Technical Note Creating a Windows PE Recovery CD

(1)

Technical Note

Creating a Windows PE

Recovery CD

(2)

(3)

Copyright

Information in this document, including URL and other Internet Web site references, is subject to change without notice. Unless otherwise noted, the example companies, organizations, products, domain names, e-mail addresses, logos, people, places, and events depicted herein are fictitious, and no association with any real company, organization, product, domain name, e-mail address, logo, person, place, or event is intended or should be inferred. Complying with all applicable copyright laws is the responsibility of the user.

CenterTools and DriveLock and others are either registered trademarks or trademarks of CenterTools GmbH or its subsidiaries in the United States and/or other countries.

(4)

0 Data Revocery Scenarios

Because of a hardware or software issue you can no longer start Windows on a computer where DriveLock Full Disk Encryption is installed. You need to access important files that are stored on the computer. There are two options for gaining access to the data in such a scenario:

Decrypt the entire disk using the “decdisk” decryption tool. After the disk has been decrypted you can use standard tools to repair Windows, recover inaccessible disk sectors or copy important data from the disk to a different location. This method generally takes a long time to complete.

To get access to data on the drive quickly, start the computer using a customized Windows PE recovery CD. After starting the computer from such a CD you can copy the encrypted data on the computer’s hard disk to a different location. Once you have recovered the critical data you can immediately continue to work with the recovered files on a different computer. You can then decrypt the disk at a later time using the more time-intensive “decdisk” tool and repair Windows. (For information about how to use the “decdisk” tool, refer to the DriveLock FDE manual.)

Note: The Windows PE DriveLock Plugin (available for FDE Version 5.6.0. SP1 and later) only works if DriveLock FDE was installed completely. If required system data on the hard disk is damaged or missing, you have to use the “decdisk” tool instead.

1 Creating a Windows PE Recovery

CD

You must create the recovery CD before an emergency occurs. You cannot create a recovery CD on the affected computer itself. Instead, you need to create the recovery CD on another computer that can run the Windows Automated Installation Kit.

Before creating a recovery CD, ensure that you have access to the following files and data:

- The files that are required to create a Windows PE recovery CD are contained in the file “C:\Program Files\CenterTools\DriveLock\DLFdePEPrep.zip” on any computer where the DriveLock Management Console is installed.

(6)

 6 - You need to have access to the affected computer’s disk recovery key. For information about how to generate the disk recovery key, refer to the chapter “Recovering Encrypted Drives” in the DriveLock FDE manual.

To create the recovery CD, perform the following steps:

1. Extract the contents of the file “DLFdePEPrep.zip“ to the folder C:\Temp\DLFdePEPrep

The folder contains a subfolder for each DriveLock FDE version. As you continue, ensure that you are using the correct folder for the version of DriveLock that is installed on the affected computer.

2. To create a Windows PE CD, install the Microsoft Windows Automated Installation Kit (WAIK) from Microsoft to create a Windows PE CD. You can find additional information about the AIK, including download instructions, on the following Web page:

http://www.microsoft.com/downloads/details.aspx?FamilyID=c7d4bc6d-15f3-4284-9123-679830d629f2&DisplayLang=en

Make sure to use WAIK from Windows Vista (Win PE 2.0). Do not use the WAIK for Windows 7 (Win PE 3.0).

3. Start a Windows PE-Tools command prompt window from Start\All Programs\Microsoft Windows AIK.

4. To create a Windows PE working folder, run the command copype.cmd x86 c:\temp\winpe_x86

5. To mount the Windows PE image that is included with the AIK so you can customize it, run the command imagex /apply c:\temp\winpe_x86\winpe.wim 1 C:\temp\winpe_x86\mount

6. To customize the image for CenterTools DriveLock FDE, run the following command: C:\Temp\DLFdePEPrep\peprep /prep /img c:\temp\winpe_x86\mount /pd

C:\Temp\DLFdePEPrep\version

(Where C:\Temp\DLFdePEPrep\version is the folder to which you extracted the contents of the file “DLFdePEPrep.zip“. Ensure that you specify the correct subfolder for the FDE version to be recovered.)

7. Copy the disk key (DKE file) for the affected computer to the folder “C:\temp\winpe_x86\mount\DriveLock“. (For information about the disk recovery key, refer to the DriveLock FDE manual.)

(If you will inject the driver for the computer’s network adapter into the image, as described in the next step, you can retrieve the disk recovery key from a network share instead. If you will retrieve recovery keys over the network you can skip this step and you will not need to create a unique recovery CD for each computer.)

(7)

 7 8. To access a network share from Windows PE and copy recovered data to it, Windows PE needs to load the driver for the network adapter of the affected computer. If Windows PE does not include the required driver, you need to “inject” the driver into the image. To inject a network driver, run the following command from the Windows PE command prompt:

peimg /inf=<path to NIC Driver INF file> c:\temp\winpe_x86\mount\Windows

9. To prepare the image for generating the CD, run the following command from the Windows PE command prompt:

peimg /prep /image=c:\temp\winpe_x86\mount

10. To create the required WIM image, run the following command from the Windows PE command prompt:

imagex /capture /boot /compress max "c:\temp\winpe_x86\mount" "c:\temp\winpe_x86\iso\sources\boot.wim" "My DLFDE PE Image"

11. To create an ISO image that can you can burn to a CD, run the following command from the Windows PE command prompt:

oscdimg -n c:\temp\winepe_x86\iso c:\temp\winpe_x86\ein_pe_image.iso -n –b“c:\temp\winpe_x86\etfsboot.com“

12. To create the CD, burn a CD from the image file c:\temp\winpe_x86\ein_pe_image.iso.

2 Using a Windows PE Recovery

CD

After starting the computer from the Windows PE CD you created, you need to inject the DKE recovery file to access encrypted data. To do this, perform the following steps:

1. Start the computer from the Windows PE recovery-CD.

2. Change to the folder X:\DriveLock und then run the following command: peprep.exe –inj recovery.dke

3. When prompted, type the password you specified when you generated the recovery key file and then press ENTER.

(8)

 8 Once the file has been injected, you can access data on the computer’s encrypted hard drive and copy files to a network share. To connect to a network share, use the “net use“ command (for example, net use z:

\\192.168.0.30\apps /user:domain\username).

Starting with DriveLock FDE 9.2.0 you can also copy data from the encrypted hard drive to USB-attached removable media. To enable USB support, at the command prompt, type the following commands:

cd \drivelock peprep.exe /usb

Once USB support has been enabled, you can access disk key files (dke) on a USB-connected removable drive. You also can also copy files from the encrypted hard drive to a removable drive.

To determine which drive letter is used by a removable drive, type the following command: