Speeding up the Windows 7 installation with slipstreaming

At work, one of our hardware supplier was supposed to ship the exact same model we bought last year but they actually delivered a serie of laptops with M2 SATA based SSD disk. What a surprise!

We discovered that our immutable architecture approach was broken by this internal recent hardware component. M2 SATA and NVMe didn’t exist when Windows 7 SP1 was released in 2009.
An engineer provided two links to the following knowledge base articles:

The first link is very interesting because it exposes a way to slipstream (you may remember the Update rollup 1 for Windows XP released in 2003) hotfixes directly into the Windows 7 ISO image.
Now that Windows 7 shifted to the same “servicing” model as Window 10 (see Simplified servicing for Windows 7 and Windows 8.1: the latest improvements), it’s also a huge opportunity to reduce the number of updates required for a vanilla Windows 7 SP1 ISO image.

First, please don’t strictly follow what’s written in KB2990941, you may have some difficulties to get the Windows 8.1 ADK that was relevant and current when they released this article in September 2015. This version of ADK isn’t strictly required. Your brave old Windows 7 WAIK can do all the steps.
I’ll show below the steps using a combination of The Windows® Automated Installation Kit (AIK) for Windows® 7 + The Windows® Automated Installation Kit (AIK) Supplement for Windows® 7 SP1.

There’s a 2nd reason why you should not strictly follow what’s written.
There are two errors in the various dism commands in step 9.
The compression mentioned in the notes can only work for an online image and cannot be used for an offline image which is what we work with in method 1.

Do you have the Windows 7 WAIK installed in its default location?

What do I need?

What’s next? What’s the plan?

  • We inject first the servicing stack from April 2015 that is a requirement for the convenience update
  • We inject the convenience update right after
  • Then we only inject the July 2016 rollup into the install.wim because it contains the latest version of the Window Update Agent (WUA)
  • We inject the two M2 hotfixes
  • Finally we inject the drivers

With the little script I provided, the steps are less cumbersome and error prone.
They look like this:

.\inject.bat 3020369
.\inject.bat 3125574

:: inject only July 2016 rollup (contains latest WUA) into install.wim and not boot.wim and winre.wim
"%_WAIKLOCATION%\Tools\Servicing\Dism.exe" /Mount-WIM /WimFile:c:\temp\src\sources\install.wim /Index:1 /MountDir:c:\temp\mount
"%_WAIKLOCATION%\Tools\Servicing\Dism.exe" /Image:C:\temp\mount /Add-Package /PackagePath:c:\temp\hotfix\Windows6.1-KB3172605-x64.cab
"%_WAIKLOCATION%\Tools\Servicing\Dism.exe" /unmount-Wim /MountDir:"C:\temp\mount" /Commit

.\inject.bat 2990941
.\inject.bat 3087873

:: add the drivers
"%_WAIKLOCATION%\Tools\Servicing\Dism.exe" /Mount-WIM /WimFile:c:\temp\src\sources\boot.wim /Index:1 /MountDir:c:\temp\mount
"%_WAIKLOCATION%\Tools\Servicing\Dism.exe" /Image:C:\temp\mount /Add-Driver /Driver:c:\temp\drivers /Recurse
"%_WAIKLOCATION%\Tools\Servicing\Dism.exe" /unmount-Wim /MountDir:"C:\temp\mount" /Commit
"%_WAIKLOCATION%\Tools\Servicing\Dism.exe" /Mount-WIM /WimFile:c:\temp\src\sources\boot.wim /Index:2 /MountDir:c:\temp\mount
"%_WAIKLOCATION%\Tools\Servicing\Dism.exe" /Image:C:\temp\mount /Add-Driver /Driver:c:\temp\drivers /Recurse
"%_WAIKLOCATION%\Tools\Servicing\Dism.exe" /unmount-Wim /MountDir:"C:\temp\mount" /Commit

"%_WAIKLOCATION%\Tools\Servicing\Dism.exe" /Mount-WIM /WimFile:c:\temp\src\sources\install.wim /Index:1 /MountDir:c:\temp\mount
"%_WAIKLOCATION%\Tools\Servicing\Dism.exe" /Image:C:\temp\mount /Add-Driver /Driver:c:\temp\drivers /Recurse
"%_WAIKLOCATION%\Tools\Servicing\Dism.exe" /Mount-WIM /WimFile:c:\temp\mount\windows\system32\recovery\winre.wim /Index:1 /MountDir:c:\temp\winremount
"%_WAIKLOCATION%\Tools\Servicing\Dism.exe" /Image:c:\temp\winremount /Add-Driver /Driver:c:\temp\drivers /Recurse
"%_WAIKLOCATION%\Tools\Servicing\Dism.exe" /unmount-Wim /MountDir:"c:\temp\winremount" /Commit
"%_WAIKLOCATION%\Tools\Servicing\Dism.exe" /unmount-Wim /MountDir:"C:\temp\mount" /Commit


Congratulations, you’ve successfully slipsteamed updates into a Windows 7 image 😀

What’s else did you get?

Well, you’ve a larger image… that’s a fact and definitely a drawback.

You also have an image that requires less post-installation updates and that can immediately, rapidly and successfully scan for missing updates against Windows Update.
That makes two benefits

In my work environment, the above slipstreamed image allowed me to divide by at least 3 the time it takes to install from scratch a fully up-to-date Windows 7 box 😎

My immutable architecture approach is repaired and performs faster like it did in 2009 when Windows 7 SP1 was RTM.

ETW provider security – fix event id 30

In february 2016, Robin ten Berge posted the following on the PM.org mailing list

The whole thread is archived here

I’ve also encountered this behavior (2 events) after rebooting and having patched 2012 R2 Hyper-V servers.
The event logging service encountered an error (5) while enabling publisher {0bf2fb94-7b60-4b4d-9766-e82f658df540} to channel Microsoft-Windows-Kernel-ShimEngine/Operational. This does not affect channel operation, but does affect the ability of the publisher to raise events to the channel. One common reason for this error is that the Provider is using ETW Provider Security and has not granted enable permissions to the Event Log service identity.

I was also able to reproduce the error by just enabling and disabling the Microsoft-Windows-Kernel-ShimEngine/Operational log when the server is running 🙂

To fix it, my google fu found this http://www.geoffchappell.com/studies/windows/win32/services/scm/events/diagnostic.htm and I just added the LOCAL SERVICE as suggested.

Here are the steps I used to fix it:

  • Launch an elevated perfmon: C:\windows\system32\perfmon.exe
  • Expand ‘Data Collector Sets’
  • Expand ‘Event Trace Sessions’
  • Right-click ‘Eventlog-System’ running session and click ‘Properties’
  • In the ‘Trace providers’ list, scroll down to ‘Microsoft-Windows-Kernel-ShimEngine’ and select it.
  • Click on the ‘Security’ button next to it
  • Click ‘Add’, type ‘LOCAL SERVICE’, click ‘Check Names’ (adjust the location if required)
  • Untick all permissions and just leave TRACELOG_GUID_ENABLE
  • Just click “Apply” button in the ‘Security settings for this ETW trace provider’
  • You don’t need to click “Apply” or “Ok” button in the parent (Eventlog-System properties( window or you’ll get an ‘Access Denied’ (normal, you are not allowed to modify a running trace)