
Comments (9)

redstreet commented on May 28, 2024

Excellent - that was very helpful, and I'm all set up now. Thanks a ton again, @Jamesits!

For those in a similar situation (i.e., wanting to install Windows 10/11 fresh, and ensuring there is not even a single boot up where WPBT is accessible), I did what @Jamesits above does:

Step 1
create a UEFI bootable USB disk and put dropWPBT-loader.efi in it, which can be done from within Windows admin cmd prompt like so:

diskpart
list disk
select disk X          (X = the number of your USB drive as shown by "list disk")
clean
create part primary size=10
select partition 1
assign letter=N
format fs=fat32 quick
active
exit

Then, copy dropWPBT-loader.efi to the USB disk's \EFI\boot\bootx64.efi. That file is what UEFI boots from on a USB disk. dropWPBT-loader.efi is a bootloader. It boots, disables WPBT, and then looks for a Windows boot .efi anywhere on the system (including other drives), and transfers control to it. Congrats, you have a boot disk.

You will use this disk to boot into Windows until you modify your Windows EFS on your hard drive (as shown in the README.md). Do this every time Windows overwrites the EFS (initial installation and major upgrades). To do so, configure your BIOS to not boot to hard drive, but only boot via this USB disk. Alternatively, use your BIOS's one-time boot menu to boot from this disk until it's no longer needed.

Step 2
To perform a fresh W10 or W11 install: when the installer reboots for the first time, it will overwrite the BIOS NVRAM to boot off the hard drive. You'll have to catch this reboot, interrupt it, disable this in BIOS, and boot off your custom USB disk above. Once Windows boots up, open a cmd prompt, and follow the README.md in this repo to modify your Windows EFS to point to dropWPBT.efi first.


Jamesits commented on May 28, 2024
  1. Not possible at all; if you want a similar result try the registry key.
  2. Yes, either:
    a) sign dropWPBT-loader.efi yourself and add your certificate to the firmware's secure boot trusted certificate storage
    b) use a shim or similar program to load dropWPBT-loader.efi and enroll its hash

Notes:

  • dropWPBT does not implement secure boot explicitly in its code. What it can chain load depends on the firmware's implementation of LoadImage.
  • dropWPBT does not explicitly change the values of PCR banks, but a change in the boot path might still introduce PCR value differences.


redstreet commented on May 28, 2024

Terrific, thanks much, most appreciated!

BTW, this info is very helpful, and one idea to consider is to add the above as an FAQ section in the README.md.


Jamesits commented on May 28, 2024

Thank you for the suggestion, but I'd avoid documenting things about secure boot, because it is too hard to get right. Security is a systematic thing, not something you can achieve from words in various ad-hoc documentation. Making it boot with secure boot enabled is easy; making it actually align with secure boot's design goal is too complex and not something I'm currently capable of.

Closing as solved.


redstreet commented on May 28, 2024

Got it, that completely makes sense. And yes, closing this ticket is fine.

One other question, if it's an easy one to answer: I tried the utilities you mention (NirSoft, RWEverything) to find the WPBT executable(s) in the firmware. It's not obvious to me where in those utilities to go to find this info. Any pointers would be appreciated. This page (for Linux) seems to imply it's a single .exe.


Jamesits commented on May 28, 2024

For example, using RWEverything: First click Access menu -> ACPI Table

image

Then try to find the WPBT in the sub window:

image

The table is not an executable, it is a header plus a pointer to the memory area of an executable. Not sure if Linux sysfs will auto convert it to the corresponding memory area though.


redstreet commented on May 28, 2024

Very helpful, thanks much again!


redstreet commented on May 28, 2024

Hi, More questions :)

Hmm, I installed dropWPBT, but eventually, the software from the WPBT came back and got installed. I suspect because after I originally installed Windows 11 (dropWPBT works on W11, right?), the first two boot ups into it were done without dropWPBT. Does this sound right?

Is the idea to install dropWPBT before the first boot? If so, would that have to be done at some point when the Windows installer is running?

For context:

  • I had zero other software installed
  • I verified that indeed, my BIOS contains the WPBT section (thanks for the info above)
  • I erased the hard drive through an erase utility, and installed a fresh copy of Windows
  • I used a USB installation disk made via Microsoft's own tool (not my laptop vendor's tool)
    TL;DR: I've followed safe practices to ensure that the unwanted software didn't get installed in any other manner outside WPBT.


Jamesits commented on May 28, 2024

dropWPBT works for W8~W11.

There always exists the issue of the Windows installer (new install or major version upgrade) overwriting the EFI partition and boot order. Since dropWPBT itself is a standalone bootloader, you can treat it as dual-booting Linux and Windows, and there are a lot of instructions on how to keep Linux around during a major Windows upgrade.

image

I myself opt to use a different disk (a few MBs are required, so any USB drive will work) to store the primary EFI partition, where a bootloader (I use rEFInd, which is capable of loading multiple different OSes, but dropWPBT-loader should work too) is always installed, and the disk is read-only. Choose that bootloader disk as the primary boot device, and Windows overwriting its own EFI partition does not matter at all.

