This morning, I was poking around on the Windows 8 Forums site, and found a nifty tutorial on the improved check disk (chkdsk) utility that’s been built into Windows pretty much since Day 1 of its nearly three decades of life. Alas, there is an error in that tutorial that caused me a bit of stumbling around until I finally had the intelligence to call on the utility’s own built in help file (shown in the following screenshot, along with my attempt to use this new feature which garbage collects unneeded security descriptor data on the target drive):
Upon looking at the file I recognized that the security descriptor switch in the tutorial appears as “sdccleanup” when it should instead be “/sdcleanup”; likewise, “offlinescanandfix” should be “/offlinescanandfix” as well. But with these minor gaffes corrected, I was able to explore the new capabilities and see how they worked. I can’t say that the changes are laden with drama, but they do offer some nice new capabilities, including the security descriptor cleanup (which will recover increasingly more space on drives as files are added then deleted over time) and the spot fix capability, which performs limited repairs without requiring a system reboot (except when they are required on the system/boot volume, which will have to be performed immediately following the next reboot).
Good stuff: check it out!
At midnight, Wednesday, January 31, the Microsoft budget upgrade offer for Windows 8 expires. I just jumped up to the Windows 8 Upgrade Offer page, and learned that those promo codes Microsoft has been sending me via e-mail (thanks to my various Windows Live accounts) bring the price down from an already-awesome $39.99 to an even more stellar $14.99, if entered into the promo code field during the “pay for it before you get a key” phase of the ordering process.
Act fast, because the “deal” is off starting on February 2 (this Thursday).
If you don’t want to install the OS any time soon, you can quit the process as soon as you’ve paid for your new license and you get a key for a Windows 8 install. You can always grab the ISO file from other sources later on: as long as your key is good you can wait until you’re ready to install, well after the January 31 deadline comes and goes. In my case, I’ve already built a couple of bootable UFDs with x64 Windows 8 Pro install images — one for UEFI machines, the other for machines with conventional BIOSes. I’ve used them before for numerous Win8 installs, and I’ll use them again with my bargain basement keys.
And again: if you do have a promotional code for Windows 8, it takes the already low $39.99 cost down to an irresistible $14.99. But you must grab your key before midnight Wednesday to take advantage of this pricing. Don’t delay: do it now!!!
In the past three or four months, I’ve messed around with various takes on installing Windows – especially Windows 8 — on PCs sporting the Unified Extensible Firmware Interface, in lieu of the more traditional BIOS firmware used to raise PCs from a cold dead start to normal operation since time immemorial. Along the way, I’ve encountered lots of speculation, rumor, and word of mouth information on this fascinating topic. This morning, I finally came across a detailed reference in the TechNet Library that I wanted to share with all of my readers.
What you see to the left is a snippet from that element of the TechNet Library entitled “Phase 4: Image Deployment,” specifically the entry that’s highlighted in black: “Installing Windows to an EFI-Based Computer.” It explains that you must run Windows set-up, which may or may not take advantage of a special answer file to perform all kinds of interesting and intricate disk partitioning and formatting as part of the initial set-up process.
There’s an equally interesting article elsewhere in TechNet entitled “Sample: Configure UEFI/GPT-Based Hard Drive Partitions by Using Windows Setup” (and a variant that uses Windows PE and DiskPart instead). These items include step-by-step answer file entries (for the first of these two options) or ready-to-run script files (for the second) to handle the details of disk layout, partition assignment and sizing, and so forth and so on.
So far, this is the first and best detailed set of instructions and information on working with UEFI that I’ve found. It’s already helped me to make sense of the kinds of default disk layouts that Setup creates on its on when you perform a UEFI-based install, and I now understand how to increase the size of some of the non-Windows disk partitions that have occasionally given me trouble in the past (particularly the Windows RE tools, MSR, and Recovery Image partitions that Setup creates on its own).
What I still long to do, however, is to boot my UEFI PCs into the EFI shell immediately following start-up and learn how to work on my systems inside that pre-Windows boot run-time environment. I’ve read the Intel books (Beyond BIOS… and Harnessing the UEFI Shell) but I’ve yet to get to the command line and do anything with it after booting into EFI. Because I’m dying of interest and curiosity, I’m hoping some reader can recommend how I can built a boot USB or CD-ROM that will actually put me into a working run-time environment after booting into EFI.
Otherwise, these resources make me feel much more comfortable working with EFI-based installs, image captures, and deployments. Though I haven’t yet reached UEFI nirvana, that makes me feel a whole lot better about this stuff. Hopefully, other readers will benefit from access to these resources as well.
In my last blog, “What Gets Lost When Using Win8 Refresh,” I recounted my adventures after running the “Refresh your PC” facility built into Windows 8 on a machine that refused to let me use the record image (recimg) command to set up a current system image as my refresh basis. After additional work with the newly-refreshed system, I have to point out that what happened to my test machine was a worst-case scenario — namely, what happens when you permit the refresh to take your system back to the state it occupied just after you installed the OS.
Even so, this proved to be an extremely helpful maneuver for that system, and here’s why:
- Before refresh, the recimg command would not complete successfully. After refresh, it worked like a charm. As I pointed out in my last blog (having already captured a current image that included all the new drivers I’d had to install, as well as all of the apps and desktop applications that I decided were worth installing once again), this means even if you do have to try the worst case, you will probably only have to do that once.
- Before refresh, Hyper-V wasn’t working properly for me, either. I’d exported, then imported, my collection of virtual machines, to move them from a slower to a faster drive, only to discover that I couldn’t get them to work properly with an external switch to permit those virtual machines to access the Internet. None of the tweaks, tricks, or re-configurations I tried would fix this problem before the refresh. After the refresh, I had to redefine my Hyper-V settings and re-import my virtual hard disks (.vhdx files in all cases). But as soon as I did so, and defined a new external switch, everything worked just as it should have all along.
The stated purpose for refresh is to restore a troubled Windows installation to normal and stable operation. In this case, it took an install that was having issues with several key capabilities and replaced it with an install that showed none of those problems. Having troubleshot and noodled around with mysterious Windows gotchas for years, this strikes me as nothing short of miraculous. And if you take the time to create a custom refresh image for yourself at good opportunities (following a clean install, adding all Windows update that policy permits, updating all drivers, then installing all apps and applications to which users are allowed access, then after updates, driver changes, and adding new apps or applications thereafter), you can get back to a normal, stable state with minimal effort any time after that.
But the wonder and beauty of refresh comes with one interesting caveat: you should get in the habit of recording the complete file specification for the refresh images you save, especially those you don’t save on the system drive in the default directory (if your user systems are like mine, many of these use smaller SSDs for boot/system purposes, and nobody wants them cluttered up with big backup files). The following screencap illustrates why this is the case, showing the results of the recimg /showcurrent command, which displays the location for the most recently collected refresh image on a given system:
The mappings between Windows disk drive numbers and drive letters isn’t always obvious. For example, on this particular test system, the image file’s full specification in File Explorer is: F:/RefreshImage/CustomRefresh.wim. That’s what you have to use as the target when invoking the recimg command to restore that particular image, so it’s wise to record it somewhere, so you can provide the right specification should you ever need to use the recimg command to perform a refresh operation.
I’ve frequently looked at and pondered the meaning of the following “warning display” that precedes the use of Windows 8′s much-vaunted “Refresh your PC” maneuver. Last week, I actually launched this tool to truly understand what it would do to a PC if put to work. Going through those motions illuminated this warning with some interesting and — at least, for me — unforeseen implications of what’s really involved in the kind of refresh that returns Windows 8 to “factory fresh” settings.
As it turns out the promised list of apps removed is quite illuminating. Too bad it comes only after you’ve committed to performing a refresh. I’d recommend that MS consider performing a preliminary scan, and report this information before actually doing the refresh, so as to permit potential users of the utility to better assess the impact on their Windows 8 PCs. A quick look at this list gives me the opportunity to explain where I’m going with this and one great big honkin major gotcha that lurks therein:
Indeed, I expected my applications to be gone when I restarted my PC after doing the refresh. The warning is quite clear in that regard. But I didn’t realize that because installing Windows drivers often occurs in the content of running some kind of install utility, that the same thing would happen to the bulk of the device drivers installed on that PC as well. According to a favorite driver maintenance tool I use regularly — namely, DriverAgent — I had zero drivers out of date before I ran PC refresh. After running the refresh, I found myself with 21 (out of 69 total) drivers out of date, with all the lovely headache and aggravation that comes along with running down, obtaining, and installing Windows drivers these days. It wasn’t terribly difficult, but it did take more than half a day for me to figure out how to get those drivers installed and working after I’d laid hands on the most recent versions of the files involved. Now, my number of out of date drivers is down to one (it’s for an Intel 82579LM Gigabit Network Connection network interface I’m not actually using on that motherboard; though I’ve found the most current driver, I haven’t yet figured out how to install it on this particular unused device — that is, I can install it, but the install doesn’t seem to “take”).
7Zip Comes to a Partial, but Much-Appreciated Rescue
Along the way, I also learned an extremely valuable driver update technique. Entirely by accident (I picked the wrong right-button menu entry when opening a file) I discovered that 7Zip will open executable files and extract all their embedded contents where you tell it to put them. Because many driver updates come in installable packages (some of whose contents you may not want or be unable to install on your machine, as for example when seeking to apply a custom update for motherboard x against a completely different model y from a different manufacturer) this turns out to be a great way to grab the .inf, .cat, and .dll files that so often make up the actual drivers themselves, without having to work through an installer that might also want to load your machine down with unwanted management and supporting utilities along the way. The most extreme case of this comes from some Marvell disk controllers, which insist upon installing an outdated version of Apache server as part of their management infrastructure when run as-is. I don’t want or need that stuff (as I suspect many others also do not) but until I found this technique to get to the good stuff without also taking on (and then later manually deleting) unwanted elements, I never found an expeditious way to deal with this common driver issue. Even Legroom Software’s Universal Extractor (which has in the past proved incredibly useful in doing the same kind of thing) isn’t as quick or easy to use as 7Zip for this particular application. At the same time, 7Zip has shown itself able to unpack every .exe driver installer I’ve thrown at it, while Universal Extractor fails to do that job on about half of those same files nowadays.
The Real Value of the Windows 8
On December 7, 2012, I wrote a blog post here entitled “Create Your Own Refresh Image for Windows 8,” which explains how to use this command-line utility to capture a Windows image (.wim) file that the refresh command can later use as a “restore point” (or should that be “refresh point?”) in the future. I now understand that the real value of this approach is its ability to preserve all the drivers on a PC as well as the apps installed following system installation. One interesting side effect of my manual refresh of the system is that now that I’ve done this, the
recimg command is working (I had been working under the impression that the EFI partition on its system disk was preventing recimg from working, but it’s running on that system as I write these words) to capture my cleaned-up image for me. Should I need to refresh my PC again in the future, I no longer have to go back to ground zero! Now, if I could only figure out what screwed up in my original install in the first place… Sigh. Windows!
OK, by now everybody’s heard about the Department of Homeland Security’s Advisory (originally released on 1/10/2013, most recently updated yesterday, 1/17/2013). Here’s the meatiest part of that document’s recommendations:
Unless it is absolutely necessary to run Java in web browsers, disable it as described below, even after updating to 7u11. This will help mitigate other Java vulnerabilities that may be discovered in the future. [The advisory includes pointers to descriptions for how to disable Java in most major modern browsers, and there are plenty of other articles on the Web that explain how to do this for less popular ones, too.]
The guiding principle behind the DHS recommendation is risk avoidance — namely, that the only way to avoid future zero-day vulnerabilities in Java is to turn it off, since there appears to be no way to guarantee these can’t happen again. In fact, the very day after Oracle posted update version 11 (1/15/2013), a cybercrime forum posted a message that a new zero-day exploit kit for Java would be sold off to the two highest bidders at a starting price of $5K (source: InformationWeek Security). In fact, InformationWeek security maven Mathew J. Schwartz quite accurately labels Java an “attack magnet” in a recent story entitled “10 Facts: Secure Java For Business Use.” Among his recommendations that fall shy of what the DHS Advisory implores (“disable Java”), he mentions use of management tools like PolicyPak to restrict access to questionable or unauthorized Java code (and can even disable Java completely by policy, should that prove necessary). He also mentions use of white-listing tools such as NoScript for Firefox or Adblock Plus (for Chrome, Firefox, and Opera), both of which permit whitelisting of specific sites for active content while denying runtime access to all other active content.
My favorite among his recommendations is to maintain one browser to use for everyday surfing and Web access with Java disabled, and another, different browser to use only when accessing known good Java-based active content that must be used for legitimate business reasons. One would turn only to the Java-enable browser when circumstances compelled its use, and avoid using it otherwise. Schwartz also suggests that Oracle should patch faster, perhaps by devoting more resources to its upkeep and maintenance. The company’s planned two-year release cycle for Java, scheduled to begin with version 8 later in September, 2013, may or may not help to improve security. What would help, however, is to decouple the primary Java runtime environment from the Java browser extension, which means that end users often install and expose that extension to attack without even being aware of the exposure that creates, and the vulnerabilities to attack it presents. Schwartz quotes an expert from Stach & Liu as saying “Since so few websites legitimately use the Java browser extension, it is most prudent to disable it entirely” or perhaps to “only re-enable it for specific sites determined to be trustworthy.”
These days the rule of thumb for Java use seems to be “Use only when nothing else will work, and only when what’s used it known to be safe from potential vulnerability and attack.” Because it’s so hard to be sure, the DHS recommendation to disable first, and ask questions later, makes a depressing amount of sense. I still have to visit enough Java-based websites to write about them, that I’ve set up a special VM (snapshotted daily) where I keep a browser with Java enabled, and only work on that VM when I absolutely must use Java. If the worst happens, I can always toss an infected or exploited VM, and revert to the previous snapshot. It’s not completely foolproof or totally secure, but it does work, and it will protect my primary production runtime environment from attack and potential compromise.
Thanks to Mary Jo Foley’s ZDNet post from yesterday (“Microsoft goes public with its plan to manage Windows, iOS, and Android devices“) I found myself poking around on the MS Windows Intune pages this morning. As with much of the rest of Microsoft’s web presence, these pages are now built on HTML5 and CSS3, and carry a distinct flavor of the “Windows Store UI” (or what I call TIFKAM, short for “The Interface Formerly Known As Metro”).
Here’s a sample of some graphical elements from the Windows Intune page
The newly-upgraded offering works with Microsoft’s own Windows Intune cloud management service, with System Center 2012 Service Pack 1, and Windows Azure Services for Windows Server. This latter item supports what MS is calling a “Cloud OS” to provide “…a consistent platform across customer datacenters, service provider datacenters, and the Microsoft public cloud” (quote from MS press release entitled “Microsoft Advances the Cloud OS With New Management Solutions“). This latest release of the Windows Intune server when combined with SCCM 2012 SP1, permits IT organizations to “…crack the bring-your-own-device challenge.” According to Mary Jo Foley, the latest release provides capabilities for managing iOS (iPad, iPhone, and network-enabled iPods) and Android (smartphones and tablets) devices, along with Windows PCs, tablets, and so forth (including Windows 8 RT tablets), and with certain Windows Phone devices as well.
This sounds pretty intriguing but also potentially troublesome and time-consuming. I’m going to grab hold of this technology and see how it works with my collection of iOS devices (we have 4 in the household right now: 2 iPhones, an one each iPad and iPod) and Windows desktop, notebook, and tablet PCs (8 of them, including 4 machines running Windows 8 [1 tablet, 1 desktop, 2 notebooks], and another 4 running Windows 7 [2 notebooks and 2 desktops]). If Intune can help me manage and control all of these machines it could be a huge boon, and might also portend well for businesses at all scales. Stay tuned!
John Savill has been a player in the Windows world since the late 1990s, when his Windows NT FAQ became a go-to resource for IT professionals looking for Windows NT tips, tricks, and details that was both accurate and reliable. He’s continued to play a positive role in that world ever since, as a Microsoft MVP and a regular contributor to Windows publications and Websites of all kinds. These days, he works for Microsoft as a virtualization expert (his most recent book Microsoft Virtualization Secrets, provides lots of great info about Windows Server 2012, Hyper-V v3, and a panoply of uses for MS virtualization technologies). When he’s not busy doing his job, he’s still digging into new MS technologies, and building better tools to help ordinary users be productive. His Windows 8 Cheat Sheet for Keyboard and Touch compiled recently for Windows IT Pro, makes a great case in point:
Two weeks ago, my eight-year-old son begged me to update his Acer 5222 notebook from Windows 7 to Windows 8, so we performed the upgrade together. He dived right in, and has been surfing the web, playing games, and fooling around happily with the system ever since. I handed him a print-out of this cheat sheet yesterday, upon which he asked me “Why didn’t you give this to me sooner?” Fortunately, I had a good answer: the cheat sheet didn’t post until 1/13/2013 (yesterday), so I couldn’t have given it to him any sooner, even if I’d wanted to! This is a nice little helper that any Windows 8 newbie will find useful.
As a writer, I spend what time I’m not reading and researching various technical subject matters writing about those same things. My tool of choice (or mandate, for most of the publishers for whom I work) is Microsoft Word. My current version of Word comes from MS Office Professional Plus 2010 and is designated Version: 14.0.6129.5000 (64-bit) in the Help/About display. A couple of days ago I was working on a story for Tom’s IT Pro and had put about 6 hours’ worth of work in without saving the file. Through some crazy accidental combination of right-hand keystrokes (I still can’t reconstruct exactly what they were) I got shown a Word Window with a single character at the lower right-hand side of the screen, and the rest of the page blank. This caused me to think I’d opened a new window by mistake, so I closed it. When I got a save dialog, I declined to save, thinking I would find my open work window underneath. Alas, I was sadly mistaken and quickly realized I’d saved nothing of my previous work.
Rather than give up and start over, I started poking into the Word Autosave and Autorecover features. By clicking File, then Recent, then clicking Recover Unsaved Files, I was able to find and restore my work file as of the most recent Autosave (which is set by default in Word 2010 at ten-minute intervals, so you never lose more than 10 minutes’ work — a much more palatable concept than losing 6 hours’ worth). Although I had never before been forced to learn this recovery technique, because it saved me more than half a day of what would otherwise have been wasted work, I’m delighted to share this tip with you, in case you too were unaware of its presence and capabilities.
Though the old saying is “If you build idiot-proof systems, only idiots will use them” I’m very glad that Microsoft took the steps necessary to protect me from my own idiocy in this particular case.
Yesterday, Microsoft disclosed at CES that Windows 8 sales had hit 60 million in 10 weeks (70 days, which makes the benchmark date January 4, 2013) after its launch (source: NBC News Blog 1/8/2013). At roughly the same time in the Windows 7 sales cycle, Microsoft reported crossing 60 million at around 74 days out, saying further that this 60M number represented “more than have ever been sold in any other single quarter” (attributed to Bill Koefoed, MS GM of investor relations on 1/29/2010).
By my reckoning, this means that Windows 8 is selling roughly on par with Windows 7 after its release. Though pundits and analysts have been sounding notes of doom and gloom regularly on Windows 8 for the past year or longer, perhaps the new OS and its much-maligned touch-oriented interface is doing better than many had thought or hoped. Certainly, matching the Windows 7 sales track is nothing to sneeze at, especially since so many have speculated that Windows 8 could sell even better if more touch-enabled hardware were available to let it really do its thing best. If what we’re seeing at CES in Las Vegas this week is any indication, OEMs and peripheral vendors are working overtime to deliver touch-friendly PCs, platforms, peripherals, and add-ons galore.
That said, some of these sales don’t yet translate into “Windows 8 running on user desktops” because many Windows licenses are sold to OEMs so they can install them on desktops, notebooks, tablets, and so forth. Microsoft gets to book their purchases as sales, even though those same OEMs might not yet have passed those licenses onto actual buyers at any given moment in time. Market research firm NPD also reported on 1/4/2013 that “…the new [Win8] operating system did little to boost holiday sales or improve the year-long Windows notebook sales decline…” but also that “sales of Windows notebooks under $500 fell by 16 percent while notebooks priced above $500 increased 4 percent.”
My gut feel is that the Windows 8 phenomenon has yet to hit its full stride, and that it will take until mid-year — with broader more affordable access to touch-enable Windows 8 tablets, ultrabooks, and notebooks — before the real shape, market share, and momentum of the Windows 8 market is more fully understood. Sales will continue, but I suspect they’ll remain flat or without much added slope until July or August. After that, it will be extremely interesting to see if the sales curve spikes sharply upward, or if it continues its current modest trajectory.