
BootServerReply Hacking


ubernerd


I plan to deploy several PXE servers to handle client boots and I would love to be able to identify the server that the client booted from so I can write scripts that work on all servers instead of having to specialize the scripts for each server.

In searching for a solution for this, I came across this key in the registry:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\PXE

Where there is a value containing what appears to be the BootServerReply, and I have identified the boot server address in at least two locations in the data, but I'm not sure which is which.

Can anyone tell me how to decode these data or am I going down the wrong road here?

Any other good ideas on the subject would be appriciated (<- misspelled ???)

To clarify, here is the registry data I have found.

I have highlighted the server IP address (0a,1e,01,c8 or 10.30.1.200), which was found in four different locations.

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\PXE]
"DHCPServerACK"=hex:02,01,06,00,2a,dd,02,ee,00,00,00,00,00,00,00,00,0a,1e,01,\
  0a,0a,1e,01,c8,00,00,00,00,00,0c,29,dd,02,ee,00,00,00,00,00,00,00,00,00,00,\
  00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
  00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
  00,00,00,00,00,00,00,00,00,00,00,00,00,00,77,69,6e,70,65,5c,70,78,65,62,6f,\
  6f,74,2e,6e,31,32,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
  00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
  00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
  00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
  00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,63,82,53,63,35,01,05,3a,\
  04,00,00,a8,c0,3b,04,00,01,27,50,33,04,00,01,51,80,36,04,0a,1e,01,c8,01,04,\
  ff,ff,ff,00,05,04,0a,1e,01,c8,06,04,0a,1e,01,c8,43,09,5c,63,69,70,63,63,2e,\
  30,00,ff,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
  ....



  • 6 months later...

FYI

After seeing this thread I created an advisory case at Microsoft, in order to get some confirmation on where to look inside that binary file.

The place you are finding the IP address is indeed the correct location, as confirmed by the MS technician.

But those two keys were never meant to be used for anything other than MS's own debugging, as I have been told directly by one of the engineers behind Windows Deployment Services, so... It's up to you if you want to continue to use this information "as is", because it's in the grey zone as to what MS would provide support for, in the event of 'whatnot'.


Not to go off on a complete tangent, but . . .

If you have multiple servers, I would assume they are on their own IP segment (if this assumption is wrong, then ignore everything else)

Such as: 10.30.1.200 and maybe a 10.30.2.200

Why not just have a WinPE2 side IP detection script that will tell you what segment you're on, and then you know what server it booted off of?

If I'm not understanding what you're trying to do, just ignore the crazy old man.
