In Windows 10, the Windows Recovery Environment (WinRE) can be launched by repeatedly cutting power to the computer during the boot sequence. This allows an attacker with physical access to a desktop machine to gain administrative command-line access, at which point they can view and modify files, reset the administrative password using various techniques, and so on.

(Note that if you launch WinRE directly, you must provide a local administrative password before it will give you command line access; this does not apply if you launch WinRE by repeatedly interrupting the boot sequence. Microsoft have confirmed that they do not consider this to be a security vulnerability.)

In most scenarios this doesn't matter, because an attacker with unrestricted physical access to the machine can usually reset the BIOS password and gain administrative access by booting from removable media. However, for kiosk machines, in teaching labs, and so on, measures are usually taken to restrict physical access by, e.g., padlocking and/or alarming the machines. It would be very inconvenient to have to also try to block user access to both the power button and the wall socket. Supervision (either in person or via surveillance cameras) might be more effective, but someone using this technique would still be far less obvious than, e.g., someone attempting to open the computer case.

How can the system administrator prevent WinRE from being used as a back door?


Addendum: if you are using BitLocker, you are already partially protected from this technique; the attacker will not be able to read or modify files on the encrypted drive. It would still be possible for the attacker to wipe the disk and install a new operating system, or to use a more sophisticated technique such as a firmware attack. (As far as I am aware firmware attack tools are not yet widely available to casual attackers, so this is probably not an immediate concern.)

Harry Johnston
  • It also should be noted that physical access isn't a requirement, if only repeatedly failing power during boot is necessary. That could happen accidentally, too. – I'm with Monica Oct 11 '17 at 07:21
  • BTW, if an attacker has physical access to your PC, he has nearly reached his goal. – glglgl Oct 11 '17 at 15:21
  • @glglgl, it greatly increases the risk, obviously. But in this use case, the potential attacker is typically someone who *has* to have access to the computer, because that's what it's there for. We can't eliminate all risks, but that doesn't mean we should give up and ignore the ones where we can. – Harry Johnston Oct 11 '17 at 20:00
  • Windows 10 WinRE doesn't give you access to command prompt without admin password. In its flows, you get prompted to pick one of the admin accounts of Win10 and provide password for that account. Only when that verification passes, you get to access command prompt and other features like system reset. – videoguy Dec 02 '18 at 05:24
  • @videoguy, if you launch WinRE by repeatedly interrupting the boot sequence, it **does** give you access to a command prompt without an admin password. Don't ask me why. That's just the way it works. This was already mentioned in the question. – Harry Johnston Dec 02 '18 at 05:58

4 Answers

37

You can use reagentc to disable WinRE:

reagentc /disable

See the Microsoft documentation for additional command-line options.

When WinRE is disabled in this way, the startup menus are still available, but the only option that is available is the Startup Settings menu, equivalent to the old F8 startup options.


If you are carrying out unattended installations of Windows 10, and want WinRE to be disabled automatically during installation, delete the following file from the install image:

\windows\system32\recovery\winre.wim

The WinRE infrastructure is still in place (and can be re-enabled later using a copy of winre.wim and the reagentc command line tool) but will be disabled.

Note that the Microsoft-Windows-WinRE-RecoveryAgent setting in unattend.xml does not appear to have any effect in Windows 10. (However, this might depend on which version of Windows 10 you are installing; I have only tested it on the LTSB branch of version 1607.)

Harry Johnston
  • I would suggest also adding a recovery entry manually that isn't part of the `recoverysequence`. That will allow recovery without (hopefully?) being auto-started. – user541686 Oct 10 '17 at 20:46
  • There is a reason why WinRE is enabled on Win10. If your system fails to boot and you want to repair, WinRE tools help you do it. Once someone has physical access, all bets are off. Disabling it doesn't really help in that regard. One can easily create USB stick with WinRE and boot from it and now has access to whole C:\ drive. – videoguy Dec 02 '18 at 05:27
  • @videoguy, that's why we disable booting from USB in the BIOS, and alarm the cases so users can't reset the BIOS password. And of course we have the tools we need to repair the system without needing WinRE, or since these are kiosk machines, we can just reinstall. – Harry Johnston Dec 02 '18 at 05:57
17

Use BitLocker, or any other hard drive encryption. It's the only reliable and truly secure way to achieve what you want.

Swisstone
  • @HarryJohnston: I am not very familiar with Windows, but won't an attacker who has physical access to the computer _always_ be able to wipe the drive and reinstall the operating system? – Thomas Padron-McCarthy Oct 10 '17 at 05:44
  • @ThomasPadron-McCarthy, not if the BIOS is properly configured and they can't get the case open. – Harry Johnston Oct 10 '17 at 05:48
  • "It's the only reliable and truly secure way" This pretty much states the other answer is either invalid or gives a false sense of security. Elaborating on why that's so would turn this short answer into something helpful. – Mast Oct 10 '17 at 06:30
  • @Mast It succeeds in disabling the local recovery environment. It doesn't prevent booting from a USB stick to reset the password. It doesn't stop you from taking the hard disk out and connecting it to another computer. (But the OP already stated the latter wasn't a goal.) – poizan42 Oct 10 '17 at 10:40
  • This. If someone repeatedly cutting power to gain access is a concern, then putting the disk into a different computer certainly is, too. BitLocker (or similar software) is really the only way of preventing that. No credentials typed in, no disk access (not useful, meaningful access anyway; you can sure overwrite everything, but you can always smash the disk with a hammer, too). – Damon Oct 10 '17 at 11:49
  • @poizan42 the OP addresses this *other* concern elsewhere. They're only concerned with WinRE *for the purpose of this question*. – AncientSwordRage Oct 10 '17 at 12:29
  • @Damon, I'm not sure you understand the scenario. How is the attacker going to remove the hard drive if they can't open the computer case? (Yes, physical security can be bypassed if you're determined and/or reckless enough, but we're not talking about nuclear launch codes here.) – Harry Johnston Oct 10 '17 at 19:56
  • @HarryJohnston how are they able to repeatedly cut power and physically control it, but unable to open the case? What's preventing them from cutting the case open? – Tim Oct 10 '17 at 20:31
  • @Tim, that's an acceptable risk, because (a) it is unlikely to happen, and (b) if it did, it would be fairly obvious and we'd have a good chance of catching the vandal via surveillance footage and/or entry logs. We could even get the police in to take fingerprints! To expand on (a) the underlying problem is that there are a significant number of people who (either subconsciously or consciously) don't really believe that hacking is dishonest. If there's some way to break into a machine that doesn't involve causing physical damage or risking setting off an alarm, they'll take it. – Harry Johnston Oct 10 '17 at 20:39
  • ... and in the cases where someone *is* willing to cause physical damage, it is almost always done in order to steal the equipment, not to hack into it. BitLocker would be essential if there was valuable data on the HDD, but that would be pretty unusual for a machine in this situation. – Harry Johnston Oct 10 '17 at 20:40
  • @HarryJohnston then just make the wire go into the wall, and the plug terminate behind the wall. If they’re so adverse to damaging it, they won’t cut the wire. – Tim Oct 10 '17 at 20:53
  • @Tim, yes, I already mentioned this class of solution in the question. But why go to all that trouble and expense when you can just disable WinRE instead? – Harry Johnston Oct 10 '17 at 21:16
  • I can now confirm that WinRE will not have access to BitLocker-encrypted drives unless you can provide the recovery key. – Harry Johnston Oct 10 '17 at 22:56
1

BitLocker also works in the case when someone steals your hard drive and uses it as a secondary drive in his PC, so that the PC boots with his OS and the secondary hard drive is a data drive only; it does not require any password, and if it is not protected by BitLocker anyone can easily explore its contents. Please be careful trying this, because repeating this behaviour can cause serious corruption of data.

Always use encryption to prevent this kind of problem. Please read this for further information about disk encryption.

Disk Encryption

  • What on earth are you talking about? If you want to mount a BitLockered drive as a secondary drive, you need its recovery key. If you do anything to upset the TPM in the host machine, you need its recovery key. If you boot off a portable copy of Windows, you'll need its recovery key. – Mark Henderson Oct 10 '17 at 15:19
  • @Mark, I think you've misinterpreted this answer; it is saying that if you *don't* use BitLocker then an attacker can steal the hard drive and access the contents. On the other hand, it completely misses the point of the question, which refers to computers that have been physically secured; if the attacker can't get the case open, they can't steal the hard drive. – Harry Johnston Oct 10 '17 at 19:45
  • Exactly @Harry Johnston, I meant to say that encryption provides you more security. – TAHA SULTAN TEMURI Oct 11 '17 at 05:04
  • @HarryJohnston If an attacker can't get the case open, he's not trying hard enough. A hacksaw and some elbow grease will "open" any computer case, to say nothing of power tools or an old-fashioned "smash and grab". Not to say that this is a likely risk for use case, but still, ["physically secured" is a relative term, and almost never all that secure, in reality](https://www.theregister.co.uk/2007/11/02/chicaco_datacenter_breaches/). – HopelessN00b Oct 11 '17 at 17:19
  • @HopelessN00b, yes, it's all about risk profiles. – Harry Johnston Oct 11 '17 at 19:53
0

Run the following command to stop the Recovery Environment from launching due to shutdown failures (which includes intentionally yanking the power cord):

bcdedit /set {current} bootstatuspolicy ignoreallfailures

Also add this to disable the Recovery Environment:

bcdedit /set {current} recoveryenabled no

Both are under the Windows Boot Loader section of the BCD store.
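An added audit-and-enforce script for kiosk builds, not from any of the answers above: it checks whether WinRE is still reachable from the boot path and, with -Apply, makes both the reagentc change from the accepted answer and the two bcdedit settings from this answer, then re-verifies. The function names are my own; it assumes an elevated PowerShell on Windows 10 with reagentc.exe and bcdedit.exe on the PATH.

```powershell
# Added example: audit/enforce the WinRE hardening discussed in this thread.
# Assumes an elevated prompt; reagentc.exe and bcdedit.exe are the stock tools.

function Get-WinREState {
    # reagentc /info prints a line such as "Windows RE status:   Enabled"
    $info = & reagentc.exe /info 2>&1 | Out-String
    if ($info -match 'Windows RE status:\s+(\w+)') { return $Matches[1] }
    return 'Unknown'
}

function Get-BcdRecoverySettings {
    # bcdedit /enum {current} lists the running loader entry; recoveryenabled
    # and bootstatuspolicy are simply absent if they were never set.
    $out = & bcdedit.exe /enum '{current}' 2>&1
    $settings = @{ recoveryenabled = $null; bootstatuspolicy = $null }
    foreach ($line in $out) {
        if ($line -match '^\s*(recoveryenabled|bootstatuspolicy)\s+(\S+)') {
            $settings[$Matches[1]] = $Matches[2]
        }
    }
    return $settings
}

function Test-WinREHardened {
    # PowerShell -eq is case-insensitive, so "No"/"no" and
    # "IgnoreAllFailures"/"ignoreallfailures" both match.
    $bcd = Get-BcdRecoverySettings
    return ((Get-WinREState) -eq 'Disabled' -and
            $bcd.recoveryenabled -eq 'No' -and
            $bcd.bootstatuspolicy -eq 'IgnoreAllFailures')
}

function Invoke-WinREHardening {
    param([switch]$Apply)   # without -Apply this only reports
    if (Test-WinREHardened) { Write-Output 'WinRE already disabled; nothing to do.'; return }
    if (-not $Apply) { Write-Output 'WinRE still reachable from the boot path; rerun with -Apply.'; return }
    & reagentc.exe /disable | Out-Null
    & bcdedit.exe /set '{current}' recoveryenabled no | Out-Null
    & bcdedit.exe /set '{current}' bootstatuspolicy ignoreallfailures | Out-Null
    if (Test-WinREHardened) { Write-Output 'WinRE disabled and BCD updated.' }
    else { Write-Warning 'Hardening did not take effect; inspect reagentc /info and bcdedit /enum output.' }
}

Invoke-WinREHardening
```

Run it once without -Apply to see which machines in the lab still report WinRE as enabled, then with -Apply to fix them; the quoted '{current}' keeps PowerShell from treating the braces as a script block.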