Академический Документы
Профессиональный Документы
Культура Документы
Contents
Basics ........................................................................................................................................................................................ 1
Introduction to Windows 7 .............................................................................................................................................. 1
Creating a Windows 7 USB Installation Source ........................................................................................................... 4
Upgrading to Windows 7 - Overview ............................................................................................................................ 9
Migrating to Windows 7 using WET............................................................................................................................ 10
Migrating to Windows 7 using USMT ......................................................................................................................... 15
Networking ............................................................................................................................................................................ 21
Configuring IPv4 in Windows 7.................................................................................................................................... 21
Configuring IPv6 in Windows 7.................................................................................................................................... 25
Internet Connection Sharing (ICS) Configuration in Windows 7 ........................................................................... 28
Working With Wireless Network Connections in Windows 7 ................................................................................ 32
Working with Windows Firewall in Windows 7 ......................................................................................................... 38
Configuring Windows Firewall with Advanced Security in Windows 7................................................................. 43
Configuring BranchCache in Windows 7 .................................................................................................................... 51
Creating a VPN Connection in Windows 7 ................................................................................................................ 55
DirectAccess Feature in Windows 7............................................................................................................................. 59
Deployment ........................................................................................................................................................................... 62
Preparing for Windows 7 Image Capture .................................................................................................................... 62
Mounting and Unmounting Windows 7 Image Using ImageX and DISM ........................................................... 66
Creating WinPE Using WAIK for Windows 7 .......................................................................................................... 76
Windows 7 Image Capture Demonstration................................................................................................................. 80
Windows 7 Image Deployment Demonstration ........................................................................................................ 85
Managing Existing Windows 7 Images ........................................................................................................................ 91
Servicing Windows 7 Image Using DISM ................................................................................................................... 98
Applying Updates to Windows 7 Image Using DISM ............................................................................................ 105
Creating Virtual Hard Disk (VHD) using Disk Management in Windows 7 ...................................................... 108
Creating Virtual Hard Disk (VHD) using Diskpart in Windows 7 ....................................................................... 113
Management ........................................................................................................................................................................ 117
www.utilizewindows.com
Basics
Introduction to Windows 7
Basics
Introduction to Windows 7
Before you start
Objectives: learn about main features in each Windows 7 edition and what minimum hardware requirements
are
Prerequisites: no prerequisites.
Key terms: windows 7 editions, starter, home basic, home premium, professional, enterprise, ultimate,
hardware requirements, processor architecture.
Windows 7 Editions
There are six different Windows 7 editions:
Starter
Home Basic
Home Premium
Professional
Enterprise
Ultimate
Starter
Windows 7 Starter edition does not support DVD playback, Windows Aero user interface, IIS Web Server,
Internet connection sharing, or Windows Media Center. It also does not support advanced, new features like
AppLocker, Encrypting File System, DirectAccess, BitLocker, BranchCache, and Remote Desktop Host. It
supports only one physical processor.
Home Basic
Window 7 Home Basic does not support domains, Aero user interface, DVD playback, Windows Media
Center, or IIS Web Server. It also does not support enterprise features such as EFS, AppLocker, DirectAccess,
BitLocker, Remote Desktop Host, and BranchCache. It supports only one physical processor. The x86 version
supports a maximum of 4 GB of RAM, whereas the x64 version supports a maximum of 8 GB of RAM.
Home Premium
Windows 7 Home Premium supports the Windows Aero UI, DVD playback, Windows Media Center, Internet
connection sharing, and the IIS Web Server. It does not support domains and it does not support enterprise
features such as EFS, AppLocker, DirectAccess, BitLocker, Remote Desktop Host, and BranchCache. The x86
version of Windows 7 Home Premium supports a maximum of 4 GB of RAM, whereas the x64 version
supports a maximum of 16 GB of RAM. Windows 7 Home Premium supports up to two physical processors.
1
www.utilizewindows.com
Basics
Introduction to Windows 7
Professional
Windows 7 Professional supports all the features available in Windows Home Premium, and it also supports
domains. It supports EFS and Remote Desktop Host but does not support enterprise features such as
AppLocker, DirectAccess, BitLocker, and BranchCache.
Enterprise
Windows 7 Enterprise and Ultimate Editions support all the features available in all other Windows 7 editions
but also support all the enterprise features such as EFS, Remote Desktop Host, AppLocker, DirectAccess,
BitLocker, BranchCache, and Boot from VHD. Windows 7 Enterprise and Ultimate editions support up to
two physical processors. Windows 7 Enterprise is available only to Microsoft's volume licensing customers, and
Windows 7 Ultimate is available from retailers and on new computers installed by manufacturers.
Although some editions support only one physical processor, they do support an unlimited number of cores on
that processor. For example, all editions of Windows 7 support quad-core CPUs. We can use Remote Desktop
to initiate a connection from any edition of Windows 7, but we can connect to computers running Windows 7
Professional, Windows 7 Ultimate, or Windows 7 Enterprise. We can't use Remote Desktop Connection to
connect to computers running Windows 7 Starter, Windows 7 Home Basic, or Windows 7 Home Premium.
Hardware Requirements
Windows 7 Starter and Windows 7 Home Basic have the following minimum hardware requirements:
20-GB (x64) or 16-GB (x86) hard disk drive, traditional or Solid State Disk (SSD), with at least 15 GB
of available space
Windows 7 Home Premium, Professional, Ultimate, and Enterprise editions have the following minimum
hardware requirements:
1 GB of system memory
40-GB hard disk drive (traditional or SSD) with at least 15 GB of available space
Graphics adapter that supports DirectX 9 graphics, has a Windows Display Driver Model (WDDM)
driver, Pixel Shader 2.0 hardware, and 32 bits per pixel and a minimum of 128 MB graphics memory
www.utilizewindows.com
Basics
Introduction to Windows 7
system will be unable to utilize any RAM that the computer has beyond 4 GB. We can install the x64 version
of Windows 7 only on computers that have x64-compatible processors. The x64 versions of Windows 7
Professional, Enterprise, and Ultimate editions support up to 128 GB of RAM. The x64 version of Windows 7
Home Basic edition supports 8 GB and the x64 edition of Home Premium supports a maximum of 16 GB.
www.utilizewindows.com
Basics
Creating a Windows 7 USB Installation Source
Procedure
Before we begin keep in mind that during this process USB flash drive will be completely erased, so we have to
make sure that we save any data that it contains. In our example we have a Windows 7 installation DVD
present in our D drive, and a USB flash drive available trough drive E, as shown on the picture.
www.utilizewindows.com
Basics
Creating a Windows 7 USB Installation Source
We know that we are running CMD in elevated mode because we have the 'Administrator' in the name of the
CMD window.
Figure 4 - Diskpart
Next, we will enter: list disk. With this command we can view all the available disks on our computer.
In our example, Disk 0 is the hard drive. We know that because the size of our internal hard disk is 40GB. The
size of our USB flash drive is 4 GB (3875 MB to be more precise). To work with USB drive we need to select
it. To do that, in our case, we have to type in: select disk 1.
After the selection we will clean the USB drive. We have to wipe out any partition information and anything on
it. To do that we will type in: clean.
www.utilizewindows.com
Basics
Creating a Windows 7 USB Installation Source
Figure 7 - Clean
After the cleaning, notice that, if we browse to the Computer, our USB drive now changed. There is no info
shown about the free space.
Now we need to create the partition on our USB drive. To do that, in Command Prompt we will enter: create
partition primary.
After that we will format our new partition with the FAT32 as our file system. To do that we will enter: format
fs=fat32 quick.
Figure 10 - Format
Now, we need to mark our new partition as active. To do that we will enter: active.
Figure 11 - Active
Now we have a USB drive with an active partition. To use it as the installation source we also have to make it
bootable. As we will see, we will run the bootsect command to copy the boot manager information that
Windows 7 requires to perform the install, to our USB drive. Then we will have to copy the entire content of
the Windows 7 DVD to the USB drive. To do all that, first we need to exit from Diskpart. In CMD enter: exit.
www.utilizewindows.com
Basics
Creating a Windows 7 USB Installation Source
Figure 12 - Exit
In our example, Windows 7 installation DVD is in the D drive. In the D drive, in the folder called 'Boot', there
is a program called 'bootsect'. We will run it with the '/NT60' parameter and we will also specify the drive
letter of our USB drive. This will copy the the boot manager files to our USB drive. The command, in our case,
looks like this: d:\boot\bootsect /NT60 e:.
Figure 13 - Bootsect
As we can see, our E drive was updated with all the necessary boot manager information that Windows 7 needs
to boot of the USB drive.
3. Copy DVD Content to USB Drive
The last step is to copy all files from the Windows 7 DVD to our USB drive.
www.utilizewindows.com
Basics
Creating a Windows 7 USB Installation Source
Once the copy is complete, our USB drive is ready for use. Of course, on the computer on which we want to
perform the installation, we have to go to the BIOS and make sure that the USB device is selected to boot
from. After that the installation will be the same as if we were installing from a DVD.
www.utilizewindows.com
Basics
Upgrading to Windows 7 - Overview
Different Editions
Edition upgrades can only be performed from a lower edition to a higher edition. It can be performed using
installation media or using the Windows Anytime Upgrade. Windows Anytime Upgrade was introduced in
Windows Vista and it allows us to purchase an edition upgrade for the operating system over the Internet.
Keep in mind that we cannot upgrade 32-bit edition to 64-bit edition of Windows and vice-verca.
Different Platforms
To change or migrate to a different platform (32-bit or 64-bit) we can use the Wipe-and-Load or Side-by-side
migration of Windows 7 or use multi boot. We will be required to migrate user data and application settings
between the two installations. This is not upgrade, but migration.
Hardware Requirements
Before upgrading we need to have at least 15 GB of free hard drive space. Windows Vista and Windows 7 in
general have the same hardware requirements. To check for hardware incompatibilities we can use Windows 7
Upgrade Advisor tool that will inform us of any device or software incompatibilities that our computer might
have. Before running Upgrade Advisor it is recommended to connect all devices to the computer, such as
printers, scanners, cameras and other devices that we will be using on Windows 7.
Recommendations
It is recommended to perform full backup of existing installation in case the upgrade fails. Also we should
ensure that we have proper product keys available for Windows or any application or game that is installed on
existing installation.
The biggest benefit in upgrading from an existing installation to Windows 7 is that the users settings and
applications are preserved.
www.utilizewindows.com
Basics
Migrating to Windows 7 using WET
10
www.utilizewindows.com
Basics
Migrating to Windows 7 using WET
As we can see on the picture, we can use WET utility to transfer user accounts, their documents, pictures,
movies, videos etc. Notice that we can not transfer applications. On the next screen we can choose where to
save our data.
We can use a special "type A to type A" USB cable which is also called Easy Transfer Cable. It is used to
connect two computers together. We can also transfer data over network by establishing a TCP/IP connection.
The third option is to store data on a removable media, local hard disk, network share or a mapped drive. In
our example we will select third available option. On the next screen we have to select which computer we are
using.
This is our old computer. It is Vista computer so we only have one option. When we select it, the tool will scan
for all available user accounts on our machine.
11
www.utilizewindows.com
Basics
Migrating to Windows 7 using WET
Once the scan is complete we can see that it detected one profile (ivancic) and Shared Items. In our example
we will only select "ivancic" account and click Next. On the next screen we can set the password for the data
that will be exported.
Figure 19 - Password
In our example we will leave password empty and click Save. On the next screen we can choose where to save
our files.
12
www.utilizewindows.com
Basics
Migrating to Windows 7 using WET
Remember that we could easily browse to a network location and save our migration data there. That way the
data would be available for every computer on the network. In our example we will save our data on a local
hard disk, to c:\migration folder.
13
www.utilizewindows.com
Basics
Migrating to Windows 7 using WET
Our data will be exported with a MIG extension. Now we can copy it to a new Windows 7 computer and run it
by double clicking it or by running migwiz and then importing it.
14
www.utilizewindows.com
Basics
Migrating to Windows 7 using USMT
Prerequisites: you have to be familiar with migration concepts in general and with tools which you can use.
Key terms: usmt, user profile, scanstate, loadstate, command, account, cmd, syntax, source, destination
Now, we want to copy all users from Windows XP to Windows 7. To do that, first we need to
run scanstate tool on the Windows XP. To check which parameters must be provided to the scanstate tool
simply enter scanstate in CMD.
15
www.utilizewindows.com
Basics
Migrating to Windows 7 using USMT
We can see that the syntax is: scanstate <StorePath> [Options]. In this demo we will save all data locally
in c:\usmt\users folder, so lets create a migration store by entering the following command: scanstate
c:\usmt\users. This command will gather information about all user accounts on this machine and save it in
the c:\usmt\users folder. It is possible to modify this command to select which account to include or exclude.
In our case it gathered information about 8 users.
16
www.utilizewindows.com
Basics
Migrating to Windows 7 using USMT
Destination Computer
Once the scanstate is complete we can switch to the destination computer which is Windows 7 in our case.
Now, we need to remember where we saved users from the source machine. The best thing would be to use a
network share so we can access those resources from any computer on the network. For the purpose of this
demonstration we have copied gathered user profiles which were exported to thec:\usmt\users folder on the
Windows XP machine, to the c:\usmt\users folder on the Windows 7 machine. Also, we have
copied x86folder which contains USMT, to the c:\usmt folder on Windows 7 machine. The first thing we
need to do on destination computer is to run elevated CMD. To do that, right-click CMD and select 'Run as
administrator'. Next, we need to get to the c:\usmt\x86 folder, so we will enter the command: cd
c:\usmt\x86. Next, to load users that we exported from Windows XP, we will use that loadstate tool. Let's
enterloadstate in CMD.
17
www.utilizewindows.com
Basics
Migrating to Windows 7 using USMT
We can see that the syntax for the loadstate command is loadstate <StorePath> [options]. To load user
accounts we will enter the command: loadstate c:\usmt\users /lac. The /lac option means that we want to
create local accounts that do not exist on our destination computer. If accounts already existed we would not
have to use the /lac switch because the information would be migrated to existing accounts. Now, because we
did not provide passwords for accounts that were migrated, they will be created as disabled. Once all accounts
are created, the migration data is copied.
18
www.utilizewindows.com
Basics
Migrating to Windows 7 using USMT
Some often used options for the scanstate and loadstate commands are:
/lac - creates a user account if the user account is local and does not exist on the destination computer
/lae - enables the user account created with the '/lac' option
Once the migration is complete we can go to the Computer Management to verify new accounts.
19
www.utilizewindows.com
Basics
Migrating to Windows 7 using USMT
As we can see, new accounts were created but they are disabled. Disabled accounts have an icon with an arrow
pointing down. To enable an account right-click it, go to Properties, in General tab uncheck the 'Account is
disabled' option and then click Apply.
20
www.utilizewindows.com
Networking
Configuring IPv4 in Windows 7
Networking
Configuring IPv4 in Windows 7
Before you start
Objectives: Learn how to configure IPv4 settings on Windows 7 machine by using GUI and how to
troubleshoot connectivity in command line.
Prerequisites: you should know all about IPv4 address and about different ways to apply network settings.
Key terms: IPv4, network, address, connection, IP, settings, case, center, ping
The Network Center will show us many options, but the one section we are particularly interested in is "Active
networks". In our case we already our network connection configured, and we are connected to the "intranet"
at our workplace.
To see the details about that connection we can simply click its name, which is "Local Area Connection" in our
case. To see the details about that specific connection we can click on the Details button.
21
www.utilizewindows.com
Networking
Configuring IPv4 in Windows 7
Notice that our connection currently uses DHCP to get the required information about the network
connection. We already have our IPv4 address, subnet mask, DNS server. Notice that we can also see the
"DHCP Enabled" option which is set to "Yes", and we can also see the IP address of the DHCP server. To
change network settings we can click the Properties button. The new window will open on which we have to
select which item we want to configure. In this case we will select the "Internet Protocol Version 4
(TCP/IPv4)" protocol, since we want to change IPv4 address.
22
www.utilizewindows.com
Networking
Configuring IPv4 in Windows 7
When we click the Properties button again, we will be able to enter new IPv4 settings. Notice that currently we
have the "Obtain an IP address automatically" option selected.
This means that our computer will use DHCP to get the connection information. To enter the information
manually we can simply select the "Use the following IP address" option. In our case we want our computer to
always use the same IP address, so we will enter 192.168.1.145 as an IPv4 address, 255.255.255.0 as the subnet
mask, 192.168.1.1 as our default gateway, and we will use the 10.10.1.2 as our DNS server. Our configuration
now looks like this.
23
www.utilizewindows.com
Networking
Configuring IPv4 in Windows 7
To check if our connection works we should try to communicate with another host on the network. To do that
we can use the "ping" tool in command line. Let's try and communicate with the default gateway (192.168.1.1).
Figure 34 - Ping
In our case everything works fine. If we have trouble communicating with another host, we can try and ping
our own IP address, which is 192.168.1.145 in our case. If that does not work, we should try and ping the local
loopback address which is 127.0.0.1, which will check if the the IPv4 stack is properly installed. To check you
IP address and subnet mask we can use the "ipconfig /all" command. If everything seems OK, but the "ping"
action still does not work when we try to communicate with another host on the network, we should check our
firewall settings. In Windows Firewall with Advanced Security, in Inbound Rules section, we have to make
sure that "File and Printer Sharing (Echo Request - ICMPv4-In)" rule allows communication.
24
www.utilizewindows.com
Networking
Configuring IPv6 in Windows 7
The Network Center will show us many options, but the one section we are particularly interested in is "Active
networks". In our case we already our network connection configured, and we are connected to the "intranet"
at our workplace.
To see the details about that connection we can simply click its name, which is "Local Area Connection" in our
case. To see the details about that specific connection we can click on the Details button.
25
www.utilizewindows.com
Networking
Configuring IPv6 in Windows 7
Notice that we already have Link-local IPv6 Address configured. Link-Local address is similar to the APIPA
address in IPv4. Link-local IPv6 address always starts with "fe8". If we see a Link-local address configured on
our machine, that means that our computer was not able to contact the DHCPv6 server. To change our
network settings we can click the Properties button. The new window will open on which we have to select
which item we want to configure. In this case we will select the "Internet Protocol Version 6 (TCP/IPv6)"
protocol, since we want to change the IPv6 address.
26
www.utilizewindows.com
Networking
Configuring IPv6 in Windows 7
By default, our computer is configured to obtained the IPv6 address automatically. In this tutorial we will try to
assign a Unique-Local IPv6 address to our host. Unique-Local addresses are similar to private addresses in
IPv4. Unique-Local address always starts with "fc" or "fd" (first 8 bits). The next 40 bits represent the "globalid", and the next 16 bits represent the "subnet-id". The remaining 64 bits represent a host. The "global-id" part
will represent our organization, while we can use the "subnet-id" to create multiple subnets. The "global-id"
part should be randomly generated, but in our case we will simply choose some random "global-id" and the
"subnet-id". So, our example Unique-Local address will be: FCAB:BEBC:ABAC:0100::1000. The default
subnet prefix length is 64.
Let's now go to the command line and check our settings by using the "ipconfig" command.
Notice that now we have our IPv6 address configured, but the Link-local address also remained intact. That
means that our computer basically has two configured IPv6 addresses that can be used for communication.
27
www.utilizewindows.com
Networking
Internet Connection Sharing (ICS) Configuration in Windows 7
Figure 41 - Connections
So, we want to share our Internet connection from this computer with other computers which are located on
our LAN. Internet connection is typically connected to a cable modem, a DSL modem, etc. Local Area
Connection is typically connected to a Switch on our local (private) network. On that Switch we will typically
have other computers connected.
28
www.utilizewindows.com
Networking
Internet Connection Sharing (ICS) Configuration in Windows 7
To enable ICS, we will select our Internet connection, go to its properties, and select the Sharing tab. Here we
will select the "Allow other network users to connect trough this computer's Internet connection" option. This
will basically enable ICS on this computer. In our case we will uncheck the "Allow other network users to
control or disable the shared Internet connection" option.
If we click the Settings button, we will be able to control some basic firewall settings. This way we can quickly
enable some basic services that we want to be accessible from the Internet trough our ICS computer. As you
can see, when we enable ICS, our computer starts to act as a router and a NAT device.
29
www.utilizewindows.com
Networking
Internet Connection Sharing (ICS) Configuration in Windows 7
For example, let's say that we have a web server on our private network and that we want to make it publicly
accessible. The host name of the web server is "web-server". To configure this, we will select "Web Server
(HTTP)" from the list of services and click the Edit button. We will enter the name of the computer "webserver". We could also enter the IP address of the computer.
Notice that other settings can't be changed (port is 80). Note that we can only do this for one computer on the
same port. This is considered port forwarding. We can add other or the same services, but they have to use
different ports. With this configured, when someone on the public network tries to access our public IP
address together with the port 80, that request fill be forwarded to the "web-server" computer on our private
network.
30
www.utilizewindows.com
Networking
Internet Connection Sharing (ICS) Configuration in Windows 7
When the ICS is enabled, our network connections will automatically be configured with some specific settings.
First, the Local Area Connection will be configured with the 192.168.137.1 IP address. With ICS, our computer
automatically becomes the gateway for computers on our private network, and the gateway address will be the
address of the LAN interface of the ICS computer. ICS computer will also start to hand out IP addresses and
other information to computers on our private network (it will become the DHCP server). This is why it is
important that the computers on the private network are DHCP enabled. We can use commands "ipconfig
/release" and "ipconfig /renew" to obtain new configuration from the ICS server. If we see an IP address
which starts with "169.254.", this means that the computer was not able to contact the DHCP server.
31
www.utilizewindows.com
Networking
Working With Wireless Network Connections in Windows 7
Ad Hoc Networks
To create an Ad Hoc wireless network we have to go to the Network and Sharing Center in Control Panel. In
the Network and Sharing Center we will click on the "Set up a new connection or network" option. On the
next window we have to select the "Set up a wireless ad hoc (computer-to-computer) network" option.
The next thing we need to do is to specify the name of our network and choose the security type. For ad hoc
networks, the available security types are Open, WEP and WPA2-Personal. Remember that WPA2-Personal is
a lot more secure than WEP, so we should always use WPA2 if all devices support it. In our case we will
choose WPA2-Personal, so we also have to specify the security key.
32
www.utilizewindows.com
Networking
Working With Wireless Network Connections in Windows 7
The purpose of the ad hoc network is to provide temporary wireless network access for devices in close
proximity, without the need of wireless access point. On the next screen we will also be able to turn on Internet
connection sharing. This is because our computer is also connected to the wired network which has Internet
connection, so we can share that Internet connection with the clients on the ad hoc network if we want.
At this point other devices will be able to find and connect to our wireless ad hoc network. If we click on the
network icon in the System Tray, we can see that our ad hoc network is waiting for users.
33
www.utilizewindows.com
Networking
Working With Wireless Network Connections in Windows 7
Note that the icon used for ad hoc network has three computers connected in triangle, while the infrastructure
networks have bars as the icon. One other thing that we should remember about ad hoc networks is that they
will be removed once all users disconnect from it. Also, users who connect to the ad hoc network are not able
to save it in the list of wireless networks.
If we don't enable Internet connection sharing, users which connect to our ad hoc network will not get their IP
address automatically from the DHCP. If you have experience with IP addressing, you will know that in this
case the devices will automatically use some address from the APIPA range, and this will actually work. We can
also specify the IP address on every device manually (this also includes the computer on which we set up the ad
hoc network). However, if we enable Internet connection sharing in the first place, all devices will get their IP
address from the DHCP server on the computer on which we have created the ad hoc network.
34
www.utilizewindows.com
Networking
Working With Wireless Network Connections in Windows 7
In our case we are connecting to a network which is using WPA2-Personal security standard, so we have to
provide the password to gain access to the wireless network.
So, when we enter the correct security key we will connect to the network, and that's it. Now, sometimes the
SSID of the wireless network is not being broadcasted. To connect to that kind of network we have to create
the wireless network profile manually. To do that we have to go to the Network and Sharing Center, and select
the "Set up a new connection or network" option. In the window we have to select the "Manually connect to a
wireless network" option.
On the next screen we have to specify the SSID (network name), security type, encryption type and the security
key. We also have to select the "Connect even if the network is not broadcasting" option. This will ensure that
our computer will connect to the network which has SSID broadcasting disabled. Note that we have to know
all those settings before we start connecting.
35
www.utilizewindows.com
Networking
Working With Wireless Network Connections in Windows 7
Now, if we go to the Network and Sharing Center, and then select the "Manage wireless networks" option, we
will see our newly created network listed.
Here we will also see any other network that we have previously connected to. Here we can delete all those
wireless networks or modify them. Have in mind that we can't modify the SSID of the existing network here. If
the SSID is changed, we have to delete the old network and create a new one.
One other thing that we should have in mind is the Profile Type. If we click on the Profile Type button in the
"Manage wireless networks" window, we will be able to choose the type of profile to assign to new wireless
networks.
36
www.utilizewindows.com
Networking
Working With Wireless Network Connections in Windows 7
Have in mind that by default all wireless networks created on the computer can be used by all users. However,
we can set up the per-user profile configuration. This way users can create connections that can only be
accessed and modified by them (per-user).
Troubleshooting
The stronger wireless signal means the better wireless performance. There are several thing that we can do to
ensure proper wireless signal in our network. First, we have to ensure that all clients are in the range of our
wireless access point. To improve the range we can implement additional antennas or signal boosters in our
wireless network. Also, some physical object may cause obstructions and interference. Another option is to
install additional access points. This will increase the coverage of our wireless network.
Some devices will cause interference with our wireless network. Those devices are cordless phones,
microwaves, Bluetooth devices, or any other device with radio signal. We should move those devices away
from our AP. Also, we should always ensure that the wireless channel used in our network is not overlapping
with another channel.
Windows 7 includes many troubleshooting tools that can be used to troubleshoot wired and wireless networks.
For example, we can use a Network Diagnostics tool to diagnose the connection issues. When troubleshooting
wireless networks with this tool, the first thing we should do is try to connect to the AP, and then run the
Network Diagnostics tool.
The most common problem with wireless networks is the wrong configuration. So, the first thing we should do
is to ensure that we have configured the correct SSID and WEP/WPA keys.
37
www.utilizewindows.com
Networking
Working with Windows Firewall in Windows 7
Firewall in Windows 7
Windows 7 comes with two firewalls that work together. One is the Windows Firewall, and the other
is Windows Firewall with Advanced Security (WFAS). The main difference between them is the complexity
of the rules configuration. Windows Firewall uses simple rules that directly relate to a program or a service. The
rules in WFAS can be configured based on protocols, ports, addresses and authentication. By default, both
firewalls come with predefined set of rules that allow us to utilize network resources. This includes things like
browsing the web, receiving e-mails, etc. Other standard firewall exceptions are File and Printer
Sharing, Network Discovery, Performance Logs and Alerts, Remote Administration, Windows Remote
Management, Remote Assistance, Remote Desktop, Windows Media Player, Windows Media Player Network
Sharing Service.
With firewall in Windows 7 we can configure inbound and outbound rules. By default, all outbound traffic is
allowed, and inbound responses to that traffic are also allowed. Inbound traffic initiated from external sources
is automatically blocked.
Sometimes we will see a notification about a blocked program which is trying to access network resources. In
that case we will be able to add an exception to our firewall in order to allow traffic from the program in the
future.
Windows 7 comes with some new features when it comes to firewall. For example, "full-stealth" feature blocks
other computers from performing operating system fingerprinting. OS fingerprinting is a malicious technique
used to determine the operating system running on the host machine. Another feature is "boot-time filtering".
This features ensures that the firewall is working at the same time when the network interface becomes active,
which was not the case in previous versions of Windows.
When we first connect to some network, we are prompted to select a network location. This feature is know as
Network Location Awareness (NLA). This features enables us to assign a network profile to the connection
based on the location. Different network profiles contain different collections of firewall rules. In Windows 7,
different network profiles can be configured on different interfaces. For example, our wired interface can have
different profile than our wireless interface. There are three different network profiles available:
Public
38
www.utilizewindows.com
Networking
Working with Windows Firewall in Windows 7
We choose those locations when we connect to a network. We can always change the location in the Network
and Sharing Center, in Control Panel. The Domain profile can be automatically assigned by the NLA service
when we log on to an Active Directory domain. Note that we must have administrative rights in order to
configure firewall in Windows 7.
By default, Windows Firewall is enabled for both private (home or work) and public networks. It is also
configured to block all connections to programs that are not on the list of allowed programs. To configure
exceptions we can go to the menu on the left and select "Allow a program or feature through Windows
Firewall" option.
39
www.utilizewindows.com
Networking
Working with Windows Firewall in Windows 7
Figure 57 - Exceptions
To change settings in this window we have to click the "Change settings" button. As you can see, here we have
a list of predefined programs and features that can be allowed to communicate on private or public networks.
For example, notice that the Core Networking feature is allowed on both private and public networks, while
the File and Printer Sharing is only allowed on private networks. We can also see the details of the items in the
list by selecting it and then clicking the Details button.
Figure 58 - Details
If we have a program on our computer that is not in this list, we can manually add it by clicking on the "Allow
another program" button.
40
www.utilizewindows.com
Networking
Working with Windows Firewall in Windows 7
Here we have to browse to the executable of our program and then click the Add button. Notice that we can
also choose location types on which this program will be allowed to communicate by clicking on the "Network
location types" button.
Many applications will automatically configure proper exceptions in Windows Firewall when we run them. For
example, if we enable streaming from Media Player, it will automatically configure firewall settings to allow
streaming. The same thing is if we enable Remote Desktop feature from the system properties window. By
enabling Remote Desktop feature we actually create an exception in Windows Firewall.
41
www.utilizewindows.com
Networking
Working with Windows Firewall in Windows 7
Windows Firewall can be turned off completely. To do that we can select the "Turn Windows Firewall on or
off" option from the menu on the left.
Note that we can modify settings for each type of network location (private or public). Interesting thing here is
that we can block all incoming connections, including those in the list of allowed programs.
Windows Firewall is actually a Windows service. As you know, services can be stopped and started. If the
Windows Firewall service is stopped, the Windows Firewall will not work.
In our case the service is running. If we stop it, we will get a warning that we should turn on our Windows
Firewall.
Figure 63 - Warning
Remember that with Windows Firewall we can only configure basic firewall settings, and this is enough for
most day-to-day users. However, we can't configure exceptions based on ports in Windows Firewall any more.
For that we have to use Windows Firewall with Advanced Security, which will be covered in another article.
42
www.utilizewindows.com
Networking
Configuring Windows Firewall with Advanced Security in Windows 7
43
www.utilizewindows.com
Networking
Configuring Windows Firewall with Advanced Security in Windows 7
Once we open WFAS we will see a list of rules. Rules are divided to the Inbound, Outbound and Connection
Security rules. Notice that there is a lot of predefined rules that we can use. Some of them are enabled, and
some of them are disabled. Each rule can be disabled/enabled for the different network profile (domain,
private, public). We can also see the application that the rule relates to, the action, the protocol that is used,
local and remote address, the local and remote port, allowed users and allowed computers.
Figure 65 - Rules
To restrict access to our computer we would edit the Inbound rules. To restrict users to access remote
resources, we would go to the Outbound rules section. This is what we will do in this example. For the purpose
of this demo we will block users on our local computer to access the www.utilizewindows.com site. So, to add
a new rule, we can right-click on the Outbound rules section, all click on the New Rule option from the menu
on the right side of the window.
44
www.utilizewindows.com
Networking
Configuring Windows Firewall with Advanced Security in Windows 7
On the first screen we can choose to create rules based on programs, ports or use a predefined rule. We can
also create a custom rule, which we will do in our example.
On the next screen we can specify if this rule applies to all programs or only to a specific program. For
example, here we could choose only specific Web Browsers. We could also apply this rule to specific services
only. For the purpose of this demo we will choose the "All programs" option and click Next.
Figure 68 - Programs
On the next screen we have to choose the right protocols and ports. For this, you have to know about different
networking protocols and their specific ports. For example, to access web sites our Web Browsers use HTTP
protocol. HTTP protocol uses TCP transport layer protocol, on port 80 by default. When configuring the
Outbound rule, it is more important to configure the Remote port. The local port is actually auto-generated
when the connection gets established, and it is used as a return path. Because of that, we don't have to enter it
here. The remote port is the port we are connecting to. For the remote port we will use the specific port 80.
45
www.utilizewindows.com
Networking
Configuring Windows Firewall with Advanced Security in Windows 7
Figure 69 - Protocols
On the next screen we have to choose the IP addresses that this rule applies to. For the local IP address we can
choose the "Any IP address" option or choose to enter specific IP address. In this case this is not important
since this rule will only be applied to the local machine. However, if we were to configure this rule trough
Group Policy and push it down to our machines, we would then have to specify the specific IP addresses that
this rule should be applied to.
Figure 70 - IP Address
46
www.utilizewindows.com
Networking
Configuring Windows Firewall with Advanced Security in Windows 7
If we click on the Customize button we can also select which interfaces this rule applies to. By default it will be
applied to all interfaces, but we can choose to only apply it to wired or wireless interfaces, or to remote access
sessions.
The important thing to configure is the remote IP addresses to which this rule applies to. So, we have to know
the IP address of the www.utilizewindows.com site. To get the IP address we will try and PING it in the
command line.
Figure 72 - Ping
We got the reply and now we know that the IP address is 192.232.223.73. Let's click on the Add button and
enter the IP address.
47
www.utilizewindows.com
Networking
Configuring Windows Firewall with Advanced Security in Windows 7
Notice that in this window we can also enter the whole subnet, the range of IP addresses, or some predefined
set of computers (WINS servers, DHCP servers, DNS servers, or local subnet computers. When we click OK,
our screen now looks like this.
48
www.utilizewindows.com
Networking
Configuring Windows Firewall with Advanced Security in Windows 7
On the next screen we choose the action we want to be performed for this rule. In our case we will block the
connection.
Figure 75 - Action
On the next screen we have to choose the network profile that this rule applies to. The default is all profiles.
Figure 76 - Profile
On the next screen we enter the name of our rule and a brief description.
Figure 77 - Name
When we click Finish, we will see our new rule in the list.
49
www.utilizewindows.com
Networking
Configuring Windows Firewall with Advanced Security in Windows 7
When we try to browse to the www.utilizewindows.com now, we will see something like this.
Bigger organizations often use multiple IP addresses assigned to multiple servers which all serve the same web
site. For example, facebook.com uses several ranges of IP addresses, and in order to block facebook.com we
have to enter all those IP addresses (or ranges) in our outbound firewall rule in order to block access to
Facebook, for example.
50
www.utilizewindows.com
Networking
Configuring BranchCache in Windows 7
Prerequisites
Remember, before we can use BranchCache feature on our local computer, we have to have a BranchCache
enabled server. This means that the BranchCache feature has to be installed on the server. This can be done by
using the Add Features Wizard.
Also, we have to go to the properties of shared folder on the server, go to the Sharing tab, click on the
Advanced Sharing button, and then click on the Caching button. We will see a window like this.
51
www.utilizewindows.com
Networking
Configuring BranchCache in Windows 7
Keep in mind that if we configure BranchCache in Group Policy, we have to manually configure Windows
Firewall with Advanced Security settings. This includes Inbound and Outbound rules.
52
www.utilizewindows.com
Networking
Configuring BranchCache in Windows 7
If we configure BranchCache from the command line, firewall rules will be automatically enabled for us.
Notice that the firewall rules are enabled, and service start type is set to manual (which is the right type). To
check the status of BranchCache on computer we can enter the "netsh branchcache show status".
We can also configure the cache size. For example, if we want to set the cache size to 10% of our disk space,
we would enter the command "netsh branchcache set cachesize size=10 percent=true".
53
www.utilizewindows.com
Networking
Configuring BranchCache in Windows 7
To see the local cache usage we can enter the "netsh branchcache show localcache".
Notice that here we can also see the location of the cache.
54
www.utilizewindows.com
Networking
Creating a VPN Connection in Windows 7
55
www.utilizewindows.com
Networking
Creating a VPN Connection in Windows 7
On the next screen we will select the "Use my Internet connection (VPN)".
On the next screen we have to enter the IP address of the VPN server (or the host name which points to that
IP address). Here we can also choose the name of the connection, and if we want to use a smart cart to
authenticate, if we want to allow other people to use this connection.
Figure 92 - IP Address
56
www.utilizewindows.com
Networking
Creating a VPN Connection in Windows 7
Figure 93 - Credentials
If everything was entered correctly, we should be able to connect to the VPN server now. When we do that, we
will be able to access resources on the remote network.
We can always change properties of our VPN connection. To do that, simply right click it and select the
Properties option.
Figure 94 - Properties
57
www.utilizewindows.com
Networking
Creating a VPN Connection in Windows 7
On the Options tab we can set dialing options, as well as redialing options (rediail attempts, etc.). On the
Security tab we can select the type of VPN and data encryption options.
If we use IKEv2, our system will have the ability to reconnect automatically. However, if we select the
Automatic type, the strongest available type of VPN will be used. On the Networking tab we can choose the
version of IP protocol that is to be used (IPv4 or IPv6), and if we'll allow file and printer sharing over the VPN
connection. On the Sharing tab we can specify if we want to allow other users to connect trough this
connection. So, we can use Internet Connection Sharing feature to share a VPN connection.
58
www.utilizewindows.com
Networking
DirectAccess Feature in Windows 7
What is DirectAccess
DirectAccess is an always on connection to our remote private network, regardless of where we are. Starting
from Windows 7 and Windows Server 2008 R2, we can use DirectAccess feature. DirectAccess in Windows 7
uses IPv6 with IPsec VPN connection which is always on. DirectAccess is different from a VPN protocol.
DirectAccess connection process doesn't require user intervention or logon (it is automatic) in contrast to a
VPN solution. It starts from the moment we connect to the Internet and allows authorized users to access
corporate network file server and intranet web sites.
Since DirectAccess is automatic, we will always have access to the remote (corporate) intranet, regardless of
where we are. DirectAccess is bidirectional, which means that servers on corporate network can access remote
clients in the same fashion as if they were connected to the local network. In many VPN solutions, the client
can access the server, but the server can't access the remote client.
DirectAccess provides administrators the ability to control resources that are available to remote users and
computers. Administrators can ensure that remote clients remain up to date with antivirus definitions and
software updates. They can also apply security policies to isolate servers and hosts. Remote DirectAccess
clients can still receive software and group policy updates from the sever on the corporate network, even if the
user hasn't logged on. This allows administrators to manage and maintain remote computers like never
before. DirectAccess reduces unnecessary traffic on the corporate network by not sending traffic that is headed
for the Internet to the DirectAccess server. Intranet communications are encrypted and sent to the
DirectAccess server, and then on to the intranet. Internet communications are sent directly to the Internet
hosts without encryption and without going through the DirectAccess server.
59
www.utilizewindows.com
Networking
DirectAccess Feature in Windows 7
the other hand, organizations can use full enterprise network access where the IPsec session is established
between a DirectAccess client and the server.
www.utilizewindows.com
Networking
DirectAccess Feature in Windows 7
When we first configure DirectAccess on a server, it creates a Group Policy Object (GPO) at the domain level
and filters it for us for that specified security group that we create during the installation process. Only clients
that are members of that group get DirectAccess policies and will be able to connect to the DirectAccess
server. Through this Group Policy we can configure settings such as 6-to-4 relay server name, the IP-HTTPS
server to connect to if all other connection methods fail, and weather the Teredo is used for DirectAccess and
the Teredo server address.
We can also configure the DirectAccess from the command line using the netsh command. Have in mind that
all configurations made manually with the netsh utility will be overwritten by corresponding Group Policy
settings.
To determine if the client has made a successful DirectAccess connection, we can connect on the network
connection icon in the system tray. This will open a status of our connection which will say "Internet and
Corporate" access. In that case we know that we have successfully connected to the DirectAccess server. If the
status is "Local and Internet", we know that there is no connection to the DirectAccess server.
As we know, DirectAccess clients use certificate for authentication. If a computer doesn't have a valid
computer certificate, which should be received from ADCS, it can't connect successfully. We can verify client
certificate using the certificate snap-in.
61
www.utilizewindows.com
Deployment
Preparing for Windows 7 Image Capture
Deployment
Preparing for Windows 7 Image Capture
Before you start
Objectives: learn what you have to do before you can capture and deploy Windows 7 images
Prerequisites: you have to understand what is automated Windows installation, what is Windows
SIM and what is Sysprep.
Key terms: image, winpe, waik, imagex, capture, reference, installation, deployment
Note that you should not install WAIK on the reference computer. You should install WAIK on the
Technician computer (the one on which you work as an administrator). Reference computer should be
configured for end users. When the installation is complete we can run the Deployment Tools Command
62
www.utilizewindows.com
Deployment
Preparing for Windows 7 Image Capture
Prompt. To do that go to Start > All Programs > Microsoft Windows AIK > Deployment Tools
Command Prompt.
Creating WinPE
Now that we have WAIK installed and a reference computer prepared, we have to create a WinPE CD. WinPE
is contained in WAIK, but we have to create WinPE CD or DVD by running the 'copype' command within the
PETools folder. Once the WinPE files and folders are created we can use the 'oscdimg' utility, which is also
part of the WAIK, to create ISO image from the created WinPE files and folders. Then we can use that ISO
image to burn a bootable DVD and boot from it. Our WinPE has to contain ImageX tool which we will use to
capture and deploy Windows images. ImageX stores the image in the Windows Image file format (.wim
format). To see how to prepare WinPE read the article Create WinPE Using WAIK for Windows 7.
www.utilizewindows.com
Deployment
Preparing for Windows 7 Image Capture
make that VHD bootable. To an example on how to capture Windows 7 installation read the article Windows 7
Image Capture Demonstration
Excluding Files
We can also exclude certain files and folders from being captured. We can do that using configuration files. The
'Wimscript.ini' file is the configuration file that ImageX will use. Withing a 'Wimscript.ini' file we have three
sections of configuration. Those sections are:
ExclusionList
ExclusionException
CompressionExclusionList
The ExclusionList section allows us to define what files and folders are to be excluded from the capture. The
ExclusionException section allows us to override the default exclusion list during the capture process. The
CompressionExclusionList allows us to define files, folders and file types that we want to exclude during the
compression process. ImageX will look for the 'Wimscript.ini' within the same folder that stores the ImageX
tool. Example of Wimscript.ini:
[ExclusionList]
ntfs.log
hiberfil.sys
pagefile.sys
"System Volume Information"
RECYCLER
Windows\CSC
[CompressionExclusionList]
*.mp3
*.zip
*.cab
\WINDOWS\inf\*.pnf
As we see in our example, our wimscript.ini has ExclusionList section. In that section we defined what files and
folders are to be excluded during the ImageX process. We also defined what files, folders and types of files are
to be excluded from compression process. In addition to manually creating an image, ImageX can help us
modify an image without extracting it and also to deploy the captured image to a target computer.
64
www.utilizewindows.com
Deployment
Preparing for Windows 7 Image Capture
65
www.utilizewindows.com
Deployment
Mounting and Unmounting Windows 7 Image Using ImageX and DISM
Image Location
We have our DVD in our DVD drive, so let's find our image. We will browse to the [DVD
Drive]:\sources folder. There we can find 'install.wim' image.
Install.wim, which is a Windows image file, stores all five Windows 7 edition (we can see them below the
install.wim image). Because of Single Instance Storage, if some file is common between all five of those
editions, the wim file will only store one copy of that file. That's why our image is only 2,1 GB in size for all
editions of Windows 7.
Now, we will copy install.wim image from the DVD to our hard drive, to the C:\images folder in our case.
We will also create new folder inside of C:\images folder, which we will use to mount our image. We will call it
'mount'. The content of C:\images folder now looks like this:
66
www.utilizewindows.com
Deployment
Mounting and Unmounting Windows 7 Image Using ImageX and DISM
Remember, in order to use ImageX and DISM we have to have Windows 7 Automated Installation Kit
(WAIK) installed on our computer. Next, what we need to do is run the Deployment Tools Command
Prompt from the Start Menu > Microsoft Windows AIK. We will make sure to open it with elevated
privileges (right-click, Run as administrator).
As we can see, we get a report in xml format. At the top we can see image GUID, number of images,
compression, etc. Below we can see Available Image Choices. This portion is important because here we see
which index number belongs to which edition of Windows. So, for example in our case, we see that Image
67
www.utilizewindows.com
Deployment
Mounting and Unmounting Windows 7 Image Using ImageX and DISM
Index '5' belongs to the Windows 7 Ultimate edition. Another example is Home Premium which has index
number 3.
When we mount an image, we have to designate which image edition we want to mount. We will do that using
particular Index Number. Let's try that now. We will mount our image using the /mountrw parameter. We use
/mountrw so we can read as well as write to that image (mount rw, read-write). If we only want to read the
image, we would use the /mount parameter. So, the whole command is: imagex /mountrw
c:\images\install.wim 5 c:\images\mount.
68
www.utilizewindows.com
Deployment
Mounting and Unmounting Windows 7 Image Using ImageX and DISM
The c:\images\install.wim is the image we are mounting. Number 5 is the index number and it determines
that we want to mount the Windows 7 Ultimate edition. C:\images\mount is the folder which we use to
mount our image.
Remember, we don't have to use the image from the DVD. We could also use some image that we prepared
ourselves. Now, when we mount our image, the content from the wim image (install.wim in our case) is
extracted and copied to our mount folder (C:\images\mount in our case). When the mount is complete, we
can go to that folder and browse for files.
Remember, wim image stores files inside the image trough a file-based mechanism instead of sector based
mechanism. That means that we can easily access the content of the wim file once it is extracted using ImageX
or DISM, and also work with it as we like. We can copy files from it, add new files, install new drivers, enable
or disable features and language packs. All files that we see in the mount folder will be copied to our hard drive
when the actual installation happens. Let's see the Users folder.
69
www.utilizewindows.com
Deployment
Mounting and Unmounting Windows 7 Image Using ImageX and DISM
We can add new folders and files to that image. Just for demonstration we will add new folder named 'info' and
a text file named 'Read me' inside of the mount folder. We can create our text file somewhere else on our
computer and copy it to the mount folder. We have to have administrative privileges to copy our text file to the
mount folder.
So, we are actually making changes to our image as if we are sitting on the machine with the loaded Windows 7
Ultimate. We have access to all files.
Unmounting
After we have made all changes we will unmount our image. When we unmount our image with ImageX, we
have a choice of either committing the changes (saving the changes that we made in the wim image), or
discarding all changes. If we run the unmount command without the /commit parameter, the changes we
made will not be saved.
70
www.utilizewindows.com
Deployment
Mounting and Unmounting Windows 7 Image Using ImageX and DISM
To unmount our image and save all changes we will enter the following command: imagex /unmount
c:\images\mount /commit. Also, we should exit the mount folder in Explorer before we unmount our
image.
In our command we use the /unmount parameter to unmount our image. We had to specify the location of
our mounted image, which is in our case C:\images\mount folder. Also we use the /commit parameter to
save all changes that we made to our image. Also notice that we got an error but we don't actually have to
worry about that in this case. This error happened because we had our mount folder opened in Explorer when
we were unmounting our image.
71
www.utilizewindows.com
Deployment
Mounting and Unmounting Windows 7 Image Using ImageX and DISM
Notice that we got an error. The specified image is already mounted for read/write access. This means that the
image somehow is still mounted. We can try and unmount our image again using ImageX tool, but this time
without the /commit parameter. If we used DISM to mount our image we should try and unmount our image,
without committing changes. Also, to recover from this error we can try and use the imagex
/cleanup command to delete all resources associated with mounted wim image that has been abandoned. If
that doesn't work we can also try and run dism /cleanup-wim command. If that doesn't work, we can try and
restart our machine. If that doesn't work we can try and use another mount folder. If that does not work, we
have to clear all our temporary directories, and also in Registry browse to
"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WIMMount\Mounted Images" and delete any keys
below this.
Errors can occur because of various reasons, like corrupt drivers, viruses, etc. We should always have a backup
of our image, because our images could get corrupt when we are working with it.
Now let's try to mount our image using DISM again. This time everything works as expected.
72
www.utilizewindows.com
Deployment
Mounting and Unmounting Windows 7 Image Using ImageX and DISM
Once the mounting is complete let's verify that the changes we made are still there. Let's browse to our mount
folder.
As we can see on the picture, our 'info' folder and 'Read me' text file are there. Now, DISM gives us a bit more
options. We can use DISM with the /get-mountedwiminfo parameter to see all mounted images.
73
www.utilizewindows.com
Deployment
Mounting and Unmounting Windows 7 Image Using ImageX and DISM
If we had more than one image mounted we would see them all. We can also use DISM to check the edition of
the mounted image. To do that we would enter the command: dism /image:c:\images\mount /getcurrentedition. The /image parameter specifies the mounted image we want to check, and /getcurrentedition is used to check mounted edition.
Notice that the current edition is Ultimate. We can also use the /get-drivers parameter to see any installed
third-party drivers in the mounted image.
In our case there is only one third-party driver in the driver store. Using DISM we can add drivers or even
remove drivers from the image. Next, we can also use the /get-features parameter.
74
www.utilizewindows.com
Deployment
Mounting and Unmounting Windows 7 Image Using ImageX and DISM
Using /get-features parameter we can view all available features on the edition of Windows that has been
mounted. We can see the feature name and the status (enabled or disabled).
Unmounting
Once we are done working with the image, we can unmount our image using the /unmount-wim parameter.
We have to specify the mount directory with the /mountdir: parameter. Also, we can use either
the /commit parameter (which will save the changes that we made to our image), or use
the /discard parameter if we don't want to save our changes. In our case we will not save any changes. The
command is: dism /unmount-wim /mountdir:c:\images\mount /discard. We should exit the mount
folder before we unmount it.
Image was unmounted, changes were discarded and files were closed.
75
www.utilizewindows.com
Deployment
Creating WinPE Using WAIK for Windows 7
76
www.utilizewindows.com
Deployment
Creating WinPE Using WAIK for Windows 7
Once the files are copied we are automatically transferred to the c:\wpe folder. Let's see the content of that
folder using the 'dir' command.
In our C:\wpe folder we see that we have ISO folder, which is the folder that we will burn to an image. Also
we have default winpe.wimfile, and we have etfsboot.com file (which is boot manager).
The next step is to open wimpe.wim image file and copy files that we want into that image. The main thing
that we want to copy to winpe.wim is the ImageX tool. To do that we will open second command prompt
with elevated privileges (right-click CMD, then select 'Run as administrator'). In that second CMD we will go to
the 'c:\program files\windows aik\tools\' folder. Use the 'dir' command to check the content of that
folder. What we need to do next is use the ImageX command to mount the c:\wpe folder. Before we do that
we have to create a folder to mount it to. In our case we will create c:\wpem folder.
ImageX for 32bit systems is located in the 'x86' folder, so we will open it. Next, we will use ImageX command
with /mountrw switch. /mountrw will make our mount readable and writable. We will also choose
our winpe.wim file, boot the first installation in it (option 1), and choose our output folder (c:\wpem). The
final command looks like this: 'imagex /mountrw c:\wpe\winpe.wim 1 c:\wpem'.
77
www.utilizewindows.com
Deployment
Creating WinPE Using WAIK for Windows 7
The content from the c:\wpe folder was mounted to the c:\wpem folder. When the mount is complete we
can browse to the c:\wpem folder and see the content of the image.
Now we have to copy ImageX from the 'C:\Program Files\Windows AIK\Tools\x86' folder to our
'c:\wpem' folder.
Now we can unmount the image and commit changes. Remember that we can also copy other data, tools,
drivers or anything else that we want to have available once we boot up with that WinPE image. To unmount
the image let's go to the command prompt and run the following command: 'imagex /unmount /commit
c:\wpem'.
78
www.utilizewindows.com
Deployment
Creating WinPE Using WAIK for Windows 7
What really happened is that the content of the c:\wpem folder (mount) was saved to the windows image.
Image was then unmounted and saved to the winpe.wim file.
Next, we are going to copy c:\wpe\winpe.wim file to the c:\wpe\ISO\sources folder and change the name
to boot.wim. We can do this using Windows Explorer. The 'sources' folder of every Windows 7 installation
contains two important files: install.wim and boot.wim. The boot.wim is for booting the DVD and starting
the installation. Install.wim stores the actuall installation files. At this poing we can create ISO image from our
prepared folder. The WAIK has a tool called oscdimg (Operating System CD Image) creator which we can
use to create ISO images from data on our hard drive. Let's go back to Deployment Tools Command Prompt
and run the oscdimg command. We will specify -n for long file names, specify the source folder,
specify destination file, and also specify the boot files which will be included in the boot sector (-b), so that
our image will be bootable. The whole command is: 'oscdimg -n c:\wpe\iso c:\wpe\winpe.iso b"c:\wpe\etfsboot.com'.
Once the ISO image is complete we can burn it to a CD or DVD, which we can then use to boot our
computer from.
79
www.utilizewindows.com
Deployment
Windows 7 Image Capture Demonstration
Enter System Out Of Box Experience (OOBE) (from the System Cleanup Action list)
Click OK
Runnin WinPE
Our referenced computer is now prepared and turned off. Now we need to boot that computer using WInPE
CD which we created earlier. WinPE runs from the command line. It boots the system with a limited version
of Windows 7, which provides disk access and limited networking support. It has two different architectures: a
32-bit version and a 64-bit version. The version must match the intended installation version of Windows 7.
Once we enter WinPE we can go to the root folder so that we can run ImageX which we copied earlier.
80
www.utilizewindows.com
Deployment
Windows 7 Image Capture Demonstration
In WinPE we have access to our network. This is great because we can transfer images to the shared folder on
our network. In our case we have a shared folder named 'shared-images' on computer named 'nx7300'. We will
map a network drive to our shared folder using a net use command: 'net use z: \\nx7300\shared-images'.
Our shared folder is password protected, so we have to provide our credentials. Notice that we had to provide
the computer name in front of our user name. If we had a domain account, we would provide a domain name
instead of computer name.
The shared folder is now mounted as our Z drive. Before we use ImageX command we have to see on which
partition our Windows 7 installation is on. To do that we can use diskpart command.
81
www.utilizewindows.com
Deployment
Windows 7 Image Capture Demonstration
In our case we only have one disk. Let's select it and list partitions on that disk. To select it enter the 'select
disk 0' command.
We do that because we might have multiple disks with multiple boot partitions. We have to capture the proper
image. In our case we only have one partition. In Windows 7, if we use BitLocker, we will always have at least
two partitions when looking disks with diskpart. The first partition, size of 100MB would be BitLocker
partition. Letters for partitions in WinPE can be different from those in regular Windows 7. While running
Windows PE on a machine with BitLocker, the first logical partition is already used as drive C: (i.e., Partition 1)
and does not contain the reference computer's Windows 7 installation. We can always check the content of our
partitions.
82
www.utilizewindows.com
Deployment
Windows 7 Image Capture Demonstration
Let's go back to our WinPE disk (x: drive) and run the ImageX command to capture our Windows 7 image.
ImageX is a command line tool that creates an image from a reference computer. We will use the command
'imagex /capture c: z:\win7.wim "Win7 Image" /compress fast /verify'. The /capture means that we
are capturing Windows image, c: is the drive we are capturing, z:\win7.wim will be the exported file on the z:
drive that we mapped to, "Win7 Image" will be the image name, /compress fast will perform fast
compression, and we will also verify the image (/verify switch).
83
www.utilizewindows.com
Deployment
Windows 7 Image Capture Demonstration
ImageX will first scan all files that are on our C: partition and then create an image out of all that files. Once
the process is complete we will have win7.wim file which we can deploy to other computers, or which we can
use to perform recovery if our computer brakes down. If we intend to transfer that image to different
computer, we must run Sysprep on the reference computer before we capture the image.
84
www.utilizewindows.com
Deployment
Windows 7 Image Deployment Demonstration
85
www.utilizewindows.com
Deployment
Windows 7 Image Deployment Demonstration
Notice that in our case we have one disk available, Disk 0. Let's select it by entering 'select disk 0' command.
Then we are going to clean it by entering the 'clean' command. Next, we are going to create new 100 MB
partition for BitLocker by entering the 'create partition primary size=100' command.
Next, we will select that newly created partition using the 'select partition 1' command, format it using the
NTFS file system with the 'format fs=ntfs label="BitLocker"' command and assign a drive letter C to it
using the 'assignt letter=c' command.
86
www.utilizewindows.com
Deployment
Windows 7 Image Deployment Demonstration
This partition will not be visible once we log on to our Windows 7. Letters assigned to partitions in Windows
can be different from those assigned in Diskpart.
Next, let's create second partition that will hold our Windows 7 system. We will enter the 'create partition
primary' command. Notice that we did not specify the size of the partition so diskpart will use all the
remaining space for our partition. After the creation we can check our partitions using 'list parition' command.
Notice that now we have second partition which is 39 GB in size. Next, we will select that new partition,
format it using NTFS, assign a drive letter to it and make it active. After that we can exit Diskpart.
87
www.utilizewindows.com
Deployment
Windows 7 Image Deployment Demonstration
88
www.utilizewindows.com
Deployment
Windows 7 Image Deployment Demonstration
Notice that we have win7.wim file available here. That is the Windows 7 image that we created earlier
ourselves in our case.
When this process is finished we need to configure our partition so that it can be used to start the computer.
To do that we will use a command line tool called BCDBoot which is available
in [drive]:\windows\system32\ folder. BCDBoot copies the necessary boot loader files to the partition.
These files are the BOOTMGR program, which is responsible for locating available operating system
installations and starting the operating system, and the Boot Configuration Data (BCD) store, which is a
database that identifies possible operating systems and their locations on disk. The BCD store contains BCD
entries, with each entry identifying a separate installation instance. The BCD store in Windows 7 and Vista is
89
www.utilizewindows.com
Deployment
Windows 7 Image Deployment Demonstration
similar to the Boot.ini file in previous Windows versions. In our case the command will be
'd:\windows\system32\bcdboot d:\windows'.
90
www.utilizewindows.com
Deployment
Managing Existing Windows 7 Images
Facts
Image servicing begins by mounting a previously captured image, which makes the contents of the image
accessible to be viewed or modified. Mounting an image does not start the operating system in the file.
Mounting an image as read-only lets us view the image, but not make changes. To save changes made to a
mounted image back to the original image, we must commit the changes before dismounting the image. An
online image is the operating system currently running on a computer; whereas, an offline image is a WIM file.
DISM Tool
Imagine how much time would it take us to deploy the the existing image to the computer, make necessary
changes and recapture the new image... To overcome this problem we need a method to update and service our
images offline and without booting them up. Windows 7 introduces a Deployment Image Servicing and
Management (DISM) tool. DISM is a command line tool which is used to manage existing Windows images.
DISM is part of the Windows Automated Installation Kit (Windows AIK). We can use DISM to install
updates, drivers and language packs, to enable or disable Windows features, to perform intra-edition upgrades,
and to customize international settings. With DSIM we can service different platform types, such as 32bit and
64bit. That means that we can service a 64bit image on a 32bit computer. In addition to servicing offline
images, the DISM tool can work with the installation image that is currently online (running Windows). When
we work with an online image, we generally gather information rather than make changes to the image. Any
option used on the online image can be used with the offline image as well. However, not all 'get' options are
available on the online image (for example, get-apps). If we run get-apps on the offline image, we will get info
on all MSI applications on the image. With this tool we can only service existing system images. We cannot
capture a new image. DISM is backwards compatible with older tools in the Windows Vista Automated Installation Toolkit.
Additionally, DISM works with limited functionality on a Windows Vista SP1 image.
Mounting Images
Before we can service existing image with DISM, we have to mount or apply the image. The DISM /mountwim option mounts the wim file to the directory specified by the mount directory option. If there is more than
one image in the wim file we can use the index option to specify which one we want to mount. We can also
mount an image as read-only by using the /readonly parameter.
91
www.utilizewindows.com
Deployment
Managing Existing Windows 7 Images
In addition to using DISM, we can use ImageX to mount and unmount images as well. We can use the /mount
option with ImageX to mount image in read-only format to a specified folder. If our wim file has more than
one image we can use the index number of the image to mount that specific image. If we also want to be able
to write to that image we can mount our image using the /mountrw option. Once we have mounted our image
using ImageX and we're done working with it, we can use the /unmount option which will unmount the image
from the specified folder. We can also use the /info option to display information of our wim file with the use
of ImageX. With the use of ImageX and DISM we can take our existing images and update, manipulate and
continue to maintain them without the need of re-creating new images from scratch.
We have a separate article which describes mounting images using ImageX or DISM tool in detail: Mount and
Unmount Windows 7 Image Using ImageX and DISM.
Drivers
We can gather information on existing drivers on the image. We can also add new drivers or remove existing
ones. DISM can only manage drivers in a form of INF files. DISM does not support drivers in the form of
MSI packages or EXE files. It is recommended to place our drivers in a convenient location and properly name
the folders to easier identify them.
DISM has the capability to add a single driver using the /add-driver parameter, and by specifying exact file
name. We can also add multiple drivers by specifying the folder in which they are located. We can also add all
drivers in subfolders of the parent folder if we use the /recurse parameter. If we want to add drivers that are
unsigned, we can use the /forceunsigned option.
DISM can only remove third-party drivers. We can not remove default built-in drivers in a Windows 7 image.
All third party drivers are renamed in a form of OEM[number].inf, for example OEM11.inf. We can use
the /get-drivers option to find the driver we are looking for and then remove it using the /removedriver option.
Apps
With DISM we can gather information about Windows Installer or MSI applications, and application patches
(MSP files). We can only gather this information from an offline image. Online image does not support
application servicing. We can use the /get-apppatchesoption to list of the application patches in MSI
installations that are available in our image. We can also use the GUID of the application to display
information relevant to only that specific application. The /check-apppatch parameter will show us specific
information about the MSP patches installed in the offline image. We would use the /patchlocation to specify
the path of the MSP patch to gather information about specific MSP file. To gather information about all MSP
patches installed on our image we can use the /get-apppatchinfo parameter. Using the /get-appinfo and
the /productcode parameter we can gather detailed information about a specific MSI application installed on
the image. If the /productcode option is not used, the /get-appinfo returns detailed information about all MSI
92
www.utilizewindows.com
Deployment
Managing Existing Windows 7 Images
applications. The /get-appsparameter displays all MSI applications installed on the image as well as the GUID
for each of them. Then we can take advantage of the GUID option to check specific information when using
other parameters.
Have in mind that /get-apppatches and /get-apppatchinfo options only work for MSP patches. The /getappinfo and the /get-appsoptions only work for MSI installations. DISM cannot be used to obtain
information from EXE, DLL or batch files. Additionally, DISM tool cannot be used to apply and install
patches or MSI applications to an offline image. The Microsoft Deployment Toolkit (MDT 2010) can be used
instead to install applications to an offline image.
Patches
In addition to adding drivers and gathering information about installed applications, DISM can be used to
apply operating system packages and patches. One of the greatest challenges when working with images is to
keep our images updated with the latest security and operating system patches. The most straight forward way
to accomplish this is to boot the image, visit Microsoft updates, install necessary patches and recapture the
image. This method is time-consuming and requires that we 'sysprep' the system again. The easiest way to
update our images is to use DISM. The DISM package servicing options can be used with the mounted offline
image to add, remove or update windows packages provided in the cabinet (CAB) files. We can also use the
package servicing options to install, update or remove Windows update stand-alone installers or MSU files.
Features
DISM can also be used to enable or disable Windows features on both offline mounted images and online
Windows installations. Have in mind that DISM commands are not case-sensitive, however, feature or patch
names are case-sensitive.
For example, the /get-packages command will display basic information about all packages on the mounted
image. We can also use the/add-package parameter to install packages on to the system. The package must be
in a form of MSU file. We can use the /remove-package option to remove existing package from the image.
The /get-featureinfo and /enable-feature option can be used to gather information about installed features
on the image, and then enable feature on that image as well. We can use /disable-feature to remove feature
from the image.
International Settings
We can use the /get-intl which returns information about the international settings and languages on an online
image. This is the only option which can be used on the online image. We can also use other parameters such
as /set-timezone to change the time zone on offline image.
Editions
Using DISM we can list editions that are stored on an image. We can also change the current edition to a
higher edition. When we perform an intra-edition upgrade to an offline image, we do not require product key.
93
www.utilizewindows.com
Deployment
Managing Existing Windows 7 Images
We can use options such as /get-currentedition,/set-edition or /set-productkey to perform intra-edition
upgrade.
WindowsPE
In addition to the servicing options mentioned, we can also use DISM to service WindowsPE image. DISM
enables us to prepare WindowsPE image, list packages or even enable logging. We also have the ability to
associate the Unattended.XML answer file to the mounted image.
Committing Changes
After making changes to the mounted image, we must commit the changes so that they are saved to the mount
directory before dismounting the image. We can use the /commit-wim parameter to commit the changes to
the folder.
Completion
After completing our work with the mounted image, we have to commit the changes and use the /unmountwim parameter to dismount and close the image file. To commit changes we can use the /commitwim parameter, or use the /unmount-wim together with /commitparameter. This way the changes are
saved.
/mountdir - specifies the local directory in which to mount the WIM file
/index - specifies the edition if there is more than one edition within a WIM file
/remount-wim - remounts the WIM file if the mount directory is lost or orphaned
/cleanup-wim - cleans up any previously used resources from the previous mounts
94
www.utilizewindows.com
Deployment
Managing Existing Windows 7 Images
/get-mountedwiminfo - lists all the currently-mounted images and information about each image,
such as the mounted path, index, location and read/write permissions
/unmount-wim /discard - reverts all changes made since the last changes were committed and
dismounts the WIM file
We can use the following DISM command options to manage the system image drivers:
/add-driver /driver /recurse - adds all of the drivers in the directory and its subdirectories
/get-drivers /all - displays basic information about all drivers, in addition to the all out-of-box
drivers
/forceunsigned - overrides the digital signature requirements for drivers on 64-bit versions of
Windows 7
The driver path must use the driver's published name. Use /get-drivers /all to view the published name. We
cannot remove default drivers. Place your drivers in a convenient location before using DISM to update the
system image drivers. DISM does not support drivers in the form of .msi packages or .exe files. If adding
multiple drivers in the same command, the drivers are installed in the order that they are listed in the
command.
We can use the following DISM command options to manage Windows applications (.msi) and application
patches (.msp files):
/get-apppatches - displays a list of MSP files that are available on the image
/check-apppatch /patchlocation - displays information only if the MSP patches are applicable to
the offline image
/get-appinfo - displays detailed information for all the installed MSI applications
/get-apps - displays all MSI applications installed on the offline image as well as the GUID
95
www.utilizewindows.com
Deployment
Managing Existing Windows 7 Images
DISM does not retrieve information from .exe or .dll files. The DISM command does not have an /add-apps
option to install applications; use Microsoft Deployment toolkit to install applications to a previously-captured
offline image.
We can use the following dism command options to manage Windows packages provided in a cabinet (.cab) or
Windows Update Stand-alone Installer (.msu) file format:
/get-packages - displays basic information about all the packages that have been installed on the
image
/add-package /packagepath - installs a specific .cab or .msu package to the image, including:
a single .cab or .msu file, a folder containing a single expanded .cab file, a folder containing a single
.msu file and a folder containing multiple .cab or .msu files
DISM commands are not case-sensitive; however, feature names are case-sensitive. We cannot remove .msu
installations.
We can use the following DISM command options to manage international settings for an offline or online
image:
/get-intl - returns information about the international settings and languages on an online image
The Windows 7 installation media has a pre-staged package for each Windows 7 edition. This is referred to as
an edition-family image. We can use the following DISM command options to manage and configure the
Windows editions on an offline or online image:
/set-productkey - enters the product key for the current edition in an offline Windows image after
you change an offline Windows image to a higher edition.
96
www.utilizewindows.com
Deployment
Managing Existing Windows 7 Images
The following options revert all pending actions from the previous servicing operations because the actions
might be the cause of a boot failure:
/cleanup-image
/revertpendingactions
/mount - mounts a Read-Only version of the image file to the specified directory
/export - deletes unnecessary resources from the image file, reducing its size
/append - appends files to the image. Appended image files must use the same compression type as
the initial capture
Examples
We have an article on how to service existing images and on how to apply updates to existing image, so be sure
to check them out if you want to see a demo on how to work with images using DISM.
97
www.utilizewindows.com
Deployment
Servicing Windows 7 Image Using DISM
Image
For the purpose of this demo, we will be working on image which we will get from the Windows 7 installation
DVD. In our case we have copied install.wim image from the Windows 7 installation DVD ([DVD
drive]:\sources\install.wim) to the C:\images\ folder. In that folder we have also created the 'mount'
folder which we will use to mount our image.
Next we need to open Deployment Tools Command Prompt with elevated privileges. To do that go to Start >
All Programs > Microsoft Windows AIK > Deployment Tools Command Prompt (Deployment Tools
Command Prompt comes with WAIK for Windows 7).
Mounting
Next we will mount our image. To do that we will enter the following command: dism /mount-wim
/wimfile:c:\images\install.wim /index:5 /mountdir:c:\images\mount. 'DISM' means that we are using
DISM to mount our image. /mount-wim parameter means that we want to mount existing image.
With /wimfile parameter we specify the location of our image. With /index parameter we specify which
edition we want to mount (Ultimate in our case). With /mountdir parameter we specify where do we want to
mount our image.
98
www.utilizewindows.com
Deployment
Servicing Windows 7 Image Using DISM
Different editions of Windows will have different features available. Among other things we have a feature that
is called Minesweeper. This is a game that is available for free in Windows and it is currently enabled. Let's
gather more information about that feature. We will use the following command: dism
/image:c:\images\mount /get-featureinfo /featurename:Minesweeper. Remember that feature names
are case-sensitive.
99
www.utilizewindows.com
Deployment
Servicing Windows 7 Image Using DISM
Now we will disable that feature. To do that we will enter the following command: dism
/image:c:\images\mount /disable-feature /featurename:Minesweeper.
If we want to enable some feature we can use the /enable-feature option. In our case Minesweeper is disabled
on our mounted image so it will not be available by default once we install our Windows 7 Ultimate edition.
We can run the dism /image:c:\images\mount /get-features command to check for available features
again. Notice that the status of the Minesweeper feature is now 'Disable Pending'.
100
www.utilizewindows.com
Deployment
Servicing Windows 7 Image Using DISM
101
www.utilizewindows.com
Deployment
Servicing Windows 7 Image Using DISM
Adding Drivers
We have added a new folder called 'addons' to the C:\images\ folder. Here we have copied the driver that we
want to add to the image driver store. In our case we want to add drivers for Samsung ML1640 printer.
To add our driver we will run the following command: dism /image:c:\images\mount /adddriver:"C:\images\addons\SamsungML1640\ssp2m.inf". Notice when specifying the path to our drivers,
we also specified the Setup Information file (.inf extension). In our case that file is ssp2m.inf.
102
www.utilizewindows.com
Deployment
Servicing Windows 7 Image Using DISM
Driver content has been copied to the driver store successfully. If we enter the command dism
/image:c:\images\mount /get-drivers, we can see all third party drivers installed in our image.
Notice that our new driver now has a published name: oem1.inf. Below that we can see the original file name
(sspm.inf), class name (Printer), provider name (Samsung), date and version.
Unmounting Image
We have made all changes that we wanted so we are ready to unmount our image. To do that we will enter the
following command: dism /unmount-wim /mountdir:c:\images\mount /commit. Be sure to exit folder
that is used for mounting in Explorer.
103
www.utilizewindows.com
Deployment
Servicing Windows 7 Image Using DISM
Notice the /commit parameter. It is used to save all changes that we made to our image. If we don't want to
save changes can use the/discard parameter.
104
www.utilizewindows.com
Deployment
Applying Updates to Windows 7 Image Using DISM
Image
In our case we will be working on the default Windows 7 image that we have copied from Windows 7 DVD,
called install.wim. It is located in the [DVD drive]:\sources\ folder, and we will copy it to
our c:\images\ folder. We also have c:\images\mount\ folder which we will use to mount our image. We
have also installed The Windows Automated Installation Kit (WAIK) for Windows 7. This is necessary because
we need to use the DISM command line tool. So, the first thing we will do is run Deployment Tools
Command Prompt with elevated privileges. To do that go to Start > All Programs > Microsoft Windows
AIK > Deployment Tools Command Prompt (right-click > Run as administrator).
Mounting Image
We have to mount our install.wim image so we can work on it in offline mode. To mount our image we will
use the follwing command:dism /mount-wim /wimfile:c:\images\install.wim /index:4
/mountdir:c:\images\mount.
Current Packages
When the mounting is complete, we can see what packages does it currently contain. To do that we will enter
the following command (against our mounted image this time): dism /image:c:\images\mount /getpackages.
105
www.utilizewindows.com
Deployment
Applying Updates to Windows 7 Image Using DISM
The /get-packages option shows us all installed packages on our image. The benefit of using DISM is that we
can have an image which we can frequently update so we don't have to worry about that image becoming out
of date. This way, we don't have to install our image, then apply updates on live machine, and then capture the
new image. We can always work on our existing image which saves a lot of precious time.
We can only install packages which are in .cab or .msu format. In our case we will install an update package
that we downloaded from Microsoft website. We will put that file in c:\images\packages folder. The update
file in our case is Windows6.1-KB2533623-x86.msu.
Adding Packages
To add that package we will enter the following command: dism /image:c:\images\mount /add-package
/packagepath:c:\images\packages\Windows6.1-KB2533623-x86.msu. To add packages we use
the /add-package option, but we also have to specify the package path with the /packagepath parameter.
106
www.utilizewindows.com
Deployment
Applying Updates to Windows 7 Image Using DISM
We can verify that our package is installed by using the dism /image:c:\images\mount /getpackages command. Our package will be last on the list because it is the newest installed package. The status
is Install Pending because the actual installation of our package will happen when the image is being applied
to the machine.
107
www.utilizewindows.com
Deployment
Creating Virtual Hard Disk (VHD) using Disk Management in Windows 7
Disk Management
The first thing that we will do is create a VHD file. To do that we can use Disk Management tool, which is
available in Control Panel > Administrative Tools > Computer Management > Disk Management. Once in
Disk Management, we will go to Actions and select the 'Create VHD' option. When we do that we will have to
select the location where we want to store our VHD, disk size, and the format of our VHD.
In our case we will save our VHD file to the C: drive. The name of the VHD file is 'UserFiles.vhd'. The size of
our virtual disk will be 256 MB. Since our disk is so small we will select 'Fixed size' for our disk format. Fixed
size will create the VHD with the complete size of 256 MB, wile the 'Dynamically expanding' will create the
VHD with zero MB and will expand up to the 256 MB as we write information to it. When we click OK, the
Disk Management tool will attach our newly created VHD automatically.
108
www.utilizewindows.com
Deployment
Creating Virtual Hard Disk (VHD) using Disk Management in Windows 7
To initialize disk, we will right-click on Disk 1 and select the 'Initialize Disk' option.
109
www.utilizewindows.com
Deployment
Creating Virtual Hard Disk (VHD) using Disk Management in Windows 7
Now we can create new volume on our VHD and specify a drive letter. To do that we will right-click on
unallocated space on our Disk 1 and select the 'New Simple Volume' option.
The wizard will appear. The wizard will first ask us about the size of the volume. We will leave maximum size
in our case.
110
www.utilizewindows.com
Deployment
Creating Virtual Hard Disk (VHD) using Disk Management in Windows 7
Next, we will choose the file system and perform a format. In our case we will select NTFS as our file system
with default allocation unit size, volume label will be 'UserFiles', and we will perform a quick format.
Once the format is complete, we can browse to our computer and see our newly created E: drive.
Everything that we do on E: drive is actually saved in UserFiles.vhd file. If we go to the C: drive, we can see the
UserFiles.vhd file which is used as our virtual disk.
We can also detach VHDs from our computer. To do that, let's go back to Disk Management, right-click our
virtual hard disk (Disk 1 in our case) and select the 'Detach VHD' option.
111
www.utilizewindows.com
Deployment
Creating Virtual Hard Disk (VHD) using Disk Management in Windows 7
If we only want to detach the VHD, and don't want to delete the VHD file, we mustn't select the 'Delete the
virtual hard disk file after removing the disk' option. So, we have to be careful here if we want to use the VHD
file on another computer.
Video Tutorial
We also have a video tutorial on how to create and manage VHD using Disk Management.
112
www.utilizewindows.com
Deployment
Creating Virtual Hard Disk (VHD) using Diskpart in Windows 7
Running CMD
When running CMD in this case, we have to be sure that we run it with administrative privileges. To do that,
right-click on CMD, and select 'Run as administrator' option. This will give us elevated command prompt, so
we will click on Yes when we get User Account Control prompt.
From the CMD we will run diskpart. To do that, simply enter "diskpart" and hit Enter.
Once in Diskpart we will run the following command: "create vdisk file=c:\install1.vhd maximum=15000".
This command will create a virtual hard disk file on our C: drive, with the file name "install1.vhd", and
maximum disk size of 15000 MB. We could also add the "type=fixed" or "type=expandable" parameter, but
the default is "fixed" so we didn't write it.
Once the VHD creation is complete we will have a install1.vhd file on our C: drive, with 15 GB in size.
113
www.utilizewindows.com
Deployment
Creating Virtual Hard Disk (VHD) using Diskpart in Windows 7
Now we can attach our virtual disk to the system. To do that first we have to select the disk that we want to
attach. To do that we will enter the following command: "select vdisk file=c:\install1.vhd". This command
will select the install1.vhd virtual hard disk so that we can work with it.
Now that the virtual disk is selected we can run the attach command. The command is: "attach vdisk".
Let's check the details of our selected virtual disk. To do that we will enter the command: "detail vdisk".
At this point our disk is not initialized. We can't create any partitions or volumes on this disk if we don't
initialize it. To initialize the disk we will enter the command: "convert mbr". This will convert our disk to basic
disk format with the master boot record partition style.
114
www.utilizewindows.com
Deployment
Creating Virtual Hard Disk (VHD) using Diskpart in Windows 7
Now we can create a partition on the disk. To do that we will use the command: "create partition primary".
We won't specify the size, so the whole unallocated space will be used to create the partition.
Now we can format our partition. To do that we will use the command: "format fs=ntfs label="install"
quick". This command will format our partition using NTFS file system, label it as "install", and it will use
quick formatting.
That's it. We can now use our virtual disk and save files to it. Let's try to make a new directory in it. To do that
we will leave diskpart, and enter few commands.
115
www.utilizewindows.com
Deployment
Creating Virtual Hard Disk (VHD) using Diskpart in Windows 7
We can now browse to it using Windows Explorer.
We can also detach virtual disk from our system. To do that we have to go back to diskpart and determine
which virtual disk we want to detach. In our case we want to detach install.vhd disk. First we have to select that
file: "select vdisk file="c:\install1.vhd"
At this point we can detach the disk using the command: "detach vdisk"
All this can be done using Disk Management tool in Windows 7. We have a separate article in which we
show how to create virtual disk using Disk Management.
116
www.utilizewindows.com
Management
Advanced Driver Management in Windows 7
Management
Advanced Driver Management in Windows 7
Before you start
Objectives: Learn how to use Device Manager, how to edit Group Policy for drivers, and how to add Device
Paths using Registry Editor.
Prerequisites: you have to know what are drivers, you have to know what is Group Policy and you have to
know what is Registry and Registry Editor.
Key terms: device, driver, install, computer, policy, group, guid, option, windows, manager, audio
Device Manager
To open Device Manager, we cab right-click on Computer, select Manage, and then select Device Manager
from the menu on the left.
Let's try and update the drivers for the Audio Controller drive on our computer. We will right-click it, and
select "Update Driver Software" option.
117
www.utilizewindows.com
Management
Advanced Driver Management in Windows 7
On the next screen we will select "Browse my computer for driver software".
On the next screen we will select the "Let me pick from a list of device drivers on my computer" option.
118
www.utilizewindows.com
Management
Advanced Driver Management in Windows 7
By default, the only drivers that will be shown to us are the compatible drivers, but we can force it to show us
the incompatible ones as well. We do that by deselecting the "Show compatible hardware" option.
Just for the sake of this demonstration, we will try to install the "Yamaha USB Audio" driver, which was not in
the compatible hardware list.
When we click next, we will be warned that this driver might not work with our device. We will click Yes on
the warning.
Now, we already know that this driver will not work with our device, because the manufacturer of our Audio
device is not Yamaha at all. By doing this we want to show you what happens when we install some driver
which is not compatible, or which causes errors with our device. This can happen when we try to install
119
www.utilizewindows.com
Management
Advanced Driver Management in Windows 7
updated drivers for our devices, so we should know how to troubleshoot this kind of problem. When we install
a problematic driver, we will see an exclamation mark on that device in the Device Manager.
There are three ways in which we can troubleshoot this. If the problem with the driver is so serious that it
doesn't even allow us to even boot to regular environment, we can reboot our computer into Safe Mode, then
come to Device Manager and then do a Driver Rollback. When we reboot we can also try and go to Last
Known Good Configuration instead of Safe Mode. We do that by pressing F8 when we reboot. The Last
Known Good Configuration will basically go back to the old version of the driver. Keep in mind that Last
Known Good Configuration is overwritten every time we successfully boot to our computer. That means that
if we boot to our computer after we install the problematic driver, Last Known Good will be overwritten
together with that problematic driver. That's why it is important to remember when the problem happened and
if we have logged in after the problem happened. If we didn't log in, the Last Known Good Configuration will
probably help us to fix the issue.
To roll back the problematic driver we can right-click problematic device, go to its properties, go to the Driver
tab, and then click the Roll Back Driver button.
120
www.utilizewindows.com
Management
Advanced Driver Management in Windows 7
Have in mind that we can only rollback one version of the driver. Windows remembers only the previous
driver installed. When we click on the Roll Back Driver button, it will ask us to confirm our intention and give
us a little warning.
We will click Yes, and when we do that, the old driver will be restored, and our device will be working again.
121
www.utilizewindows.com
Management
Advanced Driver Management in Windows 7
The "Device class guid" identifies the drivers actual device. GUID is unique between all the different devices
installed on our computer. To get the GUID we have to have that device installed at least once on a computer.
There is no way to pull the GUID without installing the device. We will now copy that GUID by right-clicking
on it and selecting the Copy option. Now, we will open our local Group Policy editor. To open Group Policy
console, we can type "gpedit.msc" in the run menu. In Group Policy Editor we will go to Computer
Configuration > Administrative Templates > System > Driver Installation.
Here we have two settings. One is "Turn off Windows Update device driver search prompt". If we enable it,
this will remove the option that ask us if we want to check the Windows updates whenever our computer does
not have a driver. Another setting is the "Allow non-administrators to install drivers for these device setup
classes". Let's open that policy and enable it.
122
www.utilizewindows.com
Management
Advanced Driver Management in Windows 7
When we enable it, we can click on the Show button. Using the Show button we can add a GUID to the list of
classes which determines the devices which users can install without administrative privileges. We will rightclick on the Value field and select the Paste option. This GUID identifies the Audio device on our computer.
From now on, all users will be able to install drivers for that device. This is great for devices which have to be
installed on many computers in our organization. For those devices we can make sure through local Group
Policy or Active Directory environment that users are able to install them.
123
www.utilizewindows.com
Management
Advanced Driver Management in Windows 7
In Registry Editor we will go to the HKEY_LOCAL_MACHINE > SOFTWARE > Microsoft > Windows >
CurrentVersion. In the CurrentVersion we will double-click the DevicePath string.
By default, Windows only looks in the %SystemRoot%\inf location. We can add additional paths to be
searched by separating them by a semicolon. In our example we will also add a network location which
contains the drivers. The location is \\w2k8\drivers. The sub-folders in the path will also be searched.
This way we can put all the different drivers for devices in our environment up on the "drivers" share.
124
www.utilizewindows.com
Management
Staging a Driver in Windows 7
Example Procedure
In this demonstration we will see how to pre-stage a driver in driver store in Windows 7. For the purpose of
this demo we have already downloaded a Realtek AC97 WDM Driver, and put it in
the C:\drivers\realtek\Win7. To stage a driver we will use a command line utility called pnputil. We have to
open our CMD with administrative privileges. To do that, right-click CMD and then select "Run as
administrator". Let's see all switches that we can use with pnputil command.
If we run the "pnputil -e" command, we will see a list of all nonstandard drivers that are built in. These drivers
are pre-installed after the installation of Windows 7. Those drivers include drivers for printers, mice, etc.
Notice that the published name for all drivers is OEM and a unique number. We can reference particular driver
using that unique published name. Let's now add a new driver to the driver store. We will use a "pnputil -a"
125
www.utilizewindows.com
Management
Staging a Driver in Windows 7
command and give a path to the driver that we want to add. In our case the path
is c:\drivers\realtek\win7\alcxau.inf. The pnputil will first process the driver file.
Our driver doesn't have a valid digital signature that verifies who published it. Because of that we get a
Windows security warning. In our case we downloaded this driver from the publisher we trust, so we will go
ahead and install this driver anyway.
Our driver was successfully imported. Notice that the published name for our imported driver is oem9.inf in
our case. Now that we have added our driver to the driver store, our users will be able to install the
corresponding device without the need to download the driver and without the need of entering administrative
credentials. So ordinary users will be able to install any device which has a pre-staged driver on our machine.
For the purpose of this demo, let's now delete our driver. For that we will use the following command: pnputil
-d oem9.inf. The -d switch means that we want to delete it, and oem9.inf is the published name of our driver.
126
www.utilizewindows.com
Management
Staging a Driver in Windows 7
Our driver was removed successfully. As we can see, we can take advantage of the PnP utility to pre-stage a
driver into our Windows 7 installation. If a standard or nonstandard user tries to install device, they will not be
prompted for the actual driver, since Windows will install it automatically from the driver store.
127
www.utilizewindows.com
Management
Using Disk Management and Diskpart to Mange Disks in Windows 7
For the purpose of this demo we have added a new disk to the system which is 512 MB in size. This disk is
completely new, and the space on it is unallocated. Because of that, when we opened Disk Management we got
a prompt to initialize that disk. We have to do that before Logical Disk Manager can access it. In our case we
will select the MBR partition style and click OK. When we do that, notice that the status of the disk changed to
Basic and Online. Notice however that the disk is still unallocated.
128
www.utilizewindows.com
Management
Using Disk Management and Diskpart to Mange Disks in Windows 7
To create a new volume on the disk, we can right-click it and select the appropriate option. In this example we
will right-click on the unallocated space on our new Disk 1, select the "New Simple Volume" option and click
next. The first thing we have to do is to specify the volume size. In our case we will use 256 MB.
On the next screen we have to choose the drive letter. We will use letter E.
On the next screen we will choose the NTFS file system and type in the volume name. We will perform a quick
format.
When we click Next and then Finish, we will see our new volume in the Disk Management Console.
129
www.utilizewindows.com
Management
Using Disk Management and Diskpart to Mange Disks in Windows 7
Now, let's add additional disks to the system to perform more advanced disk management. We will add two
more disks, each having 512 MB of free space. Those two new disks have never been used before so we have
to initialize them before we can use them. To initialize disk, we can right click on the disk name and select the
Initialize Disk option.
If we want, we can now extend or shrink our simple volumes. In our case we will right-click SimpleVolume,
select the "Extend Volume" option, and then click Next. We will get a list of all disks on our system. Notice
that the Disk 1 is already selected.
If we extend our volume by using free space from the same disk, our disk can remain a Basic disk. If we choose
some other physical disk, we will have to convert our disks to the Dynamic ones. We have to do the
conversion because when we use multiple disks, we are actually creating a Spanned volume. As you should
130
www.utilizewindows.com
Management
Using Disk Management and Diskpart to Mange Disks in Windows 7
already know, Spanned volumes cannot be created on Basic disks. So, when we try to select multiple disks in
this case, we will get a warning about the conversion to Dynamic disks.
If we choose to extend our volume, we will be able to do that without the conversion to Dynamic disk. In our
case we will extend our volume with the remaining space on our Disk 1, which is 253 MB in our case. Our
volume now has 509 MB in total.
Notice that we have 4 disks available, and notice that all of them are initialized (status is online). The next thing
we will try to do is create a simple volume on Disk 2. First we have to select the disk and then enter the
appropriate command. To select the disk we will enter:select disk 2. To create a simple volume with the size
of 256 MB we will enter the command: create partition primary size=256.
131
www.utilizewindows.com
Management
Using Disk Management and Diskpart to Mange Disks in Windows 7
The next thing we have to do is format the partition and assign a drive letter to it. In order to do that we first
have to select the appropriate partition on the already selected disk. First we will list all partitions by using
the list partition command. Notice that we only have one partition on our disk so we will select it by using
the select partition 1 command. When we select the partition, we will format it by using the format fs=ntfs
label=SimpleDiskpartVolume quick command. So, the file system will be NTFS, the label will be
SimpleDiskpartVolume and we will do a quick format. After that we will assign a drive letter F by using
the assign letter=F command.
And that's it. Our partition is now ready to use. To leave Diskpart we can enter the exit command.
132
www.utilizewindows.com
Management
Using Disk Management and Diskpart to Mange Disks in Windows 7
Drive letter will be E again, we will use NTFS file system and perform a quick format. Our disks now look like
this. Notice that we have one striped volume across two hard drives. This is actually software RAID
In the similar way we can create a spanned volume as well. We will right click unallocated space on Disk 1 and
select the "New Spanned Volume" option. We will use remaining space from Disk 1 and Disk 2. Our disks
now look like this.
133
www.utilizewindows.com
Management
Using Disk Management and Diskpart to Mange Disks in Windows 7
Let's now create a mirrored volume. As you should know, we have to have two disks available in order to
create this type of volume. We have only one disk left so we will delete our spanned volume for now. Now, we
will select the mirrored volume from the remaining space on Disk 2 and the free space on Disk 3. Notice that
we have to have the same amount of space on both disks. We could not use the whole 512 MB from Disk 3
since we only have 255 MB available on Disk 2. Our disks now look like this (mirrored volume is red).
Mirrored volume is fault tolerant. The same information is written to both disks at the same time. That way if
one of the disks dies, we have another one with the same data. Also remember that we can only have two disks
in a mirrored volume. In contrast, striped volume can have more disks.
134
www.utilizewindows.com
Management
Using Disk Management and Diskpart to Mange Disks in Windows 7
Now let's simulate a hard drive failure. Let's right click on Disk 2 and select the Offline option. Now let's see
the statuses of our disks. Notice that for mirrored volume the status is "Failed Redundancy". That means that
the data only exists on one disk and the other one doesn't contain the duplicates. However, we can still access
data on that volume. On the other hand, striped volume failed completely and we can't access data on that
volume any more.
As we can see, one failed disk can cause a lot of damage. Remember that it is always recommended to use the
hardware RAID device instead of software RAID, as we did here in this demo. If you use software RAID,
always make sure you have a proper backup set up.
135
www.utilizewindows.com
Management
Disk Quotas in Windows 7
Disk Quotas are disabled by default, so the first thing that we need to do is to enable them. We do that by
checking the "Enable quota management" option.
136
www.utilizewindows.com
Management
Disk Quotas in Windows 7
If we check the option "Deny disk space to users exceeding quota limit", we will actually enforce quotas. This
means that we will be using so called hard quotas. Hard quotas will actually restrict space usage, not only
monitor it. If we leave that box unchecked, we will actually use so called soft quotas. Soft quotas are only used
to monitor disk space, and users can go beyond their limits. When that happens, we will be able to see that in
Even Viewer. Remember that we set quotas on a volume level, for everyone. For the purpose of this demo we
will use a volume which has 500 MB of free space in total. Because of that space will limit disk space to 50 MB,
and set a warning level to 40 MB, for all users.
137
www.utilizewindows.com
Management
Disk Quotas in Windows 7
The warning level that we set here will only be visible in the Event Viewer, meaning that users will not know
that they reached the warning level. We can also choose to log all events in Event Viewer. In addition we can
see all quota entries by clicking the Quota Entries button.
Notice that Administrators don't have quota limits by default. Here we can also add exceptions for specific
users. However, we can't add exceptions to the group of users. To do that we can go to Quota from the menu
and select New Quota Entry. A new windows will open in which we have to find specific users. Notice that
only object that we can search are Users. In our case we will enter the "ivancic" name and click Check Names.
138
www.utilizewindows.com
Management
Disk Quotas in Windows 7
When we click OK, we will get a new windows in which we will be able to choose if we want to limit disk
usage or not. In our case we won't limit the disk usage, since this is an exception to the quota limits that we
want to use for other users.
All other, new users will have new disk quotas applied, which is in our case 50 MB (40 MB warning level). Note
that in our case we have enabled soft quotas (tracking only).
139
www.utilizewindows.com
Management
Disk Defragmenter Tool in Windows 7
On the Disk Defragmenter tool we will see all our disk and when the last defragmentation was run.
As we can see, the scheduled defragmentation is enabled by default and it will run at 1:00 AM every
Wednesday. We can also modify that schedule. If we click the "Analyze disk" button, the system will check the
disk and tell us if we need to defrag our disk or not. Notice that our disks are barely fragmented (C: drive is
140
www.utilizewindows.com
Management
Disk Defragmenter Tool in Windows 7
only 2% fragmented), which is great and we don't need to run defragmenter in our case. To defrag the disk we
can simply select it from the list and click on the "Defragment disk" button. Defragmentation can take a very
short time if the fragmentation is small or it can take up to several hours if the disk is big and badly
fragmented.
Remember that some files, like certain system can't be moved during the defragmentation process. Also,
network drives cannot be defragmented. By default, Windows 7 defragments our disks automatically. We can
also use defrag command in command line to defragment our disks.
141
www.utilizewindows.com
Management
Removable Storage and System Security in Windows 7
Security Issues
Removable devices actually represent a big security risk because they can be used to easily copy sensitive data to
it (to steal personal or confidential data). To deal with this problem we can use Removable Storage
Access policies in Group Policy. For example, we can forbid writing of data to removable media. We can also
prevent users from running software from removable media, or to copy data from the removable media to our
computer.
Group Policies related to hardware depend on the type of device. For example, we can set restrictions on our
CDs, DVDs, floppy drive, and removable disks. We can also set custom class restrictions which are based on
Globally Unique Identifier (GUID). A GUID is a 16-byte alphanumeric string specific to a device. We can also
restrict all removable storage at once.
We can deny read, write and execute actions on our removable devices. This also includes our mobile phones,
media players and similar devices (for this we use Windows Portable Devices (WPD) policies).
To enforce configured policies we can set the time to force reboot. If we don't configure this setting, policies
will not be take effect until the system is restarted.
To open Group Policy we can enter gpedit.msc in Search box. Removable Storage Access policies can be set
on the whole system or per-user basis. In our example we will forbid users to read and write to removable
disks. To do that we will go to Computer Configuration > Administrative Templates > System >
Removable Storage Access.
142
www.utilizewindows.com
Management
Removable Storage and System Security in Windows 7
In this window we will enable the following policies: "Removable Disks: Deny read access" and "Removable
Disks: Deny write access". Those policies will be active when the system reboots. We can also force the reboot
by using the "Time (in seconds) to force reboot" policy. Settings for users are available in User Configuration
> Administrative Templates > System > Removable Storage Access.
143
www.utilizewindows.com
Management
Application Compatibility Issues in Windows 7
Compatibility Troubleshooting
In our example we have a program called COMREG which has some problems running in Windows 7. The
first thing we will try is to troubleshoot compatibility. To do that we will right-click it and select the
"Troubleshoot compatibility" option. The troubleshooter will scan the application and see if it the problem can be fixed.
In our case we have two options. The first option is to try recommended settings. Let's choose that option
now.
Notice that in our case the troubleshooter will apply create environment that corresponds to Windows XP SP2
system. If we choose the second available option (Troubleshoot program), we will be able to troubleshoot the
problem ourselves. In this window we can respond to several questions and that will help us to solve
compatibility issues. In our case we will select the first three options.
144
www.utilizewindows.com
Management
Application Compatibility Issues in Windows 7
When we click next we will be able to choose the version on which the program worked on. In our case we will
select the Windows 98 option and click Next.
On the next screen it will ask us about display problems that we noticed. In our case we will select the
transparency issues.
Once we click Next we will be able to run our program with different settings applied.
145
www.utilizewindows.com
Management
Application Compatibility Issues in Windows 7
If we go to the properties of that program, and then go to the Compatibility tab, we will see all the options that
were set during troubleshooting.
So, we can set all those options manually in Compatibility tab of the particular program. By default
compatibility settings will be saved for single user. If we want to force those settings for all users on the
computer we can click the "Change settings for all users" button. Note that some applications won't work even
146
www.utilizewindows.com
Management
Application Compatibility Issues in Windows 7
if we set compatibility modes. If that is the case we can take advantage of the Windows XP Mode in Windows
7, which is actually a virtual Windows XP machine.
147
www.utilizewindows.com
Management
UAC Configuration in Windows 7
When we click that option, we will be able to choose when to be notified about changes to our computer. The
default setting is to notify us only when programs try to make changes to our computer. In this case UAC will
not notify us when we make changes to Windows settings. When the UAC prompt us activated, the Secure
Desktop (dimmed desktop) will be displayed for a maximum of 150 seconds. We will not be able to perform
any other action until we respond to the prompt. If we don't respond, the system will automatically deny the
request after 150 seconds.
148
www.utilizewindows.com
Management
UAC Configuration in Windows 7
We can also choose the "Always notify" option in which we will be notified when programs try to make
changes and when we make changes to Windows settings. We can also choose to be notified but without
dimming our desktop (without Secured Desktop feature). In this mode we will be able to interact with the
computer even when the UAC prompt is active. We can also choose to never notify us. In this case we will be
able to do all administrative tasks (if we are a member of the Administrators group) without UAC prompts.
Standard users won't be able to perform actions which require administrative privileges in this mode, as they
will be automatically denied.
149
www.utilizewindows.com
Management
UAC Configuration in Windows 7
Notice the different UAC Policies. We can configure the behaviour of the elevation prompt for administrators
and for standard users. Different settings which we can choose are shown on the pictures below.
We can also control UAC settings for the built in administrator account. By default UAC is disabled for the
built-in administrator account, but we can enable it here. To turn UAC off or on we can use the "Run all
administrators in Admin Approval Mode". All other UAC policies are dependent on this option being enabled.
The default setting is on. In "Switch to the secure desktop when prompting for elevation" policy we can enable
or disable the Secure Desktop feature for the whole system. By using other policies we can also choose to only
elevate executable that are signed and validated or that are installed in secure locations. Signed and validated
applications use Public Key Interface (PKI) checks. Secure locations in Windows 7 are "C:\Program Files\"
and its sub-directories, "C:\Program Files (x86)\" and its sub-directories, and "C:\Windows\system32\r-".
150
www.utilizewindows.com
Management
Configuring Security Zones in Windows 7
Zone Configuration
To configure Internet Options we will go to the Control Panel > Network and Internet > Internet Options.
The security settings applied to website depend on the corresponding security zone the website is in. We can
configure zones and security levels on the Security tab.
The three default security levels are medium, medium-high and high. We can also use the "Custom level"
button to change the default security level of each zone and their details. This includes ActiveX control
behavior, scripting or user authentication settings.
Different zones will apply different security settings to websites that are in that zones. Local intranet zone
contains sites that are found on our intranet, in our organization. IE can detect intranet sites automatically. We
151
www.utilizewindows.com
Management
Configuring Security Zones in Windows 7
can also manually add websites to this zone. The default security level of the Local intranet sites zone is
medium-low. To check default settings we can click on the Sites button.
Restricted sites are potentially malicious and that can damage our computer. The default security level for
restricted sites is high.
The Internet zone contains all websites that are not contained in the other three security zones. The default
security level for the Internet zone is medium-high. Internet Explorer also has a new feature called Protected
Mode. Protected mode will not allow infected IE to damage other parts of the Windows system. By default
Protected Mode is enabled for sites in the Internet and Restricted sites zone.
152
www.utilizewindows.com
Management
Configuring Security Zones in Windows 7
Existing Libraries
Before we create our custom library, we should be aware that we already have some libraries configured on our
system. Libraries created by default are Documents, Pictures and Music. For example, if we right-click our
Documents and select Properties, we will get window like this:
153
www.utilizewindows.com
Management
Configuring Security Zones in Windows 7
Notice that in this case the Documents library currently includes locations "C:\Users\Admin\My Documents"
and "C:\Users\Public\Public Documents". Although we have two locations in Documents library, when we
open it, we won't see those locations. We will only see files and folders.
As you can see in this example, we only see files and folders from all locations which are included in the library,
but we don't know on which location they are located (until we go to its properties).
154
www.utilizewindows.com
Management
Configuring Security Zones in Windows 7
When we do that, we will be able to change the name of the Library. In our case we will simply leave it New
Library.
When the name is set, we can select our new library. Since we didn't include and folders in this library, we will
be prompted to include a folder.
The second way to create a library is to right-click some existing folder which we want to have in our library,
and then select the "Include in library" option, and then "Create new library" option. For the purpose of this
155
www.utilizewindows.com
Management
Configuring Security Zones in Windows 7
demo, we have create two folders on our Desktop. One folder is "New Catalogs", and other is called "Old
Catalogs". We want to put those folders in one Library called Catalogs. To do that, we will first right-click New
Catalogs and create new library for it.
By default, the name of the library created in this way will be the same as the first folder that we added.
However, we can always right-click our library and choose to rename it.
156
www.utilizewindows.com
Management
Configuring Security Zones in Windows 7
To add another folder (Old Catalogs), we can right-click it, select the "Include in library" option, and then
select our newly created library from the list. Since we now have two locations in our library, we will rename it
to Catalogs. Our library now looks like this:
If we right-click our library, and go to its properties, we see that we can choose to optimize our library for
certain type of items (like music, videos, documents, pictures or general items). This selection impacts how our
files will be presented in the library, and how they will be indexed.
If we take a look at our Catalogs library, we'll see that the default view (Arranged by option) is the folder view.
In this view we can see which files are located in which folder in our library. Also, when we create new files, we
can choose in which location we want to store them.
If we change the view to some other option than the "Folders" option, we will typically get a list of files from
all locations included in the library. For example, in our case we have created two text files in each location
157
www.utilizewindows.com
Management
Configuring Security Zones in Windows 7
(New Catalogs and Old Catalogs folders), and we have selected the "Date modified" view in our Catalogs
library.
As we can now see, we don't know which file is located in which location. When we create a new file in this
view, that file will be saved directly to the first added folder in the library, which is New Catalogs in our case.
But, we can also change default save locations. To do that, go to the properties of the library, select the location
you want to be the default save location, and then click the "Set save location" button.
158
www.utilizewindows.com
Management
Configuring Security Zones in Windows 7
Here we can select to share it on the HomeGroup or to share it with specific people.
159
www.utilizewindows.com
Management
Printer Configuration in Windows 7
Installing Printer
In todays world, almost all printers are plug-and-play. In majority of cases we will simply plug in our printer,
and Windows will install drivers for it automatically. If it doesn't have drivers in its drivers store, it will try to
find them in Windows update. If this fails, we can always install drivers which came with the printer or simply
download drivers from the manufacturers site and install them.
Despite that, we should be aware of how to add printer in Windows if we don't have self-installing drivers. For
example, we have connected Samsung ML-1640 printer to our computer. Windows tried to install it
automatically but the installation failed because Windows couldn't find the drivers.
Next, we downloaded drivers from the official website and installed them. In our case this solved the problem,
since we downloaded the EXE file which took care of installing drivers for us automatically. But, in some cases
with other printers we will only get ZIP file with driver files in it. In this case we have to add our printer
manually. To manage printers in Windows 7 we can go to Start > Devices and Printers. Here we will see a
button for adding a printer.
160
www.utilizewindows.com
Management
Printer Configuration in Windows 7
When we click on "Add a printer", we will be asked what type of printer do we want to install. We can choose a
local printer or a network printer.
If we select a local printer, we will be asked to choose a port. We can select an existing port or we can create a
new port. For the purpose of this demo we will use a USB001 port.
161
www.utilizewindows.com
Management
Printer Configuration in Windows 7
The next thing is to define the manufacturer and the model of our printer for the driver installation. Windows
already has many drivers available, which we can choose from the list. But, if our printer is not listed, we can
try selecting Windows Update option. If Windows Update doesn't work, we have to use the Have Disk option
which will enable us to select driver file manually. So, let's say that we have extracted our ZIP file which
contains drivers to C:\Temp, when we click Have Disk, we would click Browse, and navigate to the driver files
located in C:\Temp location.
You'll notice that Windows will only let you select Setup Information file (*.inf file). When you select the setup
file, you will be able to proceed and install the printer.
Managing Printer
Once the printer is installed, we can go to its properties. Notice that you can select two properties, one for the
device (Properties), and one for the printer itself (Printer properties). To see the properties of the printer itself,
we have to select the Printer properties. On the General tab we can see the name of the printer, available paper.
We can also print a test page here and change preferences.
On the Sharing tab we can choose to share our printer. Here we can also choose to add additional drivers for
different versions of Windows.
162
www.utilizewindows.com
Management
Printer Configuration in Windows 7
Notice that we have an option to render print jobs on client computer, which is selected by default. This way,
clients will do all the processing and just send the print job to the print spooler.
On the Ports tab we can see on which port our printer is located. Here we can select multiple ports, and
document will print to the first free checked port. Here we can add, delete and configure existing ports.
On the Advanced tab we can define the availability of the printer, select the driver for the printer, choose how
to spool documents, and other options.
On the Security tab we can modify permissions for our users. As you can see, by default everyone can print.
163
www.utilizewindows.com
Management
Printer Configuration in Windows 7
The CREATOR OWNER can manage its documents. This is the user who created the print job, so it can
manage its own print jobs. Administrators will have all permissions. Of course, here we can add additional
groups and users and configure permissions for them.
Print Server
Every computer which has printer installed can act as a print server. Let's check this out by clicking "Print
server properties" button in Devices and Printers window. Here we will see tabs named Forms, Ports, Drivers,
Security and Advanced. On Forms tab we can define new forms with new measurements. On Ports tab we can
work with ports. On Drivers tab we can manage printer drivers on the computer. On the Security tab we can
define default permissions which will be defined for everybody and every printer.
164
www.utilizewindows.com
Management
Configuring Power Options in Windows 7
Power Options
We can find Power Options screen in Control Panel. The screen looks like this.
Here we can see three built in power plans, Balanced, Power saver and High performance. We can choose the
one we want to use and we can customize the plan by clicking on the "Change plan settings" link. For example,
if we try to customize the Balanced power plan, we will see this.
165
www.utilizewindows.com
Management
Configuring Power Options in Windows 7
So, we can choose when to dim the display or when to turn it off. We can also choose when to put the
computer to sleep and adjust the brightness of the screen. If we click on the "Advanced settings" link, we will
see this.
166
www.utilizewindows.com
Management
Configuring Power Options in Windows 7
In this window we can change advanced settings for all three power plans (we can choose the plan on the drop
down list). For some options we will have to click on the "Change settings that are currently unavailable" since
some of the options need elevated privileges.
Note that we can't delete default power plans, but we can create our own custom power plan. To do that we
can click on the "Create a power plan" link in Power Options.
On the next screen we will have to choose the default plan that is closest to what we want (it will serve as a
template). In our case we will select "High performance" and call it "Custom HP".
On the next few screens we will be able to choose display and sleep settings. In our case we will choose that
our display never turns off and our computer never goes to sleep, and click the Create button. The new plan
will then be listed on the Power Options screen.
167
www.utilizewindows.com
Management
Configuring Power Options in Windows 7
We can always change settings for our new power plan. For example, if we don't want our hard disks to turn
off, we will enter 0 as a value for minutes.
168
www.utilizewindows.com
Management
Configuring Power Options in Windows 7
To change to another power plan we can use the -setactive switch. We have to use the GUID of the power
plan we want to change to. So, in our case, if we wanted to switch back to the Balanced power plan, we would
have to enter the following command: "powercfg -setactive 381b4222-f694-41f0-9685-ff5bb260df2e".
We can also export our settings by using the -export switch. We will have to specify the location and name of
the file, and the GUID of the plan we want to export. The command looks like this: "powercfg -export
C:\CustomHP 381b4222-f694-41f0-9685-ff5bb260df2e". Now that we have our plan exported, we can import
it on multiple computers by using a script.
To delete a power plan we can use the -delete switch and specify the GUID of the plan we want to delete, for
example: "powercfg -delete ae6a8d04-daf8-497f-ac3d-68dff990adc6". The plan we are trying to delete mustn't
be active.
So, we have actually deleted the CustomHP power plan that we have created earlier. Let's now try to import the
plan back by using the -import switch. The command looks like this: "powercfg -import C:\CustomHP". If
the import is successful, we will see the new GUID of the imported power plan (it will be different from the
previous, despite of the same name of the plan).
Of course, we can also delete and import power plans from the GUI, and we will see the options to delete the
plan if we try to change settings on the custom power plan which is not active (we can only delete custom
power plans).
169
www.utilizewindows.com
Management
Configuring Power Options in Windows 7
To see the report of the power management settings, including diagnostics, we can use the -energy switch. The
system will be observed for some time in order to acquire data for the report. After that we will get the report
in a HTML format which can be opened with the browser.
170
www.utilizewindows.com
Management
Configuring Power Options in Windows 7
To check the devices that can wake up the computer from sleep mode (like mouse or keyboard), we can use
the "-devicequery wake_from_any" switch.
171
www.utilizewindows.com
Management
Configuring Offline Files in Windows 7
In Caching window, we can set which files are available to users who are offline.
172
www.utilizewindows.com
Management
Configuring Offline Files in Windows 7
The option "Only the files and programs that users specify are available offline" means that we have enabled
manual caching. The option "No files or programs from the shared folder are available offline" means that no
caching is allowed at all. The option "All files and programs that users open from the shared folder are
automatically available offline" means automatic caching. If we choose the "Optimize for performance"
option, executable files from the network share will be cached to the client machine. In our case we will leave it
to manual.
The next step is performed on the client machine. The first thing we should do on the client machine is check
the settings in Control Panel > Sync Center. Important thing to check here is the "Manage offline files" option.
In the window that appears we will be able to disable offline files feature and view our offline files.
173
www.utilizewindows.com
Management
Configuring Offline Files in Windows 7
On the Disk Usage tab we will see how much disk space is currently used and available for storing offline files.
174
www.utilizewindows.com
Management
Configuring Offline Files in Windows 7
On the Encryption tab we can encrypt offline files, and on the Network tab we can configure the time interval
to check for a slow connection. In our case we will leave all those options to default settings. The next thing to
do is to open the shared folder from our client machine. In our case, the UNC path to our shared folder is
//ivancic-s/scan. In that shared folder we have one file called "Demo text file". To make this file available
offline, we will right-click it and select the "Always available offline" option.
Once the file is made available offline, we will see a state of the file as "Always available" at the bottom of the
Explorer window, when we select the file.
If we lose network connectivity and try to open the shared folder again, we will see that the Status of the folder
is Offline, but the availability is Available.
This means that we can open up the shared file and work on it while we are not connected to the network, and
save all the changes. Once we connect to the network again, we the modified file will be synced with the file on
the shared folder on the server.
175
www.utilizewindows.com
Management
Configuring Offline Files in Windows 7
Multiple Users
Keep in mind that if multiple users are working on the same files in the shared folder, we might encounter
conflicts when syncing cached files back to the server. If someone else from modifies the same file as we have
modified, we will see a conflict notification in our Sync Center.
When we click on a specific conflict, we will be asked which version we want to keep.
We can choose to keep the file on our client machine, keep the file on the server, or to keep both files (one file
will be renamed). So, as we can see, offline files are primarily intended for personal use. If multiple users work
on the same files, there is a chance of overwriting changes on files made by other users, so keep that in mind.
176
www.utilizewindows.com
Management
Managing Services in Windows 7
Services Snap-in
To open the Services snap-in we can enter "services.msc" in the Search box. The snap-in with the list of
services will appear.
In the Services console we right-click a service and then choose what to do with it. We can start it (if it is not
running), stop it (if it is running), pause it, resume it and restart it.
177
www.utilizewindows.com
Management
Managing Services in Windows 7
We can also go to the properties of the service. When we do that, a new window will appear. On the General
tab we can see the general information about the selected service and its startup type.
Note that we can change the startup type here. The startup type can be "Automatic (delayed start)", Automatic,
Manual or Disabled. Services that are set to startup automatically will start at boot time. If the startup type is
Automatic (delayed start), it starts just after the boot time which can result in faster boot. Keep in mind that
178
www.utilizewindows.com
Management
Managing Services in Windows 7
some services require the startup type to be automatic in order to function properly. Manual startup type
enables Windows to start a service when it is needed, and we can always start this service from the Services
console by selecting the Start action. The Disabled startup type won't allow service to start even when it is
needed.
On the Log On tab we can see the account which is used to start the service.
We can even browse and select a specific user account that we want for the service to run in. The next tab is
the Recovery. Here we can select what the system will do if the service fails.
179
www.utilizewindows.com
Management
Managing Services in Windows 7
We can specify an option if the service fails once, two times and for the subsequent failures. We can select to
restart the service, select to take no action, to restart the service, to run a program or to restart the computer. If
we choose the Run a Program option, we will be able to specify the program that we want to execute and
specify the command line parameters if we need. Note that programs that we specify here should not require
user input. Otherwise the program will just stay open for the prompt for user intervention until the user
responds to the prompt. If we choose the Restart the Computer option, we will be able to specify after how
many minutes will the computer restart, and we can enter a message that will be shown to the user.
Note that on this window we also have an option to "Enable actions for stops with errors". All options set here
are for failures by default, but if we check the "Enable actions for stops with errors", all those options will also
apply for stops because of errors.
On the Dependencies we can see on which services our service depends on. We can also see services which
depend on our selected service.
180
www.utilizewindows.com
Management
Managing Services in Windows 7
For example, if our service won't start, we can check if all the dependent services are started as working.
To do a restart of the service in the command line, we can combine the two mentioned commands using the
"&&" symbol. The command will look like this: "net stop {service_name} && net start {service name}".
181
www.utilizewindows.com
Management
Managing Services in Windows 7
Another command we can use to start or stop a service is "sc start" and "sc stop". For example, to start a
service named Apache2.4, we would enter the command "sc start Apache2.4". To stop it, we would enter "sc
stop Apache2.4".
We can also use "sc" to do many other actions with Services. To see other available actions, enter "sc" in CMD
and hit enter.
182
www.utilizewindows.com
Management
Using msconfig in Windows 7
msconfig Tool
To open msconfig tool in Windows 7, we can enter "msconfig.exe" in Search, and then select it. We can use
msconfig to configure startup type, boot options, service startup, and the startup of other applications.
General Tab
In the General tab we can select the startup type for our computer. As we can see, we can have the normal
startup, diagnostic startup and selective startup. In diagnostic startup the system will be booted but with basic
device drivers and basic services. In selective startup we can choose if we want to load system services and
startup items (which are visible in the Startup tab).
Boot Tab
On the Boot tab we can manage different operating system boot options.
183
www.utilizewindows.com
Management
Using msconfig in Windows 7
Here we can choose the default operating system that will be booted. In our case we only have one OS
installed, but if we had more dual-boot or multi-boot, we would see other installations here. Also, we can select
to start our OS in Safe mode (Safe boot option). The Safe boot modes are:
No GUI boot - removes the graphical moving bar and / or Windows animation (Windows Welcome
screen) during start-up.
Boot log - set up a boot logger that will log everything that is loaded during the boot process, for
troubleshooting purposes. Log file is available after the boot in C:\Windows\ntbtlog.txt.
Base video - boot with base video drivers using lowest resolution and color depth. This is also known
as VGA mode in advanced boot options.
OS boot information - shows driver names as drivers are being loaded during the startup process.
We can also set the number of seconds in which the boot menu is displayed (the timeout option). We can also
make all those settings permanent for all future reboots, not just one single reboot.
On the Advanced settings we can specify the number of CPUs to be used, maximum memory, and debug port
and baud rate for remote debugging.
184
www.utilizewindows.com
Management
Using msconfig in Windows 7
Services Tab
On the Services tab we can see a list of services and their status (running or stopped).
Note that we can't start or stop a service here, but we can enable or disable it. When we disable a service, it
won't start the next time we boot. When we enable it, it will start when the machine reboots. This won't stop or
185
www.utilizewindows.com
Management
Using msconfig in Windows 7
start the service immediately. The great thing here is that we can hide all Microsoft services by checking the
"Hide all Microsoft services" option. This gives us a great view of the third party services and their status.
Startup Tab
On the Startup tab we can see all the items that start during the user or computer boot.
We can see the item name, manufacturer, path to the executable, and the location of the registry key or
shortcut that causes the application to run. We can clear the check box for a startup item to disable it on the
next startup. Startup is a great place for viruses and other malware to plant them self, so this is a good place to
check if we have some suspicious startup items. Keep in mind that some startup items are important for our
system, and disabling those items can lead to undesired results. We should always check the name of the
executable on the Internet and find out why it is used, if its malware or not, and if we can safely disable it.
Tools Tab
Under the Tools tab, we can find and launch virtually all of the support and troubleshooting tools that we
might need to manage our system.
186
www.utilizewindows.com
Management
Using msconfig in Windows 7
When we select a specific tool, we will also see the command that is used to start the selected item.
187
www.utilizewindows.com
Management
Event Viewer in Windows 7
Event Viewer
We can open Event Viewer in different ways, such as trough Computer Management and Administrative
Tools. However, the easiest way is to type "eventvwr" in search box, or "eventvwr.msc" in the Run box to
open the Event Viewer.
The standard Windows logs are now located under Windows Logs section (Application, Security, Setup,
System and Forwarded Events logs). If we select particular log, and then select some event, we will see the
summary of the event at the bottom of the Viewer, in the preview pane. On the right side we have options to
filter logs, to create custom logs, view properties of the event, etc. We can also see event properties by rightclicking the event, and then selecting the "Event Properties" option.
188
www.utilizewindows.com
Management
Event Viewer in Windows 7
Event properties give us more information about the event. If we go to the Details tab we can even get an
XML view if we need to save, parse it, etc. When we right-click an event, we also have an option to attach a
task to event. This way, if the event occurs again, the task will run. When we select the "Attach Task To This
Event" option, the Basic Task wizard will appear. The first thing we can do is give the name to the task.
On the next screen we can see that it will by default fill the log, source, and event ID information for us.
189
www.utilizewindows.com
Management
Event Viewer in Windows 7
On the next screen we can specify the action we want the task to perform.
If we select a program, we will be able to select a program or script that the task will run.
If we specify to send an e-mail, we can specify from whom the e-email should come from, who will receive it,
subject, text, attachment, and we need to specify the SMTP server.
190
www.utilizewindows.com
Management
Event Viewer in Windows 7
If we select a "Display a message" option, we will be able to specify a message that will appear on the desktop
when the event occurs.
So, this wizard will create a task in the Task Scheduler, based on the trigger from our event. Task Scheduler is
available in Administrative Tools. Tasks created by Event Viewer will be stored under "Task Scheduler Library"
-> "Event Viewer Tasks".
Here we can see the details about our task, and even force it to run.
The next thing we should consider is the size of our logs. For example, if we right-click on the Application log,
and select the Properties option, we will be able to select the maximum log size.
191
www.utilizewindows.com
Management
Event Viewer in Windows 7
The larger the size, the more events it can save, but at the same time, it takes up space and impacts
performance. We can also specify what to do when the maximum event log size is reached. The default is to
overwrite events as needed. If we specify the "Do not overwrite events" option, we will have to manually clear
the log. Also, users won't be able to use the computer until the log is cleared. Only the administrator will be
able to log on to the computer and clear the log.
In this window we also see the actual path to the log file and the current log size.
Using Filters
We can filter our logs by choosing the Filter Current Log option from the Actions menu. In the filter we can
specify the event level (critical, warning, verbose, error, information).
192
www.utilizewindows.com
Management
Event Viewer in Windows 7
Also, we can enter IDs, task categories, keywords, users, and computer to filter using this criteria.
Keep in mind that filters are only active only while we stay in the current log. If we select another log, the filter
will reset. If we want to define our own view with filters and preserve it, we can create a custom view from the
Actions menu. The custom view has the same options as when creating a filter. In our case we will create a
view which will only show us errors that happened in the last 24 hours in the Applications log.
Note that when we choose the log, we can combine multiple logs if we wish. We can even use the Applications
and Services Logs which can show us events from hardware, Internet Explorer, and even more details events
under the Microsoft section from other Windows services. Almost every major Windows service has its own
log.
193
www.utilizewindows.com
Management
Event Viewer in Windows 7
When we define our own view, we can name it and give it description. We can even organize our custom views
in folders.
So, now when we select our custom view, only filtered events will be shown.
194
www.utilizewindows.com
Management
Event Viewer in Windows 7
We can always edit our custom view by right-clicking it and choosing the appropriate option, as well as export
it.
195
www.utilizewindows.com
Management
Monitoring Performance in Windows 7
Performance Monitor
In this demo we will take a look at how we can use the Performance Monitor to capture information about our
machine performance. We can access Performance Monitor by typing "perfmon" in the Start Menu search
box.
If go to Monitoring Tools > Performance Monitor, we will see the performance of our machine in real time.
196
www.utilizewindows.com
Management
Monitoring Performance in Windows 7
Here we only see data for our processor, by default. This counter has been added for us (Processor Time
counter). We can also monitor other things. Let's say that we want to monitor memory usage as well. To do
that we will click on the green plus sign (add button), and select the counter from the list. We can select the
counter form the local or remote computer. In our case we will select the Memory > Committed Bytes In Use
counter, which is also represented as percentage.
197
www.utilizewindows.com
Management
Monitoring Performance in Windows 7
When we click OK, we should see both counters in the graph. By default, both our counters are now red, but
we can change the color of the counter if we click on it on the list of counters.
198
www.utilizewindows.com
Management
Monitoring Performance in Windows 7
So, we can add multiple different counters from multiple different objects, if we want. In addition to the
Performance Monitor, we can use Data Collector Sets.
In the window that appears we give our set a name, and choose if we want to create it from the template or
create it manually. In our case we will do it manually.
199
www.utilizewindows.com
Management
Monitoring Performance in Windows 7
On the next screen we can choose if we want to create data logs or alert. In our case we will select alert.
With this option we will specify that if something is above or below a certain value, a counter alert will be
thrown. So, on the next window we have to specify the counter which will be tracked. In our case we will
monitor the free space on our C: disk, presented as percentage. If the free space goes below 20 (%), the
counter alert will be thrown.
200
www.utilizewindows.com
Management
Monitoring Performance in Windows 7
Here we can click on the Finish button, but if we click Next, we can set additional options. On the next
window we can choose to open the properties for this data collector set.
In the Properties we can set many different options for our Data Collector Set. For example, on the Stop
Condition tab we can select when will our Data Collector Set stop running. We can choose to stop it based on
the overall duration or based on the limits of maximum size of the collected data.
201
www.utilizewindows.com
Management
Monitoring Performance in Windows 7
We can also set a schedule for our Collector Set (on the Schedule tab). If we don't schedule the Collector Set,
we will have to start it manually. We can also change the directory where the Set will be stored (on the
Directory tab), choose who can work with it (on the Security tab), and specify the task that will run when the
set stops (on the Task tab).
Now, lets go to the specific alert in our Demo Set and open its properties (right-click it and select the
Properties option).
On the Properties of the alert, we will see the sample interval, which is 15 seconds by default.
202
www.utilizewindows.com
Management
Monitoring Performance in Windows 7
On the Alert Action tab, we can specify an action. Here we can select to log the data in the application or start
another data collector set.
On the Alert Task tab, we can select to run a task when this alert is triggered.
203
www.utilizewindows.com
Management
Monitoring Performance in Windows 7
To start the Data Collector Set, we have to select it and select the Start option.
So the previous example was the Performance Counter Alert. We can also use Data Collector Set to create data
logs.
204
www.utilizewindows.com
Management
Monitoring Performance in Windows 7
In this type, we can also select the counter, but note that we can also collect current system configuration
information. Configuration information is pulled from the Windows Registry. We have to enter the registry
keys which we want to record.
To get the correct key, we can use Registry Editor and find the path to the key.
If we have two data collector sets, we can run one from the other. For example, since we now have an alert
data collector set (which runs when something goes below or above certain value), we can set its action to run
the other data collector set (which will gather data about our system).
205
www.utilizewindows.com
Management
Monitoring Performance in Windows 7
There are two default collector sets in Windows 7. One is the System Performance set, which collects
information about the CPU, hard disk drive, system kernel, and network performance. Another is the System
Diagnostics set which collects detailed system information in addition to the data gathered in the system
performance set.
Reports
We use the Reports tool to view the collected data or to create new reports from a set of data collector set
counters. Note that if a collector set has not run, no reports will be available. For example, we can run a System
Diagnostic report which includes the status of hardware resources, system response times, and processes on
the local computer. To generate this report we have to start the System Diagnostics data collector set in the
Performance Monitor. When it finishes, we can reach the report in the Report section.
206
www.utilizewindows.com
Management
Using WinRS and PowerShell for Remote Management in Windows 7
We have to say "Yes" to the prompt (just enter "y"). This command will set up Windows Remote Management
on the computer. Remember that we have to run this command on all computers which will participate in
remote management. For this demo, we have done this on our two Windows 7 desktop machines in our LAN.
Those computers are not members of Active Directory domain.
Trust Set Up
Once the Windows Remote Management service is set up, the next have to do is configure trusts between our
two computers. Have in mind that because these computers are not in the same Active Directory domain,
there's no Kerberos trust or certificate trust set between our computers. Because of that we have to manually
set up trust between our remote management services. Our first computer is named "WIN-7-VM1", and our
second computer is named "WIN-7-VM2". So, the "WIN-7-VM1" will trust "WIN-7-VM2", and vice verca.
On "WIN-7-VM1" machine we will enter the following command in elevated CMD:
207
www.utilizewindows.com
Management
Using WinRS and PowerShell for Remote Management in Windows 7
winrm set winrm/config/client @{TrustedHosts="WIN-7-VM2"}
In Active Directory environment we wouldn't have to worry about this because all the clients have a Kerberos
trust.
208
www.utilizewindows.com
Management
Using WinRS and PowerShell for Remote Management in Windows 7
So, with this we have actually run "ipconfig" command on WIN-7-VM2 machine, and in that way found the IP
address of remote computer. To check the content of C:\ drive on remote computer, we would enter:
winrs -r:WIN-7-VM2 dir C:\
So, we can run any command we want on that remote machine.
But, we haven't specified the user which will be used to run our commands. The thing is, Windows Remote
Shell will try to negotiate authentication. If negotiation is not not successful, it will prompt us for the
credentials. If we want, we can also specify the user under which the command will run using the "-u"
parameter, like this:
PowerShell
We can also use PowerShell to manage remote computers. To open PowerShell, we simply enter "powershell"
in cmd.
209
www.utilizewindows.com
Management
Using WinRS and PowerShell for Remote Management in Windows 7
In PowerShell we can also enter regular commands, but we can now also use advanced PowerShell features like
filtering or piping. Combining those features with remote management makes it even stronger. So, we can run
PowerShell commands on a remote machine using a "icm" command. We have to specify the name of the
computer, and then script or block of script. We can define a block of script by putting it in brackets. For
example, to get the ipconfig information from the "WIN-7-VM2", we would enter
icm WIN-7-VM2 {ipconfig}
210
www.utilizewindows.com
Management
Using WinRS and PowerShell for Remote Management in Windows 7
To shutdown remote computer:
icm WIN-7-VM2 {stop-computer -force}
To restart remote computer:
icm WIN-7-VM2 {restart-computer -force}
So, as we have seen we can send commands to remote machines. Practically, any command we can run locally,
we can also send to remote machine.
211
www.utilizewindows.com
Management
Configuring and Using Remote Desktop in Windows 7
Remote Desktop
In this demo we will see how we can use Remote Desktop in Windows 7 to manage remote computers. The
first thing we need to do is enable Remote Desktop on the destination computer. We can do that in Control
Panel > System and Security > System > Remote Settings.
In Remote Settings we can allow Remote Desktop in two ways. We can allow connections from computers
running any version of Remote Desktop (less secure), or we can allow connections only from computers
running Remote Desktop with Network Layer Authentication (more secure). In our case we will select the
option with Network Layer Authentication since we only have Windows 7 machines on our network.
212
www.utilizewindows.com
Management
Configuring and Using Remote Desktop in Windows 7
If we select the less secure version, we will be able to connect to this machine from Windows XP or even older
versions of Windows. Network Level Authentication will first authenticate the Remote Desktop connection
before opening the actual session.
By default only members of the Administrators and Remote Desktop Users local group are able to make
connections to a client running Windows 7 using Remote Desktop. On the Remote settings tab, we can click
on the Select Users button, and add additional users to this list. Those users will be added to the Remote
Desktop Users group. This list displays all the current members of that group.
213
www.utilizewindows.com
Management
Configuring and Using Remote Desktop in Windows 7
Initiating Connection
On the source computer we can go to Start > All Programs > Accessories > Remote Desktop Connection.
This will open the Remote Desktop Connection software.
If we click on the "Options" link, we will be able to specify all options for the connection. On the General tab
we can specify the name of the remote computer.
214
www.utilizewindows.com
Management
Configuring and Using Remote Desktop in Windows 7
In our case we will connect to "WIN-7-VM2" machine. We can also specify the username we want to use to
connect. We can also save this actual connection as a connection file. This way we will be able to simply
double-click on that connection file and the remote session will start with our saved settings.
On the Display tab we can show the Remote Desktop session in full-screen or use different resolution,
depending on our computer screen. We can also choose the color depth of the remote session. Lower color
depth can give us little better performance.
215
www.utilizewindows.com
Management
Configuring and Using Remote Desktop in Windows 7
On the Local Resources tab we can specify the audio, keyboard and devices and resources settings.
If we click on the Settings button in the "Remote audio" section, we can specify if we want to bring the audio
onto this computer, play it on remote computer or choose not to play audio. We can also choose to record
audio from our computer or not record audio at all.
216
www.utilizewindows.com
Management
Configuring and Using Remote Desktop in Windows 7
When it comes to keyboard settings, we can specify when to apply key combinations. In our case, when we are
in full-screen mode, the remote computer will receive the key combination we press.
Under "Local devices and resources" we can specify if we want to connect the printers that are on this source
computer into the remote computer so we can print from the remote computer to my locally attached printers.
We can even select to use local clipboard on remote computer. If we click More button under this section, we
can even specify if we want to use smartcards, serial or parallel ports, drives and other plug and play devices on
the remote machine.
On the Programs tab we can specify a program that we want to start when the connection establishes.
217
www.utilizewindows.com
Management
Configuring and Using Remote Desktop in Windows 7
On the Experience tab we can select different visual settings for the session. The more options we remove, the
faster our connection will be, and vice versa. We can also simply choose a connection speed and it will optimize
all options automatically.
In our case we have selected LAN option, since we will be using this connection in our LAN.
On the Advanced tab we can configure server authentication settings when connecting to a server that does
not support Network Level Authentication. Here we can also configure settings to connect trough Remote
Desktop Gateway which allows us to connect to a remote computer on another network over a public or
Internet network.
218
www.utilizewindows.com
Management
Configuring and Using Remote Desktop in Windows 7
We have now saved this connection on our Desktop. When we double-click it, we will get this warning:
Figure 363 - Connection Publisher WarningSince we are not in a domain environment, there is no trust implemented between our two computers, so we
get a warning about that. In our case we know that it's a trusted computer, so we'll connect to it. We can also choose the "Don't ask again" option.
This is actually the Network Level Authentication part. There is no Remote Desktop session open until we
provide our username and password. If we didn't have Network Level Authentication enabled, it would first
open the Remote Desktop session and then would've asked us for credentials.
When connecting through Remote Desktop we are using certificates to secure the connection. Also, because
these machines are in a workgroup environment, the certificates are self-signed and created on each machine.
219
www.utilizewindows.com
Management
Configuring and Using Remote Desktop in Windows 7
Since we trust this machine, we can click Yes, and the Remote Desktop session will be established.
When we connect to the client, we will see the actual desktop on the remote computer. Users on the remote
computer will see that someone is logged on remotely, but they won't see or be able to use the computer. So,
the shadowing is not supported and users on the remote computer can't view the screen. So, we actually take
control of the computer.
If we tried to login as a different user, and there was a user currently logged on the remote computer on the
other end, we would see this warning:
220
www.utilizewindows.com
Management
Configuring and Using Remote Desktop in Windows 7
Also, the user on the remote machine would've been asked if they want to allow us to connect.
If they don't respond, they will be logged out and we will be allowed to connect. Once we are connected, we
can simply click on the X mark to disconnect the session.
221
www.utilizewindows.com
Management
Configuring and Using Remote Desktop in Windows 7
We can also go to the Start menu and log off, and this will actually log us off from that remote machine. If we
disconnect, we actually stay logged on. So, this way we can connect to our remote machine again (or log on
locally with the same user account) and everything will be as we left it when we disconnected.
We can also run Remote Desktop from the command line. For example, to connect to the "WIN-7-VM2"
machine we would enter the following command:
mstsc /v:WIN-7-VM2
222
www.utilizewindows.com
Management
Remote Assistance in Windows 7
Remote Assistance
The main benefit of Remote Assistance is that it can be initiated from remote user. Once the session is
established, we can view their screen and chat with the remote user.
In order for Remote Assistance to work, it must be enabled on the destination computer. By default, Remote
Assistance is enabled, but we can check this in the System Properties, on the Remote tag. To open System
Properties, go to Control Panel > All Control Panel Items > System.
Have in mind that Remote Assistance is different and separated from Remote Desktop. Computer can have
Remote Assistance access without having Remote Desktop enabled, and vice versa.
223
www.utilizewindows.com
Management
Remote Assistance in Windows 7
If we click on the Advanced button, we can specify if we want to allow our computer be controlled or not, and
specify how long the invitations can remain open.
When the Remote Assistance session is established, the person who is helping can request to control the
machine. We can take away that option by unchecking this box. By default, invitations last six hours after we
create them. If the invitation is not used until then, it will expire. On this window we can also make sure that
invitation cannot be run from any machine other than Windows Vista or later. If we check this, Windows XP
machines won't be able to use that invitation to initiate a Remote Assistance session.
Creating Invitations
To create an invitation, which is the first step in establishing a Remote Assistance connection, we can go to
Start > All Programs > Maintenance > Windows Remote Assistance. On this screen, we can either invite
someone to help us or we can help someone that's inviting us by opening their invitation.
224
www.utilizewindows.com
Management
Remote Assistance in Windows 7
Let's click on the "Invite someone you trust to help you". There are three ways in which we can create
invitation.
We can save an invitation to a file and then send it to someone, send it using compatible e-mail program
(Outlook, Thunderbird, etc.), or use Easy Connect. Easy Connect works primarily with a LAN network. It
basically uses a form of broadcast mechanism where another computer on that same LAN can detect the Easy
Connect connection. As long as they have the password for the Remote Assistance, they can connect.
In our case, we will save the invitation as a file to our local C:\ drive. We can call it anything we want.
225
www.utilizewindows.com
Management
Remote Assistance in Windows 7
This password needs to be communicated with the person who will help us. Otherwise without this password
they will not be able to connect.
Establishing a Connection
So, now we have sent this invitation that we have generated using web mail, and we have phoned the person
who will help us and told him the password. The user who will help us can establish a connection to us in two
ways. He can choose the "Help someone who has invited you" option from the Windows Remote Assistance
window. When he chooses that option, he will see this options.
226
www.utilizewindows.com
Management
Remote Assistance in Windows 7
So, he can click the "Use an invitation file" and then browse for the invitation he got from the remote user, or
he can try to use Easy Connect method. Another method is to simply double double-click the Remote
Assistance invitation file. This will open up Remote Assistance and ask us for the password.
When he enters the password, and clicks OK, he still won't be able to connect until we, on the other end, allow
him to connect.
227
www.utilizewindows.com
Management
Remote Assistance in Windows 7
Once we click Yes, the connection will be allowed, and the user who is helping us will be able to view our
screen.
So, the default setting is view only, and helper cant really interact with the machine. We can open the Chat
feature and chat with the remote user to give them directions.
228
www.utilizewindows.com
Management
Remote Assistance in Windows 7
The helper can also request control by clicking the "Request control" button.
We will receive a prompt asking us if we want to allow him to take control of our machine.
229
www.utilizewindows.com
Management
Remote Assistance in Windows 7
Note that here we can also select to allow the helper to respond to User Account Control prompts as well. If
we don't select this, if any User Account Control prompts open up, the helper won't be able to respond to
them, but we at the actual computer will be able to respond to them. If we check this box, this will allow the
session to connect with the User Account Control prompts and allow the helper to respond to them.
To close the session we can click on the "Stop sharing" button, or simply close the Remote Assistance window.
Have in mind, Remote Assistance requires both name resolution and TCP/IP connectivity.
230
www.utilizewindows.com
Management
System Recovery in Windows 7
Restore Point
We can use restore points to recover from a damaged Windows installation. If we have problems with our
system, but we can still log on to Windows, we can open up the Backup and Restore console in the Control
Panel, and choose "Recover system settings or your computer" option, which is located at the bottom.
231
www.utilizewindows.com
Management
System Recovery in Windows 7
From here we can choose the restore point from the list. In our case we only have two restore points. In our
case we will choose the latest one and click Next. On the next screen we will get a description of our action.
232
www.utilizewindows.com
Management
System Recovery in Windows 7
Keep in mind that system restore does not touch our user files. Only system data and system settings will be
affected. When we click finish, the restoration will begin. Reboot will be required.
In advanced methods, we can use a system image which we created earlier, or we can reinstall from scratch
using Windows installation media.
233
www.utilizewindows.com
Management
System Recovery in Windows 7
When we try to use system image option, it will first ask us to back up existing files, before continuing. After
that it will ask us to reboot our computer, after which we will be able to select the system image to restore
from. The media on which the image is located has to be connected to the computer.
All this is great, but what if we can't boot to our system at all.
234
www.utilizewindows.com
Management
System Recovery in Windows 7
On the next screen, instead of clicking the "Install now" option, we click the "Repair your computer" option.
This will show us system recovery options.
235
www.utilizewindows.com
Management
System Recovery in Windows 7
If we don't have Windows installation media or System Repair Disk, we can try and press the F8 key on our
keyboard during boot. We will get a menu like this:
236
www.utilizewindows.com
Management
System Recovery in Windows 7
On this menu we select the "Repair Your Computer" option which will show us a list of recovery tools.
On this screen we will select System Image Recovery Option and then select the system image we created
earlier. From this point on, we will be asked about how we want to partition our disks (do we want to keep
237
www.utilizewindows.com
Management
System Recovery in Windows 7
current partitions or use partitions from the image), and we will also be warned that we will lose all current data
on our disk (since the restore will use all data from the system image and overwrite all existing data).
238
www.utilizewindows.com
Security
Credential Manager in Windows 7
Security
Credential Manager in Windows 7
Before you start
Objectives: Learn what is Credential Manager, why it is used, where to find it, and how to manage saved
credentials used to gain access remote resources.
Prerequisites: you have to be familiar with tools which can be used in Windows to manage authentication
locally, with sharing permissions, with UNC paths, and with Windows user accounts.
Key terms: credentials, Windows, ID, access, manager, password, username, vault, resource, provider
When we click OK, we will be asked to enter our credentials. We will do that now.
239
www.utilizewindows.com
Security
Credential Manager in Windows 7
Notice that we can check "Remember my credentials" box. If we don't check that box, we will have to enter
our credentials every time we want to access this resource. Remember that in this case our computers are not
on a Windows domain. If we were on a domain, Windows would automatically check our credentials against
Active Directory. Since we are working with local user accounts, we must specify the name of the computer
where the user is located. This is because every computer in the Workgroup environment has its own users.
That's why we have entered "lenovo\mediacenter" as the user name, "lenovo" being the name of the
computer, and "mediacenter" being the actual username. So, we have to know the username and password
information located on the computer that we want to connect to. This is how Workgroup environment works.
We will also check the "Remember my credentials" box.
Once we click OK, if we entered credentials correctly, we will be connected to the Lenovo computer. We can
see that there is one shared folder and one shred printer on that computer.
240
www.utilizewindows.com
Security
Credential Manager in Windows 7
If you are unable to connect to the remote machine, and you are sure that you have entered username and
password correctly, make sure that remote access and sharing is enabled on your remote machine. You can do
that in Network and Sharing Center under Advanced Sharing Settings.
Managing Credentials
Since we have chosen to save our credentials we will be able to access our remote resource without entering
our credentials again. But the question is, where are those credentials saved? The answer is the Security Vault
which we can manage using the Credential Manager located in Control Panel.
Notice that under Windows Credentials section we have saved user name and password for the "lenovo"
computer. Here we can edit that credential or remove it from the vault. We can even add additional Windows
credentials by specifying the name of the server, username and the password.
241
www.utilizewindows.com
Security
Credential Manager in Windows 7
We can also enter certificate credentials if we want to authenticate with the resource using certificates or smart
cards. We can even enter generic credentials for non-Windows resources like websites or applications.
We can always backup our vault. To do that we can simply click on the "Back up vault" option. In our case we
will save them to the Desktop, but for restoring, it is better to save them to removable media.
When we click Next, we have to somehow protect those credentials. Before we enter the password for our file
Windows 7 wants us to enter Secure Desktop and to do that we are prompted to press Control+Alt+Delete.
Once we are in Secure Desktop we can go ahead and enter a password for our backup file.
242
www.utilizewindows.com
Security
Credential Manager in Windows 7
Now that we have our credentials backed up, we can always restore them using the "Restore vault" option in
Credential Manager.
In Windows 7 we can also link our Windows account to an online ID. With online IDs we can easily access
online resources with our online ID. To link our Windows account to an online ID, we can simply click on the
"Link online IDs" option.
The first thing we have to do is install an online ID provider. When we click on the "Add an online ID
provider" option, we will be redirected to a web page where we can download ID providers. At the time of
writing this article there is only one option and that is Windows Live Sign-in Assistant.
243
www.utilizewindows.com
Security
Credential Manager in Windows 7
So we will download that provider and install it. When the provider is installed, it will be available in the Online
ID Provider list.
When we link our account with our Windows Live ID, we won't have to enter credentials for resources related
with that online ID.
244
www.utilizewindows.com
Security
Running Apps as Different Users with Run As in Windows 7
Run As
When we right click some application, we will see an option to simply open the application, or to run it as
administrator.
If we choose the "Run as administrator" option, the app will open with administrative rights. One other option
that we have is to hold the Shift key while we right click on the app icon. This will bring the "Run as different
user" option on the list.
245
www.utilizewindows.com
Security
Running Apps as Different Users with Run As in Windows 7
With the "Run as different user" we can open the app with someone we actually specify. This way we can test
applications as other users. In order for this feature to work, the service "Secondary Logon" has to be started.
The Secondary Logon service is configured to start manually by default. So, we should set it to start
automatically if we plan to use "Run as different user" feature.
Let's see an example. We have a user account named Students which is member of the Users group only.
Now, let's try to open Computer Management snap-in as that user and try to do some things that only
administrators should be able to do. First we will right click Computer Management and choose the "Run as
different user" option.
246
www.utilizewindows.com
Security
Running Apps as Different Users with Run As in Windows 7
Btw. Computer Management icon can be found in Control Panel > Administrative Tools (icons view). When
we do that, the Windows Security window will appear. Here we have to enter the user name and the password
of the user which we want use to open the application (Students in our case).
The Computer Management console will appear. Keep in mind that we will be able to do some actions as
ordinary user here, but some actions should be denied. For example, if we try to create a new user account in
the Local Users and Groups, we will get a warning like this:
247
www.utilizewindows.com
Security
Running Apps as Different Users with Run As in Windows 7
We were denied to create a new user. Remember, this happened because we ran the Computer Management
console as a Students user account which is member of the Users group only (it doesn't have administrative
rights).
Also, let's try to check Device Manager and see what happens.
We got a warning that we can only view device settings (not change them), since we are logged on as a standard
user (actually we ran the app as a standard user). So, as we can see, this feature is great if we need to test how
our apps will behave when different types of users try to use them.
www.utilizewindows.com
Security
Running Apps as Different Users with Run As in Windows 7
the application. In our case we will again use the Students user account and we will try to open the Registry
Editor. The full path to Registry Editor app is C:\Windows\system32\regedit.exe. The full command looks
like this: runas /user:Students C:\Windows\regedit.exe. When we hit Enter, we will be prompted to enter
the password for Students.
We can specify to save the credentials so we don't have to enter the password every time we run the
command. To save the credentials, we simply enter /savecred switch in the command, like this: runas
/user:Students /savecred C:\Windows\regedit.exe. We can use the Credential Manager (located in Control
Panel) to manage saved credentials.
Keep in mind that runas cannot execute an application that requires elevation if the target user account's UAC
settings include prompt for consent or prompt for credentials.
249
www.utilizewindows.com
Security
User Account Policies in Windows 7
250
www.utilizewindows.com
Security
User Account Policies in Windows 7
Of course, we can change those settings to suit our needs. For example, if we select "Allow log on trough
Remote Desktop Services" policy, we add specific user or group of users to the list, or remove them.
Account Policies
Under Security Settings let's check Account Policies. Under Password Policy we can change things such as
maximum and minimum password age, minimum password length and complexity requirements, etc.
In our case these settings are not configured, but we can change that to suit our needs. For example, it is a
good idea to change the minimum length of passwords from 0, to prevent blank passwords.
251
www.utilizewindows.com
Security
User Account Policies in Windows 7
If we set the "Minimum password age" option to 5, users who change password won't be able to change it
again for 5 days. Minimum and Maximum password age options are only applied to users which don't have
"Password never expires" option set. For example, user Kim Verson has "Password never expires" option
checked, so minimum and maximum password age is not applied to Kim (we have used Local Users and
Groups in Computer Management to check this).
If we enable Password history policy, users will have to use unique passwords every time they change it.
Maximum password age has to be configured for password history to take effect. Maximum password age
enforces users to change passwords after specified length of time. Password complexity policy prevents using
simple passwords which are easy to crack. If we set that option, users will have to use special characters in their
passwords, with minimum of 6 characters, and won't be able to use dictionary words or any part of user login.
If we set the "Store passwords using reversible encryption" should not be set, since passwords will essentially
be readable as plaint text.
252
www.utilizewindows.com
Security
User Account Policies in Windows 7
The next thing we can check is Account Lockout policy.
Keep in mind that these account lockout policy applies to all users on local computer, including the
Administrator account. If we only have one administrative account on the machine and that account gets
locked out, we won't have any way to log in to the machine with the user which has administrative rights any
more. This is the case on local machines, so we should be careful when setting account lockout policy on local
machines. The value of 0 in "Account lockout threshold" means that accounts won't be locked out. If we
specify some other number here, the system will count invalid log on attempts and then lockout the user after
the specified threshold. We can also specify the duration of the lockout and how much time the counter of
invalid log on attempts is remembered.
253
www.utilizewindows.com
Security
Editing NTFS Permissions in Windows 7
Folders
For this demonstration we have created an "NTFS demo" folder on our C partition. Inside of that folder we
have three subfolders: "Admins", "Kim Verson", and "Marko".
In our case, we want to allow access to certain folders only for specific users. For example, only computer
administrators should have access to the "Admins" folder. Only administrators and Kim Verson should have
access to the "Kim Verson" folder, and only administrators and user Marko should have access to the "Marko"
folder.
Inheritance
As you should already know, child objects (files and folders) inherit permissions from their parent, by default.
So, in our case, by default, "NTFS demo" folder will inherit permissions from the C drive. Let's check this out.
We will right click the "NTFS demo" folder and go to its properties, then open the Security tab, and then click
on the Advanced button.
254
www.utilizewindows.com
Security
Editing NTFS Permissions in Windows 7
Notice that the option "Inherit inheritable permissions from this object's parent" is checked by default. Also,
notice that permissions are inherited from "C:\". The next thing we should do on the "NTFS demo" folder is
remove inheritance. This way, our new permissions won't be affected by the permissions set on the C drive. To
remove inheritance, we can click on the "Change Permissions..." button on the Advanced window, and then
uncheck the box for "Include inheritable permissions from this object's parent" option. When we do that, the
Windows Security window will appear.
255
www.utilizewindows.com
Security
Editing NTFS Permissions in Windows 7
At this point we have to options. We can keep all current permissions on that folder and then work with them,
or we can remove all current permissions and set new ones from the beginning. The recommended thing to do
is to Add current permissions, which will make all current permissions explicit. This way we know which
permissions were previously set on the object. When we do that, notice the "Inherited From" column. It
changed from "C:\" to "<not inherited>", which is what we want for "NTFS demo" folder.
Inheritance Removed
Now we can manually make changes to permissions on "NTFS demo" folder, and permissions on C drive
won't affect them. But, what about subfolders in "NTFS demo" folder. Let's check the Security tab for "NTFS
demo" folder, and for one subfolder, for example, "Admins".
256
www.utilizewindows.com
Security
Editing NTFS Permissions in Windows 7
Notice that the Allow column for "NTFS folder" has black check marks, while "Admins" folder has check
marks which are grayed out. This means that permissions for the "Admins" folder are inherited. Let's click on
the Advanced button on the Security tab for the "Admins" folder.
Notice that subfolders in "NTFS demo" folder now inherit permissions from the "NTFS folder" itself.
Proper Inheritance
Now we have one problem which considers inheritance. All subfolders in "NTFS demo" folder have the same
permissions as "NTFS demo" folder. This is a problem because if we check permissions on the "NTFS demo"
folder, we will see that all users have access to that folder, and since subfolders will inherit those permissions,
all users will have access to all subfolders in "NTFS demo" folder, which is not what we want. Because of that
fact, we have to modify permissions on the "NTFS demo" folder. First, we will remove all permissions except
for the Administrators group, which can have full control. Our permissions on the "NTFS demo" folder now
look like this.
257
www.utilizewindows.com
Security
Editing NTFS Permissions in Windows 7
If we only leave it like this, only administrators will have access to "NTFS folder" and its subfolders. Since all
users have to go to "NTFS demo" first to get to their own folder, we also have to ensure that other users can
list "NTFS demo" folder content. Beware that we also have to ensure that they don't have access to all
subfolders in "NTFS folder", but only their specific subfolder. For this to happen, we will add permissions for
"Authenticated Users" group again and give it the "Read & Execute" permission. Authenticated Users group
contains all users which log on to the machine. We should always use Authenticated Users group instead of
Everyone group, since users have to at least authenticate to get access. Everyone group will enable access for
anonymous users as well.
258
www.utilizewindows.com
Security
Editing NTFS Permissions in Windows 7
If we leave it like this, this permission will again be propagated to all child objects in "NTFS demo" folder. We
have to change that. We have to set this permission only for "NTFS demo" folder. For this we have to click on
the Advanced button on the Security tab, and check the Apply To column. Notice that now permissions will be
applied to this folder, subfolders and files.
To change this we will click on the "Change Permissions..." button, and double click on the permission for
"Authenticated User". On the "Permission Entry for NTFS demo", we will change the "Apply to" option to
"This folder only".
259
www.utilizewindows.com
Security
Editing NTFS Permissions in Windows 7
When we do that, permission for Authenticated Users group will only be applied for "NTFS demo" folder, and
not its subfolders. This way we ensure that all users can access "NTFS demo" folder, but don't have access to
specific subfolders.
So, the next thing to do is give explicit permissions to specific user for certain subfolder in "NTFS demo"
folder. For example, we will give the Modify permission to user Kim Verson for subfolder "Kim
Verson". Remember that maximum permission we should give to ordinary users is the Modify permission.
The difference between "Full control" and "Modify" permission is that users with "Modify" won't be able to
take ownership of the object or change its permissions.
260
www.utilizewindows.com
Security
Editing NTFS Permissions in Windows 7
To conclude, we have enabled access for all users to "NTFS demo" folder by using Authenticated Users group
which is not propagated to subfolders. Administrators have full control on "NTFS demo" folder, and this
permission is propagated to all child objects (files and folders) in "NTFS demo" folder. We have set explicit
permissions for specific users so that they can access their own subfolder (additional, explicit permissions, can
be added even when inheritance is enabled).
Special Permissions
As you should know, the 6 standard NTFS permissions are actually collections of more granular, special NTFS
permissions. For most situations, standard permissions provide enough control. In some situations we might
need more specific NTFS permissions. In fact, we already used special permissions when we set the
propagation level of permission in previous example. Propagation level is configured using the "Apply to"
option in advanced permission configuration. We have several options here like "This folder only", "Subfolders
and files only", "Files only", etc.
We can also configure special permissions for users in a way that they can only create new objects, but can't
delete them (or vice versa ;) ). For example, let's add a special permission for user Marko for the subfolder
"Marko", so that he can only add new files and folders, but can't delete them. For that we will go to the
Security tab and add user Marko with "Read & Execute" permission. Next, we will click the Advanced button,
261
www.utilizewindows.com
Security
Editing NTFS Permissions in Windows 7
and then click on the "Change Permissions..." button, and click on Edit button for Marko entry. Here, we will
see that some special permissions will already be selected because we gave Read & Execute permission
previously. So, for user to be able to add new objects, we also have to select permissions "Create files / write
data", "Create folders / append data", "Write attributes", and "Write extended attributes". Since we don't want
to allow user to delete files and folders, we won't select permissions "Delete subfolders and files", and
"Delete".
Effective Permissions
To check the effective permissions for specific user or group, we can go to Effective Permissions tab in
Advanced section. For example, let's check what permissions has the Users group on the "Marko" folder.
262
www.utilizewindows.com
Security
Editing NTFS Permissions in Windows 7
In our case, the Users group doesn't have any permissions on the "Marko" folder, and this is what we want.
Effective permissions can be very useful when we want to check permissions for users which belong to
multiple groups, because it also takes into account the inheritance and propagation levels. This way we don't
have to manually calculate the final permissions.
263
www.utilizewindows.com
Security
Advanced Sharing Settings in Windows 7
Domain - in this case computers are connected to an Active Directory domain. This location type will
be selected automatically when we join our computer to the domain.
Home - this location is a trusted (also called private) local area network
Work - this location is a trusted (private) local area network. This option is typically used when
domain is not implemented in work environment.
When we connect to a new network, we will get a prompt to choose the location for our network connection.
We can always change this later, if we need to.
264
www.utilizewindows.com
Security
Advanced Sharing Settings in Windows 7
When it comes to sharing, we should first check settings on the "Change advanced sharing settings" option in
our Network and Sharing Center.
265
www.utilizewindows.com
Security
Advanced Sharing Settings in Windows 7
In our case we are currently connected to our work network, so let's check out options in that profile. The first
option is "Network discovery". Network discovery option enables our computer to discover (to see) other
computers on the network, and other computers will be able to discover our computer.
Keep in mind that if we disable Network discovery, we don't disable other forms of sharing. As you can see on
the picture, File and printer sharing is another option. When we enable file and printer sharing, files and
printers that we have shared on our computer can be accessed by other users on the network. With this type of
sharing we have more control over who we share our files with on the network.
The Public folder sharing option enables network users to access our public folder. Public folders can be read
and written to by all users. Even network users will be able to write files to our public folder. Files shared with
266
www.utilizewindows.com
Security
Advanced Sharing Settings in Windows 7
public folder sharing are found in the C:\Users\Public folders. Public folder sharing is more simple and
quicker, but we can't set permissions for individual users (all users have access).
Another option is Media streaming. When media streaming is on, people and devices on the network will be
able to access pictures, music and videos on our computer. Also, our computer will be able to find media
resources on the network. In Media streaming options we will be able to name our media library, choose on
which networks to share, and what type of media to share.
File sharing connections option allows us to protect share connections using a 128-bit encryption, or 40- or 56bit encryption for legacy devices.
267
www.utilizewindows.com
Security
Advanced Sharing Settings in Windows 7
The Password protected sharing option means that only users which have a user account and password on our
computer can access our shared files and printers, and Public folders. If we want to give other users access,
we'll have to turn off this option.
The HomeGroup connections option is only available in the Home Network profile. It determines how
authentication works for HomeGroup resources. HomeGroup is a simple way to manage sharing and
authentication on Home networks running Windows 7. If all computers in the HomeGroup have been
configured with the same usernames and passwords, we should choose the "Allow Windows to manage
homegroup connections" option. However, if we have different users and passwords on each computer, we
should use the second option.
268
www.utilizewindows.com
Security
Working With Shared Folders in Windows 7
Shared Folders
As you know, in Windows 7 we can set up Shared Folders in three different ways: Basic, Advanced and Public
folder sharing. We will now see how that works. For the purpose of this article we will create a folder named
"demo" on our Desktop. Next, we will right click it, select its Properties, and then open the Sharing tab.
269
www.utilizewindows.com
Security
Working With Shared Folders in Windows 7
Notice that we can see two Sharing sections on this tab. The first section is named Network File and Folder
sharing. Here we have a Share button which will take us to the Basic sharing options. On the Advanced Sharing
section we can click on the Advanced Sharing button which will take us to advanced options.
Basic Sharing
To edit Basic sharing options we simply click on the Share button in the first section.
Basic Sharing
This interface is a bit simpler than in Advanced Sharing. Here we can choose the users and groups and then
add them to the list. When we click Add, we can then change Permission Level by choosing appropriate
permission from the list.
Notice that we can only give Read and Read/Write permissions. Owner permission is set for the user who
created the share.
When we click the Share button, we will get a UNC path to the shared folder which we can then copy and send
to other users. They will have to enter the whole path to access our shared folder.
270
www.utilizewindows.com
Security
Working With Shared Folders in Windows 7
To stop sharing folder in this Basic configuration, simply right-click shared folder, select the "Share with"
option, and then select "Nobody".
Right-Click Sharing
We can also share any folder by right-clicking it and then selecting the "Share with" option.
This way we can share folder directly to a HomeGroup with Read or Read/Write permissions. We can also
choose the "Specific people" option which will take us to the Basic Sharing screen that we already saw above.
Advanced Sharing
Advanced Sharing is the original way of sharing things in Windows and administrators will almost always want
to use this method of sharing.
Let's click on the Advanced Sharing button. We will enter the "demoshare" as our share name (the share name
can be different from the name of the folder).
271
www.utilizewindows.com
Security
Working With Shared Folders in Windows 7
Notice that here we can limit the number of simultaneous users here, and that we can edit permissions and
caching options. Let's check out Permissions by clicking on the permissions button.
272
www.utilizewindows.com
Security
Working With Shared Folders in Windows 7
Notice that the Everyone group by default has Read permission on shared folders. Here we can now add other
users or groups and set their Share permissions.
Let's click on the OK buttons and check our shared folder in Windows Explorer. To do that we will enter the
UNC path to our share. Our computer name is WIN-7-VM and we know that the share name is "demoshare".
The UNC path syntax is \\computername\sharename. So, the UNC path to our share is \\WIN-7VM\demoshare. To check your computer name you can go to System properties (right-click your computer
icon and select Properties option). Let's enter the UNC path to our WIN-7-VM computer to see all shared
folders.
273
www.utilizewindows.com
Security
Working With Shared Folders in Windows 7
Note that we can see our demoshare folder and the Users folder. We see the Users folder because this is where
the Public folder is located. Now, what if we want to share some folder but we don't want it to be visible to all
users? To do that we can use Administrative Share. To configure administrative share, we simply put the $ sign
after the share name. For example, let's add another share name to the same folder but this time with the $ at
the end. The added share name will be "demoadmin$". To add another share name, we simply click on the Add
button on Advanced Sharing window. When we Add new share, we will get a new window to enter options.
When we click OK, the "demoadmin$" will be added to the list of share names.
Notice that the "demoadmin$" is not listed, and that's great. We can still access that share by entering the
whole UNC path manually: \\WIN-7-VM\demoadmin$.
274
www.utilizewindows.com
Security
Working With Shared Folders in Windows 7
Now, remember that share permissions and NTFS permissions work together. The most restrictive permission
is the effective permission. Administrators sometimes give Full control to Everyone group in share
permissions, and then manage user permissions using NTFS permissions. This way administrators manage
permissions from one location.
To delete that share we can enter the command net share docs /delete. For the full syntax of the net share
command enter net share /?.
275
www.utilizewindows.com
Security
HomeGroups in Windows 7
HomeGroups in Windows 7
Before you start
Objectives: Learn how to create, how to join, and how to edit HomeGroup in Windows 7.
Prerequisites: you have to know what is sharing and what is HomeGroup in general.
Key terms: HomeGroup, Windows 7, sharing, libraries, permissions
HomeGroup
We can use HomeGroup feature in Windows 7 to simply share data between multiple computer in a home
network. Have in mind that we can only have one HomeGroup per LAN network. So, it's basically designed
for home environments. Only members of the HomeGroup will have access to shared data. HomeGroups are
protected with password.
To create a HomeGroup, we can go to Control Panel > HomeGroup. We will get the following screen.
If a HomeGroup already exists on the network, we will see it on this screen. Then we will be able to join that
existing HomeGroup. So, on this screen we can click on the "Create a homegroup" button. Another way
HomeGroup is typically created is when you change a location for your network to the "Home network". Go
to the Network and Sharing Center and try to change the location for your network to the Work network, and
then back to the Home network. When you do that, you will get the following screen.
276
www.utilizewindows.com
Security
HomeGroups in Windows 7
This screen is the same one when we try to create HomeGroup in Control Panel. So, all we have to do is select
what we want to share. In our case we will select all options except documents. Once the HomeGroup is
created, we will see a HomeGroup password.
We should save this password in secure place. The password is case sensitive. When we click Finish, the
HomeGroup will be created. Now, we can go to our Computer and select Homegroup from the menu. If no
one joined our homegroup, we will see the following screen.
277
www.utilizewindows.com
Security
HomeGroups in Windows 7
People on other computers will see a screen like this when they open HomeGroup.
When users join existing Homegroup, they will also have to specify things they want to share. Also, users will
have to enter the password for the Homegroup in order to join it. Once they join the Homegroup, they will
start seeing things from users on the homegroup under the Homegroup section in Windows Explorer.
As you can notice, we actually share libraries in HomeGroup. As you should know, by right-clicking on specific
library, we can specify how we want to share them. We can specify if we'll only give read permissions or
Read/Write permissions for Homegroup users.
278
www.utilizewindows.com
Security
HomeGroups in Windows 7
If we give Read/Write permission, users from other computers will be able to edit existing and create new files
on our computer. We can also create our own custom libraries and share them on HomeGroup.
To change HomeGroup settings, we can always go to the Control Panel > HomeGroup.
279
www.utilizewindows.com
Security
Configuring Auditing in Windows 7
Group Policy
In order to manage auditing, the first thing we have to do is go to our Group Policy editor. To do that we can
enter "gpedit.msc" in search, and open the gpedit program. Next, we have to navigate to Computer
Configuration > Windows Settings > Security Settings > Local Policies > Audit Policy.
Here we can see all auditing policies. In our case we will try to audit files and folders. For that we will select the
"Audit object access" policy and select the Success and Failure options.
280
www.utilizewindows.com
Security
Configuring Auditing in Windows 7
The next step is to select the folder which we want to audit. For this demo, we have created C:\Docs folder.
Inside of Docs we will have Admin Data and User Data folders. We have configured security settings in a way
that all users can create data in User Data folder, but they can't delete them.
Now let's go to the Properties of the User Data folder, then Security tab > Advanced button, and then the
Auditing tab. Click the Continue button to in order to see auditing properties.
Here we will click the Add button, and enter the Authenticated Users object.
281
www.utilizewindows.com
Security
Configuring Auditing in Windows 7
When we click OK, we will be asked to select auditing entries. In our examples we will select Successful and
Failed Delete options.
Now that we have set up auditing, we have to wait for our users to take actions. After some time, we can check
Event Viewer to see if there were successful or failed auditing events. All audit events are stored in the
Windows Logs > Security. In our case we have logged on with user Kim Verson, and tried to delete a file in
User Data folder, so let's see how we can find this in Event Viewer. In our case we had to use Filter and Find
option to find appropriate entry shown on the picture below.
282
www.utilizewindows.com
Security
Configuring Auditing in Windows 7
In the details of the event we can see that the user Kim Verson tried to delete a file from User Data folder, but
that action was restricted. As you can see, there are many more auditing events listed. Be sure to check out at
least some of them.
283
www.utilizewindows.com
Security
Configuring Auditing in Windows 7
Advanced Auditing can give us better view of what's going on our computer.
284
www.utilizewindows.com
Security
Encrypting File System in Windows 7
On our computer we have a user named "Kim Verson". If we log on with that user account, we can create a
file in a EFS-demo folder. That's because all authenticated users have the permission to work in that folder. For
this demo, Kim Verson will create a file named "Verson CV.txt".
285
www.utilizewindows.com
Security
Encrypting File System in Windows 7
The next thing we will do is encrypt that file. To do that we have to go to the properties of the file, and click on
the Advanced button on the General tab. This will open the Advanced Attributes window.
Here we have to select the "Encrypt contents to secure data" option. When we click OK, the system will
prompt us to encrypt the whole folder. Since we are encrypting a specific file, the parent folder will remain
unencrypted, so any files that we put in the folder will remain unencrypted. The recommended practice is to
encrypt folders, and not files. When we encrypt folder, and file that we create in that folder will automatically
be encrypted.
286
www.utilizewindows.com
Security
Encrypting File System in Windows 7
For this demo we will only encrypt the file, and not the folder. Notice that the Details button is grayed out. It
will become available when we encrypt our file. When we click OK, the color of our file will change to green,
indicating that our file is now encrypted. Also, we will get a prompt to back up our encryption key.
Keep in mind that when we are not in a domain environment, our computer will locally generate certificates for
EFS encryption. That's why it is very important to back up our encryption keys.
So, to recap, Kim Verson created the file "Verson CV" in a folder accessible by all users on the computer. Kim
encrypted that file, and because of that, other users won't be able to access it, despite of NTFS permissions.
Let's try this now. We will log on as a different user and try to open Verson CV file.
287
www.utilizewindows.com
Security
Encrypting File System in Windows 7
As we can see, the access to the file is denied to other users. So, each user can encrypt their own files, and other
users wont be able to open them, despite all NTFS permissions.
EFS Certificates
EFS certificates for each user are created when the user first encrypts some file. In local environment, each
certificate is stored locally within the users profile. This means that if we copy our encrypted file to another
computer, we wont be able to open them (since there is no EFS key for our user on the other computer). In
order to be able to open our encrypted files on other local computers, we have to export our private keys and
import them on other computers.
Let's add another file called Marko CV to the same folder and encrypt it. If we open properties of our
encrypted files and open the Advanced Attributes, we'll notice that now we can click the Details button. When
we do that, we will see the list of users who can access the file.
288
www.utilizewindows.com
Security
Encrypting File System in Windows 7
Notice that here we have an Add button. With this we can add more users to the list of users who can access
our files. When we click the Add button, we will be presented with the list of user certificates. We have to
select the certificate of the user to which we want to allow access.
289
www.utilizewindows.com
Security
Encrypting File System in Windows 7
So, we can share an encrypted file with multiple users, as long as we have access to their certificates. Keep in
mind that other users will be able to provide access to other users as well.
Recovery Agent
By default, in Windows 7 there is no default recovery agent designated in local environments. There is no single
user which can access all files. To create a recovery agent, we first must generate a pair of recovery keys. To do
that, we will open CMD as Administrator. In CMD, we will run the "cipher /r:RecoveryAgent" command. In
our case we have logged on to our computer as an Admin user which is a member of the Administrators group.
290
www.utilizewindows.com
Security
Encrypting File System in Windows 7
We will have to enter the password which will be used to protect our generated files. With this we get a selfsigned local certificate and a local private key certificate with the name of "RecoveryAgent". The next thing to
do is to import those keys into local Group Policy. To do that, we will open local group policy (enter
gpedit.msc in search) and go to Computer Configuration > Windows Settings > Security Settings > Public Key
Policies > Encrypting File System. Next, we have to right-click the Encrypting File System and select the Add
Data Recovery Agent option.
The wizard will open. On the Select Recovery Agents screen we have to browse to our generated certificates in
EFS-demo folder. When we select our certificate we will get a warning that Windows can't determine if the
certificate has been revoked. This is because this is a self-signed certificate, so we can click Yes in this case.
When we do that, we will see our certificate in the list.
When we click Next and Finish, we will see our Recovery Agent certificate in the Encrypting File System node.
This certificate will allow our Admin user (we have created this certificate with the Admin user) to recover
encrypted files as well.
291
www.utilizewindows.com
Security
Encrypting File System in Windows 7
We can add multiple recovery agents (different users). All we have to do is generate keys while logged on as a
specific user.
When we have designated our recovery agents, we have to run the "cipher /u" command in order to update all
encrypted files with the designated recovery agents. We will enter that command as Admin user.
Notice that Marko CV file was updated (file created by Admin), while the Verson CV file couldn't be
decrypted. To decrypt Verson CV file we have to log on as Kim Verson and then run the cipher /u command
again. We have to do that for all user accounts. This is because we have created Recovery Agents after the users
have already encrypted their files. That's because it is best to designate recovery agents before users start to
encrypt their files. That way recovery agents will be added automatically, so we don't have to run cipher /u
command.
Backing up Keys
It is very important to back up EFS keys. There are two ways to do that. We can click on the prompt to back
up our key. We can also go to Control Panel > User Accounts and click on the "Manage your file encryption
certificates" option. When exporting certificates we will be able to choose the format. We should export all
certificates in the certification path.
292
www.utilizewindows.com
Security
Encrypting File System in Windows 7
On the next screen we will have to enter our password for the exported certificates, to keep them secure.
We will also have to specify the location of the exported file. We should always copy this file and keep it in a
safe place. Make sure that you know the location and the password for exported certificates.
Another way to work with certificates is the Certificate Snap-in in the MMC console. We can also export our
keys from there.
293
www.utilizewindows.com
Security
Configuring BitLocker in Windows 7
BitLocker Configuration
The first requirement for BitLocker is that our computer should have a TPM chip installed on the
motherboard. The TPM chip must be enabled in the BIOS. After that we can go to the BitLocker
configuration in Windows. We can find BitLocker in Control Panel, and the screen looks like this.
As we can see, here we can turn on BitLocker. When we click that option, the BitLocker wizard will appear.
The thing is, in our case, our computer doesn't have a TPM chip installed. If that's the case, we will get the
following message.
However, we can still enable BitLocker, even if we don't have a TPM chip. To do that, we have to configure
some Group Policy options. So, let's open group policy editor by entering "gpedit.msc" in search, and allow
BitLocker configuration without TPM. Keep in mind that for this to work we have to have a removable USB
key available to store the recovery key information. In Local Group Policy Editor we will go to Computer
Configuration > Administrative Templates > Windows Components > BitLocker > Operating System Drives.
Here we will select "Require additional authentication at startup" policy. We will enable this policy and also
select the option "Allow BitLocker without a compatible TPM".
294
www.utilizewindows.com
Security
Configuring BitLocker in Windows 7
When we click OK, we can go back to the BitLocker configuration in Control Panel. This time we will see a
different screen, like this.
Note that now we can select the "Require a Startup key at every startup". Before we select that option, we
should have a USB flash drive inserted, on which the startup key will be stored on. So, when we move on, we
will select the USB key (ROKI (E:) in our case).
295
www.utilizewindows.com
Security
Configuring BitLocker in Windows 7
The startup key will be saved on the USB disk, but on the next screen we will be given an option to save the
recovery key as well. We can also print the recovery key, which will look something like this.
In our case we will also save the recovery key to the USB flash drive. On the next screen we will have an option
to run BitLocker system check, which will ensure that BitLocker can read the recovery and encryption keys
correctly before encrypting the drive. When we click the "Start Encrypting" button, the encrypting process will
begin, but we will be able to continue working until the process finishes. From this point on, to turn on our
computer we will have to have a USB drive with the startup key inserted in our computer.
When the encryption finishes, we will get two more options on the BitLocker window in Control Panel. As we
can se, we can now suspend protection and we can manage BitLocker.
The Suspend Protection option won't decrypt back the drive, it only pauses the protection so that we can make
certain boot changes if we need to, and then reconfigure the BitLocker. If we click the Manage BitLocker
option, we will see options to Save or print our recovery key again, or to duplicate the startup key.
296
www.utilizewindows.com
Security
Configuring BitLocker in Windows 7
If we try to boot without our startup key (USB stick removed), we will get the following message.
To fix this, we have to enter the USB flash drive, and then hit the Escape key.
Configuring Recovery Agents
When configuring recovery agents, the firt thing we have to do is to generate a set of recovery keys. To do so,
we will open command line. In our case, we have logged on with the Admin user and we will generate keys for
that user. In CMD we will enter the command: "cipher /r: RAAdmin". The name of the file will be
"RAAdmin". After that we will have to type in the password to protect our PFX file.
Keep in mind that your files will be created in your current working directory. The next thing we have to do is
load our certificates. To do that we will open Local Group Policy Editor and navigate to Computer
Configuration > Windows Settings > Security Settings > Public Key Policies > BitLocker Drive Encryption.
To add the recovery agent, we will go to Action (or right-click "BitLocker Drive Encryption), and then select
"Add Data Recover Agent.
297
www.utilizewindows.com
Security
Configuring BitLocker in Windows 7
The Wizard will appear. In the Wizard we will first have to browse for the folder where we have saved our
certificate file that we have created using cipher command.
So, the certificate actually designates the user account. We are taking this certificate for this user account, and
specifying it as the recovery agent. In that way, this user account will be able to recover BitLocker enabled
drives.
In Active Directory environment, we would get these certificates from Active Directory Certificate Server. That
way a single user account can be used on any computer in the environment to recover BitLocker encrypted
drive. This way we can even install hard drive from one machine to another and use the recovery agent to
recover files from BitLocker encrypted drive.
298
www.utilizewindows.com
Security
Configuring BitLocker in Windows 7
The next thing to do is to configure group policies for BitLocker. To do that, in Local Group Policy Editor we
will navigate to Computer Configuration > Administrative Templates > Windows Components > BitLocker
Drive Encryption. We will edit the policy named "Provide the unique identifiers for your organization". Here
we can specify the identifier that will be inserted into the BitLocker drive every time a new drive is
encrypted. When we set this, the DRA will only be able to unlock drives that have this identifier. Under other
sections we can configure how our drives can be recovered. For example, under Operating System Drives
section, we will configure the "Choose how BitLocker-protected operating system drives can be recovered"
policy. In our case we will enable this policy and select the "Allow data recovery agent" option. This way, the
recovery agent we specified earlier will be able to recover BitLocker-protected operating system drive. We
should do the same thing with other types of drives.
Once we set this policies, we will be able to recover BitLocker-protected drives using the specified recovery
agent (Admin user in our case), in case the encryption keys are lost. Keep in mind that this is the first step we
should take before we start to use BitLocker, especially in Active Directory environment. In case we already
started using BitLocker on some drives, we can run the "manage-bde -setidentifier {drive letter}" command
to update encryption information on those drives. In our case we will update our C: drive.
To restore a locked drive, we can use the -unlock switch together with the manage-bde command.
299
www.utilizewindows.com
Security
Configuring BitLocker to Go in Windows 7
Prerequisites
Before we start using BitLocker, we will format our USB flash drive using FAT32 file system and the default
allocation unit size. Also, before we start using BitLocker, we should have our Data Recovery Agents (DRAs)
configured. Next, we will open Local Group Policy Editor by entering gpedit.msc in search. Here we will
configure some local policies related to BitLocker To Go. We will navigate to Computer Configuration >
Administrative Templates > Windows Components > BitLocker Drive Encryption. Here, the first thing we
can do is set up unique identifiers for our organization. This setting will allow us to specify unique string that
will be written on BitLocker devices.
In our case we have simply entered UtilizeWindows as our identifier. This will allow us to restrict people from
being able to access or DRAs from being able to recover devices and drives that don't have this unique ID on
it. We can enter multiple IDs. After that we will go to the Removable Data Drives section. Here we will enable
the Allow access to BitLocker-protected removable data drives from earlier versions of Windows.
300
www.utilizewindows.com
Security
Configuring BitLocker to Go in Windows 7
By doing this, users can take the USB drive and plug it in to Windows XP or Vista machine and be able to
access it. Next thing we can do is to enable Deny access to removable drives not protected by BitLocker. We
can also choose to deny write access to devices configured in another organizations.
With this we are restricting our computers to have write access to a USB flash drive that has not been
encrypted with BitLocker with our own organization ID. That means that we can't bring someone BitLocker
enabled drive from someone else and use it. The next thing we will do is enable the Configure use of
passwords for removable data drives policy. We will select the Require password for removable data drive
option.
301
www.utilizewindows.com
Security
Configuring BitLocker to Go in Windows 7
Control Panel
Now that we have some basic policies set, we can go to Control Panel and turn on BitLocker for our USB
drive. In our case, our USB flash drive is ROKI (E:).
Next, we will be able to choose the way to unlock the USB flash drive. In our case we have the password
option set (because of policy settings), so we will enter our password.
302
www.utilizewindows.com
Security
Configuring BitLocker to Go in Windows 7
On the next screen we will have the option to save and print our recovery key. This step is very important for
recovery purposes.
On the next screen we will start the encryption process. Once our USB flash drive is encrypted, we can start
using our drive. When we plug it out and then back in, in Control Panel we will see that the USB drive is
locked.
When we try to open our USB drive from the Explorer, we will see a window in which we can enter the
password to unlock the drive.
303
www.utilizewindows.com
Security
Configuring BitLocker to Go in Windows 7
Note that we can save our password so that our USB drive is automatically unlocked when we plug it in. Once
we click Unlock, we will have full access to our USB drive. We can manage BitLocker settings on our USB
drive now in Control Panel. We can change the password used to unlock the drive, save the recovery key again,
etc.
304
www.utilizewindows.com
Security
Windows Defender in Windows 7
Windows Defender
In Windows 7, Windows Defender is integrated into Action Center, and this enables consistent alerts when
certain actions are required related to Windows Defender. We can find Windows Defender in Control Panel, or
we can simply search for it using Search in Start menu.
First thing we can do is to configure quick scan, full scan or custom scan.
www.utilizewindows.com
Security
Windows Defender in Windows 7
We can choose to scan certain drives, but also certain folders or USB flash drives. Once the scan is complete
we will see the scan statistics. If we choose the quick scan, it will search in important folders only, like the
system folder and check certain registry keys.
On the Tools menu we can configure Windows Defender options. We can enable or disable automatic
scanning.
By default, our computer will be scanned at 2 AM. We can also choose to check for updated definitions before
scanning.
306
www.utilizewindows.com
Security
Windows Defender in Windows 7
We can also specify other options like default actions, real-time protection, excluded file types, etc. For default
actions, we can choose what will happen when certain items are detected. We can choose to remove it or
quarantine it or we can leave it to "recommended action based on definitions".
Real-time protection is enabled by default, but we can choose which security agents we want to run.
We can exclude files and folders from being scanned. We can also exclude files based on file type. There are
also some advanced options we can set, like if we want to scan within archive files, e-mails, and removable
drives. We can also choose if we want to use heuristics and create restore points.
307
www.utilizewindows.com
Security
Windows Defender in Windows 7
If we go back to the Tools menu, we can see that we can manage quarantined items, and view items that we
have allowed.
In the Quarantined items we will see items that have been recognized as malicious. In the Allowed items we
will have items that were recognized as malicious, but the user allowed them, so they are not monitored any
308
www.utilizewindows.com
Security
Windows Defender in Windows 7
more. Sometimes, apps that are legit may seem as malware to Windows Defender, and that's why we have an
option for allowed items.
309
www.utilizewindows.com
Optimization
Monitoring Resources in Windows 7
Optimization
Monitoring Resources in Windows 7
Before you start
Objectives: Learn how to use Task Manager and Resource Monitor to see how your system resources are
being used.
Prerequisites: you have to know what system performance is in general.
Key terms: performance, Windows 7, Task Manger, Resource Monitor, process
Task Manager
Task Manager can easily be opened by pressing the CTRL+SHIFT+ESC keys. We can also start it by rightclicking Taskbar and selecting the Start Task Manager option.
Task Manager will show us all the processes running for current user. We can click the "Show processes from
all users" if we want to see all processes running on the system. We can click on the column name to order the
list by that column. We can also set process priority and affinity by right-clicking particular process.
310
www.utilizewindows.com
Optimization
Monitoring Resources in Windows 7
Note that priority can be: real-time, high, above normal, normal, below normal, and low. The priority controls
how the system can delay or switch between processes. With affinity we can select processors (or processor
cores) that are allowed to run selected process.
On the Processes tab we can also end (kill) a process. We do that by selecting a particular process and then
clicking the End Process button.
We can also use Task Manager to start or stop running application. We can do that on the Applications tab.
Note that not every software program or process will be shown on the Applications tab. Typically, applications
that are started by the user, and applications shown on the Taskbar will be shown on the Applications tab.
311
www.utilizewindows.com
Optimization
Monitoring Resources in Windows 7
On the Services tab we can see a list of services on our computer, and their status. From here we can also start
or stop particular service by right-clicking it. We can also view the process (in the Processes tab) associated
with the service.
312
www.utilizewindows.com
Optimization
Monitoring Resources in Windows 7
If we want more control over our services, we should go to the Services console. We can do that by clicking on
the Services button from here.
On the Performance tab we can check the performance of our computer.
313
www.utilizewindows.com
Optimization
Monitoring Resources in Windows 7
Here we can use the percentage of CPU usage at the moment and also usage history from past few minutes. In
our case we have multiple (four) cores, so we see four graphs, one for each core. On this tab we can also see
current memory usage and memory usage history for the last few minutes. If the CPU Usage History graph is
showing 100 percent, it can mean that some program might not be responding or is over using CPU
resources. If the Memory graph is consistently high, it can mean that we have too many applications opened at
the same time. As a temporary solution, we can quit some running programs to decrease the demand for RAM.
However, the only long-term solution is to add more physical RAM. Also, we could try implementing the
ReadyBoost feature.
Below CPU and memory graphs, we can see details about memory and resource usage. In the Physical Memory
section we can see the total amount of RAM installed, and also the amount of RAM recently used for system
resources (Cached). Here we also see amount of Available and Free memory. In the Kernel Memory section we
can see the total amount of memory being used by the core part of Windows called the Kernel. The used
virtual memory is shown on the Paged amount, while the Nonpaged amount shows the amount of RAM used
by the Kernel. In the System section we can see 5 values related to Handles, Threads, Processes, Up Time, and
Page File Handles (Commit). These are all pointers that refer to system elements such as files, directories,
registry keys, events, etc.
314
www.utilizewindows.com
Optimization
Monitoring Resources in Windows 7
On the Networking tab we can see network usage. Utilization is listed as a percentage of the total available
theoretical bandwidth (such as 100 Mbps for a Fast Ethernet connection).
On the Users tab we can see logged on users on our computer, and their login method. From here we can
Disconnect or Logoff listed users.
315
www.utilizewindows.com
Optimization
Monitoring Resources in Windows 7
If we go back to Performance tab, note that we can run Resource Monitor from here.
Resource Monitor
The Resource Monitor is more enhanced tool for checking out performance and resources on the
computer. We can enter also enter resmon.exe in Search to start the Resource Monitor.
316
www.utilizewindows.com
Optimization
Monitoring Resources in Windows 7
On the Overview tab we can see performance for our four major system components and resources. Those are
CPU, Disk, Network, and Memory. On the CPU section we see a list of processes, their description, status,
number of threads, etc. We can click on the particular column to sort the list based on that column.
On the Disk section, we can see which processes are using our disks. We can see which process reads or writes
which amount of data, and the total usage. We can also see the file that is doing the most amount of reading
and writing to.
On the Networking section, we can see the amount of traffic coming and going to our machine and what
services or applications are using it.
On the Memory section, we can see what applications and services are using the most memory.
317
www.utilizewindows.com
Optimization
Monitoring Resources in Windows 7
Now each mentioned resource also has a separate tab. Each tab allows us to view the processes and certain
information about that process. We can filter the results according to the processes or services that we want to
monitor. For example, we'll go to the CPU tab and select the permon.exe process. Note that services,
associated handles (registry keys and files), and associated modules (DLLs and executables) are now filtered by
perfmon.exe. So, this way we can check all this for specific process.
318
www.utilizewindows.com
Optimization
Monitoring Resources in Windows 7
While we are in the filtered mode, only resources that are used by the selected process or service, are displayed
on all other tabs. So, if we go to the Memory tab, we will also see the information filtered by the perfmon.exe.
319
www.utilizewindows.com
Optimization
Monitoring Resources in Windows 7
The same thing is on the Disk tab. We will see files that the selected process is reading and writing to. On the
Network tab we will see the network activity is performed by our selected process (TCP connections and
listening ports).
320
www.utilizewindows.com
Optimization
Using Reliability Monitor in Windows 7
Reliability Monitor
To find open Reliability Monitor, we can enter "perfmon /rel" in Search box. The Reliability Monitor monitor
shows us information about the application, Windows, and misc failures, as well as other warnings and
information.
Note that in our case we have one failure (marked with red x icon) in the Application failures row. Also, we
have info icons for every day. If we look at the bottom of the window, we will see more detail about the events
on the selected day.
321
www.utilizewindows.com
Optimization
Using Reliability Monitor in Windows 7
On the Action column we can check for solutions or view technical details about our events.
Note that not all days are visible on the graph. To go back in time, we can click on the left arrow. We can go
back up to one year. Also, we can change the view by days or weeks. The great thing about Reliability Monitor
is that we can see what happened and when it happened on our system. Prior to Windows 7 we couldn't do
that without searching multiple logs in the Event Viewer.
Note that in our case we had several critical events on the 24 of March 2015. We also had several installation
and configuration events. The Reliability Monitor also gives us a stability scale. If we have errors, the stability
index will start to come down. Any change you make to your computer or problem that occurs on your
computer affects the stability index. In our case the stability index is rising, since we didn't have any critical
events for several days.
322
www.utilizewindows.com
Optimization
Using Reliability Monitor in Windows 7
Action Center
One of the important tool to help us troubleshoot our system is the Action Center. The Action Center icon is
available in the Taskbar notification area (icon is marked yellow on the picture).
When we click the icon, we will see the current status. In our case we have 3 important messages. We can click
on the "Open Actin Center" to see more details.
323
www.utilizewindows.com
Optimization
Using Reliability Monitor in Windows 7
We can see different items grouped together, In our case we have one Security item (Firewall status), and two
maintenance items (problem with Adobe Reader, and backup).
Action Center will propose actions to resolve problems. For example, for the backup problem the solution is to
set up backup. For a problem with Adobe Reader, we can see message details. For Firewall we could enable it,
but this option is disabled by the system administrator in our case, since Firewall is installed and managed
elsewhere.
The typical and most important things in Action Center is the Security section. Action Center will warn us if we
have problems with virus protection, Windows Update, Firewall and malware.
We can disable all messages if we want, in the Action Center settings (link to settings is available in the left
menu).
324
www.utilizewindows.com
Optimization
Using Reliability Monitor in Windows 7
325
www.utilizewindows.com
Optimization
Visual Effects and Paging File Options in Windows 7
Performance Options
To change the performance settings, we can go to the properties of our computer. To do that, we can rightclick Computer and then choose the Properties option.
326
www.utilizewindows.com
Optimization
Visual Effects and Paging File Options in Windows 7
We well now see a Visual Effects tab. By default all of the visual settings are enabled. If we have a machine
with weaker hardware, we can select the "Adjust for best performance" option, or we can start unchecking
specific boxes to increase the performance of the machine.
327
www.utilizewindows.com
Optimization
Visual Effects and Paging File Options in Windows 7
Overall this will make the system a little bit more responsive as it will be using less graphical power.
On the Advanced tab, we can configure Processor Scheduling. We can choose if we want to adjust for best
performance of programs or background services.
328
www.utilizewindows.com
Optimization
Visual Effects and Paging File Options in Windows 7
Usually on desktops that are running programs we will choose the "Programs" option, but on servers or certain
desktops that are doing a lot of background applications like SQL databases, we would choose the
"Background services" option.
On this tab we can also configure the virtual memory of our computer. To do that we click on the Change
button on the Virtual Memory section.
329
www.utilizewindows.com
Optimization
Visual Effects and Paging File Options in Windows 7
By default Windows 7 configures Virtual Memory automatically. If we uncheck the "Automatically mange
paging file size for all drive", we will be able to change those settings. We can specify a custom value in MB.
We can set the initial size and a maximum size. It is recommended to specify a value one and a half times the
amount of physical memory we have. We can actually see the recommended values at the bottom of this
window. We can put the same value for initial and maximum size.
Also, if our computer has more than one physical separated disk it might be beneficial to store the page file on
a separate physical disk to improve performance.
330
www.utilizewindows.com
Optimization
Visual Effects and Paging File Options in Windows 7
When we install Windows 7, we are asked if we want to configure Windows updates. We can choose to
configure it immediately, to configure it later, or to never configure Windows updates. If we choose not to
configure Windows updates to automatically check for updates, we can always check for updates manually.
Let's look at some of the settings of Windows Update. To do that we can select "Change settings" option from
the menu on the left.
331
www.utilizewindows.com
Optimization
Visual Effects and Paging File Options in Windows 7
So, updates can be installed automatically, they can be downloaded but not installed, and they can be checked
for but not downloaded and installed. We can also choose not to install updates at all. We can also choose on
which day and at what time to install updates. For laptops the option to check for updates but not download
them is great. This way we can save battery.
Note that we also have an option to give us recommend updates the same way as important updates. We can
also enable or disable standard users to install updates on our computer.
332
www.utilizewindows.com
Optimization
Visual Effects and Paging File Options in Windows 7
We can click on "1 important update is available" and see what updates are available for install.
If we do that, it won't be installed and won't be brought up for installation in the future. We can also copy its
details. We can also view more information about the selected update on the right-hand side of the window.
333
www.utilizewindows.com
Optimization
Visual Effects and Paging File Options in Windows 7
If we hide an update, but we want to bring it back again and install it, we have to go to the "Restore hidden
updates" option in the Windows Update console.
In that window we will select the update we want to restore, and then click the Restore button.
334
www.utilizewindows.com
Optimization
Visual Effects and Paging File Options in Windows 7
This takes us to a website where we can choose to install a new version of Microsoft Update, which allows us
to download updates for not only Windows but also other products from Microsoft, such as Microsoft Office.
This upgrade can also be done through the Microsoft Office. Once we install Microsoft Office and run it for
the first time, it will ask us if we want to use Microsoft Update to get updates for Microsoft Office as well.
Once we upgraded the Windows Update to a newer version, we get two more option in Update settings.
335
www.utilizewindows.com
Optimization
Visual Effects and Paging File Options in Windows 7
Now we can choose to get (or disable) updates for other Microsoft products. We can also choose to get other
Microsoft software such as various add-ons or similar.
After the upgrade, we have checked for updates again, and now we have three updates available for install.
As we can see, whenever update is being installed, a restore point is created. This means that in case the update
causes a problem, we can revert back to the point of time before the update was installed.
Note that installing update will often require a reboot.
After the reboot, we can go back to Windows Updates and check the Update history on the left hand side.
336
www.utilizewindows.com
Optimization
Visual Effects and Paging File Options in Windows 7
Here we can see all updates that were installed, when it happened, the status of the installation, and the
importance of the update.
We can also right-click specific update in this list and see the details of the update installation.
We can gather more information about the update from the knowledgebase article in the update installation
details. This is particularly useful if we have an installation error and we need to fix it.
337
www.utilizewindows.com
Optimization
Visual Effects and Paging File Options in Windows 7
Uninstalling Updates
All updates that we install can be uninstalled. To do that we can go to the "Installed Updates" option on the
left hand side of the Windows Update window.
Here we will see a list of updates. We can right-click particular update and then uninstall it.
338
www.utilizewindows.com
Optimization
Configuring WSUS and Other Update Options in Windows 7
WSUS Configuration
By default, each Windows client contacts the Microsoft servers on Internet for updates. We can use local group
policies to connect our Windows 7 to the Windows Server Update Services server and download updates from
it. As we know, WSUS server resides locally within our network and allows us to connect to it from our client
without having to go through the Internet to get updates. So, we will open Group Policy Editor by entering
gpedit.msc in our search bar. In Editor, we will navigate to Computer Configuration > Administrative
Templates > Windows Components > Windows Update.
As we can see, using Group Policy we can manage almost all of the same settings that we can manage in the
Windows Update console. There are few important policies we need to configure to be able to connect to and
download updates from the local update server. The first one is "Specify intranet Microsoft update service
location". If we open this policy, we can enable it and specify the location of the WSUS server.
339
www.utilizewindows.com
Optimization
Configuring WSUS and Other Update Options in Windows 7
In our case the WSUS server is available at "http://w2k9". The update server and the statistics server are
usually the same server. The next thing we can configure is the "Configure Automatic Updates" policy.
340
www.utilizewindows.com
Optimization
Configuring WSUS and Other Update Options in Windows 7
In our case we have configured automatic download and notify for installation every day at 5 pm. Other
options are:
Auto download and schedule the install (with this we configure the schedule of when to apply
updates)
If we disable the "Configure Automatic Updates" policy, the automatic updates are not used. In this case users
can only go to the Windows Update website and then manually download and install updates. If that policy is
enabled, users cannot change the configured settings through the Windows Update console. Some of the other
group policies are:
Enable client-side targeting policy - enables us to allow clients to add themselves automatically to
target computer groups on the WSUS server.
Reschedule Automatic Updates Scheduled Installations policy - enables us to set the installation to
occur between 1 and 60 minutes after the system starts up.
341
www.utilizewindows.com
Optimization
Configuring WSUS and Other Update Options in Windows 7
No Auto-Restart For Scheduled Automatic Updates and Installations policy - allows Automatic
Updates to disregard a required restart when a user is logged on. The will receive a notification about
the restart but is not required to restart the machine.
Automatic Updates detection frequency policy - specifies the time period for clients to wait before
checking for updates.
Allow Automatic Updates immediate installation policy - specifies whether Automatic Updates should
automatically install certain updates that do not interrupt Windows Services and don't force a restart.
Delay restart of schedule installations policy - specifies how long Automatic Updates waits before
performing a restart. If not configured, the system waits 5 minutes before restarting. This policy only
applies when update installations are scheduled.
Re-prompt for restart with scheduled installations policy - specifies how long Automatic Updates waits
before prompting the user for a scheduled restart. If not configured, the system prompts every 10
minutes.
Do not display 'Install Updates and Shut Down' option in Shut Down Windows dialog box policy when enabled, the install update option will not be displayed. In this case, users will be unable to
choose not to install the updates, and updates will be installed when they try to shut down the
computer.
In our case we will also enable the "Turn on Software Notifications" policy, and also "Turn on recommended
updates via Automatic Updates" policy. If we now open Windows Update console, we will notice that the
interface looks a little different. It now tells us that we receive updates "managed by your system
administrator". That basically means we are contacting a local update server.
Now, we can actually force Windows updates in Windows 7 to contact the Microsoft update server on the
Internet, while the local policy stays the same. We can do that if we click on the "Check online for updates
from Windows Update" option on Windows Update console.
342
www.utilizewindows.com
Optimization
Configuring WSUS and Other Update Options in Windows 7
We can also use elevated command prompt to check for updates. To do that we can enter the command
wuauclt /detectnow
The Windows updates automatic updates command line tool (wuauclt) will contact the local Windows update
server and try to register for updates and then download available updates. WSUS server will scan the client to
check to see what updates it has installed and what updates it needs. At the WSUS server we could see the
status of our Windows 7 client computer, but that's a topic for another article.
343
www.utilizewindows.com
Optimization
Setting Up Backup in Windows 7
The first time we use the Backup and Restore tool we can choose the "Set up backup" option. Have in mind
that we cannot have more than one backup job on a system at a time. When we click on the "Set up backup"
link, we will first have to choose the backup location.
344
www.utilizewindows.com
Optimization
Setting Up Backup in Windows 7
In our case we will choose E: drive as our destination and click Next. On the next screen we choose if we want
to let Windows to choose what to back, or we can choose ourselves. In our case we will choose the "Let me
choose" option.
On the next screen we choose what to back up. Note that we can choose to include a system image of our
drives. This is also the case when we let Windows decide what to backup.
When we include a system image of drives, our entire system is backed up to a VHD file, so we can use it for
recovery. If our system stops working, and we have a system image of it, we can easily restore it back to the
point where we made the system image backup. Note that we can choose to backup users libraries and we can
choose to backup specific files and folders. In our case we have selected Kim Verson's and Students libraries,
and we have selected C:\Docs folder.
345
www.utilizewindows.com
Optimization
Setting Up Backup in Windows 7
Note that we can also change the schedule of the backup. By default, once we create one backup, it will
automatically backup every Sunday at 7 PM. If we click on the Change Schedule, we will see this screen.
346
www.utilizewindows.com
Optimization
Setting Up Backup in Windows 7
Note that we can also disable the schedule. We can also choose to run the backup daily, weekly, or monthly.
We will leave default options here.
We are also being warned that we might need a system repair disc if we want to restore a system image file. We
can boot from the Windows PE utility CD or we can boot from the Windows 7 media as well. We can now
click on the "Save settings and run backup" option.
During the backup, first shadow copies are created for our files. That way, in case we have any open files, they
can be backed up as well.
Note that on the Backup and Restore console, we have an option to create a system image directly.
347
www.utilizewindows.com
Optimization
Setting Up Backup in Windows 7
This way we don't have to create a full backup together with the system image. We can only create a system
image. We can choose to save the image to a hard disk, have it burned directly to a CD or DVD, and save it to
a network location.
Note that we also have an option to create a system repair disc. For that we need to have a blank burnable
media like a CD or DVD. We actually don't have to create a system repair disk if we have a Windows PE or
Windows 7 bootable DVD.
Once the backup is complete, we can click on the "Manage space" option, which will show us how much space
our backups are taking up.
We can also view our backups to see all the previous backups we've made by clicking on the "View backups"
button.
348
www.utilizewindows.com
Optimization
Setting Up Backup in Windows 7
We can even select the backup and delete it from here. For system images we can select how Windows retains
older system images by clicking on the "Change settings" button.
We can let Windows to manage space or we can choose to keep only the latest system image, to minimize
space usage.
We can always change settings for our backup by clicking the "Change settings" option. Keep in mind that we
can only have one backup configuration. We can't have multiple different scheduled backups.
Exploring Backup
If we open our backup location, we will see two items.
349
www.utilizewindows.com
Optimization
Setting Up Backup in Windows 7
The first item is a backup file, and the second is a WindowsImageBackup folder. We can actually open that
WindowsImageBackup folder. In it we will see the folder for our specific machine. In that folder we will see
this.
The first item is a Backup Set folder (Backup 2015-04-29 073131). Within the backup set folder we will see two
VHD files.
350
www.utilizewindows.com
Optimization
Setting Up Backup in Windows 7
One VHD file is smaller and contains system and BitLocker settings. The second VHD file is larger and
contains the actual system image. We can actually mount that VHD file. To do that we can go to Disk
Management, and select the "Attach VHD" option.
351
www.utilizewindows.com
Optimization
Setting Up Backup in Windows 7
The VHD file will get a drive letter and the auto play will start up. In our case it got the letter F:, and if we
open it, we see that it has the same content as our C: drive.
We can actually now copy files to our F: drive, and those files will remain there as well. Let's now take a look at
our WIN-7-VM1 backup file. Windows 7 saves everything in a sort of compressed file. If we right-click it, we
will see the Restore option.
352
www.utilizewindows.com
Optimization
Setting Up Backup in Windows 7
We can also select the Open option. This will actually show the contents of the backup file.
We can browse inside the backup and go to backup files, open up the files one by one. So, this is actually a filebased backup, which makes restoring much easier. We can simply search for the file we want, and then restore
it.
353
www.utilizewindows.com
Optimization
Restoring Data from Backup in Windows 7
Restoring Files
To restore and recover files in Windows 7, we can go to Control Panel > All Items > Backup and Restore
option. In our case we already have a backup completed.
To restore files from existing backup, we can click on the "Restore my files" button.
354
www.utilizewindows.com
Optimization
Restoring Data from Backup in Windows 7
By default, all files will be restored to their latest version. However, we can click on the "Choose a different
date" option to select another date and time.
In our case we will leave the default option to restore latest version. So, when we click on the Search button,
we can search for a file to restore. For example, in our case we have entered "*.pdf" which will show us all files
with the .txt extension.
We will select that file and click OK. This will add that file to the list of files to be restored.
355
www.utilizewindows.com
Optimization
Restoring Data from Backup in Windows 7
We can also choose specific files by clicking on the "Browse for files" option. Note that this takes us directly to
the Windows backup folder which we can browse.
So, from here we can browse all files and then select particular files that we want to restore. If we click on the
"Browse for folders" button, which will allow us to select particular folder to restore. When we have selected all
files and folders that we want to restore, we can click on the Next button. On the next screen we will be able to
choose where to restore our files.
356
www.utilizewindows.com
Optimization
Restoring Data from Backup in Windows 7
We have selected to restore files to new location and selected the option to restore files to their original
subfolders. This means that actual folder tree and structures will be saved, instead of all the files thrown into
one single location. If we select the first option ("In the original location"), this will overwrite the existing files
if they exist. We can now click the Restore button, and take a look at our files.
In addition to doing restorations directly, we can choose to restore from another backup file. To do that, we
click on the "Select another backup to restore files from", on the Backup and Restore console. If we made a
backup to a removable device or to a network location, we would be able to select and restore from that
backup here.
357
www.utilizewindows.com
Optimization
Restoring Data from Backup in Windows 7
By default the C: drive has system protection enabled. All other drives will have system protection disabled by
default. We can configure each partition with a different system protection setting. Lets select the C: drive and
click on the Configure button.
358
www.utilizewindows.com
Optimization
Restoring Data from Backup in Windows 7
So, we can choose restore system settings and previous versions of files being saved, or we can choose to only
save previous versions of files, or we can turn off system protection completely. We can also configure the
amount of disk space that will be dedicated to system restore points. The more disk space we have dedicated,
the more restore points we will be able to save. We can also delete all previous restore points, including system
settings and previous version files by clicking the Delete button.
On partitions that we primarily only have data, and have no system settings, we can safely choose only previous
versions of files, when we enable system protection on that kind of drive.
If we go to System Protection tab again, we can see that we can manually create a restore point by clicking on
the Create button. When we do that, we will be asked for restore point description.
359
www.utilizewindows.com
Optimization
Restoring Data from Backup in Windows 7
In addition to saving system settings that can allow us to restore our configurations in case our computer
becomes corrupted, system protection also saves previous versions of files. System protection can create
multiple previous versions of files, as long as they're available and we have enough space to keep multiple
previous versions of files. In that way, if we accidently make an undesired change to a file or if we delete it, we
can get the previous version of the file back from previous version feature. To get the previous version of the
file, we can right-click particular file, open its properties, and then go to the Previous Versions tab.
We can also right-click a particular folder, open its properties and then go to the Previous Versions tab. This
way we will be able to choose all changes for the whole folder.
360
www.utilizewindows.com
Optimization
Restoring Data from Backup in Windows 7
So, we can select a particular version of file or folder (depending on what we selected) and then either open it,
copy it, or restore it, by clicking on the appropriate button.
Keep in mind that by default, previous versions are created every time a restore point is created. Now, as we
know, restore point is automatically generated when a system event such as update installation, driver
installations and other important events happen. It is also generated automatically at specific time of day, every
day. We can check when the restore point is going to be created in Control Panel > Administrative Tools >
Task Scheduler. In Task Scheduler we can navigate to Task Scheduler Library > Microsoft > Windows >
System Restore. Here we will see one task called "SR". If we select it and open the Triggers tab, we will see that
a system restore point is automatically created every day at 12 AM, and every time when the computer turns on.
361
www.utilizewindows.com
Optimization
Restoring Data from Backup in Windows 7
We can even go ahead and add more triggers. When we have this enabled, we can have an ongoing previous
versions of our files and our system information.
362
http//www.utilizewindows.com
Utilize Windows 7