• Hi everyone, i have tried to setup a FOG deploy enviroment for a single machine where malware samples are run. Idea is that after samples are run a fog deploy task is triggered to leave the computer on a clean state.
    My expierence with FOG has been succesfull until i tried to work with real hardware for executing the samples. Here is my setup

    The FOG server is on a ubuntu 18.04 virtual machine under vmware workstation, version 15. The computer where samples are run is a sony vaio model PCG-31111M (from 2010). After configuring the operating system as required i launched a capture task which worked perfectly. Later the deploy task was successfull but when rebooting the computer after the deploy the computer was unable to boot. It just printed the message “Windows failed to start. A recent hardware or software change might be the problem…”.

    I have been looking that there are some issues with windows 7 (https://wiki.fogproject.org/wiki/index.php/Vista_Image_says_0xc000000e_\windows\system32\winload.exe_can_not_be_loaded) but on the message i see there is no trace, not even a file name or dll name. So this makes me doubt whether i have the same problem or not.

    Details about the captured image are:

    • ZTDS with level 6 compression was used
    • Type: Multiple partition single disk not resizable
    • All partitions were selected
    • I didn´t used sysprep before capturing since i am deploying the image on the same computer.

    To recover the computer i need to use the instalation disk since the recovery partition was also overwritten and it is unreadable now. Since after restoring the computer i´ll try again to capture the image with FOG is there something i did incorrectly that is leading me to this error?.

    I am considering that maybe capturing all the partitions including the MBR and the recovery partition is not a good idea, maybe i should run sysprep although i am deploying on the same machine.

    Any help is welcomed, thanks in advance.

  • Senior Developer

    @mapaga said in Windows 7 Deployment Error:

    Just for curiosity, why is it important to caputre all partitions?.

    Because only with all partitions it will also capture and deploy the partition table. If you set this to a single partition, it will only capture/deploy this partition and won’t touch the partition layout. This is ok if you have the correct layout on the destination system already but will fail otherwise.


  • @sebastian-roth Hi Sebastian thank you very much i´ll give it a try with Raw Image capture an see how it goes. Just for curiosity, why is it important to caputre all partitions?.

  • Senior Developer

    @Mapaga While Win 7 is somewhat dated I would still think that FOG should properly capture/deploy Win 7 images. Though I haven’t tried in a long time. Not sure if other people are still using it.

    • ZSTD should be ok. Can’t see why any compression algorithm could break Windows boot.
    • Using image type “Multiple partition single disk not resizable” is a good choice to not get into issues with resizing - just more complex and could produce errors.
    • All partitions is important!
    • Sysprep is not needed if deploying to the same hardware.

    If you have problems with this again I might suggest you use image type “Raw Image (Sector by Sector, DD, Slow)”. That should work in all cases.

244
Online

8.4k
Users

15.2k
Topics

142.6k
Posts