JoDad

  1. JoDad

    Spyware Choices

    Sorry, I did not intend for this to be a Bart version vs. MS version debate. I have to say, though, that I do not think MS will mind too much if the Bart build is used/created the way Bart's post says it is supposed to be used. I mean, if you buy a new copy of the XP or 2003 license for each CD you generate, then I think you are proving the intent is not to defraud MS but to expand the utility or usage of their products.
  2. JoDad

    SetupReg.hiv

    The fact that it makes a new hive each time does explain why the file resets. I see where it pulls some inf files in but was hoping to find where I could set the initial changes so it would pull them in. Oh well, I'll turn my change log into a script to run whenever I need to run mkimg.cmd. Thanks for the information.
  3. JoDad

    SetupReg.hiv

    I figured I'd have to do something along those lines. I am just kind of curious about where it pulls it from or if anyone knew why they would reset the source like that.
  4. JoDad

    SetupReg.hiv

    I have been stepping through the excellent tutorial by Mark Melanson (AKA Jericho Jones) http://tjb.xgameservers.com/WindowsPE.html and have a question on the setupreg.hiv file. During the mkimg.cmd process this file is overwritten in the winpe and in the winpe_cdrom directories. I would expect the winpe_cdrom directory to be replaced, as it recreates this total directory, but why does the setupreg.hiv file in the source area get changed? The reason I am thinking this is that I load the hive in regedit and make a change. I then unload the hive. If I go back and reload the hive, my changes are still there. When I run mkimg.cmd, neither the destination directory nor the ISO gets the changes. When I load the setupreg.hiv file in regedit it has reset to original (at least my changes are gone). I know I am supposed to edit the hive file in the cdrom build directory and then just create an image, and this works, but every time I want to make a change at the source level I have to remember and redo everything I manually did at the destination level. I read through the mkimg.cmd file and it has one spot where it pulls the setupreg.hiv file from the original CD. I am working with ISOs in Virtual PC, so I just edited the xp2 ISO and changed the hive file to the one I created. This still did not change the result. So my question becomes: where does the final setupreg.hiv file come from, and why does the original in the winpe directory get changed? Or, if not changed, then how do the alterations get removed? Thanks
  5. JoDad

    Spyware Choices

    Thanks for the feedback. I will be staying with MS WinPE to avoid even approaching the line of quasi-legal, since it is for company use. On my original question, I think I will try the dual approach in which we will 1. run a local scan on the PC using the desktop OS, 2. run the dir to text from the desktop OS (rootkit check step 1), 3. boot into WinPE and run the scans again, 4. run the dir to text from WinPE (rootkit check step 2), 5. compare the two result files using windiff (rootkit check step 3). I appreciate the tips on different scanners and will be checking them out to see what will work best for our environment. I am hoping that if I run into snags on implementation I can look at how people solved it using Barts and see the processes used, as well as the excellent assistance on this forum.
  6. JoDad

    Spyware Choices

    Hi Soulin, Thanks for input. I have gathered that Barts has more people writing to it so it will do more at this time, but the licensing is totally different if I am reading it correctly. We are licensed for WinPE and I am trying to add tool functionality along with installations. Kind of a one-stop-shop thing. It seems that others are doing this also for various reasons, so I am assuming that it can all be done on both platforms. It seems Barts took off because MS gave their version a very small target market and gave it a much smaller functional OS base in the earliest versions. I readily admit my ignorance, though, so if I am mistaken please let me know. If I try to deploy a tools disk to my helpdesk using BartsPE, do I need a separate XP license for each CD I create? I already have most of the tool licenses I see plug-ins for that I would be using. My question was more on the lines of theory vs. reality. For example, a scan for viruses is better done offline so all files can be accessed and any viruses cannot mask through the OS. Do the spyware scans work the same way, or do they perform better within the OS? Knowing this would help me target my research and development towards the better path.
  7. Quick newbie question on best way (and products) to check and clean spyware. From previous postings I see Ad-Aware and Spybot worked for Barts, but does it also work for MS WinPE? Does it make the best sense to run these from WinPE or from within the desktop OS where they can access the live registry? Or is the best approach a combination? I am thinking about running anti-spyware programs, then running the first step to check for root hacks on the desktop OS, then restarting with WinPE to check again and run the second step of the root hack check, comparing results. Input from anyone else that's done/doing/researching would be appreciated. Thanks, Jodad
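
The two-listing comparison described in the posts above (a directory listing saved from the running desktop OS, a second one saved after booting WinPE, then a diff) can be scripted so that only the meaningful differences are reported. This is an added example, not part of the original posts; it assumes each listing has one full path per line (as `dir /s /b /a` produces), and the sample listings, file names and function names are constructed for illustration.

```python
import ntpath

# Constructed sample listings (not real captures). The drive letter and the
# letter case differ between the two views, as they can under WinPE.
LIVE_LISTING = r"""C:\WINDOWS\system32\drivers\atapi.sys
C:\WINDOWS\system32\drivers\disk.sys
C:\WINDOWS\system32\kernel32.dll
C:\Documents and Settings\user\Local Settings\Temp\~DF1A.tmp
"""
WINPE_LISTING = r"""D:\Windows\System32\drivers\atapi.sys
D:\WINDOWS\system32\drivers\disk.sys
D:\WINDOWS\system32\drivers\example_hidden.sys
D:\windows\system32\KERNEL32.DLL
"""


def index_listing(text):
    """Map drive-less, lower-cased path -> path as written in the listing."""
    index = {}
    for line in text.splitlines():
        path = line.strip()
        if not path:
            continue
        _drive, rest = ntpath.splitdrive(path)  # drop "C:" / "D:"
        index[rest.lower()] = path              # NTFS names are case-insensitive
    return index


def cross_view_diff(live_text, offline_text):
    """Return (hidden_from_live, live_only) as sorted lists of paths.

    hidden_from_live: on disk when read offline but absent from the live
    listing, which is the pattern a file-hiding rootkit produces.
    live_only: seen only while the OS was running (usually temp files that
    were removed before the offline pass).
    """
    live, offline = index_listing(live_text), index_listing(offline_text)
    hidden = sorted(offline[k] for k in offline.keys() - live.keys())
    live_only = sorted(live[k] for k in live.keys() - offline.keys())
    return hidden, live_only


if __name__ == "__main__":
    hidden, live_only = cross_view_diff(LIVE_LISTING, WINPE_LISTING)
    for p in hidden:
        print("HIDDEN FROM LIVE OS:", p)
    for p in live_only:
        print("only in live view:  ", p)
```

A plain text diff of the two files would flag every line because of the drive letter and case differences; normalizing first leaves only the entries worth investigating.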