Windows Preinstallation Environment

Windows Preinstallation Environment (WinPE) is a lightweight version of Windows that can be used for many tasks. It was originally designed as a 32-bit replacement for DOS - for windows deployment, backup and recovery. WinPE is a complete, standalone operating system and will work independently of any other operating systems already installed. See here for more information.

When a computer is running (booted from) a full version of Windows certain files are 'locked' - making it difficult to take a system backup or to remove a virus/malware. Consequently some tasks are best performed when the operating system is offline - this can be achieved by booting to another operating system such as WinPE to access the offline system.

There are two distinct methods for booting WinPE - RAM Boot and Flat Boot. RAM Boot is the most common method and anyone who has installed Windows Vista/7/8/8.1 will already (perhaps unknowingly) have used it. Microsoft recommend a minimum of 512 MB RAM in order to run a RAM booted version of WinPE - in tests it was possible to boot some versions of WinPE with 256 MB RAM. For more details about RAM and Flat boot WinPE and RAM requirements, please see here.

When WinPE is RAM Booted or Flat Booted from read only media it will not save any changes made to it when the system is rebooted. A benefit of this is always having a clean (virus free) WinPE operating system on boot.

WinPE is easy to customise. The builds prior to customisation are very limited and the UI (User Interface) is command line. It is possible to adapt these builds to use a GUI shell and other programs and utilities can be added so that various tasks can be carried out, including but not limited to -

WinPE Versions

There are a number of different versions of official Microsoft WinPE. The earlier versions used the same codebase as Windows XP/2003 - these are usually referred to as WinPE 1.*.

Earlier versions of WinPE (prior to the introduction of version 2.0) were aimed at enterprise customers and were not available to the general public. As of version 2.0 it was possible for non-enterprise customers to create their own WinPE by using the freely available Windows Automated Installation Kit (WAIK). The WAIK has now been replaced with the Windows Assessment and Deployment Kit (ADK).

Windows Operating Systems use a numbering format for identification purposes - these numbers can be used to identify the codebase from which a particular WinPE was created. Windows builds use the numbering format ‘MajorVersion.MinorVersion.Build’ - e.g. 6.1.7600. Unlike the product names associated with Windows Operating Systems (e.g. Windows 7) these numbers can refer to multiple products - version 6.1.7600 for example refers to both Windows 7 and Windows Server 2008.

WinPE versions include -

WinPE Major.Minor.Build Windows Operating System source
2.0 6.0.6000 Windows Vista
2.1 6.0.6001 Windows Vista (SP1) / Server 2008
3.0 6.1.7600 Windows 7 / Server 2008 R2
3.1 6.1.7601 Windows 7 (SP1) / Server 2008 R2 (SP1)
4.0 6.2.9200 Windows 8 / Server 2012
5.0 6.3.9600 Windows 8.1
5.1 6.3.9600 Windows 8.1 Update

Following the release of Windows 10, WinPE versions are identifed by MajorVersion.MinorVersion.Build numbers that generally correspond with the Windows 10 build from which they were compiled. WinPE 10.0.16299 for example corresponds with Windows 10.0.16299 (aka Version 1709 / Fall Creators Update).

There are some exceptions to this rule as the WinPE included in Windows 10.0.18362 (May 2019 Update (1903)) and 10.0.18363 (November 2019 Update (1909)) sources are both based on WinPE 10.0.18362.

Another example of the same WinPE version being included in multiple Windows sources is WinPE 10.0.19041. The following Windows 10 sources all include/use WinPE 10.0.19041 -

WinPE 10.* versions include -

WinPE Build WinPE Version Windows Operating System source
10.0.10240 1507 -
10.0.10586 1511 November Update
10.0.14393 1607 Anniversary Update
10.0.15063 1703 Creators Update
10.0.16299 1709 Fall Creators Update
10.0.17134 1803 April 2018 Update
10.0.17763 1809 October 2018 Update
10.0.18362 1903 May 2019 Update (Windows 10.0.18362 / 1903)
November 2019 Update (10.0.18363 / 1909)
10.0.19041 2004 May 2020 Update (10.0.19041 / 2004)
October 2020 Update (10.0.19042 / 20H2)
May 2021 Update (10.0.19043 / 21H1)
November 2021 Update (10.0.19044 / 21H2)

There are 32 bit and 64 bit versions of all of the above WinPE systems. More recent versions of WinPE are likely to better support more recent hardware without the need for injecting drivers. WinPE 3.x builds are very stable and have been well tested, with a large userbase and support for a wide range of third party scripts in other projects. Unfortunately WinPE 3.x based builds do not offer the same level of write protection in forensic environments.

Document date - 18th June 2022