FE = Forensic environment
Let’s say you come across into situations where you’re not allowed to open the computer, you don’t have the right tools to acquire a ZIF hard drive, warranty issues, raid problems etc. The best choice would be Helix or raptor. If you don’t feel comfortable with Linux/Unix tools, and you’re more of windows guy then Windows FE is your weapon of choice.
It is a Windows PE based custom build created by Microsoft for computer forensic examiners!
In another words, it’s basically a Windows PE Live CD that allows you to run forensic tools and other programs you install/embed!! And it’s all command line based!! Yay!!
Lets start off by downloading and install Windows Automated Installation Kit (AIK) from MicroSoft.com (I personally downloaded the windows 7 version)
Once you install AIK, run “Deployment Tools Command Prompt” as admin. And copy the WinPe files to your local machine. (i personally created a Virtual hard drive for this little project)
type of the following command:
Windows FE uses a .wim file to store the OS used to booted at run time. Mount the winpe.wim file to configure it for Windows FE. use imagex.exe to mount the base Windows PE image
OR!! If your a GUI person, download Gimagex which does the same thing as the Dos version.
Make sure “Read and Write” is checked before mounting!!!!
After you finish mounting WinPE, this will be displayed:
Now click START, RUN, and type in REGEDIT. We will modify the registry. This will help us operate without modifying
Click FILE, then Load Hive.
Then browse to:
Y:\winFE\mount\Windows\System32\config and select the system hive file. It will be the file named “system” that has no extension. Open it!!
Then name it whatever you like, for example “WINFE”
The following registry will be modified
and if the NoAutoMount does not exist, right click and create “dword” name it “NoAutoMount” with a setting of 1.
Next, go to
and change the SanPolicy setting to 3
Click file, and Unload Hive!
IF you have any forensic tools, for example encase, FTK imager etc, install them to “Y:\WinFE\mount\Program Files”. Include dll files, dongle drives etc.
Delete bootfix.bin (when winfe disk is inserted, this will pop a message ”press any key to boot from cd”, once deleted, the WinFE will boot right away!)
Delete boot.wim in Y:\winFE\ISO\sources. Copy the modified winpe.wim to Y:\winFE\ISO\sources and rename it boot.wim.
time to unmount your winFE
Open Deployment Tools Command Prompt and type
imagex.exe /unmount /commit C:\winFE\mount