
iVentoy installs Windows bypassing security features

Open ppatpat opened this issue 7 months ago • 6 comments

iVentoy https://github.com/ventoy/PXE/releases

iventoy-1.0.21-linux-free.tar.gz, iventoy-1.0.21-win32-free.zip, iventoy-1.0.21-win64-free.zip

All these distribution files contain "\data\iventoy.dat", which is decrypted in RAM by the iventoy app into "\data\iventoy.dat.xz", as previously explained here: https://github.com/ventoy/PXE/issues/106

Analyzing "iventoy.dat.xz\iventoy.dat.\win\vtoypxe64.exe" we see it plays with the Windows PE registry right before launching the install process in order to bypass several Windows Security features:

  1. LabConfig
  2. BypassTMPCheck
  3. BypassSecurityCheck
  4. BypassNRO

Please read about the potential side-effects of installing Windows with these bypasses enabled.

Not offering the admin both the advance disclosure of these Windows PE registry manipulations before Windows install and the option to select which bypasses should be enabled affects the usefulness of the tool.

Considering:

  1. Executable files are not signed.
  2. Main app seems to require Admin rights.
  3. The code base heavily relies on dubious hacks and shady security breaches and bypasses.
  4. Opaque procedures, not knowing all that is going on in the iVentoy executable/s.

Use with extreme caution in a home environment.

ppatpat avatar May 07 '25 17:05 ppatpat

Might misunderstand your point, but what's the issue here? The things you highlighted are the following things needed for Windows 11 to be installed on unsupported hardware. Here is a rundown of everything:

  • LabConfig - The registry key in which these flags need to be set
  • BypassTPMCheck - Bypasses Windows 11's check for TPM 2.0
  • BypassSecureBootCheck - Bypasses Windows 11's check for the Secure Boot status in the UEFI
  • BypassNRO - Bypasses the Microsoft Account requirement in the Out-of-Box Experience, letting you create a local user account.

JerrySM64 avatar May 07 '25 18:05 JerrySM64

@JerrySM64 All these bypasses are enabled by iVentoy even if your target hardware meets all Windows 11 system requirements. Then the point of this finding is a Windows 11 installed on compatible hardware with iVentoy without the admin knowing about the bypasses. i.e. by disabling the TPM 2.0 requirement, you are effectively reducing the security of the installed Windows 11.

Please consider that the Windows install process (Setup.exe) "mirrors" into the target OS several properties from the Windows PE environment that launches the install process, i.e. extra drivers added and other parameters. So as an admin I think it's always a good idea to know what's done at the Windows PE stage before Setup.exe is run.

ppatpat avatar May 07 '25 20:05 ppatpat

Well, the thing is that it doesn't matter. Like, at all. All it does is turn off the enforcement of those things. If your PC has Secure Boot and TPM 2.0 enabled, it'll use it. If not, it won't complain about it. The admin (you) most likely knows if those things are turned on or not. iVentoy is a thing for people who have some knowledge about the things they're doing. It's not something so easy that my grandma could use it.

JerrySM64 avatar May 08 '25 00:05 JerrySM64

Yes, iVentoy will create these registry entries so that old hardware can install Windows 11. I agree with @JerrySM64 that this will not reduce the security of the final installed Windows 11 system. If your hardware has a TPM then it will still be enabled and activated.

I add these notes in the README.




-------------------------------------------------------------- Background -----------------------------------------------------------

iVentoy and Ventoy are two completely different pieces of software.

| Name | Official Website | Open Source | Edition | Use Case |
|---|---|---|---|---|
| Ventoy | https://www.ventoy.net | 100% open source | Only open source edition | Install OS through USB/HDisk |
| iVentoy | https://www.iventoy.com | part open source, part closed source | Free-Edition, Pro-Edition | Install OS through network(PXE) |

This repo only contains the open source part of iVentoy. So you should decide to use it or not.

ventoy avatar May 08 '25 01:05 ventoy

@JerrySM64 I disagree with your assessment.

@ventoy, your software does things that just cannot be done in serious software. As an admin I would be terrified running iVentoy in any serious environment.

ppatpat avatar May 08 '25 15:05 ppatpat

When installing Windows, iVentoy will load a driver and will create these registry entries in the WinPE environment; that is how iVentoy works.

Anyway, iVentoy is closed-source software, so you decide to use it or not.

ventoy avatar May 08 '25 15:05 ventoy
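
For the LabConfig and BypassNRO values discussed in this thread, an audit check an admin could run from an elevated PowerShell prompt to see which of them are present in the registry of the environment it runs in, next to the TPM and Secure Boot state the platform actually reports. This is an added example, not code from iVentoy or from any commenter; the registry paths are the commonly documented locations for these values (the thread gives only the key and value names), and `Get-BypassValue` is a hypothetical helper name.

```powershell
# Added example (not iVentoy code). Run elevated.
# Assumption: the paths below are the commonly documented locations;
# the thread names only "LabConfig" and the value names.
$checks = @(
    @{ Path = 'HKLM:\SYSTEM\Setup\LabConfig'; Name = 'BypassTPMCheck' },
    @{ Path = 'HKLM:\SYSTEM\Setup\LabConfig'; Name = 'BypassSecureBootCheck' },
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\OOBE'; Name = 'BypassNRO' }
)

function Get-BypassValue {   # hypothetical helper
    param([string]$Path, [string]$Name)
    # Returns $null when the key or the value does not exist.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

# One row per value: what is stored, and whether it is set to a non-zero value.
$report = foreach ($c in $checks) {
    $value = Get-BypassValue -Path $c.Path -Name $c.Name
    [pscustomobject]@{
        Key     = $c.Path
        Value   = $c.Name
        Data    = if ($null -eq $value) { '<not set>' } else { $value }
        Flagged = ($null -ne $value -and $value -ne 0)
    }
}
$report | Format-Table -AutoSize

# What the hardware reports, independent of whether Setup enforced the checks.
try {
    $tpm = Get-Tpm -ErrorAction Stop
    "TPM present: $($tpm.TpmPresent)  ready: $($tpm.TpmReady)"
} catch {
    "TPM state unavailable: $($_.Exception.Message)"
}
try {
    "Secure Boot enabled: $(Confirm-SecureBootUEFI -ErrorAction Stop)"
} catch {
    # Thrown on legacy BIOS systems or when not elevated.
    "Secure Boot state unavailable: $($_.Exception.Message)"
}

if ($report.Flagged -contains $true) {
    Write-Warning 'One or more Setup requirement bypass values are set.'
}
```

A flagged row only shows that the value exists where the script ran; the TPM and Secure Boot lines are what tell you whether the machine is actually using those features.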