Ryan Bennett
Batch file to disable Windows boot partition from booting
I work for a State agency that manages tens of thousands of machines, and as part of our retiring process we have been using diskpart to disable the active bit on the partition so that it will not boot again so that a worker can't just go grab any machine off the storage shelf and put it back into production. This has been working fine until PGP was updated and now with that update PGP disables changes to the MBR so our batch script no longer works to disable the machines from booting up. I have been messing around with the wmic commands to see if I can get them to disable the drive in the BIOS but I am not having much luck, probably because I don't have much experience with them.
I ask for a batch file because I am more familiar with it, but I am open to anything that will work and help me get this to work. Any help is very much appreciated.
-Ryan
Please try this process.
If you don't have it, download PSTools from Microsoft SysInternals Website, extract the tools, install them, and run PSEXEC.EXE and accept the license agreement.
From a machine with the PGP tool installed, presuming your batch file is named "DisableBoot.BAT" do the following from an administrative-level command prompt:
psexec.exe -d -i -s cmd.exe /k "C:\Tools\DisableBoot.BAT"
The -d tells the PSExec to not wait for the PSExec process to complete.
The -i tells PSExec that the command to be executed needs to interact with the existing desktop application.
The -s tells PSExec that the command will run as local System.
The /k tells the command processor to remain after completing the execution of DisableBoot.bat. This is for debugging purposes only.
ASKER
Dan - We are putting the batch script into a ZENworks bundle and then force running that bundle on machines that are being retired. So yes, this needs to be set up to basically run remotely.
WalkaboutTigger - I could not get the command to work no matter how I massaged it. Question on that though: I'm wondering how running it this way would be different from simply manually or remotely running or calling the batch script. I'm not super familiar with PSExec so I could totally be wrong, but even though psexec is calling the batch file, my thinking is that PGP would still block modification of the MBR.
Thanks very much!
ASKER
I say "it will run remotely", but actually ZENworks will in reality be downloading the script to each local machine then triggering it locally on the machine for us, so the script itself will be running as if someone executed it from the local machine, but it is all automated without interaction except of a password prompt for security so we can't accidentally disable all the machines in a given department.
Hope that explains it better, sorry if I'm confusing the issue.
You could use HxD or another disk-level hex editor and test deleting the beginning of the disk until you find the part that is not protected by PGP.
Then check how much you need to delete to make the disk un-bootable.
PGP may block it from a normal user, but may not from the SYSTEM account.
Are you using a unified or single-vendor workstation platform? If so, you could use a manufacturer-specific BIOS utility to change the SATA mode from AHCI to normal or, if PGP is using the TPM, you could reset the TPM to factory defaults using a BIOS-specific utility.
What hardware manufacturer are you using?
ASKER
We have a variety of hardware vendors, but I have been trying a similar approach with wmic commands to disable the disk without any luck.
And I had read somewhere about deleting the first 512 bytes of the disk might be the answer. But not sure how to script that.
Could either of you give an example of how to go about either of these approaches?
You could delete/rename the file c:\bootmgr, which would prevent Windows from loading.
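An added example of the bootmgr approach just suggested, written as the DisableBoot.BAT that the earlier psexec command refers to; it is not a script from this thread, from PGP or from ZENworks. It assumes a BIOS/MBR install where bootmgr sits on the lettered system drive (on Windows 7 and later it often lives on the unlettered System Reserved partition instead, in which case the script stops without changing anything), adds the confirmation prompt the asker described, and clears the hidden/system/read-only attributes that otherwise make the rename fail with "Access denied".

```batch
@echo off
rem DisableBoot.BAT - added example, not a script from the original thread.
rem Renames bootmgr so a retired machine can no longer start Windows.
rem Reversible: ren %SystemDrive%\bootmgr.retired bootmgr
setlocal
set "BOOTMGR=%SystemDrive%\bootmgr"
set "LOG=%SystemDrive%\DisableBoot.log"

rem Guard 1: require an elevated token or SYSTEM (High or System integrity SID),
rem which is what "psexec -s" from the earlier answer provides.
whoami /groups | findstr /c:"S-1-16-12288" /c:"S-1-16-16384" >nul
if errorlevel 1 (
  echo Not running elevated or as SYSTEM; aborting.
  exit /b 2
)

rem Guard 2: bootmgr must be on the lettered system drive for this script to apply.
if not exist "%BOOTMGR%" (
  echo %BOOTMGR% not found; bootmgr is probably on the unlettered System Reserved partition.
  exit /b 3
)

rem Guard 3: the asker's accidental-run protection, here as "type the machine name".
set "CONFIRM="
set /p CONFIRM=Type this machine's name (%COMPUTERNAME%) to disable booting, anything else to abort: 
if /i not "%CONFIRM%"=="%COMPUTERNAME%" (
  echo Confirmation mismatch; nothing changed.
  exit /b 4
)

rem bootmgr is marked read-only, hidden and system; ren fails until those are cleared.
attrib -s -h -r "%BOOTMGR%"
ren "%BOOTMGR%" bootmgr.retired || (
  echo Rename failed - file permissions or PGP may be blocking it.
  attrib +s +h +r "%BOOTMGR%"
  exit /b 5
)
attrib +s +h +r "%SystemDrive%\bootmgr.retired"
echo %DATE% %TIME% %COMPUTERNAME% bootmgr renamed to bootmgr.retired by %USERNAME%>>"%LOG%"
echo Done: %COMPUTERNAME% will not boot Windows until bootmgr.retired is renamed back.
endlocal
exit /b 0
```

The exit codes (2 to 5) let a ZENworks bundle distinguish "not elevated", "bootmgr not on C:", "operator aborted" and "rename blocked" instead of treating every failure alike.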
ASKER
Huh, I had not even thought of that one. I'll have to try that tomorrow. Should not be hard at all. Leave it to me to be as complicated as possible right out of the gate.
ASKER
I have not had a chance to get back to this yet to try it out but I will on Monday.
ASKER
Appears that it can't be done in a way that is workable and not getting much interest from the "experts" to even attempt a workable script.
Cause if you don't, then just boot from a memory stick with Linux and wipe the partition table.
Of course, if you don't do this remotely then you could just pull the HDD out...
HTH,
Dan