This month, Microsoft released the Malware Removal Starter Kit. And let me begin by saying how funny it is when things come around full circle.
The basic idea is that you can create a bootable CD that boots using a Windows PE operating system (OS). Windows PE is a watered down version of Windows that was originally designed as an OS for running the graphical portion of Windows Setup. Even so, there are a few antivirus applications that will run in a Windows PE environment (the Malware Removal Starter Kit gives you a full list).
While the Microsoft Malware Removal Kit itself is nothing more than a text file that you can download, that text file tells you how you can create a modernized version of the boot disk that I described earlier.
There are some obvious advantages to creating a CD for the purpose of removing malware from an infected system. One drawback, however, to this technique is that Windows PE does not support network connectivity, so you will not be able to download updated antivirus signatures. One way of getting around this problem is to place an updated copy of your antivirus software on to a USB flash drive. You can run the software directly from the USB flash drive, rather than using the version on the CD.
Creating a malware removal disk requires you to download and install the Windows Automated Installation Kit. You can run the Windows AIK on Windows XP (SP2 or higher), Windows Server 2003 (SP1 or higher) and on Windows Vista. The instructions that I am about to give you are for Windows XP and Windows Vista.
Creating the CD
The first step in creating a bootable Windows PE CD is to create a Windows PE build that you can place on the CD. To do so, follow these steps:
- Select the Windows PE Tools Command Prompt command from the Start | All Programs | Microsoft Windows AIK menu.
- At the command prompt, enter the following commands:
- copype x86 c:\WinPE
- imagex/mountrw winpe.wim 1 c:\WinPE\Mount
- reg load HKLM\_WinPE_SYSTEM c:\WinPE\Mount\windows\system32\config\system
- reg add HKLM\_WinPE_SYSTEM\ControlSet001\Services\FBWF /v WinPECacheThreshold /t REG_DWORD /d 96 /f
- reg unload HKLM\_WinPE_SYSTEM
Now that you have configured the Windows PE environment, you must prepare the antivirus software. There are a number of antivirus products that can be used, but for the purposes of this article, I am going to use Microsoft's Malicious Software Removal Tool. If you want to use something else, then I recommend consulting the Microsoft Malware Removal Starter Kit documentation to see if your particular product can be used.
Enter the following command to create a folder named Tools beneath the C:\WinPE\mount folder:
- mkdir c:\WinPE\mount\Tools
- Go to to download the Malicious Software Removal Tool. When prompted, save the file that you are downloading to the c:\WinPE\mount\Tools folder
- Enter the following command: peimg /prep c:\WinPE\Mount
- Type the word Yes when prompted, and press Enter
- Enter the following command: copy c:\WinPE\WinPE.wim c:\winpe\ISO\sources\boot.wim
- Press Y when prompted
- Enter the following command: oscdimg -n -bc:\WinPE\etfsboot.com c:\WinPE\ISO c:\WinPE\WinPE_Tools.iso
Doing that will create a 200 MB ISO file. Use CD burning software to create a bootable CD from this ISO file. When you boot the CD, the Malicious Software Removal Tool will not run automatically. You can find the Malicious Software Removal Tool in the CD's \Tools folder.
About the author: Brien M. Posey, MCSE, is a Microsoft Most Valuable Professional for his work with Windows 2000 Server and IIS. He has served as CIO for a nationwide chain of hospitals and was once in charge of IT security for Fort Knox. As a freelance technical writer, he has written for Microsoft, TechTarget, CNET, ZDNet, MSD2D, Relevant Technologies and other technology companies.
Dig Deeper on Endpoint security management tools