This tab is dedicated entirely to working with Offline Windows installations. The tools on this tab are intended to operate on an installation of Windows that does not boot by itself, or cannot be repaired from within its own environment. In offline mode, d7x can be run from:
- A Tech Bench Computer (which I will refer to as a TBC from here on out) with an infected or troublesome Windows install attached as a slave hard drive or via USB dongle.
- A Windows PE based boot medium, where d7x has write access to its own directory, e.g. a bootable network image or flash drive. It will NOT work when running FROM a CD; however, it will work just fine FROM a flash drive when the machine was booted from a CD.
- Any version of Windows PE should work, provided the VB6 runtimes are installed. I currently use a VistaPE slim build over the network which I compiled from a package from … I think some Winbuilder site. It works great in this environment.
- I can provide a workaround upon request if it doesn’t work in your favorite blend of WinPE…
You must select a target partition to operate on. By default, if d7x detects a Windows installation that is not the current live system, it selects that partition. For example, you attach a slaved drive to your TBC and Windows assigns it a drive letter; pretend it is the F: drive. When you start d7x and switch to the Offline tab, it should automatically select the F: drive as the target.
Note that if the drive letter was added to the TBC after you started d7x, you may need to hit the refresh button next to the drop down box.
Beside the Target Partition selection box, you have some information d7x attempts to gather from the target partition.
- Suspected OS – This will either read Windows XP or Vista+. I cannot detect any further than this currently (at least not without loading the registry).
- Windows Dir – This one is obvious, but what may not be, is that clicking on the label will open that directory!
- User Profile Dir – This one is obvious, but what may not be, is that clicking on the label will open that directory!
- Latest Minidump – Also obvious information, yet clicking on this label will launch Nirsoft’s Blue Screen View (if in your 3rd Party Tools directory) and configure it to point to that partition automatically, letting you examine the minidumps with one click!
This option will remove passwords from a Windows XP, Vista, 7, 8.x, or 10 system with ease. What it cannot do is remove Microsoft account passwords (the online accounts).
Disable BSOD AutoReboot & Enable Minidumps
Disable Windows auto-reboot on a blue screen, and enable minidump reporting. Both useful to allow you to examine the crash information.
Edit Offline Registry
Loads all registry hives (System, Software, the NTUSER.DAT files for each user, etc. etc.) from the offline Windows installation into the current system registry under HKLM with the prefix “guest_” (e.g. the System registry hive will load as HKLM\guest_System or the user ‘Bob’ will appear as HKLM\guest_Bob). This enables you to edit the registry of the offline Windows installation to fix various issues.
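The following is an added example, not d7x's own code, showing what the two items above do under the hood: it mounts the offline SYSTEM hive under HKLM with the same guest_ prefix d7x uses, then applies the CrashControl values behind "Disable BSOD AutoReboot & Enable Minidumps". It assumes the slaved drive is F:, the hive sits at the default path, and the shell is elevated on the TBC.

```powershell
# Added example (not d7x code). Load an offline SYSTEM hive as HKLM\guest_System,
# turn off auto-reboot on a blue screen, enable minidumps, then unload the hive.
# Assumptions: target drive is F:, default hive path, elevated PowerShell on the TBC.
param(
    [string]$TargetDrive = 'F:',           # assumed drive letter of the offline install
    [string]$HiveName    = 'guest_System'  # mirrors the guest_ prefix d7x uses
)

$hivePath = Join-Path $TargetDrive 'Windows\System32\config\SYSTEM'
if (-not (Test-Path $hivePath)) { throw "SYSTEM hive not found at $hivePath" }

# Mount the offline hive under HKLM. This only works while the target Windows
# is not running, which is exactly the offline situation this tab is for.
& reg.exe load "HKLM\$HiveName" $hivePath | Out-Null
if ($LASTEXITCODE -ne 0) { throw "reg load failed with exit code $LASTEXITCODE" }

try {
    # An offline hive has no CurrentControlSet link; resolve it from Select\Current.
    $current = (Get-ItemProperty "HKLM:\$HiveName\Select").Current
    $ccs     = 'ControlSet{0:D3}' -f $current
    $crash   = "HKLM:\$HiveName\$ccs\Control\CrashControl"

    # Record what was there before touching anything.
    Write-Host "Before:"; Get-ItemProperty $crash | Select-Object AutoReboot, CrashDumpEnabled | Format-List

    # AutoReboot=0 keeps the blue screen on screen instead of restarting;
    # CrashDumpEnabled=3 selects a small memory dump (minidump) written to MinidumpDir.
    Set-ItemProperty $crash -Name AutoReboot       -Value 0 -Type DWord
    Set-ItemProperty $crash -Name CrashDumpEnabled -Value 3 -Type DWord
    Set-ItemProperty $crash -Name MinidumpDir -Value '%SystemRoot%\Minidump' -Type ExpandString

    Write-Host "After:"; Get-ItemProperty $crash | Select-Object AutoReboot, CrashDumpEnabled | Format-List
}
finally {
    # Always unload, or the hive stays locked and the slaved drive cannot be released
    # cleanly. Force a GC first so PowerShell drops its open handles to the key.
    [GC]::Collect(); [GC]::WaitForPendingFinalizers()
    & reg.exe unload "HKLM\$HiveName" | Out-Null
}
```

The same load/edit/unload pattern applies to the Software hive and each user's NTUSER.DAT (HKLM\guest_Bob in the example above); the important part is that the hive is always unloaded before the drive is detached.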
Malware Removal Helper Tools
These items are the same as their counterparts on the d7x Tools tab, with the exception that they are operating on the offline installation of Windows.
YES, the Malware Search Tool will run on the offline partition’s file system AND registry!
Program Blocker is extremely useful to stop .exe files from running on a Windows installation when you cannot stop them from inside that running environment. When you use Program Blocker to block an .exe file, it stays blocked even after Windows loads normally from that drive, until you run d7x again and remove the Program Blocker rules, should you wish to do so.
Start Auto Mode
This button runs each item that is checked from the list, in that order.