NOTE - there are currently two different Mini-WinFE project branches/repositories on GitHub. Some of the features/applications documented in this page may not be present in both branches.
main Branch - forensic focus. A number of applications and settings that could potentially perform disk writes have been removed.
WinPE Branch - includes more applications and options - use with caution as it is possible to use settings that will not write protect disks.
The Mini-WinFE project scripts can currently be divided into seven distinct sections -
A number of configurable options are contained in the main project file. The screenshots below display these options (clicking on the HELP button from within the project displays information about what the individual options do) -
Core Scripts
Please note that only two of the scripts in this section are actually visible to the end user in the PEBakery User Interface - the remainder are hidden from view in an effort to declutter the interface.
Core Files - This script cannot be disabled. Most of the work is carried out in this script, including error checks, file checks, verifying source language/build/processor architecture, and copying and extracting the required files from the selected source. Path - Projects > WinFE > Core > A_core.script
Browse for Folder - used to add Browse for Folder dialog support. This script is hidden and is executed by other scripts to ensure that Browse for Folder support is added as required for individual applications. Path - Projects > WinFE > Core > Browse.For.Folder.script
Common Commands - this script is hidden and is executed by other scripts as required. Supported commands include directory delete (following an error) and creating Start menu shortcuts. Path - Projects > WinFE > Core > common.script
Tweaks - includes a range of tweaks. Click on the ? buttons for information about the available options.
Path - Projects > WinFE > Core > D_Tweaks.script
SysWOW64 - this script is hidden. It contains registry settings required for WoW64 support. Path - Projects > WinFE > Core > syswow64.script
Verification Checks - this script is hidden and is executed by other program scripts for a range of checks including identification of source files. Path - Projects > WinFE > Core > verify.script
Shell Scripts
Shell - select a shell. Current options are WinXShell, bblean, CMD and LaunchBar. The shell script is context sensitive and different options will be visible depending on the selected shell. Click on the HELP buttons for information about the available options. Select a shell using the available tabs. The displayed/selected shell will be used in the build.
Path - Projects > WinFE > Shell > B_shell.script
WinXShell shell options -
LaunchBar shell options -
Default Filemanager - set the default FileExplorer. Either 7-zip, Explorer++, Q-Dir or JustManager can be selected. Path - Projects > WinFE > Shell > D_filemanager.script
Settings Scripts
Network - this script can be enabled without selecting any of the script options to give different results -
No options selected - will add a batch file + a menu entry to run it. The batch file runs the command "wpeutil InitializeNetwork" - this will initialize network components and drivers, and set the computer name to a randomly chosen value. Running the InitializeNetwork command can cause an unnecessary delay when WinPE boots - adding it as a menu option ensures that the network can be started if required.
Option(s) selected - selecting any combination of script options will add unattend.xml to the build, with a menu entry added to winpeshl.ini to automatically run wpeinit. This will initialize the network during the boot process. This is useful if an application requires network access - e.g. TightVNC Server.
BootSect - tool used to add NTLDR or BOOTMGR code to a Volume Boot Record. This script adds a batch file to the build as the required program is already included. The batch can be executed by right-clicking on a drive in Explorer.
CMD Here - Start a command prompt from the right-click context menu.
Keyboard Layout - change the keyboard layout in WinPE whilst it's running. Uses the wpeutil tool that is already included in the build.
ScreenRes - This will add a menu option for changing the screen resolution. No external programs are used, however a number of xml files are added - this option simply starts a batch file that will run the wpeinit command to change the screen resolution to a value set in the included xml files. A number of screen resolutions are available in the batch file.
Wallpaper - select a custom wallpaper. A project wallpaper can be used. Does not work if LaunchBar or CMD is selected as the shell. Path - Projects > WinFE > Settings > wallpaper.script
Applications Scripts
The following lists all of the program/application scripts that are included in the Mini-WinFE project download.
LaunchBar - a program launcher created by Peter Lerup. "...LaunchBar is a small Windows freeware program that mimics the behavior of the dockable QuickLaunch toolbar that was available in all Windows versions before Windows 7...". Please refer to the LaunchBar website (see here) for more information.
If LaunchBar is enabled, an option to add shortcuts to the LaunchBar menu can be selected in application scripts. Screenshot of LaunchBar running -
Included in download - YES
Processor Architecture - x86 and x64
Add Custom Batch and run at Start-up - add a custom batch file to the build. Edit the custom batch file via a button embedded in the script.
Included in download - N/A
Processor Architecture - N/A
Add Custom Folders\Files - select a directory and its contents will be added to the build.
Included in download - N/A
Processor Architecture - N/A
7-Zip (version 19.00) - File archiver. Used to extract contents from .zip/.7z/.iso/.wim files and numerous other file types. Can also create .zip and .7z files. Right click a file in explorer to access menu options for extracting from or creating files. 7-zip website
Included in download - YES
Processor Architecture - x86 and x64
AccessGain (version 1.1) - Used to bypass file system security checks in order to access folders protected by NTFS security permissions or by 3rd-party software. Right click on a drive in the included File Manager to access the options. This is really useful if you can't delete a file/folder due to restricted security permissions.
Included in download - YES
Processor Architecture - x86 and x64
BOOTICE (version 1.3.3) - "BOOTICE is a boot-related maintenance gadget that is primarily used to install, repair, backup, and restore MBR or partition PBR of disks (images); edit Windows boot configuration files BCD; manage UEFI boot entries; and VHD/VHDX file management. In addition, there are disk sector editing, disk filling..."
Included in download - YES
Processor Architecture - x86 and x64
CloneDisk (version 2.3.6) - backup/restore to/from an image file or clone a disk to another. Additional features are also supported - refer to the CloneDisk website for more information.
Included in download - YES
Processor Architecture - x86 and x64
Disk Management - Disk management console (diskmgmt.msc). Not working in WinPE 2.* (Vista sources). This will add an option to install diskmgmt.msc on demand. Credit to IcemanND on the msfn forum - see here.
Included in download - N/A
Processor Architecture - x86 and x64
DMDE (Version 4.0.0.800) - "...is a powerful software for data searching, editing, and recovery on disks. It may recover directory structure and files in some complicated cases through the use of special algorithms when other software can't help....DMDE has a number of freeware features such as disk editor, simple partition manager (e.g. allows undelete a partition), a tool to create disk images and clones, RAID constructor, file recovery from the current panel....DMDE supports FAT12/16, FAT32, NTFS, Ext2/3/4..." The Free Edition is included in the download - please refer to the License Agreement - here. DMDE website
Included in download - YES
Processor Architecture - x86 and x64
Explorer++ (version 1.3.5) - file manager with multiple pane and tab support. Explorer++ website
Included in download - YES
Processor Architecture - x86 and x64
Forensic Acquisition Utilities (FAU) - "...a collection of utilities and libraries intended for forensic or forensic-related investigative use...". Includes a dd utility for imaging systems. Combined with NetCat (also included) it can image systems over a network. FAU is the property of GMG Systems, Inc. and is being reproduced with the kind permission of the author. GMG Systems, Inc. Please refer to the FAU End User License Agreement - here.
Included in download - YES
Processor Architecture - x86 and x64
Free Shooter (Version 2.0.7) - "...tool for taking screenshots without bloatware features, simple as life, light as air....". Capture fullscreen, active window, or a selected area of the screen. Screenshots can be saved in BMP, JPG, TIFF, PNG and GIF formats. Free Shooter website
Included in download - YES
Processor Architecture - x86 and x64
FTK Imager Lite - Create a physical or logical image of any drive. This program can create an image using the raw, SMART or E01 formats. FTK Imager website
Included in download - NO
Processor Architecture - x86 and x64
HWiNFO (Version 7.24.4770.0) - system diagnostic tool that can be used to check hardware. HWiNFO website
Included in download - YES
Processor Architecture - x86 and x64
HxD (version 2.5.0.0) - "...HxD is a carefully designed and fast hex editor which, additionally to raw disk editing and modifying of main memory (RAM), handles files of any size....". HxD website
Included in download - YES
Processor Architecture - x86 and x64
ImDisk (version 2.0.10) - ImDisk is a virtual disk driver for Windows. It can create virtual hard disk, floppy or CD/DVD drives using image files or system memory. Right click on supported image types (e.g. .iso files) to mount them as virtual drives. Can also be used to create disc images of real drives. ImDisk website
Included in download - YES
Processor Architecture - x86 and x64
IrfanView (version 4.51.0.0) - "...IrfanView is a fast, compact and innovative FREEWARE (for non-commercial use) graphic viewer for Windows XP, Vista, 7, 8 and 10...". IrfanView website
Included in download - YES
Processor Architecture - x86 and x64
JkDefrag (Version 3.66) - command-line disk and file defragmentation tool. A batch file with several options can be executed from the right-click context menu. JkDefrag website
Included in download - YES
Processor Architecture - x86 and x64
JustManager (Version 0.1 Alpha 54) - file manager with multiple pane and tab support. JustManager website
Included in download - YES
Processor Architecture - x86 and x64
NT Password Editor (version 0.7) - This program can be used to edit passwords on Windows NT based systems (Windows 2000, XP, Vista, 7, 8). Can be used to reset forgotten passwords and allow access to locked user accounts - it can only change or remove passwords for local system accounts. This program can NOT decrypt passwords or change domain and Active Directory passwords. NT Password Edit website
Included in download - YES
Processor Architecture - x86 and x64
Opera - Web Browser. Opera USB Version 12.18 is included in the download. OperaUSB website
Product Key Scanner (version 1.01) - "...Product Key Scanner is a tool that scans the Registry of Windows Operating system and finds the product keys of Windows and other Microsoft products. You can scan the Registry of your current running system, as well as you can scan the Registry from external hard drive plugged to your computer....". Product Key Scanner website
Included in download - YES
Processor Architecture - x86 and x64
Q-Dir - Quad explorer file manager with multiple pane and tab support. Q-Dir website
Included in download - YES
Processor Architecture - x86 and x64
sDelete - Secure delete application. "...SDelete is a command line utility that takes a number of options. In any given use, it allows you to delete one or more files and/or directories, or to cleanse the free space on a logical disk...". sDelete website
Included in download - NO
Processor Architecture - x86 and x64
Drive Snapshot - partition backup tool. Can be used to backup and restore an operating system. This utility is not included in the download, however the script will automatically attempt to download a time limited trial version. If you have a licensed copy then copy it to the "/Project/Cache/Programs/SnapShot" folder. Drive Snapshot website
SwiftSearch (version 7.5.1) - "...SwiftSearch is a lightweight program whose purpose is to help you quickly find the files you need on your Windows machine without ever requiring you to index your drives. Most search utilities that achieve similar speeds do so by indexing drives while the computer is idle, but because idleness detection is so difficult to get right, in practice they end up slowing down the whole system just to speed up search. SwiftSearch works differently: given administrator privileges, it completely bypasses the file system (only NTFS supported) and reads the file table directly every time, which speeds up search by many orders of magnitude....". SwiftSearch website
Included in download - YES
Processor Architecture - x86 and x64
TightVNC Server (Version 2.8.8.0) - VNC server application. Boot WinPE and create a Remote Desktop - accessing the WinPE system from a VNC client application. Includes an option to run at boot - this is useful if booting WinPE on a remote/headless system. TightVNC website
Included in download - YES
Processor Architecture - x86 and x64
TinyHexer (version 1.7) - Tiny hexer is a hex editor for binary files. It will also allow access and editing of disk sectors.
Included in download - YES
Processor Architecture - x86 only
wimlib - "...wimlib is an open source, cross-platform library for creating, extracting, and modifying Windows Imaging (WIM) archives. WIM is a file archiving format, somewhat comparable to ZIP (and many other file archiving formats); but unlike ZIP, it allows storing various Windows-specific metadata, allows storing multiple "images" in a single archive, automatically deduplicates all file contents, and supports optional solid compression to get a better compression ratio. wimlib and its command-line frontend wimlib-imagex provide a free and cross-platform alternative to Microsoft's WIMGAPI, ImageX, and DISM....". wimlib website
Included in download - YES
Processor Architecture - x86 and x64
WinHex - versatile Hex editor. In addition to the common hex editor functions, this software can be used for computer forensics, data recovery, system imaging and restore and disk editing. WinHex website
Included in download - NO
Processor Architecture - x86 and x64
X-Ways Forensic - X-Ways Forensics is an advanced work environment for computer forensic examiners. X-Ways website
Included in download - NO
Processor Architecture - x86 and x64
Finalise
Subst - add a batch file to locate the boot media (via a unique tag file created during the boot process) and use the subst.exe utility to assign a virtual drive letter. This is useful if using custom scripts/utilities/shortcuts with a hardcoded path.
Path - Projects > WinFE > Finalise > Subst.script
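The approach the Subst script describes, as an added batch example that is not the Mini-WinFE project's own file. The tag file name `\EXAMPLE.TAG` and the virtual drive letter `Y:` are hypothetical placeholders.

```bat
@echo off
rem Added example - not the batch file shipped with Mini-WinFE.
rem TAGFILE and VDRIVE are hypothetical values chosen for illustration.
setlocal EnableExtensions
set "TAGFILE=\EXAMPLE.TAG"
set "VDRIVE=Y:"

rem Stop if the virtual drive letter is already assigned to something.
if exist "%VDRIVE%\" (
    echo %VDRIVE% is already in use - choose another letter.
    exit /b 2
)

rem Look for the tag file in the root of each candidate drive letter.
rem X: is skipped because WinPE uses it for its own system volume,
rem and Y: is skipped because it is the letter being assigned.
for %%D in (C D E F G H I J K L M N O P Q R S T U V W Z) do (
    if exist "%%D:%TAGFILE%" (
        rem Map the root of the boot media to the fixed letter.
        subst %VDRIVE% %%D:\
        if errorlevel 1 (
            echo subst failed for %%D:
            exit /b 1
        )
        echo Boot media found on %%D: and mapped to %VDRIVE%
        exit /b 0
    )
)

echo Tag file %TAGFILE% was not found on any drive.
exit /b 3
```

Scripts and shortcuts can then use paths under `Y:\` regardless of which letter the boot media received. The mapping is removed with `subst Y: /d`.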
WinFE - Add the registry settings required to create a Windows Forensic Environment. Erwan Labalec's DiskMgr or Colin Ramsden's Protect.exe (Write Protect Tool) will be added to the build - this provides a User Interface for toggling disk attributes.
Path - Projects > WinFE > Finalise > winfe.script
Shell - Finalise - This script cannot be disabled. Menu entries are configured via this script, winpeshl.ini is created, and files are injected to boot.wim. Path - Projects > WinFE > Finalise > xxxShell.script
Drivers
Only one script is included in this section -
Drivers - Use this script to integrate drivers to the build. Get WAIK Tools is used to download DISM. There are two options in the script -
EXTRACT - the contents of the image selected in boot.wim will be fully extracted and DISM will be used to inject the drivers to the offline image. If this method is selected then setting option 4 in the main project script (METHOD) as EXTRACT is recommended - this will fully extract boot.wim early in the build process.
MOUNT - DISM will be used to mount the image selected in boot.wim > inject drivers to the mounted image > unmount the image.
(NOTE - the MOUNT option has been temporarily removed)
The script in this section can either be selected during the build process, or can be executed independently afterwards - as long as the build completed successfully. Files in the %BaseDir%\WinFE.Files\ISO.ROOT\ directory (where %BaseDir% refers to the directory from which PEBakeryLauncher.exe is running) are added to the .iso file.
Create ISO - this script includes a number of options, the default settings will create a RAM bootable ISO file using MKISOFS - for use on BIOS and UEFI based systems. It's also possible to create a Flat Boot WinPE (WinPE 2.x/3.x only) or even a multiboot ISO file with options for RAM Boot and Flat Boot - bootable on UEFI and BIOS based systems.
To execute the Create ISO script following a build, simply select the script in the directory tree and click on the Run Script button.
PEBakery screenshot (the Run Script button is located to the right of the title bar) -
WinBuilder screenshot (the Run Script button is located to the right of the script icon bar) -
PostConfig
The scripts in this section cannot be executed during the build process and are designed for post processing.
Advanced Options - Can be used to mount/unmount the registry hives created when the WinFE project has finished the build process. This script can also be used to inject (add) additional files to boot.wim and carry out some additional tasks.
Add Package - Use this script to add a Mini-WinFE compatible Package to the project (refer to the Packages section for more information) -
Applications not included in the project download
The majority of applications currently supported in Mini-WinFE are included in the project download. The exceptions are -
FTK Imager
sDelete
Drive Snapshot
WinHex
X-Ways Forensic
sDelete - EULA prevents redistribution with the project. This application will be downloaded automatically if selected during the build process and added to a local file cache.
Drive SnapShot - evaluation versions can be downloaded to a local file cache prior to building Mini-WinFE by running "Download automatically (RECOMMENDED)". Alternatively, the application can be added by browsing to the file using the folder button in the "PATH to 32-bit" and "PATH to 64-bit" section and then selecting ADD TO CACHE. Adding the application using the ADD TO CACHE option is covered in more detail in the FTK Imager section below.
FTK Imager - The FTK Imager licence prevents redistribution. FTK Imager files will need to be copied from a local source/installation. The application can be added by browsing to the executable file using the folder button in the "PATH to 32-bit" and "PATH to 64-bit" section and browsing/selecting FTK Imager.exe. Do not try to add the installer, the target is FTK Imager.exe extracted from the installer.
Click on the folder icon -
Browse to the executable -
Click on the ADD TO CACHE button -
WinHex - The licence prevents redistribution. An evaluation version can be downloaded by clicking on the Download Evaluation version automatically > ADD TO CACHE button. Alternatively, the application can be added by browsing to the executable file(s) using the folder button in the "PATH to 32-bit" and "PATH to 64-bit" section(s) and browsing/selecting the relevant file (WinHex.exe/WinHex64.exe). Adding the application using the ADD TO CACHE option is covered in more detail in the FTK Imager section above.
X-Ways Forensic - The licence prevents redistribution. The application can be added by browsing to the executable file(s) using the folder button in the "PATH to 32-bit" and "PATH to 64-bit" section(s) and browsing/selecting the relevant file (xwforensics.exe/xwforensics64.exe). Adding the application using the ADD TO CACHE option is covered in more detail in the FTK Imager section above.