A while back, I reviewed Safety Scanner, Microsoft’s free portable antivirus software. My major complaint was that it was not possible to use Safety Scanner as an offline antivirus tool on Windows PE 3.0. Fortunately, a 4sysops reader mentioned that you only have to increase the scratch space of the Windows PE image to make Safety Scanner run. Note that only the quick scan and full scan features work on Windows PE. Customized scans are not possible because you can’t select folders under Windows PE.
Microsoft Safety Scanner as offline antivirus tool on Windows PE 3.0
The fact that Microsoft Safety Scanner runs on Windows PE makes the free antivirus tool much more useful because it allows you to scan a Windows installation while it is offline. Sophisticated viruses are difficult, and sometimes impossible, to remove while Windows is running. The best way to remove them is to access the infected drive from a second OS while Windows is offline.
Windows PE is a good choice for an offline antivirus scan because the operating system is lightweight and boots up quickly. Many antivirus software vendors offer boot kits with their scan engines, which are usually based on Linux. The advantage of the Windows PE solution is that you can add Microsoft Safety Scanner to your Windows administration toolbox on your USB stick.
Of course, you can also create a boot CD with Windows PE and Microsoft Safety Scanner. I describe both options. I assume that you have already downloaded and installed the WAIK for Windows 7 and the Microsoft Safety Scanner. Note that you need the 32-bit version of Safety Scanner even if you want to scan a 64-bit Windows installation, because in the scenario described here we will run the antivirus tool on Windows PE, which is 32-bit.
Create a boot CD with Windows PE and Microsoft Safety Scanner
After you launch the WAIK command prompt from the Windows Start Menu with administrator privileges, you have to run this command sequence:
- copype.cmd x86 c:\img
- dism /mount-wim /wimfile:c:\img\winpe.wim /index:1 /mountdir:c:\img\mount
- dism /image:c:\img\mount /set-scratchspace:512
- copy msert.exe c:\img\mount\windows\system32
  Note: You have to change to the folder where you downloaded Safety Scanner, or use Windows Explorer to copy msert.exe to the mounted Windows PE image.
- dism /unmount-wim /mountdir:c:\img\mount /commit
- copy c:\img\winpe.wim c:\img\iso\sources\boot.wim
- oscdimg -n -bc:\img\etfsboot.com c:\img\iso c:\img\img.iso
Windows PE 3.0 – Set scratchspace
In Windows 7, you can then just right-click img.iso and burn the ISO image to a CD or DVD. For older Windows versions, you can use ISO Recorder.
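The boot-CD sequence above as one batch file, so that a failed step discards the mounted image instead of committing a half-built one. This is an added example, not part of the original article; the variable names IMG, MOUNT and MSERT are chosen here, and the script assumes it is started from the WAIK command prompt in the folder that contains msert.exe.

```batch
@echo off
rem Added example, not from the original article: the boot-CD sequence with error checks.
rem Run from the WAIK command prompt (as administrator) in the folder that holds msert.exe.
rem IMG, MOUNT and MSERT are variable names chosen for this example.
setlocal
set IMG=c:\img
set MOUNT=%IMG%\mount
rem Remember the full path now; the article notes you may have to change folders later.
set MSERT=%CD%\msert.exe

if not exist "%MSERT%" (
    echo msert.exe not found in the current folder
    exit /b 1
)
rem A leftover folder from an earlier run could contain a stale winpe.wim.
if exist %IMG% (
    echo %IMG% already exists, remove it or choose another folder
    exit /b 1
)

call copype.cmd x86 %IMG%
if not exist %IMG%\winpe.wim (
    echo copype.cmd did not create %IMG%\winpe.wim
    exit /b 1
)

dism /mount-wim /wimfile:%IMG%\winpe.wim /index:1 /mountdir:%MOUNT% || exit /b 1

rem From here on, a failed step discards the mounted image instead of committing it.
dism /image:%MOUNT% /set-scratchspace:512 || goto discard
copy /y "%MSERT%" %MOUNT%\windows\system32\ || goto discard
rem Show the scratch space setting before the image is committed.
dism /image:%MOUNT% /get-scratchspace
dism /unmount-wim /mountdir:%MOUNT% /commit || goto discard

copy /y %IMG%\winpe.wim %IMG%\iso\sources\boot.wim || exit /b 1
oscdimg -n -b%IMG%\etfsboot.com %IMG%\iso %IMG%\img.iso || exit /b 1
echo Created %IMG%\img.iso
exit /b 0

:discard
echo A step failed, discarding changes to the mounted image.
dism /unmount-wim /mountdir:%MOUNT% /discard
exit /b 1
```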
Create a bootable USB stick with WinPE and Microsoft Safety Scanner
- diskpart
- list disk
- select disk #
  Replace ‘#’ with the drive number that the list command displays for your USB drive. Be careful because this procedure will erase the whole drive!
- clean
- create partition primary
- select partition 1
- active
- format quick fs=fat32
- assign
- exit
- copype.cmd x86 c:\img
- dism /mount-wim /wimfile:c:\img\winpe.wim /index:1 /mountdir:c:\img\mount
- dism /image:c:\img\mount /set-scratchspace:512
- copy msert.exe c:\img\mount\windows\system32
  Note: You have to change to the folder where you downloaded Safety Scanner, or use Windows Explorer to copy msert.exe to the mounted Windows PE image.
- dism /unmount-wim /mountdir:c:\img\mount /commit
- copy c:\img\winpe.wim c:\img\iso\sources\boot.wim
- xcopy c:\img\iso\*.* /e g:\
  Note: “g:” is the drive letter of your flash drive.
Also check the offline antivirus tool Kaspersky Rescue Disk.




MS released Microsoft Standalone System Sweeper (http://connect.microsoft.com/systemsweeper) for creating a bootable PE CD to clean offline systems.
Interesting! Thanks! I will try it right away.
Thanks for posting these instructions out. I can use them to add more tools to my WINPE image and then use it as a custom boot image in SCCM.
I’ve used the Standalone System Sweeper a number of times now. I put it on a USB key. If the system in question supports USB boots, that’s a much better option. It’s faster, and you can update the definitions and make them stick, unlike a CD. This has worked very well for me at removing or at least disabling troublesome viruses/malware that is otherwise next to impossible to remove on a live system.
I haven’t tried it yet, but supposedly the System Sweeper is also in the DaRT 7.0 beta:
http://www.howtogeek.com/forum/topic/microsoft-standalone-system-sweeper-tool-beta
Thanks a million Michael! Somehow our Kix32 for running login scripts was infected with an old virus, Win32/Netsha. This one infects all of the exe files on a system and so deleting infected files was not an option.
Luckily MS Safety Scanner can clean the files (the only one that effectively did so) but how to fix the files of those computers that couldn’t boot? (ntoskrnl.exe missing or corrupted – fun stuff).
Thanks to your article I was able to create a USB and CD loaded with the latest Safety Scanner and bring up the dead workstations and terminal servers that were infected.