Winfe : the forensic winpe made in windows 8 , windows 7 and vista

Just another WordPress.com weblog

Posts Tagged ‘WINPE ON WINDOWS 8

Winfe for beginners in Vista and Windows 7 and Windows 8 + 8.1

with 4 comments

Latest update : April 9th, 2014 :
*section 51000 :
install ADK for windows 8.1 update 1. Go to Section 50000 to make a winfe.
*section 50000 :
 how to make a winfe 5.0 and winpe 5.0 for deploying windows 8.1
with the ADK for win 8.1 (WAIK has been renamed to ADK)
*section 40000 : how to make a winpe 4.0 and winfe 4.0 for deploying Windows 8
with the ADK for win 8.
*section 30000 : How to make an ordinary winpe or winfe 3.0 (forensic winpe)  32 bit (tip 3)
A. for deploying Windows 7 with the WAIK (=winpe 3.0)
B. for deploying Win 7 sp1 with the WAIK + SUPPLEMENT (=winpe 3.1)
*section 20000 : make a forensic winpe for deploying Vista – 32 bit (winpe 2.0 / 2.1) (tip 8)
*section 10000 : edit a boot.wim
*section 0 : find out version numbers of Windows, of ADK, of Winpe ; find out if winpe is 32 bit or 64 bit ;
find out if you’re booted in uefi or legacy bios ; make screenshots in UEFI.

Support for 4k advanced format drives
4k advanced format drives are supported from winpe 3.1 (= Waik + Supplement iso), and higher
(winpe 4.0, etc)

Support for usb3

There are driverpacks available with usb3-drivers as torrents, downloadable with Utorrent
http://www.utorrent.com/intl/us/utorrent-free
Be vigilant not to install the adware it contains nowadays.
32 bit : http://driverpacks.net/driverpacks/windows/7/x86/chipset/12.12
64 bit : http://driverpacks.net/driverpacks/windows/7/x64/chipset/12.12

In this thread of Wilderssecurity http://www.wilderssecurity.com/showthread.php?t=315679
you can find intel usb3 drivers for Renesas :
https://downloadcenter.intel.com/Detail_Desc.aspx?agr=Y&DwnldID=19880&keyword=usb+3.0&lang=eng

With winbuilder with a Windows 7 sp1 DVD, you can also integrate usb3 drivers :
http://w7pese.cwcodes.net/Compressed/

I have several laptops with only usb2-ports. Integrating usb3-drivers in a winpe to communicate with a new
external usb3-drive did not work. I could not complete an image of my internal drive.
Under Windows however I can perfectly use usb3 flash drives with a huge speed gain.

So, if you have usb2 laptops in which you can insert expresscards with e-sata (sata II) , you are probable
better off buying a  case with usb + e-sata for external drives. I obtained a copying speed of 500 gb in
2 hours after I integrated in my winpe the e-sata drivers that came with the expresscard .
(this is dependent on the speed of the external drive, and the speed of the internal drive).
////////////////////////////////////////////////////////////////////////////////////////////////////
IMPORTANT REMARK 0 :  I know that the files I uploaded to my dropbox or skydrive account (renamed to
Onedrive recently) are clean.
If you have doubts however, you can upload them (file may be max 32 mb) to https://www.virustotal.com/
to have them controlled by 40 anti-virus-scanners.

IMPORTANT REMARK 1 : Read tip 1 for more explanations if  you are new at this. Always make a winpe
on a clean  new system, of which you’re sure it’s not infected.

IMPORTANT REMARK 2 : if you have a 64 bit computer with UEFI instead of BIOS, you will need to make a 64 bit winpe !!!And if you want to execute some programs in a 64-bit  winpe, such as mspaint.exe or calc.exe, beware that the ordinary hand-made 64 bit winpe  (64-bit is named amd64 in winpe, term which is also used for 64-bit Intel processors) often complains that it does not have the necessary subsystem to execute these programs.

That’s why Winbuilder ( a fully GUI pe ) is often very useful ; it includes the subsystem needed
to execute simple 32-bit programs on the 64-bit build.
Added bonus : you will have a graphical desktop with Windows Explorer, instead of an ordinary command prompt.
Section 40000 tip 004 will show you the download location of Winbuilder Win8PeSe, and some info on how to use it.

What is winpe ?
WIN
dows Preinstallation Environment is actually a super-small variant of Windows, which contains only
a command prompt. You can  put GUI-programs on it, but it will not be a fully-fledged graphical
environment like Winbuilder win7pese, win8pese or win81pese, which look a lot more like the Windows
we know, but also fits on a boot cd or usb.
(section 40000 tip 004 for more on Winbuilder)
Winpe fits on a boot cd of 700 mb, or a bootable flash drive. With it you have full access to
all the files on the underlying windows operating system (if this os is not encrypted).
But if you have the Bitlocker encryption password, you can decrypt the underlying os.

In winpe you are “nt authority/system”, which is the highest level on a local system, above Administrator.
You can check this if you integrated whoami.exe in your winpe.
When  a diskpart clean-all command on a usb-stick within Windows is failing, sometimes it is sufficient
to execute this command from within a winpe where you have higher rights.

What is winfe ?
WIN
dows Forensic Environment : it’s a winpe but altered in such a way that it does not
affect in any way the underlying Windows operating system. It does not mount the
hard drives, and does not write to them.

Use of winfe for professionals : it’s a boot cd or a boot usb with which you can make  an image
of a computer hard drive (without altering the latter in any way) to another hard drive. This clone
is then searched for evidence of criminal activities, and if that is the case, it will serve as evidence if
there is a trial.
Further use : if you have a master image of a computer operating system, you can use winpe to
deploy this image to different computers in an enterprise environment.

You will find a different approach for making winfe’s here on the reference site for professionals :
http://winfe.wordpress.com/2014/01/01/natural-progression-for-new-users-of-winfe/

Use of winpe for non-professionals : you can put other programs such as firefox, etc. on a winpe/winfe
boot cd. I use winfe as an internet banking system on a cd. So I always have a clean system, which starts
with my particular settings, and can’t be compromised (unless of course your router is compromised,
and then your clean boot cd won’t help you very much.)
And I also clone my hard drives with a winpe, with dd (chrysocome.net)
only 32-bit, or with fau dd (forensic acquisition utilities , 32 bit
and 64 bit).
And a winpe can be useful if you want to rescue some files from a compromised computer.

Forensic image of a usb-stick
You can do this with Winfe Lite, which makes a 32 bit winfe 3.0.

Winfe lite contains the write-protect script by Colin Ramsden.
With it you can toggle drives to read-write, mount them. This is ideal for the
forensic imaging of a usb stick. You need to make this on a system with
the Waik (+ eventually the supplement iso)
See section 30000.

It does NOT work with the ADK

You download the Full Package here :
http://www.ramsdens.org.uk/download.html

Click on the tab “information” to read the explanation on how to use winfe Lite.

You can also download the WinProtect Script, which you can use in Winbuilder Win7PESE ;
put the script under “Tweaks” in the Winbuilder folder.

\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\
SECTION 51000

Winpe 5.1
Download the ADK for Windows 8.1 update 1 here :
http://www.microsoft.com/en-us/download/details.aspx?id=39982

Windows 8.1 update changes :

http://technet.microsoft.com/en-us/library/dn247001.aspx#Win81_update1

New : wimboot : ability to boot from a wim directly : smaller file for solid state drives in tablets.
http://technet.microsoft.com/en-us/library/dn594399.aspx
http://forums.mydigitallife.info/threads/52931-Windows-8-1-Update-1-WimBOOT-discussion

\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\

SECTION 50000

Winpe 5.o (is a winpe built with the ADK for deploying windows 8.1)


Waik for Windows 8/8.1 has been renamed to ADK for windows 8/8.1. Download the new ADK for deployment of Windows 8.1 here as of october 17th, 2013.

http://www.microsoft.com/en-us/download/details.aspx?id=39982
The download consists of one small adksetup.exe.
If you already have the ADK for Windows 8, it will not download, unless you  issue the following command in  a command prompt :
adksetup.exe /layout “C:\OfflineADK” (thanks, mr Diagg)
However, you won’t be able to install it as long as the earlier ADK is on your computer.
Tip from this site:
http://www.deploymentresearch.com/Research/tabid/62/EntryId/90/What-s-new-in-ADK-for-Windows-8-1.aspx

You only need the deployment tools and  the windows preinstallation environment from the ADK.

Manually making the winpe 5.0 – 32 bit version on a 32 bit system step by step with commands in command prompt.

!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
IF HOWEVER YOU MAKE A 32-BIT WINPE ON A 64 BIT SYSTEM, REPLACE ALL INSTANCES OF

C:\Program Files\Windows Kits\

WITH :

C:\Program Files (x86)\Windows Kits\

!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

Under the section PREPARATION, you can read how to activate the
hidden administrator account in Windows 8.

I’ll give the commands here ; an asterisk * precedes every command. Make sure you don’t copy it as well,
or it won’t work.
In Windows 7, type : “deployment” in the search box, and soon you will see the command prompt with
the title “Deployment and Imaging Tools Environment”. Right click it, and choose “run as administrator”.
In Windows 8  :
Use Windowskey to go to Metro ;
Type anywhere :    deploy…

As soon as you see the command prompt window “Deployment and Imaging Tools Environment”
right click on it, and choose “run as administrator”
A Windows Deployment and Imaging Tools Environment Command Prompt window opens with
environment variables automatically set to point to all the necessary tools.

1* Dism /Cleanup-Wim 
2* rmdir c:\winpe_x86 /s  
If you're asked if you are sure , type :    y  (for yes)

3* copype x86 c:\winpe_x86 
4* Dism /mount-image /imagefile:C:\winpe_x86\media\sources\boot.wim /index:1 /mountdir:C:\winpe_x86\mount

Put all your drivers in one folder (here in the folder : “c:\users\Your_username\downloads\drivers ” ; dism will also look in all the subfolders for inf-files with /recurse ). Adapt “your username” so it reflects the real path on your computer.

5* DISM /image:c:\winpe_x86\Mount /Add-Driver /driver:C:\Users\Your_username\Downloads\Drivers\ /recurse

———————————————————————————————————————————-
IMPORTANT REMARK before you begin installing packages :
A. Always install the package with the correspondent language package
B. Some packages depend on the installation of other packages.
http://technet.microsoft.com/en-us/library/hh824926.aspx (e.g. winpe securestartup)
Some optional components have dependencies, as follows.

First Install Winpe-scripting to use winpe-HTA

First install WinPE-WMI and Winpe-scripting before you use the .NET Framework

Install WinPE-WMI before you use WinPE-SecureStartup.

Install WinPE-WMI, WinPE-NetFX, and WinPE-Scripting before you use WinPE-PowerShell.

Install WinPE-PowerShell before you use the Windows PowerShell® cmdlets (respectively
WinPE-DismCmdlets and WinPE-StorageWMI).

Install WinPE-Setup before you use WinPE-Setup-Client and WinPE-Setup-Server.

You will find all the possible packages you wish to install in the folder :

C:\Program Files\Windows Kits\8.1\Assessment and Deployment Kit\Windows Preinstallation Environment\x86\WinPE_OCs

With each package, you will have to install  the language package as you can see in command  6 and 7.
—————————————————————————————————————————————————–

6* Dism /image:C:\winpe_x86\mount /add-package /packagepath:"C:\Program Files\Windows Kits\8.1\Assessment and Deployment Kit\Windows Preinstallation Environment\x86\WinPE_OCs\WinPE-Scripting.cab"
* Dism /image:C:\winpe_x86\mount /add-package /packagepath:"C:\Program Files\Windows Kits\8.1\Assessment and Deployment Kit\Windows Preinstallation Environment\x86\WinPE_OCs\en-us\WinPE-Scripting_en-us.cab"
7* Dism /image:C:\winpe_x86\mount /add-package /packagepath:"C:\Program Files\Windows Kits\8.1\Assessment and Deployment Kit\Windows Preinstallation Environment\x86\WinPE_OCs\winpe-wmi.cab" 
* Dism /image:C:\winpe_x86\mount /add-package /packagepath:"C:\Program Files\Windows Kits\8.1\Assessment and Deployment Kit\Windows Preinstallation Environment\x86\WinPE_OCs\en-us\winpe-wmi_en-us.cab" 
* Dism /image:C:\winpe_x86\mount /add-package /packagepath:"C:\Program Files\Windows Kits\8.1\Assessment and Deployment Kit\Windows Preinstallation Environment\x86\WinPE_OCs\WinPE-MDAC.cab" 
* Dism /image:C:\winpe_x86\mount /add-package /packagepath:"C:\Program Files\Windows Kits\8.1\Assessment and Deployment Kit\Windows Preinstallation Environment\x86\WinPE_OCs\en-us\WinPE-MDAC_en-us.cab"  
8* Dism /image:C:\winpe_x86\mount /Set-ScratchSpace:256

-The above command of Set-Scratchspace  (maximum is 512 – but this requires a pc with minimum 1 gb ram) makes sure you will not run out of working memory when installing programs during the use of the  winpe

To make the winpe a forensic one that does not mount internal hard drives
(in winpe 5.0 and 4.0 it will mount external usb drives), you need to edit the registry :

* REG LOAD HKLM\WINFE2 C:\winpe_x86\mount\Windows\System32\config\SYSTEM
* REG ADD HKLM\WINFE2\ControlSet001\Services\MountMgr /v NoAutoMount /t REG_DWORD /d 1 /f
* REG ADD HKLM\WINFE2\ControlSet001\Services\partmgr\Parameters /v SanPolicy /t REG_DWORD /d 4 /f
* REG ADD HKLM\WINFE2\ControlSet001\Control\FileSystem /v DisableDeleteNotification /t REG_DWORD /d 1 /f
* REG UNLOAD HKLM\WINFE2
Under section 40000, you can find other registry edits which can be useful.

Before you continue, you can copy the contents of a firefoxportable folder on a flash disk to the system32 folder 
(this is also the case if you're making a 64-bit winpe) of the mount folder :
c:\winpe_x86\Mount\Windows\system32

you will then be able to use Firefox. Or you could copy the contents of the Fau-utilities-dd- folder to the system32-folder in order to make disk images.
Always close Windows explorer before dismounting.

CUSTOMISE BACKGROUND WALLPAPER IN WINPE 4.0 AND WINPE 5.0

You must be logged in as administrator when making the winpe.
First you take ownership of winpe.jpg, then you modify the
permissions of it, and lastly you copy your own winpe.jpg to
the mount folder.

If you’re making a 64 bit winpe, you will find the file in :
C:\WinPE_amd64\mount\windows\system32
If you’re making a 32 bit winpe, you will find it in :
C:\WinPE_x86\mount\windows\system32

1. Take ownership

Now if you’re on Windows 7, go to this website to add “take ownership” to the context menu:
http://www.blogsdna.com/2173/add-take-ownership-option-in-right-click-context-menu-of-windows-7.htm
and download “TakeOwnership.zip”. Read the explanations and execute
the reg file.
You right-click on C:\WinPE_x86\mount\windows\system32\winpe.jpg,
and you click on the entry “Take ownership” in the context menu.

If you’re on windows 8, go to the this website :
http://www.eightforums.com/tutorials/2814-take-ownership-add-context-menu-windows-8-a.html
It’s the same procedure as above under Windows 7.
Here you can download for both :
https://dl.dropboxusercontent.com/u/11315464/takeown.zip

2.Modify the permissions to grant full access

Next modify the permissions for Administrators to allow full access.
In an administrator command prompt on windows 7 or 8, issue the command, while adapting the mount folder name to your particular case :

icacls C:\winpe_x86\mount\Windows\System32\winpe.jpg /grant Administrators:F


3 Copy your own winpe.jpg to the mount folder

Delete the winpe.jpg in the mount folder, and rename your own background jpg file to “winpe.jpg”, and
copy it to “C:\winpe_x86\mount\Windows\System32\”
Always close Windows explorer before dismounting.

REGISTRY EDITS

Look in section 40000 to change your winpe with registry edits.

Now we unmount the image :

9* Dism /unmount-image /mountdir:C:\winpe_x86\mount\ /commit

Make an iso :
10* Makewinpemedia /iso C:\winpe_x86 C:\winpe_x86\winpe_x86.iso

——————————————————————————-
Preparations to make a bootable usb with Makewinpemedia -
creating a usb drive with windows 8.1 adk

Clean the drive with diskpart , clean all.
In a command prompt, type : diskpart (+ press Enter key  after each command you type)
Then type : list disk
You need to know how large your usb stick is, suppose 2 gb (it never has the full capacity, so you
will see 1.9 gb for instance).
If this usb-stick is disk 1, you type : select disk 1
Then type : clean all
If this is finished, type : exit

Then we format the drive to fat32 with hpusbwf.exe, it’s 96 kb large.
http://cid-eabc6ce1aad35979.onedrive.live.com/embedicon.aspx/Openbaar/dosusb.zip

——————————————————————————————————————————
Make the bootable usb if F: is the drive letter of your usb which you inserted before

10A* Makewinpemedia /ufd C:\winpe_x86 F:

It is possible that  - due to erratic support for usb3 ports – that your winpe will only boot from an usb 2 port.
Similarly it is possible that – if you put winpe on an usb3-stick – it will not boot  whether on an usb3-port or an usb2-port if your motherboard does not support it yet. You could always try ; a simple diskpart command “clean all” will erase your stick again.
It might also be necessary to include your specific usb3-drivers in your winpe-build.

_____________________________________________________________________________
MAKE A 64-BIT WINPE 5.0 ON A 64 BIT SYSTEM (Windows 7 or win 8)

If you want to type much less in making a 64 bit winpe on a 64 bit system with an installed ADK for
windows 8, then Tip 002 in section 40000 will help you, and the download “64.zip” includes several
interesting utilities.
If however you have the ADK for windows 8.1, first download 64.zip,
and then download WIN81.zip, which contains some replacement files for 64.zip.
NECESSARY for executing the commands in 64.zip :
* install xxcopy.exe (  http://www.xxcopy.com/xcpydnld.htm ) before you begin. There’s a free version
* read the text file named “important..” before you begin.
https://dl.dropboxusercontent.com/u/11315464/64.zip
https://dl.dropboxusercontent.com/u/11315464/WIN81.zip

BUT, you can’t execute a simple mspaint.exe on an exclusive 64-bit build. It lacks the necessary subsystem.
Here you are saved by Winbuilder Win8pese (see section 40000, tip 004)  which DOES CONTAIN the subsystem for small 32-bit utilities!!

The hand-made naked 64-bit winpe 5.0 is build without programs for reference only.

1* Dism /Cleanup-Wim 
2* rmdir c:\winpe_amd64 /s  
If you're asked if you are sure , type :    y  (for yes)

3* copype amd64 c:\winpe_amd64
4* Dism /mount-image /imagefile:C:\winpe_amd64\media\sources\boot.wim /index:1 /mountdir:C:\winpe_amd64\mount
5* DISM /image:c:\winpe_amd64\Mount /Add-Driver /driver:C:\Users\Your_username\Downloads\Drivers\ /recurse

Beware: you need 64-bit drivers in the folder C:\Users\Your_username\Downloads\Drivers\
“Your_username” has to be adapted to your situation.
Here I give one example of a package to install in a 64-bit build, with the correspondent language pack. I’m on a 64-bit computer [where Windows Kits is in "Program Files (86)" instead of in "Program Files"] I refer to the 32-bit section above for other packages. Adapt the commands for the 64-bit version on a 64-bit system, as you can see here, where I adapted the MDAC-
package command.

6* Dism /image:C:\winpe_amd64\mount /add-package /packagepath:"C:\Program Files (x86)\Windows Kits\8.1\Assessment and Deployment Kit\Windows Preinstallation Environment\amd64\WinPE_OCs\WinPE-MDAC.cab"
7* Dism /image:C:\winpe_amd64\mount /add-package /packagepath:"C:\Program Files (x86)\Windows Kits\8.1\Assessment and Deployment Kit\Windows Preinstallation Environment\amd64\WinPE_OCs\en-us\WinPE-MDAC_en-us.cab"
8* Dism /image:C:\winpe_amd64\mount /Set-ScratchSpace:256

You can set a maximum of 512 mb scratchspace (but you will need at least 1 gb of ram in your computer)

In order to set the highest resolution possible – IF you integrated the drivers for your video card – I refer to the topic :
“RESOLUTION IN WINPE 4.0″ under section 40000.

Edit the registry to make the winpe a forensic one that does not mount internal hard drives
(under section 40000 you find other useful registry edits) :

* REG LOAD HKLM\WINFE2 C:\winpe_amd64\mount\Windows\System32\config\SYSTEM
* REG ADD HKLM\WINFE2\ControlSet001\Services\MountMgr /v NoAutoMount /t REG_DWORD /d 1 /f
* REG ADD HKLM\WINFE2\ControlSet001\Services\partmgr\Parameters /v SanPolicy /t REG_DWORD /d 4 /f
* REG ADD HKLM\WINFE2\ControlSet001\Control\FileSystem /v DisableDeleteNotification /t REG_DWORD /d 1 /f
* REG UNLOAD HKLM\WINFE2

Unmount the winpe :

9* Dism /unmount-image /mountdir:C:\winpe_amd64\mount\ /commit


Make an iso (Makewinpemedia will automatically add a bootsector bootable in UEFI) :

10* Makewinpemedia /iso C:\winpe_amd64 C:\winpe_amd64\winpe_amd64.iso

Make a bootable usb (first consult the section : “preparations to make a bootable usb with Makewinpemedia” above )
if F: is the drive letter of your usb which you inserted before
(the usb drive or stick will be automatically formatted to fat 32 and this format has a 4-gigabyte (GB) file size limit and a 32-GB partition size limit.:
10A* Makewinpemedia /ufd C:\winpe_amd64 F:

Makewinpemedia with a 64-bit winpe will automatically add a bootsector bootable in UEFI

-You could use an external usb drive (a normal hard drive of 500 gb in an external enclosure), and
use two partitions, one bootable fat32, and the other as an NTFS data partition which can hold an
image of your 320 gb hard drive. Here is how you can do this :
http://technet.microsoft.com/en-US/library/hh825109.aspx
———————————————————————————————————————————–
You can also make a bootable usb with multiple iso’s on
it with Yumi (explanation below on this page)
_____________________________________________________________________________

Some references here :

-what’s new in winpe 5.0
http://technet.microsoft.com/en-us/library/dn293271.aspx

-Set up the Storage Area Network (SAN) Policy in Windows PE
(for forensic winpe)
http://technet.microsoft.com/en-us/library/hh825063.aspx

-dism commands
http://technet.microsoft.com/en-us/library/hh824971.aspx

-oscdimg commands
http://technet.microsoft.com/en-us/library/hh824847.aspx

- MAKEWINPEmedia COMMANDS
http://technet.microsoft.com/en-us/library/hh825232.aspx

- Customize winpe
http://technet.microsoft.com/en-us/library/hh824972.aspx

- Create Media to Run Push-Button Reset Features :
http://technet.microsoft.com/en-us/library/hh824894.aspx

- Windows PE USB: Install Windows PE to a USB drive :
http://technet.microsoft.com/en-US/library/hh825109.aspx

-If you have to prepare a general install image of Windows 8  , these are the explanations
on how to do this :
http://technet.microsoft.com/en-us/library/hh825212.aspx

-You can put winpe on a hard drive.

Read the instructions here :
http://technet.microsoft.com/en-us/library/hh825045.aspx

-Make a bootable cd for bios or UEFI
http://technet.microsoft.com/en-US/library/hh824847.aspx#bootOptions
http://technet.microsoft.com/en-us/library/hh824847.aspx#examples_multi_boot

Tip 1 GENERAL INFORMATION AND EXTENSIVE EXPLANATIONS :

Permanent link for this blog :
http://gverswijvel.wordpress.com/2009/08/09/winfe/
As I’m an amateur, professionals  may find more specialized advice here
by the likes of Troy Larson (Microsoft) and such : http://winfe.wordpress.com

 FOR A WINPE TO BE ABLE TO BOOT ON A COMPUTER,

THIS COMPUTER NEEDS A MINIMUM OF 512 MB RAM

How to paste a command in the command prompt.

If you have copied something with CTRL + C, you can paste it in a command prompt by right-clicking in the command prompt window, and choosing “paste”.

Unblock downloaded executable files in Windows 8 and windows 7

When you download an executable file, an extra security measure has been added : with a right-click on the file while you choose “properties”, you will have to click “unblock”
to be able to use the file.

PREPARATION
A. Activate the administrator account in Windows 8 and Windows 7

In Windows 7 : Start , All Programs, Accessories
Right click on the “Command prompt” and choose “run as
administrator”. Then type :
net user administrator /active:yes
At the next restart you will be able to log in as administrator

In windows 8, you will first have to set a password for your ordinary account.
In control panel, USER ACCOUNTS, you can set a password.
In Windows 8, press Windowskey + Q.        In the search bar you type : command prompt

You’ll see the command prompt in the start menu now. Right click on it, and
choose : “pin to the task bar”
With WindowsKey + D we go to the desktop environment. Right click on it again and choose “properties”,
then choose “Advanced”. Mark “execute as administrator”, and click on Ok, and/or “Apply”
Click on the icon of the command prompt in the taskbar. Control the title of the
command prompt : it will be named : “Administrator : Command Prompt”

In order to activate the hidden Administrator account, you type in this admin-command-prompt :
net user administrator /active:yes

Now restart the computer, and by clicking on the arrow to the left of your usual
user account, you can see the Administrator account and you can log into it.
Then go to “Control Panel”, “User accounts”, manage another user account” : the administrator account will show up, and you attribute a password for it (be careful : you’ll need this password to log in)

///////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
SECTION 40000 – winpe 4.0 is built with the ADK for deployment of Windows 8

You will need to be administrator to easily make a winpe.

The new waik for windows 8 is now called “assessment and deployment kit” (ADK),
and it can be installed in windows Vista, windows 7 and in the new Windows 8 .

If you are installing the Assessment and Deployment Kit on windows 7 , you will be asked to first install Net Framework 4.
Assessment and deployment kit (ADK) for Windows 8 ( is Waik for windows 8 – they renamed it to ADK)
http://www.microsoft.com/en-us/download/details.aspx?id=30652

Changes :
- when you want a forensic winpe which starts with all the internal hard disks unmounted , the san policy is set to 4 in Windows 8 and the latest ADK for windows 8 and windows 8.1 ( in previous winpe’s, sanpolicy was being set to 3)
http://technet.microsoft.com/library/hh825063
http://technet.microsoft.com/en-us/library/jj592679.aspx
http://winfe.wordpress.com/2012/08/22/windows-8-and-winfe/
- you can now do a webinstall of the ADK with only those packages you need
- and there is a new option in the ADK to put your winpe on a usb-stick. The command “Makewinpemedia”     makes this possible. 

http://msdn.microsoft.com/en-us/library/hh825494.aspx

On a computer that has Internet access, run Windows ADK Setup from this Microsoft website.
http://go.microsoft.com/fwlink/?LinkId=232339

The easiest thing is the webinstall directly into Windows 8 .

http://technet.microsoft.com/en-us/library/hh824972.aspx

In addition, be aware of the following precautions before you start this walkthrough:

An x64-based Unified Extensible Firmware Interface (UEFI) computer can boot only a 64-bit winpe. This differs from BIOS. In BIOS, an x64-based computer can boot a 32-bit winpe.

On some UEFI computers, you cannot install Windows in BIOS-compatibility mode, and you might have to switch to UEFI-compatibility mode. For more information, see UEFI Firmware.

When you boot from RAM disk, Windows PE boots directly into memory and is assigned the drive letter X, which does not correspond to the media that you booted the computer from. Whenever you reboot, use Diskpart List volume to identify drive letters.

The FAT32 file system format has a 4-gigabyte (GB) file size limit and a 32-GB partition size limit.

Manually making the winpe 4.0 – 32 bit ON A 32 BIT SYSTEM step by step with commands in command prompt

!!! If you’re on a 64 bit system, replace all instances of “program files\windows kits” with “program files (x86)\windows kits”

I’ll give the commands here ; an asterisk * precedes every command. Make sure you don’t copy it as well,
or it won’t work.
In Windows 7, type : “deployment” in the search box, and soon you will see the command prompt with
the title “Deployment and Imaging Tools Environment”. Right click it, and choose “run as administrator”.
In Windows 8  :
Use Windowskey to go to Metro ;
Type anywhere :    deploy…

As soon as you see the command prompt window “Deployment and Imaging Tools Environment”
right click on it, and choose “run as administrator”
A Windows Deployment and Imaging Tools Environment Command Prompt window opens with
environment variables automatically set to point to all the necessary tools.

1* Dism /Cleanup-Wim 
2* rmdir c:\winpe_x86 /s
If you're asked if you are sure , type :    y  (for yes)

3* copype x86 c:\winpe_x86
4* Dism /mount-image /imagefile:C:\winpe_x86\media\sources\boot.wim /index:1 /mountdir:C:\winpe_x86\mount

Put all your drivers in one folder (here in the folder : “c:\users\Your_username\downloads\drivers ” ; dism will also look in all the subfolders for inf-files with /recurse ).

5* DISM /image:c:\winpe_x86\Mount /Add-Driver /driver:C:\Users\Your_username\Downloads\Drivers\ /recurse

————————————————————————————————————————————————
FOR CHANGING THE WINPE BACKGROUND WALLPAPER, SEE SECTION 50000 ABOVE
—————————————————————————————————————————————————
Manually adding packages to winpe
IMPORTANT REMARK before you begin installing packages :
A. Always install the package with the correspondent language package
B. Some packages depend on the installation of other packages.
http://technet.microsoft.com/en-us/library/hh824926.aspx (e.g. winpe securestartup)
Some optional components have dependencies, as follows.

To use winpe-HTA
Install Winpe-scripting

To use the .NET Framework
Install WinPE-WMI and Winpe-scripting before you use WinPE-NetFX4.

To use secure startup
Install WinPE-WMI before you use WinPE-SecureStartup.

To use Windows PowerShell
Install WinPE-WMI, WinPE-NetFX4, and WinPE-Scripting before you use WinPE-PowerShell3.

To use Windows PowerShell cmdlets (including WinPE-StorageWMI)

Install WinPE-WMI, WinPE-NetFX4, and WinPE-Scripting before you use WinPE-PowerShell3.
Install WinPE-PowerShell3 before you use the Windows PowerShell® cmdlets (WinPE-DismCmdlets and WinPE-StorageWMI).

To use Setup
Install WinPE-Setup before you use WinPE-Setup-Client and WinPE-Setup-Server.

You will find all the possible packages you wish to install in the folder :

C:\Program Files\Windows Kits\8.0\Assessment and Deployment Kit\Windows Preinstallation Environment\x86\WinPE_OCs

With each package, you will have to install  the language package as you can see in command  6 and 7.
—————————————————————————————————————————————————–

6* Dism /image:C:\winpe_x86\mount /add-package /packagepath:"C:\Program Files\Windows Kits\8.0\Assessment and Deployment Kit\Windows Preinstallation Environment\x86\WinPE_OCs\winpe-wmi.cab"
7* Dism /image:C:\winpe_x86\mount /add-package /packagepath:"C:\Program Files\Windows Kits\8.0\Assessment and Deployment Kit\Windows Preinstallation Environment\x86\WinPE_OCs\en-us\winpe-wmi_en-us.cab"
8* Dism /image:C:\winpe_x86\mount /Set-ScratchSpace:256

-The above command of Set-Scratchspace  makes sure you will not run out of working memory when installing programs during the use of the  winpe (maximum is 512 ; obviously you need more than 1 gb physical ram memory then)

xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

Accessories to add to your winpe just before you unmount with Dism

RESOLUTION IN WINPE 4.0

With the standard vga-driver contained in the ADK, I got a resolution of
1024x768x32 when winpe was started.
If you install the specific drivers of your video-card, you can probably set
higher resolutions.
The old setres.exe – which could be used in Winpe 3.0 – does not work in winpe 4.0
or winpe 5.0.

This is the way to do it.
The startnet.cmd  - if you’re making a 32-bit winpe  - has to be in :

C:\winpe_x86\mount\Windows\system32

and if you’re making a 64 bit winpe in :

C:\winpe_amd64\mount\Windows\system32

and the first sentence in this startnet.cmd is :
wpeinit
You leave the contents of this startnet.cmd as they are.

This wpeinit  looks automatically for a file called unattend.xml,
which must be placed in the same folder as the startnet.cmd

 

Due to formatting errors, I have put the file unattend.xml  in a zip you can download:
https://dl.dropboxusercontent.com/u/11315464/unattend.zip

——————————————————————————————–
With a rightclick on unattend.xml , you can edit the file.
If your processor Architecture is 64-bit, then you change x86 in amd64
If you have installed the proper video-drivers, you can change for instance the horizontal resolution to 1366, and the vertical to 800, all depends on the capacities of the video-card.

In winpe 4.0 and winpe 5.0 you must keep the color depth at 32.
Now save this file as unattend.xml  in the folder : c:\winpe_x86\mount\windows\system32
When making a 64 bit winpe, you copy it to c:\winpe_amd64\mount\windows\system32

With thanks to :
http://www.deploymentresearch.com/Blog/tabid/62/EntryId/51/Setting-screen-resolution-in-WinPE-4-0.aspx
I
Suppose the startnet.cmd contains the 3 sentences :
wpeinit
start /WAIT lang.cmd
diskpart /S FILE.txt

Then the unattend.xml will be executed first, and after that  the command “lang.cmd”
will be executed ; when lang.cmd is finished, you close that command prompt and the question will come :
do you want to terminate the batch ?
You type  n for NO
Then the diskpart command will be executed, following the
content of FILE.txt.
When making the winpe, you will place the file “FILE.txt” in c:\winpe_x86\mount\windows\system32
When making a 64 bit winpe, you copy it to c:\winpe_amd64\mount\windows\system32

The following contents of this example FILE.txt  will automatically execute diskpart which formats a single
internal disk to NTFS in one single partition and give it the name “Windows XP” and drive letter c: ,
after which diskpart will exit :

SELECT DISK 0
CLEAN
CREATE PARTITION PRIMARY
FORMAT FS=NTFS LABEL=”Windows XP” QUICK
SELECT PARTITION 1
ASSIGN LETTER=C
ACTIVE
EXIT

—————————————————————————————————–
Copy imagex in your winpe

If you need imagex, copy it to the mount folder :

* cd "C:\Program Files\Windows Kits\8.0\Assessment and Deployment Kit\Deployment and Imaging Tools\x86\Imaging"
* copy imagex.exe c:\winpe_x86\mount\Windows\system32
Replace x86 with amd64 if you are making a 64-bit winpe.

Another program I copy in the C:\winpe_x86\mount\windows\system32  directory is :

Explorer++.exe, downloadable here (choose 32-bit or 64-bit)
http://www.explorerplusplus.com/download

Rename Explorer++.exe  to  ex.exe
At the start of the winpe-boot-cd, you type :
ex          (and press Enter-key)
and you will have a Windows Explorer-like graphical navigation program.

Another must-have is a portable Firefox, which I first installed to a usb-stick
(on a NEW and CLEAN VIRUS-FREE system). I rename the file “firefox.exe”
to “go.exe”.
I copy the contents of the folder “Firefoxportable” directly to the folder
C:\winpe_x86\mount\windows\system32

At the start of the winpe, I only have to type :
go
to be able to surf the net (That is if your winpe contains the ethernet  drivers your computer needs to establish an internet connection).
Wireless is rather complicated, so I have not included the procedure here.

If your Windows PE environment becomes unresponsive when running an application,
you may have run out of memory. By default, Windows PE allocates 32 megabytes (MB)
of writeable memory, known as scratch space. This has changed as of Windows Pe 5.0 with a bigger scratchspace.
To be sure, you can set the scratchspace yourself.
The following command looks at how much scratchspace you have.
* Dism /image:C:\winpe_x86\mount /Get-ScratchSpace
And now we set the scratchspace we want with :
* Dism /image:C:\winpe_x86\mount /set-ScratchSpace:128     ( has to be a multiple of 32, but maximum 512)

————————————————————————————————————————
While making your winpe , open Notepad, and copy the following into it :
@ECHO OFF
wpeutil shutdown
Now save this as stop.bat

Tip : Do you get annoyed when you want to save something in Windows Notepad with an extension
other than .txt (like .sh or .bat) and you have to use up an extra two clicks selecting ‘All files’?
Just type in your filename and extension surrounded by quotes e.g. “stop.bat” You don’t need to
hit the combo box and change it and you won’t get stop.bat.txt when you go looking for the file.

Thanks Lifehacker (http://lifehacker.com/5883860/save-files-with-any-extension-from-windows-save-as-menu?tag=Windows-Tips)

Put   stop.bat    in the folder C:\winpe_x86\Mount\Windows\System32
Whenever you want to shutdown your winpe, type   :            stop  (press Enter-key)
Of course, you can always type the full command :  wpeutil shutdown

XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

OPTIONAL : Edit the registry of your future winpe 4.0 for adjustments

This has to be done while you are making your winpe.

(This is outside the scope of this article, but it’s useful to know :
if you want to execute regedit from within a winpe boot cd, you only have to type  :
regedit
in the command prompt  you see after winpe has started , and press Enter)

1. MAKE A FORENSIC WINPE (internal hard disks not mounted, external disks are mounted in winpe 4.0 and 5.0) -
RESTRICT HARD DRIVE ACCESS IN THE REGISTRY

Start – run
Type :
regedit
and OK

Put the cursor on :

HKEY_LOCAL_MACHINE

Choose “File”, and then “load hive”, navigate to (this depends on the folder name your winpe is mounted to !!!!) :
“C:\winpe_x86\mount\Windows\System32\config\”

and put your cursor on “SYSTEM”   and click “Open”

Now you will have to give a key name :
type :      WINFE2
Click “OK”

Now, in the registry, navigate to
HKEY_LOCAL_MACHINE\WINFE2\ControlSet001\Services\MountMgr
Rightclick MountMgr
Choose “new”  – “dword 32BIT value” (if your winpe is 32bit)
Type the name :
NoAutoMount
Doubleclick “NoAutoMount”, en change the value  0  to  1

Now, in the registry, navigate to
HKEY_LOCAL_MACHINE\WINFE2\ControlSet001\Services\partmgr\
Click on “Parameters”
In the right panel, choose “SanPolicy”, doubleclick it,
and change the value to   4
(in Winpe 3 SANPOLICY  used to be set to 3)

Now, in the registry, navigate to
HKEY_LOCAL_MACHINE\WINFE2\ControlSet001\Control\
Click on Filesystem
In the right panel, choose DisableDeleteNotifiction, doubleclick it
and change the value to 1

Click OK

In the left pane, click “WINFE2″
Choose “File”, and then “unload hive”
Click “Yes”

Close regedit

If you do not want to get your hands dirty, these are the commands you have to type in the command prompt. type one sentence at a time, and press ENTER after each sentence:

—————————————————————————————————————————————————–

REG LOAD HKLM\WINFE2 C:\winpe_x86\mount\Windows\System32\config\SYSTEM
REG ADD HKLM\WINFE2\ControlSet001\Services\MountMgr /v NoAutoMount /t REG_DWORD /d 1 /f
REG ADD HKLM\WINFE2\ControlSet001\Services\partmgr\Parameters /v SanPolicy /t REG_DWORD /d 4 /f
REG ADD HKLM\WINFE2\ControlSet001\Control\FileSystem /v DisableDeleteNotification /t REG_DWORD /d 1 /f
REG UNLOAD HKLM\WINFE2

_______________________________________________________________________________

2 CHANGE PRELOADED KEYBOARD LAYOUT OF YOUR WINPE IN THE REGISTRY

If you have an exotic keyboard layout, you may want to adapt your winpe.

When you want your winpe to have a certain keyboard layout preloaded at start :
Start – run   (or WINDOWS KEY and R)
Type :
regedit
and OK

Put the cursor on :

HKEY_LOCAL_MACHINE

Choose “File”, and then “load hive”
navigate to (it is possible your winpe is mounted in another directory !!) :

“C:\winpe_x86\mount\Windows\System32\config\”
and open “DEFAULT”
Now you will have to give a key name :
type :      WINFE2
Click “OK”

Now, in the registry, navigate to
HKEY_LOCAL_MACHINE\WINFE2\Keyboard Layout\Preload

I change the value 1 from     00000813 (Belgian point)  to   0001080c (is Belgian comma,
to have a comma on the numeric keypad of my laptop)

In the left pane, click “WINFE2″
Choose “File”, and then “unload hive”
Click “Yes”

Close regedit
IMPORTANT REMARK : At the end of this page you’ll find the keyboard layouts per country
name ; your country may have different layouts.
Once you have found the right one, look at the last section in this
sentence :
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard
Layouts 001080c]
Right before the last bracket you see a 7 digit long number.
Precede it with a zero  because you always need a number of EXACTLY 8 digits long if you want
to edit the registry for a correct preloading keyboard layout.

The shorter version : enter these sentences one at a time, and pressing Enter key after each one :

REG LOAD HKLM\WINFE2 C:\winpe_x86\mount\Windows\System32\config\DEFAULT
REG DELETE "HKLM\WINFE2\Keyboard Layout\Preload" /f
REG ADD "HKLM\WINFE2\Keyboard Layout\Preload" /v 1 /t REG_MULTI_SZ /D "0001080c" /f
REG UNLOAD HKLM\WINFE2

____________________________________________________________________________________________

3 EDIT THE REGISTRY TO TURN OFF CAPSLOCK WITH THE SHIFT KEY

Start – run   (or WINDOWS KEY and R)
Type :
regedit
and OK

A. Put the cursor on :

HKEY_LOCAL_MACHINE

Choose “File”, and then “load hive”
navigate to

“C:\winpe_x86\mount\Windows\System32\config\”
and open “DEFAULT”
Now you will have to give a key name :
type :      WINFE2
Click OK

B. Now, in the registry, navigate to

HKEY LOCAL MACHINE\WINFE2\Keyboard Layout
Rightclick on “Keyboard Layout”, choose NEW, “Dword value (32 bit)”, name it “Attributes”.
Double-Click the DWORD value you just made and enter: 00010000
(in hexadecimal, but this is already marked by default ; in decimal it’s 65536)
Click OK
C. Navigate to HKEY_LOCAL_MACHINE\  and put the mouse cursor on “WINFE2″
From the menu above, you choose “File”, and then “unload hive”
This will remove the temporarily added winpe-registry from the windows 7-registry.

Short version as commands in a command prompt : each sentence followed by Enter key
(/d 65536 is the decimal value, while 00010000 is the hexadecimal value)

REG LOAD HKLM\WINFE2 C:\winpe_x86\mount\Windows\System32\config\DEFAULT
REG ADD "HKLM\WINFE2\Keyboard Layout" /v Attributes /t REG_DWORD /d 65536 /f
REG UNLOAD HKLM\WINFE2

___

______________________________________________________________________________________

4 EDIT THE REGISTRY TO HAVE NUMLOCK ON AT STARTUP

If you have a laptop with a seperate numeric keypad, you might want it
to be enabled at the start of your winpe.

Beware : on an EEE PC  (which has no seperate numeric keyboard, but one placed on the letters
U, I, O, P, etc) when booting to your winfe, you will not be able to type the letters
U, I, O, P  etc, as they will have been replaced by numerals.
You will have to press the keys FN + Numlck to have letters again.

These are the commands in the command prompt :

REG LOAD HKLM\WINFE2 C:\winpe_x86\mount\Windows\System32\config\DEFAULT
REG ADD "HKLM\WINFE2\Control Panel\Keyboard" /v Initialkeyboardindicators /t REG_MULTI_SZ /D "2" /f

REG UNLOAD HKLM\WINFE2

How to do this manually.

f you have a laptop with a seperate numeric keypad, you might want it
to be enabled at the start of your winpe.
Type this first sentence in the command prompt :

REG LOAD HKLM\WINFE2 C:\winpe_x86\mount\Windows\System32\config\DEFAULT
Now  use Windowskey + R, and type : regedit
Navigate in the left panel to the key : HKEY_LOCAL_MACHINE\WINFE2\Control Panel\Keyboard

In the right panel, double-click on “Initialkeyboardindicators” and change the value from 2147483648  to  2  and click on OK.
Now close regedit, and type the following sentence in the command prompt :

REG UNLOAD HKLM\WINFE2

___
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

After you edited the registry and added the accessories, you are going to unmount the image :

9* Dism /unmount-image /mountdir:C:\winpe_x86\mount\ /commit

Make an iso :
10* Makewinpemedia /iso C:\winpe_x86 C:\winpe_x86\winpe_x86.iso

Make a bootable usb (first consult the section : “Preparations to make a bootable usb with Makewinpemedia” above)
if F: is the drive letter of your usb which you inserted before :
10A* Makewinpemedia /ufd C:\winpe_x86 F:

This will format the usb, write a bootsector to it, and copy the contents of the winpe
_____________________________________________________________________________________

Adding drivers on-the-fly with drvload.exe, once you booted the winpe boot cd -
injecting drivers after you booted the winpe boot cd

You can do this with drvload
Type this :
drvload “F:\drivers\win7driver.inf”
and the drivers will be loaded.
http://technet.microsoft.com/en-us/library/hh824933.aspx

-Mounting drives

Normally, if you make a forensic winpe, it does not mount drives. As of Winpe 4.0, this behaviour has
changed : internal drives will not be mounted, but external ones will.

In case you would have problems with a winpe 3.0 with externally attached drives, there is a program called
mountvol.exe

Suppose you want to attach an external hard drive of 1 terabyte to make a forensic backup of your internal drive.
Mountvol.exe will help you to mount this external drive
read/writable.
Type in a command prompt :
mountvol
and all the volumes + their GUIDs will be listed

All the mounted volumes will show a drive letter, while
the unmounted ones will not have a drive letter (you will need
to copy the guid of the unmounted one (= rightclick on the title of the
command prompt, choose “edit”, and choose “mark”, then you mark
the line with the GUID, en press Enter key, thus copying the selected line to the clipboard)).
Example of a GUID
\\?\Volume{b4e69eb6-2200-11e2-af9c-0019b961ba2d}\
E:\
Underneath it you will find the drive letter if the volume
is mounted to E: for instance

You can create a volume mount point and mount a volume read/write ,
so it gets  drive letter M in the following manner , by typing in a command prompt :
mountvol M: \\?\Volume{GUID}\
EXAMPLE :
mountvol M: \\?\Volume{b4e69eb6-2200-11e2 af9c-0019b961ba2d}\

Removing a volume mount point (where you don’t need the GUID, only the drive letter):
mountvol M: /D
/D Removes the volume mount point from the specified directory

mountvol M: /P
/P Removes the volume mount point from the specified directory,
dismounts the volume, and makes the volume not mountable.
You can make the volume mountable again (for which you need the GUID) by creating a volume mount point.

Section 40000 Tip 001  An automatic way to make a 32 bit (!) winfe 4.0 (forensic) or a
winpe 4.0 with a choice of 20 different keyboard layouts. 

But you need to have installed the ADK assessment and deployment Kit for Windows 8.
(the Waik should not be installed together with the ADK, or Multipe.zip gets confused).
You can use the program on a 32- or a 64-bit Windows-system.
Also, this is different from the multipe-project you find on the site reboot.pro, and has
nothing to do with it.

Download the file multipe.zip here :
https://dl.dropboxusercontent.com/u/11315464/MultiPE.zip

and read the instructions very carefully. There are three text files you should read in order
to change the things you want.

The unzipped folder multipe must be in the root of the c: drive.Right click on pe.exe, and choose “run as administrator”.
You will have a winpe iso (32 bit) in no time. You can even insert your own background as winpecust.jpg.

A pause of 10 minutes should give you enough time to copy some files in Explorer to the mount folder
(you cannot type anything in the command prompt, or the pause will stop, and the original batch will continue
being executed)

What you can do in these 10 minutes :

If you would like to start Windows Explorer in the middle of the process,
press Ctrl + shift + ESC
Taskplanner starts.
Choose in the menu :
FILE
NEW TASK
type: explorer.exe
Click OK
Explorer restarts.

The mounting directory is :
“C:\MultiPE\Tools\win8_pe\workdir\mount” in case you would want to add some things you forgot
but you must do this before the 10 minutes are up.
And you should close all explorer-windows, because the dismounting could fail otherwise. (details are in the text file : “Important_making_the_winpe.txe”)

Odin, Selfimage and dd.exe (chrysocome.net) are in x:\windows\system32 to make
images of hard drives. Selfimage gives an identical result as dd when a raw image of
a drive is made. To make a raw image of all the sectors of a hard drive with Selfimage :

Under Edit, Preferences, Read you will see Options
remove mark before : “automatically skip free space”
and click on OK. This will copy all the sectors of the hard drive. Thus you will need an external drive that
is bigger to put the image on.
As input you mark “drive” (not file), and then you choose the entry with (entire drive) next to it.
This makes sure that a raw copy of the whole drive will be done.
Then below you mark “file” ; you will have to browse to the external drive, and give a name to the file.
You may experience problems with the 4k advanced format with drives above 1 terabyte.
I have never tested with advanced format drives.

Paint.exe is in the same directory.
You can burn it, or make a usb from it (tip 4). When the winfe starts from the boot cd/usb, you can choose from
different keyboard layouts, and you’ll see Pstart, where you can choose Mozilla Firefox, notepad ++, Explorer ++, and make screenshots.

.
Put your drivers in subfolders in the folder C:\Driver, to install supplementary drivers.
They must be in .inf format
Section 40000 TIP 002 Altenative way to create a winpe 4.0

64 BIT WINPE : important remarks

If you  have a 64-bit motherboard with  a bios, then you can make a 32bit winpe,
A 64 bit  motherboard with UEFI will only boot a 64 bit winpe.

The advantage : programs you install in the winpe (preferably portable installs) such as you can find on :
http://portableapps.com/apps/internet/firefox_portable
will work flawlessly, while this is rarely the case in a 64-bit winpe.
In the beginning of this page I have described a possibility for a 64-bit winpe with GUI : winbuilder.

An easy way to make a winpe 4.0
PREREQUISITES :
HAS TO BE MADE ON AN ENGLISH WINDOWS 7 sp1 64-bit, or windows 8
64-bit WITH this ADK for deployment of Windows 8 :
http://www.microsoft.com/en-us/download/details.aspx?id=30652

Here a batch file + a few essential 64-bit programs to make a winpe 4.0 64 bit :
https://dl.dropboxusercontent.com/u/11315464/64.zip
 If however you’re on a 64 bit system with an installed
ADK for windows 8.1, here is a download which contains the files to replace in 64.zip :https://dl.dropboxusercontent.com/u/11315464/WIN81.zip

NECESSARY for executing the commands in 64.zip :
* install xxcopy.exe (  http://www.xxcopy.com/xcpydnld.htm ) before you begin. There’s a free version
* read the text file named “important..” before you begin.There is no 1-click-solution for complicated things.

For a batch to find certain things, they have to be in the path where the batch expects them,
or it will fail to execute.
Suppose the batch breaks after the wim is already mounted, you first dismount with :

Dism /unmount-image /mountdir:C:\WinPE_amd64\mount\ /commit
or if you made a 32 bit winpe :
Dism /unmount-image /mountdir:C:\WinPE_x86\mount\ /commit

Once the iso is made, you burn it as an image on cd.

You boot the cd, and the first command you type is :
lang (+ push enter key)
You will see 10 keyboard layouts, where you can choose one.
Or you can take your own command (if it’s a latin keyboard layout)
You can read all about it in “IMPORTANT.txt”

I have included the latest FAU dd.exe  (forensic acquisition utilities of AUGUST 2013) in 64-bit.
In the included folder, you will find how to use this. Preferably from a winpe cd or usb.
First you execute volume_dump.exe in a command prompt to identify disk0, disk1, etc.
The most relevant information of the output of volume_dump.exe is completely below, where you
can find how big disk0 is , for an exact identification of the drive
you want to image.
Suppose disk 0 is the 160 gb internal drive, which you will image to a file on
the external  disk 2, which always has to be larger, and which is 1 terabyte here .
Obviously, you will have the drive letter of this external disk (to be seen if you open an explorer window).
Suppose this is D: , then the command will be :
dd.exe if=\\.\PhysicalDrive0 of=d:\internal160.bin conv=noerror –localwrt
conv=noerror means “continue reading after errors”
–localwert  means “Enables writing output to a local fixed drive”
Afterwards you want to put the image back to the internal drive.
You can erase the internal disk with diskpart.exe (make sure you type:
select disk 0 (if that is the drive to be erased)) and then type : clean all
Or in case of an ssd, you can use hdderase.
Then we use volume_dump.exe again to see if the erased drive is
indeed drive 0.
Write back the image with :
dd.exe if=d:\internal160.bin of=\\.\PhysicalDrive0 conv=noerror –localwrt
The internal disk on which you write back the image, has to be at least
160 gb, or larger. If it is larger , you will have to use a partition program such
as the free Partition wizard home edition  afterwards in order to resize the 160 gb partition
to the full size of the disk.

The test.zip  is for those with two left hands.
https://dl.dropboxusercontent.com/u/11315464/test.zip

There is a 64 bit disk imager with a gui for winpe, named Odin ; i have included it as well.

HOW TO BACKUP A HARD DRIVE WITH ODIN
If you want to make an image of a complete disk , choose
in the listing of the hard drives the sentence with “(entire disk)” at the end.

Under “store/load…” , you see “browse”

Browse to the external drive you want to save the image to,
and type the name of the image.

Under “options” you can choose :
Disk options :
-save all blocks (which copies bit per bit)
-save only used blocks
-or “save only used blocks and take snapshot”
Compression options :
-no compression
-gzip compression
-bzip2 compression
File Size :
-store image in one size
-split image in chunks of …

I always take :
-save all blocks
-no compression
-store image in one size (obviously you need
an NTFS -formatted external larger drive to
save such an image)

For a restore do the reverse process.

Here is a batch file + essential 32-bit programs to make a 32 bit winpe 4.0 on a 32-bit system
with the ADK for Windows 8
https://dl.dropboxusercontent.com/u/11315464/32_BIT_WINPE_4.0.zip

 Be sure to read the included text file in the zip with the name “important…” to know how this works.

In case you want to make this 32-bit winpe on a 64-bit system, change c:\program files\ to this :
c:\program files (86)\  in the text file “Important….” and in the file aanext.cmd

Once you have made the iso, and burnt it as an image to a cd, here’s how to use this winpe :

Make sure your computer is set to boot from cd in Bios
The winpe starts with a command prompt in the directory X:\Windows\System32

you have to type everything from within this directory, and press Enter-key after every command :

Type :   ex           and Explorer++ (a windows explorer-clone) will open

Type : go            and Firefox will open (“pa”   if you have the palemoon browser and  ” op”  if you have opera browser

Type :  stop       if you want to shut down the winpe

Suppose you want a different keyboard (e.g. belgian azerty),
Then type the two following sentences without asterisks ; press Enter after each one :
* wpeutil SetKeyboardLayout 1080c:0001080c
* start cmd.exe
Completely below on this webpage you will find all the
other codes you might need to change the keyboard.

Suppose you want to load drivers while you’re using the winpe , put the drivers for Windows 7
on a usb-stick (named F: for instance)  , like so F:\drivers\win7driver.inf
This is for a non-forensic winpe
Type this :
drvload “F:\drivers\win7driver.inf”
and the drivers will be loaded.

Section 40000 Tip 003 Another alternative way to make a forensic winpe

The fast way to make a winfe on a bootable usb

For those of you who want a fast way to make a 32-bit winfe automatically on a 64 bit windows, go to http://winfe.wordpress.com/ and download the build_windowsFE.cmd here : https://www.box.com/s/8aeb8f4abcc30c9095fb to put a winfe on a usb-stick of minimum 1 gb (500 mb might do it if you don’t install too much drivers).
This script was made by Troy Larson from Microsoft.

Prerequisites : you have installed the English ADK
http://www.microsoft.com/en-us/download/details.aspx?id=30652
on  a 64-bit win 8 computer.
(if you have installed the ADK on an exclusively 32bit computer, replace all the instances of
“C:\Program Files (x86)\Windows Kits” with “C:\Program Files\Windows Kits” to make the script work, and save the script as build_windowsFE32on32bit.cmd).
Important : if you edit the script in Notepad, make sure “wordwrap” (under Format in the above tabs) is off, as it could damage the script by unwanted sentence-breaks.

Create the folder c:\tools and the folder c:\drivers\x86  in which you put your drivers as .inf files in subfolders.

You put the build_windowsFE.cmd in this directory on a 64-bit computer :
C:\Program Files (x86)\Windows Kits\8.0\Assessment and Deployment Kit\Deployment Tools
(or if you’re on a 32-bit computer , in this directory :C:\Program Files\Windows Kits\8.0\Assessment and Deployment Kit\Deployment Tools).
Execute – as an administrator -  the command prompt with the title “Deployment and Imaging Tools Environment”

On a 64-bit windows, you will be in the folder : “C:\Program Files (x86)\Windows Kits\8.0\Assessment and Deployment Kit\Deployment tools”
(or if you’re on a 32-bit computer , in this directory :C:\Program Files\Windows Kits\8.0\Assessment and Deployment Kit\Deployment Tools).
Run the command on a 64 bit windows AS AN ADMINISTRATOR – like this :
build_windowsFE.cmd c:\tools c:\drivers\x86
(where c:\tools  will contain your building folder, and where c:\drivers\x86  contains all your 32-bit drivers
as .inf and .sys  files, etc  in subfolders) and see the magic.

On a 32 bit windows run the command AS AN ADMINISTRATOR like this (you have renamed the altered script, yes?) :
build_windowsFE32on32bit.cmd c:\tools c:\drivers\x86

If you want an ordinary winpe instead of a non-disk-mounting winfe, add REM and a space in front of each sentence which begins with REG LOAD, REG ADD and REG UNLOAD, and save the script. That way, the forensic commands will be skipped.
In this zip you’ll find two text files, one with all references you may need, and the  other contains all the commands to make a 32 and 64-bit winfe . Make sure “wordwrap” is disabled in Notepad to be able to fully copy the sentences.
https://dl.dropboxusercontent.com/u/11315464/winpe_adk_june2012.zip

 

 

——————————————————————————————
Section 40000 Tip 004 Build a graphical winpe 4.0 with Winbuilder ( Winbuilder with a Windows 8 install dvd, not 8.1)
(See section 40000 tip 005 if you want to build with win 8.1)

Homepage of Win8PE_SE
http://w8pese.cwcodes.net/
More info :
http://theoven.org/index.php?topic=438.0
http://theoven.org/index.php?board=29.0

Downloads page (take the complete full zip) : http://w8pese.cwcodes.net/Compressed/

I will not give a complete explanation on how to use winbuilder, only some basic rules on how to use
the program. I have used this winbuilder on a 64 bit Windows 7 home premium and on a 64 bit
windows 8 pro, with  Windows ADK for windows 8, and windows 8 dvd as source (you can’t use
the 8.1 dvd).
(Remark : for those who would like to make a live boot cd based on a windows 7 dvd ,
get winbuilder here : http://w7pese.cwcodes.net/Compressed/ and look under section 30000)
To make a 32-bit boot disk, you need a Windows 8 32-bit install dvd as source.
To make a 64-bit boot disk, you need a Windows 8 64-bit install dvd as source.
.
Right-click on the downloaded zip, choose “properties” and “unblock”.
Extract the zip, rename the folder to “Win8_64″ without the quotation marks, and copy the folder directly to
drive C:, so its path is : c:\win8_64.
Make sure the ADK for Windows 8 is installed
Put the Windows 8 dvd in the dvd-drive (it does not work with a windows 8.1 dvd !!!!).
Then execute – as administrator – the file “Win8PESE82_Builder.exe” you find in the folder c:\win8_64.

To be sure your Winbuilder winpe will be bootable on a UEFI computer ,  there are a few things you should do in Winbuilder :

A. – Obviously you need a 64 bit windows 8 dvd as a source. See tip 004 BIS if you bought the windows 8 upgrade in the store and burned the iso to dvd, because you will need to convert install.esd to install.wim first via a lengthy process to be able to use it in winbuilder.
Or you can download the Win 8 enterprise 64 bit evaluation iso , which you can use 90 days for free, and use it as source by clicking on the following link :
hw
For a 32 bit win8 enterprise iso, go to this site, and read carefully the text under the video (you will have to expand the text by clicking on “read more”) in which you will find the download link :
http://www.youtube.com/watch?v=bQUMDLuMAhI

In the win8pese window, in the left panel, you choose “win8pese”, in the right panel you click
on the tab “Source” above, and – under “Source Directory”, you browse to the dvd-reader which contains the windows 8 dvd, and point
to it. You can leave “target directory” or “iso file” as it is.
B.   – if you open Winbuilder – you choose in the left panel : “main configuration”, and in the right panel
(when you have selected the tab above , named “script”) , you choose as “Boot manager”  :
“Standard”
C.   In the left panel, you cannot choose “Other Os” or one of its subkeys, because then you will create a multiboot cd, which uses a    grub4dos boot menu, which may not be bootable on UEFI.
D.   If you choose in the left panel under “Finals” to make an iso, then this iso will have a standard winpe bootsector, which can be used on    an UEFI-computer.
E.   In the  left panel, choose Shell loader and Explorer shell (not BS explorer)
F.   In the left panel, under Apps, File Tasks, make sure that Q-dir Nenad is not marked.
G.  If you want a forensic winpe which does not mount local hard drives : in the left panel, you choose “Finals” and “Optimisations”,
in the right panel, you click on the tab “script”, and you mark  “don’t mount local harddrives”
H. In order to be sure the winpe starts with your own keyboard layout, click on “main configuration” in the left panel , choose the tab      “script” above, and in the right panel next to Keyboard you choose “import HostOs”
I.   And if you frequently need to switch keyboards, in the left panel you choose “apps” and under “system tools” you mark “switch    keyboards”
After you have reviewed all items on the left, and their options on the right which you see under the tab “Script”
you click on the blue arrow above to begin the creation process. All files from the dvd will be copied, so this can take a long time.
After the build is finished, you will find the iso in the folder c:\win8_64\ISO
Suppose you wanted a bootable usb, but you did not succeed (as in my case), you still have the iso, and
you can put it to usb, following Tip 4 on this site (that is IF YOU HAVE CHOSEN THE STANDARD
BOOTLOADER under B).

During this process you can format to fat32 or NTFS if you choose so.
Now you have a bootable Win8PESE usb.
———————————————————————————————————————————————————-
Screen resolution
Now if afterwards, you boot into your newly made winpe, you can control the actual video resolution IF YOU HAVE INSTALLED
THE WMI- package into your winpe.
Issue the following commands in the command prompt of the winpe :
wmic desktopmonitor get screenheight (+ push ENTER)
wmic desktopmonitor get screenwidth ( + push ENTER)
It should be exactly what you have stipulated into the unattend.xml-file, that is IF YOUR VIDEO-DRIVERS WERE
FULLY INTEGRATED IN THE WINPE.
(There can be a problem with the i5 or i7 cores, which may have an integrated intel Video-cards + an accessory AMD or GFORCE
video card that kicks in when playing Games.)
—————————————————————————————————————————————————–
Suppose you realise there is something missing, some drivers or programs, then there is a way to edit the
boot.wim you find on this usb in the folder “sources”. This you fill find as Tip 1 in section 10000

Section 40000 Tip 004 BIS
Convert install.esd to install.wim – convert esd to wim

If you bought a Windows 8 upgrade as a download with Microsoft, and burned the iso to dvd,
it contains an install.esd instead of an install.wim. If you want to use this iso or dvd
with winbuilder, you will have to convert the install.esd to an install.wim. It’s a rather long process. The same process is used for a downloaded
upgrade to win 8.1 from the Windows Store.

Preparations :
Be sure to be logged in as administrator
Needed :
1 a processor with intel virtualisation (enable it in bios)
2. your windows 8 upgrade iso with install.esd
3. VMware-player
Vmware player will need a processor that supports intel Virtualisation in bios and
you preferably install it on a 64-bit system
Here, you can download the latest version of Vmware Player :
http://www.filehippo.com/download_vmware_player/
4. Vmdk2Vhd-1.0.13
5. Win Toolkit 1.4.1.27
or download version 1.4.31.7  from Softpedia :
http://www.softpedia.com/get/System/OS-Enhancements/Windows-7-Toolkit.shtml

6. On Windows 8 and Windows 7, you will need the windows 8 ADK :
http://www.microsoft.com/en-us/download/details.aspx?id=30652
You only need the deployment tools.

Here you will find a zip which contains most of the programs, not the ADK  though ; I have used Win Toolkit 1.4.1.27 , which you find in the zip,
for converting the install.esd.
IntelVirtualisation.msi is a program by Intel which enumerates all the characteristics of your processor. Right-click on the downloaded files, choose “properties” and “unblock” if the files come from another computer :
https://dl.dropboxusercontent.com/u/11315464/esd_to_wim.zip

Let’s start
Install dotnet.3.5 sp1 (= net framework 3.5 SP1) on Windows 7, or activate it in Windows 8, by putting the win 8 upgrade iso in the dvd-rom, and typing the following comand IF your dvd-player has drive letter D:

Dism.exe /online /enable-feature /featurename:NetFX3 /All /Source:D:\sources\sxs /LimitAccess
Push ENTER

Now we install VMware-player.

Open Vmware player and click on “create a new virtual machine”.
Vmware player automatically recognizes the win 8 dvd ; accept the options
and click on NEXT.
Now you need a key.

This is a trial key for Windows 8 professional retail which you downloaded from Microsoft :
XKY4K-2NRWR-8F6P2-448RF-CRYQH

For Windows 8.1 professional use this trial key:
XHQ8N-C3MCJ-RQXB6-WCHYG-C9WKB

You cannot activate with it though.
Or you can input your real key, or give no key at all.

The item “personalize Windows” shows “administrator” in the field.
You can leave it that way.

Click NEXT

Now you see the location of the virtual drive that will be created ; click NEXT
26 gb is necessary for a 64 bit install, 20 gb will be enough for 32 bit
Choose “store virtual disk as single file”.
Click on NEXT and then on FINISH;
“Power on this virtual machine after creation” is already marked.

When you get the question if you want to install Vmware tools, do this.

CTRL + G or a click in the virtual machine to use a mouse in it.
CTRL + ALT to get outside of the virtual machine.
After the virtual machine restarted, go – in this machine – to the folder :
C:\Windows\System32\Sysprep and execute sysprep.exe ;
Choose “Generalize” and Shutdown
Click on OK and wait till the process is completed and the virtual machine
is closed.

Now we need to convert windows 8.vmdk (you find it in the folder
“C:\Users\Administrator\Documents\Virtual Machines\Windows 8\”)
to a .vhd file : win8.vhd

Click on Vmdk2Vhd.exe to convert windows 8.vmdk to win8.vhd ;
mark “windows 8.vmdk” , and click on OPEN . Under “destination vhd” you click on “save as” and navigate to the folder you want to save the new win8.vhd in.
Type: “win8.vhd” and click on SAVE.
This can take a while.
When the process is finished, close vmdk2VHD.exe

Now we have to mount win8.vhd.
Pushing Windowskey + R , you see the Run command ;
type :
diskmgmt.msc
and push OK;
There you see all the drives.
Click in the menu above on “Action” and choose “mount virtual drive”
IMPORTANT : mark “read-only”

You see that a drive letter has been added, suppose it is F:

When you use Wintoolkit , you might want to disable your antivirus, as it makes
the capture process a lot longer.
Open Wintoolkit.exe, select “Tools” in the menu above, then choose “CAPTURE IMAGE” , and choose: “new wim”,
Click on “Save”, navigate to drive C:, and type “install.wim” (without quotation marks),
and the install.wim will be saved to drive C [ in Wintoolkit you see : WIM: C:\install.wim ]
Next to “Folder to capture” you click on “Browse” and navigate to the drive letter of your mounted vhd disk (suppose it’s F:).In Wintoolkit you see : Folder: F:

The following things will be inserted automatically. If not, you have to insert the following :
Image Name : Professional x86
Image Description: Professional x86
Flags : None

“Compression method” : leave it at “Maximum”

Click on “Start”, and wait till the install.wim is complete. This takes up to 45 minutes.
Then close Wintoolkit.
Now we need to unmount the vhd

Now we have to mount win8.vhd mounten.
Pushing Windowskey + R , you see the Run command ;
type :
diskmgmt.msc
and push OK;

Suppose your virtual drive F: is drive 1. Rightclick in the grey area of drive 1, and click on
“unmount virtual hard drive”. The path will show win8.vhd ; click OK.

Apart from Poweriso and Ultraiso – the trial of which only saves up to 300 mb -
there is a 30-day trial of Gburner, which is fully functional and will save the whole iso.
However, before you use Gburner, be sure to make a copy of the iso you want to change,
because Gburner insists on saving the changed iso in the same place as the original iso, thus
replacing it.
http://download.cnet.com/gBurner/3000-2646_4-10834317.html

Gburner works roughly the same as Poweriso, so for its usage I refer to the explanations
under Poweriso
Poweriso
http://www.poweriso.com/download.htm

Open Poweriso, choose “tools” en then “make cd/dvd image”choose the drive letter of the dvd-player in which you put the upgrade dvd, make sure you save as an iso, and push OK.

For Gburner : put the dvd or cd in the dvd-writer, in the left pane, you choose “copy”, and then “make an image”.

It will be saved as an iso. Make a copy of this iso before you begin the following step.
Edit the iso by opening Poweriso or Gburner, choose OPEN in the menu above, and point to the iso
you just made ; navigate in the left panel to the folder “sources”, and in the right panel
mark install.esd.
With the red cross in the menu, you delete install.esd.
In the menu you see an icon of a cd drive with a green plus sign. Click on the arrow next to it to choose : add files or folders, navigate to the c:-drive where you previously saved the new install.wim and mark “install.wim” ; choose : ADD.
In Gburner you choose “add files”
Now click above on “FILE” and “SAVE AS” ; and save as a new iso.
In Gburner, you can only click “save”, and it will overwrite the original iso !
This can now serve as a normal windows 8 install dvd  in winbuilder.

section 40000 tip 005  Winbuilder built with an install dvd of Windows 8.1

For a short summary of how to use this, read section 40000 tip 004 about win8pese,
which uses an intall dvd of Windows 8.0

Home page of Winbuilder Win8.1 SE RELEASE, made with an install dvd of windows 8.1

http://theoven.org/index.php?topic=774.0

http://theoven.org/index.php?board=33.0
http://win81se.cwcodes.net/
Download the files here :
http://win81se.cwcodes.net/Compressed/

————————————
Tip 2  Extracting an iso with Gburner or poweriso, and editing the boot.wim.

Suppose you have burnt the iso but it contains no network drivers.
For the usage of Gburner , see tip 004 BIS . It’s fully functional during the trial of 30 days.

You have a winpe on a cd that needs changing (always change a 64 bit winpe on a 64 bit windows)
download poweriso (you can use it indefinitely if your iso is less than 300 mb) or Gburner.
open winpe.iso
navigate to /sources
rightclick on boot.wim
and choose : extract ( extract to the root of drive c: ; for mounting you need the path : c:\boot.wim)

If you have put your winpe on a usb, then you can find boot.wim in the folder “sources” in the
root of the usb ; copy it in the root of the c: drive
First create the folder winpe_x86 in C: (C:\winpe_x86)
Then create the folder “mount” in C:\winpe_x86 , so you get this path C:\winpe_x86\mount

Now you can mount this boot.wim  to C:\winpe_x86\mount
(On a 64 bit system – if you’re editing a 64-bit boot.wim – replace all instances of x86 by amd64)

To mount a boot.wim from a winpe :

In a command prompt, navigate to :
cd C:\Program Files\Windows Kits\8.0\Assessment and Deployment Kit\Deployment Tools\x86\DISM

and type :

dism /mount-wim /wimfile:C:\boot.wim /index:1 /mountdir:C:\winpe_x86\mount

Dism /image:C:\winpe_x86\mount /Get-Intl
will give you all details of the language settings

Dism /image:C:\winpe_x86\mount /Set-InputLocale:1080c:0001080c

Numlock active at startup
REG LOAD HKLM\WINFE2 C:\winpe_x86\mount\Windows\System32\config\DEFAULT
REG ADD “HKLM\WINFE2\Control Panel\Keyboard” /v Initialkeyboardindicators /t REG_MULTI_SZ /D “2″ /f
REG UNLOAD HKLM\WINFE2

How to do this manually.
If you have a laptop with a seperate numeric keypad, you might want it
to be enabled at the start of your winpe.
Type this first sentence in the command prompt :

REG LOAD HKLM\WINFE2 C:\winpe_x86\mount\Windows\System32\config\DEFAULT
Now use Windowskey + R, and type : regedit
Navigate in the left panel to the key : HKEY_LOCAL_MACHINE\WINFE2\Control Panel\Keyboard
In the right panel, double-click on “Initialkeyboardindicators” and change the value from 2147483648 to 2 and click on OK.
Now close regedit, and type the following sentence in the command prompt :
REG UNLOAD HKLM\WINFE2:

INTEGRATE MISSING DRIVERS IN YOUR WINPE

You can integrate missing drivers. Installation of multiple drivers :

Dism /image:C:\winpe_x86\mount /Add-Driver /driver:C:\your_DRIVERS_in_A_subfolder_OF_this_ONE\ /recurse /ForceUnsigned

Put your ati drivers in c:\yourdriversinasubfolder\ati\ ; there has to be an .inf installation file.
Installation of one single driver :

Dism /Add-Driver /Image:"C:\winpe_x86\mount" /Driver:"C:\SampleDriver\driver.inf"

When finished, you can unmount with :

dism /unmount-wim /mountdir:C:\winpe_x86\mount /commit

This will write the changes to c:\boot.wim

Now we will have to integrate the boot.wim in the iso. First make sure you
have two copies of winpe.iso, to be on the safe side.

Open winpe.iso with poweriso or Gburner (usage of Gburner : see tip 004 BIS )
navigate to /sources
choose boot.wim, and click on the red cross above to delete.

Now choose “add”, “add files”, and navigate to the file “c:\boot.wim”
Then “file”, “save as”, choose “.iso”.
In Gburner you can only save and overwrite the original winpe.

If your winpe is on a usb, copy the new c:\boot.wim in the folder “sources” on the usb.
//////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////

 SECTION 30000
winpe 3.0 is made with the Waik for deployment of Windows 7
winpe 3.1 is made with the Waik + supplementary iso for deployment of Windows 7.1

 

TIP 3 MAKE  A WINPE 3.1 (= non-graphical boot cd with only a command prompt, and standalone programs
which do have a graphical interface, such as Mozilla firefox)

First install the Windows AIK (Waik)
Now download the Waik , and install it.
You’ll need  to be in Vista sp1 or Windows 7 (or windows 7 sp 1) to intall the Windows AIK (waik) for Windows 7 which you can find here:
http://www.microsoft.com/downloads/en/details.aspx?FamilyID=696dd665-9f76-4177-a811-39c26d3b3b34
Then you can install the supplement iso which you can find here :
http://www.microsoft.com/downloads/en/details.aspx?FamilyID=0aee2b4b-494b-4adc-b174-33bc62f02c5d

The Windows PE 3.1 base image contains fixes that are related to 4k/512e drive support (= advanced format )
(http://go.microsoft.com/fwlink/?LinkId=206679).
It involves a special procedure to install this supplement iso.
Burn the iso as an image to dvd with Imgburn, and put the dvd in the drive (here it has drive letter E: ).
Or mount it to a virtual cd if  your notebook doesn’t have a dvd drive ; you can do this with Poweriso even after
the trial has ended.
You open an administrator command prompt, and type the following command :

xcopy E:\ "C:\Program Files\Windows AIK\Tools\PETools" /ERUY  

——————————————————————————————–
These fixes are also available for Windows PE 3.0 as a hotfix. For more information, see Knowledge Base Article ID: 982018

Visit : http://www.minasi.com/forum/pop_printer_friendly.asp?TOPIC_ID=37252
How to integrate this hotfix or a .msu file into an existing winpe 3.0 ?

REMARK : all the commands in bold black text are ONE sentence in the
command promt

Install hotfix 982018 in winpe 3.0
Download the winPE HOTFIX TO YOUR DRIVE

http://support.microsoft.com/hotfix/KBHotfix.aspx?kbnum=982018&kbln=en-us

unzip download by double clicking
you see this file (32 bit !):
Windows6.1-KB982018-x86.msu
Put it in the root of the c: drive.

Make a folder  c:\winpe_x86\ISO\sources  in which you place boot.wim (if you have extracted
it from an iso) and a folder c:\winpe_x86\mount
launch a command prompt with administrator rights
to expand the file thus :
expand.exe c:\Windows6.1-KB982018-x86.msu -f:*.* c:\
Then, select START – ALL PROGRAMS-  WINDOWS AIK
Right click “deployment tools command prompt”, and select ‘run as
admin”
At the prompt, expand the winpe image by mounting boot.wim to c:\winpe_x86\mount :
imagex /mountrw c:\winpe_x86\ISO\sources\boot.wim 1 c:\winpe_x86\mount
Create a scratch directory : mkdir c:\winpe_x86\sandbox
Apply the hotfix to your boot.wim image:
Dism.exe /image=c:\winpe_x86\mount /ScratchDir=c:\winpe_x86\sandbox /Apply-Unattend=c:\Windows6.1-KB982018-x86.xml
Commit the image :
imagex.exe /unmount /commit c:\winpe_x86\mount

—————————–
 !!!  64-BIT winpe or  graphical winpe : make it with winbuilder

Important remark : Those of you who want a graphical option instead of a spartan non-gui winfe,
and an easy way to make a 64-bit live-cd look at the bottom of
http://windowspowershell.wordpress.com
There is a description in English on how to use winbuilder + a download.
In order to have a forensic iso  :
Click “finalize” and then “optimisations” in the left pane
In the right pane, (after you have clicked on the tab “script” above) you will see the option “don’t mount harddrives”
And you can set the option “firewall enable” at start  instead of “disabled”

Or you can download winfe.zip on http://winfe.wordpress.com, which contains the latest script
from Colin Ramsden “wp.script”, which takes care of  starting a winpe with internal hard disks unmounted,
while you’re able at the same time to mount eventual attached usb-hard-drives and make them writable  for
imaging.
This script has to be put in the folder “tweaks” of winbuilder

A graphical winpe or winfe with winbuilder
A forum that is discussing all things forensic and the automatic creation of winfe with winbuilder (which gives
a graphical winpe based on Windows 7  is here :
http://reboot.pro/forum/109-winfe/

win7pe_se
http://reboot.pro/topic/12427-win7pe-se-release/
http://theoven.org/index.php?board=20.0
http://www.msfn.org/board/topic/149758-win7pe-se/
http://w7pese.cwcodes.net/projectindex.php

 

Download winbuilder win7pe_se (the complete package of 130 mb zipped) here :
http://w7pese.cwcodes.net/Compressed/

—————————————————————————————————————————–

MORE PREPARATIONS FOR A NON-GRAPHICAL WINPE

Make a folder C:\keyboard\, in which you put the file keyboard.exe. (With this file in your winpe you can change from qwerty to belgian azerty (or other keyboard layouts), only giving the command (from command prompt) :

keyboard.exe
and the command (be is Belgian azerty, nl  is the qwerty of the Netherlands) :
be
Hit ENTER, and there is your azerty. It will only be applied when you open a second command prompt, which you can do by typing :
start cmd.exe
In order for this to work , you will need  the dll file of your localized layout in the /mount/windows/system32 folder (in my case, it’s kbdbene.dll for Belgian azerty)

Make a folder c:\programs\, in which you put all your programs, preferably standalone apps. [I have zipped the extra files you'll need in the folder c:\programs, and the file keyboard.exe in a file named "PROGSnew.zip".  Caution : use at your own risk ; the version of dd contained in this zip contains already the necessary files for use in vista and windows 7, and if you want dd.exe for specific use within a Windows xp, or Windows 2000 environment, download from the original site :  http://www.chrysocome.net/dd

!!! You'll need at least google chrome version 12.0.742.112, Opera browser version 11.50 or Firefox 5 to download from microsoft live skydrive
(click on the file ; in the next windows where you will see all the files, but only one is marked, you will have to rightclick on the file to choose "download")
http://cid-eabc6ce1aad35979.onedrive.live.com/embedicon.aspx/Openbaar/PROGSnew.zip

 

-folder c:\programs\DD\ contains the program dd.exe for windows from John Newbigin, a program that has always worked flawlessly when putting the image of a hard drive back to an identical disk  or one that is larger, after zero-filling that disk  or taking a brand new one.[Hiren's boot cd contains all the hard drive tools from every hard disk manufacturer on the planet, in order to wipe or zero-fill your drives http://www.hiren.info/
Google  with the search terms  "hiren's boot cd 10.0" . ]

In the download you’ll find a text file, in which I describe how to image a hard drive with the dd.exe from John Newbigin. Be very careful when using this program. Read other user manuals on the web to be sure how to do this, because the nickname for this thing is DATA DESTROYER (and I already made an unfortunate acquaintance with its evil impersonation) Consider this : you have two internal drives. You first make an image of the first internal drive to an external drive (that is bigger and is formatted NTFS). Then you wipe the first internal drive (fill it with zeroes), or you put a bigger one in, that is equally blank. After this procedure,  your internal drives may have changed names. The following command is your friend :

dd --list output to txt-file : dd --list 2> output.txt 

-folder c:\programs\FAU\ contains the dd.exe from the “forensic acquisition utilities” In the download you’ll find a text file on how to use this dd.exe

-folder c:\programs\Odin\ contains a gui-program to better identify your hard drives if you have any doubts about the output of the two dd-versions

-folder c:\programs\filemanager\ contains  the browser Opera oneuse and the filemanager Explorer++.exe
(you can always copy “Explorer++.exe”  to        C:\winpe_x86\mount\windows\system32       when making
your winpe ; thus it’s immediately available when winpe starts)

Optionally you can download Unreal Commander on      http://x-diesel.com/download.php?
It is a free twin- pane file-manager that is almost a copy of TotalCommander  (if you extract the setup file with Uniextract, you’ll have a standalone app).
To view hidden files in Unreal Commander, click on “Show”, and then mark “show hidden files”.The unreal commander has a very performing file search, which can work with regular expressions. It”s free, however, you’ll need to create a key, to have all the options of the program. You can find it here :

http://x-diesel.com/

http://x-diesel.com/download.php?

Commands in the administrator command prompt to make a winpe 3.1

Now we start making our winpe via : Start, All programs, Microsoft windows AIK, rightclick on “deployment tools command prompt”, and choose : run as administrator.

You can copy the sentences with ctrl + C , and then paste it in the command prompt with a rightclick choosing "paste".

Important note :  make sure that whenever you open an explorer window to copy the contents of   c:\Programs\   to   c:\winpe_x86\mount\Program Files, be sure to close it again.
If an explorer-window remains open within one of the mounted folders, the process of dismounting will fail.

Remark : give each command enough time. Some commands take a long time to complete.
Each command is preceded by an asterisk

Type one sentence at a time + press Enter  at the end of each sentence :

* Dism /Cleanup-Wim
* rmdir c:\winpe_x86 /s
If you're asked if you are sure , type :    y  (for yes)

Then type :

* copype.cmd x86 c:\winpe_x86

Now type :

* copy c:\winpe_x86\winpe.wim c:\winpe_x86\ISO\sources\boot.wim

If when booting from your winpe – you don’t want a choice between booting from cd or booting from hard disk (and you don’t want this in winfe), then you’ll want to remove the file “bootfix.bin” in the directory : c:\winpe_x86\ISO\boot
If you navigated there with windows explorer, then close explorer again.

Mounting with :
* Dism /Mount-Wim /WimFile:C:\winpe_x86\winpe.wim /index:1 /MountDir:C:\winpe_x86\mount


Copy your own standalone apps to the winpe. I use Unreal commander to copy the folders in “C:\programs” to the folder “C:\winpe_x86\mount\Program Files”. Copy “keyboard.exe”  and Explorer++.exe  (which is now in  “C:\programs”)  to  “C:\winpe_x86\mount\windows\system32″. Be sure to close Unreal commander.

Editing registry for a forensic boot cd
When you want to make a forensic boot cd, that will not automatically mount the hard drives when booting, you will have to edit the registry. From c:\windows\system32   you copy the following files into a new folder c:\reg\   :
reg.exe, regedt32.exe, regini.exe, registeriepkeys.exe , regsvc.dll, regsvr32.exe.  Then type :

* cd c:\winpe_x86
Now type :
* copy C:\reg


(this will copy the needed files to c:\winpe_x86) .Now, change the registry (Enter one sentence at a time)
The registry of the winpe will be temporarily loaded into the windows 7 registry.
Afterwards the winpe-registry will be unloaded again. The san-policy within the winpe-registry will be to
NOT mount drives by default :
* REG LOAD HKLM\WINFE2 C:\winpe_x86\mount\Windows\System32\config\SYSTEM
Now type :

* REG ADD HKLM\WINFE2\ControlSet001\Services\MountMgr /v NoAutoMount /t REG_DWORD /d 1 /f


Now you type:

* REG ADD HKLM\WINFE2\ControlSet001\Services\partmgr\Parameters /v SanPolicy /t REG_DWORD /d 3 /f

Now  type :

* REG UNLOAD HKLM\WINFE2

Turn off Caps-lock with the Shift key.
* REG LOAD HKEY_USERS\WINFE2 C:\winpe_x86\mount\Windows\System32\config\DEFAULT
Now – in Windows 7 – open regedit with Windows-key + R  and by typing :
regedit
Navigate to HKEY_USERS\WINFE2\Keyboard Layout
Rightclick on “Keyboard Layout”, choose NEW, “Dword value”, name it “Attributes”.
Double-Click the DWORD value you just made and enter: 00010000 ( hexadecimal  is already
marked by default)
Click OK
Navigate to HKEY_USERS\  and put the mouse cursor on “WINFE2″
From the menu above, you choose “File”, and then “unload hive”
This will remove the temporarily added winpe-registry from the windows 7-registry.
(this action is the same as “REG UNLOAD…”)

If you want to start your winpe with your keyboard layout (Belgian azerty) preloaded :

* REG LOAD HKLM\WINFE2 C:\winpe_x86\mount\Windows\System32\config\DEFAULT
* reg add "HKLM\WINFE2\Keyboard Layout\Preload" /v 1 /t REG_SZ /d 00000813 /f

* REG UNLOAD HKLM\WINFE2

Installing packages

To view available packages, that can be installed with Dism, you navigate to the folder c:\Program Files\Windows AIK\Tools\PETools\x86\WinPE_FPs.  There you have the name and path of the package to install.
Here
http://technet.microsoft.com/en-us/library/dd799244%28WS.10%29.aspx you can see that
the XML-package is already included in the base boot.wim of a winpe 3.0.

In this folder, you can see which packages can be installed :
“C:\Program Files\Windows AIK\Tools\PETools\x86\WinPE_FPs”

WinPE-WMI.cab                  Installs Windows Management Instrumentation (WMI) support
WinPE-HTA.cab                  Installs HTML application support
WinPE-Scripting.cab         Installs Windows Script Host support
WinPE-MDAC.cab               Installs Microsoft Data Access Component support
WinPE-LegacySetup.cab Installs the legacy setup package
WinPE-Setup.cab                Installs the main setup package
WinPE-Setup-Client.cab  Installs the client setup package (as long as you have already installed the main setup package)
WinPE-Setup-Server.cab  Installs the server setup package (as long as you have already installed the main setup package)
WinPE-WDS-Tools.cab      Installs the Windows Deployment Services tools package
WinPE-FONTSupport-Language.cab        Installs fonts for the specified language: ja-jp, ko-kr, zh-cn, zh-hk, or zh-tw

Add packages, and language packs when needed, by using the Dism command with the /Add-Package  option. For example, to add the HTA package you must add both the language neutral package (WinPE-HTA.cab) along with the language specific package

* Dism /image:C:\winpe_x86\mount /Add-Package /PackagePath:"C:\Program Files\Windows AIK\Tools\PETools\x86\WinPE_FPs\WinPE-HTA.cab"

Then type:

* Dism /image:C:\winpe_x86\mount /Add-Package /PackagePath:"C:\Program Files\Windows AIK\Tools\PETools\x86\WinPE_FPs\en-us\WinPE-HTA_en-us.cab"

Then

* Dism /image:C:\winpe_x86\mount /Add-Package /PackagePath:"C:\Program Files\Windows AIK\Tools\PETools\x86\WinPE_FPs\WinPE-wmi.cab"


The following language-specific package may give you an error ; you can leave it out

* Dism /image:C:\winpe_x86\mount /Add-Package /PackagePath:"C:\Program Files\Windows AIK\Tools\PETools\x86\WinPE_FPs\en-us\WinPE-wmi_en-us.cab"


Adding Drivers to WinPE

* DISM /image:c:\winpe_x86\mount /Add-Driver /driver:C:\YOUR_FOLDER_OF_INF_DRIVERS\ /recurse

Adapt the name of the folder “YOUR_FOLDER_OF_INF_DRIVERS” to your folder name.
Add drivers with the /recurse command. The /recurse command now allows us to simply have all of our drivers in their own directory and tell DISM to scan the root folder and everything beneath it.The number of subdirectories doesn’t matter. You need the network and vga drivers for every computer you boot up to in the WinPE environment.

PROBLEMS WITH DRVLOAD UNDER WINPE 3.0 : Solution !

In order to use drvload.exe in a Winpe 3.0- session, you  need minimum 512 mb ram (read the details for “drvload”  beneath in  the
winpe 2.1-section) ; to be able to load drivers  on the fly from a usb stick, there is a hotfix (august 12th 2010)
which will reduce  the long loading time of drivers within winpe 3.0 :

http://support.microsoft.com/kb/2276755

Copy  Drvstore.dll and Setupapi.dll files to the following directory
C:\winpe_x86\mount\windows\System32\drivers).
I have made a zip for you with the 32- and 64-bit-versions, you can download here :
!!! You’ll need at least google chrome version 12.0.742.112, Opera browser version 11.50 or Firefox 5 to download from microsoft live skydrive
(click on the file ; in the next windows where you will see all the files, but only one is marked, you will have to rightclick on the file to choose “download”)
http://cid-eabc6ce1aad35979.onedrive.live.com/embedicon.aspx/Openbaar/loaddrivers.zip

Screen resolution in winpe

Winpe starts default with a resolution of 800×600. There is a program, called setres.exe, that will give you the
optimal resolution, if the drivers for your graphic card are installed.
http://www.iansharpe.com/downloads.php
Someone made a batch file, setres.bat.
http://www.msfn.org/board/topic/14669-screen-resolution-in-winpe/
Setres.bat will usually be your first command in the command prompt in
a winpe-session. You’ll see a list of possible resolutions. My Dell inspiron 6400 ideally needs 1280X800,
but  – as that option was not included – I have to choose  1024×768 by typing   3, the number corresponding
to that option.
During the process of making a winpe, copy the files setres.exe and setres.bat to :
C:\winpe_x86\mount\windows\System32\
You can download setres.exe v2.1 and setres.bat (version optimised for winpe)  in a zip file here :
!!! You’ll need at least google chrome version 12.0.742.112, Opera browser version 11.50 or Firefox 5 to download from microsoft live skydrive
(click on the file ; in the next windows where you will see all the files, but only one is marked, you will have to rightclick on the file to choose “download”)
http://cid-eabc6ce1aad35979.onedrive.live.com/embedicon.aspx/Openbaar/setres.zip

Allocating scratch space.

http://grandstreamdreams.blogspot.com/2010/03/winpe-and-dismpeimg-to-boost-scratch.html

If your Windows PE environment becomes unresponsive when running an application, you may have run out of memory. By default, Windows PE allocates 32 megabytes (MB) of writeable memory, known as scratch space.

In order to be able to set the maximum of scratch space (512 mb), your computer must have preferably 1 gb of ram.
You can also choose 64, 128, 256.

* dism /image:C:\winpe_x86\mount /Set-ScratchSpace:512

Use Rocketdock as a would-be shell
With Thinstall you can make a standalone package to install to a usb.
You take care to make sure the ini file is stored locally  on the usb
Then you can use this portable rocketdock from within a winpe, to
make sure all the shortcuts to the programs are in the right place
on the dock, before incorporating Rocketdock in the final winpe.

http://4sysops.com/archives/free-rocketdock-a-mac-os-x-dock-clone-for-windows/

Adding Custom Files

Tip : copy keyboard.exe and Explorer++.exe to C:\winpe_x86\mount\Windows\System32\ with the twin-pane file manager Unreal Commander, and be sure to close unreal commander again.
Of course, you’d rather start your winpe with an already localized keyboard layout (here is an example for belgian azerty – on one of my computers  the dutch version of the Belgian retail Windows 7 Home Premium is installed). Do not expect the winpe to be completely in dutch. Big parts of it will still be in English, but at least you have a familiar keyboard layout
* cd c:\program files\Windows AIK\Tools\x86

Next type :

* intlcfg.exe -syslocale:nl-be -image:c:\winpe_x86\mount

Now type:

* intlcfg.exe -inputlocale:nl-be -image:c:\winpe_x86\mount

Then type :

* intlcfg.exe -userlocale:nl-be -image:c:\winpe_x86\mount

 


Check with :
* intlcfg -report -image:c:\winpe_x86\mount


Unmounting your finished .WIM

* Dism /Unmount-Wim /MountDir:C:\winpe_x86\mount\ /Commit

This commits the final changes to your .WIM file and anything you added to it. Keep waiting, even if the cursor keeps blinking as if it will do so eternally.  It is very important to unmount your .WIM file when you have finished.

Copy your .WIM to Boot ISO

* copy c:\winpe_x86\winpe.wim c:\winpe_x86\ISO\sources\boot.wim /Y

Create bootable .ISO of WinPE 3.0

* oscdimg -n -bc:\winpe_x86\etfsboot.com c:\winpe_x86\ISO c:\winpe_x86\winpe_x86.iso

Burn your iso

Imgburn is a free program that does this job perfectly.

Automation of a winpe with winbuilder.

If you know how to work with winbuilder, you’ll find winbuilder.zip here to make
a forensic winpe with scripts for special forensic programs :

http://winfe.wordpress.com/downloads-2/winbuilder/

Automation of the process with batch files
In order to create a winfe automatically via batch files.The one with dism will be winfe 3.0 (windows 7)

Here is the link  :

!!! You’ll need at least google chrome version 12.0.742.112, Opera browser version 11.50 or Firefox 5 to download from microsoft live skydrive.
(click on the file ; in the next windows where you will see all the files, but only one is marked, you will have to rightclick on the file to choose “download”)
http://cid-eabc6ce1aad35979.onedrive.live.com/embedicon.aspx/Openbaar/CreatewinFEE.zip


You download : CreatewinFEE. It’s a zip file. Extract it, and you’ll see “createwinFEE.txt”
By changing the extension .txt to .bat, you’ll have an executable batch file, made by Mauritz Botha
On drive C: create the following folders :
-drivers  (in which you put your drivers ( the .inf files) in their respective folders)
-WinFEtools , which contains the following 3 sub-folders :
-  Applications (contains all the programs in their respective folder)
-  Desktop (which contains your customized background winfe.bmp)
-  tools , which contains the following 2 subfolders :
+  + + + + bootside  (with the programs in their respective folders)
+  + + + + winfe (this contains the programs (in their respective folders) which you’ll want to use without booting the cd or usb. You can even add things to this folder on the usb while in windows, and it will
be available to you after booting winfe : yes, you can have it both ways.

While executing the batch, I quickly copy keyboard.exe and Explorer++.exe to the
/mount/windows/system32    folder, and the newest drvload drivers , setupapi.dll and drvstore.dll,
to   /mount/windows/system32/drivers
You can give yourself a little bit more time, by changing this line in the batch :
timeout /T 30       to something like        timeout /T  190
The beauty of this batch file is that you can immediately create a usb-stick
with it , but it lacks one essential sentence to do so.
At the end of the batch , you see :
ECHO list disk

Beneath this line,AND BEFORE the line ” ECHO   clean”, you will have to add the complete following sentence :
ECHO select disk 1  (or  -VERY IMPORTANT IF YOURS is disk 2   :         ECHO select disk 2
*always identify your drives by size, so you can determine which is the intended usb stick ) and save the batch file.

If you want to speed things up, you may also want to change  “ECHO format fs=fat32″  to
ECHO format fs=fat32 quick
When making the usb, all these sentences will be typed by hand,
and this batch is by far the easiest one to create a winfe cd and
usb.
You booted a forensic winfe cd or usb, and you plug in another usb-stick
and want to bring it online, and make it writable. Beware that
this process is still hit-and-miss. But at http://winfe.wordpress.com
someone is creating a program to do this successfully.
An external harddisk will work most of the time ; it’s only the usb-sticks
that are a bit recalcitrant.

Whenever you want to reuse the usb-stick for something else,
and you get “permission denied” to do so,
use diskpart, and     clean all      to completely wipe the stick
You can do this process  from a non-forensic winpe-cd, as you are not administrator,
but SYSTEM. This means you have even more rights than an administrator,
and you won’t get  “permission denied” this time.

You can always use the HP usb disk format tool version 2.2.3 , 96 kb, downloadable here : hpusbfw.exe
You can execute hpusbfw.exe on a 32-bit and a 64-bit Windows (not Windows RT however)
http://forum.corsair.com/v3/showthread.php?p=432257
http://forum.corsair.com/v3/attachment.php?s=b6679db64ebd41db15cd04e103f1ff5f&attachmentid=6279&d=1261565536
http://www.softpedia.com/get/System/Hard-Disk-Utils/HP-USB-Disk-Storage-Format-Tool.shtml
http://www.softpedia.com/progDownload/HP-USB-Disk-Storage-Format-Tool-Download-123786.html
Still no luck ? It is in this zip-file (click in the upper right corner on “download”) :
http://cid-eabc6ce1aad35979.onedrive.live.com/embedicon.aspx/Openbaar/dosusb.zip

Automation with a powershell script

There is a magical powershell script that will create a winpe for you, except burning the iso
http://www.gregorystrike.com/?p=269

Afterwards, you will find the finished winpe.iso in the folder “C:\temp\WinPE”
Powershell (the command prompt on steroids) is included in windows 7.
Copy the contents of the script in a text-file , that you save with the extension  .ps1
Rightclick on it , and choose “run in powershell” (you must be administrator for this).

PREPARATION:
-To execute Powershell with admin rights : Start ->
type ‘powershell” in the search bar ; rightclick “windows powershell”, en choose “pin to start menu”.
Rightclick the Powershell in your start menu, choose PROPERTIES, choose ADVANCED,
and put a mark before : execute as administrator. Click “apply”, and “OK”.
To be able to execute a powershell script (.ps1) change the policy
Open Powershell (= rightclick on the item in the startmenu), and type :
* Get-ExecutionPolicy
It will be “Restricted”
Type :
* Set-ExecutionPolicy Unrestricted
Confirm with Y (yes)
(after the execution of the script, set back to ” Restricted”)

-make a folder on your desktop, named  WinPE_Files , within this folder you create the following  folders : Drivers,   Program Files, Registry and Windows). In the folder “Program Files” you create the folder :
System
The path must be “”C:\Documents and Settings\Administrator\Desktop\WinPE_Files”; (which is identical to :
“C:\Users\Administrator\Desktop\WinPE_Files” because the script executed beautifully) ;  copy the path with a shift + rightclick on the folder “WinPE_Files”, and edit the powershell script to be identical to your path. The script will then
scroll through this folder and the folders underneath.
In the folder “System” you place  autostart.cmd  and winpe.bmp, if you want your screen to look different (under Customizing the background of your winpe you’ll find the specifications for the winpe.bmp) .
My autostart.cmd (a textfile you save with the name autostart.cmd) looks like this ( it sets my keyboard automatically to Belgian azerty)
@ECHO OFF
cd x:\windows\system32
start /WAIT wpeutil EnableFirewall
start /WAIT wpeutil SetKeyboardLayout 1080c:0001080c
start /WAIT cmd.exe
EXIT

(the line “start /WAIT cmd.exe” will start another command prompt with the new keyboard layout)

Tip 4 Put your winpe on a usb-stick – winpe to usb

1. Plug in an empty flash drive

2. Open a Command Prompt with admin rights.

Go to Start menu > All programs > Accessories, right click on Command Prompt
and select Run as administrator.

3. Now you’ll need to identify your usb stick

type :
* DISKPART
and hit enter

Next type :
* LIST DISK
and identify – be very careful -  the Disk number (for example : Disk 1) of your
USB flash drive (You should be able to tell by the size)

4. Next type all the below commands one by one (press ENTER after each one)
Here I assume that your usb stick is “Disk 1”. If  your USB flash drive is Disk 2,
then use Disk 2.

* SELECT DISK 1

* CLEAN

* CREATE PARTITION PRIMARY

* SELECT PARTITION 1

* ACTIVE

* FORMAT FS=NTFS QUICK

(you can also choose :  FORMAT FS=FAT32 QUICK  ),
as it seems there is more write activity on an ntfs-formatted stick
(not confirmed)

* ASSIGN

* EXIT
(this exits diskpart)

Don’t close the command prompt as we need to execute one more command at the
next step. Just minimize it.

5. Non-EFI motherboards will not be able to boot a drive without a bootloader

Next we will have to install a bootsector on the usb stick
In this guide I will assume that your dvd has drive letter D: and your  USB drive
letter is “H” (important : control what drive letter your usb-stick has, because a bootsector will
be written to it).

FIRST METHOD : you have a windows 7 or Vista install dvd

6. Maximize the – in step 4 – minimized Command Prompt.Type the following command now, in order
to go to your win7 or vista dvd (if your cdrom is drive letter D:) :
D:

Then type :
CD BOOT

——————————————————————————————————–
SECOND METHOD  for those who don’t have a win7 or vista dvd :

A. Skip step 6 if you have made a 32-bit winpe, and if you’re on a 32-bit system and if you have installed the WAIK, you find  bootsect.exe here :
C:\Program Files\Windows AIK\Tools\PETools\x86\bootsect.exe
Type :

cd /d "C:\Program Files\Windows AIK\Tools\PETools\x86"
 

B1. Skip step 6 if  you have installed the ADK for Windows 8 (32 bit) on a 32-bit system and made a 32bit winpe ; bootsect.exe will be in this folder :

C:\Program Files\Windows Kits\8.0\Assessment and Deployment Kit\Deployment Tools\x86\BCDBoot\
Type this command :

cd /d "C:\Program Files\Windows Kits\8.0\Assessment and Deployment Kit\Deployment Tools\x86\BCDBoot"
 

B2. If you made a 64-bit winpe, and you have ADK 64 bit for Windows 8  on a 64 bit system, type :

cd /d "C:\Program Files (x86)\Windows Kits\8.0\Assessment and Deployment Kit\Deployment Tools\amd64\BCDBoot"
 

C. skip step 6  if you have the ADK for Windows 8.1

If you have made a 64-bit winpe, and you have ADK 64 bit for
Windows 8.1 on a 64-bit system, type :

cd /d "C:\Program Files (x86)\Windows Kits\8.1\Assessment and Deployment Kit\Deployment Tools\amd64\BCDBoot"

—————————————————————————————————-

7. Now we’ll give the usb-stick a bootsector, and type (if H: is your usb drive letter !) :

BOOTSECT.EXE /NT60 H:

8. Close the command prompt

9. now  insert your ready-made winpe cd. If you have Poweriso you can mount the winpe.iso to a virtual cd-drive-letter,
even after the trial period has ended.

Now copy the contents of the winpe onto the usb drive with robocopy or xcopy.

Use Robocopy or xcopy  in an administrator command prompt, and if your cd-drive (or virtual cd-drive) which contains the winpe is D:  and if your usb-stick is  H:

robocopy D: H: /MIR /V /FP

With xcopy :

xcopy D:\*.* /s /e /f H:\

9. Your USB drive is ready to boot. The only thing you need to change is
the boot priority in the BIOS to USB . Beware that older motherboards (before 2002 or so) may not be able
to boot from usb. Even on recent motherboards, you may have to try different
usb settings in order to make it work.
Credit goes to :
http://grandstreamdreams.blogspot.com/2009/11/sexy-usb-boots-win-pe-style.html

Tip 4A  Put multiple bootable iso’s on ONE bootable usb-stick with Yumi

You hate to put only one winpe of  approximately 300 mb on a 4 gb stick ?
Maximize the space on your usb by putting as many iso’s on it as you like with Yumi.
You want one usb-stick with all the relevant iso’s on it , like Kaspersky antivirus rescue cd,
gparted, Parted magic, ubuntu, winpe or winfe, windows 8 enterprise installation dvd iso,
etc ? Then you will need Yumi.
I’m not affiliated with them ; just think it’s a wonderful concept.
If your motherboard supports booting from usb (all motherboards since 2002 do normally)

Download Yumi here :
http://www.pendrivelinux.com/downloads/YUMI/YUMI-0.1.1.0.exe

You need a usb-stick that is formatted in fat32

Yumi is able to download most Linux cd’s, and antivirus rescue cd’s.
You will have to provide the Windows variants and the winpe iso’s yourself.

REMARK : once you have put iso’s on the stick, do not delete any of them to replace them with other iso’s.
Even keeping the same name of the old iso is not going to help you.
Some iso’s need to be in one contiguous space on the disk. If you delete a small iso, and put a larger iso
in its place, chances are that the larger iso will be split into several chunks.
If one of the iso’s can’t boot your only option is to remake the whole usb
with Yumi.

Step 1 : select the drive letter of the usb-stick

You can then choose to format the stick

Next , choose an iso to put on your yumi-stick.
For the windows 8 install dvd and for winpe, I chose the latest entry in the list : “Bootable iso’s” – Try an unlisted iso.

Click on “browse” to choose your iso, click on it, then on “Open” in the explorer window.
Now click on “Create”, and if you’re ok with what Yumi proposes, click OK.
When you see “all finished, process complete”, click on “next”.
Yumi asks if you want to create more iso’s, click YES
If possible, give your iso’s a meaningful name ; when booting the Yumi stick, and choosing
the  item : bootable iso’s, it will be helpful to see a name you recognize.

I was not able to put some exotic linux iso’s on a usb with Yumi.

A good alternative in this case is : Xboot, but you can’t put
install dvd’s of win 7 or win 8 on usb with this one.

You use a fat32 formatted usb flash drive.
http://www.pendrivelinux.com/xboot-multiboot-iso-usb-creator/
https://sites.google.com/site/shamurxboot/

https://sites.google.com/site/shamurxboot/tipsntrick

For xboot you need Net framework 4.0.

Start the program, and drag the iso/iso’s in the
program’s window.You will have to point to the drive
letter of the usb.
I used syslinux as a bootloader for the usb.

You can immediately test your usb in Qemu (something
like Virtualbox or Vmware player) ; it is included
in xboot. (It may be that it does not work ; to
be on the safe side, try on a real computer.)

And if this does not work out, here are other usb-creators :
http://www.pendrivelinux.com/category/usb-creator/

Tip 5 Use a winpe and boot from it as a bootable vhd

Windows 7 and Windows 8 can boot from a vhd

This is a must-see video, if you want to
boot from the wim of a winpe – as a virtual hard disk file (VHD) -
on a windows 7 computer, and if my explanation is
not clear enough
http://www.youtube.com/watch?v=zZeSLH8DBT0

This works with a windows 7 and windows 8 boot sector.

As a wim is a compressed format, for a wim of 400 mb I make a partition
of 1.5 gb to be on the safe side.

Type:

diskpart
type:
create vdisk file=C:\VHD\winpewaik.vhd type=fixed maximum=1500
type:
exit
Open control panel – administrative tools
computer management
Click in the left panel on disk management
choose ATTACH VHD
BROWSE TO THE VHD C:\VHD\winpewaik.vhd
Do not put a mark before “readonly”

Now you’ll see that a new disk is being created of 1.5 gb
Rightclick on the grey area that says DISK 2 (of course in your case your
1.5 gb disk may be DISK 1 or even Disk 3)
Choose “initialize disk”
mbr is marked
Create new single volume
format as NTFS
assign drive letter U

The Windows aik must be installed.
You can use the default winpe.wim in the folder :
“C:\Program Files\Windows AIK\Tools\PETools\x86″
Copy this winpe.wim to C:\WIM\

Or you can take a boot.wim, which you can find in the
folder “sources” from an old winpe iso . You can extract this boot.wim with
Poweriso or Gburner (for usage of Gburner , read tip 004 BIS ). Rename this boot.wim to winpe.wim, and put it
in C:\WIM

Open a command prompt and
navigate to : C:\Program Files\Windows AIK\tools\x86

type:
imagex /apply c:\WIM\winpe.wim 1 U:\ /verify

type :

bcdedit /copy {current} /d “Boot_winpe_as_vhd”

You will see the text : succesfully copied to …
and there you will see a number like
{cedcef7b-7ab1-11e2-93f0-705ab673fa9f}

Copy this number by rightclicking on the title of the command prompt,
and choosing “edit” and mark
Mark this long number sequence and copy it.
Type:

bcdedit /set {paste the number here} device vhd=[C:]\VHD\winpewaik.vhd

type :

bcdedit /set {paste the newly copied number here} osdevice vhd=[C:]\VHD\winpewaik.vhd

type :

bcdedit /set {paste the newly copied number here} winpe yes

http://msdn.microsoft.com/en-us/library/windows/hardware/ff541231(v=vs.85).aspx#adding_a_new_boot_entry_in_windows_vista_and_later

http://msdn.microsoft.com/en-us/library/windows/hardware/ff542202(v=vs.85).aspx

http://msdn.microsoft.com/en-us/library/windows/hardware/ff543429(v=vs.85).aspx

 

Tip 6 USING THIS BOOT CD

Possible problem : numlock activated (eee pc / acer)

You want to type k, and you see  2 (or J and you see 1).
Laptops may have integrated numeric keypads on the letters
U, I,O,J,K,L,etc.
A winpe cd (that does not give me any problems on a Dell) boots
on my eee pc and on my Acer with Numlock activated, so I
can’t type  U, I, O, J, K, L.
Holding down the key FN while pressing the Num lk key does the trick;
it deactivates Numlock.
However, different laptops may use other key combinations.
Sometimes the above combination needs to be pressed down simultaneously.
Other key combinations :
press FN + Numlock key (Num lk)
press Numlock key (Num lk)
press FN + F11
press FN + F11 + Num lk
Press left Shift + Num lk
Some HP laptops need FN + F8
press Alt + Num lk on Sony Vaio
press FN + F11 + Scroll lk
FN + Scroll lk
right Shift + Num lk
FN + Shift + Num lk
FOR DELL MINI NETBOOKS that have function keys ( FN key) locked or stuck:
You need to press FN and the key that is next to your “space” key (between “space key” and “alt gr”) simultaneously!

I always use a cable instead of wireless for security’s sake.

If you have integrated the drivers of the ethernet card , winpe will automatically establish an
internet connection via DHCP with the startnet command. By default , it contains already a lot of drivers.

When booting (you’ll have to change the boot order in the bios, so that you boot from cd first), you’ll be presented with a command prompt starting in  X:\windows\system32.
It seems that the firewall is enabled by default. If you are not sure, however, type :
wpeutil EnableFirewall
Everything you copied during the making of your winpe to   C:\winpe_x86\mount\windows\System32\   will be readily available now.
Winpe copies everything to ram. The advantage of this cd is that – even if it starts with a command window – you can use all the gui apps in gui-mode. When you close the command window, the computer shuts down. Leave at least one command window open, if you are using other applications.

A clean shutdown is executed from the command prompt with the command : wpeutil shutdown (Other interesting commands : wpeutil EnableFirewall, or wpeutil DisableFirewall)

In the command window I type :

keyboard.exe

then I choose Belgian azerty, and type

be

Hit Enter, and you have your Belgian azerty.  However, you will only see the changes when you start a second command window by typing :
start cmd.exe

Now we type :
Explorer++.exe
(Explorer++  is an alternative to the windows explorer)
In this explorer window, you’ll see all the mounted hard drives (unless you have edited the registry to start with the fixed drives unmounted for forensic use)
Double click on X: (you can read and write to this drive)
Double click on “Program Files” And there you’ll see all your own programs. In Explorer++.exe, you can open a second command prompt, from which you can use dd.exe, to make images of your hard drive.

For the time being, you’ll use the us keyboard layout.  Then type :

cd.. 

(+ ENTER  : means pressing the Enter key)

cd..
+ ENTER ; then type:

cd "Program Files" 

+ ENTER ; then:

cd dd 

Simple programs , that don’t need the NET framework for instance, can be installed in the live cd. Try it.
The use of portable programs on a usb-stick is even better. Beware that – if you made a forensic winfe – your usb stick will not be mounted. You will have to mount it with diskpart.
In the winfe I have integrated flash and firefoxportable ; this is used as my live-cd for internet banking. Although I have to admit that pclinuxos 2010 live cd – openbox edition , Lubuntu (based on ubuntu 10.04), Linuxmint xfce (which contains a firewall- you have to start it yourself), or peppermint one live cd (also based on ubuntu) start way faster (2 min.), so for internet banking these are now my preferred live-cd’s
It seems you can leave a winpe running for 72 hours, after which it will automatically shut down.
There is a script in winbuilder that will disable this 72-hour-limitation. You will have a graphical winpe  with winbuilder.

Tip 6 Customizing the background of your winpe
Make your best photo the default background of your winpe.
First, make sure you have a photo or a picture with the following characteristics :
1024×768 pixels, 24-bit color, 72 DPI resolution
(you can do so by using the resize/resample feature in Irfanview, and save as a bitmap)
Change its name to winpe.bmp.

When you have mounted the winpe, copy this winpe.bmp to c:\winpe_x86\mount\windows\system32
overwriting the original one.

Tip 7 Making your winpe a basis for a future winpe + get information about your winpe.

Download poweriso or Gburner ( for usage of gburner , see tip 004 BIS ) , and open your winpe.iso ; in the left pane navigate to “sources”, there you’ll find “boot.wim”.
In the menu  choose “extract”, you will then be able to save the file in a folder of your choice.
Copy this boot.wim to “C:\Program Files\Windows AIK\Tools\PETools\x86″. Rename winpe.wim to originalwinpe.wim ,and rename the copied boot.wim to winpe.wim.
Mounting with :
Dism /Mount-Wim /WimFile:C:\winpe_x86\winpe.wim /index:1 /MountDir:C:\winpe_x86\mount

When you have mounted your winpe.wim, you probably won’t remember which packages you installed. Check with :
dism /image:C:\winpe_x86\mount /get-packages
Control how much scratch space you have with :
Dism /image:C:\winpe_x86\mount /Get-ScratchSpace
you can change with :
Dism /image:C:\winpe_x86\mount /set-ScratchSpace:xxx     (xxx may be  256 or so)
Normally, your winpe is mounted under the drive letter x:            Control with :
Dism /image:C:\winpe_x86\mount /Get-TargetPath
Change the target path  to drive letter T :
Dism /image:C:\winpe_x86\mount /Set-TargetPath:T:
Unmount with :

Dism /Unmount-Wim /MountDir:C:\winpe_x86\mount\ /Commit

You’ll find the changed winpe here : C:\winpe_x86\winpe.wim
Rename this winpe.wim to boot.wim
With Poweriso, open the old winpe.iso.
If you’re using Gburner, make sure you have two copies of the old winpe.iso.
in the left pane navigate to “sources”, there you’ll find “boot.wim”
Now delete it.
Then from the menu of Poweriso/Gburner, you choose “Add files”
Now navigate to :C:\winpe_x86\
Choose the  boot.wim , and insert it into winpe.iso
Save as iso.

//////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
SECTION 20000

Tip 8 WINFE or WINFE built with waik for deployment of Vista SP1 or SP2

The easiest way is to activate the administrator account : Start, Run, enter the command:

net user administrator /active:yes       Then go to “Control Panel”, “User accounts”,
“manage another user account” : the administrator account will show up, and you
attribute a password for it (be careful : you’ll need this password to log in

Restart your computer, and log on into the Administrator account Now download the Waik , and install it. Necessary: vista sp1, with the “Windows AIK” (waik) for Vista sp1, which you can download from Microsoft. http://www.microsoft.com/downloads/details.aspx?FamilyID=94BB6E34-D890-4932-81A5-5B50C657DE08&displaylang=en

Update : I have installed service pack 2 for Vista, and the instructions  remain the same (there is no special waik for vista sp2)
Attention : a different version of windows, or a different version of the WAIK may give other results than the ones i’m describing here.

Those with windows xp , you can make a simple winpe , not a forensic one ; read the following between the lines
———————————————————————————————————————————————

If you use windows xp service pack 2 or 3, and if you only want to make an ordinare winpe , without the forensic registry editing  (that was only introduced in later versions of windows), you can download the waik to install in windows xp from here : (you’ll have to undergo the genuine validation procedure that checks if your winxp is genuine)

http://www.microsoft.com/downloads/details.aspx?familyid=C7D4BC6D-15F3-4284-9123-679830D629F2&displaylang=en

The download is an image with the extension .img. You can burn this with the free  tool Imgburn to a dvd.
Making the winpe : be sure to be logged on as administrator on win xp
Start
Programs
Microsoft Windows AIK

Now click on “windows petools command prompt”

Now look beneath under “the steps for making a winfe disk”, and
follow everything beneath “Enter the commands :”

Skip everything that has to do with registry editing. You can’t
make a forensic winpe within winxp and the waik for winxp.
You may delete however “bootfix.bin” if you want.

Whatever may happen : always unmount (so be sure your laptop
is not working on a battery that may give up during the process),
and remove the folder c:\WinFEx86, before starting another
building process.

————————————————————————————————————————————–

The steps for making a winfe disk : Preparations
If you want to edit the registry in order to make sure that winfe starts with the fixed disks unmounted, I have found this workaround
Make a folder in C: called “reg” The folder “reg” must contain the following files you can get from c:\windows\system32  : reg.exe, regedt32.exe, regini.exe, registeriepkeys.exe , regsvc.dll, regsvr32.exe

I have made a folder “c:\programs” with subfolders, in which I put all my standalone programs. Subfolders :

-FILEMANAGER, with the browser Opera Oneuse, and the filemanager  Explorer++.exe.
Optionally you can download Unreal Commander on      http://x-diesel.com/download.php?
It is a free twin- pane file-manager that is almost a copy of TotalCommander  (if you extract the setup file with Uniextract, you’ll have a standalone app).
To view hidden files in Unreal Commander, click on “Show”, and then mark “show hidden files”.The unreal commander has a very performing file search, which can work with regular expressions. It”s free, however, you’ll need to create a key, which will only last for 25 days, to have all the options of the program. So, it will be outdated on the winpe the 26th day.
You could however put it on a usb-stick, and update the key regularly. You can find it here :

http://x-diesel.com/

http://x-diesel.com/download.php?

-FAU with dd from the Forensic Acquisition utilities. In the download PROGSnew.zip, I have included a text file with
a detailed description on how to use this. Attention , if you download the FAU-utils of september 2013, there is
a slight change in syntax in the commands. Progsnew.zip contains an older version.

-DD with the dd.exe from John Newbigin (in the download you’ll find a text file on how to use this program)

-Odin (to have a clearer view on your hard disks)
Download “PROGSnew.zip” here :
!!! You’ll need at least google chrome version 12.0.742.112, Opera browser version 11.50 or Firefox 5 to download from microsoft live skydrive.
(click on the file ; in the next windows where you will see all the files, but only one is marked, you will have to rightclick on the file to choose “download”)

http://cid-eabc6ce1aad35979.onedrive.live.com/embedicon.aspx/Openbaar/PROGSnew.zip

Open  a command prompt as admin : start, All programs, Microsoft Windows AIK, rightclick “Deployment Tools command prompt”, and select “‘run as administrator”

When you run as Administrator, the command prompt title will show as “Administrator: Command Prompt” instead of the regular “C:\Windows\system32\cmd.exe” making it easier to tell when multiple command prompt windows are running)

You can copy the sentences with ctrl + C , and then paste it in the command prompt with a rightclick choosing "paste".

Enter the commands :

cd c:\Program Files\Windows AIK\Tools\PETools\ 

Now type :

cmd /k copype.cmd x86 c:\WinFEx86

Before you mount everything, you’ll have to remove the file “bootfix.bin”  in c:\WinFEx86\ISO\boot. This bootfix.bin gives you the choice : start from cd or not, and this is not desirable in a winfe. You navigate to

cd c:\program files\windows AIK\Tools\Petools\

Now we will mount everything with the following command :

imagex /mountrw C:\WinFEx86\ISO\sources\boot.wim 1 C:\WinFEx86\mount

If you want to change keyboards easily, you’ll need the file “keyboard.exe”, which you can download here (see link above to download “PROGSnew.zip) and you’ll need to copy it  (with unreal commander) to C:\WinFEx86\mount\windows\system32
Copy “Explorer++.exe” which is now in “C:\programs”  to the folder “C:\WinFEx86\mount\windows\system32″

With WinFe mounted, you can copy all the programs you have collected in the folder” C:\programs” to the folder “C:\WinFEx86\mount\Program Files”  Be sure to always close the Windows explorer window afterwards. You don’t want it to be open, when you unmount everything.
Navigate to this directory :

cd c:\program files\windows AIK\Tools\Petools

In order to install  a special driver you’ll need, you’ll have to do commands like this :

peimg.exe /inf="C:\Windows\System32\SATADRIVER\WINXP\fast.inf" C:\WinFEx86\mount\Windows

Or with the last part between parentheses :

peimg.exe /inf="C:\Windows\System32\SATADRIVER\WINXP\fast.inf" "C:\WinFEx86\mount\Windows" 

Sometimes drivers are downloaded as an .exe. You could use winrar or 7-zip to extract, in order to view the .inf-files you need.
Now suppose the structure of your extracted drivers looks like this :
C:\winpedrivers\massstorage\satadriver\winxp\*.inf
C:\winpedrivers\massstorage\idedriver\winxp\*.inf
c:\winpedrivers\graphical\nvidiadriver\winxp\*.inf
c:\winpedrivers\graphical\atidriver\winxp\*.inf
(you might want to search the appropriate Vista-drivers instead of the winxp ones)
and you want to install all the drivers from the folder c:\winpedrivers and its subfolders in one go.
Issue the following command :

for /R c:\winpedrivers %i in (*.inf) do peimg /inf=%i c:\WinFEx86\mount\windows

You’ll see the message : installing inf package. In order to add additional packages :

cd c:\program files\windows AIK\Tools\Petools 

Now type :

peimg /list /image=c:\WinFEx86\mount

The packages will be listed, with a minus sign to the left of the package name. We are going to add 3 Packages to the Windows directory in the WinPE image. Type the following:

cd c:\program files\windows AIK\Tools\Petools\    

Now type :

peimg /Install=WinPE-XML-Package C:\WinFEx86\mount\Windows

Now type:

peimg /install=WinPE-Scripting-Package C:\WinFEx86\mount\Windows

Next type:

peimg /install=WinPE-WMI-Package C:\WinFEx86\mount\Windows 

Next type:

peimg /install=WinPE-HTA-Package C:\WinFEx86\mount\Windows

Then type :

peimg /list /image=C:\WinFEx86\mount\

You will see a + sign next to the WinPE scripting, wmi, hta and XML packages. If you want to be sure your hard disks are not mounted, when you image them (in a forensic environment), then be sure to edit the registry .
Navigate to :

cd c:\WinFEx86 

and execute the command:

copy C:\reg 

six files, called reg.exe, etcetera, that I had you put in the folder “c:\reg”, will now be in C:\WinFEx86 Now we’ll change the registry (one sentence at a time + press Enter-key)

REG LOAD HKLM\WINFE2 .\mount\Windows\System32\config\SYSTEM   

Now you type:

REG ADD HKLM\WINFE2\ControlSet001\Services\MountMgr /v NoAutoMount /t REG_DWORD /d 1 /f

you type:

REG ADD HKLM\WINFE2\ControlSet001\Services\partmgr\Parameters /v SanPolicy /t REG_DWORD /d 3 /f

Now type:

REG UNLOAD HKLM\WINFE2

Now you copy the contents of your “C:\programs”, where you have put all your necessary standalones, to  c:\WinFEx86\mount\Program Files  .Close windows explorer again.

You’d rather start your winpe with an already localized keyboard layout (here is an example for belgian azerty – on my computer  the dutch version  is installed). Do not expect the winpe to be completely in dutch. Big parts of it will still be in English, but at least you have a familiar keyboard layout

cd c:\program files\Windows AIK\Tools\x86 
intlcfg.exe -inputlocale:nl-be -image:c:\winFEx86\mount
intlcfg.exe -syslocale:nl-be -image:c:\winFEx86\mount
intlcfg.exe -userlocale:nl-be -image:c:\winFEx86\mount
Check with :
intlcfg -report -image:c:\winFEx86\mount

Now we can unmount:

cd c:\Program Files\Windows AIK\Tools\x86 

Then:

imagex.exe /unmount /commit C:\WinFEx86\mount

This takes quite a while .We can make the iso

cd c:\program files\windows AIK\tools\x86 

Then type :

oscdimg -n -m -o -bC:\WinFEx86\etfsboot.com C:\WinFEx86\ISO C:\WinFEx86\WinFEX86.iso

You can then burn the iso with Imgburn.

Customizing the background of your winpe
Make your best photo the default background of your winpe.
First, make sure you have a photo or a picture with the following characteristics :
1024×768 pixels, 24-bit color, 72 DPI resolution
(you can do so by using the resize/resample feature in Irfanview, and save as a bitmap)
Change its name to winpe.bmp.

When you have mounted the winpe, copy this winpe.bmp to c:\winfFEx86\mount\windows\system32
overwriting the original one.

Use of diskpart.exe in mounting of hard disks with a winfe

This is the procedure : in order to learn how to mount disks readonly and such, you will have to learn all the commands of diskpart.exe
—————————————————————————————————————————————————–
Use of diskpart.exe in mounting of hard disks with a winfe
bootdisk (which boots with hard drives unmounted)

If you don’t know if you’re using a forensic winpe or a normal one, just issue the following commands :
diskpart

next command :
DISKPART > SAN
(this will give the actual san policy of the drives ; if the result is OfflineAll, then it’s a forensic winfe)

DISKPART > SAN POLICY=OnlineAll
is the command you want to use to be able to mount the drives (not a good idea in forensic imaging !!!!)

When you boot this winfe, the hard disks will be unmounted. However : to image a hard drive to another ,the latter should be mounted read-write, and the volume (or partition) should be read-write too.
You should use the Diskpart utility to add and mount hard disks. In
order to save an image to an external drive you have to put it online,
assign a drive letter and remove its read only attribute. A number of
Diskpart commands are required to achieve this.
( http://www.thinktankforensics.com/index.php/forensicsf?start=25 )

Windows FE boots up to a shell. You will have an admin command prompt
on the X drive which is a RAM disk. To launch the Diskpart utility , navigate to

X:\windows\system32 (actually , the boot disk starts in this folder) and type :
diskpart

To establish which disks can be seen, type:

DISKPART >List Disk

If you have not yet attached your collection disk, do it now, and type:

DISKPART > Rescan
then type :
List Disk
Now you have to identify your disk (look at the size).
If you see two disks, and number 1 is the drive you want to make writable,
use the following command

DISKPART >Select Disk 1

and put it online:

DISKPART >online disk

rescan
this is the command so you can verify if the disk is indeed online)

To view the actual attributes, type :
attributes disk

and then clear any readonly attributes with the following command :

DISKPART >Attributes disk clear readonly

attributes disk (this command controls if the readonly attribute is indeed removed)

Then identify the volume you wish to image to:

DISKPART >List Volume
and then select the volume ; if it’s volume 1, type :
DISKPART >Select Volume 1

online volume  (to bring the volume online)

and then clear any readonly attributes (with an ordinary small usb-stick, this command may
be superfluous) :

DISKPART >Attributes volume clear readonly

Next – assign a drive letter:

DISKPART >assign letter=k

You should now be able to write an image to your collection disk. If
you are getting the error “your disk is write protected” or similar the
problem most likely lies with the read only attribute.

Now you can make an image with dd.exe
After you made your image, you have to remove the disks again(unmounting)
With Explorer++.exe, navigate to x:\windows\system32\, open a command
prompt, and type :
diskpart
list disk       (identify your disk by size)
select disk 1
list volume
select volume 1        (if this was the volume you used)
remove all dismount       (this removes the drive letter, and dismounts the volume)
list disk
(disk 1 is still selected)
offline disk

(this brings the disk offline)

—————————————————————————————————————————————–

I have made this disk  in order to be able to image my hard disks with my favorite program : dd.exe  for windows from John Newbigin.

http://www.chrysocome.net/dd

dd --list output to txt-file : dd --list 2> output.txt

It takes a long time to image a disk, but the result is flawless.

I’ve imaged Vista, windows 7, dualboot disks, etc.
When you re-image back to another disk, be sure that this one
is zero-filled. You could use diskpart on the winpe for this ( in a command prompt) :
diskpart
list disk
select disk 0    ((or 1, or 2) be sure to identify the right disk)
clean all       (this zerofills the drive : it takes 30 minutes per 60 gb)
exit
You can use Darik’s boot and nuke.iso, and type “autonuke”, which will
overwrite the drive 3 times with random signs instead of zero-filling.

To zero-fill I always use Hiren’s boot cd, which contains
all the Hard disk tools from every hard disk manufacturer on the
planet, or almost. (but then you’ll have to know the manufacturer and the make of the drive)
Google the following search terms “hiren’s boot cd 10.0″, and
hirensbootcd.net will be your saviour.

For zero-filling, the following terms can be found :
“erase disk”, “low level format”, or “fill drive with zeroes”

Use of the winpe disk to back up your hard drive to an external
hard drive

I have a laptop with two hard drives, and want to back up the
first hard drive to an external hard drive.

preparations :

be sure your external drive is formatted NTFS.
Then there’s no need for splitting the backup in chunks of 2 gb,
because NTFS can handle large files.

You attach the hard drive (via a hard disk enclosure (icybox) , or
via an usb-atapi cable) to an usb-port.

You change the boot order in the bios, so the cd boots first.
The first thing you’ll see when the cd boots up, is a command prompt
window.
Attention : once you close the command prompt,  the computer shuts down.

Once you see the command window(this can take a while) , type :

keyboard.exe

This will give you the option to choose a localized keyboard, like belgian
You type :
be
Then hit ENTER twice.

You will have to open a second command window to use your
belgian azerty keyboard, by typing :
start cmd

Now you type :
Explorer++.exe
(Explorer++ is an alternative to Windows Explorer)
In this explorer window, you’ll see all the mounted hard drives
(unless you have edited the registry to start with the fixed drives
unmounted)
Double click on X: (you can read an write to this drive)
Double click on “Program Files”
And there you’ll see all your own programs.
In Explorer++.exe, you can open a second command prompt,
which will now give you the belgian azerty keyboard layout, and from
which you can use dd.exe, to make images of your hard drive.

For the time being, you’ll use the us keyboard layout
Type :

cd.. 

+ press Enter key ; then type:

cd..
+ ENTER key ; then type:

cd "Program Files" 

+ ENTER key ; then type:

cd dd 

There is another way (besides using keyboard.exe)  to change the keyboard layout on the fly in
your winpe.
You boot your computer with the winpe-cd.

But first you’ll have to copy your localized keyboard.dll to
x:\windows\system32. In my case (belgian (flemish) azerty keyboard), I
need to copy KBDBENE.dll (that I put on a usb-stick) to the folder
mentioned above, and verify that the files wpeutil.exe and wpeutil.dll
are already in this folder.

The cd boots to the folder : x:\windows\system32

Then I issue the command  (leave the asterisks out) :

* wpeutil SetKeyboardLayout 1080c:0001080c
(this is Belgian azerty comma, the next one is Belgian point)
* wpeutil SetKeyboardLayout 0813:00000813
and – VERY IMPORTANT – the command :
* start cmd.exe
as you will only  find the changed keyboard layout in the new command prompt !!!!

How do you find code 1080c:0001080c

For the first sequence of digits : use the last digits of
the
code, leaving out the zeroes that precede it,  (if there are
only
three, put a zero in front of it, because you need minimum four digits)
For the  sequence of 8 digits that form the last part :

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard
Layouts 001080c]
the first sequence is 1080c (we got rid of the preceding zeroes ; however, we need at least 4 digits)
the second sequence is 0001080c (we put one more zero in front of 001080c because we
need 8 digits) ; the result is this :
wpeutil SetKeyboardLayout 1080c:0001080c

Use the last numbers of the code, and put one zero – or more
if necessary, because you need 8 numerals -  in front of it.

If you want to know what keyboard.dll you need, and which code
to use,
you’ll find the codes below on my page .

http://technet.microsoft.com/en-us/library/cc766503(WS.10).aspx

Install your winpe to a flash drive or usb stick

In Tip 4 at the beginning of this webpage, you will find the necessary info.


Tip 9 Using drvload : install drivers on the fly within an active winpe-session

Important : you’ll need 512 mb ram to install drivers on the fly.
I’m using winpe 3.0 here (should work with winpe 2 or 2.1 as well)
Sometimes it’s easier to put additional drivers on a usb-stick in a folder
(winpedrivers\dellbroadcom\b44win.inf  and also a sys-file, eventually a dll-file) , so you
can integrate them when needed. I also put Explorer++.exe and operaoneuse.exe
in the root of the usb drive.
I have managed to use winxp ethernet drivers in a winpe 3.0 this way.

Problems you can come across : you can’t see your usb stick.
Colin Ramsden at winfe.wordpress.com is busy working on
a solution for this.
Normally there should be no problems with usb drives, as they
are seen as disks.

Booting up the winpe, you’re in x:\windows\system32

You type :
diskpart
and then you type :
list disk
Normally you should see your usb disk online (identify by gigabyte or mb)
Try re-plugging it in a second time if you don’t see it. Repeat the commands above
and eventually also the command         rescan
Type :
select disk 1  (if you know that this is your usb device)
list volume
now you should see the drive letter the usb has. Type “exit” to leave diskpart.
We’re in c:\windows\system32.
With the command       cd..
you move to x:\windows
Repeat        cd..
we have moved to  x:
type the drive-letter for your usb-stick you have retrieved via the diskpart command.
Now you’re in the root of the usb-stick
Typing Explorer++.exe   will give you a graphical  explorer-window in which you shall see
your usb-stick.
Problem solved ; now we can access the network drivers on the usb-stick.

When you boot up your winpe cd, you’ll find drvload.exe in the folder x:\windows\system32.

Assuming we can”t get an internet connection, we’ll control first if the network
drivers are installed.
Type IPCONFIG or ipconfig /all. If the command lists the IP addresses for your network,
you’re good to go.
However, we don”t get an IP-address. Now we will install the ethernet driver with drvload.exe.
If a reboot is specified in the inf  or sys , as may be the case with graphical drivers,
you’re out of luck.Then you’ll have to integrate these before, when building  your winpe.
Either with DISM in a winpe 3.0 , or with peimg in a winpe 2.0 or 2.1.
The drive letter of my usb-stick is f:
drvload f:\winpedrivers\dellbroadcom\b44win.inf
If all goes well, you’ll see : “drivers successfully loaded”
Update  August 12th, 2010 : :hotfix for drvload with winpe 3.0

http://support.microsoft.com/kb/2276755

Copy the updated Drvstore.dll and Setupapi.dll files to the following directory
C:\winpe_x86\mount\windows\System32\drivers)

REMARK : You have now found the correct INF file, however you may also need to identify any additional files (eg .SYS and .DLL files). You can use Notepad to look at the text in the INF file to determine which files are used. Typically ‘doris.inf’ will use a .SYS file called ‘doris.sys’.
Repeat the test above but ensure you only have the set of files that you wish to test on the USB flash memory drive (you can simply move the unwanted files. END OF REMARK

Type :
NETCFG -WINPE
This will initialize the network connection.

Type :
IPCONFIG or ipconfig /all
If you see an ip-address, then you can launch f:\operaoneuse.exe, and
surf the net.

Network connection (this one is not tested by me, but it might be of use) :
net use g: \\192.168.200.4\sh /USER:Li587\ad A1234567
This is a command for connecting a remote shared folder. The folder will be connected as the disk g:, is located in a PC with the IP address 192.168.200.4 and sharing name sh. Domain or name of the computer is Li587, user ad, password A1234567.
Error 3775 The user context supplied is invalid. – this will appear if credentials of the user is required (the following is not sufficient: net use g: \\192.168.200.4\sh)

________________________________________________________________________________________________
SECTION 10000

Tip 1   Edit the existing boot.wim on a winpe disk.

A Winpe on a cd

If you have already burnt the iso to a cd, then you will need Gburner (see tip 004 BIS ), Ultraiso or Poweriso
to make a new iso of this cd, then you will need to extract the boot.wim from the folder “sources”, edit the
boot.wim (see below under B) , and in Gburner or Poweriso ( see tip 004 bis ) , you can delete the
old boot.wim of the iso, and insert the new one.
Then you can save this iso with new boot.wim, and burn it.

B Winpe on a usb stick

It is important to know how you made the winpe. If you made it on a 64 bit system with the ADK for
Windows 8, then you preferably edit the boot wim with that same ADK.
You can find this out with the information under “Section 0″

 Here is how to edit the boot.wim.

Put the winpe usb-stick in the computer and copy the boot.wim from the folder “sources” to drive
c: on the computer (path is c:\boot.wim)
IMPORTANT : Right-click on this boot.wim, and remove the mark before “read-only”.
On C: make a folder “wi”, and in this folder “wi” make a folder “mount” (path is c:\wi\mount)

To mount a boot.wim from a winpe : open the command prompt of the “Deployment” as administrator.

- with the ADK for windows 8 :

Dism /mount-image /imagefile:C:\boot.wim /index:1 /mountdir:C:\wi\mount

- with the WAIK for windows 7 :
dism /mount-wim /wimfile:C:\boot.wim /index:1 /mountdir:C:\wi\mount

You want to change the winpe to a forensic one :
To make the winpe a forensic one that does not mount internal hard drives
, you need to edit the registry, here with the ADK for
windows 8 . You type in the command prompt  line by line, and push Enter after each line :

* REG LOAD HKLM\WINFE2 C:\wi\mount\Windows\System32\config\SYSTEM
* REG ADD HKLM\WINFE2\ControlSet001\Services\MountMgr /v NoAutoMount /t REG_DWORD /d 1 /f
* REG ADD HKLM\WINFE2\ControlSet001\Services\partmgr\Parameters /v SanPolicy /t REG_DWORD /d 4 /f
* REG ADD HKLM\WINFE2\ControlSet001\Control\FileSystem /v DisableDeleteNotification /t REG_DWORD /d 1 /f
* REG UNLOAD HKLM\WINFE2

You can integrate missing drivers. Installation of multiple drivers, whereby drivers will be
searched in subfolders, and  unsigned drivers will be forcibly installed – edit the line according to
your own folder names :

Dism /image:C:\wi\mount /Add-Driver /driver:C:\your_DRIVERS_in_A_subfolder_OF_this_ONE\ /recurse /ForceUnsigned

Add one single driver – edit the next line according to your own folder names :

Dism /Image:"C:\wi\mount" /Add-Driver /Driver:"C:\your_DRIVER_in_this_folder\driver.inf"


Add packages you forgot

You need to know it was a 64 bit winpe (if you used win 8 – 64 bit dvd in winbuilder win8pese),
and if you’re doing this on a 64 bit system, because then the following lines should be as follows :

Dism /image:C:\wi\mount /add-package /packagepath:"C:\Program Files (x86)\Windows Kits\8.0\Assessment and Deployment Kit\Windows Preinstallation Environment\amd64\WinPE_OCs\WinPE-MDAC.cab"
Dism /image:C:\wi\mount /add-package /packagepath:"C:\Program Files (x86)\Windows Kits\8.0\Assessment and Deployment Kit\Windows Preinstallation Environment\amd64\WinPE_OCs\en-us\WinPE-MDAC_en-us.cab"

-
You can copy missing files or programs in the \windows\system32 folder.

If you have finished editing the boot.wim, unmount like this with the dism.exe of the ADK for win8 :

Dism /unmount-image /mountdir:C:\wi\mount\ /commit

The command with the waik for windows 7 is :
dism /unmount-wim /mountdir:C:\wi\mount /commit
The following step is to copy c:\boot.wim to the folder “sources” of your winpe ,
On a usb you can have multiple boot.wims ; after having renamed the old one to “nonforensicboot.wim”,
boot.wim will obviously be the forensic, non-mounting one; rename both if you want the ordinary
mounting one. The one that has to be booted must always have the name boot.wim.
If you want to make a cd, insert the new boot.wim in the iso with Gburner (see tip 004 BIS ), or Ultraiso or Poweriso, and burn to cd.
As a cd is not as versatile as a usb, you will be limited to one boot.wim only.

————————————————————————————-
Section 0

Version numbers of WINDOWS, ADK, and WINPE

6.1.7600 : Windows 7
6.2.7601 : Windows 7 SP 1
6.2.9200 : Windows 8
6.3.9600 : Windows 8.1

8.59.25584   : ADK for windows 8 (winpe 4.0)
8.100.25984 : ADK for windows 8.1 till October 18th, 2013 (winpe 5.0)
8.100.26020 : ADK for windows 8.1 after October 18th, 2013 (winpe 5.0)
8.100.26629  : ADK for windows 8.1 update 1 from april 8th 2014

Checking the version of the installed ADK in Windows.

If you are unsure of the version of Windows ADK installed on a system, you can verify it.
On Windows Vista and Windows 2008:
Open the Control Panel of your operating system.
If you are in the Control Panel Home view, select Programs, otherwise skip this step.
Select Programs and Features.
Select Assessment and Deployment Kit in the list.
If you cannot view the version number in the selected line, you can add a column with this information.
Select View and then Choose Details….
Select Version and click OK.
Check that the version number is 8.59.25584, which corresponds to
Windows Assessment and Deployment Kit (ADK) for Windows 8 in English.

On Windows 2008 R2, Windows 7, Windows 8, Windows 2012:
Open the Control Panel of your operating system.
If you are in the Control Panel Home view, select Programs, otherwise skip this step.
Select Programs and Features.
Select Assessment and Deployment Kit in the list.
If you cannot view the version number at the bottom of the screen, select Organize >
Layout > Details pane to make it visible.
Check that the version number is 8.59.25584, which corresponds to Windows
Assessment and Deployment Kit (ADK) for Windows 8 in English.


Finding the version from within winpe after you booted it.

To identify the Windows PE release that you are running :
1. At a Windows PE command prompt, type regedit
2. Locate this registry key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WinPE
The Version registry value shows the Windows PE version

Is the winpe 32 bit or 64 bit ?

-You don’t remember if you made 32 bit winpe or a 64 bit one.

If you included the WMI- package in your winpe, then you can find out by typing :
wmic OS get OSArchitecture
and press Enter key.

A 64-bit winpe contains the syswow64 directory,
a 32-bit one does not contain it.
c:\Windows\System32
C:\Windows\Syswow64

Find out – from within the winpe for win 8.0 or win 8.1 – if you are booted in uefi or legacy bios mode.

Suppose you restarted with advanced options to troubleshoot your pc, and chose the command prompt.

Open a command prompt at boot :
http://www.eightforums.com/tutorials/2755-command-prompt-boot-startup-windows-8-a.html

see option four here :
http://www.eightforums.com/tutorials/29504-bios-mode-see-if-windows-boot-uefi-legacy-mode.html
In cmd promt type :

wpeutil UpdateBootInfo
+ push Enter ; then type :
reg query HKLM\System\CurrentControlSet\Control /v PEFirmwareType
+ press Enter ;
if the REG DWORD IS 0×1 then it’s : legacy bios
if the reg dword is 0×2 then it’s uefi

Find out if you’re booted in UEFI or in legacy bios under Windows

Press the Windows key + R  to open the Run dialog, type diskmgmt.msc, click/tap on OK, and go to step 4 below.

4. If prompted by UAC, then click/tap on Yes.

5. If your Windows disk shows having an EFI partition like below, then it’s installed with UEFI. If not, then it’s Legacy BIOS.
http://www.eightforums.com/tutorials/29504-bios-mode-see-if-windows-boot-uefi-legacy-mode.html

or click winkey + run , and type :
msinfo32
Under system summary , you will see “legacy” or “uefi” next to “Bios Mode”

Another method is executing diskpart in a command prompt.
If disk 0 (your internal windows system drive) shows an asterisk under GPT, then the drive has a GPT partition tabel,
and is installed in UEFI.
Suppose you installed it in bios-mode, then you would not see the GPT-asterisk.

Make screenshots in UEFI

Asus and Asrock have added a useful option to their UEFI motherboards (I don’t think you will find this on the much smaller uefi’s in the laptops) which you will find in the “advanced options” :
F12 makes a screenshot and writes it to an inserted (before boot !) usb stick, that is formatted FAT32.
Provided the usb-stick is recognized. Try all ports.
You could have a text printout of a bios screen, if you used the printscreen key, whilst a printer was
attached via a parallel printer port.
_______________________________________________________________________________________

_______________________________________________________________________________________

All the instructions I gathered on this page are collected from
the following websites , with sincere thanks to all these people :

http://www.slideshare.net/ctin/ctin-windows-fe-1256287
http://www.twine.com/item/113421dk0-g99/windows-fe
http://forensicsfromthesausagefactory.blogspot.com/2008/07/windows-fe.html
http://multidisciplinary.wordpress.com/2009/01/27/create-a-custom-windows-pe-30-beta-image-useful-for-imagex-imagingbackup/
http://blog.brianleejackson.com/deployment-image-servicing-and-management-dism-winpe-3-0-boot-environment/comment-page-1#comment-459
———————————————————————————-
Wpeutil SetKeyboardLayout (howto)
The keyboard dlls and the codes, sorted by country
In the winpe command prompt, these will be the 2 commands you will
have to type to change your keyboard layout :

example for Albanian :

wpeutil SetKeyboardLayout 041c:0000041c
start cmd.exe  (start cmd.exe will start a new command prompt with the changed keyboard layout)

example for Belgian comma :

wpeutil SetKeyboardLayout 1080c:0001080c
start cmd.exe   (start cmd.exe will start a new command prompt with the changed keyboard layout)

In the following keyboard codes, you can extract the patterns you need,
based on the above examples.

How do you find code 1080c:0001080c

For the first sequence of digits : use the last digits of
the
code, leaving out the zeroes that precede it,  (if there are
only
three, put a zero in front of it, because you need minimum four digits)
For the  sequence of 8 digits that form the last part :

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard
Layouts 001080c]
the first sequence is 1080c (we got rid of the preceding zeroes ; however, we need at least 4 digits)
the second sequence is 0001080c (we put one more zero in front of 001080c because we
need 8 digits) ; the result is this :
wpeutil SetKeyboardLayout 1080c:0001080c

Use the last numbers of the code, and put one zero – or more
if necessary, because you need 8 numerals -  in front of it.

If you want to know what keyboard.dll you need, and which code
to use, you’ll find the codes below

Afghanistan

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard
Layouts 0000463]
“Layout Display Name”=”@C:\\Windows\\system32\\input.dll,-5159″
“Layout File”=”KBDPASH.DLL”
“Layout Text”=”Pashto (Afganistan)”
wpeutil SetKeyboardLayout 0463:00000463
start cmd.exe

Albania

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard
Layouts 000041c]
“Layout Display Name”=”@C:\\Windows\\system32\\input.dll,-5029″
“Layout File”=”KBDAL.DLL”
“Layout Text”=”Albanian”

wpeutil SetKeyboardLayout 041c:0000041c
start cmd.exe

Arab emirates

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard
Layouts 0000401]
“Layout Display Name”=”@C:\\Windows\\system32\\input.dll,-5084″
“Layout File”=”KBDA1.DLL”
“Layout Text”=”Arabic (101)”
wpeutil SetKeyboardLayout 0401:00000401
start cmd.exe

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard
Layouts 0020401]
“Layout Display Name”=”@C:\\Windows\\system32\\input.dll,-5086″
“Layout File”=”KBDA3.DLL”
“Layout Id”=”0029″
“Layout Text”=”Arabic (102) AZERTY”
wpeutil SetKeyboardLayout 20401:00020401
start cmd.exe

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard
Layouts 0010401]
“Layout Display Name”=”@C:\\Windows\\system32\\input.dll,-5085″
“Layout File”=”KBDA2.DLL”
“Layout Id”=”0028″
“Layout Text”=”Arabic (102)”
wpeutil SetKeyboardLayout 10401:00010401
start cmd.exe

armenia

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard
Layouts 001042b]
“Layout Display Name”=”@C:\\Windows\\system32\\input.dll,-5121″
“Layout File”=”kbdarmw.dll”
“Layout Id”=”0025″
“Layout Text”=”Armenian Western”
wpeutil SetKeyboardLayout 1042b:0001042b
start cmd.exe

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard
Layouts 000042b]
“Layout Display Name”=”@C:\\Windows\\system32\\input.dll,-5120″
“Layout File”=”kbdarme.dll”
“Layout Text”=”Armenian Eastern”
wpeutil SetKeyboardLayout 042b:0000042b
start cmd.exe

Azerbeidjan

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard
Layouts 000082c]
“Layout Display Name”=”@C:\\Windows\\system32\\input.dll,-5115″
“Layout File”=”KBDAZE.DLL”
“Layout Text”=”Azeri Cyrillic”
wpeutil SetKeyboardLayout 082c:0000082c
start cmd.exe

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard
Layouts 000042c]
“Layout Display Name”=”@C:\\Windows\\system32\\input.dll,-5117″
“Layout File”=”KBDAZEL.DLL”
“Layout Text”=”Azeri Latin”
wpeutil SetKeyboardLayout 042c:0000042c
start cmd.exe

belgium
________________________________________________________________________

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard
Layouts 000080c]
“Layout Display Name”=”@C:\\Windows\\system32\\input.dll,-5002″
“Layout File”=”KBDBE.DLL”
“Layout Text”=”Belgian French”
wpeutil SetKeyboardLayout 080c:0000080c
start cmd.exe

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard
Layouts 0000813]
“Layout Display Name”=”@C:\\Windows\\system32\\input.dll,-5001″
“Layout File”=”KBDBE.DLL”
“Layout Text”=”Belgian (Period)”
wpeutil SetKeyboardLayout 0813:00000813
start cmd.exe

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard
Layouts 001080c]
“Layout Display Name”=”@C:\\Windows\\system32\\input.dll,-5089″
“Layout File”=”KBDBENE.DLL”
“Layout Id”=”001E”
“Layout Text”=”Belgian (Comma)”
wpeutil SetKeyboardLayout 1080c:0001080c
start cmd.exe
_______________________________________________________________________

belorussia

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard
Layouts 0000423]
“Layout Display Name”=”@C:\\Windows\\system32\\input.dll,-5052″
“Layout File”=”KBDBLR.DLL”
“Layout Text”=”Belarusian”
wpeutil SetKeyboardLayout 0423:00000423
start cmd.exe

bosnia

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard
Layouts  000201a]
“Layout Display Name”=”@C:\\Windows\\system32\\input.dll,-5155″
“Layout File”=”KBDBHC.DLL”
“Layout Text”=”Bosnian (Cyrillic)”
wpeutil SetKeyboardLayout 201a:0000201a
start cmd.exe

Brazil

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard
Layouts 0000416]
“Layout Display Name”=”@C:\\Windows\\system32\\input.dll,-5003″
“Layout File”=”KBDBR.DLL”
“Layout Text”=”Portuguese (Brazilian ABNT)”
wpeutil SetKeyboardLayout 0416:00000416
start cmd.exe

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard
Layouts 0010416]
“Layout Display Name”=”@C:\\Windows\\system32\\input.dll,-5126″
“Layout File”=”KBDBR.DLL”
“Layout Id”=”0010″
“Layout Text”=”Portuguese (Brazilian ABNT2)”
wpeutil SetKeyboardLayout 10416:00010416
start cmd.exe

Bulgaria

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard
Layouts 0000402]
“Layout Display Name”=”@C:\\Windows\\system32\\input.dll,-5053″
“Layout File”=”KBDBU.DLL”
“Layout Text”=”Bulgarian”
wpeutil SetKeyboardLayout 0402:00000402
start cmd.exe

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard
Layouts 0030402]
“Layout Display Name”=”@C:\\Windows\\system32\\input.dll,-5180″
“Layout File”=”KBDBULG.DLL”
“Layout Id”=”00AA”
“Layout Text”=”Bulgarian (phonetic layout)”
wpeutil SetKeyboardLayout 30402:00030402
start cmd.exe

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard
Layouts 0010402]
“Layout Display Name”=”@C:\\Windows\\system32\\input.dll,-5054″
“Layout File”=”KBDUS.DLL”
“Layout Id”=”0004″
“Layout Text”=”Bulgarian (Latin)”
wpeutil SetKeyboardLayout 10402:00010402
start cmd.exe

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard
Layouts 0020402]
“Layout Display Name”=”@C:\\Windows\\system32\\input.dll,-5173″
“Layout File”=”KBDBGPH.DLL”
“Layout Id”=”00A3″
“Layout Text”=”Bulgarian (phonetic layout)”
wpeutil SetKeyboardLayout 20402:00020402
start cmd.exe

Canada

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard
Layouts 0011009]
“Layout Display Name”=”@C:\\Windows\\system32\\input.dll,-5110″
“Layout File”=”KBDCAN.DLL”
“Layout Id”=”0020″
“Layout Text”=”Canadian Multilingual Standard”
wpeutil SetKeyboardLayout 11009:00011009
start cmd.exe

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard
Layouts 0000c0c]
“Layout Display Name”=”@C:\\Windows\\system32\\input.dll,-5005″
“Layout File”=”KBDFC.DLL”
“Layout Text”=”Canadian French (Legacy)”
wpeutil SetKeyboardLayout 0c0c:00000c0c
start cmd.exe

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard
Layouts 0001009]
“Layout Display Name”=”@C:\\Windows\\system32\\input.dll,-5004″
“Layout File”=”KBDCA.DLL”
“Layout Text”=”Canadian French”
wpeutil SetKeyboardLayout 1009:00001009
start cmd.exe

China

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard
Layouts 0000404]
“Layout Display Name”=”@C:\\Windows\\system32\\input.dll,-5065″
“Layout File”=”KBDUS.DLL”
“Layout Text”=”Chinese (Traditional) – US Keyboard”
wpeutil SetKeyboardLayout 0404:00000404
start cmd.exe

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard
Layouts 0000804]
“Layout Display Name”=”@C:\\Windows\\system32\\input.dll,-5072″
“Layout File”=”KBDUS.DLL”
“Layout Text”=”Chinese (Simplified) – US Keyboard”
wpeutil SetKeyboardLayout 0804:00000804
start cmd.exe
————————————————————————

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard
Layouts 0010405]
“Layout Display Name”=”@C:\\Windows\\system32\\input.dll,-5032″
“Layout File”=”KBDCZ1.DLL”
“Layout Id”=”0005″
“Layout Text”=”Czech (QWERTY)”
wpeutil SetKeyboardLayout 10405:00010405
start cmd.exe

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard
Layouts 0000405]
“Layout Display Name”=”@C:\\Windows\\system32\\input.dll,-5031″
“Layout File”=”KBDCZ.DLL”
“Layout Text”=”Czech”
wpeutil SetKeyboardLayout 0405:00000405
start cmd.exe

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard
Layouts 0020405]
“Layout Display Name”=”@C:\\Windows\\system32\\input.dll,-5087″
“Layout File”=”KBDCZ2.DLL”
“Layout Id”=”000A”
“Layout Text”=”Czech Programmers”
wpeutil SetKeyboardLayout 20405:00020405
start cmd.exe
————————————————————————

croatia

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard
Layouts 000041a]
“Layout Display Name”=”@C:\\Windows\\system32\\input.dll,-5030″
“Layout File”=”KBDCR.DLL”
“Layout Text”=”Croatian”
wpeutil SetKeyboardLayout 041a:0000041a
start cmd.exe

Danmark

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard
Layouts 0000406]
“Layout Display Name”=”@C:\\Windows\\system32\\input.dll,-5007″
“Layout File”=”KBDDA.DLL”
“Layout Text”=”Danish”
wpeutil SetKeyboardLayout 0406:00000406
start cmd.exe

Estonia

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard
Layouts 0000425]
“Layout Display Name”=”@C:\\Windows\\system32\\input.dll,-5042″
“Layout File”=”KBDEST.DLL”
“Layout Text”=”Estonian”
wpeutil SetKeyboardLayout 0425:00000425
start cmd.exe

faroer islands

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard
Layouts 0000438]
“Layout Display Name”=”@C:\\Windows\\system32\\input.dll,-5108″
“Layout File”=”KBDFO.DLL”
“Layout Text”=”Faeroese”
wpeutil SetKeyboardLayout 0438:00000438
start cmd.exe

Finland

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard
Layouts 002083b]
“Layout Display Name”=”@C:\\Windows\\system32\\input.dll,-5142″
“Layout File”=”KBDSMSFI.DLL”
“Layout Id”=”002e”
“Layout Text”=”Sami Extended Finland-Sweden”
wpeutil SetKeyboardLayout 2083b:0002083b
start cmd.exe

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard
Layouts 001083b]
“Layout Display Name”=”@C:\\Windows\\system32\\input.dll,-5137″
“Layout File”=”KBDFI1.DLL”
“Layout Id”=”002d”
“Layout Text”=”Finnish with Sami”
wpeutil SetKeyboardLayout 1083b:0001083b
start cmd.exe

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard
Layouts 000040b]
“Layout Display Name”=”@C:\\Windows\\system32\\input.dll,-5009″
“Layout File”=”KBDFI.DLL”
“Layout Text”=”Finnish”
wpeutil SetKeyboardLayout 040b:0000040b
start cmd.exe

France

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard
Layouts 000040c]
“Layout Display Name”=”@C:\\Windows\\system32\\input.dll,-5010″
“Layout File”=”KBDFR.DLL”
“Layout Text”=”French”
wpeutil SetKeyboardLayout 040c:0000040c
start cmd.exe

Georgia

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard
Layouts 0000437]
“Layout Display Name”=”@C:\\Windows\\system32\\input.dll,-5119″
“Layout File”=”kbdgeo.dll”
“Layout Text”=”Georgian”
wpeutil SetKeyboardLayout 0437:00000437
start cmd.exe

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard
Layouts 0020437]
“Layout Display Name”=”@C:\\Windows\\system32\\input.dll,-5181″
“Layout File”=”kbdgeoer.dll”
“Layout Id”=”00ac”
“Layout Text”=”Georgian (Ergonomic)”
wpeutil SetKeyboardLayout 20437:00020437
start cmd.exe

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard
Layouts 0010437]
“Layout Display Name”=”@C:\\Windows\\system32\\input.dll,-5182″
“Layout File”=”kbdgeoqw.dll”
“Layout Id”=”00ab”
“Layout Text”=”Georgian (QWERTY)”
wpeutil SetKeyboardLayout 10437:00010437
start cmd.exe

Germany

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard
Layouts 0000407]
“Layout Display Name”=”@C:\\Windows\\system32\\input.dll,-5011″
“Layout File”=”KBDGR.DLL”
“Layout Text”=”German”
wpeutil SetKeyboardLayout 0407:00000407
start cmd.exe

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard
Layouts 0010407]
“Layout Display Name”=”@C:\\Windows\\system32\\input.dll,-5012″
“Layout File”=”KBDGR1.DLL”
“Layout Id”=”0012″
“Layout Text”=”German (IBM)”
wpeutil SetKeyboardLayout 10407:00010407
start cmd.exe

Greece

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard
Layouts 0000408]
“Layout Display Name”=”@C:\\Windows\\system32\\input.dll,-5046″
“Layout File”=”KBDHE.DLL”
“Layout Text”=”Greek”
wpeutil SetKeyboardLayout 0408:00000408
start cmd.exe

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard
Layouts 0020408]
“Layout Display Name”=”@C:\\Windows\\system32\\input.dll,-5049″
“Layout File”=”KBDHE319.DLL”
“Layout Id”=”0018″
“Layout Text”=”Greek (319)”
wpeutil SetKeyboardLayout 20408:00020408
start cmd.exe

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard
Layouts 0010408]
“Layout Display Name”=”@C:\\Windows\\system32\\input.dll,-5048″
“Layout File”=”KBDHE220.DLL”
“Layout Id”=”0016″
“Layout Text”=”Greek (220)”
wpeutil SetKeyboardLayout 10408:00010408
start cmd.exe

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard
Layouts 0040408]
“Layout Display Name”=”@C:\\Windows\\system32\\input.dll,-5051″
“Layout File”=”KBDHELA3.DLL”
“Layout Id”=”0011″
“Layout Text”=”Greek (319) Latin”
wpeutil SetKeyboardLayout 40408:00040408
start cmd.exe

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard
Layouts 0050408]
“Layout Display Name”=”@C:\\Windows\\system32\\input.dll,-5047″
“Layout File”=”KBDGKL.DLL”
“Layout Id”=”0019″
“Layout Text”=”Greek Latin”
wpeutil SetKeyboardLayout 50408:00050408
start cmd.exe

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard
Layouts 0030408]
“Layout Display Name”=”@C:\\Windows\\system32\\input.dll,-5050″
“Layout File”=”KBDHELA2.DLL”
“Layout Id”=”0017″
“Layout Text”=”Greek (220) Latin”
wpeutil SetKeyboardLayout 30408:00030408
start cmd.exe

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard
Layouts 0060408]
“Layout Display Name”=”@C:\\Windows\\system32\\input.dll,-5122″
“Layout File”=”KBDHEPT.DLL”
“Layout Id”=”001F”
“Layout Text”=”Greek Polytonic”
wpeutil SetKeyboardLayout 60408:00060408
start cmd.exe

Greenland

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard
Layouts 000046f]
“Layout Display Name”=”@C:\\Windows\\system32\\input.dll,-5170″
“Layout File”=”KBDGRLND.DLL”
“Layout Text”=”Greenlandic”
wpeutil SetKeyboardLayout 046f:0000046f
start cmd.exe

Ireland

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard
Layouts 0001809]
“Layout Display Name”=”@C:\\Windows\\system32\\input.dll,-5014″
“Layout File”=”KBDIR.DLL”
“Layout Text”=”Irish”
wpeutil SetKeyboardLayout 1809:00001809
start cmd.exe

Hungary

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard
Layouts 000040e]
“Layout Display Name”=”@C:\\Windows\\system32\\input.dll,-5033″
“Layout File”=”KBDHU.DLL”
“Layout Text”=”Hungarian”
wpeutil SetKeyboardLayout 040e:0000040e
start cmd.exe

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard
Layouts 001040e]
“Layout Display Name”=”@C:\\Windows\\system32\\input.dll,-5034″
“Layout File”=”KBDHU1.DLL”
“Layout Id”=”0006″
“Layout Text”=”Hungarian 101-key”
wpeutil SetKeyboardLayout 1040e:0001040e
start cmd.exe

Iceland

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard
Layouts 000040f]
“Layout Display Name”=”@C:\\Windows\\system32\\input.dll,-5013″
“Layout File”=”KBDIC.DLL”
“Layout Text”=”Icelandic”
wpeutil SetKeyboardLayout 040f:0000040f
start cmd.exe

india

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard
Layouts 0010439]
“Layout Display Name”=”@C:\\Windows\\system32\\input.dll,-5105″
“Layout File”=”KBDINHIN.DLL”
“Layout Id”=”000c”
“Layout Text”=”Hindi Traditional”
wpeutil SetKeyboardLayout 10439:00010439
start cmd.exe

Iran

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard
Layouts 0000429]
“Layout Display Name”=”@C:\\Windows\\system32\\input.dll,-5124″
“Layout File”=”KBDFA.DLL”
“Layout Text”=”Persian”
wpeutil SetKeyboardLayout 0429:00000429
start cmd.exe

Israel

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard
Layouts 000040d]
“Layout Display Name”=”@C:\\Windows\\system32\\input.dll,-5083″
“Layout File”=”KBDHEB.DLL”
“Layout Text”=”Hebrew”
wpeutil SetKeyboardLayout 040d:0000040d
start cmd.exe

Italy

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard
Layouts 0000410]
“Layout Display Name”=”@C:\\Windows\\system32\\input.dll,-5015″
“Layout File”=”KBDIT.DLL”
“Layout Text”=”Italian”
wpeutil SetKeyboardLayout 0410:00000410
start cmd.exe

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard
Layouts 0010410]
“Layout Display Name”=”@C:\\Windows\\system32\\input.dll,-5016″
“Layout File”=”KBDIT142.DLL”
“Layout Id”=”0003″
“Layout Text”=”Italian (142)”
wpeutil SetKeyboardLayout 10410:00010410
start cmd.exe

Japan

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard
Layouts 0000411]
“Layout Display Name”=”@C:\\Windows\\system32\\input.dll,-5061″
“Layout File”=”KBDJPN.DLL”
“Layout Text”=”Japanese”
wpeutil SetKeyboardLayout 0411:00000411
start cmd.exe

Kazakhstan

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard
Layouts 000043f]
“Layout Display Name”=”@C:\\Windows\\system32\\input.dll,-5113″
“Layout File”=”KBDKAZ.DLL”
“Layout Text”=”Kazakh”
wpeutil SetKeyboardLayout 043f:0000043f
start cmd.exe

Korea

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard
Layouts 0000412]
“Layout Display Name”=”@C:\\Windows\\system32\\input.dll,-5063″
“Layout File”=”KBDKOR.DLL”
“Layout Text”=”Korean”
wpeutil SetKeyboardLayout 0412:00000412
start cmd.exe

Kyrgyzia

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard
Layouts 0000440]
“Layout Display Name”=”@C:\\Windows\\system32\\input.dll,-5128″
“Layout File”=”KBDKYR.DLL”
“Layout Text”=”Kyrgyz Cyrillic”
wpeutil SetKeyboardLayout 0440:00000440
start cmd.exe

Laos

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard
Layouts 0000454]
“Layout Display Name”=”@C:\\Windows\\system32\\input.dll,-5162″
“Layout File”=”KBDLAO.DLL”
“Layout Text”=”Lao”
wpeutil SetKeyboardLayout 0454:00000454
start cmd.exe

Latvia

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard
Layouts 0000426]
“Layout Display Name”=”@C:\\Windows\\system32\\input.dll,-5043″
“Layout File”=”KBDLV.DLL”
“Layout Text”=”Latvian”
wpeutil SetKeyboardLayout 0426:00000426
start cmd.exe

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard
Layouts 0010426]
“Layout Display Name”=”@C:\\Windows\\system32\\input.dll,-5044″
“Layout File”=”KBDLV1.DLL”
“Layout Id”=”0015″
“Layout Text”=”Latvian (QWERTY)”
wpeutil SetKeyboardLayout 10426:00010426
start cmd.exe

Lithuania

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard
Layouts 0000427]
“Layout Display Name”=”@C:\\Windows\\system32\\input.dll,-5045″
“Layout File”=”KBDLT.DLL”
“Layout Text”=”Lithuanian IBM”
wpeutil SetKeyboardLayout 0427:00000427
start cmd.exe

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard
Layouts 0010427]
“Layout Display Name”=”@C:\\Windows\\system32\\input.dll,-5088″
“Layout File”=”KBDLT1.DLL”
“Layout Id”=”0027″
“Layout Text”=”Lithuanian”
wpeutil SetKeyboardLayout 10427:00010427
start cmd.exe

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard
Layouts 0020427]
“Layout Display Name”=”@C:\\Windows\\system32\\input.dll,-5172″
“Layout File”=”KBDLT2.DLL”
“Layout Id”=”00a1″
“Layout Text”=”Lithuanian New”
wpeutil SetKeyboardLayout 20427:00020427
start cmd.exe

Luxemburg

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard
Layouts 000046e]
“Layout Display Name”=”@C:\\Windows\\system32\\input.dll,-5168″
“Layout File”=”KBDSF.DLL”
“Layout Text”=”Luxembourgish”
Luxemburg uses the Swiss-French keyboard. qwertz
Their banks however use Belgian azerty
wpeutil SetKeyboardLayout 046e:0000046e
start cmd.exe

Macedonia

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard
Layouts 000042f]
“Layout Display Name”=”@C:\\Windows\\system32\\input.dll,-5109″
“Layout File”=”KBDMAC.DLL”
“Layout Text”=”Macedonian (FYROM)”
wpeutil SetKeyboardLayout 042f:0000042f
start cmd.exe

Malaysia

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard
Layouts 000044c]
“Layout Display Name”=”@C:\\Windows\\system32\\input.dll,-5139″
“Layout File”=”KBDINMAL.DLL”
“Layout Text”=”Malayalam”
wpeutil SetKeyboardLayout 044c:0000044c
start cmd.exe

Malta

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard
Layouts 000043a]
“Layout Display Name”=”@C:\\Windows\\system32\\input.dll,-5140″
“Layout File”=”KBDMLT47.DLL”
“Layout Text”=”Maltese 47-Key”
wpeutil SetKeyboardLayout 043a:0000043a
start cmd.exe

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard
Layouts 001043a]
“Layout Display Name”=”@C:\\Windows\\system32\\input.dll,-5141″
“Layout File”=”KBDMLT48.DLL”
“Layout Id”=”002b”
“Layout Text”=”Maltese 48-key”
wpeutil SetKeyboardLayout 1043a:0001043a
start cmd.exe

Mongolia

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard
Layouts 0000450]
“Layout Display Name”=”@C:\\Windows\\system32\\input.dll,-5127″
“Layout File”=”KBDMON.DLL”
“Layout Text”=”Mongolian Cyrillic”
wpeutil SetKeyboardLayout 0450:00000450
start cmd.exe

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard
Layouts 0000850]
“Layout Display Name”=”@C:\\Windows\\system32\\input.dll,-5158″
“Layout File”=”KBDMONMO.DLL”
“Layout Text”=”Mongolian (Mongolian Script)”

wpeutil SetKeyboardLayout 0850:00000850
start cmd.exe

the Netherlands : querty

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard
Layouts 0000413]
“Layout Display Name”=”@C:\\Windows\\system32\\input.dll,-5008″
“Layout File”=”KBDNE.DLL”
“Layout Text”=”Dutch”
wpeutil SetKeyboardLayout 0413:00000413
start cmd.exe

Nnorway

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard
Layouts 0000414]
“Layout Display Name”=”@C:\\Windows\\system32\\input.dll,-5018″
“Layout File”=”KBDNO.DLL”
“Layout Text”=”Norwegian”
wpeutil SetKeyboardLayout 0414:00000414
start cmd.exe

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard
Layouts 001043b]
“Layout Display Name”=”@C:\\Windows\\system32\\input.dll,-5143″
“Layout File”=”KBDSMSNO.DLL”
“Layout Id”=”002c”
“Layout Text”=”Sami Extended Norway”
wpeutil SetKeyboardLayout 1043b:0001043b
start cmd.exe

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard
Layouts 000043b]
“Layout Display Name”=”@C:\\Windows\\system32\\input.dll,-5138″
“Layout File”=”KBDNO1.DLL”
“Layout Text”=”Norwegian with Sami”
wpeutil SetKeyboardLayout 043b:0000043b
start cmd.exe

Poland

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard
Layouts 0000415]
“Layout Display Name”=”@C:\\Windows\\system32\\input.dll,-5035″
“Layout File”=”KBDPL1.DLL”
“Layout Text”=”Polish (Programmers)”
wpeutil SetKeyboardLayout 0415:00000415
start cmd.exe

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard
Layouts 0010415]
“Layout Display Name”=”@C:\\Windows\\system32\\input.dll,-5036″
“Layout File”=”KBDPL.DLL”
“Layout Id”=”0007″
“Layout Text”=”Polish (214)”
wpeutil SetKeyboardLayout 10415:00010415
start cmd.exe

portugal

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard
Layouts 0000816]
“Layout Display Name”=”@C:\\Windows\\system32\\input.dll,-5019″
“Layout File”=”KBDPO.DLL”
“Layout Text”=”Portuguese”

wpeutil SetKeyboardLayout 0816:00000816
start cmd.exe

Romania – rumania

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard
Layouts 0000418]
“Layout Display Name”=”@C:\\Windows\\system32\\input.dll,-5037″
“Layout File”=”KBDRO.DLL”
“Layout Text”=”Romanian (Legacy)”
wpeutil SetKeyboardLayout 0418:00000418
start cmd.exe

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard
Layouts 0010418]
“Layout Display Name”=”@C:\\Windows\\system32\\input.dll,-5175″
“Layout File”=”KBDROST.DLL”
“Layout Id”=”00a5″
“Layout Text”=”Romanian (Standard)”
wpeutil SetKeyboardLayout 10418:00010418
start cmd.exe

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard
Layouts 0020418]
“Layout Display Name”=”@C:\\Windows\\system32\\input.dll,-5176″
“Layout File”=”KBDROPR.DLL”
“Layout Id”=”00a6″
“Layout Text”=”Romanian (Programmers)”
wpeutil SetKeyboardLayout 20418:00020418
start cmd.exe

russia

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard
Layouts 0000419]
“Layout Display Name”=”@C:\\Windows\\system32\\input.dll,-5055″
“Layout File”=”KBDRU.DLL”
“Layout Text”=”Russian”
wpeutil SetKeyboardLayout 0419:00000419
start cmd.exe

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard
Layouts 0010419]
“Layout Display Name”=”@C:\\Windows\\system32\\input.dll,-5056″
“Layout File”=”KBDRU1.DLL”
“Layout Id”=”0008″
“Layout Text”=”Russian (Typewriter)”
wpeutil SetKeyboardLayout 10419:00010419
start cmd.exe

Serbia

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard
Layouts 0000c1a]
“Layout Display Name”=”@C:\\Windows\\system32\\input.dll,-5057″
“Layout File”=”KBDYCC.DLL”
“Layout Text”=”Serbian (Cyrillic)”
wpeutil SetKeyboardLayout 0c1a:00000c1a
start cmd.exe

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard
Layouts 000081a]
“Layout Display Name”=”@C:\\Windows\\system32\\input.dll,-5038″
“Layout File”=”KBDYCL.DLL”
“Layout Text”=”Serbian (Latin)”
wpeutil SetKeyboardLayout 081a:0000081a
start cmd.exe

Slovakia

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard
Layouts 000041b]
“Layout Display Name”=”@C:\\Windows\\system32\\input.dll,-5039″
“Layout File”=”KBDSL.DLL”
“Layout Text”=”Slovak”
wpeutil SetKeyboardLayout 041b:0000041b
start cmd.exe

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard
Layouts 001041b]
“Layout Display Name”=”@C:\\Windows\\system32\\input.dll,-5040″
“Layout File”=”KBDSL1.DLL”
“Layout Id”=”0013″
“Layout Text”=”Slovak (QWERTY)”
wpeutil SetKeyboardLayout 1041b:0001041b
start cmd.exe

Slovenia

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard
Layouts 0000424]
“Layout Display Name”=”@C:\\Windows\\system32\\input.dll,-5041″
“Layout File”=”KBDCR.DLL”
“Layout Text”=”Slovenian”
wpeutil SetKeyboardLayout 0424:00000424
start cmd.exe

Spain

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard
Layouts 000040a]
“Layout Display Name”=”@C:\\Windows\\system32\\input.dll,-5020″
“Layout File”=”KBDSP.DLL”
“Layout Text”=”Spanish”
wpeutil SetKeyboardLayout 040a:0000040a
start cmd.exe

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard
Layouts 001040a]
“Layout Display Name”=”@C:\\Windows\\system32\\input.dll,-5021″
“Layout File”=”KBDES.DLL”
“Layout Id”=”0086″
“Layout Text”=”Spanish Variation”
wpeutil SetKeyboardLayout 1040a:0001040a
start cmd.exe

Sweden

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard
Layouts 000041d]
“Layout Display Name”=”@C:\\Windows\\system32\\input.dll,-5022″
“Layout File”=”KBDSW.DLL”
“Layout Text”=”Swedish”
wpeutil SetKeyboardLayout 041d:0000041d
start cmd.exe

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard
Layouts 000083b]
“Layout Display Name”=”@C:\\Windows\\system32\\input.dll,-5144″
“Layout File”=”KBDFI1.DLL”
“Layout Text”=”Swedish with Sami”
wpeutil SetKeyboardLayout 083b:0000083b
start cmd.exe

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard
Layouts 002083b]
“Layout Display Name”=”@C:\\Windows\\system32\\input.dll,-5142″
“Layout File”=”KBDSMSFI.DLL”
“Layout Id”=”002e”
“Layout Text”=”Sami Extended Finland-Sweden”
wpeutil SetKeyboardLayout 2083b:0002083b
start cmd.exe

Switzerland

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard
Layouts 0000807]
“Layout Display Name”=”@C:\\Windows\\system32\\input.dll,-5024″
“Layout File”=”KBDSG.DLL”
“Layout Text”=”Swiss German”
wpeutil SetKeyboardLayout 0807:00000807
start cmd.exe

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard
Layouts 000100c]
“Layout Display Name”=”@C:\\Windows\\system32\\input.dll,-5023″
“Layout File”=”KBDSF.DLL”
“Layout Text”=”Swiss French”
wpeutil SetKeyboardLayout 100c:0000100c
start cmd.exe

Syria

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard
Layouts 000045a]
“Layout Display Name”=”@C:\\Windows\\system32\\input.dll,-5130″
“Layout File”=”KBDSYR1.DLL”
“Layout Text”=”Syriac”
wpeutil SetKeyboardLayout 045a:0000045a
start cmd.exe

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard
Layouts 001045a]
“Layout Display Name”=”@C:\\Windows\\system32\\input.dll,-5131″
“Layout File”=”KBDSYR2.DLL”
“Layout Id”=”000E”
“Layout Text”=”Syriac Phonetic”
wpeutil SetKeyboardLayout 1045a:0001045a
start cmd.exe

Tadjikistan

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard
Layouts 0000428]
“Layout Display Name”=”@C:\\Windows\\system32\\input.dll,-5151″
“Layout File”=”KBDTAJIK.DLL”
“Layout Text”=”Tajik”
wpeutil SetKeyboardLayout 0428:00000428
start cmd.exe

Thailand

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard
Layouts 000041e]
“Layout Display Name”=”@C:\\Windows\\system32\\input.dll,-5079″
“Layout File”=”KBDTH0.DLL”
“Layout Text”=”Thai Kedmanee”
wpeutil SetKeyboardLayout 041e:0000041e
start cmd.exe

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard
Layouts 002041e]
“Layout Display Name”=”@C:\\Windows\\system32\\input.dll,-5081″
“Layout File”=”KBDTH2.DLL”
“Layout Id”=”0022″
“Layout Text”=”Thai Kedmanee (non-ShiftLock)”
wpeutil SetKeyboardLayout 2041e:0002041e
start cmd.exe

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard
Layouts 001041e]
“Layout Display Name”=”@C:\\Windows\\system32\\input.dll,-5080″
“Layout File”=”KBDTH1.DLL”
“Layout Id”=”0021″
“Layout Text”=”Thai Pattachote”

wpeutil SetKeyboardLayout 1041e:0001041e
start cmd.exe

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard
Layouts 003041e]
“Layout Display Name”=”@C:\\Windows\\system32\\input.dll,-5082″
“Layout File”=”KBDTH3.DLL”
“Layout Id”=”0023″
“Layout Text”=”Thai Pattachote (non-ShiftLock)”
wpeutil SetKeyboardLayout 3041e:0003041e
start cmd.exe

Tibet

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard
Layouts 0000451]
“Layout Display Name”=”@C:\\Windows\\system32\\input.dll,-5154″
“Layout File”=”KBDTIPRC.DLL”
“Layout Text”=”Tibetan (People’s Republic of China)”
wpeutil SetKeyboardLayout 0451:00000451
start cmd.exe

Turkey

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard
Layouts 000041f]
“Layout Display Name”=”@C:\\Windows\\system32\\input.dll,-5060″
“Layout File”=”KBDTUQ.DLL”
“Layout Text”=”Turkish Q”
wpeutil SetKeyboardLayout 041f:0000041f
start cmd.exe

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard
Layouts 001041f]
“Layout Display Name”=”@C:\\Windows\\system32\\input.dll,-5059″
“Layout File”=”KBDTUF.DLL”
“Layout Id”=”0014″
“Layout Text”=”Turkish F”
wpeutil SetKeyboardLayout 1041f:0001041f
start cmd.exe

turkmenistan

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard
Layouts 0000442]
“Layout Display Name”=”@C:\\Windows\\system32\\input.dll,-5150″
“Layout File”=”KBDTURME.DLL”
“Layout Text”=”Turkmen”
wpeutil SetKeyboardLayout 0442:000000442
start cmd.exe

Ukraine

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard
Layouts 0000422]
“Layout Display Name”=”@C:\\Windows\\system32\\input.dll,-5058″
“Layout File”=”KBDUR.DLL”
“Layout Text”=”Ukrainian”
wpeutil SetKeyboardLayout 0422:00000422
start cmd.exe

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard
Layouts 0020422]
“Layout Display Name”=”@C:\\Windows\\system32\\input.dll,-5179″
“Layout File”=”KBDUR1.DLL”
“Layout Id”=”00a8″
“Layout Text”=”Ukrainian (Enhanced)”
wpeutil SetKeyboardLayout 20422:00020422
start cmd.exe

————————————————————————

United kingdom

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard
Layouts 0000452]
“Layout Display Name”=”@C:\\Windows\\system32\\input.dll,-5145″
“Layout File”=”KBDUKX.DLL”
“Layout Text”=”United Kingdom Extended”
wpeutil SetKeyboardLayout 0452:00000452
start cmd.exe

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard
Layouts 0000809]
“Layout Display Name”=”@C:\\Windows\\system32\\input.dll,-5025″
“Layout File”=”KBDUK.DLL”
“Layout Text”=”United Kingdom”
wpeutil SetKeyboardLayout 0809:00000809
start cmd.exe

————————————————————————
United states of america

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard
Layouts 0030409]
“Layout Display Name”=”@C:\\Windows\\system32\\input.dll,-5027″
“Layout File”=”KBDUSL.DLL”
“Layout Id”=”001A”
“Layout Text”=”United States-Dvorak for left hand”
wpeutil SetKeyboardLayout 30409:00030409
start cmd.exe

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard
Layouts 0000409]
“Layout Display Name”=”@C:\\Windows\\system32\\input.dll,-5000″
“Layout File”=”KBDUS.DLL”
“Layout Text”=”US”
wpeutil SetKeyboardLayout 0409:00000409
start cmd.exe

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard
Layouts 0010409]
“Layout Display Name”=”@C:\\Windows\\system32\\input.dll,-5092″
“Layout File”=”KBDDV.DLL”
“Layout Id”=”0002″
“Layout Text”=”United States-Dvorak”
wpeutil SetKeyboardLayout 10409:00010409
start cmd.exe

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard
Layouts 0020409]
“Layout Display Name”=”@C:\\Windows\\system32\\input.dll,-5026″
“Layout File”=”KBDUSX.DLL”
“Layout Id”=”0001″
“Layout Text”=”United States-International”
wpeutil SetKeyboardLayout 20409:00020409
start cmd.exe

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard
Layouts 0050409]
“Layout Display Name”=”@C:\\Windows\\system32\\input.dll,-5123″
“Layout File”=”KBDUSA.DLL”
“Layout Id”=”000B”
“Layout Text”=”US English Table for IBM Arabic 238_L”
wpeutil SetKeyboardLayout 50409:00050409
start cmd.exe

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard
Layouts 0040409]
“Layout Display Name”=”@C:\\Windows\\system32\\input.dll,-5028″
“Layout File”=”KBDUSR.DLL”
“Layout Id”=”001B”
“Layout Text”=”United States-Dvorak for right hand”
wpeutil SetKeyboardLayout 40409:00040409
start cmd.exe
————————————————————————

Uzbekhistan

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard
Layouts 0000843]
“Layout Display Name”=”@C:\\Windows\\system32\\input.dll,-5114″
“Layout File”=”KBDUZB.DLL”
“Layout Text”=”Uzbek Cyrillic”
wpeutil SetKeyboardLayout 0843:00000843
start cmd.exe

Vietnam

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard
Layouts 000042a]
“Layout Display Name”=”@C:\\Windows\\system32\\input.dll,-5118″
“Layout File”=”KBDVNTC.DLL”
“Layout Text”=”Vietnamese”
wpeutil SetKeyboardLayout 042a:0000042a
start cmd.exe

———————————————–

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard
Layouts 0000420]
“Layout Display Name”=”@C:\\Windows\\system32\\input.dll,-5129″
“Layout File”=”KBDURDU.DLL”
“Layout Text”=”Urdu”
wpeutil SetKeyboardLayout 0420:00000420
start cmd.exe

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard
Layouts 000042e]
“Layout Display Name”=”@C:\\Windows\\system32\\input.dll,-5163″
“Layout File”=”KBDSORST.DLL”
“Layout Text”=”Sorbian Standard”
wpeutil SetKeyboardLayout 042e:0000042e
start cmd.exe

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard
Layouts 0000439]
“Layout Display Name”=”@C:\\Windows\\system32\\input.dll,-5096″
“Layout File”=”KBDINDEV.DLL”
“Layout Text”=”Devanagari – INSCRIPT”
wpeutil SetKeyboardLayout 0439:00000439
start cmd.exe

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard
Layouts 0000444]
“Layout Display Name”=”@C:\\Windows\\system32\\input.dll,-5116″
“Layout File”=”KBDTAT.DLL”
“Layout Text”=”Tatar”
wpeutil SetKeyboardLayout 0444:00000444
start cmd.exe

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard
Layouts 0000446]
“Layout Display Name”=”@C:\\Windows\\system32\\input.dll,-5101″
“Layout File”=”KBDINPUN.DLL”
“Layout Text”=”Punjabi”
wpeutil SetKeyboardLayout 0446:00000446
start cmd.exe

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard
Layouts 0000447]
“Layout Display Name”=”@C:\\Windows\\system32\\input.dll,-5097″
“Layout File”=”KBDINGUJ.DLL”
“Layout Text”=”Gujarati”
wpeutil SetKeyboardLayout 0447:00000447
start cmd.exe

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard
Layouts 0000448]
“Layout Display Name”=”@C:\\Windows\\system32\\input.dll,-5100″
“Layout File”=”KBDINORI.DLL”
“Layout Text”=”Oriya”
wpeutil SetKeyboardLayout 0448:00000448
start cmd.exe

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard
Layouts 0000449]
“Layout Display Name”=”@C:\\Windows\\system32\\input.dll,-5102″
“Layout File”=”KBDINTAM.DLL”
“Layout Text”=”Tamil”
wpeutil SetKeyboardLayout 0449:00000449
start cmd.exe

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard
Layouts 000044a]
“Layout Display Name”=”@C:\\Windows\\system32\\input.dll,-5103″
“Layout File”=”KBDINTEL.DLL”
“Layout Text”=”Telugu”
wpeutil SetKeyboardLayout 044a:0000044a
start cmd.exe

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard
Layouts 000044b]
“Layout Display Name”=”@C:\\Windows\\system32\\input.dll,-5098″
“Layout File”=”KBDINKAN.DLL”
“Layout Text”=”Kannada”
wpeutil SetKeyboardLayout 044b:0000044b
start cmd.exe

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard
Layouts 000044d]
“Layout Display Name”=”@C:\\Windows\\system32\\input.dll,-5177″
“Layout File”=”KBDINASA.DLL”
“Layout Text”=”ASSAMESE – INSCRIPT”
wpeutil SetKeyboardLayout 044d:0000044d
start cmd.exe

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard
Layouts 000044e]
“Layout Display Name”=”@C:\\Windows\\system32\\input.dll,-5104″
“Layout File”=”KBDINMAR.DLL”
“Layout Text”=”Marathi”
wpeutil SetKeyboardLayout 044e:0000044e
start cmd.exe

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard
Layouts 0000453]
“Layout Display Name”=”@C:\\Windows\\system32\\input.dll,-5161″
“Layout File”=”KBDKHMR.DLL”
“Layout Text”=”Khmer”
wpeutil SetKeyboardLayout 0453:00000453
start cmd.exe

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard
Layouts 000045b]
“Layout Display Name”=”@C:\\Windows\\system32\\input.dll,-5166″
“Layout File”=”KBDSN1.DLL”
“Layout Text”=”Sinhala”
wpeutil SetKeyboardLayout 045b:0000045b
start cmd.exe

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard
Layouts 0000461]
“Layout Display Name”=”@C:\\Windows\\system32\\input.dll,-5169″
“Layout File”=”KBDNEPR.DLL”
“Layout Text”=”Nepali”
wpeutil SetKeyboardLayout 0461:00000461
start cmd.exe

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard
Layouts 0000465]
“Layout Display Name”=”@C:\\Windows\\system32\\input.dll,-5132″
“Layout File”=”KBDDIV1.DLL”
“Layout Text”=”Divehi Phonetic”
wpeutil SetKeyboardLayout 0465:00000465
start cmd.exe

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard
Layouts 000046d]
“Layout Display Name”=”@C:\\Windows\\system32\\input.dll,-5148″
“Layout File”=”KBDBASH.DLL”
“Layout Text”=”Bashkir”
wpeutil SetKeyboardLayout 046d:0000046d
start cmd.exe

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard
Layouts 0000480]
“Layout Display Name”=”@C:\\Windows\\system32\\input.dll,-5165″
“Layout File”=”KBDUGHR.DLL”
“Layout Text”=”Uighur”
wpeutil SetKeyboardLayout 0480:00000480
start cmd.exe

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard
Layouts 0000481]
“Layout Display Name”=”@C:\\Windows\\system32\\input.dll,-5146″
“Layout File”=”KBDMAORI.DLL”
“Layout Text”=”Maori”
wpeutil SetKeyboardLayout 0481:00000481
start cmd.exe

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard
Layouts 0000485]
“Layout Display Name”=”@C:\\Windows\\system32\\input.dll,-5160″
“Layout File”=”KBDYAK.DLL”
“Layout Text”=”Yakut”
wpeutil SetKeyboardLayout 0485:00000485
start cmd.exe

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard
Layouts 000080a]
“Layout Display Name”=”@C:\\Windows\\system32\\input.dll,-5017″
“Layout File”=”KBDLA.DLL”
“Layout Text”=”Latin American”
wpeutil SetKeyboardLayout 080a:0000080a
start cmd.exe

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard
Layouts 000085d]
“Layout Display Name”=”@C:\\Windows\\system32\\input.dll,-5156″
“Layout File”=”KBDIULAT.DLL”
“Layout Text”=”Inuktitut – Latin”
wpeutil SetKeyboardLayout 085d:0000085d
start cmd.exe

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard
Layouts 001042e]
“Layout Display Name”=”@C:\\Windows\\system32\\input.dll,-5164″
“Layout File”=”KBDSOREX.DLL”
“Layout Id”=”009f”
“Layout Text”=”Sorbian Extended”
wpeutil SetKeyboardLayout 1042e:0001042e
start cmd.exe

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard
Layouts 001042f]
“Layout Display Name”=”@C:\\Windows\\system32\\input.dll,-5174″
“Layout File”=”KBDMACST.DLL”
“Layout Id”=”00A4″
“Layout Text”=”FYRO Macedonian”
wpeutil SetKeyboardLayout 1042f:0001042f
start cmd.exe

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard
Layouts 0010445]
“Layout Display Name”=”@C:\\Windows\\system32\\input.dll,-5136″
“Layout File”=”KBDINBE1.DLL”
“Layout Id”=”002a”
“Layout Text”=”Bengali – INSCRIPT (Legacy)”
wpeutil SetKeyboardLayout 10445:00010445
start cmd.exe

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard
Layouts 0020445]
“Layout Display Name”=”@C:\\Windows\\system32\\input.dll,-5178″
“Layout File”=”KBDINBE2.DLL”
“Layout Id”=”00a9″
“Layout Text”=”Bengali – INSCRIPT”
wpeutil SetKeyboardLayout 20445:00020445
start cmd.exe

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard
Layouts 0000445]
“Layout Display Name”=”@C:\\Windows\\system32\\input.dll,-5135″
“Layout File”=”KBDINBEN.DLL”
“Layout Text”=”Bengali”
wpeutil SetKeyboardLayout 0445:00000445
start cmd.exe

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard
Layouts 001045b]
“Layout Display Name”=”@C:\\Windows\\system32\\input.dll,-5167″
“Layout File”=”KBDSW09.DLL”
“Layout Id”=”00a0″
“Layout Text”=”Sinhala – wij 9″
wpeutil SetKeyboardLayout 1045b:0001045b
start cmd.exe

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard
Layouts 001045d]
“Layout Display Name”=”@C:\\Windows\\system32\\input.dll,-5171″
“Layout File”=”KBDINUK2.DLL”
“Layout Id”=”00a7″
“Layout Text”=”Inuktitut – Naqittaut”
wpeutil SetKeyboardLayout 1045d:0001045d
start cmd.exe

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard
Layouts 0010465]
“Layout Display Name”=”@C:\\Windows\\system32\\input.dll,-5133″
“Layout File”=”KBDDIV2.DLL”
“Layout Id”=”000D”
“Layout Text”=”Divehi Typewriter”
wpeutil SetKeyboardLayout 10465:00010465
start cmd.exe

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard
Layouts 0011809]
“Layout Display Name”=”@C:\\Windows\\system32\\input.dll,-5125″
“Layout File”=”KBDGAE.DLL”
“Layout Id”=”0026″
“Layout Text”=”Gaelic”
wpeutil SetKeyboardLayout 11809:00011809
start cmd.exe

11th of November 2011

Written by gverswijvel

August 9,
2009 at 4:18 pm

reg add “HKLM\FE_DEFAULT\Keyboard Layout\Preload” /v 1 /t REG_SZ /d 00000813 /f

gverswijvely3q&rQqJXMj52

Follow

Get every new post delivered to your Inbox.