* This is required because, even though it's easy to change a local account name
post install, doing so does not change the directory name in C:\Users\
* These are reserved usernames that are created by default, so we should not use them.
* Also fix missing format specifier in ApplyWindowsCustomization() and make sure we
print wim_index for both mount and unmount.
* Closes#2067 (with thanks to marcosfrm)
* This reverts most of 3528ca773d in order to download 'core.img' from our server instead of patching it.
* Also solve the issue of downloading a custom 'core.img' for Fedora 37, that introduced
a new 'grub_debug_is_enabled' symbol without altering their GRUB version string.
* This is accomplished by doing what the distro maintainers should have done on their
own, by appending a custom suffix to the GRUB version string.
* Pick the version and build number directly from the install[.wim|.esd] XML index.
This forces us to mount the ISO during scan, but it's the only way to get an accurate Build number...
* Also drop linking to version.dll (along with the whole version.dll delay-loading shenanigans).
* Remove last ditch effort on systems that are clearly broken for localization
and always report an explicit error to the user.
* Also update GitHub Actions actions/checkout (Closes#2036).
* Existing code was trying to detect if GRUB patching was needed for GRUB bootloaders
even if they were using standard prefixes, and as a result dropped GRUB support for
any versions that wasn't 2.04 or 2.06, since we don't have a patch for those.
* This patch restores the expected behaviour to ensure that we don't disable GRUB if
a standard prefix is being used, regardless of the version being reported.
* Note that this issue only affected BIOS GRUB boot. UEFI GRUB boot was unaffected.
* Also set rufus-next to 3.21.
* sr-SR is not a country code that Microsoft accepts (and from what I can see
is not valid, because it should be sr-RS).
* This has the unfortunate effect of preventing the installation of Rufus from
the Windows Store, which fails with error 0x80070057 (Invalid parameter).
* Fix this by using a country code for Serbia that Microsoft does accept: sr-Latn-RS
* Closes#2015
* First thing I'm gonna say is that, if your app validation process is unable to catch universal
installation errors like the one above, then your app validation process *SUCKS*, Microsoft!
* Hopefully, this has to do with the additional languages not being passed to MakePri's /dq
option. And there I also have to say thanks to Microsoft for *NOT* documenting how the heck
one is supposed to pass multiple languages with /dq, so that you actually end up with
<qualifier name="Language" value="en-US;ar-SA;bg-BG;..."> in priconfig.xml.
* What's that quote again? "Show me an App Store than only triples my work, and I will happily
let it take a third of my revenue"...?
* Some "unofficial" Windows ISOs use a custom boot.wim that only includes the Setup
image at index 1, rather than at index 2, after the PE image, for official ISOs.
* Also refactor to add a long needed vhd.h header.
* Also fix a MinGW warning.
* How nice of "Open Source proponent" IBM/Red-Hat/Fedora to fix double space typos while making sure the
provenance of the software they are using is hidden:
https://src.fedoraproject.org/rpms/grub2/blob/rawhide/f/0024-Don-t-say-GNU-Linux-in-generated-menus.patch
* Long story short: Fedora fixed the double space in "GRUB version", but of course they didn't upstream
this change since it is part of a patch that removes every possible mention of GNU. This made our GRUB
version detection break, since it relies on finding a "GRUB version" string.
* Fix this by looking for both "GRUB version" and "GRUB version".
* This, however, does not fix Fedora Rawhide BIOS boot, since they also added custom GRUB calls such as
'grub_debug_is_enabled', which we don't have in our vanilla produced GRUB binary.
* Closes#2002.
* Local account is created with the same name as the current user along with an *empty* password
(which we force the user to change on next logon). This is done to assuage users who might be
weary of entering a password in a third party application, and has the benefit of enabling
autologon when the install is complete.
* Note that the creation of a local account through an answer file prevents Windows 11 22H2
from bugging users about MSA *even with an active network connection*.
* For convenience reasons, only duplication of the current username is enabled. We *may* add a
dialog to enter any random username in a future version, but for 3.20, this is all you get.
* Likewise, the locale duplication is only carried out during OOBE and *not* WinPE (which means
that you still get the initial "Windows setup language and user preferences" prompt). This is
intentional as otherwise the default screen and "Repair Windows" options are not presented.
* It's not my fault that the Windows password change screen is super ill conceived, whereas it
doesn't hide the current password field as it should when the current password is blank, and
one needs to click on a very small arrow to get the changes applied, instead of a PROMINENT
button that should intuitively have been positioned right next to "Cancel".
* If you want to complain that we should just "present the user with XYZ and be done with it",
please bear in mind that we can't add new dialogs to Rufus as willy-nilly as you believe we
can. *ANY* new UI interface requires major planning, which is the reason why, for the time
being, we are limited to reusing a simple dissociated list of checkboxes for all WUE options.
* In a manner that defies logic, Microsoft designed Windows setup to parse Autounattend.xml
for windowsPE tasks in the PE environment, but only carry out the copying of that file
to %WINDIR%\Panther for subsequent processing with the other passes *IF* there exist an
actual windowsPE section.
* In short, when using the Autounattend.xml method, Microsoft have made all passes there
dependent on the existence of a windowsPE pass, regardless of whether that pass has any
use or not.
* Working around this would be fine and all (just add an empty windowsPE pass so that the
later passes get executed) if the absence of a windowsPE pass didn't also determine
whether the user will be presented with the default Windows setup screens that include
the "Repair your computer" option or a completely different set of screens (c.f. #1971).
* This means that, to keep users happy, we need to add yet another method to carry out
tasks that should have remained the realm of boot.wim's Autounattend.xml, and instead
create a \sources\$OEM$\$$\Panther\unattend.xml when there are no windowsPE tasks (on
account that setup copies anything found under \sources\$OEM$\$$\ to %WINDIR%\).
Only through this can we have the specialize and oobeSystem tasks actually carried out
(for bypassing MSA requirements of skipping the data collection screens) while keeping
the original Windows Setup look and feel.
* Closes#1981
* The use of an unattend.xml to create the TPM/Secure Boot/Disk/RAM bypass keys was
prompted by Microsoft restricting the ability of Windows Store app from manipulating
offline registry hives.
* However, the use of a windowsPE phase in unattend.xml to insert the keys results in
a windows command prompt briefly appearing when setup launches, as well as slightly
different Windows setup screens from the default.
* So we are now reverting to trying to edit the boot.wim registry hive offline (which
should work for the non Store version of Rufus) while falling back to using a PE
unattend section if that doesn't work.
* Closes#1971
* This is for Knoppix images that have a /boot/syslinux that links to /boot/isolinux/
with EFI Syslinux trying to use /boot/syslinux/syslnx[32|64].cfg as its config file.
* Note to Knoppix devs, you could have ensured EFI File System transposition by using
the same approach as we do here, which is to create non-symlinked /boot/syslinux
config files that point back to the isolinux ones.
* This should produce the same output while improving compatibility with systems that have a broken VGA implementation.
* Also fix an LD error with newer gcc toolchains.
* See https://lists.gnu.org/archive/html/libcdio-devel/2022-06/msg00000.html
* This partially fixes ISO mode support for Gentoo Live, though, since the Gentoo
maintainers appear not to have a kernel NTFS driver in the current images, the
installer still fails to mount the installation media.
* This is enabled by default for Windows 11 images and is done to prevent the
annoying behaviour of Windows 11 *automatically* upgrading all ReFS drives
it sees to latest version, thereby instantly preventing you from accessing
these drives ever again with Windows 10.
* See: https://gist.github.com/0xbadfca11/da0598e47dd643d933dc#Mountability.
* I've never seen that watermark in the first place, therefore can't test if the option is
working, and, as opposed to the other options, users can deal with it post install anyway.
* Also ensure that we prompt for customization when selecting an install.wim.
* This moves the extended Windows 11 options (bypass TPM & Secure Boot) away from
"Image options" into a new explicit dialog, along with supplementary customization
such as enabling offline account (for Windows 11 22H2) and skipping all data
collection questions.
* This customization is now enacted through an unattend.xml file rather than offline
registry manipulation, so that this *should* also work with the Windows Store version.
* Also update arch detection and rework/reorganize upcoming translation changes.
* Note: The 'Remove "unsupported hardware" desktop watermark' option is *UNTESTED*.
* Now uses read-only NTFS drivers v1.3 from https://github.com/pbatard/ntfs-3g.
* Like previous ones, aa64, ia32 and x64 versions are Secure Boot signed (but not arm).
* Fixes the recent potential vulnerabilities found in https://github.com/tuxera/ntfs-3g.
* Note that we have asked Microsoft to add the previous signed NTFS drivers to the UEFI
Revocation List, even as we believe that the ntfs-3g vulnerabilities are not exploitable
in the limited context of UEFI:NTFS.
* This enables the provision of Registry/Settings key IgnoreUsb01 to IgnoreUsb08 where
one can specify a USB device to ignore by providing its VID:PID as a 32-bit hex value.
* Closes#1879.
* Also update rufus.ini sample for current Rufus version.
* Also fix status display for Alt-Q.
* This reverts 3194a4dac4 on account that MinGW's delay loading of
wininet.dll causes the application to prematurely close.
* Yet another episode of the never ending #1877 saga...
* Now that we can delay-load DLLs for both MinGW and MSVC, we can also remove
the direct DLL hook that was added into dwmapi.dll due to side loading and
revert to using a direct API call instead.
* This reverts part of e1d864f755.
* Also attempt to silence that damn Coverity warning.
* Now that we can delay-load DLLs for both MinGW and MSVC, we can remove the
cumbersome direct DLL hooks into wininet.dll (which is vulnerable to side
loading when not delay-loaded) and revert to using direct API calls instead.
* This reverts part of e1d864f755.
* Also attempt to silence a Coverity warning.
* This reverts much of commits f6ac559f4d and 1947266837
so that we call the Windows APIs directly again, while ensuring that, by the time we load the DLLs,
sideloading mitigation has already been applied by the application.
* This is a continuation of #1877, and should help prevent re-introducing side-loading issues when we
link against new libraries, as well as allow us to drop some of the manual DLL hooking we've been
doing to prevent it, to clean up the code.
* Note that this is a bit more complex than what the stackoverflow post suggests, because we need to
create delayloaded libs for both 32-bit and 64-bit, which use a different calling convention and
therefore need to use different .def files. So there's a lot of gymkhana involved, with Makefiles
and whatnot, to get us there.
* Also simplify the use of CM_Get_DevNode_Registry_PropertyA() in dev.c since recent versions of
MinGW now have support for it.
* Also fix 2 small issues in net.c (potential overflow) and format.c (memory leak).
* This should help with the CoreELEC usage case described in #1842
* Also add MBR handling for ESP ↔ FAT cheat mode (Alt-P)
* Also set rufus-next to 3.19
* WinTrust.lib is responsible for the MSASN1.dll sideloading issue described in #1877,
so, since we only use it for WinVerifyTrustEx(), hook into that function manually.
* Closes#1877 for the MinGW side.
* Note that we will probably try to use the method suggested by @assarbad and documented at
https://stackoverflow.com/questions/1851267/mingw-gcc-delay-loaded-dll-equivalent/70416894#70416894
to try to put an end to the problem of DLL side loading.
* ef2ff7179d was supposed to apply delay loading to our DLLs, for all MSVC builds,
thereby preventing sideloading attacks, but the patch actually only set the DelayLoadDLLs
property for Debug builds and not Release builds, with the result that side loading could
still be triggered for the Release executables, as demonstrated in #1877.
* This patch therefore properly sets the DelayLoadDLLs for all builds, which should take care
of the side loading vulnerability at least for MSVC executables.
* A subsequent patch will still be needed for MinGW, since there is no equivalent to DelayLoadDLLs.
* This addresses part of #1877.
* INetworkListManager appears to depend on specific services to be able to work,
which one can actually disable while still getting full Internet connectivity.
* If that is the case, HRESULT_FROM_WIN32(ERROR_SERVICE_DEPENDENCY_FAIL) will be
returned, therefore we add a fallback to using InternetGetConnectedState(), which
does not have such dependencies (but has other limitations per b2492908be)
when we detect a dependency error.
* Also take this opportunity to switch to using INetworkListManager::get_IsConnectedToInternet().
* Also fix Coverity breakage due to Synopsys having upgraded their toolchain.
* Closes#1801
* MIRACLE LINUX is a Red Hat derivative, so it needs the same special
treatment as Red Hat, CentOS, etc to work around issues in anaconda.
* This commit adds MIRACLE LINUX to the list of Red Hat derivatives.
* Closes#1866
* This fixes the regression introduced in c28f9bc491.
* 'if ((a && !b) || (!a && b))' can not always be simplified as 'if (a != b)' when the types for 'a' and 'b' are not straight booleans.
* Closes#1862
* Also drop the use of '%C' in printf() expression, as it is intended to print wide characters and not turn a char to uppercase.
* In their great "wisdom", Microsoft made it even harder to access ESPs on Windows 11,
meaning that we have to use even more convoluted ways of providing the ISO→ESP feature.
* Closes#1855
* Hypothetically if the user's current directory contains a malicious DLL that DLL
could be loaded instead of the one in System32.
* Whereas the previous patch should have taken care of the one DLL referenced by
Rufus that may be vulnerable to this attack (version.dll), we nonetheless add
delay loading for all the libraries we reference as a precautionary measure.
* One can confirm that this works by using dumpbin.exe /IMPORTS to make sure
a specific DLL is delay loaded. Then putting a breakpoint in the delay load
hook should also confirm that the hook is used.
* Closes#1838
* This is part of #1838, where we need to sort the version.dll sideloading problem for MinGW.
* A subsequent patch will be applied to MSVC, to more generally delay the loading of DLLs.
* Also fix a typo with an assert expression.
* Since CentOS Stream does not use the 'CentOS-8.*' labelling scheme.
* This is a follow up to #1777.
* Also fix Windows Kit location for signing scripts.
* I don't have time for this bullshit. Of course the irony is that a Microsoft product (CodeQL)
hosted on a Microsoft platform (GitHub) hasn't been updated to work with the latest Microsoft
compiler (VS2022).
* Also removed the stuff CodeQL complains about and updated README badges.
* Having two separate Visual Studio solution files, while more convenient, was a major
pain in the ass and it also required us to update versioning in the .appxmanifest for
each commit.
* Also, this new AppStore build process enables us to use the GitHub Actions executables
to further foster the complete transparency of our build process.
* This is a follow up to 1c2884ceba where the error code returned by Windows 7 platforms
that don't have KB2533623 is expected to be ERROR_INVALID_PARAMETER rather than ERROR_PROC_NOT_FOUND.
* Also update the Windows 11 'Extended' installation mode translations.
* Per 2a3e82fa96, it looks like some Windows 7 system have trouble with
LoadLibraryEx() if they don't have KB2533623 installed (which fixes a MAJOR Windows
vulnerability. Some people sure want to leave their system open to hackers...).
* Work around this by adding a fallback to LoadLibrary() in GetLibraryHandle()
* Also switch to using GetLibraryHandle() in dos.c and using LoadLibrary() in sections
where we have the full path (since these calls are not vulnerable).
* Commit 9dc045a701 introduced a regression on account that we didn't set the
file pointer to 0 before clearing the disk.
* This leads to the MBR not being properly cleared, with the result that Windows may in turn
produce errors when trying to repartition the disk.
* Fix this by making sure we do invoke SetFilePointerEx() before calling WriteFileWithRetry().
* Also set rufus-next to 3.17
* Also fix a MinGW warning
* Remove BypassRAMCheck from Extended Windows 11 installation since the minimum
RAM requirements for Windows 11 are 4 GB and not 8 GB as pointed out in #1791.
* Display Windows edition code when we can't resolve it.
* VS2019 wants us to have PackageOptionalProjectsInIdeBuilds enabled? So be it.
* If 'Extended Windows 11 Installation' mode is selected, the system registry hive of
'sources\boot.wim' is patched to add the Setup\LabConfig registry keys that bypass
the TPM 2.0/Secure Boot/8GB+ RAM Windows 11 system requirements.
* Use sources/compatresources.dll, when available, to try to detect the Windows ISO version and build.
* Also report what facility we use for formatting.
* Since version 8.2, and rhinstaller/anaconda@a766101954,
Red Hat derivatives have changed their CD-ROM detection policy which leads to
the installation source not being found when writing the media in ISO mode.
* Replace 'inst.stage2' by 'inst.repo' in the kernel options.
* Closes#1777 (See also rhinstaller/anaconda#rhinstaller/anaconda#3529).
* Note that this reverts part of 9c8fa40995.
* Windows 11 appears to be a lot more proactive in locking system partitions (ESPs, MSRs)
than previous versions of Windows were, resulting in format or access errors.
* Try to work around these by disabling exclusive drive locking as needed.
* Also use build number to detect Windows Server 2019 and Windows 11
since Microsoft are COMPLETE ASSES about their version reporting.
* Also fix a compilation warning.
* In replace_in_token_data() when looking for lines starting with a specific
token but finding lines containing a larger version of the token (e.g. looking
for 'linux' but finding 'linux16') we would forget to output the non matching
line as we rejected it.
* This produced issues such as the one described at:
https://ubuntuforums.org/showthread.php?t=2465291&page=10&p=14052629#post14052629
* Fix this by ensuring that we always output the lines that we reject.
* write_sector() should really only be used when writing single sectors as it
is way to slow for anything else => Switch to using WriteFileWithRetry().
* Also revert an unwarranted change from f0047986e7.
* ...that didn't get the memo about using UPPERCASE 11-chars max ISO labels.
* There's a reason why Arch labels its ISOs 'ARCH_YYYYMM', people!
* Anyway, EndeavourOS should now work in ISO mode when booted from UEFI.
* In their great wisdom, the openSUSE maintainers added a 'set linux=linux'
line to their grub.cfg, which means that their kernel option token is no
longer 'linux' but '$linux'... and we have to add a workaround for that.
* If users set the persistent size to max, we may run into a situation
where projected size (which is always a rough estimation) is too low.
* When persistence is in use, we increase the projected size by 10%, to
ensure that the above scenario cannot happen.
* Also work around potential issues with Windows APIs when the application
is launched from the root of a drive.
* While this is intended to solve the issue of saving GRUB/Syslinux files for the
App Store version, we apply this change globally, as it allows the user to move
the Rufus executable around while preserving access to existing downloads.
* Closes#1744
* This basically means that the script is validate *TWICE*, using two
completely independent signatures, before it is allowed to run, which
should add another mitigation layer against TOCTOU (which we already
friggin' mitigated against anyway) and other potential vectors of
attack.
* Also remove -DisableFirstRunCustomize option and the associated cookie
prompt monitoring, which the latest version of Fido no longer requires.
* Also update WDK version for signtool and flesh out PKI error messages.
* Trying to mount accessible partitions after writing an image may lead to the
creation of the infamous 'System Volume Information' folder on ESPs, which in
turn leads to checksum errors for Ubuntu's boot/grub/efi.img (that maps to the
Ubuntu ESP). So comment out that code.
* Also fix a missing CRLFs in the log after displaying write progress.
* Anaconda broke ISO compatibility, most likely with the following commit:
84529204fe
* However, Ret Hat, and its followers, have drunk the "DD only" kool aid, and
appear to be blissfully unaware of the very real drawbacks that enforcing a
"DD only" mode for ISOHybrid can actually place on distro users.
* Rather than spend another wasted effort trying get people, who appear to be
impervious to even remotely consider the idea that DD imaging can have flaws,
to look into the possibility that Red Hat might indeed have introduced a
regression, and given the downright hostility I have been subjected to from
trying to state this *very verifiable* fact, we'll just force DD mode for the
affected Red Hat and derivatives, whilst trusting that users will be smart
enough to compare their more limited installation experience against the ones
from other distros (such as Arch, Debian or Ubuntu, which, unlike Red Hat and
co., appear to fully understand that the whole ISOHybrid vs DD mode situation
is not all black and white), and see for themselves which distros do actually
place *their* interests first, rather than just the interests of the distro
maintainers...
* GRUB 2.0 maintainer think they're doing a fine job, even when there are
CRITICAL SECURITY FIXES that should warrant an immediate out of bound
release, and instead consider that waiting MONTHS or YEARS to release
anything is not a big deal at all.
* Ergo, distros, such as Ubuntu, start to pick whatever security patches
they see fit, since they can simply not RELY on the upstream project to
produce security releases in a timely manner. One such patch is:
https://lists.gnu.org/archive/html/grub-devel/2021-03/msg00012.html
* But since there is no new GRUB release per se, they still call their GRUB
version, onto which they applied patches that have come into existence
more than 2 years after the actual 2.04 release, "GRUB 2.04".
* Obviously, since GRUB 2.04 + literally hundreds of cherry picked patches
does deviate a lot from the last release, THINGS BREAK IN SPECTACULAR
FASHION, such as the recently released Ubuntu 21.04 failing to boot with
the error: grub_register_command_lockdown not found.
* Oh, and of course, regardless of all the above, if you ask anyone, they'll
tell you that there's nothing fundamentally wrong with the GRUB release
process (even if they should long have released 2.05, 2.05-1 and 2.05-2,
were their maintainer ready to acknowledge that delaying releases DOES
CREATES MAJOR ISSUES DOWSTREAM, as many people REPEATEDLY pointed to them
on the GRUB mailing list) or with the Ubuntu GRUB versioning process (that
really shouldn't be calling their version of GRUB "grub-2.04" but instead
something like "grub-2.04_ubuntu"). Oh no siree! Instead, the problem must
all be with Rufus and its maintainer, who should either spend their lives
pre-emptively figuring which breaking patch every other distro applied out
there, or limit media creation to DD mode, like any "sensible" person
would do, since DD mode is the ultimate panacea (Narrator: "It wasn't").
* So, once again, a massive thanks to all the people who have been involved
in the current GRUB 2.0 shit show, whose DIRECT result is to make end
users' lives miserable, while GRUB maintainers are hell bent on continuing
to pretend that everything's just peachy and are busy patting themselves
on the back on account that "Fedora recently dropped more than 100 of the
custom patches they had to apply to their GRUB fork" (sic). Nothing to see
here, it's just GRUB maintainer's Jedi business as usual. Besides, who the
hell cares about Windows users trying to transition to Linux in a friendly
manner anyway. I mean, as long as something doesn't affect existing Linux
users, it isn't a REAL problem, right?...
* Combined with the increase in buffer size from previous commits, this
should help us get close to a device's maximum write speed.
* Also add async write support to winio.h
* Also increase the buffer size for bad blocks check operations
* This is in preparation for async reads
* Also move open/close image operations to WriteDrive()
* Also increase DD buffer size to 32 MB to improve performance
* 2e1833e91e introduced issues with VDS since, despite what
Microsoft's documentation says, balancing CoInitialize with CoUninitialize
leads to VDS not properly relinquishing disk access.
* Of course, since Grub4DOS's grldr.mbr hasn't changed from previous releases
there's not much to update there, but then again, people like version bumps.