IMPORTANT Issue to be aware of if you use BitLocker on your OS drive


2004 and all versions up to 22H2 share a common set of system files. From 2004 up to 22H2 all new features have been delivered in the cumulative updates, but in a dormant state. Each Feature Update was done by means of installing an Enablement Package that turned on the new features and bumped up the major build number by 1, the 22H2 update taking it to 19045.

The ISO for 19045 contains the 19041 system files, plus the 22H2 Enablement Package which it will install at the same time.

I thought it was something along those lines but wanted to get others' input on the subject.

Thanks
 

Glad to help.

And welcome to Eleven Forum.
 

Just an afterthought, since the WinPE is 2004 because of the file system. Would we need to somehow patch it with the 22H2 feature update? Or can we just get away with installing the 22H2 Nov update?
 

First, I notice that you reference WinPE. Maybe that's just a typo but don't confuse WinPE and WinRE, they are two different animals. WinRE is what is used in the Recovery Environment and is contained within the install.wim (or install.esd) on your Windows installation media as WinRE.wim. WinPE, on the other hand (Preinstallation Environment) is located on the installation media as boot.wim, but not embedded within another WIM file. That is what you are running during a clean Windows install. The whole GUI during setup is actually WinPE.

Installing a feature update won't upgrade the WinRE version to the version that we need to fix this issue. It will probably (I would have to test) upgrade it to the version on your Windows installation media, but that is still insufficient.

Let me give you an example:

Even if you install Win 11 22H2 completely clean from scratch, that will give you a WinRE ServicePack Build 525. After you apply the January 2023 Patch Tuesday updates, the version of WinRE in the recovery partition remains at 525. That is why this whole silly manual procedure is needed.

The only way around that would be to first update your Windows installation media so that it contains the updated WinRE.wim. In that event, a clean install will install the already updated WinRE.

HOWEVER, if you don't run BitLocker on your OS drive, then this discussion is pretty moot. There is simply no need to upgrade the WinRE in that event.

I hope that this helps!
 

winpe is a small version of windows that can be run from ram.

It is used for various tasks when you either don't have windows installed (yet) or you need to perform some functions from outside windows.

The file called boot.wim that comes in the installation media is winpe and has a bunch of setup files in the sources folder, that winRE doesn't have.

winRE.wim is winpe with the recovery environment including the rejuvenation ( reset and refresh ).

It is often just called pe.

If you download waik or wadk or whatever it is now called, winpe.wim is part of that. It would just boot to cmd prompt and it doesn't have setup or recovery files in it. However ms provides packages for wifi and net framework, language packs and more which the end user can integrate.
 
Sorry yes, I meant WinRE and not WinPE.

For those who are using BitLocker and patching WinRE, what update are you applying (Nov 8 22 or Jan 10 23)? The reason I am asking is due to the information that MS provides on the following sites. My guess would be just to patch with the Jan 10th update, but the article makes it seem that the Nov 8 22 patch needs to be applied.

January 10, 2023—KB5022282 (OS Builds 19042.2486, 19044.2486, and 19045.2486) - Microsoft Support

 


I am using the Jan one as that is the latest and as updates are cumulative it would include all changes from Nov anyway.
 
As per previous post the items I removed from my winre.wim to get the size down so it would fit back on my existing 500mb partition after applying updates were as follows:-

1) Deleted

\windows\speech\Engines\tts

2) \windows\winsxs\

Deleted all folders in here with accessed / modified dates older than the date I had applied the updates using DISM /Add-Package - most of these were dated the date the ISO / WIM was originally created and some later ones dated 9/4/21, from hours of painstakingly removing a folder or two at a time and then testing it would still boot into recovery environment each time. This just left it containing folders and 1 file which are dated 13/01/23 which is the date I applied the update.

Finally I found two large folders in here which after much testing / internet research I deemed not needed in a RE environment so I removed them

amd64_microsoft-windows-i..dsetup-rejuvenation_31bf3856ad364e35_10.0.19041.1616_none_c72eb202c611e510
amd64_microsoft-windows-i..dsetup-rejuvenation_31bf3856ad364e35_10.0.19041.2486_none_c74b55c6c5fb5bb6

--

These were all removed by taking ownership / adding permissions to the parent folders by running Explorer as TrustedInstaller with NSudo - couldn't delete them without doing this first.

Amended instructions to get the size of an updated winre.wim down to fit on an existing 500mb partitions:

1) Remove unnecessary features / packages from your mounted WinRE.wim - I have gone through all the features in WinRE to see what can safely be removed, most items e.g. Audio, Narrator, WiFi, WDS can be removed but only take a small amount e.g. 1mb off the size. Others such as Rejuv break it completely.

But removing the below reduced the size by 31mb

DISM /Image:C:\mount /Disable-Feature /FeatureName:Microsoft-Windows-WinPE-Speech-TTS-Package

DISM /Image:C:\mount /Remove-Package /PackageName:WinPE-Speech-TTS-en-GB-Package~31bf3856ad364e35~amd64~~10.0.19041.1 /PackageName:WinPE-Speech-TTS-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1 /PackageName:WinPE-Speech-TTS-Package~31bf3856ad364e35~amd64~~10.0.19041.2364

2) Remove old obsolete files from \windows\winsxs\ - determined after hours of painstakingly removing a folder or two at a time and then testing it would still boot into recovery environment and that the tools would work each time.

Delete all folders in mounted \windows\winsxs\ with accessed / modified dates older than the date you applied the updates using DISM /Add-Package - most of these are dated the date the ISO / WIM was originally created (07/12/19) and some dated a bit later. This leaves it containing 921 folders and 1 file which in my cases were dated 13/01/23 e.g. the date I applied the update.

These were all removed by taking ownership / adding permissions to the parent folders by running Explorer as TrustedInstaller with NSudo - couldn't delete them or change permissions without doing this first using NSudo.


---

Fresh winre.wim from Windows 10 ISO - size = 415Mb

After applying updates as per @hsehestedt instructions here - winre.wim size = 498Mb (was 756Mb before doing the DISM /Export-Image)
In my case I applied (windows10.0-kb5022282-x64_fdb2ea85e921869f0abe1750ac7cee34876a760c.msu -and- windows10.0-kb5021043-x64_efa19d2d431c5e782a59daaf2d04d026bb8c8e76)

After reducing as per my instructions above winre.wim size = 432Mb
 

We use MDT with SCCM and our recovery partition is only 300 MB. I've discovered that the recovery partition on all of our computers is empty and that the winre.wim resides on the OS partition under "C:\Recovery\WindowsRE"

As the OS partition is encrypted is it still necessary to update the winre.wim file?
 

That is great info, thanks for sharing it!
 

In fact, this whole procedure is only needed when the OS partition is BitLocker encrypted. That's the point - to address a vulnerability where someone with physical access to the machine can get to the encrypted data via the Recovery Environment.

If the OS drive is not BitLocker encrypted, then this whole business is not needed.
 

Simple script below you can use to scan your network to check for computers which need the patch.

You can either scan all computers in AD - filters for computers used in last x days (set to 365) and excluding servers as I was just looking for client machines for now. Or you can specify list of machines in a text file or in an array, just uncomment / comment relevant line.

Script checks machines are online, then checks are accessible remotely before checking service pack level of the winre.wim in the recovery partition.

Only basic, can be improved but works for me so thought I would share.

Powershell:
#$LastUsed = (Get-Date).AddDays(-365).ToString()
#$ADcomputers = Get-ADComputer -Filter "OperatingSystem -notlike '*Server*' -and LastLogonDate -gt '$LastUsed'" | select-object -Expand Name

#$ADcomputers = Get-Content C:\Tmp\computerlist.txt | Foreach {$_.TrimEnd()}

$ADcomputers = @("PC1", "PC2", "PC3","PC4")

$online= @()
$offline = @()
$remoteworking = @()
$remotenotworking = @()
$remotenotworkingwithreason = @()

$tstart = get-date

#Region - Test Connection

$count = 1

Foreach ($ADcomputer in $ADcomputers) {
   
    Write-Progress -Activity "Testing connection" -Status $ADcomputer -PercentComplete (($count / $ADcomputers.Count) * 100)

    If (Test-Connection -ComputerName $ADcomputer -Quiet -Count 1 -ErrorAction SilentlyContinue) {
        $online += $ADcomputer
    }
    Else {
        $offline += $ADcomputer
    }
   
    $count += 1

}

Write-Host("Test Connection Results") -ForegroundColor Black -BackgroundColor White
Write-Host("`r")
Write-Host("Offline: " + $offline.count + "/" + $ADcomputers.count) -ForegroundColor Red
Write-Host("Online: " + $online.count + "/" + $ADcomputers.count) -ForegroundColor Green
Write-Host("`r")

#EndRegion


#Region - Check Remoting

$count = 1

    Foreach ($onlinecomputer in $online) {

        Write-Progress -Activity "Testing remote access" -Status $onlinecomputer -PercentComplete (($count / $online.Count) * 100)

        Try {

            $result = Invoke-Command -ComputerName $onlinecomputer { 1 } -ErrorAction Stop

            If ($result -eq "1") { $remoteworking += $onlinecomputer }

        }
        Catch {

            If ($PSItem.Exception.Message.Contains("Access is denied")) { $remotenotworkingwithreason += $onlinecomputer + " (Remoting not enabled)" } Else { $remotenotworkingwithreason += $onlinecomputer + " (DNS)" }
            $remotenotworking += $onlinecomputer
        }

        $count += 1

    }

Write-Host("Check Remoting Results") -ForegroundColor Black -BackgroundColor White
Write-Host("`r")
Write-Host("Remoting not working: " + $remotenotworking.count + "/" + $online.count) -ForegroundColor Red
Write-Host("Remoting working: " + $remoteworking.count + "/" + $online.count) -ForegroundColor Green
Write-Host("`r")
Write-Host($remotenotworkingwithreason)
Write-Host("`r")

#EndRegion



#Region - Check version of WINRE.WIM

Write-Progress -Activity "Checking if WINRE.WIM is patched"

$WINREpatched = @()

$WINREnotpatched = @()

Foreach ($remote in $remoteworking) {

    # Reset per machine so a failed query cannot reuse the previous machine's value
    $winre_sp_build = $null

    #Get current WinRE .wim location
    $winre_loc = Invoke-Command -ComputerName $remote {(reagentc /info | findstr '\\?\GLOBALROOT\device').replace('Windows RE location: ', '').TRIM()}

    #Get current WinRE build version
    $temp = Invoke-Command -ComputerName $remote {param($winre_loc)(Dism /Get-ImageInfo /ImageFile:$winre_loc\winre.wim /index:1).Split([System.Environment]::NewLine)} -ArgumentList $winre_loc

    foreach ($line in $temp){
        if ($line -match "ServicePack Build :"){
            # Cast to [int]: left as a string, the -gt below would compare text, not numbers
            $winre_sp_build = [int]$line.Split()[3]
        }
    }

    if ($winre_sp_build -gt 1105){
        $WINREpatched += $remote
    }
    Else {
        $WINREnotpatched += $remote
    }

}

Write-Host("WINRE.WIM Check") -ForegroundColor Black -BackgroundColor White
    Write-Host("`r")
    Write-Host("Patched: " + $WINREpatched.count + "/" + $remoteworking.count) -ForegroundColor Green
    Write-Host("`r")
    Write-Host($WINREpatched | Sort-Object)
    Write-Host("`r")
    Write-Host("NOT Patched: " + $WINREnotpatched.count + "/" + $remoteworking.count) -ForegroundColor Red
    Write-Host("`r")
    Write-Host($WINREnotpatched | Sort-Object)
    Write-Host("`r")


#EndRegion

$WINREnotpatched | Out-GridView -Title "WINRE NOT Patched - $($WINREnotpatched.count)"


$tend = get-date
new-timespan -start $tstart -end $tend
 
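The WinRE check in the script above depends on reading "ServicePack Build" out of DISM's text output and comparing it as a number, and a single cut-off does not fit a fleet that mixes Windows 10 and Windows 11 images. The following is an added example, not part of the original post: it parses constructed sample output and classifies each image against a minimum build per image version. The function names, the sample output and the minimum-build table are assumptions, and English DISM output is assumed.

```powershell
# Added example. The DISM output below is constructed, not captured from a real machine.
# Assumes English DISM output; the field labels are localized on other display languages.

# Minimum "ServicePack Build" per image version. These values are assumptions taken
# from build numbers quoted in this thread; confirm them against the update you are
# deploying before relying on the result.
$MinimumSpBuild = @{
    '10.0.19041' = 2486   # Windows 10 2004-22H2 images (KB5022282 level)
    '10.0.22621' = 1105   # Windows 11 22H2 images (cut-off used in the posted script)
}

function ConvertFrom-DismImageInfo {
    # Pulls the image version and ServicePack Build out of `Dism /Get-ImageInfo` text.
    param([string[]]$Lines)

    $version = $null
    $spBuild = $null
    foreach ($line in $Lines) {
        # "Version : 10.0.22621" is the image; "Version: 10.0..." (no space) is the DISM tool.
        if ($line -match '^\s*Version\s+:\s*(\d+\.\d+\.\d+)') {
            $version = $Matches[1]
        }
        elseif ($line -match '^\s*ServicePack Build\s*:\s*(\d+)\s*$') {
            # Cast to [int] so later comparisons are numeric. Left as a string,
            # 525 would compare as greater than 1105 because '5' sorts after '1'.
            $spBuild = [int]$Matches[1]
        }
    }
    [pscustomobject]@{ Version = $version; SpBuild = $spBuild }
}

function Get-WinReState {
    param(
        [string]$ComputerName,
        [string[]]$DismOutput,
        [hashtable]$Minimum = $MinimumSpBuild
    )

    $info = ConvertFrom-DismImageInfo -Lines $DismOutput

    if ($null -eq $info.Version -or $null -eq $info.SpBuild) {
        $state = 'Unknown'        # DISM failed or no winre.wim was found
    }
    elseif (-not $Minimum.ContainsKey($info.Version)) {
        $state = 'Unknown'        # no minimum defined for this image version
    }
    elseif ($info.SpBuild -ge $Minimum[$info.Version]) {
        $state = 'Patched'
    }
    else {
        $state = 'NotPatched'
    }

    [pscustomobject]@{
        Computer = $ComputerName
        Version  = $info.Version
        SpBuild  = $info.SpBuild
        State    = $state
    }
}

# Constructed sample output for three hypothetical machines.
$samples = [ordered]@{
    'PC1' = @'
Deployment Image Servicing and Management tool
Version: 10.0.22621.1

Index : 1
Name : Microsoft Windows Recovery Environment (amd64)
Version : 10.0.22621
ServicePack Build : 525
ServicePack Level : 0
'@
    'PC2' = @'
Deployment Image Servicing and Management tool
Version: 10.0.19041.844

Index : 1
Name : Microsoft Windows Recovery Environment (x64)
Version : 10.0.19041
ServicePack Build : 2486
ServicePack Level : 0
'@
    'PC3' = @'
Deployment Image Servicing and Management tool
Version: 10.0.19041.844

Error: 2

The system cannot find the file specified.
'@
}

$results = foreach ($name in $samples.Keys) {
    Get-WinReState -ComputerName $name -DismOutput ($samples[$name] -split '\r?\n')
}
$results | Format-Table -AutoSize
```

Machines reported as Unknown need a manual look rather than being counted in either the patched or the unpatched total.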
winsxs in my win11 pe looks like this: it is bigger than it was as I have been playing with adding extra things
don't know if you also need the rejuv stuff in there for reset




Code:
\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.22621.1_none_6af52cfcbb08aaa3\
\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.22621.1_none_6af52cfcbb08aaa3\CbsCore.dll
\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.22621.1_none_6af52cfcbb08aaa3\CbsMsg.dll
\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.22621.1_none_6af52cfcbb08aaa3\dpx.dll
\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.22621.1_none_6af52cfcbb08aaa3\drupdate.dll
\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.22621.1_none_6af52cfcbb08aaa3\drvstore.dll
\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.22621.1_none_6af52cfcbb08aaa3\GlobalInstallOrder.xml
\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.22621.1_none_6af52cfcbb08aaa3\msdelta.dll
\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.22621.1_none_6af52cfcbb08aaa3\mspatcha.dll
\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.22621.1_none_6af52cfcbb08aaa3\poqexec.exe
\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.22621.1_none_6af52cfcbb08aaa3\ReserveManager.dll
\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.22621.1_none_6af52cfcbb08aaa3\smiengine.dll
\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.22621.1_none_6af52cfcbb08aaa3\smipi.dll
\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.22621.1_none_6af52cfcbb08aaa3\TiFileFetcher.exe
\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.22621.1_none_6af52cfcbb08aaa3\TiWorker.exe
\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.22621.1_none_6af52cfcbb08aaa3\turbocontainer.dll
\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.22621.1_none_6af52cfcbb08aaa3\turbostack.dll
\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.22621.1_none_6af52cfcbb08aaa3\updateagent.dll
\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.22621.1_none_6af52cfcbb08aaa3\WcmTypes.xsd
\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.22621.1_none_6af52cfcbb08aaa3\wcp.dll
\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.22621.1_none_6af52cfcbb08aaa3\wdscore.dll
\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.22621.1_none_6af52cfcbb08aaa3\wrpint.dll
\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.22621.898_none_6b467c06908d3d29\
\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.22621.898_none_6b467c06908d3d29\CbsCore.dll
\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.22621.898_none_6b467c06908d3d29\CbsMsg.dll
\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.22621.898_none_6b467c06908d3d29\dpx.dll
\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.22621.898_none_6b467c06908d3d29\drupdate.dll
 
Updated version of my script (now on GitHub) - really annoying you can't edit original posts after 60 minutes...... :mad:

Perhaps mod can delete original post (112)

---

Simple script you can use to scan your network to check for computers which need the patch.

You can either scan all computers in AD - filters for computers used in last x days (set to 365) and excluding servers as I was just looking for client machines for now. Or you can specify a list of machines in a text file or in an array, just uncomment / comment the relevant line.

Script checks machines are online, then checks they are accessible remotely, before checking the service pack level of the winre.wim in the recovery partition.

Only basic, can be improved but works for me so thought I would share.

 

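A sketch of the kind of scan the post above describes, added here as an illustration; it is not the poster's script, which is on GitHub and not reproduced on this page. It assumes the ActiveDirectory module, PowerShell remoting enabled on the clients, English `reagentc`/`dism` output, that the "service pack level" is DISM's `ServicePack Build` field, and a `-MinBuild` value that you supply for the patched WinRE build.

```powershell
# Added example (not the poster's script). Assumes English reagentc/dism output.
param(
    [Parameter(Mandatory)][int]$MinBuild,  # placeholder: build your WinRE update should produce
    [int]$ActiveDays = 365                 # ignore AD computers not seen for this many days
)
Import-Module ActiveDirectory

$cutoff  = (Get-Date).AddDays(-$ActiveDays)
$targets = Get-ADComputer -Filter 'Enabled -eq $true' -Properties LastLogonDate, OperatingSystem |
    Where-Object { $_.LastLogonDate -gt $cutoff -and $_.OperatingSystem -notlike '*Server*' } |
    Select-Object -ExpandProperty Name
# Or read a fixed list instead: $targets = Get-Content .\computers.txt

# Runs on each remote machine: find the resident WinRE image and read its build.
$probe = {
    $loc = reagentc.exe /info |
        Select-String -Pattern 'Windows RE location:\s*(\S.*?)\s*$' | Select-Object -First 1
    if (-not $loc) { return [pscustomobject]@{ Note = 'WinRE disabled or missing'; Build = $null } }
    $wim = $loc.Matches[0].Groups[1].Value + '\winre.wim'
    $hit = dism.exe /English /Get-ImageInfo "/ImageFile:$wim" /Index:1 |
        Select-String -Pattern 'ServicePack Build\s*:\s*(\d+)' | Select-Object -First 1
    if (-not $hit) { return [pscustomobject]@{ Note = 'Could not read winre.wim'; Build = $null } }
    [pscustomobject]@{ Note = ''; Build = [int]$hit.Matches[0].Groups[1].Value }
}

$results = foreach ($pc in $targets) {
    $row = [ordered]@{ Computer = $pc; Status = ''; WinREBuild = $null }
    if (-not (Test-Connection -ComputerName $pc -Count 1 -Quiet)) {
        $row.Status = 'Offline'
    } else {
        try {
            $r = Invoke-Command -ComputerName $pc -ScriptBlock $probe -ErrorAction Stop
            $row.WinREBuild = $r.Build
            if ($null -eq $r.Build)         { $row.Status = $r.Note }
            elseif ($r.Build -lt $MinBuild) { $row.Status = 'Needs patch' }
            else                            { $row.Status = 'OK' }
        } catch {
            $row.Status = 'Remote access failed'   # WinRM closed, access denied, etc.
        }
    }
    [pscustomobject]$row
}
$results | Sort-Object Status, Computer | Format-Table -AutoSize
```

The build threshold differs per Windows release, so run it against one release at a time or extend the probe to return DISM's `Version` field as well.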
WHAT IF...
all this WinRE patching was easily reversible by an attacker? As the Recovery partition is unencrypted and writable without authentication by anyone who could access the hard drive, why does MS assume that patching it helps? Modifying WinRE.wim does not trigger BitLocker recovery, so I

  • enter your office and take out your hard drive
  • mount it, exchange WinRE.wim for the unpatched version
  • put the drive back in, start your computer (which possibly runs BitLocker without preboot authentication)
  • having arrived at the logon screen, without needing to know a password, I keep the shift key pressed while clicking on restart to invoke the unpatched WinRE in order to access your bitlocked drive (following a method that MS have not disclosed, yet, but which they say exists).
This is being discussed here: without result so far.
 
Yikes! I never considered that. Since this issue affects only the recovery environment on a running PC, not an offline recovery environment, maybe this is a good reason to simply get rid of the recovery partition on a PC altogether.
 

Yikes! I never considered that. Since this issue affects only the recovery environment on a running PC, not an offline recovery environment, maybe this is a good reason to simply get rid of the recovery partition on a PC altogether.

If you do that, among other things, Image for Windows won't be able to create its WinRE-based recovery disk. OTOH, you can still create it in a VM that does have a recovery partition, so all is not lost.

My solution to this situation was simply to use "reagentc /disable". The one lingering concern I have is that while this removes the recovery options that use the resident WinRE, it doesn't remove "Use a Device" from the Troubleshooting screens you can get to even from the Windows lock screen by holding Shift while restarting. I don't know what this involves, as I would simply restore from a backup rather than use any of this nonsense, but if using a "Windows Recovery DVD" in this context doesn't count as an "offline image" and instead has the same vulnerability as the resident WinRE, and Microsoft didn't document it, they are beyond incompetent. I mean, if it is vulnerable, there's zero point in patching or disabling WinRE.
 

Microsoft very specifically states that this affects only the recovery environment on a running PC. So recovery on other media is definitely not affected.

I wish I knew more about the vulnerability, but I can hardly see MS missing this if you could simply hack an old version back onto the recovery partition. Still, I would like to know for sure.
 

I wound up turning BitLocker off. Too much of a hassle here.
 

I don't know if this has already been posted, but they've updated the FAQ since the last time I looked at it, around the time this thread was started. It now includes the paragraph:

"IMPORTANT: End users and enterprises who are updating Windows devices which are already deployed in their environment can instead use the latest Windows Safe OS Dynamic Updates to update WinRE when the partition is too small to install the full Windows update. You can download the latest Windows Safe OS Dynamic Update from the Microsoft Update Catalog."
 
