Booting Windows Defender Online from PXE

A while back I wrote a post about booting Microsoft System Sweeper Beta from PXE. Booting WDO (Windows Defender Online) is pretty simple, and the System Sweeper post already covers what you need to do. However, I've wanted to expand that post for a long time and just haven't found the time. Today I'm going to give you the rundown. This post assumes you have WDS (Windows Deployment Services) running. If you don't, you'll need to add the role to your Windows server first. A quick search on TechNet will tell you how.

Here are the steps.

1. Install WAIK by extracting, mounting, or burning the ISO. (You need WAIK to modify WIM files with DISM.)
2. Install WDO. Select ISO and note the path that it's going to copy the ISO to.
3. Extract the following files:
   WDO_Media64.ISO\mpam-fex64.exe
   WDO_Media32.ISO\mpam-fe.exe
   WDO_Media64.ISO\FilesList64.dll
   WDO_Media32.ISO\FilesList32.dll
   WDO_Media64.ISO\sources\boot.wim
   WDO_Media32.ISO\sources\boot.wim
4. Mount the WIM files: Dism /Mount-Wim /WimFile:C:\path\to\your\boot.wim /index:1 /MountDir:C:\path\to\your\mountdir
5. Add drivers: Dism /image:C:\path\to\your\mount /add-driver /driver:C:\Path\To\Your\Drivers /Recurse
6. Copy these files to the mount path: mpam-fex64.exe mpam-fe.exe FilesList64.dll FilesList32.dll
7. Unmount the WIM: Dism /Unmount-Wim /MountDir:C:\path\to\your\mount /Commit
8. Add to WDS, boot your infected systems, and blast some malware.

DISM Directions for updating WIM Images are here – http://technet.microsoft.com/en-us/library/dd744355%28v=WS.10%29.aspx#AddDriverDISM

If you run into trouble committing the changes and unmounting the WIM, make sure that nothing is locking the mount folder (try Unlocker) and then run dism /cleanup-wim to clean up the bad unmount. You might have to redo your steps if the WIM wasn't saved.
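
Steps 4 to 7 and the cleanup above can be scripted as one pass. The PowerShell below is an added example, not from the original post: every path is a placeholder, and the signature check on the definition package is an extra safeguard the post does not include, since whatever goes into this image is booted by every PXE client.

```powershell
# Added example. All paths are placeholders; run once per architecture.
param(
    [string]$Wim         = 'C:\wdo\x64\boot.wim',
    [string]$MountDir    = 'C:\wdo\mount',
    [string]$Drivers     = 'C:\wdo\drivers',
    [string]$Definitions = 'C:\wdo\x64\mpam-fex64.exe',
    [string]$FilesList   = 'C:\wdo\x64\FilesList64.dll'
)
$ErrorActionPreference = 'Stop'

# The definition package ends up in an image every PXE client boots,
# so require a valid Authenticode signature from Microsoft first.
$sig = Get-AuthenticodeSignature -FilePath $Definitions
if ($sig.Status -ne 'Valid' -or
    $sig.SignerCertificate.Subject -notmatch 'O=Microsoft Corporation') {
    throw "Refusing to inject ${Definitions}: signature status $($sig.Status)"
}

# Run dism.exe and turn a non-zero exit code into a terminating error.
function Invoke-Dism([string[]]$DismArgs) {
    & dism.exe $DismArgs
    if ($LASTEXITCODE -ne 0) {
        throw "dism $($DismArgs -join ' ') exited with $LASTEXITCODE"
    }
}

New-Item -ItemType Directory -Force -Path $MountDir | Out-Null
Invoke-Dism @('/Mount-Wim', "/WimFile:$Wim", '/index:1', "/MountDir:$MountDir")
try {
    Invoke-Dism @("/image:$MountDir", '/add-driver', "/driver:$Drivers", '/Recurse')
    Copy-Item -Path $Definitions, $FilesList -Destination $MountDir
    Invoke-Dism @('/Unmount-Wim', "/MountDir:$MountDir", '/Commit')
} catch {
    # Do not leave a half-modified image mounted: discard, clean up, rethrow.
    & dism.exe /Unmount-Wim "/MountDir:$MountDir" /Discard
    & dism.exe /Cleanup-Wim
    throw
}

# Record the hash of the image that is about to be added to WDS.
Get-FileHash -Algorithm SHA256 -Path $Wim | Format-List Path, Hash
```

Run it from an elevated prompt where dism.exe is on the PATH, once with the 64-bit files and once with the 32-bit ones.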

Have fun and if you have any questions feel free to leave a comment.