Windows Preinstallation Environment (WinPE) is a lightweight version of Windows that can be used for many tasks. It was originally designed as a 32-bit replacement for DOS - for windows deployment, backup and recovery. WinPE is a complete, standalone operating system and will work independently of any other operating systems already installed. See here for more information.
When a computer is running (booted from) a full version of Windows certain files are 'locked' - making it difficult to take a system backup or to remove a virus/malware. Consequently some tasks are best performed when the operating system is offline - this can be achieved by booting to another operating system such as WinPE to access the offline system.
There are two distinct methods for booting WinPE - RAM Boot and Flat Boot. RAM Boot is the most common method and anyone who has installed Windows Vista/7/8/8.1 will already (perhaps unknowingly) have used it. Microsoft recommend a minimum of 512 MB RAM in order to run a RAM booted version of WinPE - in my own tests it was possible to boot some versions of WinPE with 256 MB RAM. For more details about RAM and Flat boot WinPE and RAM requirements, please see here.
When WinPE is RAM Booted or Flat Booted from read only media it will not save any changes made to it when the system is rebooted. A benefit of this is always having a clean (virus free) WinPE operating system on boot.
WinPE is easy to customise. The builds prior to customisation are very limited and the UI (User Interface) is command line. It is possible to adapt these builds to use a GUI shell and other programs and utilities can be added so that various tasks can be carried out, including but not limited to -
There are a number of different versions of official Microsoft WinPE. I believe that the earlier versions used the same codebase as Windows XP/2003 - these are usually referred to as WinPE 1.*.
Earlier versions of WinPE (prior to the introduction of version 2.0) were aimed at enterprise customers and were not available to the general public. As of version 2.0 it was possible for non-enterprise customers to create their own WinPE by using the freely available Windows Automated Installation Kit (WAIK). The WAIK has now been replaced with the Windows Assessment and Deployment Kit (ADK).
Windows Operating Systems use a numbering format for identification purposes - these numbers can be used to identify the codebase from which a particular WinPE was created. Windows builds use the numbering format ‘MajorVersion.MinorVersion.Build’ - e.g. 6.1.7600. Unlike the product names associated with Windows Operating Systems (e.g. Windows 7) these numbers can refer to multiple products - version 6.1.7600 for example refers to both Windows 7 and Windows Server 2008.
WinPE versions include -
There are 32 bit and 64 bit versions of all of the above WinPE systems. To install a Windows 32 bit operating system you will need to use a 32 bit WinPE, and to install a Windows 64 bit operating system you will need to use a Windows 64 bit WinPE - I am referring here to running setup.exe included with the operating system media.
More recent versions of WinPE are likely to better support more recent hardware without the need for injecting drivers. WinPE 3.x builds are very stable and I would personal recommend using these builds unless a Windows Forensic Environment is required - or hardware is not supported.
Document date - 20th January 2018