Windows 10

This section will cover downloading an existing, freely available Windows 10 Virtual Machine, uploading it to REVEN and configuring it to make it a good recording environment.

Downloading the VM

Microsoft provides Windows 10 Virtual Machines that can be downloaded from the Internet. For this guide, we will use the MSEdge on Win10 VM from Microsoft's Tool VMs page.

  1. Navigate to the Tool VMs page.
  2. Please review the license terms.
  3. Select the MSEdge on Win10 (x64) 1809 VM, then the HyperV platform.
  4. Click on Download.
  5. Unzip the MSEdge.Win10.HyperV.zip file you just downloaded on your machine.

Provisioning the VM disk

We will now upload the MSEdge VM's disk to the REVEN server, a step known as provisioning:

  1. Open up your REVEN installation's Project Manager (by default, point a web browser to http://<your_reven_host>:8880)

  2. Select the VM Manager tab.

  3. Click on Register QEMU VM

    Register QEMU VM

  4. The VM Import Wizard welcome screen shows up - click on Start.

  5. In the Select VM screen, locate the Provision a new VM section and click on Upload a new VM file from disk

    Import new disk

  6. Click on Browse.

  7. On your disk, select the file Virtual Hard Disks/MSEdge - Win10.vhdx extracted from the archive earlier.

  8. Click on Upload.

    Upload

  9. When the upload is over, click on Next. You are back at the Select VM screen.

Registering the VM

Now that the VM disk is available to the REVEN server, it is time to register it as a new VM.

Starting the registration

  1. After the end of the provisioning step, you were taken back to the Select VM screen.

  2. Locate the Register a new VM section.

  3. Ensure the disk file we uploaded is selected in the combo box. If not, select it.

  4. Click on Register.

    Upload

  5. This disk requires conversion to the qcow2 format REVEN uses:

    1. Check Remove original file.
    2. Click on Convert.
    3. When the operation is over, click on Next.
  6. On the Specify guest screen, select the following options for this VM:

    1. OS: Windows.

    2. Architecture: x64.

    3. Leave the other options unchanged.

    4. Click on Next.

      Specify guest

  7. On the Create disk snapshot screen, click Next.

Booting the VM for the first time

We are now ready to boot this disk for the first time.

  1. Boot the VM:
    1. Check Enable network.
    2. Click on Start.
    3. Click on Show in browser: the VM screen appears in a new tab or window.
    4. Log in: use the password Passw0rd! (as specified on the Microsoft VM page).
    5. Wait for the desktop to appear.

Configuring the guest

Now that the VM is booted, it is time to configure the guest environment:

  1. In the Project Manager, click on Insert Windows 10 lightener CDROM.
  2. Go back to the VM screen.
  3. Disable the KPTI protections (Kernel Page-Table Isolation, the Meltdown mitigation; this lowers the guest's security, which is acceptable for a dedicated analysis VM):
    1. Point a file explorer to the CD-ROM drive.
    2. Right-click on the file disable-kpti.bat and select Run as administrator.
    3. Wait for the VM to reboot and log in again.
  4. Disable the CompactOS option:
    1. Right-click on the Start menu.
    2. Click on Windows PowerShell (Admin).
    3. Type in Compact.exe /CompactOs:Never and press Enter.
    4. Wait for the operation to finish.
  5. Finally, make the VM lighter:
    1. Disable Windows Defender:
      1. Right-click on the Start menu, select Run.
      2. Type in gpedit.msc and press Enter.
      3. Navigate to Local Computer Policy\Computer Configuration\Administrative Templates\Windows Components\Windows Defender Antivirus\.
      4. Double-click on Turn off Windows Defender Antivirus and set the Enabled radio button.
      5. Close the Group Policy editor window.
    2. Run the provided script:
      1. In an Admin PowerShell window, type in Set-ExecutionPolicy Unrestricted.
      2. Confirm with Y.
      3. Then type D:\windows10_lightener.ps1.
      4. A dialog pops up, click on OK.
      5. When asked to reboot, click on OK.
      6. Log in again.
    3. Re-enable network-related services:
      1. Right-click on the Start menu, select Run.
      2. Type in services.msc and press Enter.
      3. Enable the service Windows Event Log by double-clicking it, selecting Automatic startup type and clicking OK.
    4. Force .NET 4 precompilation step:
      1. In an admin shell, type in C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe update /force and press Enter.
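The guest configuration above is a sequence of manual steps typed into an elevated PowerShell window. The script below is an added example (not part of the REVEN documentation or the lightener CD-ROM) that performs the same steps 4 and 5 from an admin PowerShell inside the VM. Because the lightener script forces a reboot, it is split into two phases: run it with -Phase PreReboot before the reboot and with -Phase PostReboot after logging back in. It assumes the lightener CD-ROM is mounted as D:, and it writes the Defender policy as the registry value DisableAntiSpyware under the Windows Defender policy key, which is what the "Turn off Windows Defender Antivirus" Group Policy setting stores. The KPTI step is left to the page's own disable-kpti.bat, since its contents are not shown here.

```powershell
#Requires -RunAsAdministrator
# Added example: automate the "Configuring the guest" steps of the REVEN Windows 10 guide.
# Usage (from an elevated PowerShell in the VM):
#   .\Configure-RevenGuest.ps1 -Phase PreReboot     # before the lightener reboot
#   .\Configure-RevenGuest.ps1 -Phase PostReboot    # after logging in again
param(
    [Parameter(Mandatory)]
    [ValidateSet('PreReboot', 'PostReboot')]
    [string]$Phase,
    [string]$LightenerDrive = 'D:'   # assumption: the lightener CD-ROM is mounted as D:
)

function Disable-CompactOs {
    # Step 4 of the guide. /CompactOs:Query prints the current state before we change it.
    $compact = Join-Path $env:SystemRoot 'System32\compact.exe'
    Write-Host "Before: $((& $compact /CompactOs:Query) -join ' ')"
    & $compact /CompactOs:Never
    if ($LASTEXITCODE -ne 0) { throw "compact.exe failed with exit code $LASTEXITCODE" }
}

function Disable-DefenderPolicy {
    # Registry equivalent of the gpedit setting "Turn off Windows Defender Antivirus = Enabled".
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender'
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    Set-ItemProperty -Path $key -Name DisableAntiSpyware -Value 1 -Type DWord
    Write-Host "DisableAntiSpyware = $((Get-ItemProperty $key).DisableAntiSpyware)"
}

function Invoke-Lightener {
    $script = Join-Path $LightenerDrive 'windows10_lightener.ps1'
    if (-not (Test-Path $script)) {
        throw "Lightener script not found at $script - is the lightener CD-ROM inserted?"
    }
    # The guide uses Set-ExecutionPolicy Unrestricted; scoping it to this process does the
    # same job for this one run without leaving a permanent policy change in the VM.
    Set-ExecutionPolicy -ExecutionPolicy Bypass -Scope Process -Force
    & $script   # shows its dialogs and then asks to reboot, as described in the guide
}

function Enable-EventLogService {
    # Step 5.3: re-enable the Windows Event Log service that the lightener disabled.
    Set-Service -Name EventLog -StartupType Automatic
    Start-Service -Name EventLog -ErrorAction SilentlyContinue
    $svc = Get-Service -Name EventLog
    Write-Host "EventLog: Status=$($svc.Status) StartType=$($svc.StartType)"
}

function Invoke-NgenUpdate {
    # Step 5.4: force the .NET 4 native image precompilation so it does not run during recordings.
    $ngen = Join-Path $env:SystemRoot 'Microsoft.NET\Framework64\v4.0.30319\ngen.exe'
    & $ngen update /force
    if ($LASTEXITCODE -ne 0) { Write-Warning "ngen.exe exited with code $LASTEXITCODE" }
}

switch ($Phase) {
    'PreReboot' {
        Disable-CompactOs
        Disable-DefenderPolicy
        Invoke-Lightener          # ends with the reboot prompt
    }
    'PostReboot' {
        Enable-EventLogService
        Invoke-NgenUpdate
    }
}
```

Before taking the snapshot later on, re-run compact.exe /CompactOs:Query and Get-Service EventLog to confirm the settings survived the reboot; if DisableAntiSpyware has no effect on a newer build, the Defender UI's tamper protection may be overriding the policy and the gpedit route on the page is the one to fall back to.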

Installing tools

At this point, we have done everything that is strictly necessary for REVEN. However, it is a good idea to install Visual Studio's runtimes and other tools to make using this VM easier.

  1. From your VM, open up the Edge browser.
  2. If the network does not work:
    1. Go back to the Project Manager
    2. Click on ACPI shutdown.
    3. Check Enable network.
    4. Click on Start.
    5. Wait for the VM to boot and log back in: the network should now work.
  3. Install the following tools - you can type the page's URLs or search for their title in your favorite search engine:
    1. vc_redist.x64.exe files from The latest supported Visual C++ downloads - at least 2019 and 2013 versions.
    2. Install Autologon64 to avoid typing the login password at each boot:
      1. Unzip the downloaded file.
      2. Run Autologon64.exe.
      3. Agree to the terms.
      4. Enter the login password Passw0rd! and click Enable.
      5. Check that autologon works by restarting Windows.

At this point, optionally you can also install any software you might want: a web browser, etc.

Finishing configuration

Now that your VM is configured, turn it off:

  1. Go back to the Project Manager.
  2. Click on ACPI shutdown.
  3. Click on Next.
  4. You can skip Finalize VM preparation, so click on Next again.

Taking the first Live Snapshot

Now that the VM is off, it is time to boot it into Emulation mode (which is the mode we can record in) and take a handy live snapshot for future recording sessions:

  1. Click on Start.

  2. Click on Show in browser.

  3. The VM will now automatically boot and log in. Wait a few minutes for the desktop to appear - this is slower than earlier, because of the emulation mode.

  4. Windows shows the desktop as soon as possible but keeps starting processes in the background. At this point, we want to wait until the boot process has effectively finished:

    1. Right-click on the Start menu and click on Task Manager.
    2. Wait for the CPU activity to drop to about 10-20% (the Task Manager itself usually accounts for about 10-15% of that).
    3. Close the task manager.
  5. We will often use a command-line during recording sessions, so we might as well start one now:

    1. Right-click on the Start menu and click on Run.
    2. Type in cmd and press Enter.
    3. Wait for the shell to appear.
  6. The VM is ready, it is time to take our live snapshot:

    1. Go back to the Project Manager.
    2. Locate the Take a live snapshot field.
    3. Type in a name, booted-cmd for instance.
    4. Click on Save.

      First live snapshot
  7. Now that a live snapshot exists, we can safely force shutdown the VM, since we will always restore this known-good state: click on Force shutdown.

  8. Click on Next.
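Steps 4 and 5 above (wait for the background boot activity to settle, then open a command prompt) can be done from a single PowerShell window inside the guest instead of watching Task Manager. The following is an added example, not part of the REVEN documentation: it polls the total CPU counter until it stays under a threshold for several consecutive samples (the threshold and sample counts are assumptions that mirror the page's "about 10-20%"), then starts cmd.exe so that the live snapshot captures a shell that is already open. Note that the Task Manager overhead the page mentions does not apply here, so the default threshold is on the low side of that range.

```powershell
# Added example: wait for the post-login boot activity to settle, then open the cmd.exe
# that the guide wants to be visible in the live snapshot.
function Wait-ForIdleCpu {
    param(
        [double]$ThresholdPercent = 15,  # assumption: "settled" means total CPU below 15%
        [int]$StableSamples = 6,         # consecutive samples that must be under the threshold
        [int]$IntervalSeconds = 5,       # seconds between samples
        [int]$TimeoutMinutes = 30        # give up after this long (emulation mode is slow)
    )
    $deadline = (Get-Date).AddMinutes($TimeoutMinutes)
    $below = 0
    while ((Get-Date) -lt $deadline) {
        # Get-Counter computes the rate counter over its own sample interval before returning.
        $sample = (Get-Counter '\Processor(_Total)\% Processor Time').CounterSamples[0].CookedValue
        Write-Host ('{0:HH:mm:ss}  CPU {1,5:N1}%  stable {2}/{3}' -f (Get-Date), $sample, $below, $StableSamples)
        if ($sample -lt $ThresholdPercent) { $below++ } else { $below = 0 }
        if ($below -ge $StableSamples) { return $true }
        Start-Sleep -Seconds $IntervalSeconds
    }
    return $false
}

if (Wait-ForIdleCpu) {
    # Equivalent of Run -> cmd in the guide: the shell is open when the snapshot is taken.
    Start-Process -FilePath cmd.exe
    Write-Host 'Boot activity settled and cmd.exe is open: take the live snapshot now.'
} else {
    Write-Warning 'CPU did not settle within the timeout; check Task Manager before taking the snapshot.'
}
```

The six-sample window matters more than the exact threshold: ngen, Defender (if still present) and Windows Update all produce short idle gaps, and snapshotting in one of those gaps would bake a half-finished background task into every recording that restores the snapshot.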

Preparing the snapshot

  1. On the Prepare the snapshot screen, click on Prepare.
  2. Wait for the task to finish. This will take several minutes.
  3. Click on Finish.

And that is it! We now have a VM with a guest environment tuned for a good recording experience. It is time to Record our first scenario.