NTLite "corrupts" admin privileges? (Win8.1 Virtio drivers)

newfrontiers

Hello good folk,

I'm a big fan of NTLite and a premium user. I just have a quick question which I can't seem to resolve on my own.

I've been banging my head against the wall for the past 3 days, trying every possible solution I can think of, to no avail: searched this forum, searched Google, etc.

I've created three Windows ISOs using NTLite so far - win11, win10 and win8.1.

I need all of them for research purposes, which I won't go into for the sake of keeping this thread succinct and to the point.

Win11 and Win10 work flawlessly, no issues there.

But with win8.1 NTLite seems to be "corrupting" the admin privileges somehow.

Since I'm installing the NTLite Win ISOs in KVM/QEMU Linux virtual machines, I use the Virtio drivers. And as said above, Win11 and Win10 work flawlessly.

But the NTLite win8.1 ISO cannot install the Virtio drivers.

I get this error:

[Image: 1694379670892.png]

I'm also attaching the full Virtio error log below.

Now, when I install the default Win8.1 ISO without modifying it with NTLite, and run the Virtio drivers, they install correctly and work totally fine.

Therefore, I must be doing something with NTLite which prevents the Virtio drivers from installing.

Judging from the default Win8.1 virtio installation VS the NTLite Win8.1 virtio installation, I can see that the default one prompts the Admin approval when installing the drivers, but the NTLite ISO does not.

Which leads me to believe that it might be something to do with the Admin Rights or privilege escalation, which I've disabled somehow (?)

For the past 3 days, I tried 14 different Win8.1 ISO permutations using NTLite with every solution I can think of and ALL OF THEM have the same Virtio error as shown above. I tweaked the components, the settings, the unattended, everything. Isolated different potential causes and tried to pinpoint the root cause. Nothing worked.

If anyone can provide any input, I will greatly, greatly appreciate it.

I'm also attaching my latest NTLite XML file.

Thank you!!!
 


Your log error resembles another open VirtIO issue.
[031C:08CC][2023-09-10T02:12:42]i301: Applying execute package: virtio_win_gt_x64.msi, action: Install, path: C:\ProgramData\Package Cache\{4C49C419-DE39-421B-B0F8-5F0DE1486869}v0.1.189\virtio-win-gt-x64.msi, arguments: ' ARPSYSTEMCOMPONENT="1" MSIFASTINSTALL="7"'
[031C:08CC][2023-09-10T02:12:50]e000: Error 0x80070643: Failed to install MSI package.
[031C:08CC][2023-09-10T02:12:50]e000: Error 0x80070643: Failed to execute MSI package.
[0598:04D4][2023-09-10T02:12:50]e000: Error 0x80070643: Failed to configure per-machine MSI package.
[0598:04D4][2023-09-10T02:12:50]i319: Applied execute package: virtio_win_gt_x64.msi, result: 0x80070643, restart: None
[0598:04D4][2023-09-10T02:12:50]e000: Error 0x80070643: Failed to execute MSI package.

There's nothing in this preset that changes Admin rights or UAC elevation, unless it's part of your Post-Setup script or the imported reg file.
I would try it again, except with no Event Logs blocked.
 
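The installer log quoted in the reply above can be triaged mechanically. This is an added example, not part of the original thread or of NTLite/virtio-win: it parses those bootstrapper log lines, pairs the failed package with its result, and decodes the HRESULT 0x80070643 into its Win32 code. The function names and the record layout are assumptions made for the example.

```python
import re
from collections import Counter

# Log lines copied from the reply above. WiX Burn bootstrapper format:
# [process:thread][timestamp]<level><message id>: <message>
SAMPLE_LOG = r"""
[031C:08CC][2023-09-10T02:12:42]i301: Applying execute package: virtio_win_gt_x64.msi, action: Install, path: C:\ProgramData\Package Cache\{4C49C419-DE39-421B-B0F8-5F0DE1486869}v0.1.189\virtio-win-gt-x64.msi, arguments: ' ARPSYSTEMCOMPONENT="1" MSIFASTINSTALL="7"'
[031C:08CC][2023-09-10T02:12:50]e000: Error 0x80070643: Failed to install MSI package.
[031C:08CC][2023-09-10T02:12:50]e000: Error 0x80070643: Failed to execute MSI package.
[0598:04D4][2023-09-10T02:12:50]e000: Error 0x80070643: Failed to configure per-machine MSI package.
[0598:04D4][2023-09-10T02:12:50]i319: Applied execute package: virtio_win_gt_x64.msi, result: 0x80070643, restart: None
[0598:04D4][2023-09-10T02:12:50]e000: Error 0x80070643: Failed to execute MSI package.
"""

LINE = re.compile(r"^\[([0-9A-F]+):([0-9A-F]+)\]\[([^\]]+)\]([iwe])(\d{3}): (.*)$")
APPLIED = re.compile(r"Applied execute package: ([^,]+), result: (0x[0-9A-Fa-f]+)")
ERROR = re.compile(r"Error 0x[0-9A-Fa-f]{8}: (.*)")
FACILITY_WIN32 = 7
WIN32_NAMES = {1603: "ERROR_INSTALL_FAILURE"}  # only the code seen in this thread


def decode_hresult(value):
    """Split a 32-bit HRESULT into (failure bit, facility, code)."""
    return bool(value >> 31), (value >> 16) & 0x7FF, value & 0xFFFF


def triage(log_text):
    """Return (failed package records, error message counts) for a Burn log."""
    failed, errors = [], Counter()
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # blank or non-log line
        pid, _tid, ts, level, _msg_id, msg = m.groups()
        err = ERROR.match(msg)
        if level == "e" and err:
            errors[err.group(1)] += 1
        done = APPLIED.match(msg)
        if done and int(done.group(2), 16) != 0:
            _, facility, code = decode_hresult(int(done.group(2), 16))
            win32 = code if facility == FACILITY_WIN32 else None
            failed.append({"package": done.group(1), "time": ts, "pid": pid,
                           "win32_code": win32,
                           "name": WIN32_NAMES.get(win32, "unknown")})
    return failed, errors


if __name__ == "__main__":
    for rec in triage(SAMPLE_LOG)[0]:
        print(rec)
```

Win32 error 1603 is the generic MSI "fatal error during installation" code, so the bootstrapper log only identifies which package failed; the cause has to be read from the MSI's own verbose log or, for driver packages, from `%windir%\inf\setupapi.dev.log`.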
Thanks a lot for the reply! Yes, I saw this github thread as I was researching the problem.

However, in my case as I mentioned above, Virtio works perfectly fine and installs correctly on a default Win8.1.

But then it fails to install after I modify the Win8.1 ISO with NTLite.

Therefore, the common denominator is NTLite.

I must be doing something wrong with NTLite that's causing this issue.

And I already created 14 Win8.1 NTLite ISOs trying to fix the issue. One of the ISOs I created was with unblocked Event Logs, but it didn't work. So retrying again will achieve nothing, unless I find the root cause.

I'm not sure it's an Admin Rights problem, that's just my guess based on what I've observed thus far. It could be a totally different cause.

Thanks!!!
 
The issue relates to one of the management services, the only one I can imagine is WinRM (Remote Management).
 
Thanks a lot for the suggestion!

I just enabled some of those Remoting and Privacy components including the Remote Management, created a new ISO and installed it. Still didn't work, unfortunately. Same exact issue. These are the components I enabled:

[Image: 1694390845640.png]

And by the way, the reg and shell scripts that I'm loading in NTLite are simply 1-line scripts to change the default wallpaper of the Windows install. They are totally inert.
 
newfrontiers, will test this tomorrow, assuming you also had the same issue with just the preset without REG or PS1 additions, which are external to the tool.
 
Tested it on 8.1 in Proxmox, got the same error on a non-edited OS.
It is because those drivers inside the VirtIO are unsigned.
I rebooted the OS with the troubleshooting options (boot menu, option 7), to allow unsigned drivers.
Then the installation passed (you need to push install unsigned driver a few times).

So... I don't know how you saw no issues on a non-edited ISO, maybe it was an older version of VirtIO.
 
virtio-win driver signatures
All the Windows binaries are from builds done on Red Hat’s internal build system, which are generated using publicly available code. Windows 8+ drivers are cryptographically signed with Red Hat’s test signature. Windows 10+ drivers are signed with Microsoft attestation signature. However they are not signed with Microsoft’s WHQL signature. WHQL signed builds are only available with a paid RHEL subscription.

The drivers are cryptographically signed with Red Hat’s vendor signature. However they are not signed with Microsoft’s WHQL signature.

Warning: Due to the signing requirements of the Windows Driver Signing Policy, drivers which are not signed by Microsoft will not be loaded by some versions of Windows when Secure Boot is enabled in the virtual machine. See bug #1844726. The test signed drivers require enabling to load the test signed drivers. Consider configuring the test computer to support test-signing and installing Virtio_Win_Red_Hat_CA.cer test certificate located in /usr/share/virtio-win/drivers/by-driver/cert/ folder.
 
Thanks a lot for that!

I did a lot of additional troubleshooting myself over the last few days, and it turns out the NTLite preset itself was causing the issues. For some reason it was corrupting the Unattended, even though when I was loading the preset into NTLite the Unattended looked fine.

So finally, I loaded the Win8.1 ISO and manually built a new preset from scratch. I adjusted the Unattended myself, without loading any of the former presets. And voilà, everything works fine now. I installed the same Virtio drivers without issues.

Also yes, regarding your Virtio question, I am using a much older Virtio driver that's compatible with win8.1, i.e. 'virtio-win-0.1.189'

Just one last question regarding Win8.1, is it possible to remove/hide the "Build 9600" watermark in the bottom right corner via NTLite?

I tried adding a registry file as I was building the ISO, which should've in theory hidden the Build 9600, but it didn't.

[Image: 1694964701982.png]
 
Reg files can't remove the watermark since you're in TESTSIGNING mode. You need one of those 8.1 watermark editors, or a modified DLL.
Both of which are out of bounds for NTLite forum discussion, since they require patching binary files.

But you're not the first person with this exact problem.
 
Yeah, I thought so too, thanks for letting me know. I found a workaround for that.
 
newfrontiers, someone somewhere may have installed them signed and not used watermark disabling or file patching, or might even be willing to sign them; you don't know until you ask. Try your regular haunts and sign up to a few new ones if you have to, it might be worth it :cool:
Watermarks are a pain in the rear :/
 
Ah wow, thanks a lot for that! I already found a way to completely and permanently remove the watermarks, as I said in my previous comment, but didn't share it here because garlin mentioned this is outside the scope of this forum. And I don't want to infringe upon any of the rules.

Looking at the resources you've linked which cover very similar tools and if you think I should share how I did it, I can succinctly do so. It might help others in the future.
 