Friday, October 31, 2008

Security Tip - Windows PE

Good job on the new look for your blog, Suzanne.

A couple of weeks ago my sister-in-law brought me her PC that would no longer boot. These things get dumped on me from time to time with a request to recover all their documents, make it work, and tune it up so that it runs faster than it ever ran before. My sister-in-law is a sweetheart, so I figured I would have a go at it.

I started by trying a variety of the boot options provided through the F8 boot menu. Mostly the boots just ended at the same blank screen, but one presented the BSOD, otherwise known as the Blue Screen of Death. The BSOD is an error screen that happens so frequently on MS operating systems that it has its own acronym. The error message on my sister-in-law’s machine suggested some sort of video problem.

So I’m figuring the PC is dead, I’m going to have to do a fresh install of Windows XP and maybe replace the video card, but I want to save whatever I can from the disk so she can get her documents back. So I pull out the Windows PE disk.

The Windows PE disk is something I have just started using, but I can already see that it will be a common tool for a variety of tasks in managing a Microsoft environment. Have a look at www.windowspe.com or just search “Windows PE” to find out more. Windows PE (the Windows Preinstallation Environment) is a minimal Windows operating system on a CD. You put it in your CD drive, boot from it, and you have a Windows environment to work in, with the machine’s own disks accessible but none of the installed operating system running. It’s just a command line, but there is a lot you can do with that. Here is what I did with this troublesome PC.

I intended just to copy the entire contents of the hard drive to an external drive. I booted Windows PE to the command prompt, plugged in the external drive, and copied the entire hard drive successfully to a folder on the external drive. I was then free to do a fresh install on the PC’s hard drive because I had captured all my sister-in-law’s documents.

But my sister-in-law has kids, and there is a general principle known to people who manage PCs that PCs don’t work for very long in households with kids in them. So I plugged the external drive into my own PC and ran a virus and spyware scan on the folder of files copied from the offending PC. I found a couple dozen hits. I then went back to my sister-in-law’s PC and, using Windows PE, manually deleted all the couple dozen files that my scanner had identified as malware on the external drive. When I booted her PC off the hard drive again, after deleting those couple dozen files, the PC booted just fine. I then updated her virus scanner, installed and ran the Spybot spyware scanner, and presto she has her PC back.
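The copy-and-clean steps above, written up as a batch file to run from the Windows PE command prompt. This is an added example, not a script from the original post; the drive letters D: and E:, the folder names under E:\rescue, and the text file of scanner hits are assumptions, and the example path in the comments is constructed.

```batch
@echo off
setlocal EnableDelayedExpansion
rem rescue.cmd - added example for the procedure described above; not from the original post.
rem Run from the Windows PE command prompt. The drive letters are assumptions:
rem WinPE assigns its own letters, which often differ from the installed
rem system's, so check them first with
rem    diskpart  ->  list volume  ->  exit
rem Here the dead PC's Windows volume is assumed to be D: and the external drive E:.
set "SRC=D:"
set "DST=E:\rescue\pc1"
set "LOG=E:\rescue\pc1-copy.log"
set "HITS=E:\rescue\pc1-malware.txt"

if "%~1"=="copy"   goto :copy
if "%~1"=="delete" goto :delete
echo usage: rescue copy   - copy everything on %SRC% to %DST%
echo        rescue delete - delete the files listed in %HITS% from %SRC%
goto :eof

:copy
rem Nothing on the dead PC's disk is running under WinPE, so every file,
rem including ones the installed Windows would keep locked, can be read.
if not exist "%DST%" mkdir "%DST%"
rem /E subdirectories incl. empty   /H hidden and system files (profile data)
rem /C keep going past unreadable files   /K keep attributes   /Y no prompts
xcopy "%SRC%\*" "%DST%\" /E /H /C /K /Y > "%LOG%" 2>&1
echo copy finished, see %LOG% for any files that could not be read
goto :eof

:delete
rem %HITS% is a text file typed up from the scanner's report on the other PC,
rem one full path per line as the scanner saw it on the external drive, e.g.
rem    E:\rescue\pc1\WINDOWS\system32\example.dll      (constructed path)
rem Each path is mapped back to its location on the dead PC's disk, the
rem read-only/system/hidden attributes malware likes to set are cleared,
rem and the file is removed. The copy on E: is left untouched as the backup.
for /f "usebackq delims=" %%L in ("%HITS%") do (
    set "p=%%L"
    set "p=!p:%DST%=%SRC%!"
    if exist "!p!" (
        attrib -r -s -h "!p!"
        del /f /q "!p!"
        echo deleted !p!
    ) else (
        echo not found !p!
    )
)
goto :eof
```

Run `rescue copy` first, scan the folder on the external drive from another machine, put the flagged paths in the hits file, then run `rescue delete` back under Windows PE. Because the rescue copy sits in a subfolder rather than at the root of the external drive, no copied autorun.inf can fire when that drive is plugged into the scanning PC, and the copy stays intact as a fallback if the cleaned machine still refuses to boot.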

I have been doing some other things with the Windows PE disk as well. Most interesting is that the Windows PE disk has enabled me to stop using Ghost to image and deploy PCs. More on that later.

3 comments:

Dee Ann said...

Jim - This looks like an application I would LOVE to see you talk more about at Offline!

Blaine Fleming said...

If you want a GUI with a handful of tools and countless modules available I recommend using BartPE. In fact, I use a highly modified version of BartPE for our catalog computers that makes them relatively secure kiosks that just work.

Thomas Jones said...

Second on BartPE. You can load a CD with a barrage of anti-virus, malware removal, or backup tools of your choice. It's a more complicated build, but has some great features and is based on the WindowsPE structure.