I've have looked at and considered Question about potential ISO infection and ISO verification and How do I check the hash of an ISO?
I've been concerned about security and I have been reading a lot about stuxnet and hearing a lot lately about the leaked NSA exploits and the more recent leaked exploits NYtimes
This made me consider the importance of a clean installation of Windows and how the Windows install itself could be used as an exploit.
Can an iso downloaded from Microsoft.com with seemingly correct hash truly be 100% safe to use on a Windows machine?
- Is there room for an exploit after a clean download?
After the iso is downloaded could there be an exploit to
Spoof the SHA1 using something similar to link
- Trick common software like hash calculator that checks SHA1 into saying that it is correct even if it is not.
- Compromise USB/DVD imaging software like unetbootin / win32 disk imager / rufus etc. during the "burning" of the iso.
The .iso would be downloaded from:
Windows Resource Protection
Windows Resource Protection aims to protect core registry keys and values and prevent potentially damaging system configuration changes, besides operating system files. wikipedia
An answer mentioned that Windows Resource Protection is enough to prevent someone from modifying an iso of Windows. I do not think that is true because there are plenty of programs to modify Windows iso. I fail to see how that will prevent a virus if you can add custom programs to the iso that can run at boot.
If you can prove that Windows Resource Protection is enough (which I don't think you can after looking at the links below) please explain why in your answer.
Here is an an example of programs that can modify a windows iso. Just so people do know that it is possible and how easy it is. nLite and RT7lite