How to protect Microsoft's Diagnostics and Recovery Toolset (DaRT) from unauthorized access

DaRT is a robust toolkit that provides advanced troubleshooting utilities--but not all users should be granted access to all that power. See how to make sure only authorized users obtain access.



Unauthorized access is the biggest problem IT faces. Whether it's a design flaw, a bug, or something far more nefarious, unauthorized access can all but destroy corporations. In fact, under certain circumstances, it has succeeded in doing so.

The same tools that admins use to manage a network are freely available to those seeking to wreak havoc or to obtain financial gain--or maybe just to stir things up "4 the LULZ." This does not make the tools evil--just harmful should they fall into the wrong hands. And that includes Microsoft's Diagnostics and Recovery Toolset (DaRT).

Developed to aid IT in all matters of Windows management and recovery, DaRT's utilities were created with the express purpose of bypassing just about any roadblock that prevents a user from accessing his/her data, as well as to help analyze system information and offline provisioning of a system.

The following steps will show you how to password protect DaRT for additional security. We'll also look into scenarios where password protection may not be efficient or even advisable and explain how to manage those instances as securely as possible.

Before moving forward, let's review the requirements:

  • PC with Windows 7 (or later) installed
  • Microsoft Windows 7 (or later) installation media
  • Microsoft Diagnostics and Recovery Toolset 7 (or later)
  • USB Flash drive (Optional)

Creating a DaRT image

Start by launching the Recovery Image application. When the wizard opens, click the Browse... button to locate the path where the installation media is stored and then click Next (Figure A).

Figure A


In the Tools window, select the check boxes beside the apps you wish to include along with your image. Click Next to continue (Figure B).

Figure B


Under Advanced Options, you can add more drivers to the Drivers tab. On the WinPE tab, you can select Cmdlets to be included. The Crash Analyzer tab lets you add advanced debugging tools. When you're ready, click Next to proceed (Figure C).

Figure C


Before creating the DaRT image, you must select an output folder and an image name to store the working files in a directory. Check the boxes next to Create WIM, Create ISO, and/or Create PowerShell Script to include those files in the directory.

Under the Advanced Editing section, you'll see the Edit Image option. Checking this box will let you add, remove, or modify the files included in the image prior to completing the task.

After you select the desired options, click Prepare to create the DaRT image (Figure D).

Figure D


Depending on the options you included, the process may be longer or shorter. However, once complete, the DaRT image will be ready to use (Figure E).

Figure E


Password protect the DaRT image

Now you have the option to edit the DaRT image. Click on the Open In Windows Explorer... button to navigate the directory structure (Figure F).

Figure F


Drill down through the directory \Sources\Recovery\Tools. The file WinREConfig.xml must be opened in a file editor and have the following lines added to enable password protection and limit access to the recovery tools to authenticated admins only.


Click the Create button to update the DaRT image with the changes made (Figure G).

Figure G


The DaRT image may now be deployed. When admins authenticate using a local Administrator account on the desktop, the recovery tools window will be presented with all the options available (Figure H).

Figure H


When non-admins access the recovery tools without authenticating, the window will be presented with access to all apps except those that modify the system settings, hardware, or user account passwords (Figure I).

Figure I


Create a bootable DaRT image

In the Create Bootable Media window (Figure J), you have the option to copy the ISO to CD/DVD or USB flash drive. Provide the path to the ISO created by the DaRT Recovery Image wizard, select the media type, and click the Create Bootable Media button to begin the creation process (Figure K).

Figure J


Figure K


Booting to the USB drive from a desktop will allow users to launch the recovery tools without the need for a password. Since this is a limitation imposed by Microsoft, keeping the USB drives stored in a physically secure location will allow access to all necessary apps but will limit access to the drives themselves (Figure L).

Figure L


Restrict recovery tools included in image

To limit access to specific apps in the toolset, rerun the DaRT Recovery Image wizard and from the second step above in the Create A DaRT Image window, check only the boxes of the apps you wish to give access to. All unchecked boxes will be displayed but access will be completely restricted (Figure M).

Figure M


Proceed with the remainder of the DaRT image creation process and once complete, boot the DaRT image to see which applications are available while the others remain inaccessible (Figure N).

Figure N


Though the sections above may be performed individually as per your needs and the needs of the organization, they may also be blended to find the right fit. Disabling access to unused apps while password protecting administrative apps and deploying them only via PXE or USB flash drive may be the best of both worlds to strike a balance between accessibility and security.

More Windows how-to's

Your thoughts

Have you secured DaRT to protect against unauthorized access? Share your experiences and advice with fellow TechRepublic members.

By Jesus Vigo

Jesus Vigo is a Network Administrator by day and owner of Mac|Jesus, LLC, specializing in Mac and Windows integration and providing solutions to small- and medium-size businesses. He brings 19 years of experience and multiple certifications from seve...