Best Winpe Tools

[Yogprasad Moneta]

EveryWindows user should have access to at least one Windows system rescue disc. A Windows system rescue disc is a bootable recovery environment. The recovery environment usually has a bunch of handy tools you can use to fix Windows or at least diagnose the issue.

Lots of Windows rescue discs use a Linux environment. But there are also recovery discs that use the Windows Preinstallation Environment (PE) instead. A Windows PE rescue disc has a familiar working environment, excellent hardware support, and the software you need to fix your system.

Windows PE is a lightweight version of the Windows 10 operating system. You can use Windows PE to install, test, and repair a full installation of Windows 10. A Windows PE recovery disc will work with all Windows 10 versions: Home, Pro, Education, Enterprise, and so on.

The base Windows PE version supports all Windows applications, drivers, networking tools, disk partitioning and management, Computer Management tools, Hyper-V, and much more. The Windows PE-based recovery discs step this functionality up, adding in tons of free and open-source tools you can use to recover, restore, and analyze your ailing Windows 10 installation.

While Windows PE is a fully operating version of Windows 10, you cannot use it as your day-to-day operating system. Microsoft prevents the use of Windows PE as a regular operating system with an automatic restart after 72 hours of continuous use. Furthermore, "This period is not configurable." When a Windows PE recovery environment resets, any work or programs are permanently destroyed.

Hiren's BootCD is a legendary Windows rescue disc. It is an all-in-one bootable rescue disc packed with tools to help you recover from drive failures, malware, password recovery, account management, and much more.

The original Hiren's BootCD was a Linux environment. But it stopped receiving updates in 2012. However, Hiren's BootCD was revitalized as a Windows PE rescue disc in 2018. It features loads of open source and free recovery tools, all within a familiar Windows 10 environment. You can check out the full list of tools here.

Bob.Omb's Modified Win10PEx64 rescue disc is a modified Windows Preinstallation Environment. It has a lengthy list of recovery and analysis tools, including Malwarebytes Antimalware, EaseUS Data Recovery, FileZilla, Rufus, and more.

The official build name is "Gandalf's Windows 10PE x64 Redstone 5 Build 17763 Version 04-30-2019." Gandalf's Windows 10PE recovery disc features hundreds of tools you can use to rescue your system in times of need.

Among those programs are disk recovery tools, network analysis apps, hardware and software diagnostic tools, backup programs, malware and firewall apps, and more. Gandalf's recovery disc receives an update every few months, too, meaning most of the recovery apps and tools are running their latest versions.

Sergei Streclec's WinPE is a Russian-developed Windows PE-based rescue disc. WinPE has a decent range of recovery tools, network analysis apps, backup utilities, archive tools, password managers, and more.

The recovery disc name is a slight misnomer. Originally, recovery discs were exactly that: bootable LiveCDs. Nowadays, you can boot most Windows recovery discs from a USB flash drive. For example, you can boot all the Windows recovery discs on this list from a USB flash drive.

Check out the following list of ten bootable USB tools. My tool of choice is Rufus. Once you download the tool, follow the in-tool instructions to burn the ISO to your USB flash drive.

As ever, the best Windows rescue disc is the one that has the tool that fixes your problem. The Windows PE-based recovery discs here cover a similar range of recovery and analysis tools. If there is a specific tool you need, download the relevant recovery disc.

Most of the time, it is better to have a Windows PE-based recovery disc already copied to a USB flash drive. That way, when an issue does appear, you are ready to do battle. Remember, you don't have to stick to one.

In scenarios where recovery may be needed on encrypted drives, using a WinPE disk with the SEE encryption driver embedded is the preferred method.

This article will go over the steps needed to create a WinPE image to be able to do further troubleshooting of systems encrypted with Symantec Endpoint Encryption, including Recovery.

Important Note: When using Symantec Endpoint Encryption to create this WinPE iso, install the "Drive Encryption Only" installation package. Leave out the SEE Removable Media Encryption package with the installer so that only the Drive Encryption packages will be included. This will ensure the proper WinPE iso is created.

When an encrypted system fails to boot to the Windows operating system, recovery of data becomes the primary goal. Creating a customized Windows Preinstallation Environment (Windows PE) CD or UFD (USB flash drive) provides a bootable recovery tool that can be used for recovery purposes.

IMPORTANT TIP 1: Before attempting to fix the system, first attempt to authenticate the disk, and copy any needed data off. Attempting to modify the disk could cause irreversible damage to the filesystem so proceed with caution. If the data on the encrypted disk is important, we recommend first making a sector-by-sector, or 1:1 clone of the disk and work off of the copy. Attempt to copy the data off of the disk, rather than decrypt the drive as the first step. When in doubt, contact Symantec Encryption Support for further guidance.

IMPORTANT TIP 2: Once you have WinPE installed on your machine where you will be building the WinPE Disk, reach out to Symantec Encryption Support to obtain an Automatic WinPE Creation script.

Using this script will speed up the creation time for all your WinPE disks for any version you need to install. Mention this KB when contacting Support to obtain this very useful script.

*Before you create the Windows PE image, you must install Windows Assessment and Deployment Kit (ADK) for your Windows operating system.

*You must *also* make sure you download the WinPE Add-on for the ADK. If you do not, this process will not work.

*The purpose of this is for WinPE, so Symantec recommends Windows ADK for Windows 10 or later.

As a best practice, you must create the customized Windows PE for recovery immediately after installing the client software. A customized Windows PE CD or UFD is the only way to recover your data when you cannot start your operating system. The best practice is to create a Windows PE CD or UFD immediately after the recovery tools have been created. A Windows PE CD or UFD stores the recovery tools away from your system and proves to be an important resource for disaster recovery.

To learn how to create a customized Windows PE CD or UFD, refer to the following Symantec Endpoint Encryption: Technical Note for Recovering Encrypted Disks Using Windows Preinstallation Environment document versions:

Symantec Endpoint Encryption Drive Encryption Administrator Command Line does not generate a detailed log report of errors that occur during a Windows Preinstallation Environment operation. To enable Drive Encryption Administrator Command Line to generate detailed log reports, you must include the EEMALoggerDll.dll file to your Windows Preinstallation Environment. The EEMALoggerDll.dll file is available at the Symantec Endpoint Encryption Management Agent installation directory.

Overview

The Microsoft Windows Preinstallation Environment (PE) is widely used by IT professionals in Windows environments for installation tasks, deployment, maintenance, troubleshooting, diagnosis, recovery, and so on.

When an encrypted disk fails to start the Windows operating system, recovery of data becomes the primary goal. Creating a customized Windows PE CD or UFD (USB Flash Drive) provides a bootable recovery tool that can be used for rescue purposes

To create a bootable Windows PE CD or UFD, you must do the following:

Requirement 1: Download and install the "Visual C++ Redistributable for Visual Studio 2015" on the system you will be building WinPE.

Some of the DLLs in these steps rely on this package to execute properly.

If this step is skipped, the WinPE ISO can still be built, but none of the binaries will execute properly.

Requirement 2: Build the Symantec Endpoint Encryption Drive Encryption driver into WinPE for decrypting the hard disk.

Requirement 3: Build the Symantec Endpoint Encryption Drive Encryption tools into WinPE for authentication.

The steps below provides instructions for creating and using both 32-bit and 64-bit Windows Preinstallation Environment.

Customizing the Windows PE image

Ensure that you have copied the Windows PE image into the Windows folder, c:\winpe, and it is ready for customization.

To copy the Windows PE image into the Windows folder c:\winpe, run the following command:

Installing the Symantec Endpoint Encryption Drive Encryption tools

To install the Symantec Endpoint Encryption Drive Encryption tools run through the following steps:

From a computer running Drive Encryption, copy the following files and transfer them to the c:\eede folder on a computer installed with Windows ADK

Step 1: On the ADK installed computer, open the Deployment and Imaging Tools Environment command prompt.

To open the deployment tools command prompt, search for Deployment, right-click Deployment and Imaging Tools Environment, and then select Run as administrator.

For more information on creating a WinPE bootable USB flash drive, see the article "WinPE: Create USB Bootable drive" available on technet.microsoft.com.

At the time of this writing, the following article could be used:

-us/windows-hardware/manufacture/desktop/winpe-create-usb-bootable-drive?view=windows-11

This section includes 10 different scenarios to be able to use a WinPE image for recovery in various ways.

Review each of the below to determine which option may be best for you.

It's always best to attempt to unlock a disk and copy data off before attempting any other scenario.

Scenario 1: Recovering an encrypted disk using the administrator command line

Scenario 2: Unlocking an encrypted disk using the client administrator credentials

Scenario 3: Recovering the preboot screen

Scenario 4: Restoring the old MBR

Scenario 5: Decrypting an encrypted disk using the client administrator credentials

Scenario 6: Decrypting an encrypted disk using the Help Desk Recovery commands

Scenario 7: To decrypt an encrypted disk using Advanced Help Desk Recovery

Scenario 8: Recovering an encrypted disk using the Symantec Disk Recovery Utility

Scenario 9: Decrypting an encrypted disk using the client administrator authentication

Scenario 10: Decrypting an encrypted disk using Help Desk Recovery

3a8082e126