In reading over the forum traffic at TenForums recently, I encountered an item of great interest. This thread is entitled “File System Filter ‘wcifs’ Event ID 4.” Despite the title, it reveals that a number of Windows 10 users have been unable to create or use restore points recently. Curious to understand if my own system might be affected, I went looking for wcifs-related errors on my production PC. And sure enough, I found them. Not only that, I was also unable to revert to a brand-new restore point I created. This leads to my hypothesis — namely, that Win10 restore points appear broken.
Reverting to a recent restore point reported success, but then this message appeared following restart. Ouch!
What Makes Win10 Restore Points Appear Broken?
Discussion of the underlying problem based on error codes points toward some issue(s) with the Volume Shadow Service, or VSS. One astute reader pointed to a TechNet article about the File Screening Minifilter Driver. And indeed, errors related to that driver or to WCIFS appear to be present in all reports of this apparent breakdown for restore points in Build 1607 Version 14393. That’s the current production version of Windows 10, the Current Branch to be perfectly clear.
Another thread on TenForums picks up and runs further with the WCIFS theme. It’s entitled “Warning about File System Filter ‘wcifs’ – what is THAT ???” Those are exactly my own symptoms, too, so I dug in to learn more. The emerging consensus is that this is indeed a Windows bug (not something caused by third-party applications or user error). And of course, this leads to the question posed in the afore-linked thread: What is WCIFS anyway?
This acronym stands for Windows Container Isolation file system, and refers to a file system driver for Windows Containers (a relatively new addition to the Windows OS, which hints at some reason(s) why it might be experiencing difficulties). A Google search on “windows container isolation filesystem” turns up lots of interesting hits, too. It looks like container support started making its way into Windows 10 and Windows Server 2016 earlier this year (sometime in April, perhaps). It’s a way to isolate a container from the host OS, so that file system changes inside the container don’t affect that OS. I’d have to guess that something has gone wrong with this somewhere, or that the context for Volume Shadow copies has somehow gotten mishandled, and that efforts to restore are violating container boundaries.
What to Do About Broken Restore Points?
This is an interesting set of problems whose resolution will be worth watching. I’ve filed a detailed report with the Windows 10 Feedback Hub, and hope it will lead to some action. In the meantime, I’m also no longer relying on restore points to haul my fat from the fire. I’ve upped my backup frequency to nightly using Macrium Reflect, and remain pretty sure I’ll be able to put myself back in action with no more than a day’s work lost. I’d suggest others think about the same or similar strategies, until this matter is resolved.
As the release for Windows 10 Creator’s Update nears, the pace of Insider Preview releases is accelerating. Just last week, I got stuck upgrading my desktop test PC to Build 15031 Enterprise. Ultimately, I performed a clean install of that build, plus its usual aftermath. But I got caught by an oversight when I could neither see nor grab Thursday’s subsequent 15042 Build. Thus, I re-state the maxim that entitles this post: “Always adjust defaults after clean install.”
What does that mean in this particular case? Alas, I forgot that a clean install of the Insider Preview automatically sets the build pace to “Slow.” But only users who opt into “Fast” pace get new Builds as soon as they’re released. Slow users must wait until MS deems new releases stable enough for wider distribution. This led me down a few false trails before I found the real, dead-simple solution. My clean install was in the Slow group by default: toggling it Fast changed my status. Within minutes, I was happily downloading 15042; in under an hour it was installed and backed up.
Just one small toggle switches Insider Preview pace from “Slow” to “Fast.”
How Long Does the Switch-Over Take?
After selecting Fast as shown above, I wondered how long I’d have to wait for an upgrade offer. The “Note” at the end of the screencap hints at possible delay. So I waited 5 minutes, then tried my luck. I was pleasantly surprised when the 15042 update offer popped up. I was even more pleasantly surprised when I got through the entire upgrade process AND a complete system backup of the new build in under an hour.
If one can only remember things that need tweaking in the wake of a clean install, one can avoid such hiccups. The next time I do one, I’ll create a checklist which I will post here. Please: stay tuned!
Late last week MS released a new Windows 10 Insider Preview build. Little did I know that there would be “Interesting Issues in Insider Preview 15042.” But after a couple of failed installs, I found myself “bitten” on my Dell Venue Pro 11. That’s when I remembered that the release notes included this warning:
A small percentage of PCs may fail to update to this build due to a corrupt registry key. If your PC appears to be at the spinning dots black screen during boot for an unusual amount of time while updating to this build, hard reboot your PC and then run the following commands in an admin Command Prompt…
Those commands included deleting two registry keys, and disabling locality state for IPv6 on affected machines. (See the release notes for all the details, please.)
It took three tries to get it installed, but eventually I got Build 15042 up and running.
Interesting Issues in Insider Preview 15042 Lead to Multiple Install Attempts
Ultimately, it would take me 3 tries to get the install to work properly. The first one failed at 77% of the way through the post-reboot phase of processing the upgrade. In the wake of the first failure, I used TenForums guru Kari’s UUPtoISO tutorial to build an ISO from the leftover files. (That’s a nice and unexpected benefit of such a failure, as it turns out.)
Then my second attempt using setup.exe from the mounted ISO file failed in the same part of the install process. That’s when I remembered the warning from the release notes. I’m pleased to say that after following its instructions, the third install try indeed proved to be the charm. I now have a working install of Build 15042 running on my Dell hybrid tablet.
The UUP-to-ISO conversion tool also reads MS-supplied values to construct the ISO file name. Here’s what it produced for this latest build:
This name appears to indicate we’re nearing final status for the beta version of Windows 10. I’m also guessing from the appearance of OEM in this filename that the build is either at or soon to hit OEM release status. That’s usually shared with OEMs 30 days or so before the final release goes public. Thus, the timing is right for an early-to-mid April release for the next Win10 version, as recent news and rumors from Microsoft have led many insiders to expect.
Almost two weeks ago, I blogged here about the addition of a new security feature in Insider Preview Build 15031. It’s called Dynamic Lock. Dynamic Lock senses the signal strength from a cellphone paired via Bluetooth with a Windows 10 device. When that signal drops below a threshold, the feature causes the Win10 device to lock itself. This turns off direct access, and puts up the lockscreen, much like an inactivity disconnect. Now, thanks to the efforts of Rafael Rivera at Thurrott.com/Petri.Net, Win10 Dynamic Lock gets cool tool power. It comes in the form of a small utility named draconyx.exe. Here’s a screen cap:
The draconyx.exe program measures signal strength from Bluetooth devices once every minute or so and reports current readings.
When Win10 Dynamic Lock Gets Cool Tool, What Can It Do for You?
Internally, Dynamic Lock uses a measure of something called Received Signal Strength Indication (RSSI) to make the call on locking a device. According to Rivera, the control connects to a Bluetooth-paired cellphone “several times a minute.” Each time it does, it measures the RSSI value, then disconnects from the phone. When that value drops below a certain level, it locks the device. Rivera’s observation about the way this works is worth heeding, for those running phones and Win10 devices from battery: “Because an active connection is established every time this ritual is performed, you can bet there will be a battery life hit on both devices.” You’ve been warned!
That threshold value, according to Rivera, appears to be about -10 deciBels (dB). For Bluetooth devices 0 dB represents an optimal signal. A drop of 10 dB represents almost 70% reduction in signal strength, according to a deciBel to amplitude converter. That’s a pretty major drop and may be further away than it really needs to be before imposing a lock. At home, I was able to observe the lock kick in when I carried the phone all the way to the other side of the house, about 45 feet away. Perhaps that’s because my signal-rich kitchen sits between the room where the Dell Venue Pro 11 lay and the other room where I put the paired iPhone.
Using Draconyx.exe to Set the Lock Threshold
For those who want to lower the default distance, Rivera identifies a registry value BluetoothRssiMaxDelta (DWORD) one can set up to tweak the threshold. (See his story for the details.) You can use it to set up a threshold to lock your device when you leave the room, your office space, or your building, as you like. And that’s what makes it a cool tool. Thanks Rafael: Nice work!
Rivera also opines that the Dynamic Lock is flaky enough that it might not make it into the upcoming Creators Update in April. We’ll have to wait and see on that, but I hope it stays in the production OS. It’s an interesting and convenient feature, as far as I can tell.
By default, Windows 10 includes a built-in admin account. In fact, it’s named “Administrator.” Here, I explain how to enable or disable the Win10 Administrator account. Basically, there are two ways to proceed: at the command line, or in Computer Management.
Enable Disable Win10 Administrator Account from the Command Line or PowerShell
This is just a matter of working a specific NET command — namely net user. Just a minor variation on the same command turns the Administrator account on or off (no means disabled/yes means enabled):
net user "Administrator" /active:no
net user "Administrator" /active:yes
net user administrator <Password>
Remember: run this from an account that’s a member of the Administrators group. Don’t do it from the Administrator account, either. And please, do it from a command prompt or PowerShell window “run as administrator.” The third command sets a password for that account at the command line, too. (Replace <Password> with the password of your choosing, and make it a good one.)
Enable Disable Win10 Administrator Account from Computer Management
Here, we use the GUI method. Type “Computer Management” into the search box, then run the Computer Management console. In Computer Management, navigate to Users inside Local Users and Groups. Next, right-click on the “Administrator” account in the resulting list in the middle pane, as shown. Then, open its Properties window. By default the Administrator account is disabled. To enable it, uncheck the box that reads “Account is disabled.” To disable the account, re-check the same box.
Just one little checkbox enables or disables the account (it’s disabled by default).
For sure, if you are going to use the Administrator account, your next move should be to log into that account and set a suitably strong password. By default, that account has no password defined and just logs right into the PC where it’s been enabled. That’s best remembered and corrected immediately, lest you leave a security hole in that system big enough to steer a battleship through.
When Does Administrator Come in Handy?
Again by default, the first account you set up on a Windows 10 machine is a member of the Administrators group. If something happens to that account — for example, a corrupted user profile — you might not be able to log into that machine locally with admin privileges. In some cases, domain accounts might also be locked out or unusable. That’s when the built-in Administrator account can be a real life-saver for conducting recovery and/or repair operations.
On the other hand, this account is disabled for a good reason: doing so “reduces the attack surface on a Windows PC,” in the immortal words of Ed Bott. Always a good idea, and why you should only enable it during emergencies, then disable it again when the emergency is over.
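The enable, set-password and disable steps described above can also be scripted so that the password is set before the account is switched on and never appears on the command line. This is an added example, not code from the original post; the function names and the 14-character minimum are assumptions made for illustration.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the original post). Uses the LocalAccounts cmdlets
# that ship with Windows PowerShell 5.1 on Windows 10 version 1607 and later.
# All function names below are hypothetical helpers defined in this script.

function Get-BuiltinAdministrator {
    # The built-in account's SID always ends in -500, even when the account
    # has been renamed or carries a localized name, so match on the SID.
    Get-LocalUser | Where-Object { $_.SID.Value -match '^S-1-5-21-[\d-]+-500$' }
}

function Assert-NotBuiltinAdministrator {
    # The post advises against making these changes while logged on as
    # Administrator itself; refuse to continue in that case.
    $me = [System.Security.Principal.WindowsIdentity]::GetCurrent().User.Value
    if ($me -match '-500$') {
        throw 'Run this from another member of the Administrators group.'
    }
}

function Enable-BuiltinAdministrator {
    param([int]$MinimumLength = 14)   # assumed policy value; adjust as needed

    Assert-NotBuiltinAdministrator
    $admin = Get-BuiltinAdministrator
    if (-not $admin) { throw 'Built-in Administrator account not found.' }

    # Prompt for the password so it is not typed as a command argument,
    # where it would be visible on screen and in console history.
    $password = Read-Host -Prompt "New password for $($admin.Name)" -AsSecureString
    if ($password.Length -lt $MinimumLength) {
        throw "Password shorter than $MinimumLength characters; account left disabled."
    }

    # Set the password first, then enable, so the account is never
    # enabled while it still has no password.
    $admin | Set-LocalUser -Password $password
    $admin | Enable-LocalUser
    Get-BuiltinAdministrator | Select-Object Name, Enabled, PasswordLastSet
}

function Disable-BuiltinAdministrator {
    Assert-NotBuiltinAdministrator
    $admin = Get-BuiltinAdministrator
    if (-not $admin) { throw 'Built-in Administrator account not found.' }

    $admin | Disable-LocalUser
    # LastLogon shows whether the account was actually used while enabled.
    Get-BuiltinAdministrator | Select-Object Name, Enabled, LastLogon
}

# Usage, from an elevated PowerShell window:
#   Get-BuiltinAdministrator | Select-Object Name, Enabled, PasswordLastSet
#   Enable-BuiltinAdministrator      # at the start of the emergency
#   Disable-BuiltinAdministrator     # as soon as the repair work is done
```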
Microsoft’s upcoming Windows Insider Program for Businesses will cater to IT professionals.
Through the program, nicknamed WIP4Biz, IT admins will be able to test new Windows 10 features with their existing systems and give feedback to Microsoft prior to go-live dates. There is already a Windows Insider Program, however, that IT professionals can and have enrolled in to test Windows 10 updates. And it’s not clear how WIP4Biz will differ.
The Windows 10 insider program for businesses will make it easier to run preview builds and share information with peers working on similar issues, Microsoft said. The program will also let admins view feedback submitted by other members of their own IT staff.
It’s a good idea to make it easier for organizations to test Windows 10, and WIP4Biz is likely to mitigate problems such as business application incompatibility, said Robby Hill, founder and CEO at HillSouth, a Microsoft partner in Florence, S.C.
IT shops reported a number of issues following the Windows 10 Anniversary Update’s release in August 2016. For example, it did not support antivirus software from various vendors, and Microsoft had to release a fix the following month.
HillSouth dealt with that issue with its Kaspersky Labs antivirus software; Kaspersky released its own temporary fix before Microsoft issued its patch.
“That was a result of lack of testing with a lot of different vendors,” Hill said. “It took a week for the vendor to correct the issue and work with Microsoft to remedy it.”
Having a better way to test enterprise software with Windows updates could prevent these sorts of problems, but it remains to be seen how exactly the Windows 10 insider program for businesses will work. Microsoft hasn’t provided many details, but it will share more in the future, a spokesperson said. In the meantime, interested IT professionals can pre-register for the new program today.
Anybody can learn stuff, but lessons learned the hard way are the ones that stick with you. Case in point: I’ve got a Windows desktop PC I use as a test machine. Furthermore, I’ve got it set up as a dual-boot environment. On one SSD I’ve got a bootable installation of the Win10 Current Branch release (1607.693). On the other SSD, I’ve got a bootable installation of the Win10 Insider Preview (Build 15031). A recent kerfuffle with installing 15031 on that machine forced me to wipe that second SSD, and perform a clean install. As I did that, I remembered that one should disconnect drives before multi-boot install on a Windows PC. That way, I corrected an earlier flub where my Current Branch drive booted up both Windows versions (because I didn’t disconnect the other SATA drives before performing that install).
Why Disconnect Drives Before Multi-Boot Install?
Apparently, if you add a second OS instance the Windows Installer simply updates boot entries for the Boot Configuration Data (BCD) table for the already-installed OS. Thus, it adds the partition information for the second OS to the boot table on the first OS drive. That’s how it shows up on the boot menu for the PC involved.
But if you disconnect all other drives on a system except your OS target drive, you get a clean setup. Then the new target drive has its own independent BCD table. Also, one boot drive isn’t dependent on another boot drive for the Windows bootloader that brings it to life. Of course, that also means you must rebuild the new BCD to take note of the prior Windows install so you can boot it selectively as well.
Working with EasyBCD Instead of BCDEdit
Windows offers a built-in BCDEdit command line utility you can use to manipulate this information, but it’s a bit of a slog to use. Although it costs $30, NeoSmart Technologies’ EasyBCD is a worthwhile and friendlier replacement. After I wiped the second SSD, installed 15031, and got all the way through updates and cleanup, I fired up EasyBCD next and used it to add in data for the previous Windows install (shows up as “Win10 Current Branch” in screencap):
Entry #2 is for the old OS, and Reflect makes it easy to add a repair partition for image recovery.
As an added bonus, Macrium Reflect offers a facility to drop a recovery partition onto a boot drive. This lets you boot into that partition from the boot menu. Then you can run Reflect on its own to restore partitions from an image backup. A handy way to recover from serious Windows issues, but only if you have a current backup handy!
Last month, I was mucking around with my Asus RT-AC68U router. Among other experiments, I plugged a USB flash drive into one of its ports to share it with the network. This morning, I unplugged it from the router to try to use it for recovery on a temporarily disabled test PC. No dice: instead of using it to reboot that machine, I found myself tasked with overcoming USB flash write-protection on that drive.
Cute little sucker, but unfortunately dysfunctional.
What’s Involved in Overcoming USB Flash Write-Protection?
Good question! I turned to a tutorial on TenForums for my first set of answers. It’s entitled “Disk Write Protection – Enable or Disable in Windows.” The tutorial makes three basic prescriptions:
Flip a physical switch: some UFDs (and most external USB drive enclosures) have a write-lock switch on them. It’s something like the old tab on floppy disks that turned off their write-ability. My Patriot Memory TAB 16GB USB 3.0 UFD lacked this tab, so this option was out.
Use Diskpart to turn off readonly attribute: The syntax, after selecting the disk you wish to reset is: attributes disk clear readonly. Didn’t work either.
Bummer! None of the easy fixes worked. So I started poking around further. I soon found out that most UFD makers offer proprietary low-level formatting utilities to scrub their drives when they go south. A quick trip to the Patriot Memory Support forums showed a well-visited thread where owners can request a copy of their utility, and get it e-mailed to them. That’s what I did next.
Low-Level Formatting Madness
Being temperamentally disinclined to wait for much when troubleshooting, I kept poking around online and found a Website named FlashDrive-Repair.com. They’ve got utilities from many vendors, including Patriot Memory, available for download. Their downloads also get a clean bill of health from VirusTotal (phew! the Internet can be a dodgy place). But none of the tools I could find there worked, either — the two I tried gave up when they discovered the UFD was write-protected. What good is a low-level formatting tool that pays attention to such things?
So now I’m waiting for Patriot to cough up their utility, and try that one out. If it works, I’ll restore the UFD to service. If it doesn’t, I’ll toss it out and buy another set of 16GB UFDs from Newegg the next time I order something from them. Looks like they go for $9-15 for the ultra-compact models these days. No great loss either way.
I’ll report back when I hear from Patriot as to whether their proprietary tool does the trick. In the interim, keep those fingers crossed!
Email phishing attacks against high-level executives increased at Tri-Counties Regional Center last year. To combat and boost awareness of the problem, CIO Dominic Namnath turned to user training videos.
“Your user is the most vulnerable point,” Namnath said. “Spoofing the CEO’s email asking him to check out a website, which is an attack website — it wouldn’t be hard to imagine something going wrong.”
Tri-Counties Regional Center, a nonprofit healthcare services provider in Santa Barbara, Calif., takes a layered approach to desktop security, using Sophos for endpoint protection and network security. But phishing attacks — which fool users into clicking a link to a malicious website or file — are still quite concerning, Namnath said.
The organization first hired an IT consultant to provide annual anti-phishing training sessions for users, but that wasn’t sufficient, Namnath said. Now, Tri-Counties uses Ninjio, a security awareness training company that provides animated videos based on real-life security breaches. Users watch one three- to four-minute video a month that explains how a specific type of threat occurs and how to avoid it.
For instance, one video shows a hospital network become infected with ransomware because a phishing attack duped an employee. The employee learns how to prevent an attack by hovering the cursor over a link in an email to see a preview of the URL.
At Tri-Counties, IT tracks how many anti-phishing training videos users watch and assigns them a quota to reach in a certain timeframe. If users don’t meet the goal, Namnath restricts their access to certain websites.
“Basically, they won’t be able to get to any fun stuff,” Namnath said. “Those who aren’t being educated are our biggest risks.”
Thirty percent of attempted phishing emails get opened by users, according to the Verizon 2016 Data Breach Investigation Report.
Zack Schuler, a former network engineer and founder of Ninjio, started the company in 2015 because other anti-phishing training videos were 45 minutes long and not very engaging, he said.
“If we could just educate people so they knew what they were doing and knew what to look out for, then we’d have this massive dent in security vulnerabilities,” he said.
Cellphones are such a vital ingredient of modern life that we bring them with us everywhere we go. MS exploits this truism in the latest build of Windows 10, 15031. There’s a new facility in the Sign-In Options called “Dynamic lock” that detects when the phone is out of Bluetooth range and locks a paired PC in response. Here’s a screen cap showing this turned on for my Dell Venue Pro 11 and my iPhone. It shows just how Build 15031 brings dynamic lock to Windows 10:
As is so often the case with new software from Microsoft, this comes with a catch. The Bluetooth control panel widget is MIA in Build 15031 (you won’t find it, period). Thus, you must go through the “Devices and Printers” interface to pair your phone with your PC, then visit the Settings app under Accounts, Sign-in options. Once the device is paired, you can check the box next to “Allow Windows to detect…” This instructs the PC to switch to the lock screen, and blocks casual access to those lacking credentials.
I expect this capability will extend into production Windows when the Creator’s Update goes live in April. It will be a handy extension to desktop security for Windows, but only as long as you remember to take your (paired) cellphone with you when you walk away from your desk. My record on that is pretty good, though — as is most people’s — so this should work nicely.