Removing Sensitive information from Windows answer files

Dr. K got the following question from an inKpad! Newsletter subscriber:

Question:
My Windows 7 answer file contains sensitive information. Is this file left behind on a system after a Scripted Installation or imaging process has completed?

Answer:
The short answer is: Yes. The longer answer is as follows.

Let’s take a look at why this file is left behind and what can be done about it when sensitive information is contained within.

Beginning with Vista, Windows has used an XML file to process and apply settings during the online configuration phase of a Windows installation. This phase begins the first time the computer boots after Windows setup completes the WinPE phase of installation (if booting from Windows media). You will know the online configuration phase has started when the screen reads: Please wait a moment while Windows prepares to start for the first time.

Much like the online config phase, deploying a sysprepped system image will result in the specialize pass occurring at first boot after the sysprep process has been completed. Both the online configuration phase and the specialize pass use an XML answer file to configure OS and hardware settings. These answer files can be customized to automate configuration for large-scale deployment.

When installing Windows directly from the media, or from a K2000 Scripted Installation, this answer file is cached to %WINDIR%\Panther\unattend.xml during the WinPE portion of setup. Windows keeps the file in this directory in case there are settings defined in the oobeSystem pass that will be processed on future logins. Windows also removes any passwords that were stored in the answer file and replaces them with the text *SENSITIVE*DATA*DELETED*.

Now this is where it gets tricky: there are a few different ways to tell Windows which answer file to use, and depending on which method you go with, the XML file may end up getting re-cached, refilling the *SENSITIVE*DATA*DELETED* fields with the actual passwords; this time those passwords will not be purged during a later pass. On the imaging side, sysprep does not destroy the answer file that was used, nor does sensitive data get purged from the original answer file.

So if you define your answer file location using either HKLM\System\Setup!UnattendFile or %WINDIR%\Panther\Unattend\unattend.xml, there is a chance that the sensitive data in %WINDIR%\Panther will be re-written and potentially accessed. Or, if you house your sysprep answer file somewhere like %WINDIR%\system32\sysprep, you could end up leaving passwords behind in your gold master image.

Confused yet? Don’t worry; we can boil it down to a best practice:

  • Always delete any cached or embedded answer files before delivering the computer to the End User.

You can script automatic cleanup with the K1000 Scripting module, a Postinstallation task on the K2000, or add this behavior into %WINDIR%\Setup\Scripts\SetupComplete.cmd. As these answer files no longer serve a purpose after deployment they can be safely removed, thus protecting sensitive data without interrupting the flow of your normal deployment operations.
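As an added example (not from the newsletter or from KACE), here is a PowerShell cleanup script that SetupComplete.cmd can call with a line such as `powershell.exe -ExecutionPolicy Bypass -File %WINDIR%\Setup\Scripts\Remove-AnswerFiles.ps1`. The deletion targets are the cached and embedded locations named above; the script name, the log path and the two sysprep file names are assumptions for this example, and the script is written for the PowerShell 2.0 that ships with Windows 7.

```powershell
# Added example: remove cached/embedded answer files after deployment and
# verify nothing with a live <Password> element is left behind.
# Assumed: log path and the two file names under System32\Sysprep.
$Candidates = @(
    "$env:WINDIR\Panther\unattend.xml",               # cached by setup (from the article)
    "$env:WINDIR\Panther\Unattend\unattend.xml",      # alternate lookup location (from the article)
    "$env:WINDIR\System32\Sysprep\unattend.xml",      # assumed name of an embedded sysprep answer file
    "$env:WINDIR\System32\Sysprep\sysprep.xml"        # assumed name
)
$Log = "$env:WINDIR\Temp\AnswerFileCleanup.log"       # assumed log location

function Write-Log([string]$Message) {
    "$(Get-Date -Format s) $Message" | Out-File -FilePath $Log -Append -Encoding ascii
}

foreach ($Path in $Candidates) {
    if (Test-Path -LiteralPath $Path) {
        try {
            Remove-Item -LiteralPath $Path -Force -ErrorAction Stop
            Write-Log "Removed $Path"
        } catch {
            Write-Log "FAILED to remove ${Path}: $($_.Exception.Message)"
        }
    }
}

# Verification: any remaining XML under Panther or Sysprep that still carries a
# <Password> element without the *SENSITIVE*DATA*DELETED* marker is flagged, since
# that is exactly the re-cached case the article describes.
$ScanDirs = @("$env:WINDIR\Panther", "$env:WINDIR\System32\Sysprep")
foreach ($Dir in $ScanDirs) {
    if (-not (Test-Path -LiteralPath $Dir)) { continue }
    Get-ChildItem -LiteralPath $Dir -Filter *.xml -Recurse -ErrorAction SilentlyContinue |
        Where-Object { -not $_.PSIsContainer } |
        ForEach-Object {
            $Content = [System.IO.File]::ReadAllText($_.FullName)
            if ($Content -match '<Password>' -and $Content -notmatch '\*SENSITIVE\*DATA\*DELETED\*') {
                Write-Log "WARNING: $($_.FullName) still contains an unscrubbed <Password> element"
            }
        }
}
Write-Log "Answer file cleanup finished"
```

Any WARNING line in the log means a plaintext credential survived deployment on that machine and the image or answer-file location should be reviewed.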

About the Author