• BlackLotus UEFI bootkit: Myth confirmed. Bypasses all Windows 11 securities.


    #2538949

    https://www.welivesecurity.com/2023/03/01/blacklotus-uefi-bootkit-myth-confirmed/

    (The first in-the-wild UEFI bootkit bypassing UEFI Secure Boot on fully updated UEFI systems is now a reality. Bypassing Secure Boot, Microsoft Defender, VBS, BitLocker).

    ..In this blogpost we present the first public analysis of this UEFI bootkit, which is capable of running on even fully-up-to-date Windows 11 systems with UEFI Secure Boot enabled. Functionality of the bootkit and its individual features leads us to believe that we are dealing with a bootkit known as BlackLotus, the UEFI bootkit being sold on hacking forums for $5,000 since at least October 2022…

    Following are the key points about BlackLotus and a timeline summarizing the series of events related to it:

    It’s capable of running on the latest, fully patched Windows 11 systems with UEFI Secure Boot enabled.

    It exploits a more than one year old vulnerability (CVE-2022-21894) to bypass UEFI Secure Boot and set up persistence for the bootkit. This is the first publicly known, in-the-wild abuse of this vulnerability.

    Although the vulnerability was fixed in Microsoft’s January 2022 update, its exploitation is still possible as the affected, validly signed binaries have still not been added to the UEFI revocation list. BlackLotus takes advantage of this, bringing its own copies of legitimate – but vulnerable – binaries to the system in order to exploit the vulnerability.

    It’s capable of disabling OS security mechanisms such as BitLocker, HVCI, and Windows Defender.

    Once installed, the bootkit’s main goal is to deploy a kernel driver (which, among other things, protects the bootkit from removal), and an HTTP downloader responsible for communication with the C&C and capable of loading additional user-mode or kernel-mode payloads.

    BlackLotus has been advertised and sold on underground forums since at least October 6th, 2022. In this blogpost, we present evidence that the bootkit is real, and the advertisement is not merely a scam.

    Interestingly, some of the BlackLotus installers we have analyzed do not proceed with bootkit installation if the compromised host uses one of the following locales:
    Romanian (Moldova), ro-MD
    Russian (Moldova), ru-MD
    Russian (Russia), ru-RU
    Ukrainian (Ukraine), uk-UA
    Belarusian (Belarus), be-BY
    Armenian (Armenia), hy-AM
    Kazakh (Kazakhstan), kk-KZ…

    • This topic was modified 2 years, 1 month ago by Alex5723.
    6 users thanked author for this post.
    • #2538969

      The first in-the-wild UEFI bootkit bypassing UEFI Secure Boot on fully updated UEFI systems is now a reality

      Wow, this really makes * my day;  [NOT*].
      Please follow-up with some good news about this!

      * _ ... _ *
      • #2539066

        The Q&A is fascinating :

        BlackLotus’s advertisement on hacking forums claims that it features integrated Secure Boot bypass. Adding vulnerable drivers to the UEFI revocation list is currently impossible, as the vulnerability affects hundreds of bootloaders that are still used today. ✅

        True: It exploits CVE-2022-21894 in order to break Secure Boot and achieve persistence on UEFI-Secure-Boot-enabled systems. Vulnerable drivers it uses are still not revoked in the latest dbx, at the time of writing.

        BlackLotus’s advertisement on hacking forums claims that the bootkit has built-in Ring0/Kernel protection against removal. ✅

        True: Its kernel driver protects handles belonging to its files on the EFI System Partition (ESP) against closing. As an additional layer of protection, these handles are continuously monitored and a Blue Screen Of Death (BSOD) triggered if any of these handles are closed, as described in the Protecting bootkit files on the ESP from removal section.

        BlackLotus’s advertisement on hacking forums claims that it comes with anti-virtual-machine (anti-VM), anti-debug, and code obfuscation features to block malware analysis attempts. ✅

        True: It contains various anti-VM, anti-debug, and obfuscation techniques to make it harder to replicate or analyze. However, we are definitely not talking about any breakthrough or advanced anti-analysis techniques here, as they can be easily overcome with little effort.

        BlackLotus’s advertisement on hacking forums claims that its purpose is to act as an HTTP downloader. ✅

        True: Its final component acts as an HTTP downloader, as described in the HTTP downloader section.

        BlackLotus’s advertisement on hacking forums claims that the HTTP downloader runs under the SYSTEM account within a legitimate process. ✅

        True: Its HTTP downloader runs within the winlogon.exe process context.

        BlackLotus’s advertisement on hacking forums claims it is a tiny bootkit with an on-disk size of only 80 kB. ✅

        True: Samples we were able to obtain really are around 80 kB.

        BlackLotus’s advertisement on hacking forums claims that it can disable built-in Windows security protections such as HVCI, Bitlocker, Windows Defender, and bypass User Account Control (UAC). ✅

        True: It can disable HVCI, Windows Defender, BitLocker, and bypass UAC.

        4 users thanked author for this post.
    • #2551725

      Guidance for investigating attacks using CVE-2022-21894: The BlackLotus campaign

      This guide provides steps that organizations can take to assess whether users have been targeted or compromised by threat actors exploiting CVE-2022-21894 via a Unified Extensible Firmware Interface (UEFI) bootkit called BlackLotus. UEFI bootkits are particularly dangerous as they run at computer startup, prior to the operating system loading, and therefore can interfere with or deactivate various operating system (OS) security mechanisms such as BitLocker, hypervisor-protected code integrity (HVCI), and Microsoft Defender Antivirus. Though this could impede investigations and threat hunting efforts, several artifacts can still be leveraged to identify affected devices. This document covers:

      Techniques to determine if devices in an organization are infected
      Recovery and prevention strategies to protect your environment..

      1 user thanked author for this post.
    • #2557951

      Microsoft fixed BlackLotus UEFI Secure Boot in Windows 11 / 10 servers.

      https://support.microsoft.com/en-us/topic/kb5025885-how-to-manage-the-windows-boot-manager-revocations-for-secure-boot-changes-associated-with-cve-2023-24932-41a975df-beb2-40c1-99a3-b3ff139f832d

      Summary
      This article describes the protection against the public disclosure of a Secure Boot security feature bypass by using the BlackLotus UEFI bootkit tracked by CVE-2023-24932 and how to enable the protections and guidance to update bootable media. A bootkit is a malicious program that is designed to load as early as possible in a device’s sequence, in order to control the operating system start…

      The May 9, 2023 security update provides configuration options to manually enable protections for the Secure Boot bypass but these protections are not enabled automatically. Before you enable these protections, you must verify your devices and all bootable media are updated and ready for this security hardening change. ..

      3 users thanked author for this post.
    • #2558349

      ghacks published an article today: https://www.ghacks.net/2023/05/12/windows-cve-2023-24932-blacklotus-bootkit/  It references a different/new CVE: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-24932

      The patch, when it’s enforced, sounds like it could be a major, major headache for users. Reading the “Avoiding issues with your Bootable Media” section of the KB5025885 link provided by Alex5723, it appears that pretty much ALL previously bootable media (USBs, ISOs, DVDs, backup images like Macrium Reflect and more) may cease to be useable. If I’m reading things right, this could be a total mess. Ouch!

      Win10 Pro x64 22H2, Win10 Home 22H2, Linux Mint + a cat with 'tortitude'.

    • #2558355

      Will someone please explain if this patch will have an effect on the average user?

      Will everyone get this patch?

      As a consequence, will their backups fail?

      Will their bootable devices fail?

      On permanent hiatus {with backup and coffee}
      offline▸ Win10Pro 2004.19041.572 x64 i3-3220 RAM8GB HDD Firefox83.0b3 WindowsDefender
      offline▸ Acer TravelMate P215-52 RAM8GB Win11Pro 22H2.22621.1265 x64 i5-10210U SSD Firefox106.0 MicrosoftDefender
      online▸ Win11Pro 22H2.22621.1992 x64 i5-9400 RAM16GB HDD Firefox116.0b3 MicrosoftDefender
      • #2558399

        I did encounter weird things with some bootable devices together with the reconstruction of the OS or salvation of “normal” data in a small scale. Though when reconstruction fails it’s always a big thing.

        Indeed some older usb-flash drives became fairly unusable because Macrium and Acronis do wish that one re-create the boot medium with the updated backup software. Problems may differ from how the usbdrive will be identified and how easy and liable the new flash-boot-creation can be done. One thing to be sure of the backed-up ISOs or images is to use a usbdrive of the newest generation (3.2.1 of 3.2.0 the least), and for sure physically prove that data can be restored on the same machine!

        Indeed also, various data-destructive problems can occur with older 64bit pc hardware running 32bit Windows in combination with very little Ram-memory installed on this pc/laptop machine.

        And finally, without any notification Microsoft Defender acts differently to the (older) various kinds of usb-flashdrives, and one needs to have a lot of patience before you can use this drive. Microsoft needs! to scan the whole drive every time this drive is inserted, regardless if there is other and more intelligent software doing this scanning job and that actually remembers the scanning results. Till now Defender does not remember previous scannings (anymore?)  and will be switched on without any notification. Even if Microsoft is told to exclude this drive. All and all, this consumes too much time.

        My guess is that it will not take too long before the latest/newest versions of CPU’s and motherboards will be obligatory to use to be on the safer side; and that for how long this time?

        (PS: drinking too much coffee is very bad for the nights sleep)

        * _ ... _ *
        3 users thanked author for this post.
      • #2558407

        Backups will not fail.  As I understand it (and doing tests this weekend) that if you install the patch and do not do the scripts, no impact will be seen whatsoever.  You will see impact if you install the script and then attempt to boot from the unfixed original iso media.  So if you pulled down a windows 10 22H2 iso and try to boot from that and repair your secure boot/script fixed system – that will have issues.

        I’ll let you know.

         

        Susan Bradley Patch Lady/Prudent patcher

        3 users thanked author for this post.
    • #2558406

      (The first in-the-wild UEFI bootkit bypassing UEFI Secure Boot on fully updated UEFI systems is now a reality. Bypassing Secure Boot, Microsoft Defender, VBS, BitLocker).

      For the BlackLotus UEFI bootkit exploit described in this article to be possible, an attacker must gain administrative privileges on a device or gain physical access to the device. This can be done by accessing the device physically or remotely, such as by using a hypervisor to access VMs/cloud.

      I’m not concerned.

      Always create a fresh drive image before making system changes/Windows updates; you may need to start over!
      We all have our own reasons for doing the things that we do with our systems; we don't need anyone's approval, and we don't all have to do the same things.
      We were all once "Average Users".

      2 users thanked author for this post.
      • #2558408

        ^^^what he said.  In a consumer/home/small business setting the attacker wants to go after a bigger target.  Ukraine military info endpoints for example. US Dept of Defense computers.  They won’t use this exploit to go after my Dad’s Windows 10.

        Susan Bradley Patch Lady/Prudent patcher

        2 users thanked author for this post.
        • #2558418

          My message above was/is very simple, one ought to check and prove the functionality at your own scale! Even big organizations with “I_Know_It_All”  administrators.

          Susan asked me for an explanation earlier. Well some weird things did happen and my story is partly and in short written above for what it’s worth to anyone.

          * _ ... _ *
          1 user thanked author for this post.
    • #2558433

      KB5027455: Guidance for blocking vulnerable Windows boot managers

      Introduction

      Microsoft was made aware of a vulnerability with the Windows boot manager that allows an attacker to bypass Secure Boot. The issue in the boot manager was fixed and released as a security update. The remaining vulnerability is that an attacker with administrative privileges or physical access to the device can roll back the boot manager to a version without the security fix. This roll-back vulnerability is being used by the BlackLotus malware to bypass Secure Boot described by CVE-2023-24932. To resolve this issue, we will revoke the vulnerable boot managers.

      Because of the large number of boot managers that must be blocked, we are using an alternative way of blocking the boot managers. This affects non-Windows operating systems in that a fix will have to be provided on those systems to block the Windows boot managers from being used as an attack vector on non-Windows operating systems.

      One method of blocking vulnerable EFI application binaries from being loaded by the firmware is to add hashes of the vulnerable applications to the UEFI Forbidden List (DBX)..

      The limitation of this blocking method is the limited firmware flash memory available to store the DBX. Because of this limitation and the large number of boot managers that must be blocked (Windows boot managers from the past 10+ years), relying entirely on the DBX for this issue is not possible…

      For Windows 10 and later versions, a Windows Defender Application Control (WDAC) policy will be used that blocks vulnerable Windows boot managers..
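The KB text quoted above describes the DBX as a list of hashes stored in limited firmware flash. As an added example (not code from Microsoft or from the thread), the PowerShell below walks the EFI_SIGNATURE_LIST records in a DBX byte array and counts the SHA-256 entries, each of which costs 48 bytes. `Get-DbxSummary` and the sample bytes are constructed for illustration.

```powershell
# Added example: Get-DbxSummary is a hypothetical helper, not a built-in cmdlet.
# EFI_SIGNATURE_LIST layout: 16-byte type GUID, then three UInt32 fields
# (SignatureListSize, SignatureHeaderSize, SignatureSize), an optional header,
# then entries of SignatureSize bytes each (16-byte owner GUID + data).
$Sha256Type = [Guid]'c1c41626-504c-4092-aca9-41f936934328'   # EFI_CERT_SHA256_GUID

function Get-DbxSummary {
    param([Parameter(Mandatory)][byte[]]$Bytes)
    [int]$offset = 0
    $lists = while ($offset + 28 -le $Bytes.Length) {
        $type = [Guid]::new([byte[]]$Bytes[$offset..($offset + 15)])
        [int]$listSize = [BitConverter]::ToUInt32($Bytes, $offset + 16)
        [int]$hdrSize  = [BitConverter]::ToUInt32($Bytes, $offset + 20)
        [int]$sigSize  = [BitConverter]::ToUInt32($Bytes, $offset + 24)
        $payload = $listSize - 28 - $hdrSize
        # Reject records that would loop forever or run past the buffer.
        if ($sigSize -le 0 -or $payload -lt 0 -or $offset + $listSize -gt $Bytes.Length) {
            throw "Malformed EFI_SIGNATURE_LIST at offset $offset"
        }
        [pscustomobject]@{
            IsSha256 = ($type -eq $Sha256Type)
            Entries  = [int][math]::Floor($payload / $sigSize)
            Bytes    = $listSize
        }
        $offset += $listSize
    }
    $sha = @($lists | Where-Object IsSha256)
    [pscustomobject]@{
        TotalBytes    = $Bytes.Length
        Lists         = @($lists).Count
        Sha256Entries = [int]($sha | Measure-Object -Property Entries -Sum).Sum
        BytesPerHash  = 48      # 16-byte owner GUID + 32-byte SHA-256 digest
    }
}

# Constructed sample: one SHA-256 list holding two placeholder digests.
# SignatureListSize = 28 + 2 * 48 = 124, SignatureHeaderSize = 0, SignatureSize = 48.
$owner  = [Guid]::Empty.ToByteArray()
$sample = [byte[]]($Sha256Type.ToByteArray() +
    [BitConverter]::GetBytes([uint32]124) +
    [BitConverter]::GetBytes([uint32]0) +
    [BitConverter]::GetBytes([uint32]48) +
    $owner + (,0xAA * 32) + $owner + (,0xBB * 32))

Get-DbxSummary -Bytes $sample

# On a UEFI machine, from an elevated prompt, the same function can read the live list:
# Get-DbxSummary -Bytes (Get-SecureBootUEFI -Name dbx).Bytes
```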

    • #2559067

      From what I understand so far, Microsoft is planning to initially patch this problem by updating Windows and the hidden EFI System Partition (via the May 2023 Security Updates) on systems that boot Windows using Secure Boot.

      So since I do not use Secure Boot on any of my computers and my boot SSDs are partitioned using the old MBR format (no EFI partition), I do not think I will be affected by the fallout of this issue.

      And eventually it seems Microsoft is hoping to block the vulnerable boot managers themselves. I think this will require the UEFI firmware on the affected computers be updated in addition to updating Windows (else I don’t see how old bootable media like DVD and previously created USB boot disks can be blocked from booting). If this is so, people like me who use old UEFI motherboards from at least several years ago will probably never get these “updates”, as the motherboard manufacturers are unlikely to spend resources to “fix” these old motherboards, many of which are already out of warranty (and may not be able to run Windows 11 anyway, haha). UEFI firmware updates will probably be provided by the motherboard manufacturers for the current motherboard products (those that support Intel 12th / 13th generation and AMD Ryzen 7xxx CPUs) in the near future.

      I wonder what the computer OEMs will do to respond to this issue. Current and recent computers may be provided with the necessary UEFI firmware updates in the near future, but how about computers from years ago which use Secure Boot to boot Windows and thus will be vulnerable? Many of those computers are still capable of running Windows 10 22H2 (but maybe not Windows 11).

      Hope for the best. Prepare for the worst.

      1 user thanked author for this post.
    • #2559156

      Hey Y’all,

      This is what worries me from a KB Article:

      Important: All customers should apply the May 9, 2023 Windows security updates. This article applies to customers who should take additional steps to implement security mitigations for a publicly disclosed Secure Boot bypass leveraged by the BlackLotus UEFI bootkit which requires physical or administrative access to the device.

      Caution: Once the mitigation for this issue is enabled on a device, meaning the revocations have been applied, it cannot be reverted if you continue to use Secure Boot on that device. Even reformatting of the disk will not remove the revocations if they have already been applied. Please be aware of all the possible implications and test thoroughly before applying the revocations that are outlined in this article to your device.

      May the Forces of good computing be with you!

      RG

      PowerShell & VBA Rule!

      1 user thanked author for this post.
      • #2559158

        In the same KB article :

        The May 9, 2023 security update provides configuration options to manually enable protections for the Secure Boot bypass but these protections are not enabled automatically…

        As long as you don’t manually change the settings you are ok up to when Microsoft will force enable them.

        • #2559160

          Yes,

          But what about down the line when MS decides it’s time to turn them on by default?

          Which they have stated they will do!

          May the Forces of good computing be with you!

          RG

          PowerShell & VBA Rule!

          • #2559164

            If you/Microsoft do make the changes you will have to re-create new bootable devices or disable secure boot.

            I think that Rufus will be out with new boot version.

          • #2559199

            By then you will have updated media.  I already tested to do a repair and didn’t see any impact.

            Susan Bradley Patch Lady/Prudent patcher

      • #2559277

        Hey Y’all,

        This is what worries me from a KB Article:

        Important: All customers should apply the May 9, 2023 Windows security updates. This article applies to customers who should take additional steps to implement security mitigations for a publicly disclosed Secure Boot bypass leveraged by the BlackLotus UEFI bootkit which requires physical or administrative access to the device.

        Caution: Once the mitigation for this issue is enabled on a device, meaning the revocations have been applied, it cannot be reverted if you continue to use Secure Boot on that device. Even reformatting of the disk will not remove the revocations if they have already been applied. Please be aware of all the possible implications and test thoroughly before applying the revocations that are outlined in this article to your device.

        Reformatting the disk (actually reformatting the Windows partition) will not change anything on the hidden EFI system partition, which as I understand is where the revocations (at least the Code Integrity Boot Policy in Section 3a of the Deployment Guidelines in that article) will be applied. If this is so that explains why reformatting the disk will not remove the revocations.

        In this case you will have to destroy the partitions and repartition the disk to remove them. Of course this will destroy everything on the disk.

        Hope for the best. Prepare for the worst.

    • #2559161

      I keep finding more and more reasons to put Microsoft completely behind me.

      It’s a shame, because I really liked Windows up through Win8.1 (using Open Shell). With Win10/11, I find I have so many tweaks that a new computer setup or install becomes a nightmare. I make a list of the altered settings, but after every update I’m back in there adding to and editing the list (Settings App, Group Policy, Registry, Services, Task Scheduler, Security, – and MS keeps hiding other Administrative Tools in Win11).

      Setting up a new Mac is a piece of cake in comparison. And the updates usually don’t break things.

      4 users thanked author for this post.
      • #2559172

        Completely agree and why I moved to Linux Mint on two Dell desktop PC’s almost five months ago now. No issues at all in applying updates over that time most of which do not even require a reboot (typically only kernel updates do). Best of all, nothing unexpected ever happens on the system and the configuration never changes unless I specifically make a change myself. Also a lot less worries about any kind of malware such as this BlackLotus. However still need to stay vigilant as the person sitting behind the keyboard is one of the most important layers of security. But the overall peace of mind now is priceless to no longer have to deal with Microsoft’s shenanigans and their lack of respect for the user!

        1 user thanked author for this post.
      • #2559174

        PK,

        You should take a look at my StandardSettingsForm.ps1 program available free from my OneDrive. Before running read the Help comments on how to run.

        When Win update messes things it’s easy to run the program and restore your stored defaults.

        May the Forces of good computing be with you!

        RG

        PowerShell & VBA Rule!

        3 users thanked author for this post.
        • #2559193

          Which set of defaults – last month’s or the month before, or the month before that…… ad infinitum. The game is ever changing with Windows.

          • #2559205

            PK,

            It saves the settings (not all windows settings) that you select from the menus.
            You then get a chance to save your preferences and it saves the information to a file. You can then restore from that file at any time even on a different machine!

            May the Forces of good computing be with you!

            RG

            PowerShell & VBA Rule!

        • #2561492

          StandardSettingsForm.ps1 program available free from my OneDrive

          I do not see it in there.

      • #2559200

        Just like with everything – it depends on what you use.

        Apple’s software updates are breaking things — is it time we delayed installing them? | iMore

        Secure boot is also a feature of Mac.

        Susan Bradley Patch Lady/Prudent patcher

        • #2559290

          To all it may be very clarifying to explain

          1. What and what for is the Secured Boot principle made and used for.

          2. What and what for is the UEFI boot partition created.

          All those ∅Day threats will have effect on various government organisations everywhere; who and what for is using this.

          Susan’s Pa and many many others will have nothing to fear, probably. So what’s at stake for society then?

          [Moderator edit] please don’t swear – using asterisks is still swearing

          * _ ... _ *
    • #2559390

      Plenty of confusion and concern on this topic, so I went through the procedures and set the updated security measures in force. A caveat: I rarely use bootable media. I can accomplish most everything that might become necessary via Settings > Windows Update > Advanced options > Recovery > Advanced startup > Restart now. I have Image For Windows incorporated into my WindowsRE partition (making it TBWinRE), so I can deal with creating/restoring a drive image by booting into TBWinRE, as well as the usual options in the Recovery Environment.

      First I used DISKPART to assign drive letters to my EFI partition and my TBWinRE partition, and made drive images of each, then back into DISKPART to remove the drive letters. Then, having Sunday’s fresh drive images available, I jumped into the fray. I opened a Run as administrator Command Prompt and one at a time entered
      • mountvol q: /S
      • xcopy %systemroot%\System32\SecureBootUpdates\SKUSiPolicy.p7b q:\EFI\Microsoft\Boot
      • mountvol q: /D
      • reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Secureboot /v AvailableUpdates /t REG_DWORD /d 0x10 /f
      all of which completed successfully in turn.

      Next I rebooted, waited at least five minutes (it was more like ten), then rebooted again. After rebooting the second time, I checked Event Viewer > Windows Logs > System for Event ID 1035. “Event ID 1035 will be logged when the DBX update has been applied to the firmware successfully.” I saw “Secure Boot Dbx update applied successfully”. So far, so good.

      Next I went to Settings > Windows Update > Advanced options > Recovery > Advanced startup > Restart now and rebooted into my TBWinRE successfully. First I created a fresh OS drive image, then I restored Sunday’s OS drive image. Both tasks completed successfully, and I booted into Sunday’s restored OS without issue. Then I rebooted back into TBWinRE and restored my freshly created OS drive image, which completed successfully, and booted back into today’s image.

      As for booting other devices, I went into UEFI Settings and turned off Secure Boot (in my case, disabling the TPM) and booted TeraByte’s BootIt UEFI partitioning tool via USB without issue. I then rebooted, went back into UEFI Settings, re-enabled the TPM, and booted back into Windows.

      Further testing revealed that it is unnecessary to disable Secure Boot when going through the Windows Recovery Environment to boot into a USB device.  Booting the USB device will appear as an option in the Windows Recovery Environment.

      No hiccups.

      Always create a fresh drive image before making system changes/Windows updates; you may need to start over!
      We all have our own reasons for doing the things that we do with our systems; we don't need anyone's approval, and we don't all have to do the same things.
      We were all once "Average Users".

      4 users thanked author for this post.
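A read-only check of the state left behind by the steps in the post above, as an added example that is not part of the original post or of Microsoft's guidance. It assumes the same paths, registry value, temporary drive letter Q: and Event ID 1035 message text quoted in the post; the function names are hypothetical.

```powershell
#Requires -RunAsAdministrator
# Added example: verifies, without changing anything, what the manual steps produced.

$PolicyName = 'SKUSiPolicy.p7b'
$Staged     = Join-Path $env:SystemRoot "System32\SecureBootUpdates\$PolicyName"
$EspLetter  = 'Q:'      # same temporary letter as in the post
$RegKey     = 'HKLM:\SYSTEM\CurrentControlSet\Control\Secureboot'

function Get-Sha256 ([string]$Path) {
    # .NET file APIs are used so the check does not depend on PowerShell's drive cache.
    $stream = [IO.File]::OpenRead($Path)
    try { (Get-FileHash -InputStream $stream -Algorithm SHA256).Hash }
    finally { $stream.Dispose() }
}

function Test-EspPolicyCopy {
    # Mount the ESP, compare the copied policy with the staged file, always unmount.
    if (-not [IO.File]::Exists($Staged))        { return 'staged policy file not found' }
    if ([IO.Directory]::Exists("$EspLetter\"))  { return "$EspLetter is already in use; choose another letter" }
    mountvol $EspLetter /S | Out-Null
    try {
        $onEsp = "$EspLetter\EFI\Microsoft\Boot\$PolicyName"
        if (-not [IO.File]::Exists($onEsp)) { return 'policy not present on the ESP' }
        if ((Get-Sha256 $Staged) -eq (Get-Sha256 $onEsp)) { return 'ESP copy matches staged policy' }
        return 'ESP copy differs from staged policy'
    }
    finally {
        mountvol $EspLetter /D | Out-Null    # release the drive letter even on error
    }
}

function Get-DbxAppliedEvent {
    # Newest System-log event 1035 whose text matches the message quoted in the post.
    Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 1035 } -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -like '*Dbx update applied successfully*' } |
        Select-Object -First 1
}

function Get-RevocationStatus {
    $secureBoot = try { Confirm-SecureBootUEFI -ErrorAction Stop }
                  catch { 'not available on this platform' }
    $pending = (Get-ItemProperty -Path $RegKey -Name AvailableUpdates `
                    -ErrorAction SilentlyContinue).AvailableUpdates
    $evt = Get-DbxAppliedEvent
    [pscustomobject]@{
        SecureBootEnabled = $secureBoot
        AvailableUpdates  = if ($null -ne $pending) { '0x{0:X}' -f $pending } else { 'value not set' }
        EspPolicy         = Test-EspPolicyCopy
        DbxEvent1035      = if ($evt) { $evt.TimeCreated } else { 'not logged' }
    }
}

Get-RevocationStatus | Format-List
```

Run it after the second reboot described in the post; before that point the event may simply not have been logged yet.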
      • #2566445

        Plenty of confusion and concern on this topic, so I went through the procedures and set the updated security measures in force.

        Since I recently upgraded my NAS from Windows 10 Pro to Windows 11 Pro using Microsoft’s registry edit found here, I decided to run the Secure Boot Update commands before Microsoft did it in a future Windows Update.  I created a full drive image first, so I could revert if anything went awry, but nothing did.

        After the second reboot, I got the “Event ID 1035” in Event Viewer and saw “Secure Boot Dbx update applied successfully”.  So even though the TPM module in my NAS is v1.2 and not v2.0, the Secure Boot Update worked as it should, no hiccups.

        Always create a fresh drive image before making system changes/Windows updates; you may need to start over!
        We all have our own reasons for doing the things that we do with our systems; we don't need anyone's approval, and we don't all have to do the same things.
        We were all once "Average Users".

        2 users thanked author for this post.
    • #2559448

      I have Image For Windows incorporated into my WindowsRE partition (making it TBWinRE)

      This is interesting: how does one go about adding non-Microsoft backup software (TB, Macrium Reflect, etc.) to the Windows recovery environment?

      1 user thanked author for this post.
      • #2559492

        This is interesting: how does one go about adding non-Microsoft backup software (TB, Macrium Reflect, etc.) to the Windows recovery environment?

        It is included as a utility in Image For Windows.  “Create/Update TBWinRE WIM used for Reboot”

        NEWTBWinRE

        It uses a script to locate the WindowsRE partition, then uses DISM to open the WIM file and add Image For Windows and some other TeraByte utilities.  Of course, if the WindowsRE is not enabled, the script won’t run.  See WindowsRE for what to do if that occurs.

        Always create a fresh drive image before making system changes/Windows updates; you may need to start over!
        We all have our own reasons for doing the things that we do with our systems; we don't need anyone's approval, and we don't all have to do the same things.
        We were all once "Average Users".

        3 users thanked author for this post.
    • #2559456

      I have Image For Windows incorporated into my WindowsRE partition (making it TBWinRE), so I can deal with creating/restoring a drive image by booting into TBWinRE

      Restoring a drive image won’t restore the changed UEFI secure boot changes.

      1 user thanked author for this post.
      • #2559482

        Restoring a drive image won’t restore the changed UEFI secure boot changes.

        Plenty of confusion and concern on this topic

        It doesn’t have to.  Those changes are made in the EFI partition, and the DBX update is for the Secure Boot firmware on the motherboard.  “Event ID 1035 will be logged when the DBX update has been applied to the firmware successfully.”

        I am posting this reply from an OS drive image restored from prior to the May 9 update.  It booted without issue and is running normally.  When I finish with this topic, I’ll restore the drive image I made previously this morning.  I had already tried Sunday’s drive image, from before I did the BlackLotus mitigation, and had no doubt that previous images would also restore without issue.  I was correct in that regard.

        Next I went to Settings > Windows Update > Advanced options > Recovery > Advanced startup > Restart now and rebooted into my TBWinRE successfully. First I created a fresh OS drive image, then I restored Sunday’s OS drive image. Both tasks completed successfully, and I booted into Sunday’s restored OS without issue. Then I rebooted back into TBWinRE and restored my freshly created OS drive image, which completed successfully, and booted back into today’s image.

        The revocation files are available as part of the updates released on or after May 9, 2023. These files include a “Code Integrity Boot Policy” and a “Secure Boot UEFI Forbidden List” update. Applying these revocations files is necessary to be fully protected from the vulnerability described by CVE-2023-24932.”

        As far as “Backups of Windows which were imaged before the installation of updates released on or after May 9, 2023. These will not be directly usable to restore your Windows installation after the revocations have been enabled on your device.”  They must be referring to Windows imaging, because it has absolutely no effect on TeraByte’s Image For Windows.

        I have applied the revocation files successfully and updated the DBX successfully, and nothing is broken, nothing is unusable.  It all still just works.  It was my original intention to ignore the whole thing, but as this topic grew I kept seeing more and more confusion and seemingly undue concerns.

        I can’t speak for any other drive imaging software, because all I have ever used has been from TeraByte, and it has never failed me.

        In closing, yes, I can restore an Image For Windows drive image from before the Windows update and prior to applying the revocations, despite all of the hand-wringing.  The big bugaboo is not all that much of a bugaboo for me and my systems.  My dual boot still works just fine, as well.

        Always create a fresh drive image before making system changes/Windows updates; you may need to start over!
        We all have our own reasons for doing the things that we do with our systems; we don't need anyone's approval, and we don't all have to do the same things.
        We were all once "Average Users".

        5 users thanked author for this post.
        • #2559747

          I’m in a similar boat.  I can’t get my patched and ‘fixed with script’ Windows 11 to blow up on me.

          Susan Bradley Patch Lady/Prudent patcher

          1 user thanked author for this post.
    • #2559620

      In closing, yes, I can restore an Image For Windows drive image from before the Windows update and prior to applying the revocations, despite all of the hand-wringing.

      Thank you bbearren for sharing this most useful experience of yours! The specifications you give in your footer explain a lot. For the part of expanding manually the needed MB’s for WindowsRE (Recovery Environment) partition: do you think this might be needed for different imaging software? If I read you well enough, neither Windows nor the imaging software (TB) warned that a larger partition was needed.

      * _ ... _ *
      • #2559627

        If I read you well enough, neither Windows nor the imaging software (TB) warned that a larger partition was needed.

        That is correct.  I discovered the need through trial and error, and using another utility from TeraByte, BootIt UEFI partitioning software to increase the size.  I have since moved my Recovery Environment to the first partition (1GB) of a separate SSD.  A major Windows upgrade will try to move it back to the OS drive, behind the Windows partition, but I’m ready for it now, and will put it back where I want it to be.

        Always create a fresh drive image before making system changes/Windows updates; you may need to start over!
        We all have our own reasons for doing the things that we do with our systems; we don't need anyone's approval, and we don't all have to do the same things.
        We were all once "Average Users".

        1 user thanked author for this post.
        • #2559629

          Right. And now some spare time and a view on a boot-system that outruns the ∅Days and let us keep what is ours.

          * _ ... _ *
    • #2559741

      Since May 9, 2023 patches are in, I’m rebuilding bootable recovery drives — Microsoft and Macrium Reflect Backup program. From what I’ve read, everyone will eventually get the new Microsoft boot fix.

      On permanent hiatus {with backup and coffee}
      offline▸ Win10Pro 2004.19041.572 x64 i3-3220 RAM8GB HDD Firefox83.0b3 WindowsDefender
      offline▸ Acer TravelMate P215-52 RAM8GB Win11Pro 22H2.22621.1265 x64 i5-10210U SSD Firefox106.0 MicrosoftDefender
      online▸ Win11Pro 22H2.22621.1992 x64 i5-9400 RAM16GB HDD Firefox116.0b3 MicrosoftDefender
    • #2560549

      I have applied the revocation files successfully and updated the DBX successfully, and nothing is broken, nothing is unusable. It all still just works. It was my original intention to ignore the whole thing, but as this topic grew I kept seeing more and more confusion and seemingly undue concerns.

      I have not yet applied revocation files nor updated DBX. I will leave things alone until if and when these steps are necessary.

      On permanent hiatus {with backup and coffee}
      offline▸ Win10Pro 2004.19041.572 x64 i3-3220 RAM8GB HDD Firefox83.0b3 WindowsDefender
      offline▸ Acer TravelMate P215-52 RAM8GB Win11Pro 22H2.22621.1265 x64 i5-10210U SSD Firefox106.0 MicrosoftDefender
      online▸ Win11Pro 22H2.22621.1992 x64 i5-9400 RAM16GB HDD Firefox116.0b3 MicrosoftDefender
    • #2562156

      Hey Y’all,

      This thread inspired me to do a little testing and here’s what I came up with. (WARNING THIS IS A LONG POST!)

      Hardware: DellXPS8700 i7-4770 CPU @ 3.40GHz (Haswell). It has a TPM but not eligible for Win11. UEFI firmware and Secure Boot Enabled. Fully updated with the May patches on W10 22H2 and fully Imaged.

      First Pass:

      As I’m a proponent of Backup early and often I had deleted the Recovery partition as unnecessary. Since this won’t work without a Recovery partition (AFAICT) I went about trying to recover it on the drive. After several attempts I managed to accomplish this so on I went.

      I downloaded the PatchWinREScript_2004plus.ps1 and Windows11.0-kb5023527-x64….cab file. Then I ran the PowerShell program. This appeared to work.
      I started to test with every bootable USB drive in my possession and all worked. Now I knew something was wrong as some were just too darned old to work under the imposed restrictions.

      I went back and looked at the output of the PowerShell and there it was basically staring at me.

      PS C:\Windows\system32> e:\test\PatchWinREScript_2004plus.ps1
      
      cmdlet PatchWinREScript_2004plus.ps1 at command pipeline position 1
      Supply values for the following parameters:
      (Type !? for Help.)
      packagePath: E:\Test
      05/24/2023 20:23:55 - No input for mount directory
      05/24/2023 20:23:55 - Use default path from temporary directory
      05/24/2023 20:23:55 - Working Dir: C:\Users\Bruce\AppData\Local\Temp\
      05/24/2023 20:23:55 - MountDir: C:\Users\Bruce\AppData\Local\Temp\CA551926-299B-27A55276EC22_Mount
      05/24/2023 20:23:55 - Create mount directory C:\Users\Bruce\AppData\Local\Temp\CA551926-299B-27A55276EC22_Mount
      
      
          Directory: C:\Users\Bruce\AppData\Local\Temp
      
      
      Mode                 LastWriteTime         Length Name
      ----                 -------------         ------ ----
      d-----         5/24/2023   8:23 PM                CA551926-299B-27A55276EC22_Mount
      05/24/2023 20:23:55 - Set ACL for mount directory
      processed file: C:\Users\Bruce\AppData\Local\Temp\CA551926-299B-27A55276EC22_Mount
      Successfully processed 1 files; Failed processing 0 files
      processed file: C:\Users\Bruce\AppData\Local\Temp\CA551926-299B-27A55276EC22_Mount
      Successfully processed 1 files; Failed processing 0 files
      processed file: C:\Users\Bruce\AppData\Local\Temp\CA551926-299B-27A55276EC22_Mount
      Successfully processed 1 files; Failed processing 0 files
      05/24/2023 20:23:55 - Mount WinRE:
      REAGENTC.EXE: Operation Successful.
      
      05/24/2023 20:24:06 - TargetFile: C:\Users\Bruce\AppData\Local\Temp\CA551926-299B-27A55276EC22_Mount\Windows\System32\bootmenuux.dll
      05/24/2023 20:24:06 - Target file version: 10.0.19041.1262
      05/24/2023 20:24:06 - Windows 10, version 2004
      05/24/2023 20:24:06 - Apply package:E:\Test
      05/24/2023 20:24:11 - Applying the package failed with exit code: -2146498530
      05/24/2023 20:24:11 - TargetFile: C:\Users\Bruce\AppData\Local\Temp\CA551926-299B-27A55276EC22_Mount\Windows\System32\bootmenuux.dll
      05/24/2023 20:24:11 - Target file version: 10.0.19041.1262
      05/24/2023 20:24:11 - Windows 10, version 2004
      05/24/2023 20:24:11 - Warning: After applying the patch, unexpected version found for the target file
      05/24/2023 20:24:11 - Patch succeed, unmount to commit change
      
      Deployment Image Servicing and Management tool
      Version: 10.0.19041.844
      
      Saving image
      [==========================100.0%==========================]
      Unmounting image
      [==========================100.0%==========================]
      The operation completed successfully.
      05/24/2023 20:24:26 - Delete mount direcotry
      

      I had looked at the next to last line where it said “completed successfully” and didn’t bother with the rest. So back to the drawing board.

      Second Pass:

      I decided that at this point my best bet was clean install of Win 10 Pro. So I used a copy I had on a USB key, did the reinstall, and ran all the updates to get it up to date.

      This time the script complained that the Windows version in the Recovery partition did not match the running version? Ain’t that just peachy!

      Third Pass:

      Back to the drawing board. So I used the MCT to download a fresh (hopefully latest) version of 22H2 and created a new USB.

      Reinstalled Windows and ran the PowerShell script with this result:

      PS G:\test> .\PatchWinREScript_2004plus.ps1 -packagepath G:\Test -WorkDir N:\
      05/25/2023 18:05:21 - Working Dir: N:\
      05/25/2023 18:05:21 - MountDir: N:\CA551926-299B-27A55276EC22_Mount
      05/25/2023 18:05:21 - Create mount directory N:\CA551926-299B-27A55276EC22_Mount
      
      
          Directory: N:\
      
      
      Mode                 LastWriteTime         Length Name
      ----                 -------------         ------ ----
      d-----         5/25/2023   6:05 PM                CA551926-299B-27A55276EC22_Mount
      05/25/2023 18:05:22 - Set ACL for mount directory
      processed file: N:\CA551926-299B-27A55276EC22_Mount
      Successfully processed 1 files; Failed processing 0 files
      processed file: N:\CA551926-299B-27A55276EC22_Mount
      Successfully processed 1 files; Failed processing 0 files
      processed file: N:\CA551926-299B-27A55276EC22_Mount
      Successfully processed 1 files; Failed processing 0 files
      05/25/2023 18:05:22 - Mount WinRE:
      REAGENTC.EXE: Operation Successful.
      
      05/25/2023 18:05:28 - TargetFile: N:\CA551926-299B-27A55276EC22_Mount\Windows\System32\bootmenuux.dll
      05/25/2023 18:05:28 - Target file version: 10.0.19041.2247
      05/25/2023 18:05:28 - Windows 10, version 2004
      05/25/2023 18:05:28 - Windows 10, version 2004 with revision 2247 >= 2247, updates have been applied
      05/25/2023 18:05:28 - The update has already been added to WinRE
      05/25/2023 18:05:28 - TargetFile: N:\CA551926-299B-27A55276EC22_Mount\Windows\System32\bootmenuux.dll
      05/25/2023 18:05:28 - Target file version: 10.0.19041.2247
      05/25/2023 18:05:28 - Windows 10, version 2004
      05/25/2023 18:05:28 - Windows 10, version 2004 with revision 2247 >= 2247, updates have been applied
      05/25/2023 18:05:28 - After patch, find expected version for target file
      05/25/2023 18:05:28 - Patch succeed, unmount to commit change
      
      Deployment Image Servicing and Management tool
      Version: 10.0.19041.844
      
      Saving image
      [==========================100.0%==========================]
      Unmounting image
      [==========================100.0%==========================]
      The operation completed successfully.
      05/25/2023 18:05:38 - Checking BitLocker status
      05/25/2023 18:05:38 - Unprotected
      05/25/2023 18:05:38 - Bitlocker isn’t enabled on the OS
      The operation completed successfully.
      05/25/2023 18:05:38 - Delete mount direcotry
      PS G:\test>
      

      Once again a very interesting line buried in the output. Seems the new versions come with the changes already applied to the Recovery Environment. So all that’s left to do is add the registry key (see bbearren’s post above) and reboot TWICE, don’t forget this like I did, then do your testing as nothing will fail since it isn’t turned on! Don’t forget to check the System Event Log for code 1035 to be sure the remediation is in place.

      Test Results:

      1. Windows 10.0.19041 (20H1) installation USB created with MCT – BOOTED!
      2. Custom WinPE boot disk created with PowerShell using PS Script – BOOTED!
      3. Macrium Reflect V6 Free Boot USB Standard Wim file – BOOTED!
      4. Macrium Reflect V6 Free Boot USB Custom Wim file – BOOTED!
      5. AOMEI Partition Assistant Pro v9-13 – FAILED! Secure Boot Violation
      6. AOMEI Partition Assistant Pro v10.0 – FAILED! Secure Boot Violation
      7. Old Password Reset USB – Did not even show up on the Boot Menu!
        Turned OFF UEFI & Secure Boot – BOOTED!
        Turned OFF Secure Boot Only – BOOTED!
      8. Linux Mint USB (Created 6/2/2018) – Failed to BOOT!
        Turned OFF Secure Boot Only – BOOTED!

      Conclusions:

      • Looks like it is pretty safe to turn on these mitigations.
      • Although AOMEI had a new version of their software out it didn’t address this problem!
      • You may have to just TEMPORARILY turn off Secure Boot to run your favorite legacy utilities on USB drives.
      • However, you may need to do a clean install!

      May the Forces of good computing be with you!

      RG

      PowerShell & VBA Rule!
      Computer Specs

      4 users thanked author for this post.
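RG's first pass shows why the closing line of this transcript cannot be trusted: the script logs the failed package apply and the version warning, then still prints "Patch succeed" and DISM's success message. The PowerShell below is an added example, not part of the original post or of Microsoft's script; the function name Get-WinREPatchOutcome and its verdict labels are assumptions, and the sample lines are excerpted from the two transcripts in the post above.

```powershell
# Added example. Classifies a PatchWinREScript_2004plus.ps1 transcript by the
# script's own status lines rather than by the closing success message.
# Get-WinREPatchOutcome and its verdict labels are hypothetical names.
function Get-WinREPatchOutcome {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)]
        [AllowEmptyString()]
        [string[]]$Line
    )

    $r = [ordered]@{
        TargetVersions = @()      # every "Target file version" seen, in order
        ExitCode       = $null    # package-apply exit code, if one was logged
        ExitCodeHex    = $null    # same value as an HRESULT-style hex string
        VersionWarning = $false
        AlreadyPatched = $false
        ExpectedFound  = $false
        ClaimedSuccess = $false   # "Patch succeed" or DISM's success line
        Verdict        = 'Unknown'
    }

    # switch -Regex walks the array and tests every pattern against each line.
    switch -Regex ($Line) {
        'Target file version:\s*([\d.]+)' {
            $r.TargetVersions += $Matches[1]
        }
        'Applying the package failed with exit code:\s*(-?\d+)' {
            $r.ExitCode    = [int]$Matches[1]
            # Negative Int32 formats as two's complement, giving the HRESULT form.
            $r.ExitCodeHex = '0x{0:X8}' -f $r.ExitCode
        }
        'unexpected version found for the target file' { $r.VersionWarning = $true }
        'The update has already been added to WinRE'   { $r.AlreadyPatched = $true }
        'find expected version for target file'        { $r.ExpectedFound  = $true }
        'Patch succeed|The operation completed successfully' { $r.ClaimedSuccess = $true }
    }

    # Failure evidence wins over any success text that follows it.
    if ($null -ne $r.ExitCode -or $r.VersionWarning) { $r.Verdict = 'Failed' }
    elseif ($r.AlreadyPatched)                       { $r.Verdict = 'AlreadyPatched' }
    elseif ($r.ExpectedFound)                        { $r.Verdict = 'Patched' }

    [pscustomobject]$r
}

# Excerpted from the first-pass transcript in the post above.
$firstPass = @(
    '05/24/2023 20:24:06 - Target file version: 10.0.19041.1262'
    '05/24/2023 20:24:06 - Apply package:E:\Test'
    '05/24/2023 20:24:11 - Applying the package failed with exit code: -2146498530'
    '05/24/2023 20:24:11 - Target file version: 10.0.19041.1262'
    '05/24/2023 20:24:11 - Warning: After applying the patch, unexpected version found for the target file'
    '05/24/2023 20:24:11 - Patch succeed, unmount to commit change'
    'The operation completed successfully.'
)

# Excerpted from the third-pass transcript in the post above.
$thirdPass = @(
    '05/25/2023 18:05:28 - Target file version: 10.0.19041.2247'
    '05/25/2023 18:05:28 - Windows 10, version 2004 with revision 2247 >= 2247, updates have been applied'
    '05/25/2023 18:05:28 - The update has already been added to WinRE'
    '05/25/2023 18:05:28 - After patch, find expected version for target file'
    '05/25/2023 18:05:28 - Patch succeed, unmount to commit change'
    'The operation completed successfully.'
)

$runs = @(
    @{ Name = 'First pass'; Lines = $firstPass }
    @{ Name = 'Third pass'; Lines = $thirdPass }
)
foreach ($run in $runs) {
    $o    = Get-WinREPatchOutcome -Line $run.Lines
    $code = if ($o.ExitCodeHex) { $o.ExitCodeHex } else { 'none' }
    '{0}: {1} (exit code {2}, claimed success: {3})' -f `
        $run.Name, $o.Verdict, $code, $o.ClaimedSuccess
}
```

To check a real run, pass the saved output lines instead of the samples, for example from Get-Content on a file you captured the script's output to.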
      • #2562214

        You may have to just TEMPORALLY turn off Secure Boot to run your favorite legacy utilities on USB drives.

        FYI: on some motherboards (like my Asus Maximus XI Gene) there won’t be an Enable/Disable option for Secure Boot.

        On those systems, you’ll need to change the Secure Boot option (Windows UEFI = ON, Other OS = OFF) to do this.

        • #2562244

          FYI: on some motherboards (like my Asus Maximus XI Gene) there won’t be an Enable/Disable option for Secure Boot. On those systems, you’ll need to change the Secure Boot option (Windows UEFI = ON, Other OS = OFF) to do this.

          My motherboard is an Asus Z690M.

          As for booting other devices, I went into UEFI Settings and turned off Secure Boot (in my case, disabling the TPM) and booted TeraByte’s BootIt UEFI partitioning tool via USB without issue. I then rebooted, went back into UEFI Settings, re-enabled the TPM, and booted back into Windows.

          Always create a fresh drive image before making system changes/Windows updates; you may need to start over!
          We all have our own reasons for doing the things that we do with our systems; we don't need anyone's approval, and we don't all have to do the same things.
          We were all once "Average Users".

    • #2562357

      Hey Y’all,

      I’ve got my Test machine DellXPS8700 all reconfigured and setup with the Enabled Patches for Secure Boot. I’m renaming that computer to Canary! I’ll keep it up-to-date and test after update to see if things are still working as they should with external boot devices. After all, “Inquiring Minds Want to Know!”

      All those PowerShell scripts I’ve been writing sure speed up the reconstituting it from “clean install” to all programs, shortcuts, scheduled tasks, etc. back to normal. Did it in hours vs days!

      May the Forces of good computing be with you!

      RG

      PowerShell & VBA Rule!
      Computer Specs

      3 users thanked author for this post.
      • #2562412

        All those PowerShell scripts I’ve been writing sure speed up the reconstituting it from “clean install” to all programs, shortcuts, scheduled tasks, etc. back to normal. Did it in hours vs days!

        I skipped Windows Vista and had to clean install Windows 7 Ultimate (early 2010, two PC’s), as there was no upgrade path from XP.  Those were the last clean installs I’ve done.  Instead, I rely on “clean” drive images for restoration of my Windows setups.

        My OS is separated (on a 100GB partition) from my Program Files and User files (they have their own partitions on different SSD’s), so restoring Windows is down to ~3 minutes, not days, not even hours.

        Getting ready for some deep diving into Windows innards takes ~12 minutes to create a fresh, validated byte-for-byte drive image.  If I’m messing around in ways that might affect the EFI partition, creating a fresh validated image of that partition takes about a minute.  My Windows Recovery Environment also takes about a minute.

        I applaud your tenacity and dedication to detail in your PowerShell scripts.  We all have our own reasons for doing the things that we do.  I’ve been hacking and cracking and cutting and splicing Windows for so long that I’m completely comfortable in my reliance on drive imaging to bail myself out of self-inflicted difficulty and things that go bump in the night.

        Always create a fresh drive image before making system changes/Windows updates; you may need to start over!
        We all have our own reasons for doing the things that we do with our systems; we don't need anyone's approval, and we don't all have to do the same things.
        We were all once "Average Users".

        1 user thanked author for this post.
    • #2562437

      bbearren,

      I totally agree! I usually rely entirely on Macrium Reflect Images to bail me out of issues. However, in this case the wound was completely self inflicted by that reliance. Since I was relying on Images I removed the Recovery Partition from the drive many-many moons ago so that even with my 9 rotating backup drives (every two weeks) I no longer had an image with the Recovery Partition on it that was current enough to be usable with my constant tweaking. Finding what was missing would have been a bear.

      In order to install the Secure Boot mitigations the Recovery Partition was required or the enabling script wouldn’t run. So I decided for test purposes I’d do a clean install, as documented above, to see if I could get the mitigations running.

      Once I had them successfully running I decided that now would be a good chance to test many of my scripts in a real world environment, with much success I might add.

      As I type this “Canary” is being imaged as part of my every two week cycle. Now I’ll be back to relying on Images for everything. BTW in the process of rebuilding I took no less than 7 images of C: along the way JIC.

      May the Forces of good computing be with you!

      RG

      PowerShell & VBA Rule!
      Computer Specs

      1 user thanked author for this post.
      • #2562439

        Since I was relying on Images I removed the Recovery Partition from the drive many-many moons ago so that even with my 9 rotating backup drives (every two weeks) I no longer had an image with the Recovery Partition on it that was current enough to be usable with my constant tweaking.

        With TeraByte’s utility to incorporate Image For Windows into the Recovery Environment, (and because of my own constant tweaking) I find it quicker to boot into TBWinRE to restore the OS image than to boot with the TBWinRE USB thumb drive.  And from the RE it is just a single click to boot directly back into Windows.

        An added bonus to keeping the Recovery Environment around is that the Command Prompt, when booted into the RE, runs at Trusted Installer level, which can come in quite handy from time to time.

        Always create a fresh drive image before making system changes/Windows updates; you may need to start over!
        We all have our own reasons for doing the things that we do with our systems; we don't need anyone's approval, and we don't all have to do the same things.
        We were all once "Average Users".

        1 user thanked author for this post.
        • #2562479

          Bbearren,

          For some reason I’ve always chosen not to use the Macrium Reflect option to implement that function. Looks like it might be something to try out on Canary!

          May the Forces of good computing be with you!

          RG

          PowerShell & VBA Rule!
          Computer Specs

          1 user thanked author for this post.
    • #2566766

      Command Prompt, when booted into the RE, runs at Trusted Installer level

      Does native Windows RE always do it, or is it a result of action by Terabyte util?

      • #2566904

        Command Prompt, when booted into the RE, runs at Trusted Installer level

        Does native Windows RE always do it, or is it a result of action by Terabyte util?

        Native Windows RE always does it.  In the Recovery Environment, if one selects Command Prompt, the prompt is X:\.  X:\ is a virtual drive and is elevated to Trusted Installer level.  After all, one is nominally in the Recovery Environment to do some sort of recovery, and Trusted Installer can cut through all the system-protecting red tape easily.  Which is also why it should be used with care.

        For example, after a Feature Update, if one wants to get rid of the Windows.old folder left behind, just Restart into the Recovery Environment, open Command Prompt, change drive letters to get to “C:\” (it won’t necessarily be C, it may well be another letter; you’ll need to check by using the DIR command to see what’s on the drive letter you select).

        Once you find the Windows partition, type

        rd windows.old /s /q

        and Windows.old is gone.  For me, it’s quicker than going through Disk Cleanup in Windows to get it done.

        Always create a fresh drive image before making system changes/Windows updates; you may need to start over!
        We all have our own reasons for doing the things that we do with our systems; we don't need anyone's approval, and we don't all have to do the same things.
        We were all once "Average Users".

    • #2566771

      TeraByte, BootIt UEFI partitioning software to increase the size.

      Can it accomplish the increase of existing Windows installation and multiple partitions and everything you want retained? (assuming unallocated spaces somewhere on disk)

       

    • #2566858

      The wording of my question above did not turn out quite right.  Here I rewrite it : Can it accomplish the increase of RE partition in situation of existing Windows installation and multiple partitions, and you want everything to be retained?

      • #2566901

        Can it accomplish the increase of existing Windows installation and multiple partitions and everything you want retained? (assuming unallocated spaces somewhere on disk)

        This will be a little long, because I want to be thorough.  BootIt UEFI has a number of significant abilities.  Click on the link (it will open in a new tab) for more information.  Twenty+ years ago I began with BootIt NG (Next Generation) for partitioning, partition resizing and manipulation, and logical drive/partition imaging and restoration.  Next was BootIt Bare Metal, and the latest iteration is BootIt UEFI.  This is the only partitioning multi-purpose tool I have used, other than DISKPART, in all of those twenty+ years.

        Unallocated space can be created in a partition.  Every partition on any HDD or SSD has slack, that is, allocated but unused sectors/blocks.  BootIt UEFI can Resize any partition to reclaim some of that slack as unallocated space for use elsewhere on the HDD/SSD for another partition, or to increase the size of an existing partition.  In order to get the unallocated space to a position where it can be used, BootIt UEFI can Slide existing partitions.

        Start by creating a full drive image of the HDD/SSD you’ll be working with.  Next, for example, say my fourth partition on a particular SSD has lots of unused space that I don’t really need for that partition, and I want to increase the size of the second partition on that SSD.  I can Resize that fourth partition to be smaller, resulting in unallocated space (in the size that I want) at the end of that partition.  I can then Slide that unallocated space from behind the fourth partition to in front of the fourth partition.  I can then Slide that unallocated space from between the third and fourth partition to in front of the third partition.

        Now I have unallocated space behind the second partition (between the third and second partition), which is the one I want to increase in size.  The last step is to Resize the second partition to include the unallocated space, and my second partition is now the larger size I wanted.  This may sound complicated, but it is just a series of simple steps.  BootIt UEFI double-checks the partition file system, before and after every slide.

        Should anything go wrong, or should I make a mistake in my selections, I have my full drive image of the HDD/SSD to fall back on, and start over.  And restoring that image can be accomplished by BootIt UEFI, meaning one can just stay in that environment.  The Windows Recovery Environment in the Windows 10/11 installations (it may have started with Windows 8, IDK) is behind the Windows partition.  Microsoft has said that this was done in order to be able to resize the RE partition if necessary.  This would be accomplished by taking a few MB from the Windows partition and increasing the size of the RE partition by that amount, all of which could be accomplished via scripting in a Windows Update.

        If one wishes to incorporate Image For Windows into the Recovery Environment, but gets the message that there is insufficient room in the RE partition, one can boot into BootIt UEFI, shrink the Windows partition by a few MB (creating unallocated space), then Slide the RE partition in front of the unallocated space, Resize the RE partition to include the unallocated space, boot back into Windows and run the script to incorporate Image For Windows into the RE once more.

        Always create a fresh drive image before making system changes/Windows updates; you may need to start over!
        We all have our own reasons for doing the things that we do with our systems; we don't need anyone's approval, and we don't all have to do the same things.
        We were all once "Average Users".

        1 user thanked author for this post.
    • #2566881

      The NIST page gives the severity as 4.4, “medium”, the CNA as, natch, MSFT, but that was a while ago.

      https://nvd.nist.gov/vuln/detail/CVE-2022-21894

      The glance at the countries that it avoids executing in all have one thing in common: they have that guy breathing down their necks named something that rhymes with “Tootin'”

      Uh-huh. Guess where THIS little devil came from….

      Win7 Pro SP1 64-bit, Dell Latitude E6330 ("The Tank"), Intel CORE i5 "Ivy Bridge", 12GB RAM, Group "0Patch", Multiple Air-Gapped backup drives in different locations. Linux Mint Newbie
      --
      "The more kinks you put in the plumbing, the easier it is to stop up the pipes." -Scotty

      1 user thanked author for this post.
    • #2566937

      Every partition… allocated but unused sectors/blocks.  BootIt UEFI can Resize any partition to reclaim some of that slack as unallocated space for… another partition, or to increase the size of an existing partition.

      Probably by means of defragmentation then shrinking?

      BootIt UEFI can Slide existing partitions.

      That’s great, because it is time-consuming to reposition manually many partitions.
      Probably does it by means of remappings?  (as opposed to moving data)

    • #2566943

      BootIt UEFI can Resize any partition to reclaim some of that slack as unallocated space…..In order to get the unallocated space to a position where it can be used, BootIt UEFI can Slide existing partitions.

      That is great, because otherwise it takes much work to do those things manually to many partitions.
      The slidings probably are done by remappings? (as opposed to movements of contents)

      • #2566949

        The slidings probably are done by remappings? (as opposed to movements of contents)

        In the Slide option there is a checkbox for data only, but I leave that option unchecked, and Slide the complete partition.

        Always create a fresh drive image before making system changes/Windows updates; you may need to start over!
        We all have our own reasons for doing the things that we do with our systems; we don't need anyone's approval, and we don't all have to do the same things.
        We were all once "Average Users".
