Macrium Reflect WinPE - remove networking

Discussion in 'backup, imaging & disk mgmt' started by wild4sec, Mar 5, 2023.

  1. wild4sec

    wild4sec Registered Member

    Joined:
    Mar 5, 2023
    Posts:
    12
    Location:
    SA
    I want to remove the net capability from the Macrium Reflect bootable WinPE ISO, so that it can't reach any network, even with a cable plugged in.
    Does anyone have an idea on how to do it?

    What I tried so far:
    1. extract the iso
    2. mount the boot.wim with dism
    3. in the mounted folders, change ownership of Windows to Users (default is Trusted Installer)
    4. inside System32 and SysWOW64 deleted all files that start with net
    5. unmount commit boot.wim
    6. rebuild the iso

    The result is that the iso starts booting, but doesn't reach the recovery environment, the "wheel" just keeps spinning.
     
  2. wild4sec

    wild4sec Registered Member

    Joined:
    Mar 5, 2023
    Posts:
    12
    Location:
    SA
    I found this, which looks like it's exactly what I want, but I'm stuck. I edited the startnet.cmd and added the Unattend.xml, but it made no difference.

    I think the problem is that this boot.wim doesn't contain the 'Microsoft-Windows-Setup' component and I don't know how to add it. I know how to add these, but that component is not there.
     
  3. Raza0007

    Raza0007 Registered Member

    Joined:
    Mar 30, 2009
    Posts:
    1,680
    Location:
    USA
    I read your post and had some inputs that may be useful to you.

    First, I don't have a lot of experience with customizing WinPE or WinRE based recovery environments, so I might not be much help to you. Saying that I have noticed that whenever I build a WinRE based Macrium recovery environment, it always asks me if I want to add drivers for both my ethernet card and Wifi card to the build. I always select yes, but I was wondering if one selects no, most probably the network ability of the RE will not work.

    According to Microsoft, by default, networking is actually disabled in WinRE for security reasons and must be enabled before it can be used. See the attached link
    https://learn.microsoft.com/en-us/w...rence?view=windows-11#security-considerations

    I know this is about WinRE based Macrium RE, and your question was about WinPE based RE, but if the above resolves your issue, maybe you can switch to WinRE based Macrium recovery environment. I personally have not built a WinPE based Macrium RE in many years and I have not had a single issue.
     
  4. wild4sec

    wild4sec Registered Member

    Joined:
    Mar 5, 2023
    Posts:
    12
    Location:
    SA
    Thank you for the suggestion. Unfortunately the WinRE Macrium image also includes standard Windows network drivers and therefore networking works, even if you don't add those drivers when making a rescue image.
     
  5. aldist

    aldist Registered Member

    Joined:
    Nov 8, 2017
    Posts:
    1,103
    Location:
    Lunar module
    In boot.wim\Windows\System32\DriverStore\FileRepository\ you need to remove the folders netvf63a.inf_******** and rt640x64.inf_********, sometimes one of them is already missing. Use GImageX to mount boot.wim, delete folders with FAR.
    After deleting the folders unmount the wim and save the editing results. Return edited wim to iso and to real machine in C:\Boot\macrium\WA10KFiles\media\sources (MR WinPE integration in Windows boot menu).
    The result is always excellent, the network does not work. WinRE is much bigger, takes longer to boot, I did not see any advantages, so I use only WinPE.
     
  6. wild4sec

    wild4sec Registered Member

    Joined:
    Mar 5, 2023
    Posts:
    12
    Location:
    SA
    @aldist : Thanks for that and for showing where the driver files are located. However, just deleting those two folders doesn't work for me. The result is that the recovery ISO gets stuck on the loading screen. And if I press Esc a couple of times it boots successfully, but the networking is still there. Could it be because I'm doing it on Windows 11?

    What does work for me, is if I delete all of the Network drivers folders, as listed here by DISM++:
    dism++.png

    It's about 50 or so folders, quite a lot to do by hand. DISM++ should be able to delete them all in one go, but it throws an error ("No such interface supported") for some reason. NTLite can do it too, but not with the free version.

    If I delete those then it boots normally and there is no networking. I'll experiment a bit more and see if there's a faster way.
     
  7. aldist

    aldist Registered Member

    Joined:
    Nov 8, 2017
    Posts:
    1,103
    Location:
    Lunar module
    Maybe because Windows 11, I don't know. But those two folders do not affect WinPE booting. Try to find a way to determine which drivers belong to your physical network adapters and remove their folders. If you have two adapters, there should be two folders to uninstall, not 50.
    My editing is easy, in one go.
     
  8. wild4sec

    wild4sec Registered Member

    Joined:
    Mar 5, 2023
    Posts:
    12
    Location:
    SA
    Noted. But I would like to have a solution that works on every system, with any hardware. Ideally with just some core networking component to delete... if such a thing exists and it if doesn't break other things.
     
  9. aldist

    aldist Registered Member

    Joined:
    Nov 8, 2017
    Posts:
    1,103
    Location:
    Lunar module
    Your WinPE includes network drivers for your computer on which it was created. If they are removed, then there will be no network when you boot on any other computer, because there are no other network drivers running in WinPE.
    My understanding is this, maybe I'm wrong. I tested my flash drive on three computers, there was no network everywhere.
    But now you're on the right track, I'm sure you'll make it work. I would try editing your WinPE, but if there is any sensitive data on there, maybe a serial number, of course not.
    Keep us informed, please.
     
  10. aldist

    aldist Registered Member

    Joined:
    Nov 8, 2017
    Posts:
    1,103
    Location:
    Lunar module
    Took the iso WinPE11 created in Windows 11, removed the two folders mentioned above. The computer with the iso boots quickly, the network is no longer detected. Checking the modified iso on the Windows 10 computer, it boots fast, networking is also not working. We can assume that you are making a mistake in the editing process.
     
  11. wild4sec

    wild4sec Registered Member

    Joined:
    Mar 5, 2023
    Posts:
    12
    Location:
    SA
    I'll run some more tests later, but I don't think I made a mistake. I double checked your method of only deleting those two folders with both WinRE and WinPE in Macrium, both produced the same result.

    Just to avoid misunderstanding: the boot.wim that you're modifying is from the Macrium rescue media or from somewhere else? And when you're done editing it, you add it with Macrium's "Custom base WIM" feature or in some other way?

    I'm pretty sure that the boot.wim created by Macrium includes a bunch of generic network drivers, it's in those 50+ 'network adapter' entries in the DISM++ screenshot I posted earlier. They're probably the same drivers already included in Windows out of the box.
    But it's definitely possible that some other WinPE/WinRE sources don't include them or have networking disabled.
     
  12. wild4sec

    wild4sec Registered Member

    Joined:
    Mar 5, 2023
    Posts:
    12
    Location:
    SA
    Update: tested in a clean Windows 10 22H2 setup in a VM. Same result: deleting just those two folders doesn't kill networking and booting is erratic. I tried using WinRE and WinPE11 with Reflect Free 8.0.7279.
    Deleting all 50+ network drivers-folders works great, however. And I've noted them all and put them in a batch file, so deleting them is fast now. If anyone wants that batch file let me know.
    I think this (having to delete more drivers) is expected, unless we were talking about different WIM files all along.
     
  13. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    4,795
    Location:
    .
    Please do it here, I see no harm doing it publicly. TIA
     
  14. wild4sec

    wild4sec Registered Member

    Joined:
    Mar 5, 2023
    Posts:
    12
    Location:
    SA
    Sure. Just to recap: this file contains all 57 entries that I found using Reflect Free 8.0.7279 in W1022H2 and W1122H2, with WinRE and WinPE11. It's a list of the 'Network adapters > Microsoft' entries from DISM++ (see screenshot from a few posts ago). Depending on your WinRE/WinPE version, your WIM might be missing an entry or two, but that's okay. Wildcards were needed, because the folders are sometimes named differently after amd64_.

    Changing ownership and write permissions of the parent folder first is required (you can change it to Everyone). And there are other steps in the whole process, of course. But it can all be done without any third party software (besides Reflect).

    Let me know if you encounter any issues or something. This has not been extensively tested yet.
     

    Attached Files:

    Last edited: Mar 8, 2023
  15. aldist

    aldist Registered Member

    Joined:
    Nov 8, 2017
    Posts:
    1,103
    Location:
    Lunar module
    You created Macrium WinPE RescueMedia.iso and integrated MR into the Windows boot menu. Macrium boot.wim is in two places, inside the iso and in the path C:\Boot\macrium\WA10KFiles\media\sources, as I wrote above, these two boot.wim are exactly the same.
    Copy the boot.wim from this path to your desktop and edit.
    Copy the edited boot.wim with replacements to C:\Boot\macrium\WA10KFiles\media\sources and to iso. That's it, the network is disabled there and there.
    I described both options (iso and integration), but you can use only one of them, either one. There is no need to repeat the creation of the iso or repeat the integration.
     
  16. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    4,795
    Location:
    .
    While creating a TBWinPE (Terabyte Unlimited) I see these two folders though there are more net*****.inf_******** folders alongside.
    Why not delete these folders too?
     
  17. wild4sec

    wild4sec Registered Member

    Joined:
    Mar 5, 2023
    Posts:
    12
    Location:
    SA
    @aldist : All right, thanks. I wanted to make sure we're editing the same wim. So nothing new then.
    Well, I tested this stuff on another system. And here are the results:
    1. The initial boot process being kinda stuck (have to press Esc), when only those two folders are removed from the wim, doesn't happen on this system, like it does on the other. But I then noticed that on the other system it gets stuck even with the default wim. With all the 50+ entries removed it doesn't get stuck on either system.
    2. The NIC is still recognized with the two folders removed method, same as with the default wim. But it isn't recognized with the 50+ entries removed. By the way, it also isn't recognized with a slightly older W10 rescue ISO which I never modified at all.

    What I get from all this is that there are probably several variables involved in whether a rescue medium will see a NIC or not. I believe you when you say that deleting those two entries worked for you with your PCs. But it looks like it's safer to remove all those 50+ entries. And in the future, with Windows/PE/RE updates there will probably be new ones to remove...
     
  18. aldist

    aldist Registered Member

    Joined:
    Nov 8, 2017
    Posts:
    1,103
    Location:
    Lunar module
    NTLite easily removes all 50+ folders, but cannot remove user-installed network adapter drivers, they are grayed out. When booting from such a WinPE, the network remains functional. You need to click the Compatibility button and uncheck the "Host machine" checkbox, and the network will not work.
    compatibility_1.png
     
  19. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    4,795
    Location:
    .
    Just to let you know these lines in the batch file work in the creation of a TBWinPe too. Thanks.
     
  20. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    4,795
    Location:
    .
    @wild4sec or @aldist
    What you do to know when a nic adapter is recognized or not?
     
  21. aldist

    aldist Registered Member

    Joined:
    Nov 8, 2017
    Posts:
    1,103
    Location:
    Lunar module
    I'm not sure I understand the question correctly, are you asking how to tell if a network is available or unavailable? If the network is unavailable, the network icon at the bottom right will be gray, not blue. Additionally, from the command line, I run ping -t 8.8.8.8
    Added
    Using NTLite is a good way not only to remove network drivers, I liked it.
     
  22. wild4sec

    wild4sec Registered Member

    Joined:
    Mar 5, 2023
    Posts:
    12
    Location:
    SA
    Expanding on what aldist said... the easiest way is to just check the icon in the bottom right corner.
    If it's blue, there's an active connection (not necessarily to the internet).
    If it's gray, there is no connection, but a NIC could still be detected (for example, when the network cable is unplugged). If you click on it, it should show an empty list:
    winpe.png

    Another way is to enter these commands in the command prompt:
    netsh interface ipv4 show interfaces
    netsh interface ipv6 show interfaces

    Without the NICs, it should only list the Loopback Pseudo-Interface 1.

    And without network drivers, the PE starts faster.
    Booting from a flash drive I measured ~45 seconds without the drivers and ~55 seconds with them.
     
  23. aldist

    aldist Registered Member

    Joined:
    Nov 8, 2017
    Posts:
    1,103
    Location:
    Lunar module
    I usually remove the NetCfg.exe file from the boot.wim when removing network drivers, although this is not necessary.
     
  24. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    4,795
    Location:
    .
    LOL I asked a n00b question.
    Thing is I am removing network drivers to accomplish what it's discussed here but on a TBWinPE. These winpes lack of a gui as opposed to, I assume don't know for sure haven't tried before, Macrium Reflect winpes.
     
  25. aldist

    aldist Registered Member

    Joined:
    Nov 8, 2017
    Posts:
    1,103
    Location:
    Lunar module
    It was clear that you are using TeraByte WinPE. There is another way to boot with the network disconnected, is to use the unattend.xml "answer file".
     
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.