Windows Preinstallation Environment (WinPE) is a lightweight version of Windows that can be used for many tasks. It was originally designed as a 32-bit replacement for DOS - for windows deployment, backup and recovery. WinPE is a complete, standalone operating system and will work independently of any other operating systems already installed. See here for more information.
When a computer is running (booted from) a full version of Windows certain files are 'locked' - making it difficult to take a system backup or to remove a virus/malware. Consequently some tasks are best performed when the operating system is offline - this can be achieved by booting to another operating system such as WinPE to access the offline system.
There are two distinct methods for booting WinPE - RAM Boot and Flat Boot. RAM Boot is the most common method and anyone who has installed Windows Vista/7/8/8.1 will already (perhaps unknowingly) have used it. Microsoft recommend a minimum of 512 MB RAM in order to run a RAM booted version of WinPE - in tests it was possible to boot some versions of WinPE with 256 MB RAM. For more details about RAM and Flat boot WinPE and RAM requirements, please see here.
When WinPE is RAM Booted or Flat Booted from read only media it will not save any changes made to it when the system is rebooted. A benefit of this is always having a clean (virus free) WinPE operating system on boot.
WinPE is easy to customise. The builds prior to customisation are very limited and the UI (User Interface) is command line. It is possible to adapt these builds to use a GUI shell and other programs and utilities can be added so that various tasks can be carried out, including but not limited to -
There are a number of different versions of official Microsoft WinPE. The earlier versions used the same codebase as Windows XP/2003 - these are usually referred to as WinPE 1.*.
Earlier versions of WinPE (prior to the introduction of version 2.0) were aimed at enterprise customers and were not available to the general public. As of version 2.0 it was possible for non-enterprise customers to create their own WinPE by using the freely available Windows Automated Installation Kit (WAIK). The WAIK has now been replaced with the Windows Assessment and Deployment Kit (ADK).
Windows Operating Systems use a numbering format for identification purposes - these numbers can be used to identify the codebase from which a particular WinPE was created. Windows builds use the numbering format ‘MajorVersion.MinorVersion.Build’ - e.g. 6.1.7600. Unlike the product names associated with Windows Operating Systems (e.g. Windows 7) these numbers can refer to multiple products - version 6.1.7600 for example refers to both Windows 7 and Windows Server 2008.
WinPE versions include -
|WinPE||Major.Minor.Build||Windows Operating System source|
|2.1||6.0.6001||Windows Vista (SP1) / Server 2008|
|3.0||6.1.7600||Windows 7 / Server 2008 R2|
|3.1||6.1.7601||Windows 7 (SP1) / Server 2008 R2 (SP1)|
|4.0||6.2.9200||Windows 8 / Server 2012|
|5.1||6.3.9600||Windows 8.1 Update|
Following the release of Windows 10, WinPE versions are identifed by MajorVersion.MinorVersion.Build numbers that generally correspond with the Windows 10 build from which they were compiled. WinPE 10.0.16299 for example corresponds with Windows 10.0.16299 (aka Version 1709 / Fall Creators Update).
There are some exceptions to this rule as the WinPE included in Windows 10.0.18362 (May 2019 Update (1903)) and 10.0.18363 (November 2019 Update (1909)) sources are both based on WinPE 10.0.18362.
Another example of the same WinPE version being included in multiple Windows sources is WinPE 10.0.19041. The following Windows 10 sources all include/use WinPE 10.0.19041 -
WinPE 10.* versions include -
|WinPE Build||WinPE Version||Windows Operating System source|
|10.0.16299||1709||Fall Creators Update|
|10.0.17134||1803||April 2018 Update|
|10.0.17763||1809||October 2018 Update|
|10.0.18362||1903||May 2019 Update (Windows 10.0.18362 / 1903)
November 2019 Update (10.0.18363 / 1909)
|10.0.19041||2004||May 2020 Update (10.0.19041 / 2004)
October 2020 Update (10.0.19042 / 20H2)
May 2021 Update (10.0.19043 / 21H1)
November 2021 Update (10.0.19044 / 21H2)
There are 32 bit and 64 bit versions of all of the above WinPE systems. More recent versions of WinPE are likely to better support more recent hardware without the need for injecting drivers. WinPE 3.x builds are very stable and have been well tested, with a large userbase and support for a wide range of third party scripts in other projects. Unfortunately WinPE 3.x based builds do not offer the same level of write protection in forensic environments.
Document date - 18th June 2022