Fully unattended win7 x64 install with integrated (not injected) unsigned drivers...

Discussion in 'Windows 7' started by pOcHa, Oct 31, 2010.

  1. pOcHa

    pOcHa MDL Novice

    Oct 28, 2010
    21
    10
    0
    #1 pOcHa, Oct 31, 2010
    Last edited by a moderator: Apr 20, 2017
    ...I have a tested and working solution for RTM, but need help with SP1. Skip to the second post for disabling driver signing checks, and to the third for my question.

    First we integrate the drivers so that they can still be used manually or with the dpinst tool directly from the DVD, in 3 different ways (preferably the second):

    METHOD 1 (Vista/2008 without SP1 or SP2)

    DISM the boot-critical drivers (chipset, storage and LAN) into boot.wim (2nd index); they are passed along to Windows too.

    Injected drivers are automatically expanded within the image, and duplicates are made if there is more than one .inf file per folder (or an .inf contains multiple entries), so if you add too many of them the image may not fit back on a DVD/USB, or you can actually run out of RAM when booting from it.

    mount the image (it must be writable first):
    Dism /Mount-Wim /WimFile:C:\boot.wim /Index:2 /MountDir:C:\offline

    remove old drivers (skip if this is the first time):
    Dism /Image:C:\offline /Remove-Driver /Driver:OEM1.inf /Driver:OEM2.inf ... /Driver:OEM99.inf
    (however many third-party drivers there are in the C:\offline\Windows\Inf folder; you can't uninstall the default ones)

    inject all the drivers, including subfolders and unsigned ones:
    Dism /Image:C:\offline /Add-Driver /Driver:C:\D /Recurse /ForceUnsigned

    dismount the image (and then replace boot.wim in the sources folder):
    Dism /Unmount-Wim /MountDir:C:\offline /Commit

    create a $OEM$\$$\Inf\D folder INSIDE the sources folder and add all drivers there (dvd:\sources\$OEM$\$$\Inf\D). They get automatically copied to the C:\Windows\Inf\D folder after install.wim expands, but before Windows first boots (and it searches for drivers in the Inf folder on its own, including subfolders). Only the needed ones get copied to the Windows driver store, so you can safely delete the D folder in the dvd:\sources\$OEM$\$$\setup\scripts\setupcomplete.cmd batch.



    METHOD 2 (Vista/2008 with an integrated service pack, or 7 and 2008 R2):

    WinPE automatically searches the roots of all available drives for a $WinPEDriver$ folder (not $WinPEDriverS$), so copy the boot-critical drivers there (dvd:\$WinPEDriver$). They can be in subfolders too and are passed on to Windows.

    You can still run out of memory, because WinPE keeps its driver store on the RAM disk.

    If a driver fails to inject into boot.wim (as in the first method), setup will abort if you put it in the $WinPEDriver$ folder, so I suggest that you test all of them with DISM first (check C:\Windows\Logs\DISM\dism.log) and move the bad ones, together with the rest of the non-boot-critical ones, to the dvd:\sources\$OEM$\$$\Inf\D folder.

    WinPE supports MSZIP/LZX cabbed drivers, but if one fails, expand it first and then try again, and make sure you didn't remove any "unnecessary" files from it.



    METHOD 3 (takes too much time/space):

    In the answer file for the install.wim image, under Microsoft-Windows-Setup in the WinPE pass, just change UseConfigurationSet to true. Now you have a system variable %configsetroot% which always points to the drive containing autounattend.xml in its root (it doesn't necessarily need to be the install drive).

    Add %configsetroot%\your_drivers_path to Microsoft-Windows-PnpCustomizationWinPE as a device driver path, but mind the RAM as always.

    ALL the files from the %configsetroot% drive WILL be automatically copied to the C:\Windows\configsetroot folder, which can safely be deleted afterwards.



    Batch file to makecab (with best compression) all the usual driver files (just not *.exe, for manual install) left uncompressed in ALL subfolders under it. It deletes the originals and writes a log file too (but use WordPad, not Notepad).

    There must be NO spaces in folder names (files are OK); it's a bug in makecab.

    Code:
    @echo off
    rem run from the top of the driver tree; the log starts with a timestamp
    echo %date% %time% > MakeCab.log
    
    rem LZX with a 2 MB window (CompressionMemory=21); /L writes the .??_ file next to the source
    rem "&&" deletes the original only if makecab returned 0, so a failed compression keeps the file
    FOR /R %%i IN (*.bin;*.cpl;*.dat;*.dll;*.sys;*.vxd) DO MakeCab.exe /D CompressionType=LZX /D CompressionMemory=21 /L %%~dpi "%%i" >> MakeCab.log && DEL "%%i" /F /Q
    
    Batch file to expand all cabbed files in ALL subfolders under it, name them back to their original names and delete the temp archives. It writes a log too.

    Code:
    @echo off
    echo %date% %time% > Expand.log
    
    rem -r restores the original file name from the cab header; the .??_ archive is removed only on success
    FOR /R %%i IN (*.??_) DO Expand.exe -r "%%i" >> Expand.log && DEL "%%i" /F /Q
    
    The dpinst.ex_ file in some NVIDIA drivers is NOT cabbed but actually just renamed, and expand just renames it too, but not to its original name (so check the logs).
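    The "test every driver with DISM first" advice from METHOD 2, as an added example that is not part of the original post: a PowerShell script that mounts boot.wim index 2, injects the boot-critical packages one folder at a time, keeps the ones DISM accepts and moves the rejected ones aside so they never reach $WinPEDriver$, where a bad package aborts setup. Every path (C:\boot.wim, C:\D, C:\dvd\...) is an assumption; the dism.exe switches are the same ones used above.

```powershell
# Added example, not from the thread: test-inject each boot-critical package into the mounted
# boot.wim (index 2) one at a time so you learn which ones dism rejects *before* they abort setup
# from $WinPEDriver$. All paths are assumptions; run from an elevated prompt (PowerShell 2 is enough).
$Wim          = 'C:\boot.wim'                       # writable copy of dvd:\sources\boot.wim
$Mount        = 'C:\offline'
$BootCritical = 'C:\D\boot'                         # chipset / storage / LAN, one package per subfolder
$AllDrivers   = 'C:\D'                              # every package, boot-critical or not
$OemInf       = 'C:\dvd\sources\$OEM$\$$\Inf\D'     # becomes C:\Windows\Inf\D after install.wim expands
$Rejected     = 'C:\D-rejected'                     # packages dism refused; keep these out of $WinPEDriver$

New-Item -ItemType Directory -Force -Path $Mount, $OemInf, $Rejected | Out-Null

# every package goes to the $OEM$ tree regardless; post-setup PnP searches Windows\Inf recursively
Copy-Item -Path "$AllDrivers\*" -Destination $OemInf -Recurse -Force

& dism.exe /Mount-Wim "/WimFile:$Wim" /Index:2 "/MountDir:$Mount"
if ($LASTEXITCODE -ne 0) { throw "mount failed with exit code $LASTEXITCODE" }

try {
    # Where-Object/PSIsContainer instead of -Directory so this also runs on PowerShell 2 (Win7 default)
    $packages = Get-ChildItem -Path $BootCritical | Where-Object { $_.PSIsContainer }
    foreach ($pkg in $packages) {
        # /ForceUnsigned is what lets an unsigned x64 package into the image at all
        & dism.exe "/Image:$Mount" /Add-Driver "/Driver:$($pkg.FullName)" /Recurse /ForceUnsigned | Out-Null
        if ($LASTEXITCODE -eq 0) {
            Write-Host ("OK       {0}" -f $pkg.Name)
        } else {
            Write-Warning ("REJECTED {0} (exit {1}); see C:\Windows\Logs\DISM\dism.log" -f $pkg.Name, $LASTEXITCODE)
            Move-Item -Path $pkg.FullName -Destination $Rejected -Force
        }
    }
    # what actually landed: this is where the OEMn.inf names for a later /Remove-Driver come from
    & dism.exe "/Image:$Mount" /Get-Drivers
}
finally {
    # commit even if a package failed; the accepted ones are already staged in the image
    & dism.exe /Unmount-Wim "/MountDir:$Mount" /Commit
}
```

    Whatever is left in C:\D\boot after the run is safe to copy to dvd:\$WinPEDriver$; the contents of C:\D-rejected stay on the $OEM$\$$\Inf\D side only, where a failure just means the device is installed later (or not at all) instead of killing setup.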
     
  2. pOcHa

    pOcHa MDL Novice

    #2 pOcHa, Oct 31, 2010
    Last edited by a moderator: Apr 20, 2017
    (OP)
    Here is a fix for unsigned drivers in Win7 x64 RTM ONLY (it doesn't work in SP1 RC1; I didn't test RC0 and beta), so you don't have to use F8 on every startup anymore AND you don't get the test mode message on the desktop (without even patching user32.dll or its MUI).

    Code:
    fyyre.ivory-tower.de/projects/disable_pg_ds.rar
    All credits go to fyyre; just follow his instructions, or use one of my alternative methods below:

    1.) Don't run 1.bat, but manually copy ntoskrnl.exe and winload.exe from windows\system32 to the patch_temp folder (create it where you extracted the files), run 2.exe and 3.bat as normal and then the batch below (you skip the new F8 option this way).

    Code:
    SC.exe stop peauth
    SC.exe config peauth start= demand
    
    BCDEdit.exe /set {default} path \Windows\System32\osload.exe
    BCDEdit.exe /set {default} kernel ntkrnlmp.exe
    BCDEdit.exe /set {default} TESTSIGNING ON
    BCDEdit.exe /set {default} NOINTEGRITYCHECKS ON
    BCDEdit.exe /set {default} loadoptions DDISABLE_INTEGRITY_CHECKS
    
    2.) Do everything from above BUT don't run 3.bat; rename the patched files to their original names, and run this batch instead:

    Code:
    SC.exe stop peauth
    SC.exe config peauth start= demand
    
    BCDEdit.exe /set {default} TESTSIGNING ON
    BCDEdit.exe /set {default} NOINTEGRITYCHECKS ON
    BCDEdit.exe /set {default} loadoptions DDISABLE_INTEGRITY_CHECKS
    
    Now overwrite the original files with the patched ones from a dual boot, recovery console, live CD, USB boot... (when they are not in use).



    UNATTENDED INSTALL:

    Add the patched files from the second alternative to the dvd:\sources\$OEM$\$$\System32 folder (yes, they overwrite the originals).

    The boot store is automatically created during setup from the windows\system32\config\bcd-template file (no extension; it's a registry hive) inside install.wim (extract it with 7-Zip), and since the {default} entry doesn't exist there yet, you just edit its {globalsettings} so that all new entries (GUIDs, so you can't guess them) will inherit from that, and add it to the dvd:\sources\$OEM$\$$\system32\config folder:

    BCDEdit /store C:\BCD-template /set {globalsettings} TestSigning On
    BCDEdit /store C:\BCD-template /set {globalsettings} NoIntegrityChecks On
    BCDEdit /store C:\BCD-template /set {globalsettings} loadoptions DDisable_Integrity_Checks
    (I know the last command is not needed at all, and doesn't even work at that; it's just nostalgia.)

    The boot record must be changed prior to the first restart or Windows throws an unsigned security error for the patched winload.exe, so you can't even access F8 anymore. But in the WinPE pass it doesn't exist yet, and the offlineServicing pass doesn't support adding commands,
    so this is the only method, and we are going to do the same to the SYSTEM file (no extension; it's a registry hive too) in the same folder, because the PEAUTH service needs to be stopped before the first reboot as well, or you get a BSOD and setup hangs and CAN'T be continued.

    Extract it too, mount/open it as a "registry hive" (important) in any registry viewer/editor, go to ControlSet001/services/peauth and change "start" from 2 to 3 (hex or dec, never mind), do the same in ControlSet002, and now it's on manual (no need to disable it with 4). Save SYSTEM back as a "registry hive" (important) and put it together with BCD-Template in the same folder.

    P.S. You can also add an edited BCD file from an already installed Windows to the dvd:\sources\$OEM$\$1\Boot folder; just delete "Windows 7", "Windows Resume Application", "Windows Recovery Environment" and "Ramdisk Options" to avoid duplicate entries.



    TIP: If you don't want to end up with a 100 MB BitLocker partition (the boot store is then in C:\Boot), first create all the partitions you need in Windows setup, then delete the one you wish to be C: and just EXPAND the hidden partition and install Windows on it.

    I made a tutorial too on how to manually slipstream Win7 SP1 RC1 with DISM (not reverse integrate):
    Code:
    forums.mydigitallife.net/threads/22807-DVD-with-SP1-integrated-into-Windows-7?p=337159#post337159
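    The offline preparation of BCD-Template and SYSTEM described in the UNATTENDED INSTALL part above, as an added example that is not part of the original post: a PowerShell script that sets the two boot options on {globalsettings} with bcdedit /store, loads the extracted SYSTEM hive, sets PEAUTH to demand start (Start=3) in both control sets, reads the value back to confirm it took, and copies both hives into the $OEM$ tree. C:\oem-prep and C:\dvd are assumed paths; the loadoptions value is left out because the post itself says it does nothing. Note what these two BCD values mean before shipping an image built this way: with testsigning and nointegritychecks on, the loader accepts kernel-mode code that carries no valid signature, which is the whole point of the patch and also why such an image is not one to treat as trusted.

```powershell
# Added example, not from the thread: prepare the BCD-Template and SYSTEM hives that setup copies
# from $OEM$\$$\System32\config so the *first* boot already runs in test-signing mode with
# PEAUTH on demand start. Paths are assumptions; run elevated (PowerShell 2 is enough).
$Work   = 'C:\oem-prep'                                 # where BCD-Template and SYSTEM were extracted
$Bcd    = Join-Path $Work 'BCD-Template'
$Sys    = Join-Path $Work 'SYSTEM'
$Out    = 'C:\dvd\sources\$OEM$\$$\System32\config'      # setup overwrites the originals with these

# 1. boot store: the real loader entries are created later with GUIDs you cannot predict,
#    so set the options on {globalsettings}, which every new entry inherits from
foreach ($kv in @(@('testsigning', 'on'), @('nointegritychecks', 'on'))) {
    & bcdedit.exe /store $Bcd /set '{globalsettings}' $kv[0] $kv[1]
    if ($LASTEXITCODE -ne 0) { throw "bcdedit /set $($kv[0]) failed with exit code $LASTEXITCODE" }
}
& bcdedit.exe /store $Bcd /enum '{globalsettings}'        # shows both values now present

# 2. SYSTEM hive: PEAUTH must not auto-start on first boot (Start 2 = automatic, 3 = demand, 4 = disabled)
$HiveReg = 'HKLM\OfflineSys'                              # name for reg.exe
$HivePs  = 'HKLM:\OfflineSys'                             # same key for the PowerShell provider
& reg.exe load $HiveReg $Sys | Out-Null
if ($LASTEXITCODE -ne 0) { throw 'reg load failed (wrong path, or the hive is already loaded?)' }
try {
    foreach ($cs in 'ControlSet001', 'ControlSet002') {
        $psKey = "$HivePs\$cs\Services\PEAUTH"
        if (-not (Test-Path $psKey)) { Write-Host "$cs has no PEAUTH key, skipping"; continue }
        & reg.exe add "$HiveReg\$cs\Services\PEAUTH" /v Start /t REG_DWORD /d 3 /f | Out-Null
        # read back instead of trusting the exit code: a hive saved wrongly is a BSOD on first boot
        $start = (Get-ItemProperty -Path $psKey -Name Start).Start
        if ($start -ne 3) { throw "$cs\Services\PEAUTH Start is $start, expected 3" }
        Write-Host "$cs\Services\PEAUTH Start = $start"
    }
}
finally {
    [gc]::Collect()                                       # drop provider handles so the unload succeeds
    & reg.exe unload $HiveReg | Out-Null
    if ($LASTEXITCODE -ne 0) { Write-Warning 'reg unload failed; close any editor holding the hive and unload manually' }
}

# 3. stage both hives where setup expects them
New-Item -ItemType Directory -Force -Path $Out | Out-Null
Copy-Item -Path $Bcd, $Sys -Destination $Out -Force
```

    reg.exe writes straight into the loaded hive, so no "save as registry hive" step is needed; the unload is what flushes it to the SYSTEM file. If the unload reports the hive as in use, nothing has been lost, but the file must be unloaded cleanly before it is copied.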
     
  3. pOcHa

    pOcHa MDL Novice

    Now, I don't want to spam fyyre for a new patch (he's on Twitter if somebody else doesn't have a problem with that ;-), but on his site there is a very detailed step-by-step explanation of how he did it (which is beyond my scope), so maybe somebody more knowledgeable and experienced here can expand on it?

    But that is not my real question, of course. I used Microsoft's test certificate kit and made a batch to sign all the usual driver files in ALL subdirectories under it (the new signature is just added, not replaced, so already signed drivers with .cat files still pass verification - signtool.exe /c file.cat file.sys), with a log file too.

    All you need then is just the first bcdedit command from the batches in the previous post to put Windows in test signing mode, and a created .cer file for other computers (use ImportCert.bat from my attachment, or right click -> Install Certificate, but select "Trusted Root Certification Authorities" as the store for it).

    For an unattended install just do the same with BCD-Template from the last post (only the first bcdedit command), and sysprep an image with the test certificate installed.

    P.S. Now you have a working and, most importantly, completely legit workaround for driver signing enforcement - plus, the test certificate lasts 30 years, and paid ones are valid for only 1 year?! (Old drivers ARE unsigned.)

    What I really want to know is this: how ELSE can you import a .cer file into Windows before the first reboot during setup? Can you export it as a .reg file? Or inject it into the offline image in any other way, and does WinPE pass on its certs?

    (MakeCert.bat only once, ImportCert.bat once for that and every other computer, SignTool.bat to sign already EXPANDED usual driver files in all subdirectories under it - edit: removed the .bin and .dat extensions from signing)
     

    Attached Files:
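    The test-signing workflow this post describes, as an added example that is not part of the original post and not the attached MakeCert/SignTool/ImportCert batches: one PowerShell script that creates a self-signed code-signing certificate with a 30-year validity, signs every expanded driver binary under a tree, imports the certificate into the machine's Trusted Root store, and then does the offline variant the post asks about by exporting the registry key that the live import created and importing it into the SOFTWARE hive of a mounted install.wim. The WDK path, the tree path and the subject name are assumptions; the registry location is the one the LocalMachine Root store is backed by, but verify the result on a test image before relying on it.

```powershell
# Added example, not from the thread: makecert + signtool over a driver tree, then the certificate
# into Trusted Root, live (certutil) and offline (registry-backed store in a mounted SOFTWARE hive).
# Paths and names are assumptions; run elevated on a machine with the WDK 7.1 tools installed.
$Cn    = 'MDL Driver Test Cert'
$Cer   = 'C:\certs\drivertest.cer'
$Store = 'PrivateCertStore'                            # user store that keeps the private key
$Tree  = 'C:\D'                                        # EXPANDED driver packages (expand .??_ first)
$Sdk   = 'C:\WinDDK\7600.16385.1\bin\x86'              # makecert.exe / signtool.exe location (assumed)

New-Item -ItemType Directory -Force -Path (Split-Path $Cer) | Out-Null

# 1. self-signed (-r), exportable key (-pe), code-signing EKU, valid 2010-2040 (the "30 years")
& "$Sdk\makecert.exe" -r -pe -ss $Store -n "CN=$Cn" -eku 1.3.6.1.5.5.7.3.3 -b 01/01/2010 -e 01/01/2040 $Cer
if ($LASTEXITCODE -ne 0) { throw "makecert failed with exit code $LASTEXITCODE" }

# 2. sign the usual kernel-mode and package files; signing changes the file hash, so a package
#    that ships a vendor .cat needs its .cat re-signed too, which is why *.cat is in the list
$failed = @()
Get-ChildItem -Path $Tree -Recurse -Include '*.sys', '*.dll', '*.cpl', '*.cat' | ForEach-Object {
    & "$Sdk\signtool.exe" sign /v /s $Store /n $Cn $_.FullName | Out-Null
    if ($LASTEXITCODE -ne 0) { $failed += $_.FullName }
}
if ($failed.Count) { Write-Warning ("signtool failed on:`n" + ($failed -join "`n")) }

# 3a. live machine, Trusted Root Certification Authorities (what the ImportCert batch does)
& certutil.exe -addstore -f Root $Cer | Out-Null
if ($LASTEXITCODE -ne 0) { throw 'certutil -addstore Root failed' }

# 3b. offline image: LocalMachine\Root lives under SOFTWARE\Microsoft\SystemCertificates\ROOT,
#     keyed by SHA-1 thumbprint, so the key from 3a can be exported and imported into the image hive
$thumb   = (New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $Cer).Thumbprint
$liveKey = "HKLM\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\$thumb"
$regFile = 'C:\certs\drivertest.reg'
& reg.exe export $liveKey $regFile /y | Out-Null
if ($LASTEXITCODE -ne 0) { throw "no registry key for thumbprint $thumb; did the live import succeed?" }

$OfflineSoftware = 'C:\offline\Windows\System32\config\SOFTWARE'   # install.wim mounted at C:\offline
& reg.exe load HKLM\OfflineSw $OfflineSoftware | Out-Null
if ($LASTEXITCODE -ne 0) { throw 'reg load of the offline SOFTWARE hive failed' }
try {
    # rewrite the exported paths from the live hive root to the loaded one, then import
    (Get-Content $regFile) -replace [regex]::Escape('HKEY_LOCAL_MACHINE\SOFTWARE\'), 'HKEY_LOCAL_MACHINE\OfflineSw\' |
        Set-Content -Path $regFile -Encoding Unicode
    & reg.exe import $regFile | Out-Null
    if ($LASTEXITCODE -ne 0) { throw 'reg import into the offline hive failed' }
    $blob = (Get-ItemProperty -Path "HKLM:\OfflineSw\Microsoft\SystemCertificates\ROOT\Certificates\$thumb" -Name Blob).Blob
    Write-Host ("offline Root store now holds {0} ({1} bytes of certificate blob)" -f $thumb, $blob.Length)
}
finally {
    [gc]::Collect()
    & reg.exe unload HKLM\OfflineSw | Out-Null
}
```

    Only the public certificate travels into the image; the private key stays in the PrivateCertStore on the signing machine. A test-signed driver is accepted only while the loader runs with testsigning on, so the BCD-Template edit from the previous post and this certificate import belong together.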

  4. urie

    urie Moderator
    Staff Member

    May 21, 2007
    8,726
    3,094
    300
    pOcHa, as regards that:
    Bad move. I found that out ages ago: if using a DVD with Vista, it copies the whole sources folder to the system, adding extra GB that are not needed. Fair enough if using an Autounattend.xml file on, say, a USB thumb drive with only the drivers located there; only that is copied.
     
  5. pOcHa

    pOcHa MDL Novice

    #5 pOcHa, Nov 3, 2010
    Last edited: Nov 3, 2010
    (OP)
    I already implied that in the title AND also in the conclusion of the method, and using a drive other than the install one is suggested too, so I really do not see the point of your reply. Maybe I wasn't concise enough? Anyway, here is something I DID forget to mention about it:

    In %configsetroot%\your_drivers_path keep only the boot-critical drivers, and in %configsetroot%\your_OTHER_drivers_path all the rest.

    Now add %configsetroot%\your_OTHER_drivers_path to Microsoft-Windows-PnpCustomizationNonWinPE as a device driver path. Pay attention that Microsoft-Windows-PnpCustomizationWinPE goes in the WinPE pass and Microsoft-Windows-PnpCustomizationNonWinPE in the offlineServicing pass. Also, all drivers added to WinPE get reflected automatically to Windows too, so no need for duplicates...
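    The split the post above describes, as an added example that is not part of the original post: an autounattend.xml skeleton with UseConfigurationSet in the windowsPE pass, the boot-critical path in PnpCustomizationsWinPE (windowsPE pass) and the rest in PnpCustomizationsNonWinPE (offlineServicing pass). The two folder names under %configsetroot% are assumptions; the component names carry the "s" in "Customizations" because that is how the unattend schema spells them.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- Added example, not from the thread. Only the driver-related settings are shown. -->
<unattend xmlns="urn:schemas-microsoft-com:unattend">
  <settings pass="windowsPE">
    <component name="Microsoft-Windows-Setup" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS" xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
      <!-- makes %configsetroot% point at the drive whose root holds this file -->
      <UseConfigurationSet>true</UseConfigurationSet>
    </component>
    <!-- boot-critical only (chipset, storage, LAN): loaded by WinPE and reflected into the installed OS -->
    <component name="Microsoft-Windows-PnpCustomizationsWinPE" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS" xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
      <DriverPaths>
        <PathAndCredentials wcm:action="add" wcm:keyValue="1">
          <Path>%configsetroot%\Drivers\Boot</Path>
        </PathAndCredentials>
      </DriverPaths>
    </component>
  </settings>
  <settings pass="offlineServicing">
    <!-- everything else: staged into the offline install.wim before first boot, not kept in WinPE RAM -->
    <component name="Microsoft-Windows-PnpCustomizationsNonWinPE" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS" xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
      <DriverPaths>
        <PathAndCredentials wcm:action="add" wcm:keyValue="1">
          <Path>%configsetroot%\Drivers\Other</Path>
        </PathAndCredentials>
      </DriverPaths>
    </component>
  </settings>
</unattend>
```

    Keep the Boot folder small: WinPE expands every package under it into its RAM-disk driver store, while the Other folder only costs disk space in the offline image.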
     
  6. urie

    urie Moderator
    Staff Member

    #6 urie, Nov 3, 2010
    Last edited: Nov 3, 2010
    @pOcHa, all I was saying is that we tried the %configsetroot% method way back when Vista came out, when testing Autounattend.xml from DVD, or should I say trying to understand the new XML method over on MSFN, and noticed it copied the full sources folder :( Some members had not noticed this.
     
  7. pOcHa

    pOcHa MDL Novice

    Sorry, I was a little irritated that nobody had still posted anything helpful to me; that method is mentioned mostly for completeness' sake anyway...
     
  8. pOcHa

    pOcHa MDL Novice

    So... no one knows how to import a certificate into an offline image? At least a reason why it can't be done? Anything at all?
     
  9. tco1014

    tco1014 MDL Novice

    Dec 7, 2010
    5
    0
    0
    pOcHa,
    Do you think you could take a look at my answer file and see what is going on? I added the passes that you said to use (pnpcustomization) and my drivers still don't work. Can you help? Thanks for all the work you have done.
     
  10. tco1014

    tco1014 MDL Novice

    urie,
    Do you have some time to help me out? I am on a deadline and can't get my drivers to install on my machines when I image them.
     
  11. pOcHa

    pOcHa MDL Novice

    #11 pOcHa, Dec 7, 2010
    Last edited: Dec 7, 2010
    (OP)
    Are you the same guy from the DriverPacks forum? If so, first check if the Ghost image contains your drivers at all in the windows\system32\driverstore folder. There is a setting in unattend.xml which deletes all device drivers after the generalize pass (can't recall its name).

    BTW, do post your unattend.xml if you expect anyone to be able to see it (and be more specific/less vague if you want anyone to invest their time in helping you)...
     
  12. tco1014

    tco1014 MDL Novice

    Yes... I see your post from DriverPacks. Here is what you said:

    "forget everything from above and in the answer file for the install.wim image, under Microsoft-Windows-Setup in the WinPE pass, just set UseConfigurationSet to true - now you have a system variable %configsetroot% which always points to the drive containing autounattend.xml in its root (it doesn't need to be the install drive)

    add %configsetroot%\your_drivers_path to Microsoft-Windows-PnpCustomizationWinPE as a device driver path, and they are immediately available from the very start

    but know that ALL the files from the %configsetroot% drive WILL be automatically copied to the C:\Windows\configsetroot folder, which can safely be deleted afterwards"

    I did that... but I never used pnputil to add the drivers. Is that what is killing me right now?
     
  13. pOcHa

    pOcHa MDL Novice

    #13 pOcHa, Dec 7, 2010
    Last edited: Dec 7, 2010
    (OP)
    Only drivers for hardware found during setup are added to the driver store, so yes, you should have used pnputil afterwards. But if you didn't delete the windows\configsetroot folder, then use Ghost Explorer and just move it to the windows\inf folder inside the image; that's it... (or simply add it the same way if you did delete it).
     
  14. tco1014

    tco1014 MDL Novice

    Thanks for the quick reply. I actually still have my pre-sysprep image... so I reimaged my machine... ran the pnputil.exe command... installed a driver that I know isn't on another machine... took the image... and now it is imaging. I will update with success or failure. Thanks again for your help.
     
  15. tco1014

    tco1014 MDL Novice

    #15 tco1014, Dec 7, 2010
    Last edited: Dec 7, 2010
    OK... so I did the above... and now I am getting the "Windows could not parse or process the unattended answer file for pass [specialize]. The settings specified in the answer file cannot be applied. The error was detected while processing settings for component [Microsoft-Windows-Shell-Setup]" error. My post-sysprep image, which I took without using pnputil, installs, but I just don't have the driver.

    Here is my .xml info...
    <?xml version="1.0" encoding="utf-8"?>
    <unattend xmlns="urn:schemas-microsoft-com:unattend">
        <settings pass="specialize">
            <component name="Microsoft-Windows-Security-SPP-UX" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS" xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
                <SkipAutoActivation>true</SkipAutoActivation>
            </component>
            <component name="Microsoft-Windows-Shell-Setup" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS" xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
                <CopyProfile>true</CopyProfile>
                <TimeZone>Eastern Standard Time</TimeZone>
                <ShowWindowsLive>false</ShowWindowsLive>
                <RegisteredOrganization>Microsoft</RegisteredOrganization>
                <RegisteredOwner>AutoBVT</RegisteredOwner>
                <ComputerName>*PSO</ComputerName>
            </component>
            <component name="Microsoft-Windows-Deployment" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS" xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
                <RunSynchronous>
                    <RunSynchronousCommand wcm:action="add">
                        <Path>net user administrator /active:yes</Path>
                        <Order>1</Order>
                    </RunSynchronousCommand>
                </RunSynchronous>
            </component>
        </settings>
        <settings pass="oobeSystem">
            <component name="Microsoft-Windows-International-Core" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS" xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
                <InputLocale>en-us</InputLocale>
                <SystemLocale>en-us</SystemLocale>
                <UILanguage>en-us</UILanguage>
                <UserLocale>en-us</UserLocale>
            </component>
            <component name="Microsoft-Windows-Shell-Setup" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS" xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
                <Display>
                    <HorizontalResolution>1024</HorizontalResolution>
                    <VerticalResolution>768</VerticalResolution>
                </Display>
                <OOBE>
                    <HideEULAPage>true</HideEULAPage>
                    <NetworkLocation>Work</NetworkLocation>
                    <ProtectYourPC>1</ProtectYourPC>
                </OOBE>
                <RegisteredOrganization>PSO</RegisteredOrganization>
                <RegisteredOwner>PSO</RegisteredOwner>
                <UserAccounts>
                    <AdministratorPassword>
                        <Value>VwBpAG4AZAAwAHcAcwA5ADUAQQBkAG0AaQBuAGkAcwB0AHIAYQB0AG8AcgBQAGEAcwBzAHcAbwByAGQA</Value>
                        <PlainText>false</PlainText>
                    </AdministratorPassword>
                    <LocalAccounts>
                        <LocalAccount wcm:action="add">
                            <Password>
                                <Value>VwBpAG4AZAAwAHcAcwA5ADUAUABhAHMAcwB3AG8AcgBkAA==</Value>
                                <PlainText>false</PlainText>
                            </Password>
                            <DisplayName>Administrator</DisplayName>
                            <Name>Administrator</Name>
                            <Group>Administrators</Group>
                            <Description>Local Administrator</Description>
                        </LocalAccount>
                    </LocalAccounts>
                </UserAccounts>
                <TimeZone>Eastern Standard Time</TimeZone>
            </component>
        </settings>
        <settings pass="generalize">
            <component name="Microsoft-Windows-Security-SPP" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS" xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
                <SkipRearm>1</SkipRearm>
            </component>
        </settings>
        <settings pass="windowsPE">
            <component name="Microsoft-Windows-Setup" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS" xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
                <PageFile>
                    <Path>C:\Pagefile.sys</Path>
                    <Size>2048</Size>
                </PageFile>
                <UseConfigurationSet>true</UseConfigurationSet>
            </component>
        </settings>
        <settings pass="auditUser">
            <component name="Microsoft-Windows-Deployment" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS" xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
                <RunSynchronous>
                    <RunSynchronousCommand wcm:action="add">
                        <Path>powercfg -h on</Path>
                        <Order>2</Order>
                    </RunSynchronousCommand>
                    <RunSynchronousCommand wcm:action="add">
                        <Path>reg import c:\sysprep\pagefile.reg</Path>
                        <Order>1</Order>
                    </RunSynchronousCommand>
                </RunSynchronous>
            </component>
        </settings>
        <cpi:offlineImage cpi:source="catalog:D:/sources/install_windows 7 enterprise.clg" xmlns:cpi="urn:schemas-microsoft-com:cpi" />
    </unattend>