Open the Windows PE Deployment Tools command prompt:
Windows XP: Click Start > All Programs > Microsoft Windows AIK > Deployment Tools Command Prompt.
Windows Vista/7: Click Start > All Programs > Microsoft Windows AIK. Right-click Deployment Tools Command Prompt and select Run as administrator.
The command prompt is displayed.
In the Deployment Tools command prompt:
Enter the following command to create the build directory for the Windows PE CD:
copype <architecture> <destination>
Use the following options:
Option | Details
---|---
<architecture> | Always use x86 for this setting. The x86 setting works for both 32-bit and 64-bit operating systems.
<destination> | The build directory to which the Windows PE files will be copied
For example:
copype x86 c:\winpe
This example creates the following build directory structure:
c:\winpe: Contains the Windows PE bootstrap loader (ETFSBoot.com) and a Windows PE image file (winpe.wim) that has all of the files for a basic Windows PE CD.
c:\winpe\ISO: Contains the files needed to create the base Windows PE ISO image.
c:\winpe\mount: An empty folder that will be used to mount the Windows PE image file (winpe.wim) so that changes can be made to it.
Enter the following command to mount the winpe.wim image in the c:\winpe\mount directory:
imagex /mountrw c:\winpe\winpe.wim 1 c:\winpe\mount
This command (and all commands in the next steps) assumes that you specified c:\winpe as your build directory when running the copype command. If you used another directory, substitute that directory in the commands.
Create the following directory structure:
c:\winpe\mount\program files\FinallySecure\eri
You can create the directories at the Deployment Tools command prompt or in another tool such as Windows Explorer.
The Emergency Recovery application, as well as the encryption drivers, are provided by SECUDE AG. The application, files, and directories have not been renamed. As you prepare and use the application, you will see directory names such as FinallySecure and registry keys such as fsesys.
Copy the Emergency Recovery application files to the FinallySecure directory created in the previous step:
xcopy c:\winpe_plugin\EN\files\*.* "c:\winpe\mount\program files\FinallySecure" /s /e
These paths assume that you extracted the application files to the c:\winpe_plugin directory (see Prerequisites). If you used a different directory, copy the files from that directory.
Copy the encryption drivers to the Windows PE system drivers directory:
xcopy c:\winpe_plugin\EN\files\*.sys c:\winpe\mount\windows\system32\drivers /s /e /y
Copy the Microsoft OLE User Interface Support file from the device’s system directory to the Windows PE system directory:
xcopy c:\windows\system32\oledlg.dll c:\winpe\mount\windows\system32 /I /e /Y
Open a standard command prompt and do the following:
Enter the following command to load the FinallySecure registry hive:
REG LOAD "HKLM\fsesys" c:\winpe\mount\windows\system32\config\system
Add the following registry entries for the plug-in by typing each line at the command prompt and then pressing Enter.
REG ADD HKLM\fsesys\ControlSet001\Services\NBFDENC /v DisplayName /t REG_SZ /d NBFDENC
REG ADD HKLM\fsesys\ControlSet001\Services\NBFDENC /v ErrorControl /t REG_DWORD /d 0x1
REG ADD HKLM\fsesys\ControlSet001\Services\NBFDENC /v Type /t REG_DWORD /d 0x1
REG ADD HKLM\fsesys\ControlSet001\Services\NBFDENC /v Start /t REG_DWORD /d 0x0
REG ADD HKLM\fsesys\ControlSet001\Services\NBFDENC /v Group /t REG_SZ /d "System Bus Extender"
REG ADD HKLM\fsesys\ControlSet001\Services\NBFDENC /v Tag /t REG_DWORD /d 0x2
REG ADD HKLM\fsesys\ControlSet001\Services\AES /v DisplayName /t REG_SZ /d AES
REG ADD HKLM\fsesys\ControlSet001\Services\AES /v ErrorControl /t REG_DWORD /d 0x1
REG ADD HKLM\fsesys\ControlSet001\Services\AES /v Type /t REG_DWORD /d 0x1
REG ADD HKLM\fsesys\ControlSet001\Services\AES /v Start /t REG_DWORD /d 0x0
REG ADD HKLM\fsesys\ControlSet001\Services\AES /v Group /t REG_SZ /d "Primary Disk"
REG ADD HKLM\fsesys\ControlSet001\Services\DES /v DisplayName /t REG_SZ /d DES
REG ADD HKLM\fsesys\ControlSet001\Services\DES /v ErrorControl /t REG_DWORD /d 0x1
REG ADD HKLM\fsesys\ControlSet001\Services\DES /v Type /t REG_DWORD /d 0x1
REG ADD HKLM\fsesys\ControlSet001\Services\DES /v Start /t REG_DWORD /d 0x0
REG ADD HKLM\fsesys\ControlSet001\Services\DES /v Group /t REG_SZ /d "Primary Disk"
REG ADD HKLM\fsesys\ControlSet001\Services\DESX /v DisplayName /t REG_SZ /d DESX
REG ADD HKLM\fsesys\ControlSet001\Services\DESX /v ErrorControl /t REG_DWORD /d 0x1
REG ADD HKLM\fsesys\ControlSet001\Services\DESX /v Type /t REG_DWORD /d 0x1
REG ADD HKLM\fsesys\ControlSet001\Services\DESX /v Start /t REG_DWORD /d 0x0
REG ADD HKLM\fsesys\ControlSet001\Services\DESX /v Group /t REG_SZ /d "Primary Disk"
REG ADD HKLM\fsesys\ControlSet001\Services\BLOWFISH /v DisplayName /t REG_SZ /d BLOWFISH
REG ADD HKLM\fsesys\ControlSet001\Services\BLOWFISH /v ErrorControl /t REG_DWORD /d 0x1
REG ADD HKLM\fsesys\ControlSet001\Services\BLOWFISH /v Type /t REG_DWORD /d 0x1
REG ADD HKLM\fsesys\ControlSet001\Services\BLOWFISH /v Start /t REG_DWORD /d 0x0
REG ADD HKLM\fsesys\ControlSet001\Services\BLOWFISH /v Group /t REG_SZ /d "Primary Disk"
REG ADD "HKLM\fsesys\ControlSet001\Control\Class\{71A27CDD-812A-11D0-BEC7-08002BE2092F}" /v LowerFilters /t REG_MULTI_SZ /d nbfdenc\0fvevol /f
REG ADD "HKLM\fsesys\ControlSet001\Control\Class\{4D36E967-E325-11CE-BFC1-08002BE10318}" /v UpperFilters /t REG_MULTI_SZ /d PartMgr\0nbfdenc /f
Enter the following command to unload the FinallySecure registry hive:
REG Unload "HKLM\fsesys"
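The registry steps above register five boot-start drivers and add nbfdenc to two device class filter lists, so a mistyped line or a driver file that was not copied leaves an image that cannot read the encrypted disk. The following batch file is an added example, not part of the original procedure or of the vendor's tooling, that re-checks the mounted image before it is committed. It assumes the image is still mounted at c:\winpe\mount, that it is run from an elevated command prompt, and that each driver file is named <service>.sys (the Windows default when a service has no ImagePath value); the file name check_erd.cmd is hypothetical.

```batch
@echo off
rem check_erd.cmd: added check, not part of the original procedure.
rem Assumptions: image still mounted at c:\winpe\mount; each driver file is
rem named <service>.sys, the Windows default when a service has no ImagePath.
setlocal
set "MOUNT=c:\winpe\mount"
set "CS=HKLM\fsesys\ControlSet001"
set ERRORS=0

reg load "HKLM\fsesys" "%MOUNT%\windows\system32\config\system" >nul
if errorlevel 1 (
    echo Cannot load the offline SYSTEM hive. Run elevated, with the image mounted.
    exit /b 2
)

rem Each service must have its driver file in place and be registered as a
rem boot-start kernel driver, exactly as the REG ADD lines specify.
for %%S in (NBFDENC AES DES DESX BLOWFISH) do (
    if not exist "%MOUNT%\windows\system32\drivers\%%S.sys" (
        echo MISSING: drivers\%%S.sys
        set /a ERRORS+=1
    )
    call :expect "%CS%\Services\%%S" Start 0x0
    call :expect "%CS%\Services\%%S" Type 0x1
)

rem nbfdenc must appear in the volume and disk-drive class filter lists.
call :expect "%CS%\Control\Class\{71A27CDD-812A-11D0-BEC7-08002BE2092F}" LowerFilters nbfdenc
call :expect "%CS%\Control\Class\{4D36E967-E325-11CE-BFC1-08002BE10318}" UpperFilters nbfdenc

reg unload "HKLM\fsesys" >nul
if %ERRORS%==0 echo Driver files and registry entries are consistent.
if not %ERRORS%==0 echo %ERRORS% problems found. Fix them before unmounting the image.
exit /b %ERRORS%

:expect
rem %1 = key, %2 = value name, %3 = text the value data must contain.
rem Substring match: enough to catch a missing or mistyped value.
reg query "%~1" /v %2 2>nul | findstr /i /c:"%~3" >nul
if errorlevel 1 (
    echo MISMATCH: %2 under %~1 should contain %3
    set /a ERRORS+=1
)
exit /b 0
```

The script loads and unloads the hive itself, so run it only after the REG Unload step; a non-zero exit code is the number of problems found.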
(Optional) Copy ERI files to the following directory:
c:\winpe\mount\program files\FinallySecure\ERI
In order to recover a device, the Emergency Recovery application must have access to the device’s ERI file.
If you are creating the ERD to recover a specific device, you might want to add the ERI file to the ERD so that everything required to recover the device is on the ERD. If you are creating a generic ERD for use with any device, you might want to wait until a recovery situation arises with a device and then add the device’s ERI file to a USB device that can be distributed with the ERD.
For information about accessing ERI files, see Section 3.0, Retrieving ERI Files and Passwords.
Configure the Emergency Recovery application to autostart in the desired language:
In a text editor (run as Administrator), open the c:\winpe\mount\windows\system32\startnet.cmd file.
Under wpeinit add the following line:
"X:\Program Files\FinallySecure\pe_erd_w32.exe"
(Optional) Add the following lines to change the input language and keyboard layout from the default (EN-US):
wpeutil SetKeyboardLayout <keyboard layout ID>
wpeutil SetUserLocale <language name>-<language name>
For a list of <keyboard layout ID> values, see the Microsoft Go Global Development Center. The <language-name> values are in standard international language code format (en-US, de-DE, es-ES, and so forth). For example, a German keyboard layout and locale would be:
wpeutil SetKeyboardLayout 0407:00000407
wpeutil SetUserLocale de-DE
Verify that the final changes are similar to the following:
wpeinit
"X:\Program Files\FinallySecure\pe_erd_w32.exe"
wpeutil SetKeyboardLayout 0407:00000407
wpeutil SetUserLocale de-DE
Save the changes.
At the Deployment Tools command prompt:
Enter the following command to unmount the image and commit the changes to the original image file (winpe.wim):
imagex /unmount /commit c:\winpe\mount
Enter the following command to replace the image in the ISO directory with the newly updated image file (winpe.wim):
copy c:\winpe\winpe.wim c:\winpe\iso\sources\boot.wim
Enter the following command to create the ISO image file:
oscdimg -n -h -bc:\winpe\etfsboot.com c:\winpe\iso c:\winpe\winpe.iso
Burn the winpe.iso image to a DVD.
or
Use the winpe.iso image to create a bootable USB device. See Section 6.0, Creating a Windows PE Emergency Recovery USB Drive.
The ERD is ready to use.