Kamil Gierach-Pacanek
CyberEthical.Me: Hacking for the Security Awareness

CyberEthical.Me: Hacking for the Security Awareness

How to modify the Windows Setup boot image

How to modify the Windows Setup boot image

How to apply changes to ISO file so you can have access to additional files in Windows Preinstallation Environment (WinPE)

Kamil Gierach-Pacanek
ยทSep 26, 2022ยท

3 min read

Subscribe to my newsletter and never miss my upcoming articles

Table of contents

  • Process summary
  • Phase 1
  • Phase 2
  • Phase 3
  • Verify
  • Additional readings

I'm using Windows 11 *.iso, so details can be different on other versions - overall idea should be the same. This is being done for years to older images.

Process summary

This is three-phase process.

  1. Extract ISO content.
  2. Modify boot.wim image.
  3. Build new bootable ISO containing the changes using external software (like ImgBurn.

โ„น It is important that we are creating the bootable media, as not any software can do that correctly.

Phase 1

  1. Prepare files you want to have access to during Windows installation process or note the files you want to change.
  2. Extract the content of the *.iso Windows bootable media (ex. using 7zip).

Phase 2

To modify the content of the environment you are booted to, you have to modify the sources\boot.wim file. This can be done using built-in Deployment Image Servicing and Management tool (dism). Read more about it here.

โ— Mounting images with DISM doesn't look like regular ISO mounting. It is more similar to Unix mounting style. You won't see additional drives, files are extracted to the directory, so it can be easy to forget about unmounting the image and start removing them by hand. Be careful then - some of the files will still be protected by the Windows, but when you accidently apply the changes later, you could break your WIM file.

  1. Prepare empty directory where you will mount the image from boot.wim file.
  2. Open command prompt with Administrator rights and list the available images in *.wim file. image.png

    Windows PE (WinPE) is Windows Preinstallation Environment. Read more here. You can think of this WIM file as a docker image with multiple layers. Here index 1 is the blank layer of WinPE and index 2 (or any last index) is the actual environment that is booted.

  3. Mount the file using dism with last index of image found in boot.wim. image.png
  4. Apply changes to the image. In my example I'm adding the REG file. image.png
  5. Commit changes to the boot.wim. image.png
  6. Close any folders and software that may be using the mounted location. Otherwise, unmounting fails (which is not a failure, you can still correctly apply changes and unmount WIM, see the screens). image.png image.png
  7. Now when you list available images from boot.wim you won't see another index, but you can see the difference in size. If you want to double check, you can mount the image once again, inspect the files and unmount.

Phase 3

  1. Start ImgBurn (or any other software able to create bootable media). image.png
  2. Ensure Build mode is active. Choose source files by adding folder from phase one. image.png image.png
  3. Now select destination (final ISO file). image.png
  4. Go to Advanced -> Bootable Disc settings and set the values as below. image.png
  5. Browse for the boot image (efi\microsoft\boot\efisys.bin) image.png
  6. Now everything is read, so you can press the big image on the bottom left of the window to start creating the image file.

โ„น During process ImgBurn will ask some questions - you can safely assume it is right and agree to changing some modes or adding labels to disc :).

image.png

Verify

  1. Mount the patched ISO in virtual machine (or just live machine).
  2. Boot into Windows Installer.
  3. Launch Windows Setup Command and verify the changes are applied. image.png

Additional readings

Did you find this article valuable?

Support Kamil Gierach-Pacanek by becoming a sponsor. Any amount is appreciated!

See recent sponsors |ย Learn more about Hashnode Sponsors
ย 
Share this