[wue] revert to inserting the bypass registry keys directly where possible

* The use of an unattend.xml to create the TPM/Secure Boot/Disk/RAM bypass keys was prompted by Microsoft restricting the ability of Windows Store app from manipulating offline registry hives. * However, the use of a windowsPE phase in unattend.xml to insert the keys results in a windows command prompt briefly appearing when setup launches, as well as slightly different Windows setup screens from the default. * So we are now reverting to trying to edit the boot.wim registry hive offline (which should work for the non Store version of Rufus) while falling back to using a PE unattend section if that doesn't work. * Closes #1971
2024-08-14 23:57:05 +00:00 · 2022-07-08 18:48:02 +01:00 · 2022-07-08 18:48:02 +01:00 · 14f19e5275
commit 14f19e5275
parent 2be4470bc5
4 changed files with 100 additions and 37 deletions
--- a/src/format.c
+++ b/src/format.c
@ -71,10 +71,12 @@ extern const int nb_steps[FS_MAX];
 extern uint32_t dur_mins, dur_secs;
 extern uint32_t wim_nb_files, wim_proc_files, wim_extra_files;
 static int actual_fs_type, wintogo_index = -1, wininst_index = 0;
+extern int unattend_xml_selection;
 extern BOOL force_large_fat32, enable_ntfs_compression, lock_drive, zero_drive, fast_zeroing, enable_file_indexing;
-extern BOOL write_as_image, use_vds, write_as_esp, is_vds_available, enable_inplace, set_drives_offline;
+extern BOOL write_as_image, use_vds, write_as_esp, is_vds_available;
 extern const grub_patch_t grub_patch[2];
 extern char* unattend_xml_path;
+extern const char* bypass_name[4];
 uint8_t *grub2_buf = NULL, *sec_buf = NULL;
 long grub2_len;

@ -1470,7 +1472,7 @@ static BOOL SetupWinToGo(DWORD DriveIndex, const char* drive_name, BOOL use_esp)
 	// "upgrade" the ReFS version on all drives to v3.7, thereby preventing you from being able to mount
 	// those volumes back on Windows 10 ever again. Yes, I have been stung by this Microsoft bullshit!
 	// See: https://gist.github.com/0xbadfca11/da0598e47dd643d933dc#Mountability
-	if (set_drives_offline) {
+	if (unattend_xml_selection & UNATTEND_OFFLINE_INTERNAL_DRIVES) {
 		uprintf("Setting the target's internal drives offline using command:");
 		// This applies the "offlineServicing" section of the unattend.xml (while ignoring the other sections)
 		static_sprintf(cmd, "dism /Image:%s\\ /Apply-Unattend:%s", drive_name, unattend_xml_path);
@ -1499,12 +1501,17 @@ static BOOL SetupWinToGo(DWORD DriveIndex, const char* drive_name, BOOL use_esp)
 */
 BOOL ApplyWindowsCustomization(char drive_letter, BOOL windows_to_go)
 {
-	BOOL r = FALSE;
+	BOOL r = FALSE, is_hive_mounted = FALSE;
+	int i;
 	const int wim_index = 2;
-	char boot_wim_path[] = "?:\\sources\\boot.wim";
+	const char* offline_hive_name = "RUFUS_OFFLINE_HIVE";
+	char boot_wim_path[] = "?:\\sources\\boot.wim", key_path[64];
 	char appraiserres_dll_src[] = "?:\\sources\\appraiserres.dll";
 	char appraiserres_dll_dst[] = "?:\\sources\\appraiserres.bak";
 	char *mount_path = NULL, path[MAX_PATH];
+	HKEY hKey = NULL, hSubKey = NULL;
+	LSTATUS status;
+	DWORD dwDisp, dwVal = 1;

 	assert(unattend_xml_path != NULL);
 	uprintf("Applying Windows customization:");
@ -1522,7 +1529,7 @@ BOOL ApplyWindowsCustomization(char drive_letter, BOOL windows_to_go)
 		uprintf("Added '%s'", path);
 	} else {
 		boot_wim_path[0] = drive_letter;
-		if (enable_inplace) {
+		if (unattend_xml_selection & UNATTEND_WINPE_SETUP_MASK) {
 			// Create a backup of sources\appraiserres.dll and then create an empty file to
 			// allow in-place upgrades without TPM/SB. Note that we need to create an empty,
 			// appraiserres.dll otherwise setup.exe extracts its own.
@ -1542,6 +1549,53 @@ BOOL ApplyWindowsCustomization(char drive_letter, BOOL windows_to_go)
 		if (mount_path == NULL)
 			goto out;

+		if (unattend_xml_selection & UNATTEND_WINPE_SETUP_MASK) {
+			// Try to create the registry keys directly, and fallback to using unattend
+			// if that fails (which the Windows Store version is expected to do).
+			static_sprintf(path, "%s\\Windows\\System32\\config\\SYSTEM", mount_path);
+			if (!MountRegistryHive(HKEY_LOCAL_MACHINE, offline_hive_name, path)) {
+				uprintf("Falling back to creating the registry keys through unattend.xml");
+				goto copy_unattend;
+			}
+			UpdateProgressWithInfoForce(OP_PATCH, MSG_325, 101, PATCH_PROGRESS_TOTAL);
+			is_hive_mounted = TRUE;
+
+			static_sprintf(key_path, "%s\\Setup", offline_hive_name);
+			status = RegOpenKeyExA(HKEY_LOCAL_MACHINE, key_path, 0, KEY_READ | KEY_CREATE_SUB_KEY, &hKey);
+			if (status != ERROR_SUCCESS) {
+				SetLastError(status);
+				uprintf("Could not open 'HKLM\\SYSTEM\\Setup' registry key: %s", WindowsErrorString());
+				goto copy_unattend;
+			}
+
+			status = RegCreateKeyExA(hKey, "LabConfig", 0, NULL, 0,
+				KEY_SET_VALUE | KEY_QUERY_VALUE | KEY_CREATE_SUB_KEY, NULL, &hSubKey, &dwDisp);
+			if (status != ERROR_SUCCESS) {
+				SetLastError(status);
+				uprintf("Could not create 'HKLM\\SYSTEM\\Setup\\LabConfig' registry key: %s", WindowsErrorString());
+				goto copy_unattend;
+			}
+
+			for (i = 0; i < ARRAYSIZE(bypass_name); i++) {
+				if (!(unattend_xml_selection & (1 << (i / 2))))
+					continue;
+				status = RegSetValueExA(hSubKey, bypass_name[i], 0, REG_DWORD, (LPBYTE)&dwVal, sizeof(DWORD));
+				if (status != ERROR_SUCCESS) {
+					SetLastError(status);
+					uprintf("Could not set 'HKLM\\SYSTEM\\Setup\\LabConfig\\%s' registry key: %s",
+						bypass_name[i], WindowsErrorString());
+					goto copy_unattend;
+				}
+				uprintf("Created 'HKLM\\SYSTEM\\Setup\\LabConfig\\%s' registry key", bypass_name[i]);
+			}
+			// We were successfull in creating the keys so disable the windowsPE section from unattend.xml
+			// We do this by replacing '<settings pass="windowsPE">' with '<settings pass="disabled">'
+			if (replace_in_token_data(unattend_xml_path, "<settings", "windowsPE", "disabled", FALSE) == NULL)
+				uprintf("Warning: Could not disable 'windowsPE' pass from unattend.xml");
+			UpdateProgressWithInfoForce(OP_PATCH, MSG_325, 102, PATCH_PROGRESS_TOTAL);
+		}
+
+copy_unattend:
 		static_sprintf(path, "%s\\Autounattend.xml", mount_path);
 		if (!CopyFileU(unattend_xml_path, path, TRUE)) {
 			uprintf("Could not create boot.wim 'Autounattend.xml': %s", WindowsErrorString());
@ -1553,6 +1607,14 @@ BOOL ApplyWindowsCustomization(char drive_letter, BOOL windows_to_go)
 	r = TRUE;

 out:
+	if (hSubKey != NULL)
+		RegCloseKey(hSubKey);
+	if (hKey != NULL)
+		RegCloseKey(hKey);
+	if (is_hive_mounted) {
+		UnmountRegistryHive(HKEY_LOCAL_MACHINE, offline_hive_name);
+		UpdateProgressWithInfoForce(OP_PATCH, MSG_325, 104, PATCH_PROGRESS_TOTAL);
+	}
 	if (mount_path) {
 		uprintf("Unmounting '%s'...", boot_wim_path, wim_index);
 		WimUnmountImage(boot_wim_path, wim_index);
--- a/src/rufus.c
+++ b/src/rufus.c
@ -60,19 +60,6 @@ enum bootcheck_return {
 	BOOTCHECK_GENERAL_ERROR = -3,
 };

-#define UNATTEND_SECUREBOOT_TPM_MASK        0x01
-#define UNATTEND_MINRAM_MINDISK_MASK        0x02
-#define UNATTEND_NO_ONLINE_ACCOUNT_MASK     0x04
-#define UNATTEND_NO_DATA_COLLECTION_MASK    0x08
-#define UNATTEND_OFFLINE_INTERNAL_DRIVES    0x10
-#define UNATTEND_DEFAULT_MASK               0x1F
-
-#define UNATTEND_WINPE_SETUP_MASK           (UNATTEND_SECUREBOOT_TPM_MASK | UNATTEND_MINRAM_MINDISK_MASK)
-#define UNATTEND_SPECIALIZE_DEPLOYMENT_MASK (UNATTEND_NO_ONLINE_ACCOUNT_MASK)
-#define UNATTEND_OOBE_SHELL_SETUP           (UNATTEND_NO_DATA_COLLECTION_MASK)
-#define UNATTEND_OFFLINE_SERVICING          (UNATTEND_OFFLINE_INTERNAL_DRIVES)
-#define UNATTEND_DEFAULT_SELECTION          (UNATTEND_SECUREBOOT_TPM_MASK | UNATTEND_NO_ONLINE_ACCOUNT_MASK | UNATTEND_OFFLINE_INTERNAL_DRIVES)
-
 static const char* cmdline_hogger = "rufus.com";
 static const char* ep_reg = "Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer";
 static const char* vs_reg = "Software\\Microsoft\\VisualStudio";
@ -128,17 +115,17 @@ DWORD MainThreadId;
 HWND hDeviceList, hPartitionScheme, hTargetSystem, hFileSystem, hClusterSize, hLabel, hBootType, hNBPasses, hLog = NULL;
 HWND hImageOption, hLogDialog = NULL, hProgress = NULL, hDiskID;
 HANDLE dialog_handle = NULL;
-BOOL is_x86_32, use_own_c32[NB_OLD_C32] = { FALSE, FALSE }, mbr_selected_by_user = FALSE;
-BOOL op_in_progress = TRUE, right_to_left_mode = FALSE, has_uefi_csm = FALSE, its_a_me_mario = FALSE, enable_inplace = FALSE;
-BOOL enable_HDDs = FALSE, enable_VHDs = TRUE, enable_ntfs_compression = FALSE, no_confirmation_on_cancel = FALSE, lock_drive = TRUE;
-BOOL advanced_mode_device, advanced_mode_format, allow_dual_uefi_bios, detect_fakes, enable_vmdk, force_large_fat32, usb_debug;
-BOOL use_fake_units, preserve_timestamps = FALSE, fast_zeroing = FALSE, app_changed_size = FALSE;
+BOOL is_x86_32, use_own_c32[NB_OLD_C32] = { FALSE, FALSE }, mbr_selected_by_user = FALSE, lock_drive = TRUE;
+BOOL op_in_progress = TRUE, right_to_left_mode = FALSE, has_uefi_csm = FALSE, its_a_me_mario = FALSE;
+BOOL enable_HDDs = FALSE, enable_VHDs = TRUE, enable_ntfs_compression = FALSE, no_confirmation_on_cancel = FALSE;
+BOOL advanced_mode_device, advanced_mode_format, allow_dual_uefi_bios, detect_fakes, enable_vmdk, force_large_fat32;
+BOOL usb_debug, use_fake_units, preserve_timestamps = FALSE, fast_zeroing = FALSE, app_changed_size = FALSE;
 BOOL zero_drive = FALSE, list_non_usb_removable_drives = FALSE, enable_file_indexing, large_drive = FALSE;
 BOOL write_as_image = FALSE, write_as_esp = FALSE, use_vds = FALSE, ignore_boot_marker = FALSE;
-BOOL appstore_version = FALSE, is_vds_available = TRUE, set_drives_offline = FALSE;
+BOOL appstore_version = FALSE, is_vds_available = TRUE;
 float fScale = 1.0f;
 int dialog_showing = 0, selection_default = BT_IMAGE, persistence_unit_selection = -1, imop_win_sel = 0;
-int default_fs, fs_type, boot_type, partition_type, target_type;
+int default_fs, fs_type, boot_type, partition_type, target_type, unattend_xml_selection = 0;
 int force_update = 0, default_thread_priority = THREAD_PRIORITY_ABOVE_NORMAL;
 char szFolderPath[MAX_PATH], app_dir[MAX_PATH], system_dir[MAX_PATH], temp_dir[MAX_PATH], sysnative_dir[MAX_PATH];
 char app_data_dir[MAX_PATH], user_dir[MAX_PATH];
@ -151,6 +138,7 @@ StrArray BlockingProcess, ImageList;
 // Number of steps for each FS for FCC_STRUCTURE_PROGRESS
 const int nb_steps[FS_MAX] = { 5, 5, 12, 1, 10, 1, 1, 1, 1 };
 const char* flash_type[BADLOCKS_PATTERN_TYPES] = { "SLC", "MLC", "TLC" };
+const char* bypass_name[4] = { "BypassTPMCheck", "BypassSecureBootCheck", "BypassRAMCheck", "BypassStorageCheck" };
 RUFUS_DRIVE rufus_drive[MAX_DRIVES] = { 0 };

 // TODO: Remember to update copyright year in stdlg's AboutCallback() WM_INITDIALOG,
@ -1268,7 +1256,7 @@ static char* CreateUnattendXml(int arch, int mask)
 	FILE* fd;
 	int i, order;
 	const char* xml_arch_names[5] = { "x86", "amd64", "arm", "arm64" };
-	const char* bypass_name[4] = { "BypassTPMCheck", "BypassSecureBootCheck", "BypassRAMCheck", "BypassStorageCheck" };
+	unattend_xml_selection = mask;
 	if (arch < ARCH_X86_32 || arch >= ARCH_ARM_64 || mask == 0)
 		return NULL;
 	arch--;
@ -1282,10 +1270,11 @@ static char* CreateUnattendXml(int arch, int mask)
 	fprintf(fd, "<?xml version=\"1.0\" encoding=\"utf-8\"?>\n");
 	fprintf(fd, "<unattend xmlns=\"urn:schemas-microsoft-com:unattend\">\n");

-	// This part produces the unbecoming display of a command prompt window during initial setup, which
-	// may scare users... But the Windows Store version doesn't allow us to edit an offline registry...
+	// This part produces the unbecoming display of a command prompt window during initial setup as well
+	// as alters the layout and options of the initial Windows installer screens, which may scare users.
+	// So, in format.c, we'll try to insert the registry keys directly and drop this section. However,
+	// because Microsoft prevents Store apps from editing an offline registry, we do need this fallback.
 	if (mask & UNATTEND_WINPE_SETUP_MASK) {
-		enable_inplace = TRUE;
 		order = 1;
 		fprintf(fd, "  <settings pass=\"windowsPE\">\n");
 		fprintf(fd, "    <component name=\"Microsoft-Windows-Setup\" processorArchitecture=\"%s\" language=\"neutral\" "
@ -1351,7 +1340,6 @@ static char* CreateUnattendXml(int arch, int mask)
 	if (mask & UNATTEND_OFFLINE_SERVICING) {
 		fprintf(fd, "  <settings pass=\"offlineServicing\">\n");
 		if (mask & UNATTEND_OFFLINE_INTERNAL_DRIVES) {
-			set_drives_offline = TRUE;
 			fprintf(fd, "    <component name=\"Microsoft-Windows-PartitionManager\" processorArchitecture=\"%s\" language=\"neutral\" "
 				"xmlns:wcm=\"http://schemas.microsoft.com/WMIConfig/2002/State\" xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\" "
 				"publicKeyToken=\"31bf3856ad364e35\" versionScope=\"nonSxS\">\n", xml_arch_names[arch]);
@ -2768,8 +2756,7 @@ static INT_PTR CALLBACK MainCallback(HWND hDlg, UINT message, WPARAM wParam, LPA
 			fs_type = (int)ComboBox_GetCurItemData(hFileSystem);
 			write_as_image = FALSE;
 			write_as_esp = FALSE;
-			enable_inplace = FALSE;
-			set_drives_offline = FALSE;
+			unattend_xml_selection = 0;
 			// Disable all controls except Cancel
 			EnableControls(FALSE, FALSE);
 			FormatStatus = 0;
--- a/src/rufus.h
+++ b/src/rufus.h
@ -494,6 +494,20 @@ enum ArchType {
 	ARCH_MAX
 };

+// Windows User Experience (unattend.xml) options
+#define UNATTEND_SECUREBOOT_TPM_MASK        0x01
+#define UNATTEND_MINRAM_MINDISK_MASK        0x02
+#define UNATTEND_NO_ONLINE_ACCOUNT_MASK     0x04
+#define UNATTEND_NO_DATA_COLLECTION_MASK    0x08
+#define UNATTEND_OFFLINE_INTERNAL_DRIVES    0x10
+#define UNATTEND_DEFAULT_MASK               0x1F
+
+#define UNATTEND_WINPE_SETUP_MASK           (UNATTEND_SECUREBOOT_TPM_MASK | UNATTEND_MINRAM_MINDISK_MASK)
+#define UNATTEND_SPECIALIZE_DEPLOYMENT_MASK (UNATTEND_NO_ONLINE_ACCOUNT_MASK)
+#define UNATTEND_OOBE_SHELL_SETUP           (UNATTEND_NO_DATA_COLLECTION_MASK)
+#define UNATTEND_OFFLINE_SERVICING          (UNATTEND_OFFLINE_INTERNAL_DRIVES)
+#define UNATTEND_DEFAULT_SELECTION          (UNATTEND_SECUREBOOT_TPM_MASK | UNATTEND_NO_ONLINE_ACCOUNT_MASK | UNATTEND_OFFLINE_INTERNAL_DRIVES)
+
 /*
 * Globals
 */
--- a/src/rufus.rc
+++ b/src/rufus.rc
@ -33,7 +33,7 @@ LANGUAGE LANG_NEUTRAL, SUBLANG_NEUTRAL
 IDD_DIALOG DIALOGEX 12, 12, 232, 326
 STYLE DS_SETFONT | DS_MODALFRAME | DS_CENTER | WS_MINIMIZEBOX | WS_POPUP | WS_CAPTION | WS_SYSMENU
 EXSTYLE WS_EX_ACCEPTFILES
-CAPTION "Rufus 3.20.1916"
+CAPTION "Rufus 3.20.1917"
 FONT 9, "Segoe UI Symbol", 400, 0, 0x0
 BEGIN
    LTEXT           "Drive Properties",IDS_DRIVE_PROPERTIES_TXT,8,6,53,12,NOT WS_GROUP
@ -395,8 +395,8 @@ END
 //

 VS_VERSION_INFO VERSIONINFO
- FILEVERSION 3,20,1916,0
- PRODUCTVERSION 3,20,1916,0
+ FILEVERSION 3,20,1917,0
+ PRODUCTVERSION 3,20,1917,0
 FILEFLAGSMASK 0x3fL
 #ifdef _DEBUG
 FILEFLAGS 0x1L
@ -414,13 +414,13 @@ BEGIN
            VALUE "Comments", "https://rufus.ie"
            VALUE "CompanyName", "Akeo Consulting"
            VALUE "FileDescription", "Rufus"
-            VALUE "FileVersion", "3.20.1916"
+            VALUE "FileVersion", "3.20.1917"
            VALUE "InternalName", "Rufus"
            VALUE "LegalCopyright", "© 2011-2022 Pete Batard (GPL v3)"
            VALUE "LegalTrademarks", "https://www.gnu.org/licenses/gpl-3.0.html"
            VALUE "OriginalFilename", "rufus-3.20.exe"
            VALUE "ProductName", "Rufus"
-            VALUE "ProductVersion", "3.20.1916"
+            VALUE "ProductVersion", "3.20.1917"
        END
    END
    BLOCK "VarFileInfo"