Elcomsoft System Recovery UEFI Support

June 16th, 2016 by Oleg Afonin
Category: «Elcomsoft News», «Security», «Software»

As you may already know, we’ve released an update to Elcomsoft System Recovery, a tool allowing to reset or recover Windows and Microsoft Account passwords by booting from an external USB drive. The new build allows creating bootable USB drives for devices exclusively relying on UEFI bootloaders. Why was this change needed? Read below for an answer!

UEFI Boot Support

If you need access to Windows protected files (and files containing password hashes are always protected), you will either require administrative privileges or must boot a separate copy of Windows from a separate boot media. Elcomsoft System Recovery has always come with the ability to create such bootable media.

As computers evolved, industry moved to 64-bit computations. During the last decade, CPU manufacturers migrated completely to 64-bit architecture. Some years later, it became obvious that legacy BIOS was no longer relevant in the new age. BIOS was superseded with UEFI.

To maintain compatibility with legacy operating systems, most systems of that time period came with support for legacy boot mode (BIOS emulation, “compatibility mode”) enabled out of the box. As operating systems evolved, manufacturers started gradually phasing out legacy support. Today we have reached the point where many new devices (2013 and newer) come without any sort of BIOS emulation at all.

Elcomsoft System Recovery comes with a customized bootable Windows PE environment. By booting from this media, customers can gain access to existing Windows installations even if they don’t know the correct password. For a long time, Elcomsoft System Recovery was relying on legacy compatibility mode to boot. This is no longer an option. The increased share of devices shipping without BIOS emulation or legacy boot support required us to adapt.

This was the reason why we included two new choices, allowing you to create bootable media for 32-bit and 64-bit UEFI systems. Making one is easy. First download Elcomsoft System Recovery; choose your desired language; accept Terms and Conditions and enter your product key.

Accept T&C and enter your product key when prompted. At this point, you’ll be able to make a bootable disk (e.g. a USB flash drive) or create a bootable ISO image for later use.

At this point, you can choose between 32-bit BIOS, 32-bit UEFI and 64-bit UEFI configurations. 64-bit UEFI is the most common choice for today’s hardware with the exception of budget nettops, convertibles, Windows tablets and hybrid devices.

32-bit UEFI

The appearance of UEFI coincided with the introduction of 64-bit processors. Today, you’re unlikely to find a general-purpose 32-bit Intel CPU. However, some very modern computers can only run 32-bit versions of Windows. Many budget Windows tablets, convertibles and hybrid computers (for example, many systems built on the Intel Z3570 or Z3770) are physically unable booting a 64-bit version of Windows. Why?

UEFI requires the firmware and operating system loader to be size-matched. Devices that ship with a 64-bit UEFI only load a 64-bit operating system bootloader or kernel. Similarly, devices equipped with a 32-bit UEFI can only load a 32-bit OS bootloader or kernel. Now, once the OS kernel takes over, it can switch to a different processor mode, which, however, restricts usage of the runtime services.

In practical terms, this means that any device that ships with a 32-bit UEFI will be unable to boot into a 64-bit version of Windows. Without legacy compatibility (BIOS emulation) mode, attempting to boot these devices into anything but 32-bit Windows with 32-bit UEFI support will fail. Examples of such devices include the first model of Dell Venue Pro 8 and many models of Lenovo ThinkPad 8 equipped with 2 GB of RAM. In order to gain access to these devices, experts must use 32-bit bootable media.

We had to include a 32-bit UEFI module to support the many budget Windows tablets and convertibles equipped with certain ultra-low power Intel Atom chipsets. As these devices can only run 32-bit versions of Windows, they are physically unable to boot from a 64-bit media.

At this point, we updated to Elcomsoft System Recovery to support for both 32-bit and 64-bit UEFI bootloaders. Customers using the latest version of Elcomsoft System Recovery can create as many as four different types of bootable media, which include legacy BIOS, 64-bit BIOS, 32-bit UEFI and 64-bit UEFI. In order to create a bootable 32-bit UEFI drive, choose this option:

What Next?

Once you make a bootable USB drive, connect it to the computer you’re about to investigate. Configure the device to boot from external media. If you’re booting a tablet, convertible or hybrid device equipped with a single micro USB port, you may need to use an OTG cable in combination with a USB hub (or a dedicated OTG USB hub if you have one). In order for the bootable environment to detect mouse and keyboard, those must be connected to the device prior to boot (hence the use of a hub). Connecting a bootable flash drive to a single USB port, removing it after boot and connecting a keyboard will not allow the bootable environment to load the correct keyboard drivers. In our tests, we found that USB 2.0 hubs are usually more compatible when it comes to bootable environments compared to USB 3.0 hubs.

Once you boot into Elcomsoft System Recovery and accept the license agreement, you’ll see the list of available Windows partitions.

2

Let’s choose partition C: and choose the local password storage (SAM database).

3

You can now specify whether you’re going to reset a local account password, dump password hashes, backup or restore the entire SAM database.

4

If you need to recover the original password, you’ll probably want to dump password hashes and let Elcomsoft Distributed Password Recovery break that account password on another PC. If, however, you just need access to a certain Windows account, you can simply reset its password.

10

11


REFERENCES:

Elcomsoft System Recovery

Reset passwords to local Windows accounts and Microsoft Account and perform a wide range of administrative tasks. Assign administrative privileges to any user account, reset expired passwords or export password hashes for offline recovery, and create forensic disk images. Elcomsoft System Recovery is ready to boot thanks to the licensed Windows PE environment, allowing administrators to access locked computers.

Elcomsoft System Recovery official web page & downloads »