KB5034441 — Windows Recovery Environment (WinRE) successful install

Topic

New Reply

My main disk is for a BIOS/MBR system running Windows 10 Pro Version 22H2 (OS Build 19045.3930).
If you have a GPT/EFI formatted disk that not a plain vanilla basic layout i.e. dynamic, mirrored, or clustered don’t do this!
Either way, while seemingly simple, this is not for the faint of heart; caveat emptor!
Also I expect this to work for Windows 11 equally well.

2024-01 Security Update for Windows 10 Version 22H2 for x64-based Systems (KB5034441)
f​ailed to install twice with error 0x80070643 on my system.

MiB is 1024*1024=1048576

You must use DIR /A to look at hidden and system files.

You must run ReAgentC, diskpart, DIR /A command at an Administrator command prompt.

All partition offsets and sizes used in commands in diskpart are in integer multiples of MiB even if they are shown in bytes.
That is what is meant by disk alignment.

Very important:
When ReAgentC is run an entry is appended to C:\Windows\Logs\ReAgent\ReAgent.log
That log will help you understand what is going on. It is very verbose.

Any recovery partition must be identified as Recovery(id=27) not Primary(id=7) and be large enough to be suitable.
When not in use it should be empty.

ReAgentC /disable moves everything from the recovery partition’s NTFS filesystem under \Recovery\WindowsRE to C:\Windows\system32\Recovery.

ReAgentC /enable moves everything from C:\Windows\system32\Recovery to a suitable recovery partition under \Recovery\WindowsRE.
If there is no suitable recovery partition, everthing is moved into C:\Recovery\WindowsRE.

Successful installation of KB5034441 has happened for me under the following circumstance:

1. ReAgentC /disable was run moving everything into C:\Windows\system32\Recovery
2. The recovery partition was changed from a recovery partition to a primary partition using diskpart set id=7. See log down below. (If you have more than one recovery partition, they all must be changed.)
3. ReAgentC /enable was run moving everything into C:\Recovery\WindowsRE.

I ran ReAgentC /info before and afterwards to confirm this. Note that partition3 changed to partition2.
Also look at C:\Windows\Logs\ReAgent\ReAgent.log for confirmation.

Once KB5034441 has finished installing (click retry) you can run ReAgentC /disable followed by ReAgentC /enable then examine C:\Windows\Logs\ReAgent\ReAgent.log.
What you are looking for is this entry for example:
MeetPartitionRequirements Required free space: 525711190
and the partition information (this one is 750 MiB):
Partition number: 3, offset: 2198235774976, free space: 769089536, total space: 786427904

Since KB5034441 originally failed the size will need to be extended to be able to use it.
However you can just use C:\Recovery\WindowsRE as is without doing anything more.
Verify that Start menu: Power > shift-Restart boots into the Recovery Environment all the way to bringing up a console. Type exit to reboot.
The easiest way to resize is just use delete partition in diskpart after shrinking the previous partition.

I had a 509 MiB recovery partition which I resized to 750 MIB, this is the sequence of commands I used:

diskpart
list disk
select disk 0
list partition
select partition 2
shrink desired=241 minimum=241
select partition 3
delete partition override
create partition primary id=27
format quick fs=ntfs label=”Windows RE tools”
set id=27
list partition
list volume
exit

Beware that the format command changes the id to 7, so it has to be reset to 27.

Here’s the log of changing the recovery partition into a primary partition using the diskpart set id=7 command
(set id=ebd0a0a2-b9e5-4433-87c0-68b6b72699c7 should work for GPT)
detail partition should show Type: 27 (or de94bba4-06d1-4d40-a16a-bfd50179d6ac for GPT):

C:\Windows\system32>reagentc /info
Windows Recovery Environment (Windows RE) and system reset configuration
Information:

Windows RE status: Enabled
Windows RE location: \\?\GLOBALROOT\device\harddisk0\partition3\Recovery\WindowsRE
Boot Configuration Data (BCD) identifier: 83a4c69e-57e7-11ed-8fff-d0cb8a159000
Recovery image location:
Recovery image index: 0
Custom image location:
Custom image index: 0

REAGENTC.EXE: Operation Successful.

C:\Windows\system32>diskpart

Microsoft DiskPart version 10.0.19041.3636

Copyright (C) Microsoft Corporation.

DISKPART> list disk

Disk ### Status Size Free Dyn Gpt
——– ————- ——- ——- — —
Disk 0 Online 2048 GB 0 B
Disk 1 Online 1678 GB 1678 GB
Disk 2 Online 29 GB 3072 KB

DISKPART> select disk 0

Disk 0 is now the selected disk.

DISKPART> list partition

Partition ### Type Size Offset
————- —————- ——- ——-
Partition 1 Primary 50 MB 1024 KB
Partition 2 Primary 2047 GB 51 MB
Partition 3 Recovery 750 MB 2047 GB

DISKPART> select part 3

Partition 3 is now the selected partition.

DISKPART> list volume

Volume ### Ltr Label Fs Type Size Status Info
———- — ———– —– ———- ——- ——— ——–
Volume 0 D DVD-ROM 0 B No Media
Volume 1 System Rese NTFS Partition 50 MB Healthy System
Volume 2 C 3C NTFS Partition 2047 GB Healthy Boot
Volume 3 F FAT32 Removable 29 GB Healthy
* Volume 4 Windows RE NTFS Partition 750 MB Healthy Hidden

DISKPART> detail part

Partition 3
Type : 27
Hidden: No
Active: No
Offset in Bytes: 2198235774976

Volume ### Ltr Label Fs Type Size Status Info
———- — ———– —– ———- ——- ——— ——–
* Volume 3 E Windows RE NTFS Partition 750 MB Healthy

DISKPART> set id=7 override

DiskPart successfully set the partition ID.

DISKPART> list partition

Partition ### Type Size Offset
————- —————- ——- ——-
Partition 1 Primary 50 MB 1024 KB
Partition 2 Primary 2047 GB 51 MB
* Partition 3 Primary 750 MB 2047 GB

DISKPART> exit

Leaving DiskPart…

C:\Windows\system32>reagentc /info
Windows Recovery Environment (Windows RE) and system reset configuration
Information:

Windows RE status: Enabled
Windows RE location: \\?\GLOBALROOT\device\harddisk0\partition2\Recovery\WindowsRE
Boot Configuration Data (BCD) identifier: 83a4c6a0-57e7-11ed-8fff-d0cb8a159000
Recovery image location:
Recovery image index: 0
Custom image location:
Custom image index: 0

REAGENTC.EXE: Operation Successful.

To just change the primary partition back into a recovery partition use set id=27 (or for GPT set id=de94bba4-06d1-4d40-a16a-bfd50179d6ac)
See PARTITION_INFORMATION_GPT structure (winioctl.h)

PARTITION_BASIC_DATA_GUID ebd0a0a2-b9e5-4433-87c0-68b6b72699c7
The data partition type that is created and recognized by Windows.
Only partitions of this type can be assigned drive letters, receive volume GUID paths, host mounted folders (also called volume mount points)

PARTITION_MSFT_RECOVERY_GUID de94bba4-06d1-4d40-a16a-bfd50179d6ac
The partition is a Microsoft recovery partition.
This value can be set for basic and dynamic disks.

HP Compaq 6000 Pro SFF PC / Windows 10 Pro / 22H2
Intel®Core™2 “Wolfdale” E8400 3.0 GHz / 8.00 GB
HP ProDesk 400 G5 SFF PC / Windows 11 Pro / 23H2
Intel®Core™ “Coffee Lake” i3-8100 3.6 GHz / 16.00 GB

1 user thanked author for this post.

castiel

Reply | Quote

Replies

EyesOnWindows wrote:

Beware that the format command changes the id to 7, so it has to be reset to 27.

Yeah, I found out the hard way about how the format command changes the partition id for a MBR disk. I had followed the command sequence spelled out in MS “KB5028997: Instructions to manually resize your partition to install the WinRE update” and ended up with ID=7 despite having specified ID=27 on the create command.

At first I thought I had mistyped the “ID=27” as “ID=7”. So I ran through the same sequence again ending up with the same result. I then did a detail partition after the create and again after the format and found the format had changed my ID=27 to iD=7. So I finally realized I needed to add a set id=27 after the format.

Not sure why the Microsoft instructions omitted that little tidbit for a MBR disk. Thinking Microsoft could have done better on their instructions.

Reply | Quote

Thanks.

Not worth the trouble especially as most Windows users don’t use Bitlocker and even after the update Bitlocker can be bypassed in 43 seconds .

https://www.askwoody.com/forums/topic/taming-bitlocker-and-other-encryption-methods/#post-2634426

Reply | Quote

Alex5723 wrote:

… even after the update Bitlocker can be bypassed in 43 seconds

After weeks of research and preparation and only if a Bitlocker PIN/password has not been set.

Reply | Quote

A chain is only as strong as its weakest link. The lighter a bicycle is the heavier the chain must be to secure it. So it is a loosing proposition. Even a 440C stainless steel chain would be ineffective because the thief would simply cut through what the chain was anchored to. Better to get a dirty, rusty old bike that nobody would care to steal and would be cheap to replace. There is security in obscurity, don’t put all your eggs in one basket.

However the most important concern with information theft is knowing if something has actually been stolen. What if someone has broken in and cut small circular holes in the bottom of all your company’s laptops in just the right places? You don’t know what data has been stolen do you? Yeah the possibilities are endless…

HP Compaq 6000 Pro SFF PC / Windows 10 Pro / 22H2
Intel®Core™2 “Wolfdale” E8400 3.0 GHz / 8.00 GB
HP ProDesk 400 G5 SFF PC / Windows 11 Pro / 23H2
Intel®Core™ “Coffee Lake” i3-8100 3.6 GHz / 16.00 GB

Reply | Quote

b wrote:

Alex5723 wrote:

… even after the update Bitlocker can be bypassed in 43 seconds

After weeks of research and preparation and only if a Bitlocker PIN/password has not been set.

Who uses PIN with Bitlocker ?

Reply | Quote

Alex5723 wrote:

Why do you need weeks of research to bypass an inactive Bitlocker ?

In microsoft’s defence, they can’t second guess everyone so, by covering all the security bases, irrespective of whether bitlocker is in use or not, MSFT provide the security patch via WU as an important/ critical security patch.

However, by not installing kb5034441 ‘as one does not use bitlocker’, as of now, has the potential to create security risks later should bitlocker be activated on that system without kb5034441.

I’m just perplexed as to why kb5034441 isn’t available in the MS update catalog..

Windows - commercial by definition and now function...

1 user thanked author for this post.

Alex5723

Reply | Quote

Go to Susan’s post KB5034441 and KB5034440 and click on CVE-2024-20666 which says:
As an alternative to updates provided above or if your version of Windows is not listed above, you can download the latest Windows Safe OS Dynamic Update from the Microsoft Update Catalog. It also tells you how to apply it to WinRE.

HP Compaq 6000 Pro SFF PC / Windows 10 Pro / 22H2
Intel®Core™2 “Wolfdale” E8400 3.0 GHz / 8.00 GB
HP ProDesk 400 G5 SFF PC / Windows 11 Pro / 23H2
Intel®Core™ “Coffee Lake” i3-8100 3.6 GHz / 16.00 GB

Reply | Quote

Alex5723 wrote:

b wrote:

Alex5723 wrote:

… even after the update Bitlocker can be bypassed in 43 seconds

After weeks of research and preparation and only if a Bitlocker PIN/password has not been set.

Who uses PIN with Bitlocker ?

Me and many thousands of employees of large companies I’ve worked for (because Microsoft have recommended it for at least 18 years).

1 user thanked author for this post.

Alex5723

Reply | Quote

EyesOnWindows wrote:

Any recovery partition must be identified as Recovery(id=27) not Primary(id=7) and be large enough to be suitable. When not in use it should be empty.

That only works if your disk uses MBR and legacy boot!

If it uses GPT and UEFI, you have to use set id=”de94bba4-06d1-4d40-a16a-bfd50179d6ac” instead and, to prevent “automatic” drive letter assignment, you should also set gpt attributes=0x8000000000000001.

1 user thanked author for this post.

EyesOnWindows

Reply | Quote

See Moving Windows Recovery Partition Correctly which also works for resizing it.

HP Compaq 6000 Pro SFF PC / Windows 10 Pro / 22H2
Intel®Core™2 “Wolfdale” E8400 3.0 GHz / 8.00 GB
HP ProDesk 400 G5 SFF PC / Windows 11 Pro / 23H2
Intel®Core™ “Coffee Lake” i3-8100 3.6 GHz / 16.00 GB

Reply | Quote