2014-01-08

Subscribers to the paid version of Windows Secrets are familiar with Fred Langa’s weekly LangaList Plus. This week, everyone can enjoy the best of the 2013 columns.

These Q & A sessions are for computer users of all levels. Many paid Windows Secrets readers save these articles for future troubleshooting reference.

It appears that the most popular stories were those about keeping Windows XP alive and those on coping with Windows 8. Computing security was another hot topic. That’s really no surprise. All three topics reflect the significant challenges to personal computing during 2013.

(Editor’s note: Some of the information in the following stories has been updated.)

No-reformat reinstalls for all Windows versions

A nondestructive Windows reinstall completely refreshes the operating system but retains your user accounts, data, passwords, and/or installed programs. This type of repair takes a fraction of the time required for a standard, full reinstall — and it’s much, much easier to do.

I’ve covered nondestructive reinstalls for previous versions of Windows in several earlier stories. See, for example, the July 14, 2011, Top Story, “Win7′s no-reformat, nondestructive reinstall.” The process for Vista is nearly identical. For Windows XP, check out the 2006 InformationWeek article, “XP’s no-reformat, nondestructive total-rebuild option.”

Reader William Searle wondered about this capability in Windows 8.

“Is there a Win8 version of the ‘no-reformat, nondestructive reinstall?’”

Indeed there is, William. Microsoft made it easier than ever and built it right into the operating system; it’s nondestructive for your settings and user data and for native Win8 apps downloaded through the app store. (From-disc apps, however, might still have to be reinstalled the old-fashioned way.)

Here’s how to access the Win8 version of the reinstall process.

Open the Win8 Charms bar and click Settings (the gear icon). At the bottom of the Settings bar, click Change PC settings. On the PC Settings page, select General and then click the Get started button under Refresh your PC without affecting your files (as shown in Figure 1).



Figure 1. Win8's built-in version of a no-reformat, nondestructive reinstall is always just a few clicks away in the PC Settings menu.

The next screen tells you exactly what the refresh will do. Read it carefully. For example, it notes that applications you installed from disc or the Web will be removed. (Apps downloaded from the Windows Store are retained.)

It’s taken a long time for this capability to become a standard item in Windows, but it’s great that it’s finally there!

More free security tools from Microsoft

Reader Kevin Hobbs suggests another free security tool from Microsoft that wasn’t included in the April 4 Top Story, “Microsoft’s six free desktop security tools.”

“Fred Langa forgot one obvious security tool that prevents malware from getting onto your system — the Enhanced Mitigation Experience Toolkit (EMET). It works even with many zero-day threats.”

Thanks, Kevin. I agree that the Enhanced Mitigation Experience Toolkit is a worthy anti-malware app. When this story was originally published, EMET, the Microsoft Malware Prevention troubleshooter, and the MS Baseline Security Analyzer were not compatible with Windows 8, so I didn’t include them.

EMET 4.1 is now compatible with Win8. Windows Secrets covered it in Susan Bradley’s June 6, 2013, article, “Microsoft adds Windows 8 support to EMET.”

The Microsoft Malware Prevention troubleshooter (site) is a standalone fixit that checks whether various Windows settings (Policy, User Account Control, Proxy, etc.) are configured for maximum safety. If anything’s amiss, the troubleshooter can make changes for you automatically (Figure 2) — or let you make them manually.

However, try to run the Malware Prevention tool on Win8.1, and you get the error message shown in Figure 3.



Figure 2. The Microsoft Malware Prevention troubleshooter can apply recommended system settings for you in XP, Vista, and Win7.



Figure 3. The Malware Prevention site gives no mention of, or warnings about, Windows 8, but the fixit fails when you try to run it on the new OS.

Microsoft Baseline Security Analyzer Version 2.3 (site) reportedly supports Win8. It’s an installable utility originally intended for use by IT professionals to scan one or more PCs. (It can work across a network.) The analyzer, shown in Figure 4, checks about 24 different security-related system settings, ensuring they’re correctly configured. It checks, for example, that Windows Update is enabled, that all current Updates have been installed, that local system shares and passwords are correctly configured, and that macro security is enabled on installed MS Office products.

Figure 4. A professional-level tool, the Microsoft Baseline Security Analyzer can scan multiple systems across a network.

PC security after XP’s official end of life

On April 8, 2014, Microsoft officially drops support for its venerable operating system. John Foster is undoubtedly one of many Windows Secrets readers thinking through the ramifications of XP’s rapidly approaching end of life (EOL).

“After reading all of the articles on XP’s EOL, I wonder how vulnerable XP will really be after next April.

“If we keep our browsers up to date, are careful about the websites we visit, and have current anti-malware software running, will we be safe using XP?”

Sorry, no — even with all those precautions, XP still won’t be safe. Here’s why:

In Microsoft’s parlance, “end of life” means that the company will no longer write and issue security patches for XP. Many of those patches fix newly revealed vulnerabilities within the operating system itself. But after XP’s EOL, any unpatched security holes will go unfixed. (See Microsoft’s explanation; the April EOL also applies to Office 2003.)

You might think that all the major holes in XP have surely been found and patched by now! After all, XP’s been out for 12 years.

Sadly, that’s purely wishful thinking. As of September’s Patch Tuesday, Microsoft had released, just in 2013, more than 80 system-level patches and updates specifically for XP — plus dozens of additional patches for XP-related ancillary software such as Microsoft Security Essentials!

You can see for yourself. Open Windows Update on your XP system and click the Review your update history link (in the window’s left column, typically under Options). Note how many new patches there are — even 12 years into the game!

Despite extensive patching, XP is still far from perfect. Given its age and the number of XP systems still in use, the OS will remain an attractive target, possibly for years to come. In other words, when Microsoft stops writing patches for XP, it’ll be open season for hackers.

Using good third-party apps and tools such as fully current browsers and anti-malware software will help keep you safe — but only up to a point. They’ll do little or nothing to correct fundamental vulnerabilities in the base operating system.

There’s also declining third-party support for XP. Few mainstream software vendors will continue investing in a dying market — even if that market is still huge. Moreover, the quantity of tools designed for XP is in sharp decline, a trend that will only accelerate.

There’s no way to avoid the inevitable: after next April, XP will be far less safe than any of the more modern Windows versions. XP was truly great, but its day is done.

OK to run multiple always-on security tools?

A comment in the April 4 Top Story, “Microsoft’s six free desktop security tools,” prompted John to ask this question:

“In the article, you say, ‘… a PC should run only one real-time, anti-malware/anti-spyware tool at a time.’

“I have been using Microsoft Security Essentials (MSE) since you first recommended it. I also use Malwarebytes (paid version) and SUPERAntiSpyware.

“Is it okay to have those three running together?”

Like MSE, Malwarebytes Pro (site; paid) provides real-time protection. But as a Malwarebytes Product Support Questions page states, the product should be used to supplement other full-time AV tools — it should coexist without conflicts. The free version of Malwarebytes will also run alongside other AV products, but it’s active only when you manually launch it.

SUPERAntiSpyware is a whole other thing. I know it’s hugely popular, and I recently test-drove it again on multiple versions of Windows for last week’s Top Story, “A dozen tools for removing almost any malware.” But for several reasons, I decided to omit the product from the article.

For one thing, parts of its nomenclature seemed misleading. For example, the “SUPERAntiSpyware Portable Scanner Personal Edition” doesn’t really fit the common definition of a portable app. It’s a renamed .exe file that must be installed and run like other common Windows programs. I quickly lose confidence in products that claim something (e.g., portability) they don’t have. (The SUPERAntiSpyware site suggests the app is “portable” because it has all the latest virus definitions when you download it. So you don’t need an active Internet connection to run it.)

SUPERAntiSpyware also didn’t uninstall cleanly. This is 2013! Surely any decent Windows-based app or utility ought to remove itself fully when you uninstall it.

I can’t speak to SUPERAntiSpyware’s effectiveness. The red flags mentioned above caused me to put it aside. The anti-malware product category has many great tools — some mentioned in last week’s Top Story. So why waste time on apps that seem to have obvious flaws and/or drawbacks?

That said, if the three AV tools you’re using appear to be working, then great! You’re probably well protected. (But I’m guessing that Microsoft Security Essentials and Malwarebytes are doing most of the heavy lifting.)

Bottom line: You can run a second full-time scanner (such as Malwarebytes Pro) if it’s specifically designed to work with other full-time scanners.

Using multiple layers of security — an update

Bob, a long-time reader, sent in this plea:

“Over the years, you’ve commented on the use of multiple layers of security. But I often see news stories about computer crackers recovering data and emails from computers. Once, when I was sick, anyone could have entered my office and snooped for days.

“What can I use to protect against snoops accessing my programs and data? Help!”

Good timing, Bob; I was thinking about this just the other day! It was back in the 1990s that I first recommended using multilayered defenses for PC security. I updated that advice in the early 2000s and again a few years later. It’s time to revisit the concept — and to update the advice.

Today, complete PC protection means guarding against two different types of attacks: remote and local. Let’s discuss each in turn.

Protecting your PC against outside threats: The vast majority of computer breaches now occur over the Internet. There are stories every day about hackers successfully compromising some company’s computers. But everyone using the Net should be concerned about remote attacks, most of which are launched by malware (a virus, worm, Trojan, etc.) delivered to PCs via malicious sites or emails.

Protection from these threats requires four primary layers of defense:

Firewalls: No firewall is perfect, but a good one prevents external snoops from finding and accessing your PC via the Web. (See the March 11, 2010, LangaList Plus, “Let’s put your firewall to the test.”)

The firewalls built into Win7 and Win8 are effective; I run them on my systems, using their default settings with no special tweaks. Both are, however, highly customizable and configurable, as described in the March 17, 2011, LangaList Plus, “Outbound blocking for Windows Firewall.”

Vista’s built-in firewall is somewhat inferior to Win7′s, but it’s still adequate. Windows XP’s firewall is based on decade-old technology and is relatively weak — able to defeat only the most blatant kinds of external attacks. For that reason, I recommend using a third-party firewall with XP (and with Vista, too, if you need strong security). There are many good third-party firewalls — any Web search will turn up a dozen or more — but a favorite among Windows Secrets readers is Comodo (site; free and pro versions available).

Always-on anti-malware apps: The better anti-malware tools constantly guard against the delivery and activation of malicious software, regardless of the attack vector — browser, email, infected document, or whatnot.

You’ll find some anti-malware-tool comparisons in the Feb. 16, 2012, Top Story, “Is your free AV tool a ‘resource pig?’” I use the free Microsoft Security Essentials (MSE; site), but it’s not for everyone and there’s some debate over its effectiveness. (For more on this, look up the Dec. 20, 2012, LangaList Plus.)

On-demand anti-malware scans: Because even the best firewall/anti-malware software defenses can fail, it’s good practice to verify that your system is infection-free by routinely running one or more standalone security tools — for example, ESET’s Online Scanner (site), Microsoft’s Safety Scanner (site), or Trend Micro’s HouseCall (site).

Common sense: Malware doesn’t teleport itself into your PC; most Windows infections are allowed in when users are enticed or tricked into clicking phony links in websites or phishing email — or fall for a bogus “You’re infected!” popup. You can avoid all these infection vectors with a little care, common sense, and skepticism. For more on this, see the Dec. 20, 2012, LangaList Plus.

Protecting against local/physical treats: Obviously, stealing your data is easier if someone has direct access to your PC. They can, for example, download sensitive information to a thumbdrive by simply using your keyboard — or walk off with the entire system (or at least the hard drive)! And if they possess your PC, they can take all the time they need to methodically analyze and access your data. (If your office is not secure, consider buying cable locks for your systems.)

By the way, if your defenses against external attacks fail and the hacker installs remote-control malware, it’s effectively the same as if they’re sitting at your keyboard.

The best defenses against local attacks are these:

User-account passwords: Windows’ user-account passwords don’t provide heavy-duty security, but they’re better than nothing. Your user password will at least foil casual snoops and nosy coworkers. Every version of Windows allows the use of sign-in passwords; use them — even at home.

Hardware-level passwords: PCs often provide stronger, hardware-level password protection that’s independent of the operating system and managed typically with the PC’s BIOS or Unified Extensible Firmware Interface (UEFI) settings. This type of password protects the entire system (not just the OS) from unauthorized use by anyone who has physical access to your machine.

Almost all PCs let you set a primary, hardware-level, system password. You’re asked for this password when your PC first powers on (or resumes after hibernation or deep-sleep mode) and before any OS loads — whether it’s installed on the hard drive or booted via external media. You must enter the correct password before the system lets the OS boot or resume. Not only will system-level passwords foil casual or hurried snoops, they can impede even professional data thieves.

Some systems — especially portable PCs — also provide a secondary, hardware-level, power-on password for the hard drive(s). If a hacker gets past the primary password and boots the system from a floppy, CD, or USB drive, he still won’t be able to access data on the hard drive. When this password is handled by the hard drive itself, a thief is (in theory) locked out of the drive, even if it’s physically removed from your PC and placed into another system. This type of password is extremely difficult to bypass, even for pros.

The simplest way to tell which hardware-level password options your PC supports is to explore its BIOS/UEFI settings. Reboot and watch the screen for a line of text that says something like Press <F2> to enter BIOS setup. (Instead of “F2,” it might say F1, DEL, ESC, F10, or some other key.) Press whatever key is indicated, and you’ll enter the system setup pages.

Look for a page or tab labeled Security — or for something similar. Select it, and you should see options for setting a master Administrator or Supervisor password plus a separate User password. The Administrator or Supervisor password is more secure because it locks the entire PC (including BIOS access).

If your system supports hard-drive locking, you’ll also see an option for setting passwords for the system’s hard drives — often referred to as HDD0, HDD1, and so on.

Figure 5 shows a fairly typical system BIOS that lets you set Administrator/Supervisor or User passwords, set separate passwords for accessing either of two hard drives, and enable a “Password on boot” option, which prevents startup if an incorrect password is entered. Figure 6 shows a typical system-level, startup-password dialog box.

Figure 5. Settings like these (circled in yellow) add hardware-level password protection to your PC and its hard drives.

Figure 6. Once the BIOS-level password(s) is/are set, the correct password(s) must be entered into a power-on dialog box similar to this one — otherwise the PC won't boot, you can't enter the BIOS, and no software will run.

Encryption: Scrambling all the data on your hard drive (or at least scrambling your most sensitive data) offers excellent protection against even the most determined, professional-level snoops, no matter how they access your system — via local access, remote hacking, or malware.

On my systems, for example, I compress and scramble all my tax, financial, health-related, and similarly sensitive folders with the 256-bit Advanced Encryption Standard (AES) option built into the free 7-Zip tool (site). AES-256 is currently regarded as uncrackable — in any practical sense of the word. (For more on AES, see the related Wikipedia article.)

I protect those encrypted folders with different, complex, non-obvious passwords. I don’t try to remember all the passwords myself. Instead, I safely store all my passwords (including those used by 7-Zip) in RoboForm (U.S. $9.95 the first year, $20 thereafter; site), which uses its own 256-bit AES encryption. I just have to remember only one long, complex password (my RoboForm master password); the utility remembers all the rest for me. It also automatically fills in saved passwords on demand.

Thus, in the unlikely event someone stole my PC or its hard drive and managed to get past all the aforementioned security layers, they’d still have to crack my encryption to access my most personal, sensitive data.

There are other tools besides 7-Zip and RoboForm, of course; those just happen to be the ones I use. Two popular — and free — alternatives are TrueCrypt (site) and KeePass Password Safe (site), but a Web search will turn up many others. For more information and alternatives, including whole-disk encryption options, see the section of the Sept. 13, 2012, Top Story, titled “SAFE, step one: Encrypting all sensitive data.”

Some versions of Windows offer built-in file and folder encryption; others support Microsoft’s BitLocker whole-disk encryption. But there are limitations and problems with these, as explained in that same Sept. 13 Top Story — see the sections titled “Windows’ built-in encryption-tool limitations” and “Windows’ BitLocker offers whole-disk encryption.”

As safe as can reasonably be achieved: And there you have it: an up-to-date, highly secure, multilayered approach to PC security that will protect you against just about any form of attack, whether it’s remote or local, electronic or physical.

Bottom line: No single security strategy can protect you from today’s sophisticated threats. Safe computing requires the combined efforts of a firewall, always-on anti-malware, on-demand anti-malware scans, and some common sense in how you use your PC. A truly secure PC also requires multiple layers of passwords and data encryption. You have a lot of security options. Protecting your data is really up to you.

Are PC and router firewalls both necessary?

Reader Harry M. Ward is trying to sort out some firewall issues.

“I’ve read your excellent Feb. 28 article, ‘Using multiple layers of security — an update.’ I’ve also read the March 11, 2010, LangaList Plus item, ‘Let’s put your firewall to the test.’

“I just tested my router’s firewall, using the sites recommended in those stories. The tests that check the firewall’s ability to stop inbound connections found all of my ports ‘stealthed’ and invisible from the outside. But the firewall failed the leak tests — it doesn’t stop outbound connections. Should I be worried?

“Also, I’ve been told I don’t need a PC-based firewall because all ports are stealthed by the router. Is that true? (I run XP Pro SP3 on one computer and Windows 7 Pro SP1 on another.)”

Good questions, Harry. Let me answer them in reverse order:

I believe every PC should have its own internal firewall, even if a router or other external device has an operating firewall. Often there’s no obvious indication that an external firewall is working. If it fails and leaves you unprotected, you’re none the wiser.

Windows, on the other hand, constantly checks for a working PC-based firewall. If that firewall fails or is turned off by accident, malware, or some other cause, Windows alerts you via a security message in the notification area.

Although this monitoring works with various user-installed, third-party firewalls, it works best with Windows’ own firewall. I recommend — and use — the firewalls included with Vista, Windows 7, and Windows 8. They’re efficient and free, they add minimal overhead to the PC’s operation, and they have a negligible impact on network speed.

XP’s firewall, on the other hand, is 13-year-old technology that’s relatively primitive by current standards. For XP users, I recommend a third-party product such as Comodo Firewall (site; free and commercial versions). A Web search will yield many alternative choices as well.

As for inbound/outbound blocking, I believe a firewall’s main purpose is guarding against inbound attacks — attempts by unauthorized persons to find and access your PC from some external location on the Internet or other connected network. These inbound attacks are a real and persistent threat.

I’m far less concerned about a firewall’s ability to monitor and block malicious outbound connections — for example, malware phoning home. If malware is trying to phone home, you’ve already lost the battle! Your PC is infected and might already be thoroughly compromised.

If you have strong defenses that prevent malware infections and your PC stays clean, outbound/phone-home protection is effectively irrelevant.

With that said, you are, of course, free to use outbound blocking. You can use a third-party firewall that provides outbound blocking, or you can enable it in Windows’ built-in firewall. The March 17, 2011, LangaList Plus article, “Outbound blocking for Windows Firewall,” provides a description of tools and techniques.

Here’s an update to that article. The recommended Sphinx Software tool, Firewall Control, now comes in various free and commercial versions (with, of course, differing capabilities) and supports all versions of Windows from XP through Win8. See the Sphinx Software site for more information.

Bottom line: I definitely recommend using a PC-based firewall; don’t worry about outbound blocking.

Secure Internet use in public places

Gerald Gibson wondered about wireless security when on the road.

“When I travel, I like to use the wireless Internet available at hotels and motels. However, I use unsecured public connections only for general research — not for personal banking or credit-card accounts.

“What software can I use, or connection can I make, to securely check my accounts?”

Gerald, a virtual private network (VPN) will improve online security on public nets. A VPN connection uses a form of encryption to establish a secure, private channel between your PC and a VPN provider’s server. That private channel is often metaphorically referred to as a VPN tunnel because data passes directly and securely (via dedicated connections and/or encryption) through any and all intervening networks, even if they’re public and insecure. (For more, see Wikipedia’s VPN article.)

A VPN-tunnel provider becomes a trusted man in the middle for private connections to sensitive sites such as that of a bank or credit-card company.

To set up a secure VPN connection, start by establishing an encrypted link to a VPN server, usually using software supplied by a reputable VPN provider. This private connection is separate from any other connections you might have with the local Wi-Fi/Internet provider (ISP). This makes your VPN communication quite reasonably secure from any local snoops on the public (hotel, motel, cafe, etc.) network.

At the VPN-server end, your data is decrypted and passed along to its intended destination — such as your bank’s site. This leg of the connection is no more — or less — secure than, say, the connection from your home ISP to the bank. But it’s well beyond the reach of any snoops on a public net.

There’s an added benefit to using a VPN connection: your retransmitted data packets arrive at their destinations carrying the VPN provider’s IP addresses and localization data rather than yours. This means the site you’re communicating with won’t know your actual, originating IP address, location, or other identifying information — unless you specifically reveal it. Thus a VPN tunnel can be useful if you want to surf or visit sites anonymously.

The only catch to using VPN is that you have to trust your VPN provider. As the man in the middle, the provider knows who you are and where you are. An unscrupulous VPN provider could easily snoop your decrypted data. So it’s important to use only reputable companies.

The various free VPN providers are fine for lightweight, anonymous surfing. But for sensitive communications, where a security breach could have serious repercussions, it’s best to use an established commercial VPN provider with a good reputation. There are many to choose from, but here are a few to get you started:

openvpn.net: 100MB of free data transfer, with commercial accounts available for larger data volumes.

VPNReactor: free use for up to 30 minutes at a time, with paid accounts for unlimited use.

VPN Master: unlimited data transfer for U.S. $3.95 a month and up.

A Web search will show you many more VPN providers. But take your time and choose carefully!

Up against the 2TB drive-size ceiling

Reader Jeff Jones ran into a major snag when he tried to use his huge, new hard drive. That led in turn to several questions:

“I bought a new 4TB Seagate drive but then couldn’t do a Windows image or backup on it. Seagate support told me to download their DiscWizard tool and use that. The tech said all computers are outdated and Intel needs to produce a new chip to address all [new] hard drives. What is your take on this? I have a Windows 7 Home Edition PC.

“I’m a little scared to use DiscWizard or do anything that might change the system files, because I don’t have any backups and I’m currently using 213GB of my PC’s 500GB main drive. Searching Google was no help.

“Also, once I can make backups, how much space will I need for them? I presume the image of my 500GB main drive would be around 500GB.

“Finally, if I store my wife’s backups on the same external drive as my backups, is there a risk of a computer looking at the wrong files to restore?”

Those are all good questions, Jeff! Let me take them one by one:

Drive size: You’ve run into the key limitation of the Master Boot Record format currently used on almost all PCs. The MBR partition table has a 32-bit limit that caps partitions at 2.2TB. (The problem is analogous to the system-memory limitation in 32-bit systems.) If you want to format your 4TB drive using MBR, you need to split it into two 2TB partitions.

However, there are two alternatives that will allow use of all 4TB in one partition. The first (and best) method is GPT, which is designed to handle really large hard drives.

(The name GPT is actually a multilevel acronym: GPT means GUID Partition Table [Wikipedia entry]. But GUID is itself an acronym meaning Globally Unique IDentifier [Wikipedia entry]. So GPT in full is the Globally Unique Identifier Partition Table.)

GPT uses 64-bit addressing, which lets it handle drives up to nearly 10 zettabytes (ZB). (Zetta- indicates a one followed by 21 zeros! For comparison, a terabyte is designated by one followed by 12 zeros.) It’ll be a long, long time before we outgrow GPT.

The new format also lets you create more than four primary partitions on the same drive, bypassing another major MBR limitation. On PCs, full GPT support requires 64-bit Windows (Vista or later) and a UEFI (Universal Extensible Firmware Interface) BIOS. For more on UEFI, see Woody Leonhard’s Jan. 19, 2012, Top Story, “Say goodbye to BIOS — and hello to UEFI!”

The second method applies to systems with traditional BIOS and/or 32-bit Windows installed. These systems can work with partitions larger than 2TB, but to do so they need intermediary software (such as Seagate’s DiscWizard) to handle the necessary addressing conversions.

Here are additional resources and information on GPT and its issues:

Windows and GPT FAQ: Microsoft Developer Network (MSDN) article

Using GPT drives: MSDN article

Beyond 2TB: Seagate support information

Seagate DiscWizard tool: A site with a free download, user guides, and more

Backup size: Backups and images are almost always compressed to some degree, so they’re almost always smaller than the original (uncompressed) data size.

However, compression varies widely; document files, for example, typically compress by about half and .exe files by about 30 percent. Files formatted as .mp3, .jpg, .mpeg, and .zip are already compressed and won’t compress much more. On the other hand, empty space on a drive compresses almost 100 percent. So the final size of your image or backup will depend on the mix of file types you have.

If you’re currently using 213GB of a 500GB drive, I’d guesstimate an image file would be in the vicinity of 170–200 GB.

Accurate restores: The final issue you raise — the risk of restoring files from the wrong backup set — can be easily avoided by setting up separate backup folders for each PC. When you create a new image or backup set, double-check the save to location settings. That will ensure the files are written where you want them to go — and are not mixed in with another PC’s backups. If you have to do a restore, likewise verify that you’re restoring from the correct backup folder before you let the restore run.

Bottom line: Set up your 4TB drive using GPT, if you can. If you can’t, you’ll have to use a tool such as DiscWizard. Once Windows can see and access all of your enormous drive, you should be able to make your backups and images normally!

Finding and using Win8′s crash reports

Windows Secrets reader Jon wants help resolving a series of all-too-frequent crashes in Win8.

“Since installing Win8, I get a crash every few days. How can I find the crash reports and figure out what’s wrong?”

Jon, I suggest you first try Win8′s Refresh your PC without affecting your files option. (See the Aug. 15 Top Story, “A ‘no-reformat reinstall’ for Windows 8.”) The Refresh option is specifically designed to get Win8 back to a known-good state. Then, as you restore or reinstall your add-on programs one by one, you should find the program that’s triggering the problem.

But to answer your specific question: Win8 usually stores its crash data here:

C:\Memory.dmp

Some types of crashes also generate user-level data files here:

C:\Users\[username]\AppData\Local\CrashDumps

But interpreting the information in a crash-dump file isn’t fun or easy — you might have to install some extra software to help analyze what’s going on.

There’s lots of deep-geek information available online at MSDN, if you want it:

Crash dump analysis

Analyzing crash reports

Collecting user-mode dumps

Microsoft also offers some developer-level tools to help interpret the information in crash dumps. For example, the MSDN page, “Download and install debugging tools for Windows,” contains many links to free and paid tools.

You can also try the DaRT Crash Analyzer Wizard (TechNet info) if you’re a paid subscriber of Microsoft’s Software Assurance, MSDN, or TechNet.

But with luck, you won’t need any of that — a simple refresh will get you going again, fast!

Working with user accounts in Windows 8x

Reader Jim March ran into trouble when trying to change his Win8 user accounts from administrator to standard — and back.

“I just finished reading Susan Bradley’s [Nov. 7] Top Story on how to get Win8.1 installed with a local account. It was great!

“Having just struggled with most of the issues she raised, I noted one more issue not mentioned. It appears that Win8.1′s Control Panel no longer lets you set a user to either administrator or standard privileges.

In fact, if one uses a Microsoft account for the Win8.1 installation and then creates a local account, the first account is automatically set to administrator and the second account is set as standard. I could find no method to change their status.”

There are several ways to change account types in both Win8.0 and 8.1 — but there also are a few gotchas.

For example, Win8x tries to ensure there’s always at least one admin account available. This makes perfect sense — someone has to be in charge! So if there’s only one admin-level account on your PC, Win8x normally won’t let you downgrade that account to Standard until you’ve created another, separate, administrator-level account.

That said, here are three different ways to change account types in both Win8.0 and 8.1. In all cases, you should be in an administrator’s account to make the changes.

The Control Panel method is my preferred way of changing account types. It’s easy and straightforward.

Via the Windows key + X (Win-X) menu, open the Control Panel and click User Accounts and Family Safety/User Accounts.

In the User Accounts dialog box, note the section labeled Make changes to your user account, shown in Figure 7.

Figure 7. The Control Panel's User Accounts window lets administrators modify their own accounts or others' accounts.

If you wish to change your own account type, simply click Change your account type.

If you wish to change a different account, click Manage another account. In the next dialog box, select the account you wish to change; then select Change the account type.

Use the radio buttons to select the account type — Administrator or Standard. (Caution: Before changing an account from administrator to standard, make sure there’s at least one other administrator account on the system.) When you’ve made your choice, click Change account type at the bottom of the dialog box.

Exit the Control Panel.

The netplwiz User Accounts method is a little more complex, but it offers more options:

Open Windows’ Run dialog box, either by opening the Win-X menu and selecting Run or by pressing Windows key + R.

Type netplwiz in the text-entry box and then click OK. A User Accounts dialog box will open.

Select the account that you want to change and click the Properties button.

In the Properties dialog, select the Group membership tab.

Set the account to whatever type you wish: Administrator, Standard, or Other. Selecting Other opens a new list of available options (if any) for the selected account. Again, before downgrading any account from administrator, be certain you’ll leave at least one admin account on the system.

When you’re done, click OK and exit User Accounts.

The Metro-based PC Settings method is the one I don’t recommend. It introduces another variable — local account vs. Microsoft account — that can needlessly complicate the process. For that reason, I won’t go into its details here. But if you want more information, open Win8′s Help and Support dialog box and enter the search phrase Standard accounts versus administrator accounts.

One of these methods surely will let you accomplish your goals!

Win7′s XP Mode virtual disk can grow huge

Windows 7′s XP Mode is great! It’s a free, virtual-machine setup from Microsoft that comes with its own fully licensed copy of XP Pro SP3 inside. (See the Sept. 22, 2011, Top Story, “Using Windows 7′s XP Mode — step by step.”)

Like many readers, James Dejean uses XP Mode to run some ancient software on his current Win7 PC.

But, as he discovered, XP Mode’s virtual hard drive can become exceedingly bloated.

“I still need to run an old copy of MS Works, installed in XP Mode on my Win7 PC. It runs fine, but I have a concern.

“The baseline, parent virtual hard disk (.vhd), located in \Program Files\Windows XP Mode, is just 1.1GB in size. But the differencing virtual hard disk, in \Users\James\AppData\Local\Microsoft\Windows Virtual PC\Virtual Machines, has grown to almost 30GB — and shows no signs of stopping.

“Moreover, that second .vhd also exists in 27 unmovable fragments, scattered throughout a 120GB partition. I suppose those fragments contain the necessary programs and data. Defragmentation has no effect [on reducing the size of the virtual hard-disk file].

“I read a Microsoft TechNet article about compacting dynamically expanding virtual hard disks. It advises defragmenting and using a non-Microsoft utility to ‘zero-out’ deleted data. I’ve not attempted doing so; I’ve trepidation about screwing up.”

“How can I reduce the size of the 30GB file?”

James, the problem isn’t so much XP Mode’s use of a dynamically expanding virtual disk (one with no fixed size) but rather, as you noted, that it’s based on a differencing virtual disk.

A differencing disk uses a baseline virtual drive as a starting point but then keeps track of the changes you make as you use the virtual system. The original, baseline virtual drive is left unchanged; all changes — differences — between the untouched baseline system and the in-use system are written to the second differencing disk.

Unfortunately, the accumulating changes to the system eventually occupy a lot of space, as you discovered.

That drawback is offset by a potentially major benefit: a differencing disk may let you roll back changes. Think of it as an elaborate, disk-level undo. Because you always have the unaltered, original baseline disk, you can — in theory — roll all the way back to the original setup when you need to.

Again, in theory. Not all virtual PC setups have that roll-back capability. XP Mode, for example, is a limited, special-purpose kind of virtual PC. Although it uses a differencing disk, it doesn’t have a full roll-back option. In other words, XP Mode retains a differencing disk’s primary drawback — ever-increasing disk size — without providing the offsetting benefit of easy roll-backs.

But you’re not stuck; there are ways to control the size of XP Mode’s differencing disk.

The official method is called compacting, and it’s described in the TechNet article, “Modify a virtual hard disk.” The same instructions are accessible from inside XP Mode as well. Click Tool/Settings, select Hard Disk 1, and then click the link for More about creating and modifying virtual hard disks.

There are, however, two problems with the official method. First, I find it less reliable and more difficult than the instructions suggest. I’ve had hit-or-miss results — sometimes with permanent, fatal errors that ruin the XP Mode setup.

Second, the official method doesn’t tell you to make a backup first. Major disk operations of any sort — on real or virtual hard drives — always entail some risk. It only makes sense to preserve your files and data, either by making a full backup or, at the least, by exporting your data. Save the backup files or exported data to a safe location that’s not part of the current XP Mode setup — e.g., on your main hard drive, on an external drive, or on DVDs/CDs.

That said, I believe there is a better, simpler, safer solution for managing your XP Mode virtual drive. Export your MS Works and similar data to a safe place and then remove your current, messy XP Mode setup. Wipe it out completely!

There’s just one speed bump you’ll have to traverse: XP Mode doesn’t uninstall via the normal, Control Panel method. Instead, you must use the removal method described in the TechNet article, “Remove Windows XP Mode, virtual machines, or Windows Virtual PC.”

Once XP Mode and its virtual hard drive(s) are completely gone, you then can defragment your system in the usual way.

Finally, download and install a fresh copy of Win7′s XP Mode (free; site). Once your new XP mode setup is installed and running normally, reinstall Works (and any other applications you wish) and then import the related data from wherever you saved it.

You now have a lean, clean XP Mode setup, with the smallest-possible differencing hard disk.

Eventually, if the differencing disk gets overgrown again, simply repeat the process and start anew!

Note: There’s another option you should consider. Instead of using XP Mode’s limited, special-purpose virtual PC, use a full-blown, third-party virtual-PC setup such as Oracle’s free VirtualBox (site). You’ll have to provide your own, licensed copy of XP (or whatever operating system you wish). But you’ll have full control over your entire virtual environment. That will make it easier to manage disk type and size — and all other variables.

See the next item below for more information on using a third-party virtual machine. (That item focuses on Win8, but the information generally pertains to earlier Windows versions as well.)

Of course, if you don’t have your own, legit, copy of XP on hand, XP Mode is your go-to option; again, it comes with a licensed copy of XP Pro SP3 built in.

If you stick with XP Mode, use either the official compacting method or my export-reinstall-import method — you can then enjoy XP Mode’s benefits without having it consume an undue amount of your hard drive!

Running Windows XP–era software in Win8

Amanthia Merchant needs to use some old, XP-era software on her new Win8 PC.

“Hi! Can Windows XP be installed on a Windows 8 PC system? I have course software that’s made for Windows XP, and I’d like to know if I can do the work on my Win8 system?”

If you’re thinking about a dual-boot configuration with XP and Win8, I don’t recommend it. Win8′s Secure Boot and the EUFI BIOS in most newer PCs make dual-booting far more complicated than with earlier versions of Windows. (See the Oct. 3 LangaList Plus, “The pitfalls of Windows 8′s Secure Boot.”)

There are better, less complex, and far easier ways to get XP-era software running in Win8.

Windows Compatibility Mode: Win8 has a capable, built-in feature that might get many older programs running, automatically. Compatibility Mode provides whatever type and level of system services an older program expects to see. It can actually trick an older program into thinking it’s running on the Windows version it was designed for!

Compatibility Mode is easy to use — just try installing your XP-era software in the normal way. If that doesn’t work, manually invoke Win8′s Program Compatibility Assistant: Right-click the old software’s icon, select Troubleshoot compatibility, and then follow the on-screen instructions.

And if that doesn’t work, you can further explore Compatibility Mode using the instructions on the Microsoft support page, “Make older programs compatible with this version of Windows.” (That page is specifically for Win8.1, but the same basic steps also apply to 8.0.)

A virtual machine: If Compatibility Mode proves futile, the next option is to install a third-party virtual machine.

I recommend and regularly use Oracle’s VirtualBox (site). It’s free — but as with all third-party virtual machine software, you have to provide your own legitimate copy of whatever operating system you wish to install inside it. VirtualBox currently runs roughly 50 different operating systems (see list), including XP.

Here’s how it would work for you, Amanthia. Download and install VirtualBox (or the virtual machine software of your choice) on your Win8 PC. Next, install your copy of XP inside the virtual machine. Finally, install your old software in the virtualized XP setup. (For more on setting up VirtualBox, see the March 14, 2012, Top Story, “Step by step: How to safely test-drive Win8.” It was focused on setting up a Windows 8 virtual machine — but the steps are similar, and it’ll get you started.)

An application installed on the XP virtual machine doesn’t see the Win8 host system — the app thinks it’s installed on a totally normal, standalone, XP PC. But the XP virtual machine can access and use the Win8 PC’s hardware (keyboard, mouse, display, printer, etc.), networking connections (drives and other systems on the Net plus the Internet), and so on.

It works great! (See Figure 8.)

Figure 8. Here's XP Pro SP3 running in a virtual machine on my Win8.1 Pro system.

So, Amanthia, you have multiple options for getting old, XP-era software running on Win8. Try the automatic or manual Compatibility Modes first; if those fail, use a virtual machine.

The virtual machine option almost always works; it can get even some of the oldest, funkiest software running on today’s newest PCs and operating systems!

Show more