gbh19930406 Posted April 21, 2024

The latest Windows Server 2022 20348.2402 cannot run the latest WinNTSetup 5.3.4; the program said it cannot find BCDBoot.exe and cannot keep running. However, WinNTSetup 5.3.4 can run on the latest Windows 11 Pro 22631.3447. Both systems have bcdboot.exe under /Windows/system32/. Please help to check what's wrong with v5.3.4, thx a lot.

Plus, wimlib is upgraded to 1.14.4 (released February 24, 2024), and please add support for Windows Server 2025 thx.

JFX (Author) Posted April 21, 2024

Yes, there were some reports of this with Server 2022. I can't reproduce it, and checking if a file exists is the most basic feature. I could only assume something like an antivirus or filter driver that does interfere, but it does not happen if I install Server 2022 with WinNTSetup. The new system does not show any problem.

The version display of wimlib and wimgapi will be removed; it just leads to wrong assumptions, and some people start updating them manually, which only causes problems.

Antonino Posted April 21, 2024

so does that mean we will have no choice between wimlib and wimgapi? can we at least use the latter if that is the case?

Atari800XL Posted April 25, 2024

Good day to everybody. I have been out of the loop for a while, sorry about that. I'm not a big fan of Windows 11, but the new LTSC 2024h2 leaked build 26100 seems to be a decent build. On Windows 10, I used to run a short install_wim_tweak script on the install.wim before applying, to remove some components like Defender, Search and Cortana. However, this doesn't seem to work anymore with Windows 11.

My question to you kind and knowledgeable people on this board:

- Do you guys know of a method to remove Defender from install.wim, or at least some way to (temporarily) turn it off, etc.?
- Do we really have to learn to live with Defender, or are there other ways to tame it?
- Does WinNTSetup have any capabilities to assist with this?

If this was discussed in this thread before, please excuse my laziness, I will try to read up on the matter. Thank you!

Antonino Posted April 26, 2024

yes there is, and it is what alacrán and jfx would probably call "brute force", a deletion of both files from the disk and keys from the registry. just delete all occurrences.

Edited April 26, 2024 by Antonino

JFX (Author) Posted April 26, 2024

Don't think there is a good way to remove Defender. But WinNTSetup's tweak should completely disable it. This can be reversed later, if needed.

Antonino Posted April 26, 2024

it has never turned back up again in my case. of course, I have blocked updates and zerobyted "softwaredistribution"'s as well. Am I losing sight of anything? if I am, pls do tell me. of course, if your "good" way in the post above entails that, in addition to losing windefender. with my bad ways I have also lost other useful services, pls do tell me which ones, so that everybody, including me, knows whether to consider such losses or not in relation to their own needs.

Edited April 26, 2024 by Antonino

Atari800XL Posted April 26, 2024

Thank you for your quick replies! May I ask how the tweak works in WinNTSetup? I would like to replicate that in a manual apply. Thanks for the link to last June, when this was discussed, sorry to have missed that. Any other links are welcome, so I can read up on the matter.

I have to admit I was sort of ignoring Windows 11 for a while, but now with the upcoming LTSC 2024 (and the leaked 26100 build) I think we have to learn to live with it (or at least work around it).

[EDIT: Aahh, wait a minute, it all seems to be coming back to me now <g>, it's the "File Execution Options", right? --Testing now ---]

Edited April 26, 2024 by Atari800XL

Atari800XL Posted April 26, 2024

Applying Windows 11 build 26100 with WinNTSetup works fine (of course), the NoDefender tweak works, thank you very much for that. Nice to see that after a successful setup, Defender is off, so my postinstall (with all my programs and settings) is as fast as before (absolutely no need for an antivirus to keep checking these files).

I also have my own little Apply tool, made in AHK (basically scripts with a GUI). Just to learn and experiment. This has also worked very well until now. Even with 26100, the only thing that has changed for me is that Defender was not deactivated. So now I'm trying to replicate what JFX has done to deactivate Defender in my own scripts.

Looks like you do a series of "Image File Execution Option" settings, correct? When I set these for MpCmdRun.exe, MsMpEng.exe and smartscreen.exe, Defender does seem to be deactivated, but the system becomes incredibly unresponsive and slow. So once again, I feel like I'm so close, yet so far away from the solution :-) Do you have any tips to nudge me in the right direction?

I must have these entries below wrong somehow, this is the only thing I added to an otherwise working .reg file. Without these, apply and setup runs fine, but when I add them back, the system is incredibly slow after Setup finishes.

    Windows Registry Editor Version 5.00

    [HKEY_LOCAL_MACHINE\temp\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MpCmdRun.exe]
    "Debugger"="NUL"

    [HKEY_LOCAL_MACHINE\temp\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MsMpEng.exe]
    "Debugger"="NUL"

    [HKEY_LOCAL_MACHINE\temp\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\smartscreen.exe]
    "Debugger"="NUL"

Edited April 26, 2024 by Atari800XL

JFX (Author) Posted April 26, 2024

It does a bit more than just setting IFEO Debuggers.

    If Tweaks_NT6_Array(#Tweaks_NT6_Disbale_Defender, 1)
      If *Z\Build > 10100
        ORSetDword(*Z\SftHive, "Policies\Microsoft\Windows Defender", "DisableAntiSpyware", 1)
        ORSetDword(*Z\SftHive, "Policies\Microsoft\Windows Defender", "DisableAntiVirus", 1)
        ORSetString(*Z\SftHive, "Microsoft\Windows\CurrentVersion\Explorer", "SmartScreenEnabled", "Off")
        ORSetDword(*Z\SftHive, "Policies\Microsoft\Windows\System", "EnableSmartScreen", 0)
        ORSetDword(*Z\SftHive, "Policies\Microsoft\Windows Defender\SmartScreen", "ConfigureAppInstallControlEnabled", 1)
        ORSetDword(*Z\SftHive, "Policies\Microsoft\Windows Defender\SmartScreen", "ConfigureAppInstallControl", 1)
        ORSetDword_USClasses(*Z, *Z\Usr_Classes_Hive, "Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\PhishingFilter", "EnabledV9", 0)
        ORSetDword_US(*Z, "Software\Microsoft\Windows\CurrentVersion\AppHost", "EnableWebContentEvaluation", 0)
      EndIf
      ORSetDword(*Z\SftHive, "Microsoft\Windows Defender\Real-Time Protection", "DisableRealtimeMonitoring", 1)
      ORSetDword(*Z\SftHive, "Microsoft\Windows Defender\Real-Time Protection", "DisableAntiSpywareRealtimeProtection", 1)
      ORSetDword(*Z\SftHive, "Microsoft\Windows Defender", "DisableAntiSpyware", 1)
      ORSetDword(*Z\SftHive, "Microsoft\Windows Defender", "DisableAntiVirus", 1)
      If *Z\Build > 18300
        ORSetDword(*Z\SftHive, "Microsoft\Windows Defender\Features", "TamperProtection", 0)
      EndIf
      If *Z\Build >= 22000
        ORSetDword(*Z\SftHive, "Microsoft\Windows Defender\Real-Time Protection", "DpaDisabled", 1)
        ORSetString(*Z\SftHive, "Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MpCmdRun.exe", "Debugger", "NUL")
        ORSetString(*Z\SftHive, "Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MsMpEng.exe", "Debugger", "NUL")
        ORSetString(*Z\SftHive, "Microsoft\Windows NT\CurrentVersion\Image File Execution Options\smartscreen.exe", "Debugger", "NUL")
        ORSetDword(*Z\SysHive, "ControlSet001\Services\SecurityHealthService", "Start", 0)
        ORDeleteValue(*Z\SftHive, "Microsoft\Windows\CurrentVersion\Run", "SecurityHealth")
      EndIf
    EndIf

Atari800XL Posted April 26, 2024

Thank you very much for that, great to get a "secret look" in the kitchen :-) Well, at least you know I'm doing my best, and each time I fail I respect YOUR work that much more. So you weren't surprised my system went belly-up with my crude attempts?

JFX (Author) Posted April 26, 2024

Nope, I can recall something like this happened to me, first time trying this on some Windows 10 or 11 build.

Edited April 26, 2024 by JFX

Atari800XL Posted April 26, 2024

See, that makes me feel a little better :-) Just seeing your "reversal" script from June last year (that you linked to a few posts up) made me think it was just as easy as "reversing" them back the other way...

Atari800XL Posted April 27, 2024

I feel like I'm getting closer, I copied all the settings from your last piece of code to my reg files, still haven't found the single culprit yet, though....

I even set up two partitions, one applied with WinNTSetup (and all the tweaks and settings), didn't actually reboot to start the setup, but got a list of all the files, and the SOFTWARE and SYSTEM hives. Second partition has the same install.wim, this time applied with my own scripts. Reg Load'ed the hives and exported them to .reg, then textdiff'd them to find missing stuff in mine.

Still no luck (have to check once more if I really got everything), but I'll keep trying... Not sure when that will be... Some people actually call this fun :-) Once again it is proven that WinNTSetup rules!!!

[Of course, in the meantime I've been doing 26100 tests using WinNTSetup itself, working just fine and providing great command line options for all its powerful capabilities. Thanks once more, JFX!!!!!!]

Edited April 27, 2024 by Atari800XL

Atari800XL Posted April 28, 2024

I am happy to say I got it to work finally!!!! I had to throw in some more settings that somebody sent me from a NTLite forum link, so I'm not sure which one of the settings below finally did the trick, but I thought I'd throw them in here in case somebody might need to use them some day.

Once again: This is just for my own scripts and experiments, WinNTSetup itself was doing it correctly already (for which I'm giving HUUUGE thanks to JFX!!!)

So here are the things I added: (All are EXTRA things on top of the stuff in JFX's code example)

    Software hive:
    ==============

    [HKEY_LOCAL_MACHINE\temp\Microsoft\Windows Defender\Real-Time Protection]
    "DisableBehaviorMonitoring"=dword:00000001
    "DisableOnAccessProtection"=dword:00000001
    "DisableScanOnRealtimeEnable"=dword:00000001

    [HKEY_LOCAL_MACHINE\temp\Policies\Microsoft\Windows Defender]
    "DisableRealtimeMonitoring"=dword:00000001
    "DisableRoutinelyTakingAction"=dword:00000001
    "DisableSpecialRunningModes"=dword:00000001
    "ServiceKeepAlive"=dword:00000001

    [HKEY_LOCAL_MACHINE\temp\Policies\Microsoft\Windows Defender\Signature Updates]
    "ForceUpdateFromMU"=dword:00000001

    [HKEY_LOCAL_MACHINE\temp\Policies\Microsoft\Windows Defender\SmartScreen]
    "ConfigureAppInstallControlEnabled"=dword:00000001
    "ConfigureAppInstallControl"=dword:00000001

    [HKEY_LOCAL_MACHINE\temp\Policies\Microsoft\Windows Defender\Spynet]
    "DisableBlockAtFirstSeen"=dword:00000001

    System hive:
    ============

    [HKEY_LOCAL_MACHINE\temp\ControlSet001\Services\WdFilter]
    "Start"=dword:00000004

    [HKEY_LOCAL_MACHINE\temp\ControlSet001\Services\WdNisDrv]
    "Start"=dword:00000004

    [HKEY_LOCAL_MACHINE\temp\ControlSet001\Services\WdNisSvc]
    "Start"=dword:00000004

    [HKEY_LOCAL_MACHINE\temp\ControlSet001\Services\WinDefend]
    "Start"=dword:00000004

Edited April 28, 2024 by Atari800XL

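Added example (not part of any post above and not WinNTSetup code): a small audit that reads the text of a .reg export from an offline hive, as produced by the Reg Load and export workflow described in the thread, and reports the Defender-disabling settings named in the posts. The function names, the finding labels and the sample export are constructed for this illustration; real regedit exports are UTF-16 and must be decoded before being passed in.

```python
import re
# Names taken from the posts above; everything is compared in lower case.
IFEO_TARGETS = {"mpcmdrun.exe", "msmpeng.exe", "smartscreen.exe"}
SERVICES = {"wdfilter", "wdnisdrv", "wdnissvc", "windefend"}
DISABLE_VALUES = {"disableantispyware", "disableantivirus", "disablerealtimemonitoring",
                  "disablebehaviormonitoring", "disableonaccessprotection"}
KEY_RE = re.compile(r"^\[(.+)\]$")
VAL_RE = re.compile(r'^"([^"]+)"=(.*)$')

def parse_reg(text):
    """Yield (key_path, value_name, raw_data) from decoded .reg export text."""
    key = None
    for line in text.splitlines():
        line = line.strip()
        k, v = KEY_RE.match(line), VAL_RE.match(line)
        if k:
            key = k.group(1)
        elif v and key:
            yield key, v.group(1), v.group(2)

def dword(raw):
    """Return the integer of a 'dword:xxxxxxxx' value, or None for other types."""
    return int(raw[6:], 16) if raw.lower().startswith("dword:") else None

def audit(text):
    """Return (kind, key, raw_data) findings for Defender-disabling settings."""
    findings = []
    for key, name, raw in parse_reg(text):
        parts = key.lower().split("\\")
        leaf, n = parts[-1], name.lower()
        if "image file execution options" in parts and leaf in IFEO_TARGETS and n == "debugger":
            findings.append(("ifeo-debugger", key, raw))
        elif "services" in parts and leaf in SERVICES and n == "start" and dword(raw) == 4:
            findings.append(("service-disabled", key, raw))
        elif "windows defender" in parts and n in DISABLE_VALUES and dword(raw) == 1:
            findings.append(("protection-disabled", key, raw))
        elif leaf == "features" and n == "tamperprotection" and dword(raw) == 0:
            findings.append(("tamper-protection-off", key, raw))
    return findings

# Constructed sample in the shape of an export of hives loaded at HKLM\temp.
SAMPLE = r'''Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\temp\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MsMpEng.exe]
"Debugger"="NUL"
[HKEY_LOCAL_MACHINE\temp\ControlSet001\Services\WinDefend]
"Start"=dword:00000004
[HKEY_LOCAL_MACHINE\temp\Microsoft\Windows Defender\Features]
"TamperProtection"=dword:00000000
'''
```

Calling `audit(SAMPLE)` returns one finding per flagged value, which makes it easy to compare a customised image against a stock one before deployment.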