Windows 7 - Into the abyss


Desktop Managers

posted Feb 26, 2010, 12:39 PM by r0m30 1

If you have worked with another OS, usually Linux or OSX, you have probably been exposed to a desktop manager.  Desktop managers create multiple virtual desktops and allow you to distribute your windows among those desktops, reducing the clutter so you aren't looking for that missing window all the time.  Once you start using a desktop manager you'll be loath to be without one.

I've tried two desktop managers on Windows 7, Desktops and Dexpot. I'm currently using Dexpot.

Desktops from sysinternals.com takes an interesting approach to creating your virtual desktops: it creates multiple Windows desktop objects.  This should in theory make this desktop manager almost bullet-proof but it does create some limitations as well.  You can't transfer a window from one desktop to another or do any of the other rule-based things you normally expect from a desktop manager.  If you just need a basic desktop manager this is lightweight and should cause very few problems.  I only had one issue while running it.  It seems to break the slideshow for background images.  When the slideshow does break all you have to do to fix it is go into the themes and reselect the images you want to rotate, no real harm done, just an annoyance.

Dexpot is a more traditional desktop manager; it has most of the things you would expect and it works well with Windows 7.  It is what is currently on my machine and so far it just works.  Occasionally a program will pop up a window on a desktop other than the one it is running on and finding out why the program has suddenly stopped responding is frustrating, but usually a quick swap to desktop 1 and a click will get you going again.  I haven't experienced this a lot but it does happen with ImgBurn.

If you don't use the background slideshow and your needs are minimalist, Desktops should be fine; if you want or need a more full-function desktop manager, Dexpot should be high on the list of products to try.

UAC - Still a bust

posted Feb 24, 2010, 4:08 PM by r0m30 1

I know security is hard but that's why they pay you the big bucks.  UAC is still unusable in its current form and then I find this on TechNet.  Give me a break......

Quoting (emphasis added)
"End users have been asking for Windows to provide a way to add arbitrary applications to the auto-elevate list since the Windows Vista beta. The commonly cited reason is that some third-party application they frequently use forces them to constantly click through an elevation prompt as part of their daily routine. Windows 7, just like Windows Vista, doesn't provide such a capability. We understand the aggravation, and there might be a legitimate reason that those applications can't run without administrative rights, but the risk is too high that developers will avoid fixing their code to work with standard user rights. Even if the list of what applications get auto-elevated was only accessible by administrators, developers might simply change their application setup program, which requires a one-time elevation, to add their application to the list. We've instead chosen to invest in educating and working closely with application developers to ensure their programs work correctly as a standard user."

The English translation:  We want to look like we are doing something and by making our "solution" unusable we can tout our security efforts and push the blame onto the user and developer communities.

If the "risk is too high" that developers will cheat the white-list function, then that's where you step in and require the user to enter a password, sign the code or whatever you like, not click yet another next button during the install.  Make sure that the experience is unique and, if you want, recommend that the user says no. Great, recommend what you will, but as the OWNER of this computer I should be allowed to decide what runs on my computer at what authority, not Microsoft.  Better still, when a program requires that it be white-listed, record and collect that information and then make it PUBLIC, a UAC hall of shame, and make it a requirement for the Windows logo that the program works for a standard user unless there is a damn good reason it can't.  Windows 7 must be trademarked, put that army of lawyers to work, don't let someone claim Windows 7 compatibility unless it runs for a standard user. This won't happen because it would require someone at Microsoft to put security before profit.

Other issues:

There needs to be a SINGLE place where trust is established, a registry entry for this and a manifest for that isn't the correct way to be doing this and anyone who does security for a living should know this.

Installation requires and is automatically granted elevation.  I don't know where to start so I won't go on a long incoherent rant.  I'll just say OMFG.

The trust chain for auto-elevation seems a little murky to me, nothing concrete I can put my finger on.  It just feels wrong on some basic level.

------

The real issue here is that security needs to be at the core of an OS and the legacy issues Windows has make that a difficult and costly proposition.  Trust should be one of the first services started when the OS initializes and everything should pass through that service for authority before it gets to execute a single instruction.  This is not unique to Windows but Microsoft seems to be better than most at making a bad situation worse.

Backups - Retrospect 7.7 for Windows

posted Feb 20, 2010, 9:00 PM by r0m30 1

As part of my migration to Win7 I checked my critical software for compatibility.  There was a new version of Retrospect (7.7) and it included Win7 support, it wasn't clear (to me anyway) that it was required for Win7 but reading the features I found that they had added a bare metal restore.... sold.
Even better, I've tested it and it works, see the caveat near the end of the post.

 I like Retrospect, I'll admit that I didn't do extensive research, it came with an external USB drive I bought and it worked.  I did upgrade to the "professional" edition so that I could back up clients. There have been several occasions where Retrospect saved me from a full reinstall of Windows and that makes it a critical part of my system.

As a part of my journey into the abyss I decided to let the system sleep. I've never been comfortable with sleep on a PC; there is no memory error correction on home PCs and as far as I can tell most consumer-level PCs don't even have memory error detection.  So I've made a compromise:  I'll let the PC sleep during the day but do a reboot daily just to ensure that any errors are flushed out of the system.  I'm a fanatical member of the "Boot Windows Daily" cult.

So begins my first issue with Retrospect: it doesn't wake up the PC from sleep to run scheduled backups.  Even worse, it doesn't make the required system calls to tell Windows that even if the user is away critical work is being done, so postpone sleep until it is finished.  My first attempt to resolve this issue was a bust.  I used the Windows task scheduler to schedule an innocuous task a few minutes before the scheduled backups and checked the box that told Windows to wake up the computer to run this task.  I assumed that the system would not go back to sleep until the 30 minute sleep timer had expired.  Unfortunately the Windows designers had their thinking caps on when they designed this part of the system.  When the system wakes up for a scheduled task it sets a short (two minute) timer to give the application time to make the proper calls to prevent the computer from going back to sleep.  My little tickler program didn't make those calls and neither did Retrospect, so the PC went back to sleep and the backups didn't run until the next morning when I logged on.

[Note: It turns out that Mozy backup also has this issue :-( ]

I did some research, hoping that I could use the external scripting feature of Retrospect to overcome this issue.  It turns out that unless I want to write my own backup scheduling system that wasn't an option.  I like to code but I'm not going to reinvent the wheel unless I have to.

My solution turned out to be rather simple (I like them that way).  I wrote a little program that makes the required system calls to prevent the system from going back to sleep and used the windows task scheduler to start it a few minutes before the backups are scheduled to start.  The program takes one argument, the number of minutes to keep the system from sleeping.  I've posted the source and the executable on the code page for anyone who wants to use it.

The real solution is for Retrospect to use the proper Windows calls to prevent sleep and schedule its wake-ups, but I'm not going to hold my breath.
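
A sketch of the keep-awake approach described above, added here as an example; it is not the author's program from the code page. It assumes the "required system calls" are the Win32 `SetThreadExecutionState` API, and the script name `keepawake.ps1`, the `KeepAwake.PowerState` type and the `-Minutes` parameter are illustrative names.

```powershell
# keepawake.ps1 (hypothetical name): block idle sleep for N minutes.
# Added example, not the program posted on the blog's code page.
param(
    [Parameter(Mandatory = $true)]
    [ValidateRange(1, 1440)]
    [int]$Minutes
)

# P/Invoke declaration for kernel32!SetThreadExecutionState.
$signature = @'
[DllImport("kernel32.dll")]
public static extern uint SetThreadExecutionState(uint esFlags);
'@
Add-Type -MemberDefinition $signature -Name 'PowerState' -Namespace 'KeepAwake'

# Documented EXECUTION_STATE flags, written in decimal because the
# hex literal 0x80000000 parses as a negative Int32 in PowerShell.
$ES_CONTINUOUS = [uint32]2147483648   # 0x80000000
$keepAwake     = [uint32]2147483649   # ES_CONTINUOUS | ES_SYSTEM_REQUIRED (0x1)

# The call returns the previous state, or 0 on failure.
$previous = [KeepAwake.PowerState]::SetThreadExecutionState($keepAwake)
if ($previous -eq 0) {
    throw 'SetThreadExecutionState failed; the system may still go to sleep.'
}

try {
    $until = (Get-Date).AddMinutes($Minutes)
    Write-Output ("Idle sleep blocked until {0:t}" -f $until)
    # The request belongs to this thread, so the script has to stay
    # alive for as long as the backup window lasts.
    Start-Sleep -Seconds ($Minutes * 60)
}
finally {
    # ES_CONTINUOUS on its own clears the requirement and hands
    # control back to the normal idle timer, even on Ctrl+C.
    [void][KeepAwake.PowerState]::SetThreadExecutionState($ES_CONTINUOUS)
}
```

Scheduled a few minutes before the backup with the "wake the computer to run this task" box checked, this holds the system awake past the two minute window described above. While it runs, `powercfg -requests` from an elevated prompt should list the outstanding request.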

A few other minor annoyances that I have with Retrospect:

It doesn't have the schedule OPTION for catalog copies and grooming.  Yes, you can schedule both of these tasks but they don't have the schedule OPTION like backups do.  I run hourly backups from 6am to 12pm and then a daily backup at 1am.  The schedule OPTION is what allows me to easily limit the hourly backups to 6am to 12pm.  I could and probably will create an overly complex multi-entry (18 to be precise) schedule to accomplish what the schedule OPTION allows me to do on my backups.

The bare metal restore CD doesn't allow you to escape to the command line and do anything other than what is on the menu.  I back up my catalogs to a TrueCrypt container because I can't determine if the catalogs are encrypted or not.  I know it's a little, OK a lot, on the paranoid side but I don't even want a stranger who acquires my PC (be it legally or illegally) to even know what files are or were on the PC.  I have to be able to mount the TrueCrypt container that has my catalog backups so I don't have to endure a catalog rebuild when I need to recover.  This issue can be worked around by downloading the Windows AIK, using it to mount the .wim and adding a "start cmd" and a "pause" to the existing startnet.cmd inside the .wim on the Retrospect restore CD and then recreating the restore CD, but why should you have to?  If you're going to do this you might as well add the TrueCrypt files to the CD so you don't have to maintain a TrueCrypt traveler CD too.

Backups - MS Backup & Restore

posted Feb 20, 2010, 2:51 PM by r0m30 1   [ updated Feb 21, 2010, 11:50 AM ]

First, on a positive note, the inclusion of a backup with bare metal restore capability is huge.  One attaboy for Microsoft on this one.

The issue I have with Microsoft Backup and Restore is that the backups are not encrypted.  If you have your financial records on your computer you should be using encryption.  I readily admit that most home users do not use encryption so not having the backup encrypted isn't increasing their exposure by much, if their computer is stolen the thief doesn't have to go to the unencrypted backup copy to get their financial data it's right there on the primary drive. 

So what do you do?  First I tried to schedule a backup to a TrueCrypt container on my external USB drive, nope, not gonna happen.  The wizard will not present the mounted container as an option.  So a little web surfing and I find the command line program to run the backup (WbAdmin); again it won't play.  I get a message that says my backup destination isn't a supported backup target.  The folks in Redmond seem to have gotten a severe case of Apple-itis:  they know what's good for me and I'll like it.

So how do I securely backup using the included Microsoft tool?  Apparently you don't....

As a workaround I'm using Disk2vhd from sysinternals.com to create a VHD of my system drive to a TrueCrypt container.  Disk2vhd allows you to create a .vhd from a running system using the volume shadow copy feature.  If I ever have to use this to restore it's going to be painful.  I'll have to copy the .vhd onto an unencrypted disk, mount the .vhd, use imagex to capture a .wim, apply the .wim to my system drive, and then scrub the unencrypted disk.  There will probably be some disk repair steps in there too.  I haven't tested this so it may not even work.

Thankfully this is going to be my backup of last resort.  I have Retrospect and it encrypts its backup sets.

No startup sound customization

posted Feb 19, 2010, 12:21 PM by r0m30 1   [ updated Feb 19, 2010, 12:44 PM ]

I'm still baffled by the decision not to allow you to change the startup sound.  My computer has greeted me with Pink Floyd's "Welcome to The Machine"  for over a decade now and it will continue to do so in spite of the stupidity in Redmond.  I've created a small program that simply plays the wave file given to it as the first parameter.  To install it copy it to somewhere in your path and then create a shortcut in your startup menu items.  Make sure you set the Run property to "Minimized" so the dos box doesn't pop up.


Source and .exe available on the code page.

Hope it helps

Initial impressions

posted Feb 18, 2010, 2:08 PM by r0m30 1

I really wanted Win 7 to be a good experience so I went the whole route and bought a SSD to install windows on for max performance.  This cascaded into a series of other upgrades (it always seems to work that way) but none of that is specific to or caused by Win7. 

It's not that much of a change from Vista.  I like the slide show background, I wish it would scale pictures larger than the screen to fit instead of truncating them but oh well.

Offering a bare metal restore of a system image is a great enhancement.  Unfortunately it won't let me create the system image in a TrueCrypt container on my external USB drive.  Yep, that's what I want a complete vhd with all my personal information on an unencrypted disk.  I'll be using that when Bill Gates and the top 100 MS execs post their  SSN, and bank/investment account numbers on microsoft.com.  I'm hoping that I can find a way around this using the AIK.  There are also two windows recovery environments, 32 bit and 64 bit, and they are incompatible, really???

UAC seemed to be better but then I installed Retrospect and it wouldn't run in the background because UAC wanted permission for it to "modify" the computer,  I did some research and found a piece by Microsoft that will be the subject of a future rant but for now it's bye-bye UAC. 

You can't change the start-up sound anymore...really?? Come on, what focus group said "gee Microsoft you know I just can't decide what sound to play when I start my computer so you decide for me"?  All that marketing hype about Win7 being all about what you want, destroyed less than 5 minutes after the initial install. I have a simple fix in the works and will post it here in a day or two.

Power management is hosed,  if you plug in a UPS Windows recognizes it and immediately sets it up to be a very expensive power strip.  It defaults to taking the critical battery action at 98% of the battery so even the slightest power glitch and you'll be rebooting and it will not let you change these values via the control panel GUI.  There are several discussions of the "feature" on the net and they all point to using the powercfg.exe command line tool to change the values, that changed the values but pulling the plug revealed that the values appear to be ignored.  My fix was to install APC PowerChute  which disables windows power management and works like it should.  If you don't have an APC UPS I have no clue how to get this working.

Windows 7

posted Feb 18, 2010, 2:04 PM by r0m30 1

I didn't plan on upgrading to Windows 7 until I upgraded my computer.  It took a long time to get Vista functioning in an acceptable manner and I didn't want to go through all that again.  Alas, a few of the people who rely on me for support have taken the plunge, either by choice or because they bought a new computer and it had Win 7 pre-installed.  So here I go into the abyss.
