Skip to content
/ UpdateWindowsRE-CVE-2022-41099 Public
forked from halsey51013/UpdateWindowsRE-CVE-2022-41099

Script to update Windows Recovery Environment to patch against CVE-2022-41099

0 stars 3 forks Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

tylermontneyacc/UpdateWindowsRE-CVE-2022-41099

BranchesTags
 
 

Repository files navigation

Overview

Forked from u/InternetStranger4You with some considerable changes.

Layout

Code is split between two modules:

  • Microsoft.Windows.PSGeneral
    • Wrapper code for DISM and ReAgentC
    • Extended tests for pending reboot
    • Automatic resizing/rebuilding of Windows RE partition
  • Microsoft.Windows.PSMitSec
    • Incorporating Microsoft.Windows.PSGeneral
    • Retrying Add-DismPackage, if necessary
    • Expanding the Windows RE partition, if necessary

Of course, the modules are for demonstration purposes. If you wish to use them properly, you should create manifest files and reference dependencies appropriately.

Logging

PSFramework is used instead of the built-in cmdlets.

Notes

  • Add-DismPackage always seems to fail once. The error message itself says it could be a temporary error (such as a race condition to update the Service Stack). Retrying after a few seconds always succeeds.
    • It was suggested that this could be due to in-place feature upgrades. I noticed this on a fresh install of Windows 10 21H2.
  • As mentioned under Layout, this script will automatically resize the Windows Recovery (WinRE) partition (if specified). By resize, I mean delete and rebuild.
    • Requires a GPT disk. Not that you can't use MBR, it's just I didn't feel like figuring that one out. Most disks should be GPT by now.
    • Requires an existing WinRE partition. This is to re-use the existing Winre.wim file. The .wim is present nowhere else locally. (Of course, the script itself would require one; otherwise, there's nothing to patch.)
  • Implement Test-PSMitSec_CVE202241099

TO-DO

Important

  • See if the patch is applied before updating.
    • Applying it again won't cause it to fail.
    • Patch can take a few minutes to apply. Microsoft Intune seems to run scripts more than once, so this would save time.
  • When Add-DismPackage fails for the first time, it outputs a ton of progress bar text (looks very messy). It should be suppressed.
  • Add parameter for Resize-WinREPartition to accept Winre.wim from alternate source (such as flash drive with install media).

Not-so Important

  • Improve variable/function names
  • Remove unnecessary variable initializations (I tend to write PS like C#)
  • Move some output from Verbose to Host

About

Script to update Windows Recovery Environment to patch against CVE-2022-41099

Resources

Readme
Activity

Stars

0 stars

Watchers

0 watching

Forks

0 forks
Report repository

Releases

No releases published

Packages

No packages published

Languages

  • PowerShell 100.0%