Install Windows using UEFI from a USB flash drive

*Update*

Windows 10 now has a new USB install tool which is supposed to work with UEFI. It is the Windows 10 Media Creation Tool.

It can also be accessed from Microsoft’s Windows 10 page.


Original post below:

If you’ve tried installing Windows in the recent past (since Windows 7), you’ve likely gone the install-from-USB-flash-drive route. It is faster and more convenient than DVD, and sometimes necessary, as many smaller laptops and hybrid tablets don’t have optical drives. Likely you’ve used the very simple (if now somewhat anachronistically named) Windows 7 USB/DVD Download tool (found HERE). This tool – which works for Windows 8, Windows 10, as well as Server 2008 or Server 2012 and later – creates a bootable USB flash drive and copies the install files from the Windows boot ISO.

All is good if you’re using a legacy BIOS or hybrid BIOS/UEFI. The challenge comes when the machine is UEFI-only: the USB flash drive created by this tool likely will not be recognized as a bootable device by the UEFI boot process. Yay for new and improved technology.

I recommend using the Rufus program with the excellent steps provided by Windows Eight Forums here.

Warning: The first time I did this I followed the instructions and set the file type to FAT32, which is basically required for UEFI to load the drivers needed to boot and install Windows. However, upon selecting the ISO I wanted to use, it changed the file type back to NTFS. I didn’t notice this. I made the drive, went to boot, and nothing. Still didn’t recognize the USB flash drive as a bootable device. When I put the USB stick back into my laptop, I noticed it was NTFS formatted. Odd – I know I selected FAT32 as per the instructions. When going through the creation process again, I saw it make the change.

So after you select the ISO for the USB install drive, make sure you re-select FAT32 as the format option.

DD-WRT and iptables – blocking outgoing access to specific IPs

Recently my Malwarebytes informed me one of my programs was trying to reach out to a questionable IP. First, I’m glad I have Malwarebytes installed; it’s free, but I purchased a three-pack lifetime subscription which gets you automatic updates rather than you having to manually update. I didn’t mind manually updating, but it’s situations like this which made me decide to donate to the cause.

Anyhow, while working on cleaning up the malware, I wanted to ensure I wasn’t sending anything to the IP (which happened to originate in China. Big surprise there.)

I have a DD-WRT enabled wireless router, which permits iptables rules. In my case you can temporarily enter the rule in the command prompt under the “Administration” tab in DD-WRT to test it out. The rule goes into effect immediately, but only lasts until the next reboot. So if you want it to be permanent, after you test it out you can write it to the firewall in the same tab.

So here are some key rules you can enter to block outgoing traffic.

1) Block outgoing access to an IP without logging (replace the example IP below with an IP of choice):
iptables -I FORWARD -d 219.151.246.14 -j DROP

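2) Block outgoing access to an IP *with* logging (replace the example IP below with an IP of choice). This rule belongs in the FORWARD chain as well, because OUTPUT only matches traffic generated by the router itself, not traffic from LAN clients passing through it:
iptables -I FORWARD -d 219.151.246.14 -j logdrop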

3) List all iptables rules in the FORWARD chain, with rule numbers (you can replace FORWARD with any chain you want listed):
*this is in case you made a mistake, or want to remove a rule you no longer need*
iptables -vnL FORWARD --line-numbers

4) Delete an iptables rule from the FORWARD chain by number (replace X with the rule number shown by #3 above):
iptables -D FORWARD X
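
Rules entered by hand are lost at reboot, and repeating an `-I` insert stacks duplicate rules. The script below is an added example, not part of the original post: it validates each address and replaces, rather than duplicates, its FORWARD rule. `IPT`, `BLOCKLIST` and the function names are assumptions, the sample addresses are constructed from documentation ranges, and it only prints the commands unless `IPT=iptables` is set.

```shell
#!/bin/sh
# Added example: idempotent block list for a router firewall script.
# IPT, BLOCKLIST and the function names are assumptions of this example.
IPT="${IPT:-echo iptables}"   # dry run by default; set IPT=iptables on the router
BLOCKLIST="${BLOCKLIST:-203.0.113.7 198.51.100.23}"   # constructed sample IPs

# Succeed only for a strict dotted-quad IPv4 address. Leading zeros are
# rejected because some parsers read "010" as octal.
is_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1                 # split on dots into $1..$n
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case "$octet" in 0?*|????*) return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Drop forwarded (LAN to WAN) traffic to one destination. Deleting an
# existing copy first stops a repeated run from stacking duplicate rules.
block_ip() {
    if ! is_ipv4 "$1"; then
        echo "skipping invalid address: $1" >&2
        return 1
    fi
    $IPT -D FORWARD -d "$1" -j DROP 2>/dev/null || true
    $IPT -I FORWARD -d "$1" -j DROP
}

# Apply every entry; return non-zero if any entry was rejected or failed.
apply_blocklist() {
    failed=0
    for ip in $BLOCKLIST; do
        block_ip "$ip" || failed=1
    done
    return "$failed"
}

apply_blocklist
```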