What About an XP VM?

From the start, my presentations concerned Windows 7 (and Vista).  When someone raised a question about XP, I thought it might be helpful to issue a post about building VMs from XP.  We go about it differently, and I’m going to presume we’re starting with a single, dd image.  First, we begin with a different vmdk descriptor file.  Here’s a screenshot:

With one, notable exception, the descriptor file is configured like the one that we used for Windows 7.  For XP, we use a standard IDE disk for our system.  Here’s a text file that you can edit, but change the extension back to vmdk.  It’s for use in VMware 9.  Use WordPad or an application that will respect the delimiters.  Remember, edit your file to identify the image name, number of physical sectors, and number of cylinders.

Next, I’ll go through the creation.

We chose the version of XP that’s on our target system.  If you come across Windows XP Media Center Edition, select XP Professional.  After the VM is created, take a snapshot.  If you want to strip passwords, use the procedure that I described earlier, and mount the disk as read-write and run a password stripper.

We don’t do shadow volume exams in XP, so we don’t need to mount the virtual disk in our SEAT workstation.  Nevertheless, as with any operating system, we probably have a need to run a VM of the target system for any number of reasons.  Our VM is ready to boot, or so we think.

Familiar sight?  I’ve found that the easiest and most effective fix for the BSOD is to do a Windows repair.  To do that, you need an installation disc of the same version of XP as your target.  Here, we need an XP Home CD or an ISO.

You can configure VMware to boot from your physical CD drive or an ISO image.

When you start your VM, make sure that it has focus (click your mouse in the VM).  When you see the POST screen, hit Escape once.

When you hit Escape, the screen should look like this:

Here, we’ll arrow down and elect to boot from the CD.  When you first try this, you may find that VMware doesn’t give you enough time to choose a boot option.  It can be quite frustrating, and a Glock is not the answer!  I’ll show you a more effective fix for this later.

After electing to boot from the CD, you’ll press a key when you see this message:

In the next video, we’ll follow along with the rest of the process.

The first decision screen is where we’re asked whether we want to install windows.  We’ll elect to do so, and then accept the license agreement.  Next, Windows finds an existing installation and offers choices.  We’ll choose  to repair the existing installation by pressing the R key.  Windows then proceeds through the setup.  During the installation, we’re offered some choices, which we can accept.  We also have to enter our license key.  After the reboot, we have a working VM.

Now that we’ve repaired our XP VM, it will boot just fine!  However, we may not be home free.  Often, the change in hardware will make Windows tell us that we must activate our XP installation.  There are a couple of options here.  If you’re in law enforcement, you can seek assistance through the Microsoft Law Enforcement Portal, which is a great resource.  If you’re not in law enforcement or want an alternative, there is a utility named WPA Kill, which you can find through a Google or a similar search engine.  I’m not advocating its use, but I do advocate complying with licensing requirements or otherwise being authorized to use a utility like this.

Many antivirus scanners will trap WPA Kill, so be sure to enter an exception so that you can download and save the file.  You can save a copy to a CD or include it in an ISO image.  If the activation requirement presents, you still can boot to Safe Mode, where you can run WPA Kill.  Sometimes, you may find that Windows offers you 30 days until you must activate your VM.  Of course, using snapshots can keep you “frozen” in time.

I’ll point out that XP can be difficult, and there are times when I’ve been unable to build a bootable VM.  Defects in the underlying operating system may be to blame.  There also can be troublesome driver issues.  In the latter cases, experimenting in Safe Mode may help.  There’s also a nasty issue that pops up now and then and which renders your keyboard and/or mouse unusable.  It’s a driver issue, and I haven’t figured out a fix, although Virtual Forensic Computing has.  If you want to start with an E01 image, you can mount the image and build your VM from a physical disk as I described in a previous post.  You also can use segmented images.

As promised, here’s a way to gain some time when you want to hit Escape to see the boot menu:  In Windows 7, go to \ProgramData\VMware\VMware Workstation.  Here, you’ll create or edit a file named settings.ini.  In the file, type the line Bios.bootDelay=”3000″.  That will force a three-second delay before your system boots.  If you want more time, enter the number of milliseconds, e.g., “5000” is five seconds.  Use quotation marks around the number.


Leave a Reply

Your email address will not be published. Required fields are marked *