[ipxe-devel] wimboot

Michael Brown mbrown at fensystems.co.uk
Tue Sep 18 18:40:27 UTC 2012

On Tuesday 18 Sep 2012 18:57:46 Floris Bos / Maxnet wrote:
> One question though.
> Is there a way to let wimboot pass extra information to Windows?
> I am searching for a a way to let my installation script embedded in
> boot.wim know the IP of the server that has the Windows setup files.
> Would prefer not to hard code the IP in the script.
> When you network boot with the official pxeboot.n12 it passes the
> DHCP/PXE reply to Windows, which  stores it in a registry key
> (HKLM\System\CurrentControlSet\Control\PXE)
> This information is normally used by WDS (
> http://technet.microsoft.com/en-us/library/cc770495(v=ws.10).aspx )
> Wonder if the same channel could be used to let wimboot insert
> information into the registry, so that my script can retrieve it there.

No immediate solution, but here are some thoughts:

I don't think that particular channel is available.  pxeboot.n12 doesn't 
actually pass through the DHCP packet contents itself: it passes through a flag 
saying "booted from PXE", which causes bootmgr.exe to attempt a TFTP download 
and, much later, causes (AFAICT) winload.exe to issue PXENV_GET_CACHED_INFO to 
retrieve the DHCP packet.

If you want to try some experiments yourself, you could see if there's any way 
to pass relevant information via the BOOTAPP structure (see src/bootapp.h for 
a very rough outline of this structure; for more complete examples use bochs 
with breakpoints at 0x401000 (bootmgr.exe entry) and 0x211000 (winload.exe 
entry), and examine the structure pointed to by [%esp+4]).

The base memory portions of wimboot are almost certainly still resident after 
Windows has loaded.  wimboot could viably be modified to copy its own (bzImage) 
command line to base memory, and fill out some kind of paragraph-aligned 
structure with a signature, checksum, and pointer to the command line.  Code 
running inside WinPE could then scan through base memory to locate the 
structure, and read out the command line.  (This would be similar to what 
happens during an iSCSI boot with the iBFT.)

One hideously ugly but viable hack would be to abuse the 4-byte MBR signature 
field to contain an IPv4 address, since that information definitely can be 
retrieved from within the booted WinPE.  Please don't do this.

An easier solution might be to use some sensible but completely generic DNS 
name or SRV record, or a discovery process that takes place entirely within 


More information about the ipxe-devel mailing list