Laptop, Secure Boot Mode and ReadSpeed

#1

digitalsage

I have one of those lovely Windows 10 laptops with no inner disk drive. I wanted to use ReadSpeed to in turn run SpinRite from a USB load. Went into the boot loader to try and change the boot order to USB first and no joy.

Is my only option to turn off Secure Boot mode? Certainly seems that way.


#2

PHolder

> Is my only option to turn off Secure Boot mode?

In a word, yes.

Secure boot is preventing you from doing a legacy boot. You will NEVER get SpinRite 6.x to boot in UEFI (non legacy boot).

Be wary, turning off secure boot can damage secrets needed for Windows disk security... make sure you've got them backed up, etc.


#3

DanR

> turning off secure boot can damage secrets needed for Windows disk security...

Could you explain more about this? All that my Googling has turned up is that if secure boot is turned off a layer of security will be lost if Windows is booted up without it. Obviously. But, damaged secrets if booting DOS?


#4

PHolder

> Could you explain more about this

Well I don't know all the ins and outs of it, because I think it varies between BIOS/UEFI implementations, but you occasionally see reports like this one I found online:

> If you disable UEFI mode, the PC will no longer boot until you turn it back on. You can disable secure boot and TPM, but if you have Bitlocker enabled, you will need to manually enter your recovery keys every time you boot up. Also Windows Hello won't work.

So I believe there to be UEFI implementations that clear the keys from the TPM if you disable Secure Boot. If that happened, and you were using Bitlocker, you would be forced to hope you had recovery keys available (somewhere other than on the SSD/HDD you can no longer access.)


#5

DanR

> I think it varies between BIOS/UEFI implementations

That makes sense.

> So I believe there to be UEFI implementations that clear the keys from the TPM if you disable Secure Boot. If that happened, and you were using Bitlocker, you would be forced to hope you had recovery keys available (somewhere other than on the SSD/HDD you can no longer access.)

I am no expert here. That said, my perception is that this would only be a potential issue if Windows were re-booted without re-enabling secure boot?

That is, if secure boot were disabled to boot and run SpinRite, there would be no mechanism in the DOS boot environment to affect Bitlocker, etc? And no means for any Windows level malware to do anything?

It would then be the responsibility of the user to re-enable secure boot before booting back into Windows.


#6

SeanBZA

Disabling Secure boot automatically wipes the keys it has stored, part of the security features. Thus you need the recovery keys to enter them back in on boot after enabling it again.


#7

Bplayer

> Disabling Secure boot automatically wipes the keys it has stored, part of the security features. Thus you need the recovery keys to enter them back in on boot after enabling it again.

That does not happen on my HP Spectre laptop or HP AIO desktop, both running Win 11. I believe that the TPM stores my PIN and biometric info and it is not impacted by this. If I forget to turn Secure Boot back on and boot into Windows then Device Security will show that Secure Boot is not enabled, but Windows runs just fine.


#8

miquelfire

I think the keys that are wiped are for BitLocker. If you don't have BitLocker enabled, then I assume the keys stored in Secure Boot are only there to check that nothing is corrupted with the boot files the UEFI needs to boot the OS (what causes the Windows logo (or BIOS logo if things are set up that way) to appear and the spinning dots).


#9

PHolder

The keys affected SHOULD only be those that are required for the actual boot to proceed without human interaction. Thus, normally, only the ones verifying the loading of binaries for secure boot and those allowing Bitlocker to decrypt the volume (where the Windows binaries exist.) There is also no guarantee that all BIOS/UEFI do the blanking to begin with... I'm sure MS/Intel have specs that are SUPPOSED to be followed, but are not always.

Nevertheless: Please, for your own safety, back up your Bitlocker keys if you use it.


#10

Barry Wallis

> back up your Bitlocker keys if you use it.
Or even if you don't. :)


#11

PHolder

> Or even if you don't

Um... I know you're into Magic Barry, but well.. how does one back up keys they don't have if they don't use the tool (BitLocker) that produces the keys you're encouraging them to back up? Please share this incantation so I can back up my non-existent keys now in case I eventually generate them later :D


#12

Barry Wallis

> Um... I know you're into Magic Barry, but well.. how does one back up keys they don't have if they don't use the tool (BitLocker) that produces the keys you're encouraging them to back up? Please share this incantation so I can back up my non-existent keys now in case I eventually generate them later :D

It was my misreading your post. I thought by "if you don't" you meant to back up the keys if you turn off Secure Boot. On rereading it, I realize now you were referring to using Bitlocker itself.


#13

PHolder

Came across this article and posted to Steve's newsgroup, but it might also be helpful here.
> BitLocker volumes may be protected with one or several protectors of various types that can be used together (for tougher security) or in parallel (for easier recovery). Multiple combinations of such protectors are available. By default, Windows requires the minimum of two protectors when the user creates an encrypted volume. The volumes are commonly using TPM (the first protector), while the backup Recovery Key (a 48-character numeric password) is created and stored in the AD, the user’s Microsoft Account, or on the hard disk or removable USB drive.
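
An added example (not part of any post in this thread): a PowerShell pre-flight check to run from an elevated prompt in Windows before turning off Secure Boot. It lists each BitLocker volume's protectors and can copy the recovery password to removable media. `$BackupDir` is a hypothetical parameter name chosen for this example; the cmdlets are the standard Windows ones.

```powershell
# Added example: check Secure Boot, TPM and BitLocker protectors before a legacy boot.
param(
    # Hypothetical parameter: folder on removable media for the recovery key copy.
    [string]$BackupDir
)

# Confirm-SecureBootUEFI throws on legacy-BIOS systems, so treat an error as "not applicable".
try   { $secureBoot = Confirm-SecureBootUEFI -ErrorAction Stop }
catch { $secureBoot = $null }
"Secure Boot enabled : $(if ($null -eq $secureBoot) { 'n/a (not UEFI or not supported)' } else { $secureBoot })"

$tpm = Get-Tpm
"TPM present / ready : $($tpm.TpmPresent) / $($tpm.TpmReady)"

# Only volumes that hold encrypted data matter here.
$volumes = Get-BitLockerVolume | Where-Object { $_.VolumeStatus -ne 'FullyDecrypted' }
if (-not $volumes) { 'No BitLocker-encrypted volumes found; nothing to back up.'; return }

foreach ($vol in $volumes) {
    $types    = $vol.KeyProtector.KeyProtectorType
    $recovery = $vol.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' }
    "{0} protection={1} protectors={2}" -f $vol.MountPoint, $vol.ProtectionStatus, ($types -join ',')

    if (-not $recovery) {
        Write-Warning "$($vol.MountPoint) has no RecoveryPassword protector; losing the TPM key would lock the volume."
        continue
    }
    if (-not $BackupDir) { continue }

    # Refuse to store the key on a volume that is itself encrypted.
    $targetRoot = [System.IO.Path]::GetPathRoot((Resolve-Path $BackupDir).Path).TrimEnd('\')
    if ($volumes.MountPoint -contains $targetRoot) {
        Write-Warning "$BackupDir is on an encrypted volume ($targetRoot); choose removable media."
        continue
    }
    $file = Join-Path $BackupDir ("BitLocker-{0}.txt" -f $vol.MountPoint.TrimEnd(':'))
    $recovery | ForEach-Object { "ID: $($_.KeyProtectorId)  Password: $($_.RecoveryPassword)" } |
        Set-Content -Path $file
    "Recovery password for $($vol.MountPoint) written to $file"
}
```

Run without arguments it only reports; pass a folder on a USB stick as `-BackupDir` to write the recovery passwords there.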


#14

CredulousDane

I know it's an old post but I'm interested - how did it go?

I don't have or use Bitlocker and my system is with Secure Boot and UEFI.