Search Brett's Ramblings

Windows 8 and WinFE

Just when you thought WinFE development was done....

Troy Larson (developer of WinFE) has created a cmd script to create a WinFE from Windows 8 RTM.  It is available for download in the widget to the right of this post, "Build_WindowsFE.cmd".

From Troy,

"Why use Windows 8 FE?

It will provide access to Windows 8 features, such as StorageSpaces.

It works well with X-Ways Forensics 16.7. It natively supports 4 KB sector hard drives.

It has support for other sorts of Windows 8 storage features, such as encrypted drives.

SAN Policy 4 (Offline internal)!"

Colin Ramsden's write protect script (for Winbuilder) and his Lite build of WinFE both work on Windows 8 machines too.  Windows (8) FE uses a new SAN Policy 4 registry setting.

Thanks to Troy, again.
  1059 Hits

X-Ways Forensics Practitioner's Guide is coming!

Eric Zimmerman and Brett Shavers have started writing the "X-Ways Forensics Practitioner's Guide", due out toward the end of year 2013.

Check back as to when the guide will be available.   This guide intends to be the source of using X-Ways Forensics.

  1282 Hits

Colin's Final Version of his write protect application

This posting is copied from, posted by Colin Ramsden on his final version of the WinFE write protect tool.  My thanks to Colin for his countless hours of work for which all of us will benefit.

As to the future development of WinFE, maybe this is it for some time to come.   Anyone can now build a Windows based, forensically sound bootable operating system.  Choices of a having simple, shell based system or a full-fledged Windows 7 visual experience as your forensic environment gives plenty of flexibility.  What more could you ask?

"I’ve just released WProtect version (available on, which as far as I am concerned is no longer a Release Candidate, but the final version (less any new bug fixes or code optimisations).

I actually think that WinFE is the best free Forensic Boot CD that is available, I used it in anger (V1.0.0.151) for the first time today, the Ubuntu based Raptor disk would not work on a particular Acer machine where the drive appeared to be somehow locked to the machine (did not even register with the Tableau T35i when removed). WinFE along with FTK Imager Lite imaged the drive in the host machine flawlessly.

The latest update includes some suggestions from forum member ‘EM’ (a.k.a Boot_Monkey) which include a slightly longer forced delay between disk actions, a text change to the ‘close’ button (now ‘continue’) during the initial run and ‘greyed out’ buttons when the application is busy dealing with disks.

It’s been a long and sometimes hard project, which has involved loads of code being written and binaries that have had to be reverse engineered (over 2 years since inception), there have been many hurdles that have been encountered and overcome along the journey, the main of which, was the initial patching of the VDS.EXE binary which did not prove too popular with Microsoft that pretty much left WinFE dead in the water until some new API calls were exposed.

Anyway, we got here in the end. I would like to take this opportunity to thank the following individuals for their support, both past and present:

Troy Larson (Microsoft) for his assistance with the initial registry settings, which are still used for the initial write protection, without these, the disks would be touched before my tool got the chance to execute.

Brett Shavers for being the driving force behind WinFE, Brett has taken time out of his very busy schedule and strived to promote WinFE and keep it in the public eye through his presentations, user guides, testing and the WinFE web site on WordPress.

Karl Morton, a very good friend of mine who is an exceptionally talented individual, in fact he was one of the lead programmers on the Team17 game ‘Worms’. Karl was responsible for writing the initial backend code in the form of a DLL which was his own rendition of Diskpart, a brilliant tool, however, this was eventually defunct due to the VDS.EXE patch issue, nevertheless, Karl has still been a great contributor by helping me with converting undocumented C++ code to assembly language. Karl is also responsible for attempting to write the filter driver which I hope will eventually replace my WProtect tool, I will still code the front end though.

There has been other help along the way, by people such as Royal Mayer and Nuno Brito who initially helped me with adding my application binaries to the WinBuilder script language.

So all that I have left to say is hats off to the guys that I have mentioned and anyone else that has contributed along the way.


  1762 Hits

A little reminder about 'write protection'

If you try hard enough, you can circumvent just about anything.  That includes hard drive write protection, whether you are booting to a Linux forensic OS, WinFE, and sometimes, even when using a physical hardware write protection device.  There have also been many instances where write protection methods have unknowingly failed only to be discovered later.  This has occurred with several Linux forensics boot systems and at least with one commonly used hardware write protection bridge.

WinFE is not different in that it provides write protection when used appropriately.  Perhaps the most important word of advice when touching original evidence with any method of write protection is;

1)  don't mess with the hard drives

2)  don't mess with the hard drives

Particularly in WinFE, as has been discussed before, don't touch any other disk management tool besides the write protection tool to toggle your drives on/offline.

The safest bet is to not install any disk management tool in your WinFE builds, whether through Winbuilder or any other method. You don't need them anyway as Colin's write protect app manages disks much better anyway.  As long as you protect the hard drives, you have a great forensic tool, one of many that are in your forensic toolbox.
  851 Hits

Mounting Shadow Volumes

We’ve built our SEAT VM and added our target image to it as a virtual disk.  The first thing that I do is verify that all of the shadow volumes are present.  My first post presented a screen shot from the image file (MyImage) and depicted the shadow volumes.  We can compare the shadow volumes from the image file with those in our VM.  The following video presents the steps we use to enumerate the shadow volumes with the native vssadmin command run from our administrative command prompt.


The screen populates quite quickly, but the point is that we can identify the number of shadow volumes and their respective creation dates.  To make it easy to copy, here’s the syntax: vssadmin list shadows /for=[your target volume letter followed by a colon].  Note, too, that your beginning shadow volume number will be different from mine and does not necessarily start with the number one.  Another trick is to re-run the command and export the output to a text file, by adding a space at the end followed by >[path to your text file] [name of text file]. Creating a text file is handy for documenting your findings and for copying the shadow volume names, which we’ll do later.

Now we can mount any or all of our shadow volumes for examination.  We’re going to use VSS, which is a free, command line tool written by Dan Mares, who is a creative, long-time forensic software developer and examiner.  Dan also has developed free tools that are adjuncts to X-Ways Forensics and which help users customize certain reports.  You can pick up a copy of VSS at  Be sure to check for updates, as Dan is great about implementing suggestions.  You’ll also want to check out his other tools.  Thanks, Dan!

There are a few of ways in which we can use VSS.  We can mount one shadow volume; multiple shadow volumes that are numbered consecutively; or multiple, non-consecutive shadow volumes.  The following screenshot displays the syntax.

We already have a list of shadow volumes produced by vssadmin.  It’s now a matter of selecting the correct volume to provide to VSS.  Let’s go back to an abbreviated view of vssadmin’s output.  

The screenshot identifies one shadow volume.  It may not be terribly clear, but the shadow volume path is \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy5. We’ll feed that path to VSS and mount the shadow volume.  We need only choose an unused volume letter, and we’ll pick H:

After executing the command, VSS will prompt us to hit <Return> one more time and then present what the screenshot depicts.  It includes the root directory listing.  Our shadow volume (#5) now is mounted as Volume H:  You can repeat that process and mount any, or as many, shadow volumes as remaining drive letters permit.

Hint: to repeat the process, use your up-arrow and simply replace the volume letter and shadow volume number (#), i.e., ShadowCopy[#].  There is no need to copy/paste the entire path repeatedly.

Next, we’ll mount a range of shadow volumes.  First, let’s look at the syntax, which is provided in VSS’ on-screen help.

We can start with a given shadow volume and mount every shadow volume that follows, up to our choice of the last shadow volume number.  In our case, there are 19 shadow volumes and the first is #5.  (I haven’t researched the question of why shadow volume numbers often start at a number greater than #1, but it doesn’t appear that it’s because there were X previous ones.  Windows authority Troy Larson probably knows!)  Before we go forth, I want to point out that you should study the dates of the shadow volumes in relation to your case.  Several restore points can be created on the same day, perhaps within hours of one another.  You’ll cut your exam and VM overhead if you exercise some judgment in picking the shadow volumes to mount and examine.

For demonstration purposes, let’s mount them all. I’ll start with no shadow volumes mounted and enter, vss h: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy5 23 AUTO.  Note that AUTO is upper case.  The first shadow volume is #5, and the last is #23.  Watch:


Actually, it was coincidental that I happened to have 19 shadow volumes and 19 open, consecutive drive letters 🙂  To unmap any or all of our shadow volumes, we proceed as in the following screenshot.  I’ll unmap them all.

Following the VSS command, you enter every volume letter, followed by a colon, which you want to unmap.  If unmapping seems to hang, just refresh your screen in Explorer with F5.

That’s it for this post.  Next time, I’ll demonstrate one or two exam approaches with X-Ways Forensics. In the meantime, if you get bored, you’re all set to examine your shadow volumes with any tools that you wish to install in your SEAT workstation.


  1. Working with Shadow Volumes

    January 21, 2016 at 1:26 am

    […] shared it.  In fact, I initially used information from his 13 Jul 2012 blog post entitled Mounting Shadow Volumes to mount the VSC of interest as a RAM disk on my analysis system.  At the time that I did […]


  2. Doing Analysis

    January 21, 2016 at 1:16 am

    […] where Jimmy’s blog post on mounting shadow volumes can into play.  Using vss.exe, I added the VSC in question to my analysis system as X:, which […]


  3. Windows forensics (A.Carvey) | Jacques DALBERA's IT world

    December 3, 2015 at 1:48 pm

    […] where Jimmy’s blog post on mounting shadow volumes can into play.  Using vss.exe, I added the VSC in question to my analysis system as X:, which […]


  4. Raffael

    August 23, 2012 at 4:17 am

    How do you examine VSS on deleted/recovered partitions?


    • jimmyweg

      August 23, 2012 at 8:34 am

      I’ll have to guess, as I haven’t done that. First, I’ll say that you can’t examine deleted shadow volumes, AFAIK, and I tried. For example, you can recover a deleted SV and copy it into the Sys Vol Info directory. That doesn’t work, and may screw up the shadow volume service. Remember that the SVs are difference files, and the “index” has to track the SVs as a whole to rebuild things. Throwing in a “foreign” SV seems to mess up the system.

      If you can recover a deleted, intact partition, I suspect that you can image it and create a VM or VMware virtual disk from the image. If you can do that, you can probaly add it to your SEAT workstation and see whether the VSS can rebuild the SVs. You also may be able to rebuild the entire physical disk (image) and boot the previously deleted partition.


      • Cal

        May 8, 2016 at 2:53 pm

        Hi, nice blog!
        What about an old snapshot of the same, working partition? I mean, every once an older shadow copy is deleted to create a newer one, due to space constraints to the VS service; however, sometimes a deleted snapshot can be recovered with a raw access to the disc, and .LOG# files in Sys Vol Info dir should hold some infos on syscache.hve changes.

        I wonder if there is a mean to verify integrity of such a recovered shadow and to access it.


        • jimmyweg

          May 9, 2016 at 8:43 pm

          The snapshots depend on linking. After deleting snapshots within a VM, VMware typically has no problem with running the VM from any given snapshots. Forensic tools, however, may be unable to mount the successive snapshots because of linking issues, I suspect. I’ve found it rather difficult to gather much any data from deleted (recovered) VSC, because the dependencies are lost.


  5. Ken Pryor

    July 15, 2012 at 6:10 pm

    I’m really enjoying and learning a lot these tutorials, Jimmy. Thanks for sharing!


  6. Raffael

    July 15, 2012 at 12:28 am

    Hi Jimmy
    Thanks for your work!
    I usually mount disks with Encase PE. This allows to access VSC directly in my workstation (no vm). This approach does not work if you use Ftk Imager or Mount Image Pro .

    Looking forward to reading more of your posts!


    • jimmyweg

      July 15, 2012 at 4:37 pm

      Thanks very much, Raffael. Correct, mounting with FTKI or MIP will not provide access to the SVs. I don’t use EnCase, so I can’t speak to this feature, but it does seem handy. Another approach, which I’ll describe in a leter post, is mounting a VHD image. The drawback is that you have to create a VHD. If you do, however, you can access the SVs right from your host system.


      • Harlan Carvey

        July 16, 2012 at 4:20 am


        I’m not sure how I follow that creating a VHD is a “drawback”, per se. Analysts work on a copy of the acquired image, and not the original “evidence”, and the free tool available from MS simply appends a footer (less than 1K) to the image in order to turn it into a VHD. Once you’ve done that, you can still access the acquired image via FTK Imager, etc.

        Thanks for posting this information…it’s great to see more of this sort of thing making it into the public view. Keep it up…


        • jimmyweg

          July 16, 2012 at 10:19 am

          Thanks, Harlan. Yes, converting the dd to VHD actually is quite simple with VhdTool. In my approach, I use the original image, which is not altered. If I want to convert the image to VHD, I guess that I would make a copy for that purpose, unless you can convert the VHD back to dd, but then you’d want to hash the original again. So, although I do have one or two backups of every dd (as E01) image, having to make another to convert to VHD is something I’d rather avoid. You can build your VMware device in less than one minute. Perhaps someone may develop a tool to image a medium directly to VHD with the approriate verification, something like E01. AFAIK, that’s not do-able at the moment.


  2169 Hits

"Remote" Collections with WinFE, a neat trick

In civil litigation, the procedures for data collection are a little more relaxed as compared to criminal investigations, but cost is a huge factor.  Typically, criminal suspects lose custody of their seized systems and won't necessarily cooperate with the seizure of electronic evidence.  Civil litigants on the other hand, will usually maintain custody of their systems and cooperate with the data collection.   With the costs of travel to simply image a hard drive or copy a folder, one hard drive can cost a client thousands of dollars in expenses.

But here is a neat trick.

1)  Ship the custodian a customized WinFE CD and an external drive.

2)  Over a phone call, walk the custodian (or IT staff) in booting the system to WinFE and plugging in the external USB hard drive.

3) Access the forensically booted drive remotely to image directly to the supplied USB external drive.

The external drive can be shipped back to you overnight. You can accomplish in minutes what would take hours and thousands of dollars (air-ground travel, meals, lodging), all without leaving the office.

There is more than one method of accessing the booted WinFE system remotely, either through Remote Desktop, VNC, or any number of commercial applications such as TeamViewer.   Any of these methods allow for you to take control of the custodian system (in the WinFE OS), and run just about any Windows based forensic application to forensically image the custodian hard drive to the USB external drive.  Or you could create containers of targeted files/folders.  Or you can triage the computer to determine if it needs to be collected.

Should you decide to save your client or company thousands of dollars per case, here are some tips when using this WinFE "remote" collections method:

1)  Build your WinFE with the forensic apps you need (FTK Imager, Encase, etc..).

2)  Have a one-click connect icon on the desktop for the custodian to start the remote connection.

3)  Run a system information application on the custodian machine (WinAudit) to identify the hardware in the system.  Maybe even have the custodian or IT email you a photo of the system being imaged.  Store the hardware scan with the image file.

3)  Create two images (one to be shipped, one to be maintained at the premise in case the shipped image is lost in transit).

In practice, you can connect to as many WinFE booted computers as needing to be imaged, one after another, all imaging to external hard drives.

Of course, not everything always works out as planned.

Custodian machines may not have a CD drive - ship a WinFE CD and WinFE USB together,  just in case....

Hard drives may be bitlocked-you can still access the drive for imaging through WinFE.   Other encrypted drives may be accessed too, depends on the setup of the system.

Custodian machine may be broken - might have to ship the entire machine or hard drive/s, but that's still cheaper than travel expenses.

No internet access for the custodian machine - you need this for this method to could always ship a wireless card with the WinFE CD and external drive.

If volatile memory is required to be captured, like RAM, this isn't your best option or even a good option.  In fact, this is not the best 'live response' method at all.

And yes, this can also be done with many of the Linux forensic boot discs.  But is certainly much easier for the majority of custodians to use a Windows FE OS if their everyday systems are also Windows.  Plus, you can use just about any of your everyday Windows forensics applications.

[caption id="attachment_657" align="aligncenter" width="640"] Well, you may miss out on traveling on the client's dime, but your client will be happy (that's the goal anyway, isn't?).

This may not be good news for anyone wanting to make easy money with travel, but in the long run, your clients (and boss perhaps) will appreciate the savings and speed at which this can be done.  You'll also be to get more done in a shorter period of time.  That is a good thing.

  910 Hits

Adding Our Target System to Our SEAT Workstation

In this step we’ll add our target system virtual disk to our SEAT VM.  We already have the target (MyImage) virtual disk that we created, and we’ll add it to our system as in the next video.

Add Virtual Disk

Add Virtual Disk▶

As you saw, we chose to add the disk as an independent disk in non-persistent mode.  Any changes to the disk are discarded when we power off our SEAT VM.  Actually, as we’re going to examine shadow volumes, we’re not too concerned about routine changes that our operating system may make to volumes attached to our SEAT VM.  Nothing within the shadow volumes will be changed.  Remember, we’re not out to do a general exam; for that we can use our favorite tools on our image file.

When you add the disk, VMware may present a box that warns of a hardware compatibility issue.  If my SEAT VM was created in an earlier version, I’ll get the following warning.

If you encounter this, change your SEAT hardware compatibility as in the video.  Your hardware may differ from mine, but I bring my hardware up to my current version (Ver. 8).  Choose Alter this virtual machine as your last step.


We’re ready to boot our SEAT workstation and get our target ready for a shadow volume exam.  In Windows, we can see our target system as Volumes E:, F:, and G:  Your volume letters may differ as may the number of partitions on your target.

A little exploring reveals that our target’s system partition is Volume F:  While the last screen shot is right above us, I want to point out a very handy feature of VMware, which is the Pause button. You can see it in the screen shot as the two, vertical bars right below the File menu item.  Pausing the VM freezes the action.  So, if you have a number of tasks underway and don’t want to shut down your SEAT VM, just pause it until you want to return to work.  Remember, too, that the VMware Snapshot feature is your friend.

The first thing that I do is write protect the target system disk.  Even though the disk is non-persistent, it can be written to during our session.  It’s also possible that the volume shadow service may delete one or more of the target’s shadow volumes.  To write protect our target, we’ll employ Windows Diskpart, which is a command line tool that’s part of Windows 7.  In the next video, I’ll step through the process.  We’ll begin at the point where I entered the Diskpart shell.



To exit Diskpart, simply type the command exit. Note that the write protection survives a hot or cold reboot.  Nevertheless, you don’t have to shut down your SEAT VM, unless you want to make certain changes to its configuration in VMware.  Otherwise, you simply can use the Pause feature.  Should you want to remove write protection, go through the steps in the video, but enter the command attributes disk clear readonly as the final command.

That’s it for now.  In the next post, I’ll get down to mounting and accessing the shadow volumes.  Thanks for visiting!


  1. Gerald

    July 10, 2012 at 7:31 am


    Hello, great series and info. Have you experimented with using the SIFT to make all .E01, .AFF or .RAW images available to the Windows Forensic box for Volume Shadow analysis? I have found it to be extremely quick to set up and reliable (takes about two minutes). Successive exams are faster to setup. Corey Harrell did a posting on how to do that here:


    • jimmyweg

      July 10, 2012 at 9:08 am

      >Have you experimented with using the SIFT
      I haven’t. I do have SIFT, but I’m kind of linux-averse. It’s great stuff, but I like my GUI. I’m curious about the iSCSI approach, and perhaps it will work in my Windows-based VM. I’ll have to experiment. As I mentioned, I can make this work with E01s, but it’s a little more work. I started down this road because I received quite a few remarks about problems with EnCase PDE and LiveView. I don’t use EnCase, so I can’t attest to any issues, but I did play with LiveView and prefer my “hand-built” approach. My aim, which will become a little clearer as I progress, is to do a SV exam with X-Ways Forensics. You can use any tool as long as it will run in a VM. For that matter, you can do the same thing directly in the running VM of the target that we bulit in my first post. XWF can be run from a thumb! You also can add the target virtual disk directly to SIFT through VMware. You’ll have to let me know what you think as I proceed. Thanks.


      • Gerald

        July 10, 2012 at 9:45 am

        >I’m curious about the iSCSI approach, and perhaps it will work in my Windows-based VM. I’ll have to experiment.

        Absolutely it will work to access VSCs. Just make sure your Win forensic box is on the same subnet as the SIFT workstation. Send me an email at This email address is being protected from spambots. You need JavaScript enabled to view it. and I will send you back a short PPT on the method. Should save you a bit of experimenting time.


  791 Hits

Getting Ready for a Shadow Volume Exam

We now have built a virtual machine from an image of the target system.  Next, we’ll build a Windows 7 VM and configure it as our examination platform: Shadow Examination and Analysis Technique (SEAT) workstation.  Building the VM basically is the same as installing a operating system from scratch, and I’ll  go over the basic steps in the following video.

Build Base VM

Build Base VM▶

I installed Windows 7 Ultimate 64 from a DVD, but you can use an ISO instead of a disc.  I have a library of operating systems on ISOs, as they come in handy.  Please be mindful of licensing requirements.  I didn’t install a network adapter, but will do so later.  I use as much RAM as I can afford, and you can experiment.  RAM can be adjusted from a powered off state.  I like using a single, growable disk for my VM.  For the most part, I set up the system as I like.  I turn off User Account Control, but we must leave System Protection enabled.  I also set my folder view options to allow access to hidden and system files.  Remember that you can use snapshots to protect the state of your VM.  Below is a screenshot of my VM.  I keep my frequently used tools on the desktop.  Be sure to include a shortcut to the command prompt, and be set it to run in administrator mode.

For you X-Ways users, you can configure your options as you do normally.  Be sure, however, to set the option to run XWF as administrator by default, and allowing multiple instances is suggested.  Remember that XWF, as most forensic suites, is USB dongle based.  When you want to work with XWF in your VM, you must connect the dongle to the VM as in the image below.

 If you have more than one Feitian dongle as in the screenshot, you’ll have to experiment to find the correct dongle.  Then, connect it to the VM (Disconnect from host).  Note that, if XWF is running in the host system, it will become aware that the dongle was disconnected and issue a notice.  The easiest thing to do is close the host instances of XWF before you work in the SEAT application.  Of course, if you have more than one dongle, you can work simultaneously in both environments.  Note that you can install any USB devices that you wish by using the same procedure.

Note, too, that our SEAT workstation is portable. At the moment, my VM is about 18GB, so it’s easily copied to another forensic workstation or USB drive.  In the next post, I’ll review how we mount the target VM in out SEAT workstation and begin an exam.


  1. Derek Frawley

    August 3, 2012 at 11:05 am

    Thanks for the vm creation tutorial.
    Do you have anything that will show how to do with E01 file(s) or multiple raw files.( as mentioned in the tutorial) Most of the images i have are E01 and takes too long to re-image.


  2. Scott Koehle

    July 9, 2012 at 7:03 pm

    Great Stuff, Jimmy. Thanks for taking the time to put this website together. Very Helpful.

    Scott Koehle, CFCE
    Altoona Police Department
    1106 16th St
    Altoona, PA 16601


  748 Hits

How many users of WinFE?

I don't believe there is any means of determining how many users of WinFE exist, but the stats of just this blog may be an indication.

So why would this be important?  For one, using any forensic utility that has not been tried, proven, or commonly used by the forensic community is a big risk for the examiner.  I would imagine that having some statistical information on the number of visitors to this blog, plus the number of blogs that talk about WinFE, and training given on WinFE at various conferences and courses lend credibility in its use.  This doesn't mean that every visitor uses or used or tested WinFE, but I would assume that within this number, there is a large percentage of users.

So the stats for this blog and the unique visitor's locations (as of today):

  826 Hits

Creating a VMware Virtual Machine from a Raw Image File

Welcome to my blog and first post!  My aim is to provide tutorials that describe some of the things about which my colleagues have questions.  I’m neither a seasoned blogger nor videographer, so please bear with me as I progress.  I don’t plan to produce a regularly updated journal on digital forensics, as many of the good folks in my blog list now publish.  Instead, I’ll try to provide some guidance on practices that may help others who haven’t had a chance to explore an area of computer forensics that I may have delved into repeatedly.  As you’ll see, I have a plan for a few topics and will consider suggestions thereafter.  I do, however, have a full time job that already extends beyond a  “reasonable” workday, so pardon my delays in posting.  The videos herein should be viewed in high-def, and you’re welcome to download them.

This will be a multi-part presentation that goes into creating VMware virtual machines and using them to examine shadow volumes.  First, we’ll create a virtual machine from a single dd image file.  In the next presentation, well examine the target system’s shadow volumes using VMware and X-Ways Forensics (XWF)  We can create a target-system VM from a segmented image, but it takes more work to create our configuration file.  We also can build a VM from other image formats, like E01, as long as we can mount the image as a physical disk.  First, I always take care to see that my image file is read only.  Our image file is MyImage.001.  There are a variety of ways to approach an exam of shadow volumes, and this is mine at the moment.  I’m using VMware 8.x, but the steps are the same in 7.x.

I’m going to assume that readers have a modest grasp of VMware and Windows shadow volumes.  The next presentation features XWF more prominently, and I encourage readers to pick up a copy, as it’s benefits go far beyond the points that I’ll present.

Step One is to create a disk descriptor (vmdk) file, which is a text file that contains the disk geometry and image name.  Below is a screen shot of the contents of a Vista/Win7 vmdk file.  The yellow-highlighted fields are the ones that you will edit.  The first is the number of sectors on the physical disk.  Next is the name of your image file.  Then, skip the next (cylinders) field one and be sure that your heads=255 and sectors=63.  Then enter the number of cylinders by calculating /255/63.  It’s 19458 in our example, and always round up to the next whole number and do not use commas.  I usually place this file in the same folder as my image, where we’ll name this file MyImage.vmdk.

Here’s an editable copy of our vmdk file: MyImage.txt.  Save the file as a text file and then change the extension to vmdk for actual use.  It’s configured for VMware 8.x.  If you’re wondering where to get the number of sectors, an easy approach is to highlight the image in XWF and select the Technical Details Report from the Specialist menu:


Next, we’ll create a VM, so open VMware and elect to create a new virtual machine.  At this point, the following video will save some explaining:

Create VM

Create VM

This is what we do: Run VMware and create a new VM.  Select the Custom option in the first window.  Choose to install the OS later.  Next, choose the OS (32 vs. 64 is not critical).  Then, pick a name for the VM and a path for the VM files.  It’s best to place them in their own folder.  In the next couple of screens, choose one processor and a little more memory (2-4GB) than the default.  In the network box, select “do not use…”  You can add a network adapter later.  For the I/O adapters box, select LSI Logic (SCSI).  In the Select a Disk box, choose “Use an existing virtual disk.”  Next, navigate to your vmdk file (MyImage.vmdk).  Then click Finish, and you will have built a basic VM.   Now, take a Snapshot in VMware: VM\Snapshot\Take Snapshot.

In the next step, we’re going to edit the registry of our VM (we don’t do this in XP) and remove the password (keep EFS in mind).  We mount the VM as a logical disk in read-write mode (remember, we’re working with a snapshot and the image file is RO).  So, mount the system partition in VMware as writable.  Watch the video: 

Prep for boot

Prep for boot▶

As you saw, I loaded the VM’s System hive in my host’s registry.  I navigated to the current control set and then to HKLM\NEWSYSTEM\ControlSet001\Services\LSI_SCSI.  I edited the Start value (DWORD) so that it’s 0x00.  The 0 has the effect of starting the service at “boot” automatically by the system loader.  You can edit the other Control Sets, but it’s unnecessary.  Then I unload the System hive and shut down Regedit.

Next, we’ll deal with the user’s password.  I use a free tool named ntpwedit.exe,  (It’s in Russian, but you’ll figure it out.)  We’ll run ntpwedit and point it to the SAM hive in your mounted virtual disk and remove any password that you wish.  Note that you usually can boot a VM with Nordahl’s CD and do so, but it doesn’t always work.  Watch:

Remove Password

Remove Password▶

Now, the VM is ready to boot.  You may wish to fire it up to be sure that it runs, but create another snapshot first.  We want to but be careful about doing anything that could create a restore point, which could delete one or more existing restore points.  For example, installing VMware Tools will create a restore point.  Snapshots allow us to go back and recover a pristine system.  It’s a good idea to check the shadow volumes in your image and be sure that they all show up later with their proper dates when we examine them.  In our example, there are 19:




  1. Red Forman

    September 4, 2016 at 7:20 am

    Hey Jimmy,
    Just tried this with a Windows 10 x64 image and turns out there is no registry entry for LSI_SCSI. I managed to get the VM created successfully starting with the VMDK modified to my VMWare version (12), and the following steps:

    New VM
    Hardware Version VMWare 12 (my version)
    Install OS Later
    Choose OS (Win 10×64)
    Name and location
    Firmware type EFI
    1 Processor 1 Core
    4GB RAM
    No Network Connection
    I/O Controller Types – LSI Logic SAS
    Virtual Disk Type – SCSI

    The rest was the same, except I didn’t need to mount or map the VM HD to change the registry, because Windows 10 has all of the LSI configured as Start=0 by default.

    I did have an issue when I started to try your original method though with permissions on the ‘config’ folder, and I wasn’t able to gain access to it using the ‘Map’ method. So I used FTK Imager and mounted the image Writable – Logical and went from there.

    Hope this helps out some of the others having issues with Windows 10.


    • jimmyweg

      September 4, 2016 at 11:57 am

      Thanks, Red. Yes, the SAS controller is an alternative. Usually, there are two SAS controllers, and picking either should work. I’m not sure why you couldn’t access System32\Config, but perhaps Win 10 tightened up access somewhat. Yet, I can access the folder directly on my native system.


  2. Richard

    August 10, 2016 at 10:52 am

    Anyone willing to share their copy of ntpwedit? The site to download it from is down. I’ve gotten to the point of booting and a login, don’t want to take the time to crack the SAM if I don’t have to. Thanks!


    • jimmyweg

      August 15, 2016 at 8:09 pm



  3. Jason

    July 25, 2016 at 10:19 am

    Using Workstation 11 on Windows 10, i can map the VM drive, however the drive is not displayed in RegEdit and Explorer gives me the error “not accessible. Incorrect function.” when i try to view the contents of the drive. Is this a limitation of Windows 10/Workstation 11? Any workarounds?

    Thank you.


    • jimmyweg

      July 26, 2016 at 12:19 pm

      Hi, Jason. I can tell you that my VMware 12 works fine on/with Win 10. I don’t think you’ve encountered a limitation.You didn’t give me much info. Are you working with an image? What type? What is the guest’s OS? Have you tried the approach using Arsenal image Mounter?


    • EC

      September 12, 2016 at 11:04 am

      Make sure you take a snapshot before trying to mount it as read/write.
      I had the same issue, I kept getting “Not accessible. Incorrect function.” after attempting to mount the drive as read/write in VMWare and browse in explorer. It would mount fine as read only, no errors browsing. Once I did a snapshot it worked fine.


  4. Greg

    May 31, 2016 at 12:48 pm

    Good article, however I’m having trouble with the regedit. I can do the load hive, but the mapped drive doesn’t show up, the hard drive, a recovery partition, and my local drives do, just not the drive I mapped in VMware… I can’t boot that system as I believe it needs the SCSI to start up when the system boots.

    I’ve tried this numerous times, and still a no-go.



    • jimmyweg

      May 31, 2016 at 4:47 pm

      Thanks for writing, Greg. What is the guest OS? Is it GPT (I think it is)? How are you loading and editing the System/SAM hives if you can’t map the system partition? Try mapping the partition before and after the desired system partition. WMware seems to have an issue with mapping the selected partition on GPT.


      • Greg

        June 1, 2016 at 9:36 am

        Imaging it’s GPT (windows 7 box I’m fairly sure), my host is windows 7. I can see the drive mapped to windows (a 455GB drive using about 120GB). Under advanced shows scsi.

        Now on my host I try regedit, file local hive( as in video). On left hand side, I still see my C drive, my USB drive, and now instead of Q (which is the image file that I wish to use), I see an 11GB recovery drive (different letter).



        • jimmyweg

          June 1, 2016 at 11:58 am

          In VMware, how many partitions does it show when you go to map a volume? Post back a list with size and type.


  5. MacLuser

    May 3, 2016 at 4:27 pm

    Will this work for creating a VM of a MAC OSX .00001 image? If not, any suggestions?


    • jimmyweg

      May 4, 2016 at 11:28 am

      OSX is an entirely new ballgame. I will tell you that I can create a VMware VM in Windows from an OSX dd image. However, there is at least a debate over whether doing so conforms with Apple’s licensing conditions. So, I haven’t posted instructions because I don’t want to take a chance on violating the license. I will say that it also requires a tweak to certain VMware system files, and I don’t know whether those edits will work in all versions. You can, however, build a VM in Fusion on a Mac.


  6. Steve Linn

    April 28, 2016 at 9:07 am


    I have a 001 image that I am setting up

    In VMWare when selecting the MyImage.VMDK file I get the following error
    “the file specified is not a virtual disk”

    Here is my code for my VMDK

    # Disk DescriptorFile

    # Extent description
    RW 1953525168 FLAT “MyImage.001” 0

    # The Disk Data Base

    ddb.virtualHWVersion = “8”
    ddb.longContentID = “3dbffea22e044ddc2bb9220dfffffffe”
    ddb.uuid = “60 00 C2 99 79 81 fe 89-c6 64 c8 c2 19 93 b1 ea”
    ddb.geometry.cylinders = “121602”
    ddb.geometry.heads = “255”
    ddb.geometry.sectors = “63”
    ddb.adapterType = “lsilogic”


    • jimmyweg

      April 28, 2016 at 11:08 am

      Let’s check the easies thing first: make sure that your image name in the vmdk is precise. Nxet, double check the geometry, e.g., number of sectors. I take it that your target is a single image file and not a mounted image. Let me know what you find.


      • Steve Linn

        April 28, 2016 at 3:03 pm

        I got a little farther along

        I changed text editor to Notepad++

        got my sector count from FTK Imager

        I was able to go through the entire process – mounting it to the Z: drive and editing the registry hive.

        I did not change the password because I did not need to — I know the password

        When I go to power on the machine I get the error “failed to lock the file…cannot open the disk E:\MyImage.vmdk or one of the snapshots it depends on.

        Module ‘Disk’ power on failed.


        • jimmyweg

          April 28, 2016 at 3:32 pm

          This error usually resolves with a host system reboot.


          • Steve Linn

            April 29, 2016 at 11:03 am

            Little further along….
            Able to install the VM and open it in VMWare – however it says it cannot start normally. I tried to stop the VM and restart it – same issue — should I attempt to repair it?

          • jimmyweg

            April 29, 2016 at 12:02 pm

            You shouldn’t need to do a repair if the original system was working okay. First, choose “no” and see what happens. What OS is the guest?

          • Steve Linn

            April 29, 2016 at 12:26 pm

            The computer worked fine, it was a Win 7 x64

          • jimmyweg

            April 29, 2016 at 12:56 pm

            Then it has to boot in VMware if you correctly created the vmdk, edited the registry, and took a snapshot. Try to back to the first snapshot and boot. Don’t do a repair at that point.

  7. Kevin Chaney

    July 10, 2015 at 11:00 am

    I keep getting this BSOD on every machine I try:

    Stop 0x0000007B

    Any ideas?


    • jimmyweg

      July 10, 2015 at 12:09 pm

      What OS is your VM?


      • Shelby Mertins

        September 21, 2015 at 1:59 pm

        I’m having this problem trying to boot to Windows 7.


        • jimmyweg

          September 21, 2015 at 2:06 pm

          If it’s the same issue that Patrick last reported, it seems to be a Windows issue. Try the repair. Does it boot to safe mode? I get that screen all the time and simply elect to start Windows normally. Go back to square one and make sure that you get the registry edited before your first attempt, in case something was corrupted when you first built the VM.


      • Matthew

        February 10, 2016 at 1:06 pm

        Hi Jimmy
        I keep getting Stop code 0x0000007B on boot
        My OS is Win XP.
        I suspect it cannot boot because I have not changed the appropriate setting in the registry. I looked and cannot find the LSI_SCSI key (probably becuase this is XP).
        Is there an XP version of this key I can change?

        Thanks in advance!


  8. Hannah

    March 12, 2015 at 7:50 am

    Great article but I am having problems mapping the drive. I am using Workstation 10. It seems to map the drive but when I click on it, it says to format the drive. When I try to start the VM, I get a disk error. I can mount the dd and browse the folders using FTK Imager. Any ideas? Thx!


    • jimmyweg

      March 12, 2015 at 8:29 am

      Perhaps your geometry is wrong. Check your vmdk file and be sure that the C-H-S settings are correct. H=255, S=63, C=Total Sectors/255/63. Your total (physical) sectors should be included in the file, too, of course.


      • Hannah

        March 12, 2015 at 2:52 pm

        [Drive Geometry]
        Cylinders: 60,801
        Tracks per Cylinder: 255
        Sectors per Track: 63
        Bytes per Sector: 512
        Sector Count: 976,773,168

        VMDK File
        # Disk DescriptorFile

        # Extent description
        RW 60802 FLAT “nt2935.001” 0

        # The Disk Data Base

        ddb.adapterType = “lsilogic”
        ddb.encoding = “windows-1252”
        ddb.geometry.cylinders = “1”
        ddb.geometry.heads = “255”
        ddb.geometry.sectors = “63”
        ddb.virtualHWVersion = “4”


        • jimmyweg

          March 12, 2015 at 4:12 pm

          First, remove the commas in your sector count number, and RW should be 976773168. The ddb.geometry.cylinders should 60801. Create a vmdk file that contains the following:

          # Disk DescriptorFile

          # Extent description
          RW 976773168 FLAT “nt2935.001” 0

          # The Disk Data Base

          ddb.adapterType = “lsilogic”
          ddb.geometry.cylinders = “608001”
          ddb.geometry.heads = “255”
          ddb.geometry.sectors = “63”
          ddb.longContentID = “4840d9972d5edd9f0f8a2f4afffffffe”
          ddb.uuid = “60 00 C2 9e 44 a1 15 1d-5d 9b 29 09 73 ce 10 47”
          ddb.virtualHWVersion = “10”


  9. David Marques

    April 3, 2014 at 5:56 am


    Thanks for your excellent work and for sharing it!
    Just a quick question as you might have come across.
    I’m trying to write the System registry key as you said so, but on VMWare Workstation 8, when I try to map the partition as writable, got a Windows message saying it can’t open that drive letter.
    I’ve tried in VMWare Workstation 10, and I can map to a drive letter, but then I can’t open folder Config under Windows\System32, as says that I don’t have permissions. I tried of course to edit the permissions, but always get an error that can’t write.

    Have you ever came across something like it?



    • jimmyweg

      April 3, 2014 at 8:44 am

      If you can map the volume as writable with VMware, it seems to be a permissions issue, as you noted. Win 8 can be a little fussier than 7. Have you disabled UAC? First try the normal way through Control Panel. If that doesn’t work, try HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System and set EnableLUA to 0x00. Note that you will be unable to use Metro Apps (so what).


  10. saintbin

    September 21, 2013 at 2:45 am

    Hi Jimmy, may i got your need to boot from single dd image?
    1. i create a dd image from a system drive(logical drive) using ftk imager
    2. i create vmdk and VM according your posts step
    3. i load the VM system hive in my host’s registry and operated with your given method and removed the password use ntpwedit
    4. then i power on the VM, but the VM suspended on a starting but black screen. what’s the problem?

    can you help me ?


    • jimmyweg

      September 21, 2013 at 11:11 am

      I don’t know about a black screen, and what do you mean by “VM suspended”? If you’re not even getting to Windows, there may be a problem with your target’s boot loader. Make sure you give it enough time, as it can be slow sometimes. What is the OS?


  11. saintbin

    September 21, 2013 at 1:34 am

    Hi jimmmy, thanks to you that post a great blog.

    but ia have a question, can you tell me, how to loaded the VM’s System hive in my host’s registry and then how to navigated to the current control set and then to HKLM\NEWSYSTEM\ControlSet001\Services\LSI_SCSI?

    waiting you reply!


    • jimmyweg

      September 21, 2013 at 11:09 am

      It’s in my posts, but mount your virtual disk after taking a snapshot. Mount it as writable. Then open regedit, and select load hive from the File menu, when your focus is on HKLM on your own registry. Navigate to the mounted virtual disk’s SYSTEM hive, select it, and give it a name. You should find the LSI_SCSI key in your mounted hive.


  12. Randy

    August 9, 2013 at 10:39 am

    Thank you for taking the time to put together such helpful information! I am using VMWare Workstation 8 on a Windows 7 x64 host, and I created a VM from an E01 image of a Windows 7 machine.

    I was unable to map the virtual drive, and the vmware.log exposed the problem: “failed to open \\.\PhysicalDrive11 the physical disk is already in use”

    To solve this problem, I closed VMWare Workstation 8 and started it again running it “As Administrator”. It was a permissions issue accessing the physical disk, and running as Administrator fixed it.


  13. Johan S

    June 12, 2013 at 4:54 am

    I solved it, I was not system admin. Thanks for a GREAT tutorial!


  14. Johan S

    June 11, 2013 at 11:01 pm

    Hi! Im stuck again. After mapping the “harddrive” with VM Ware as explained it shows in windows explorer, but it does not show in disk management and it does not show through regedit, so I can not choose the sytem file in it. I guess that some of my computer settings are not right. I would be wery happy if you could help me out again. Thanks for great information!


  15. Johan S

    June 10, 2013 at 5:56 am

    Jimmy, I seem to be stuck on the piece to edit the registry. Where is the video located? I dont see links to it on this page.


  16. Alan

    March 4, 2013 at 12:49 pm

    I have the same problem as Diego. My image is a raw, dd image that opens fine in WinHex Specialist. I made changes to the number of sectors and to the image file name in your template. I saved the file as a vmdk. I do not think I made a mistake.


    • jimmyweg

      March 4, 2013 at 4:41 pm

      Hi, Alan. The “The file specified is not a virtual disk” error typically indicates a problem with your vmdk or an issue with your image. If you want to send the vmdk to me, email it to jweg mt. gov. In WinHex, click on the physical image and send the Technical Details Report, too, if available. Make sure that your vmdk file is in the folder with your image. Check that no commas are in any numbers, e.g., sectors. Double check that you named the image correctly in your vmdk. Check your math for number of cylinders.


      • Alan

        March 4, 2013 at 5:48 pm

        Thanks for the offer to troubleshoot it. I’ll send it to you. I double checked all that you suggested so I am hoping you can shed some light. BTW, I hate captchas.


        • jimmyweg

          March 4, 2013 at 8:05 pm

          Sent you an email. I also hate Captchas, but you can’t believe how many spam comments I was getting. I wish that there was an alternative, and I do use other blockers.


  17. Hans Marius

    March 1, 2013 at 4:08 am


    Iam trying to bring up a machine from E01 file.

    You are using MyImage.001 in the vmdk file, but what should I type there when trying from an E01 file?


  18. windows xp startup programs

    February 2, 2013 at 3:27 pm

    Howdy! I just wish to give you a huge thumbs
    up for the great information you have got here on this
    post. I am returning to your blog for more soon.


  19. Brian

    January 22, 2013 at 2:18 pm

    Jimmy, what is required to get an XP image to boot up in the same manner? Thank you for your time.


  20. Diego

    December 17, 2012 at 8:48 pm

    I followed all steps with VMWare 8.x, but when I navigate to the vmdk file and click next I get the error: “The file specified is not a virtual disk”. I tried creating another VM and check the contents of the generated vmdk file, it contains some weird characters at the beginning and the end, but the file I made manually doesn´t. What could be the problem?


    • jimmyweg

      December 18, 2012 at 8:29 am

      That usually means that your vmdk file contains an error or the wrong type of virual disk. Are you trying to create a vm from a dd image If you’re trying to create a VM from an E01 or mounted disk, you want to open the vmx file after you follow the steps in mypost on E01s.


  21. Brian

    December 14, 2012 at 5:19 am

    Jimmy, I seem to be stuck on the piece to edit the registry. Where is the video located? I dont see links to it on thi spage.


  22. Phill

    November 9, 2012 at 4:27 am

    How did you figure out that you have to modify the registry?
    And do you know why setting the registry key to 0 seems to get it to work?


    • jimmyweg

      November 9, 2012 at 9:17 am

      First, Vista/7/8 VMs prefer SCSI disks. If you simply create one from scratch, SCSI is the default. As many have found, leaving an IDE drive in place usually results in a BSOD. IIRC, it’s a Stop 0x0000007B error, which should be a driver issue. It took a bit of testing and trial and error. The issue/conflicts doesn’t arise with a SCSI disk/drivers. But, the target system probably doesn’t use a SCSI disk, so it won’t load the driver at boot. Vista/7/8 include the LSI SCSI drivers, but we have to make them load at boot. All that takes is editing the driver’s Start value data to 0x00. Thereafter, the SCSI drivers will load at boot and the system will recognize your SCSI disk. Per MS, these are the available value data for Start values (summarized):

      0x0 Part of the (Boot) driver stack for the boot (startup), loaded by the Boot Loader.
      0x1 Represents a driver to be loaded (System) subsystem at Kernel initialization.
      0x2 To be loaded or started (Auto load) Control automatically for all startups,
      0x3 Load on Control but will not be started until demand, for example, by using the Devices icon in Control Panel.


  23. Stephane Denis

    October 12, 2012 at 1:32 pm

    Good stuff Jimmy!

    I didn’t like having to modify the registry though so I used:

    ddb.adapterType = “ide”

    in the vmdk file to avoid it.



    • jimmyweg

      October 12, 2012 at 5:29 pm

      Thanks, Stephane, I’m glad you found my post useful. Typically, Win7/Vista in VMware like SCSI drives, and XP uses IDE. However, if your VM boots, it doesn’t matter. If you have to strip a password and you use my approach for that, you have to mount the disk and edit the registry anyway. Even if you boot with a password-stripper disc, it edits the SAM, too.


  24. Jason

    September 19, 2012 at 9:17 pm

    Great Job here! Thanks so much for the step by step guide. Very informative.

    Few questions.

    Following the guide from ‘Creating a VM from 01 Images’ I was able to get a Win 7 64bit image to boot, but only once. After I shut it down and restarted it I keep getting the BSOD. I tried deleting everything and starting over but still had the BSOD. Anything changing outside of the files created in target directory, like in the VMWare Workstation folder/files? Any other thoughts on this?

    Also in this post in the section about editing the registry of the mapped image it says ‘In the next step, we’re going to edit the registry of our VM (we don’t do this in XP)’ What do you mean ‘we don’t do this in XP’. Do I not edit the registry in host system if its XP or do I not edit the registry of a XP image?

    Thanks again!


    • jimmyweg

      September 20, 2012 at 8:19 am

      >After I shut it down and restarted it I keep getting the BSOD.

      If it boots once, it should boot indefinitely, absent something that went wrong in the VM guest. If it BSODs again, don’t do anything until you mount the virtual disk and recheck the registry to be sure that the LSI SCSI Start=0x00. If it reverted back to its original state, perhaps try taking another snapshot after you re-edit the registry. Maybe you somehow set the disk to non-persistent, although I don’t think that you can do that.

      >Do I not edit the registry in host system if its XP or do I not edit the registry of a XP image?

      Correct, you don’t. XPs usually don’t come with the native LSI drivers, anyway. You build an XP VM with the standard IDE disk. Then, to get it to boot, you’ll have to do a Windows repair in mnost cases. I can do a post on that if you think it would help a number of folks.


  25. jbscarva

    September 14, 2012 at 10:32 am

    Excellent. Thanks very much!!!!


  26. Nadine Haven

    July 27, 2012 at 9:39 pm

    Thanks for the amazing info. I find these posts have a lot of material. I can’t wait to get a chance to impliment all these great posts. Thank you very much.


  27. Michael Beagle

    July 23, 2012 at 7:15 am

    Outstanding work. Ditto Mr.O’Sullivan’s Comments. Bookmarking and sharing (if you don’t mind).


  28. William O'Sullivan

    July 16, 2012 at 8:36 pm

    Excellent article and explanation. Thank you!

  3764 Hits