"="multi(0)disk(0)rdisk(0)partition(1)"

"Enabled"=dword:00000000


EDIT: With the help of msconfig.exe on Vista I can see , that it is indeed the driver
ewf.sys, which needs 210 seconds to be loaded.

[Dietmar]

Hi all,

today I got my 8 GByte Transcend JetFlash2A 8192MB, USB 2.0 (TS8GJF2A)
USB stick. I will test some progams, whether they run without any problems on the stick under Vista.
I also get the new version Build 5492.

Lets see,

Nice to hear from you all
Dietmar

EDIT:The Transcend USB stick is slow, compared with those from Buffalo.
But the people from Transcend gave him an MBR structure exact as a harddisk.
But the removable Bit shows it as a removable device.
Also, I get an exemplar with no switch to make it writeprotect...grrr.
Examples with the writeprotect switch and without have exact the same number TS8GJF2A.
So you have to SEE the USB stick, which kind it is.

To jaclaz: Do you know a productionstool or something like to set the removable bit to nonremovable for that controller that CheckUDisk shows me as 0151?

[Dietmar]

Hi all,

bad news.

The new Vista version 5472 (and newer ?) cant be installed direct to an USB device.
Hihi, Microsoft seems to read this forum frequently.

There comes a message: "Windows cannot be installed to this disk.
Setup does not support configuration of or installation to disks connected through a USB or IEEE 1394 port."

But this does not impress me much .

I am just installing it as normal and copying it after to a USB device with Fat32 .

You will soon hear from me.

>Dietmar

[Dietmar]

Windows Vista boots from USB

Author: Dietmar Stölting, 19. August 2006
dietmar.stoelting@t-online.de
Germany


Tutorial (Version 8 for Windows Vista Build 5472 or newer)

1.) Format your IDE harddisk with Partition Magic 8 with NTFS (about 20 GByte) and set it aktiv.

2.) Install Vista there as normal.

3.) Make a Bit by Bit copy of this partition with a Hexeditor ( I use Winhex 11.9) to your USB harddisk from
an external XP.
The 63 sectors with the MBR copy also. You do not need to format your USB device, because all that
partitions information is still there by a Bit to Bit copy.

4.) Continue with step 7.) in the Tutorial 8.

Perhaps it is also possible to copy the files and folders to a Fat32 partition as described on
http://www.911cd.net/forums//index.php?s=&...st&p=119093


Will be continued...

YEAAHHH this works...

[Dietmar]

Hi all,

I try to put the newest Vista Version
on my Buffalo 4 GByte USB stick with Fat32.

I send you a picture , when I succeed.

Nice to hear from you
Dietmar

PS: The newest version of Vista seems to be much faster than Build 5384.
And until now it seems to be resistent against the viruses of today.

[Dietmar]

Hi all,

the newest Vista version (hihi )
stays now on a Fat32 partition.

Ok, one step away from staying on a USB stick,
you will hear from me soon...

EDIT: Shrinking of Vista below 4 GByte works.
But the boottime increases now to 20 minutes .
Seems, as if Vista is looking after some missing (?) files.

I am working on this.

Nice to hear from you
Dietmar

[caligula]

Hi,

Dietmar wrote "... EWF is enabled, so the write protect swich can be set."

I installed XP SP2 on a 4GB USB-Stick also using EWF. It's working fine and the EWF
also seems to work, as the last modification date of the files doesn't change, but when
I set the the write protect switch, then I receive a BSOD with stopcode
0x00000073 (0x00000001 0xc000017d 0x00000002 0x...)

I also run XP SP1 on an SD-Card with set write protect switch without any problem.
I copied this installation to another 1GB USB-Stick and have the same result.
Without write protect switch set it's ok, with the switch set, the same stopcode.

I disabled EWF and set the write protect switch and then received a slightly different stopcode
0x00000073 (0x00000001 0xc000017d 0x00000001 0x...)
So in this case it's already failing at hive #1 as to be expected, but why it's failing on hive #2
with EWF enabled I don't understand.

Can anybody give me an hint, what might be causing the problem ?

[bilou_gateux]

Release: EWFTool by Dan

readme.txt

Description
-----------

This tool helps install and configure the Enhanced Write Filter driver and it's associated tools. This tool ONLY works with Windows XP Home, Windows XP Professional, or Media Center Edition 2005.


IMPORTANT NOTES
---------------

This package DOES NOT INCLUDE the actual filter driver files! Due to copyright restrictions, distribution of the EWF driver files with this package is not possible, so you must therefore obtain the files yourself. See the section below for how to obtain the driver files.


Obtaining the EWF Drivers
-------------------------

You can get the files you require from the Windows XP Embedded SP2 Trial, which is available for download from the following site:

http://www.microsoft.com/windows/embedded/eval/default.mspx

When you install the evaluation software, it will create a new folder called Repositories. Search the Repositories folder for the following three files:

ewf.sys
ewfmgr.exe
ewfntldr

The Repositories folder contains multiple versions of the files, so you must make sure you get the newest versions of the files (version 2.0.927.0 or above). Simply copy the correct files to the same directory as the EWFTool (the program included in this package) and then run EWFTool.


Warning!
--------

This tool makes some fairly low level changes to your system, including replacing your ntldr boot loader, and installing low level filter drivers. If anything goes wrong, your system could be left in a state where you are no longer able to boot. You should make a full backup of your system, and have a boot disk ready just in case. I recommend using using BartPE to create a recovery boot CD, especially if you are using the NTFS file system:

http://www.nu2.nu/pebuilder/

NB:
I'm not the author of this tool.
To avoid replacement of ntldr boot loader by ewfntldr, simply copy normal ntldr and rename it to ewfntldr in the same directory as the EWFTool.

[Dietmar]

Hi caligula,

dont use the EWFntldr.
Use your normal ntldr.

Type then after reboot in Command Prompt ewfmgr c:

Then you should get a message, whether EWF works.

If there comes the message, that EWF is enabled, you can switch to write protect.

Good luck
Dietmar

PS: What is the name of your USB stick?

[TheHive]

Pictures of Vista working please.

[caligula]

Hi Dietmar,

I tried your suggestion but it didn't work out.
I even received the
0x00000073 (0x00000001 0xc000017d 0x00000001 0x...)
meaning already the loading of the first hive fails.

What puzzles me most, is that I have a working version using a SD/SD-CF/CF-IDE adapter-chain
with the lock switch set. Meaning EWF is working with ntldr from ewf. Only when I'm trying to
use a clone of the SD-Card on the USB-stick it fails when the switch is set to write protect,
whereas ewfmgr c: is reporting "enabled" and it also seems no files are modified.

Some more information on my procedure:
- normal install of XP Pro SP 1 on internal hdd
- compressing the filesystem (NTFS)
- installation of ewf (including ntldr)
- modification of USB-Services as stated in your tutorial, no other changes (CriticalDevice,...)
- cloning to SD in external HD-Case using Acronis Partition Expert
- twice booting from SD in internal IDE slot without EWF enabled
one for windows to recognize the new hardware (SD/...), the second one to enable ewf
- enabling ewf (ewfmgr) and setting writelock on SD-Card => working without any problem
- cloning from SD to USB using ntfsclone from KNOPPIX as no other
tool listed the USB-stick as possible target
- using diskprobe from MS support Tools to "repair" NT-bootcode
(different geometry between SD and USB-stick)
- setting ewf off using regedit from running XP
- booting twice from USB-stick (same as from SD) and then enabling ewf (ewfmgr),
filesystem still compressed NTFS of course
- boot with write protection switch to off seems to work ok
- when setting write protection switch, boot gives BSOD on second hive-load

It seems there must be a critical difference for windows between an usb-stick and an
usb-stick with write protect switch. Perhaps it's somehow a different device and so ewf
is not enabled to "this" device ?

USB-Sticks I'm using:
- TrekStor USB 2.0 1GB
- Intenso USB-Stick 4GB

@bilou_gateux
Thanks for the hint to this tool, I didn't know of it. But as I have a working EWF on my SD-Card
and the author being not too communicative about what the tool is doing exactly, I didn't give it
a try (yet).

Caligula

[Dietmar]

Hi all, here it is.

[Dietmar]

Hi caligula,

to myself EWF makes some very astonishing things.
To put the new Vista version to the USB stick is only possible, when you make a bit to bit copy
with EWF set as enabled. Then you can set the write protect switch with no problem.

But if you disable EWF on that stick after with ewfmgr c: -commitanddisable -live
the data are committed to the stick. All seems ok. But on next reboot you got BSOD on Vista.
I never saw such a behavior on XP. Even if you enable EWF from outside again, you got BSOD.
I make a compare between working config and BSOD config. There are differences.
It seems, that an disabled or enabled EWF has still the possibility to change the
geometry of the USB device.
But this is impossible with the write protect switch set.

So EWF only keeps the data on your partition, but you can resize for example the partitionssize
with Partition Magic 8 with the working EFW on it, because EWF does not protect the bootsector, only the partition contend.

I have no idea what happens to you. But it is nearly impossible to say for me what might have happen to you, because there are so many steps that you have done with programs, I do not know enough.

Nice to hear from you
Dietmar

PS: A lot of things have changed with this new Vista version. Now EWF works without any problems
and there is no bootdelay anymore. You can use the XP SP1 USB*.sys drivers to bring Vista to desktop. 2 minutes is now the delay when booting from USB. This depends not on the USB device
or the loadorder. I booted Vista up with Group = Base in Usbstor. You can SEE , that in this case the driver usbstor.sys is loaded after the other USB*.sys drivers. But the 2 minutes delay stays.

I would say, that this a BUG in Vista Build 5472 in ntoskrnl.exe (I think).

It lasts one whole day, to shrink this Vista version below 4 Gbyte and putting it on my Buffalo USB stick
with the Hitachi filter and EWF enabled. One thing is very funny: Vista does not like to give a removable device a working bootsector. So copy the image of a harddisk to the USB stick byte by byte and voila,
Vista gives you the wished bootsector for Fat32 .

I disabled the pagefile and hibernation via Comand Prompt with powercfg -h off .
You must do this in Accessoires with rightclick on Comand Prompt and than click " run as Administrator".

[Dietmar]

Hi all,

I "solved" the mystery of suddenly BSOD with EWF after (some) reboot:

Sometimes EWF induces a write to (new subkey in Volume)

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\STORAGE

This new entry causes the BSOD.

I found this by comparing two folders SYSTEM (exported as *.reg files because only than they can be edited direct)
one working and the other direct after this BSOD with Beyond Compare 2 (wonderful tool).

So I reanimated a compi that, with EWF, always gives BSOD.

This type of BSOD happens through switching from EWF enabled (writeprotect) to EWF disabled.

If you enable EWF after from outside, it is too late, because this extra entry in

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\STORAGE\Volume

has been written. But you can give new live to your compi, deleting by hand this extra entry.
I noticed, that you cant delete the whole key STORAGE by importing it into another registry.
This is very strange to me. So you only can delete all values in the wrong key.

You have all permissions to do everything in any registry, if you build a minlogon macrocomponent from
Windows Embedded with component regedit.exe included, because this minlogon doesnt know anything
about any permissions...hihi.

Nice to hear from you
Dietmar

PS: This behavior of XP, Vista... is reproduceible.
You see BSOD and BSOD gone with my methode.
I think it happens, because a wrong geometry of the protected Volume is written there.

[Dietmar]

Hi all ,

very good news!

I converted my USB Vista back from FAT32 to NTFS.

For this, I convert my FAT32 partition with Partition Magic 8 to NTFS.
But while booting from USB appears the message: No ntldr found.
This is correct, because there isnt any ntldr anymore, but Partition Magic 8 does not know this .

So I use the Vista DVD and type there in commandline in D:\boot bootsect /nt60 C: /force
(this is for me the folder on the Vista DVD). A message says, that a new bootsector for NTFS is written.

But now follows the best:

The USB boottime for Vista to Desktop is now exact as from IDE harddisk!!!

When I said in my former post, that there is a bug in ntoskrnl.exe with usbstor.sys, then this
belongs only to booting on a FAT32 partition.

In this moment I am cloning this USB harddisk to my Buffalo stick.
I will tell you the exact boottime...hihi,


Dietmar

[Dietmar]

Hi caligula,

I do now understand, why you got this BSOD when setting the switch to write protect.

It is the fault of the NTFS filesystem...brrr.

Even with EWF enabled, NTFS wants always to write to the MBR, I have tested this.

Because EWF does NOT protect the MBR, this is on a normal IDE hardisk no problem.

NTFS simply writes its data to the MBR. But when you set the write protect switch, NTFS cant write anylonger
to the MBR. That gives you the seen BSOD.

Now I am looking, whether there is a switch in Registry, to say to NTFS, not to write to MBR.

If there is such a switch, your problem is solved.

Has anyone heard about such a switch for NTFS?

In all other cases you have to use FAT32.
I test, whether I can set the write protect switch on NTFS after boot to desktop. This works but is no good
solution.


Nice to hear from you

Dietmar

PS: The boottime for my Buffalo stick to Desktop with full Vista is 140 seconds.
The bootime for my IDE harddisk and also my WD160BB USB harddisk is each 135 seconds.
I make now a test with NTFS compressed ...hihi.

[Dietmar]

Hi all,

it seems, that there isnt a switch in registry to prevent NTFS to write to an USB device or harddisk or whatever. This means, that NTFS will kill your USB flash, even with the EWF filter enabled, but it may lasts
years.

So, the only idea that I have for NTFS is, to tweak the Write Protect flag in disk.sys driver and the "HDD" will become read only medium like CD.

Perhaps it is enough to achieve Fake

Fail IOCTL_DISK_IS_WRITABLE with STATUS_MEDIA_WRITE_PROTECTED

I have 1 week holydays. I dont know anybody, who succeeds with that. This is a nice task and not to
difficult, because you have the Source Code in the DDK. The same is with Vista.

I am right: 20 writes are done from NTFS to the USB stick even with EWF enabled...grr.
If the modified driver works, those writes have to go without BSOD.


But I am not sure, whether this will work. I booted XP from a DVD, but there is no NTFS filesystem
on that DVD.


Nice to hear from you
Dietmar

PS: When you compare the content of a USB harddisk simply connected as memory medium
to the same USB harddisk 1 minute later and you have done nothing with that USB HDD, with FAT32
you got no differences between them. But under NTFS there are thousands...

EDIT: Here are the differences for NTFS on a EWF protected USB stick

Überprüfung auf Unterschiede

1. Wechselmedium 3: 4.026.531.328 Bytes
2. C:\testbuff.dat: 4.026.531.328 Bytes
Offsets: dezimal

10944016: 2C A4
10944017: 26 4B
10944018: 00 01
10944060: 16 15
10944062: 02 17
10944064: 2A 22
10944066: 33 1F
10944080: 2E A6
10944081: 26 4B
10944082: 00 01
943474192: 31 A8
943474193: 26 4B
943474194: 00 01
943474236: 16 15
943474238: 02 17
943474240: 2A 22
943474242: 38 24
943474256: 5D D4
943474257: 26 4B
943474258: 00 01

20 Abweichung(en) gefunden.

I run it once more, yeahh this is reproducible

Überprüfung auf Unterschiede

1. Wechselmedium 3: 4.026.531.328 Bytes
2. C:\testbuff.dat: 4.026.531.328 Bytes
Offsets: dezimal

10944016: 4A A4
10944017: 2A 4B
10944018: 00 01
10944060: 16 15
10944062: 03 17
10944064: 00 22
10944066: 17 1F
10944080: 4C A6
10944081: 2A 4B
10944082: 00 01
943474192: 4E A8
943474193: 2A 4B
943474194: 00 01
943474236: 16 15
943474238: 03 17
943474240: 00 22
943474242: 1C 24
943474256: 7F D4
943474257: 2A 4B
943474258: 00 01

20 Abweichung(en) gefunden.

[elmin]

Hi everyone,


I know this have been asked a lot of times already, but then I am in need of it to try out on booting USB Win XP HD. Therefore, can someone email me the needed modified file ntdetect ?

Thanks,

My email address is wotlews@yahoo.com


@@ Elmin