Lately I have been getting asked the question: where can I get my hands on the latest copy of ERD Commander? To help you guys out, I decided to put something together and post it on my blog.
As you know, Microsoft acquired Winternals back in 2007. ERD Commander is included in Microsoft’s Desktop Optimization Pack. To get the latest version of ERD Commander, you first need to get your hands on Microsoft Desktop Optimization Pack 2009 R2 (MDOP).
How to get MDOP:
MDOP subscribers can download the software at the Microsoft Volume Licensing Site (MVLS).
1. Download the Microsoft Desktop Optimization Pack 2009 R2
2. Install the appropriate DaRT (Diagnostic and Recovery Toolset)
A. Windows 7 and 2008 R2: x64, x86
B. Windows Vista and Windows Server 2008: x64, x86
C. Windows 2000, Windows XP, and Windows Server 2003: x86
The Windows version of DaRT you install determines which version of Windows the ERD Commander Recovery Disk can be used on. Example: If you create a Windows 2008 R2 x64 ERD Commander Recovery Disk, it will boot on a Windows 2003 x86 OS, but you will not find an active partition and not all the MSDart Tools will work. It is important to create an ERD Commander Recovery Disk specific to the operating system you want to triage.
4. Optional: Download the Debug Symbols and extract them to a folder
Listed below are the Step-by-Step instructions without the screenshots. At the bottom of this post you can download my original doc with screenshots.
1. Click on Start, Programs and launch the ERD Commander Boot Media Wizard
2. Browse to where your Windows CD is located.
3. This step is going to extract the files and create a temp location to build your image.
4. Select your tools. I kept the default which is everything.
5. On my ERD Commander Recovery Disk I wanted to add the Debugging Tools and Symbols. You must have the tools already installed on your computer before you start the ERD Commander Boot Media Wizard.
6. System Sweeper Definition gives you the ability to triage an infected system.
7. You need internet connectivity to download the updates.
8. I didn’t need to add any additional drivers to my boot disk.
9. I added the Debug Symbols to my ERD Commander Boot disk just in case I needed them in the future. This will help me if I am ever in a squeeze and I need to launch Crash Analyzer to view a dump without being connected to the internet. All I have to do is point the Crash Analyzer Wizard to the following path: X:\Windows\DebugSymbols and it should be able to read my symbols.
Remember, the ERD Commander Boot disk has to load into memory. So whatever you put on your ERD Commander Boot disk, make sure the computer you want to triage has adequate memory to support the size of your boot disk.
10. I chose the default path to put the .ISO.
11. This step creates your ERD Commander Recovery Disk. Make sure you have adequate space on this drive, otherwise this process will fail.
Trust me I know..
12. Select your burning device.
13. Burn Baby Burn…
14. Your ERD Commander Recovery Disk is done!!
Now go and save the world…