Creative Commons Attribution 4.0 International License
© Rakhesh Sasidharan

Roaming profile permissions and versions

Ever noticed that when you moved from Windows XP to Windows 7 the profile name has a .V2 appended to it? That’s because the profile format changed with Windows Vista and, to avoid mistakenly loading the older profile format, Vista and upwards add a .V2 (version 2) to the profile folder name. This way a user can log in to both XP and Vista/ 7 machines at the same time and the profiles won’t get mashed. 

Windows 8/ 8.1 changes the format again to version 3. This time, however, they don’t change the folder name. When a Windows 7 user logs in to a Windows 8/ 8.1 machine the profile format is upgraded in-place but the folder name is not changed. Later, if they log in to a Windows 7 machine there will be trouble. Workarounds include this one from a member of the AD team or using GPOs on the computers to redirect roaming profiles to different locations (the “Set roaming profile path for all users logging onto this computer” GPO setting). More information is available in this KB article which seems to be missing. 

Speaking of GPOs and roaming profiles, by default roaming profiles are configured with very minimal permissions. Only the Creator/ Owner and the Local System have full permissions to the roaming profile on the server. Administrators don’t have any permissions, including being able to see the existing permissions. There is a GPO setting which can be used to grant the Administrator group access to roaming profiles. This is a Computer policy, found under Computer Configuration > Policies > Administrative Templates > System > User Profiles and is called “Add the Administrator security group to roaming users profiles”. 

Once this policy is applied to computers, when a user logs in the computer adds the Administrator group to the ACL of the roaming profile. However, this policy has a catch in that it only takes effect on roaming profiles created after the policy was deployed. If a user has a roaming profile from before the policy was deployed, the Administrator group will not be added to it. Even if the user logs in to a new machine the Administrator group will not be added (because in effect the machine is downloading the existing profile and leaving things as they are). Of course, if you delete the roaming profile of an existing user so it’s recreated afresh then the Administrator group will be added. 


The only way to assign access to the Administrator group in such cases is to take ownership of the user’s roaming profile and add the Administrator group to its ACLs. Best to create a PowerShell script or a batch file and automate the whole thing. 
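One way to automate that, as an added example (not the post’s own script): walk the profile share, skip profiles that already grant Administrators Full Control, and fix the rest with takeown and icacls. The share path \\FILESERVER\Profiles$ is a placeholder; run it elevated on the file server.

```powershell
# Added example, not from the original post. Grants the Administrators group
# Full Control on roaming profiles created before the GPO was deployed.
# $ProfileRoot is a placeholder share; run elevated as a member of Administrators.
param(
    [string]$ProfileRoot = '\\FILESERVER\Profiles$',
    [switch]$WhatIf
)

foreach ($dir in Get-ChildItem -Path $ProfileRoot -Directory) {
    $path = $dir.FullName

    # Profiles fixed by the GPO (or by an earlier run) already carry the entry.
    # On untouched profiles even Get-Acl fails, because Administrators cannot
    # read the ACL; the catch below simply treats that as "needs fixing".
    $granted = $false
    try {
        $granted = [bool]((Get-Acl -Path $path -ErrorAction Stop).Access | Where-Object {
            $_.IdentityReference -eq 'BUILTIN\Administrators' -and
            $_.FileSystemRights -eq 'FullControl' -and
            $_.AccessControlType -eq 'Allow'
        })
    } catch { }
    if ($granted) { continue }

    if ($WhatIf) { Write-Output "Would fix: $path"; continue }

    # /A gives ownership to the Administrators group (which the profile
    # ownership check accepts), /R recurses, /D Y answers its prompt.
    takeown.exe /F $path /A /R /D Y | Out-Null
    if ($LASTEXITCODE -ne 0) { Write-Warning "takeown failed on $path"; continue }

    # Same entry the GPO adds: Full Control, inherited by subfolders (CI) and files (OI).
    icacls.exe $path /grant 'Administrators:(OI)(CI)F' /T /C | Out-Null
    if ($LASTEXITCODE -ne 0) { Write-Warning "icacls failed on $path"; continue }

    Write-Output "Fixed: $path"
}
```

Run it with -WhatIf first to see which profiles would be touched.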

BCD Boot menu policy

As part of searching for something BCD related today I learnt of the BCD Boot menu policy setting.


Introduced in Windows 8, this setting controls whether you get the traditional text-based boot menu (Windows 7 and prior) or the new touch-friendly GUI-based menu (Windows 8 and later).

The bootmenupolicy setting can take either of two values: standard or legacy.

For the text menu:

For the GUI menu:
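Both switches in one place, as an added example (not the post’s own commands): a small PowerShell function that sets bootmenupolicy on the running OS entry with bcdedit and reads the value back to confirm it. It assumes an elevated prompt on Windows 8 or later.

```powershell
# Added example, not from the original post: set bootmenupolicy on the running
# OS entry and read it back. Run from an elevated prompt on Windows 8 or later.
function Set-BootMenuPolicy {
    param(
        [Parameter(Mandatory)]
        [ValidateSet('standard', 'legacy')]
        [string]$Policy   # legacy = text menu (Windows 7 style), standard = GUI menu
    )
    # Braces must be quoted in PowerShell, otherwise {current} parses as a script block.
    bcdedit /set '{current}' bootmenupolicy $Policy | Out-Null
    if ($LASTEXITCODE -ne 0) { throw 'bcdedit failed; is this an elevated prompt?' }

    # Verify: bcdedit /enum prints one "name   value" pair per line.
    $line = bcdedit /enum '{current}' | Select-String -Pattern '^bootmenupolicy\s+(\S+)'
    if (-not $line) { throw 'bootmenupolicy not found in the {current} entry' }
    $line.Matches[0].Groups[1].Value
}

Set-BootMenuPolicy -Policy legacy     # text menu; takes effect on the next boot
Set-BootMenuPolicy -Policy standard   # GUI menu
```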

Disabling Connected Standby

As you know a few days ago I purchased a Notion Ink Cain, a Windows 8.1 tablet-slash-laptop. This is my first Windows tablet so while it doubles as both, I have slightly different expectations and use cases from this.

One of these is the battery life. Whereas I always hibernate my regular laptop, the Cain is just put to sleep once I am done with it. I put it to sleep either via the Power button or the device goes to sleep on its own. This is fine but for two problems – (1) since the device is only sleeping and I usually dock it into the keyboard and use the flap as the cover, any key presses when the device is asleep results in it waking up and thus some battery draining; (2) since the Cain supports Connected Standby (nowadays called InstantGo) the device does not really sleep in the way we usually expect Windows devices to sleep, the sleep here is more like a “light sleep” wherein the device is kind of awake and able to let some background stuff like email and other programs run and do their bit.

I work around the first issue by rotating the Cain and then docking it, such that the keyboard is behind the device and so keypresses don’t get registered (the Cain requires the docking to be correct for the keyboard to be recognized). I also put the Cain in a pouch without the keyboard. It’s not very elegant but that’s what I was doing until today.

The second was an irritating issue. When I first read about Connected Standby I was very impressed with it. It’s not supposed to drain much battery. The requirement is that when on Connected Standby the device will lose less than 5% of its power over a 16 hour idle period, but that didn’t seem to be the case for me (try a powercfg /sleepstudy to get some results) and I wasn’t happy with the battery drain. Maybe it’s because I had set apps such as email to update in real time and so the device was regularly waking up to check email; I found that it barely lasted 2-3 days even when fully idle. That’s not great, and even putting it in airplane mode only made it slightly better.

To work around this I decided to start hibernating the device. I enabled the hibernation option in the Power menu and also created a shortcut to hibernate in the start menu. But these are manual approaches and didn’t seem “neat”. I wanted something where the Cain would automatically hibernate after a period of inactivity. I remembered back in Windows 7 (and even on my Windows 8 laptops) there are options under the Power menu in Control Panel to make the laptop sleep after a certain period and then hibernate. On the Cain though, this option was missing and I wasn’t sure why. I had a suspicion it must be because the Cain uses Connected Standby and so perhaps disabling it will reveal these options. I Google’d a bit to see if there’s a way to disable Connected Standby. Surprisingly I couldn’t find anything until finally some forum post mentioned another forum post that gave a registry key setting which disables Connected Standby. Applied that to the Cain and now I have the option to hibernate after a certain period. Yaay!

Unboxing the Cain

I got my Notion Ink Cain tablet the day before yesterday. I unboxed it in the car itself! Below are some pics.

Bubble wrap packaging in which I got the Cain

Out of the bubble wrap. Good quality box.

Close up of the box, showing price and specs

Unboxing

A nice touch. The box includes a letter and some mints (not shown).

The letter and mints

The tablet.

Tablet minus the wrapping.

Tablet in portrait orientation.

The keyboard-cum-cover. Notice the dock connector in the middle. That’s where you dock the tablet.

Tablet docked into the keyboard

Tablet docked and powered on.

Laptop next to my office desktop

Very irritatingly the tablet came with a screen protector. I hate screen protectors. I hate it when they have bubbles, and I hate the way they feel when I touch them. One of my first tasks then was to take a piece of paper (a good quality paper, one that wouldn’t bend easily), poke around the screen where there were bubbles between the screen and protector, slide the paper into one of these bubbles and thus pry the protector off. Such a relief!

The next step was to set up encryption on the Cain. That’s a bit more detailed so I’ll post it later.

[Aside] Creating a Windows USB to Go drive

Starting today I plan to make posts like these which are just links to other blogs. I find myself referring to this blog nowadays just to check out my notes on a topic or to see the links I refer to. It’s more convenient than my browser bookmarks as there’s more context in a blog post and it’s quicker to search.

Initially I thought of having a separate blog to post such “asides” but that’ll just be one more blog to maintain and search and make a decision when I want to post something. So I’ll just stick to this blog, but put these posts in a separate category and mark them so in the title.

Self Encrypting Drives (SEDs), BitLocker, UEFI, Truecrypt, etc

Past few days I upgraded my laptops with SSD drives. Learnt a few bits and pieces on the way, this is just a dump of what I learnt in case it helps others.

SSDs are fast and can really speed up old hardware, but set your expectations right if you are using encryption. In my case, an aging laptop with a 5400rpm regular HDD was very fast (as expected) when replaced with SSD. But add Truecrypt encryption to the mix, and it slows down a bit. Not too much, but noticeably, and especially when it comes to waking up from hibernation. In retrospect this should be expected as encryption places demands on the CPU, and older laptops mean slower CPUs hence that becomes a bottleneck.

There are SSDs that support hardware based encryption too. These are usually $20-$30 more than the other SSDs but the advantage is that the encryption task is offloaded to the controller of the SSD freeing up your computer CPU and avoiding a performance hit.

There seem to be three varieties of SSDs that support hardware based encryption: (1) also known as Self Encrypting Drives, these are based on an OPAL standard developed by the TCG wherein the drive itself has an engine to encrypt everything written to it (hence the name “self encrypting” drive); (2) those where the hard disk enclosure has a smaller regular (non-encrypted) hard drive, accompanied by an encryptor chip that takes care of encryption; and (3) there is a separate encryptor chip placed between the computer and regular (non-encrypted) hard drive that takes care of the encryption.

Self Encrypting Drives seem to be the popular ones. The Crucial M500, which I used for one of my laptops, is such a drive. SEDs have a 256-bit AES encryption engine that encrypts everything written to the drive by default. On its own that’s useless though as there’s no password protecting the keys used to encrypt everything, so anyone can read data from the drive and it will happily decrypt too. To use the drive effectively one needs additional software that supports the OPAL standard and which will interact with the drive to password protect the keys. There is much third party software for this but sadly most of it is for enterprises (so the software is very expensive and you can’t get more details until you contact the sales department etc). This is a pity, I wish drive manufacturers included such software for an additional reasonable cost as without such software the hardware-based encryption feature of such SSDs is useless.

From one of the Amazon reviews for the M500 I learnt that a user had good experiences using WinMagic’s SecureDoc. That software too is pricey (nearly as much as the SSD itself!) and I have two laptops so buying two copies of the software is not worth it.

There exists a “free” alternative though. If you are on Windows 8 (or Server 2012) and your SSD is OPAL 2 compliant (the M500 is) and your computer is UEFI 2.3.1 based and has the EFI_STORAGE_SECURITY_COMMAND_PROTOCOL defined (and has the Compatibility Support Module (CSM) disabled in UEFI, and always boots natively from UEFI) then BitLocker (which is a part of Windows 8) will encrypt the drive using its hardware-based encryption. (If you want to be doubly sure you can use the BitLocker PowerShell cmdlets to specify you want hardware encryption and later use the manage-bde -status command to verify hardware-based encryption is in use).

The UEFI requirement only applies if the SSD is used as a startup drive though (i.e. the OS is installed on it and boots up from it). If you are using the SSD as an additional drive, then BitLocker can be used for hardware-based encryption.

In my case, however, the SSD is a startup drive but neither computer had UEFI. Nor did the computer manufacturer have any updates for flashing UEFI. It does not seem possible to upgrade BIOS to UEFI either (at least not easily and there could be hardware limitations that prevent you from doing so too). So although I have an SED I can’t use BitLocker to use its hardware-based encryption features. Bummer!

For more info on SEDs: check out this KB article from Crucial on the encryption features of the M500; this forum post which clarifies hardware-based encryption does not work with Linux and also mentions SecureDoc; this and this article from AnandTech; this very informative article on how SEDs work.

UPDATE: Turns out I am not entirely correct in saying that SEDs are based on OPAL standards. Not all SEDs are based on OPAL standards. For instance, SSDs from Intel and Samsung (Intel SSD 520 Series, Samsung 840 Series) are SEDs but use a password you specify in the BIOS for hardware encryption. These SSDs require BIOS support for the password – known as ATA password. The drives always encrypt their data and once you specify a BIOS ATA password the keys are encrypted using a hash of this ATA password, thus locking the data (also see this FAQ and whitepaper in case the previous link is broken). (Also, if you are interested in ATA passwords and have a motherboard that does not support ATA passwords (not the same as BIOS passwords!) this forum post might be helpful).

See this page too from Softex.

UPDATE 2: Softex SecureDrive seems to be a reasonably priced product for OPAL SED drives. It’s about US$75 per license, which while high is still less than the US$100+ prices of others.

Using Remove-NetRoute to mass remove routes

Was checking my Windows 8 machine routing table (route print) when I noticed many entries like this:

Not sure what they are. I didn’t create them, and the 192.168.1.1 address is not on my network.

To be on the safe side I wanted to remove them. One could do it via route delete but that’s so old fashioned and slow (I would have to do it for each entry). What I want is a quick and easy way of mass removing routes. Enter the routing table related cmdlets in PowerShell 3.0.

The following one-liner will remove all routes whose NextHop address is 192.168.1.1:
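An expanded version of that, as an added example (not the post’s own one-liner): list the matching routes first, do a -WhatIf dry run, then remove them. It needs the NetTCPIP module (PowerShell 3 on Windows 8 / Server 2012) and an elevated session.

```powershell
# Added example, not the post's own one-liner: list, dry-run, then remove every
# route whose next hop is 192.168.1.1. Needs the NetTCPIP module (PowerShell 3,
# Windows 8 / Server 2012) and an elevated session.
$hop = '192.168.1.1'

# Look first: which destinations, which interface, and whether the routes are
# persistent (PolicyStore PersistentStore) or runtime-only (ActiveStore).
$routes = Get-NetRoute -NextHop $hop -ErrorAction SilentlyContinue
$routes | Select-Object DestinationPrefix, InterfaceAlias, RouteMetric, PolicyStore, Protocol |
    Format-Table -AutoSize

if ($routes) {
    # Dry run: prints "What if: ..." per route and changes nothing.
    $routes | Remove-NetRoute -WhatIf
    # The real thing; -Confirm:$false skips the per-route prompt.
    $routes | Remove-NetRoute -Confirm:$false
}

# Confirm nothing is left behind (should print nothing).
Get-NetRoute -NextHop $hop -ErrorAction SilentlyContinue
```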

Easy peasy!

For PowerShell 2.0 I am sure there would be a WMI way of achieving the same. Will post that later.

Get-WindowsFeature missing

I always open up PowerShell on $randomcomputer and type Get-WindowsFeature expecting to get a list of Windows features. Sometimes it doesn’t work and then I Google on why that’s the case, forgetting that I’ve been down this route umpteen times. So here’s a post for myself.

The *-WindowsFeature cmdlets are available via the Server Manager module which in turn is either present by default (on servers) or installed via the Remote Server Admin Tools (on clients).

  1. Windows Server 2012: Modules are loaded automatically on demand so the *-WindowsFeature cmdlets are available without any additional steps.
  2. Windows Server 2008 R2: Import the Server Manager module and then the *-WindowsFeature cmdlets can be used.
  3. Windows 8: Install the Server Manager via RSAT. This makes the Server Manager module available for automatic loading and then the *-WindowsFeature cmdlets can be used. Windows 8 also provides (Get|Enable|Disable)-WindowsOptionalFeature cmdlets as part of the DISM module (which is present by default). These provide similar functionality to the *-WindowsFeature cmdlets (they don’t work on remote computers though!). Add the -Online switch when using these cmdlets, as they can work with either the running instance or a mounted Windows image.
  4. Windows 7: Installing the Server Manager via RSAT doesn’t help. It doesn’t include the Server Manager module and so the *-WindowsFeature cmdlets are not available. An alternative is to install the 3rd party Client Manager module which gives the *-ClientFeature cmdlets.
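The four cases above folded into one function, as an added example (not from the original post): it returns the enabled features using whichever cmdlet set the machine actually has, importing the Server Manager module where it exists but is not auto-loaded.

```powershell
# Added example, not from the original post: get the enabled features with
# whichever cmdlet set the machine has, following the four cases above.
function Get-EnabledFeatureName {
    # Server 2008 R2 ships the ServerManager module but does not auto-load it.
    if (-not (Get-Command Get-WindowsFeature -ErrorAction SilentlyContinue) -and
        (Get-Module -ListAvailable -Name ServerManager)) {
        Import-Module ServerManager
    }
    # Server 2012 (auto-loaded) and Windows 8 with RSAT end up here.
    if (Get-Command Get-WindowsFeature -ErrorAction SilentlyContinue) {
        return (Get-WindowsFeature | Where-Object { $_.Installed } |
            Select-Object -ExpandProperty Name)
    }
    # Windows 8 without RSAT: the DISM module. -Online means the running OS
    # rather than a mounted image, and it only works on the local machine.
    if (Get-Command Get-WindowsOptionalFeature -ErrorAction SilentlyContinue) {
        return (Get-WindowsOptionalFeature -Online | Where-Object { $_.State -eq 'Enabled' } |
            Select-Object -ExpandProperty FeatureName)
    }
    # Windows 7: neither module exists, even with RSAT installed.
    throw 'No feature cmdlets here; on Windows 7 try the third-party Client Manager module.'
}

Get-EnabledFeatureName
```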

Managing BitLocker disks on Server Core

I have a Server Core 2012 that has two BitLocker encrypted disks on it. When I encrypted those disks the server had the full GUI but after I converted to Core there’s obviously no GUI to just double click and be prompted for a password etc. So I need to use the command line tools.

There seem to be two ways.

First are the BitLocker command line tools. Manage-bde looks like the most useful command here. Using this one can see the status of all the drives on the machine, lock, unlock, set auto-lock auto-unlock, and also turn on or off BitLocker encryption on a drive.

Typing manage-bde in the command prompt gives you all the options. Each of these options has further switches which you can discover by typing manage-bde <option-name> -?.

To view the status of all drives on the machine:

To unlock an encrypted drive (with drive letter D:) to use with the system:

I use passwords, hence the -pw switch. If you use recovery keys or certificates there are switches for that too. manage-bde prompts for a password and unlocks the drive, mounting it on the specified drive letter.

To set the drive (with drive letter D:) as auto-unlocked:

That’s all. From now on the drive will be automatically unlocked when attached to the system.

The syntax for disabling auto-unlock and locking a drive are pretty obvious from the examples above. The thing to remember is you always specify the manage-bde command followed by a dash switch specifying what you want to do, and after that you specify the drive letter.

There are two other commands: Repair-Bde for repairing corrupted BitLocker encrypted drives and BdeHdCfg for setting up a drive with BitLocker encryption (though it doesn’t seem to be required any more as Manage-Bde includes some of this functionality).

Apart from the BitLocker command line tools you can also manage BitLocker via PowerShell. This is only for Windows 8/ Windows Server 2012 and is available via the BitLocker module (requires RSAT on Windows 8).

To view the available drives on a system and their BitLocker status do:

You can also check the status of a specific drive with the above cmdlet by passing it the drive letter with the -MountPath switch.

To unlock a BitLocker drive (with letter D:) do:

The cmdlet does not prompt for a password. You have to pass it via the -Password switch. You can’t pass the password as plain text either, so you have to convert it to a secure string. Use the ConvertTo-SecureString cmdlet for that or just use Read-Host and convert the input text to a secure string on the fly.

To set auto-unlock on a drive (with letter D:) do:

Similar cmdlets exist for locking and auto-locking drives.
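The commands described in this post collected in one place, as an added example (not from the original post): the manage-bde invocations for status, unlock and auto-unlock, followed by their BitLocker-module equivalents. It assumes an elevated session and the post’s data disk D:; the cmdlets name the drive with the -MountPoint parameter.

```powershell
# Added example, not from the original post: the manage-bde commands the text
# describes and their BitLocker-module equivalents, for the post's data disk D:.
# Elevated session assumed. Pick the lines you need; they are listed, not a flow.
$drive = 'D:'

# --- manage-bde: always present, Server Core included ---
manage-bde -status                        # every volume, its lock and protection state
manage-bde -status $drive                 # just this one
manage-bde -unlock $drive -pw             # prompts for the password, then mounts it
manage-bde -autounlock -enable $drive     # unlock automatically from now on
# manage-bde -autounlock -disable $drive  # the reverse
# manage-bde -lock $drive -forcedismount  # lock it again, even if files are open

# --- BitLocker module: Windows 8 / Server 2012 (RSAT on Windows 8) ---
Import-Module BitLocker
Get-BitLockerVolume |
    Format-Table MountPoint, VolumeStatus, LockStatus, ProtectionStatus, AutoUnlockEnabled

# The cmdlet does not prompt; it wants a SecureString. Read-Host -AsSecureString
# keeps the password out of the command line and the session history.
$pw = Read-Host -Prompt "Password for $drive" -AsSecureString
Unlock-BitLocker -MountPoint $drive -Password $pw

Enable-BitLockerAutoUnlock -MountPoint $drive
Get-BitLockerVolume -MountPoint $drive    # LockStatus should now read Unlocked
# Disable-BitLockerAutoUnlock -MountPoint $drive
# Lock-BitLocker -MountPoint $drive -ForceDismount
```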

After writing this post I discovered a TechNet article that goes into more detail on the above command line tools and cmdlets. Go check it out.

Windows Advanced Firewall

Just some notes on the Windows Firewall.

  1. Starting with Windows Vista and Windows Server 2008 you have to use the netsh advfirewall firewall command-line context to manage the firewall. You still have the netsh firewall context, but that’s just for backward compatibility.
  2. Starting with Windows Vista and Windows Server 2008 you also have three profiles: domain (which applies when you are connected to a domain), public (for networks you mark as public), and private (for networks you mark as private/ home). Prior to this the firewall only had a domain profile (which is still present) and a standard profile (which now maps to the private profile). So by using the netsh firewall context you can only modify the domain and private profiles.
  3. netsh advfirewall firewall (show|add|set|delete) commands can be used to view, add, modify, and delete rules. You can’t filter by rule names unfortunately. All you can do is filter for all rules based on their profile and direction (inbound or outbound). Moreover you can’t format the output and neither can you manage multiple rules (except if they are part of a group but then you can’t filter further in terms of “all rules of a particular group that belong to such and such profile”). Very limited, actually.
  4. Starting with Windows 8 and Windows Server 2012 you have PowerShell 3 and this can manage the firewall. Unfortunately, while you can install PowerShell 3 on Windows 7 and Windows Server 2008 R2, it doesn’t have the NetSecurity module which provides the firewall cmdlets. So you can’t manage the firewall on these OSes with PowerShell 3. See this blog post for a list of PowerShell 3 firewall related cmdlets.
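The filtering and mass changes that netsh advfirewall cannot do, done with the NetSecurity cmdlets, as an added example (not from the original post): rules narrowed by direction, enabled state, profile and group, joined to their port filters, then disabled in one go. It assumes an elevated PowerShell 3 session on Windows 8 / Server 2012 and uses the built-in “Remote Desktop” rule group as the sample.

```powershell
# Added example, not from the original post: the filtering netsh advfirewall
# cannot do, done with the NetSecurity module (Windows 8 / Server 2012 only).
Import-Module NetSecurity

# netsh can only narrow by profile and direction. Here: enabled inbound rules
# of the "Remote Desktop" group that apply to the Public profile.
$rules = Get-NetFirewallRule -Direction Inbound -Enabled True -DisplayGroup 'Remote Desktop' |
    Where-Object { $_.Profile -eq 'Any' -or $_.Profile -match 'Public' }

# Format the output the way netsh cannot: one row per rule, joined to its port filter.
$rules | ForEach-Object {
    $port = $_ | Get-NetFirewallPortFilter
    [pscustomobject]@{
        Name      = $_.DisplayName
        Profile   = $_.Profile
        Action    = $_.Action
        Protocol  = $port.Protocol
        LocalPort = ($port.LocalPort -join ',')
    }
} | Format-Table -AutoSize

# Manage several rules at once (the other thing netsh cannot do).
# -WhatIf only reports what would change; drop it to apply.
$rules | Disable-NetFirewallRule -WhatIf
```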

Windows backups

Got myself a new USB 3 external disk for taking backups so past few days I’ve been exploring that. My laptop’s about 6 months old now and I have customized it to the way I want and I would hate having to lose all that should anything happen. So apart from a data backup – which is what I usually do – I wanted something that would just “image” the drive and be restore-able easily.

The wannabe geek that I am, my initial impulse was to explore solutions like ImageX or Disk2VHD. ImageX especially appealed to me as it’s a file based image format so if I manage to use it I’ll have a backup in an image format that just backs up the actual files instead of doing a sector based backup. This would mean the backup size is small (if a 100GB partition only has 50GB worth of files, the backup is only 50GB in size as opposed to a sector image backup that would be 100GB in size), I can restore to partitions that aren’t the same size as the original partition, I can mount the backup and fiddle around, I can compress the backup… and in general it just feels pretty cool using ImageX to backup, so why not!?

This forum post talks about using ImageX for backups. Microsoft does not recommend using ImageX for system backups because it has some limitations – mainly to do with extended attributes being lost and sparse files no longer being sparse and junctions possibly getting corrupted – and although I don’t actually use any of these features I am not sure Windows does not use them by default (as a matter of fact I do know Windows uses junctions for the SxS (side-by-side) folder so I could be unaware that it’s using the other features too somewhere by default). Also, while ImageX is cool, there is the additional hassle of having a WinPE (or BartPE) disk ready so I can restore the ImageX backup and reinstall the boot-loader etc.

Disk2VHD was another option I considered but again, it’s a hassle converting the VHD disk to a physical disk. Sure it’s possible, but as I have learnt when actually having to restore files after a problem: you don’t tend to be too appreciative of geeky solutions then, you are probably pissed and irritated and short of time and so just want something that works and gets the job done as quick as possible.

The forum post that talks about ImageX gives many more suggestions. DriveImage XML is a good alternative. I have used it in the past to back up my computer and while I am not a fan of its interface it takes an image level backup and is good at what it does. To restore the backup I can use their Linux based recovery CD or create a WinPE disk using Bart’s PE Builder. I tried DriveImage XML and it was fast too.

Windows 7

And then I stumbled upon Windows 7’s in-built backup program. Which is really the subject matter of this post. You see, my mind was still stuck on Windows backup being that old crappy backup software that came with Windows XP – I hadn’t really updated myself to the fact that Windows Backup is now kind of cool. It does regular backups, but it also offers the option to make a System Image backup – which is exactly what I was looking for!

A System Image is essentially a VHD file with a bunch of XML files that contain metadata about the backup. You can take the backup to an external disk or a network path. The backup program creates a folder on the path you specify, within which there’s a subfolder with the name of the machine you are trying to back up, with a subfolder containing the date of the backup. As I mentioned above, the System Image backup is a VHD file containing a snapshot of the C: drive and the hidden system drive (so you have two VHD files created). Unlike the regular backup, which is also offered, you can’t restore individual files with a System Image (as it’s a file image after all), but since you can mount these VHD files as a drive letter (Windows 7 and later let you mount VHD files) essentially you can navigate through the backup and just copy and restore files from the System Image if you wish. I find that cool!

Best of all, you can choose to create a System Repair Disc – or if you don’t do that, just use the Windows 7 installation disc and choose the “Repair” option – and then point it to the external disk or network path containing the System Image backup and it will restore the image. Easy!

I am paranoid and like my backups to be encrypted. That too is no problem because I can use BitLocker to encrypt the disk I will be backing up to and so now the System Image is encrypted. When restoring, the program is smart enough to ask for the BitLocker key after which the System Image is available.

The Storage Team blog has four posts ([1], [2], [3], and [4]) that introduce the Windows 7 backup features. I recommend everyone reads them, including the comments which answer many questions. They talk not just about the System Image backups, but also the regular backup (where you take a full backup followed by many incrementals, and which you can restore file by file) as well as features like System Restore that let you use Volume Shadow Copy (VSS) to automatically have previous versions of files preserved on a drive. This Paul Thurrott article too talks about Windows 7 backup features and has many screenshots.

I must point out that if the System Image backup is taken to a network path only the latest backup is kept. On external disks it keeps multiple backups but it moves the older backups to the Shadow Copy storage area. Shadow Copy (aka “System Restore”) is disabled by default for non-OS drives, so only one copy of the System Image will be kept even on external disks. And if Shadow Copy is enabled, by default only 30% of the partition size is allocated for Shadow Copy and so only 30% of the partition size will be used for System Image backups. If you use the external disk exclusively for System Image backups you can tweak this via “System Restore” (click “Configure” in the screenshot).

Last, but not the least, for those who like the command-line there is a wbadmin command. This is useful if you want to script or schedule creation of System Image backups based on other triggers (when you connect to a home network, for instance).

Windows 8

It’s worth pointing out that Windows 8 has a different sort of backup. Windows 8 backups are more like the Mac OS X “Time Machine” backups wherein you specify an external disk and the OS periodically saves snapshots of your files and documents to that disk. You can specify the snapshot intervals and how long you’d like to keep them, and the OS offers you a GUI to go back to previous versions/ deleted files. It is sort of like Windows 7’s “System Restore” feature but with more prominence. And it does not do System Image backups.

However, Windows 8 does have the Windows 7 backup program – under a different name (it’s called Windows 7 File Recovery) – and that lets you do regular backups and System Image backups, so all that was discussed above still applies there.