Changes behind installation settings?

Discussion in 'Windows 10' started by Wader8, Dec 11, 2016.

  1. Wader8

    Wader8 MDL Novice

    Sep 2, 2016

    I'm wondering if someone uncovered what exactly are the paths and files or registry keys that are being changed when the user is changing the OS customizations in the first use during the installation procedure, when not selecting "Use Express Settings".

    Currently I have an old HDD with one of the Win10 preview ISOs installed. But that doesn't help, I hoped I could do some kind of installation background diagnostic trace if possible.

    And I'm testing with VM now on Win7 with VirtualBox. And I can't see other than read/write events for the VDI file in Process Monitor running on the host machine, I'm not sure if the offset info could help me since I heard VDI files are less friendly to raw browsing.

    Or a program that can detect changes and point them out in a block of memory, like CheatEngine maybe?

    Or some remote debugging session, aren't at MS debugging their own OS, don't they have an ability to trace the whole PC via some serial link or something for pretty much anything including the installation process.

    The only other option is to go dig into the ISO directly and try to find where the installation part is, maybe some clues where that is located so it saves me some time?
  2. hydranix

    hydranix MDL Novice

    Apr 4, 2013
    During the initial setup you could always run a program which watches the registry and filesystem activity. The stage of setup you refer to is just a simple .exe running before your user account is set up and logged in to. It's called the "Out-Of-Box-Experience". Look for the "oobe.exe" process.

    Most of the settings configured in the oobe can be modified with group policy too IIRC.
  3. KNARZ

    KNARZ MDL Addicted

    Oct 9, 2012
    If I remember right, I tried it but the Procmon Session got terminated at some point, therefore my untested improved version how I would do it now.

    install to oobe
    shift f10
    copy procmon from somewhere to the system to systemdrive
    run procmon
    select "enable boot logging"
    close procmon
    (may take a snapshot)
    restart system
    do the oobe thing the one way and then the other way
    start procmon - save the log, compare and filter for RegSetValue stuff.
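
The compare step at the end of the procedure above can be scripted. This is an added example, not part of any post in the thread: it assumes each Procmon boot log was saved as CSV with the default columns, and the process name, registry paths and values in the sample data are constructed placeholders, not real OOBE keys.

```python
import csv
import io

# Constructed sample exports, one per OOBE run (express vs. custom settings).
# Paths under HKLM\SOFTWARE\Example are placeholders for illustration only.
EXPRESS_CSV = r'''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:00:01.0","example.exe","700","RegSetValue","HKLM\SOFTWARE\Example\SettingA","SUCCESS","Type: REG_DWORD, Length: 4, Data: 1"
"10:00:01.1","example.exe","700","RegQueryValue","HKLM\SOFTWARE\Example\SettingA","SUCCESS","Type: REG_DWORD, Length: 4, Data: 1"
"10:00:02.0","example.exe","700","RegSetValue","HKLM\SOFTWARE\Example\Noise","SUCCESS","Type: REG_DWORD, Length: 4, Data: 5"
"10:00:03.0","example.exe","700","RegSetValue","HKLM\SOFTWARE\Example\SettingC","SUCCESS","Type: REG_DWORD, Length: 4, Data: 1"
'''
CUSTOM_CSV = r'''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"11:00:01.0","example.exe","712","RegSetValue","HKLM\SOFTWARE\Example\SettingA","SUCCESS","Type: REG_DWORD, Length: 4, Data: 1"
"11:00:01.5","example.exe","712","RegSetValue","HKLM\SOFTWARE\Example\SettingA","SUCCESS","Type: REG_DWORD, Length: 4, Data: 0"
"11:00:02.0","example.exe","712","RegSetValue","HKLM\SOFTWARE\Example\Noise","SUCCESS","Type: REG_DWORD, Length: 4, Data: 5"
"11:00:03.0","example.exe","712","RegSetValue","HKLM\SOFTWARE\Example\SettingD","SUCCESS","Type: REG_DWORD, Length: 4, Data: 0"
"11:00:04.0","example.exe","712","RegSetValue","HKLM\SOFTWARE\Example\SettingE","ACCESS DENIED","Type: REG_DWORD, Length: 4, Data: 0"
'''

def last_writes(csv_text):
    """Map each registry value path to the Detail of its last successful RegSetValue."""
    writes = {}
    # Procmon CSV files start with a UTF-8 BOM; strip it so the first header matches.
    for row in csv.DictReader(io.StringIO(csv_text.lstrip("\ufeff"))):
        if row["Operation"] == "RegSetValue" and row["Result"] == "SUCCESS":
            # Rows are chronological, so a later write overwrites an earlier one.
            # Registry paths are case-insensitive, so normalise before comparing.
            writes[row["Path"].lower()] = row["Detail"]
    return writes

def diff_runs(run_a, run_b):
    """Return (changed, only_in_a, only_in_b) between two exported runs."""
    a, b = last_writes(run_a), last_writes(run_b)
    changed = {p: (a[p], b[p]) for p in a.keys() & b.keys() if a[p] != b[p]}
    return changed, sorted(a.keys() - b.keys()), sorted(b.keys() - a.keys())

if __name__ == "__main__":
    changed, only_express, only_custom = diff_runs(EXPRESS_CSV, CUSTOM_CSV)
    for path, (before, after) in sorted(changed.items()):
        print(f"DIFFERS  {path}\n  express: {before}\n  custom:  {after}")
    for path in only_express:
        print(f"EXPRESS ONLY  {path}")
    for path in only_custom:
        print(f"CUSTOM ONLY   {path}")
```

Values written identically in both runs drop out of the result, which removes most background noise from the boot log.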