Windows
This section will cover downloading an existing, freely available Windows Virtual Machine, uploading it to REVEN and configuring it to make it a good recording environment.
Downloading the VM
Microsoft provides Windows 10 Virtual Machines that can be downloaded from the Internet. For this guide, we will use the MSEdge VM from the Tool VMs page.
- Navigate to the Tool VMs page.
- Please review the license terms.
- Select the `MSEdge on Win10 (x64) 1809` VM, then the `HyperV` platform.
- Click on Download.
- Unzip the `MSEdge.Win10.HyperV.zip` file you just downloaded on your machine.
Provisioning the VM disk
We will now upload the MSEdge's disk to the REVEN server, a step known as provisioning:
- Open up your REVEN installation's Project Manager (by default, point a web browser to `http://<your_reven_host>:8880`).
- Select the `VM Manager` tab.
- Click on `Register QEMU VM`.
- The VM Import Wizard welcome screen shows up: click on `Start`.
- In the `Select VM` screen, locate the `Provision a new VM` section and click on `Upload a new VM file from disk`.
- Click on `Browse`.
- On your disk, select the `Virtual Hard Disks/MSEdge - Win10.vhdx` file extracted from the archive earlier.
- Click on `Upload`.
- When the upload is over, click on `Next`. You are back at the `Select VM` screen.
Registering the VM
Now that the VM disk is available to the REVEN server, it is time to register it as a new VM.
Starting the registration
- After the end of the provisioning step, you were taken back to the `Select VM` screen.
- Locate the `Register a new VM` section.
- Ensure the disk file we uploaded is selected in the combo box. If not, select it.
- Click on `Register`.
- This disk requires conversion to the `qcow2` format REVEN uses:
  - Check `Remove original file`.
  - Click on `Convert`.
  - When the operation is over, click on `Next`.
- In the `Specify guest` page, select the following options for this VM:
  - OS: `Windows`.
  - Architecture: `x64`.
  - Leave the other options unchanged.
  - Click on `Next`.
- On the `Create disk snapshot` screen, click `Next`.
Booting the VM for the first time
We are now ready to boot this disk for the first time.
- Boot the VM:
  - Check `Enable network`.
  - Click on `Start`.
  - Click on `Show in browser`: the VM screen appears in a new tab or window.
- Log in: use the password `Passw0rd!` (as specified on the Microsoft VM page).
- Wait for the desktop to appear.
Configuring the guest
Now that the VM is booted, it is time to configure the guest environment:
- In the Project Manager, click on `Insert Windows 10 lightener CDROM`.
- Go back to the VM screen.
- Disable the KPTI protections:
  - Point a file explorer to the CD-ROM drive.
  - Right-click on the file `disable-kpti.bat` and select `Run as administrator`.
  - Wait for the VM to reboot and log in again.
- Disable the CompactOS option:
  - Right-click on the Start menu.
  - Click on `Windows PowerShell (Admin)`.
  - Type in `Compact.exe /CompactOs:Never`.
  - Wait for the operation to finish.
- Finally, make the VM lighter:
  - Disable Windows Defender:
    - Right-click on the Start menu, select `Run`.
    - Type in `gpedit.msc` and press Enter.
    - Navigate to `Local Computer Policy\Computer Configuration\Administrative Templates\Windows Components\Windows Defender Antivirus\`.
    - Double-click on `Turn off Windows Defender Antivirus` and set the `Enabled` radio button.
    - Close the Group Policy editor window.
  - Run the provided script:
    - In an Admin PowerShell window, type in `Set-ExecutionPolicy Unrestricted`.
    - Confirm with `Y`.
    - Then type `D:\windows10_lightener.ps1`.
    - A dialog pops up, click on `OK`.
    - When asked to reboot, click on `OK`.
    - Log in again.
  - Re-enable network-related services:
    - Right-click on the Start menu, select `Run`.
    - Type in `services.msc` and press Enter.
    - Enable the service `Windows Event Log` by double-clicking it, selecting the `Automatic` startup type and clicking `OK`.
  - Force the .NET 4 precompilation step:
    - In an admin shell, type in: `C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe update /force`.
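Once the steps above are done and the VM has rebooted, it is easy to lose track of which settings actually took effect. The following read-only check script is an added example, not part of the REVEN documentation or of the lightener CD-ROM; it only reads state and changes nothing. Run it in an Admin PowerShell window inside the guest. The assumptions it makes are marked in the comments: the exact wording of `Compact.exe /CompactOs:Query` output, the registry value (`DisableAntiSpyware`) behind the "Turn off Windows Defender Antivirus" policy, and, for KPTI, that `disable-kpti.bat` (whose contents the page does not show) uses the Microsoft-documented `FeatureSettingsOverride` values, which are therefore only reported rather than judged.

```powershell
# Added example, not part of the REVEN documentation: a read-only check of the
# guest settings configured in this section. Run it in an Admin PowerShell
# window inside the VM after the last reboot. It changes nothing.

$results = New-Object System.Collections.Generic.List[object]

function Add-Result([string]$Setting, [bool]$Ok, [string]$Detail) {
    $results.Add([pscustomobject]@{ Setting = $Setting; OK = $Ok; Detail = $Detail })
}

# CompactOS: Compact.exe can query the state set with /CompactOs:Never.
# Assumption: the query output contains "not in the Compact state" when disabled.
$compact = (& "$env:SystemRoot\System32\compact.exe" /CompactOs:Query 2>&1) -join ' '
Add-Result 'CompactOS disabled' ($compact -match 'not in the Compact state') $compact

# Windows Defender: the "Turn off Windows Defender Antivirus" policy is stored
# as DisableAntiSpyware=1 under the Windows Defender policy key (assumption).
$defKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender'
$def = Get-ItemProperty -Path $defKey -Name DisableAntiSpyware -ErrorAction SilentlyContinue
$defValue = if ($def) { $def.DisableAntiSpyware } else { '<absent>' }
Add-Result 'Defender policy set' ($def -and $def.DisableAntiSpyware -eq 1) "DisableAntiSpyware=$defValue"

# Windows Event Log service: must be back to Automatic after the lightener script.
$evt = Get-Service -Name EventLog
Add-Result 'Event Log automatic' ($evt.StartType -eq 'Automatic') "StartType=$($evt.StartType), Status=$($evt.Status)"

# Execution policy set before running windows10_lightener.ps1 (LocalMachine scope,
# which is what Set-ExecutionPolicy without -Scope changes).
$pol = Get-ExecutionPolicy -Scope LocalMachine
Add-Result 'Execution policy' ($pol -eq 'Unrestricted') "LocalMachine=$pol"

# KPTI: disable-kpti.bat is not shown on the page. Assumption: it uses the
# Microsoft-documented FeatureSettingsOverride values under Memory Management,
# so we only report them; the expected value depends on the batch file.
$mmKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management'
$mm = Get-ItemProperty -Path $mmKey -ErrorAction SilentlyContinue
$override = if ($mm -and $mm.PSObject.Properties['FeatureSettingsOverride']) { $mm.FeatureSettingsOverride } else { '<absent>' }
$mask = if ($mm -and $mm.PSObject.Properties['FeatureSettingsOverrideMask']) { $mm.FeatureSettingsOverrideMask } else { '<absent>' }
Add-Result 'KPTI override present' ($override -ne '<absent>') "FeatureSettingsOverride=$override Mask=$mask"

# Print one row per setting; exit code 1 if anything is not as expected, so the
# script can also be used from a scheduled task or a remote shell.
$results | Format-Table -AutoSize
if ($results | Where-Object { -not $_.OK }) { exit 1 }
```

If the CompactOS row shows OK as False but the detail text says the system is not compacted, the assumed wording of the query output does not match your build: trust the text, not the boolean. The KPTI row is informational only, since the page does not say what the batch file writes.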
Installing tools
At this point, we have done everything that is strictly necessary for REVEN. However, it is a good idea to install Visual Studio's runtimes and other tools to make using this VM easier.
- From your VM, open up the Edge browser.
- If the network does not work:
  - Go back to the Project Manager.
  - Click on `ACPI shutdown`.
  - Check `Enable network`.
  - Click on `Start`.
  - Wait for the VM to boot and log back in: the network should now work.
- Install the following tools (you can type the pages' URLs or search for their titles in your favorite search engine):
  - The `vc_redist.x64.exe` files from "The latest supported Visual C++ downloads", at least the 2019 and 2013 versions.
  - Autologon64, to avoid typing the login password at every boot:
    - Unzip the downloaded file.
    - Run `Autologon64.exe`.
    - Agree to the terms.
    - Enter the login password `Passw0rd!` and click `Enable`.
    - Check that autologon works by restarting Windows.
At this point, you can optionally install any other software you might want: a web browser, etc.
Finishing configuration
Now that your VM is configured, turn it off:
- Go back to the Project Manager.
- Click on `ACPI shutdown`.
- Click on `Next`.
- You can skip `Finalize VM preparation`, so click on `Next` again.
Taking the first Live Snapshot
Now that the VM is off, it is time to boot it into Emulation mode (which is the mode we can record in) and take a handy live snapshot for future recording sessions:
- Click on `Start`.
- Click on `Show in browser`.
- The VM will now automatically boot and log in. Wait a few minutes for the desktop to appear: this is slower than earlier, because of the emulation mode.
- Windows shows the desktop as soon as possible but keeps starting processes in the background. At this point, we want to wait until the boot process is effectively finished:
  - Right-click on the Start menu and click on `Task Manager`.
  - Wait for the CPU activity to drop to about 10-20% (usually the Task Manager itself will consume about 10-15%).
  - Close the Task Manager.
- We will often use a command line during recording sessions, so we might as well start one now:
  - Right-click on the Start menu and click on `Run`.
  - Type in `cmd` and press Enter.
  - Wait for the shell to appear.
- The VM is ready, it is time to take our live snapshot:
  - Go back to the Project Manager.
  - Locate the `Take a live snapshot` field.
  - Type in a name, `booted-cmd` for instance.
  - Click on `Save`.
- Now that a live snapshot exists, we can safely force shutdown the VM, because we will always be restoring a known good state: click on `Force shutdown`.
- Click on `Next`.
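Watching Task Manager until the CPU settles works, but it is subjective, and in emulation mode every second of background activity that ends up inside the snapshot is activity that will pollute later recordings. The script below is an added example, not part of the REVEN documentation: it polls the `\Processor(_Total)\% Processor Time` performance counter from a PowerShell window inside the guest and reports when the CPU has stayed under the page's 20% target for a run of consecutive samples. The threshold, the number of quiet samples, the interval and the timeout are assumptions exposed as parameters.

```powershell
# Added example, not part of the REVEN documentation: wait for the background
# boot activity to settle instead of judging it by eye in Task Manager. Run it
# from a PowerShell window inside the VM before taking the live snapshot.
# Threshold, sample count, interval and timeout are assumed defaults.
param(
    [int]$MaxCpuPercent = 20,   # the page's "about 10-20%" target
    [int]$QuietSamples  = 6,    # consecutive samples that must stay under the threshold
    [int]$IntervalSec   = 5,    # seconds between samples
    [int]$TimeoutMin    = 15    # give up after this long (emulation mode is slow)
)

$counter  = '\Processor(_Total)\% Processor Time'
$deadline = (Get-Date).AddMinutes($TimeoutMin)
$quiet    = 0

while ((Get-Date) -lt $deadline) {
    # Get-Counter returns the total CPU use of the guest as a percentage.
    $cpu = [math]::Round((Get-Counter -Counter $counter).CounterSamples[0].CookedValue, 1)

    # A single busy sample resets the run, so a burst of late service starts
    # cannot slip through between two idle readings.
    if ($cpu -le $MaxCpuPercent) { $quiet++ } else { $quiet = 0 }
    Write-Host ("{0:HH:mm:ss}  CPU {1,5}%  quiet {2}/{3}" -f (Get-Date), $cpu, $quiet, $QuietSamples)

    if ($quiet -ge $QuietSamples) {
        Write-Host 'Boot activity has settled; take the live snapshot now.'
        exit 0
    }
    Start-Sleep -Seconds $IntervalSec
}

Write-Warning "CPU did not settle under $MaxCpuPercent% within $TimeoutMin minutes."
exit 1
```

The PowerShell window running this script is itself part of the guest state captured by the snapshot, so close it (or use the `cmd` window the page opens instead) before clicking `Save` if you want the snapshot to contain only the command prompt.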
Preparing the snapshot
- On the `Prepare the snapshot` screen, click on `Prepare`.
- Wait for the task to finish. This will take several minutes.
- Click on `Finish`.
And that is it! We now have a VM with a guest environment tuned for a good recording experience. It is time to Record our first scenario.