Putting Wi-Fi router’s security to the test

A book to help you think — effectively

Many people enjoy puzzles as a means of entertaining themselves while exercising their minds. V. Anton Spraul uses puzzles to illustrate the ways real problems are solved by programmers. Spraul’s book Think Like a Programmer: An Introduction to Creative Problem Solving introduces concepts and methods of creative problem-solving to would-be programmers, but the strategies work for anyone with problems to solve. This month, all Windows Secrets subscribers can download an excerpt: Chapter 1, “Strategies for Problem Solving,” in which readers learn important terms and the importance of rules in problem-solving. If you want to download this free excerpt, simply visit your preferences page and save any changes; a download link will appear. All subscribers: Set your preferences and download your bonus Info on the printed book: United States

Putting Wi-Fi router's security to the test

If your Wi-Fi router supports Wi-Fi Protected Setup (WPS) — and most newer home/small-business routers do — it might easily reveal its passwords to a readily available hacking tool.

You can use that tool to be 100 percent certain your router isn’t vulnerable to malicious WPS hacking. Here’s how.

Recap: Why WPS routers are typically not secure

Think your Wi-Fi router’s safe because you use a long and complex passphrase? Think again! In the Dec. 13 Top Story, I discussed a fundamental security flaw in most routers using WPS technology.

In short, all WPS-enabled routers have a built-in, easily hackable back door: a simple, vendor-assigned PIN (personal identification number) of just six to eight numerals. This PIN can easily be guessed by free hacker tools that run on ordinary laptops — or even smartphones.

A hacked WPS PIN opens the door to your entire Wi-Fi network. With the correct PIN, an attacker can recover a router’s passphrase, giving him full access to a Wi-Fi network. Here are the key points from last week’s story:

• All WPS-enabled routers are vulnerable to this kind of PIN hacking.
• The only way to prevent this type of hacking is to disable WPS.
• Some routers are supposed to time-limit or otherwise automatically disable WPS, but there’s no obvious way to know whether this is working.
• Some router configuration software is faulty; even if you disable WPS in the router’s setup menus, WPS will actually still remain active — and vulnerable.
• The only sure way to determine whether your router is vulnerable to WPS PIN hacking is to test-hack it yourself. The easiest way to do so is with a free, open-source, white-hat hacking tool called Reaver.

In this article, I’ll walk you through the use of Reaver and some associated tools so you can see whether your own network is vulnerable to WPS hacking.

Note: Reaver’s intended use is to sniff out router vulnerabilities so they can be corrected. However, black-hat hackers can also use it to steal PINS or for other malicious purposes. I shouldn’t have to say this, but for the record:

Please don’t use Reaver for any purpose other than testing your own router’s security!

Let’s get started!

Building a bootable Linux system with BackTrack

Reaver is a Linux-based tool that’s almost absurdly easy to use. A simple, one-line command sets off its WPS PIN-sniffing process. If your router is vulnerable, Reaver will find its PIN within a few hours. It will then use the PIN to recover and reveal the router’s passphrase — as simple as that.

For many Windows users, the hardest part of using Reaver is getting Linux going and gathering the Wi-Fi configuration information Reaver requires.

Fortunately, there’s an easy shortcut: run Reaver via a preconfigured, live Linux installation on a bootable DVD. There’s almost no setup or configuration involved; no partitioning, reformatting, or any similar operations; and your original Windows setup remains untouched and unchanged.

There are many bootable Linux distributions (versions) available, but I picked BackTrack 5, a self-contained, free, bootable, Debian Linux installation that’s optimized for network security testing. The BackTrack home page has links to hardware and Wi-Fi compatibility information, how-tos, troubleshooting, training info, FAQs, and more. It’s worth spending some time there.

Here’s how to install BackTrack 5, step by step.

• When you’re ready to go, grab a free copy of BackTrack from its download page. As shown in Figure 1, I chose a 32-bit, ISO, Gnome-desktop version of the BackTrack Live DVD, downloaded directly (not via Torrent) to my Windows-based PC. All following screenshots are based on that version of BackTrack.
  

  Figure 1. My selected options for downloading BackTrack

• Once the 3.1GB download finished, I burned it to DVD. (Need help? See Microsoft’s article, “Burn ISO images natively in Windows 7.”)
• Now insert the bootable BackTrack disc into your Wi-Fi-capable desktop or laptop and reboot.

  Initially, the BackTrack DVD boots to a plain screen showing just a line of informational text and a Linux command prompt that says, simply, boot. When you see that prompt, press Enter.

  

  Figure 2. BackTrack's initial Linux command-line boot prompt

• Next, you’ll see a screen labeled BackTrack 5 CD. BackTrack’s boot process pauses to let you select various optional configurations. For our purposes, the default choice — BackTrack Text (selected in Figure 3) — is fine. Press Enter — or do nothing and let BackTrack automatically boot in 30 seconds.
  

  Figure 3. BackTrack will automatically launch.

• After a flurry of system activity, you’ll see at the bottom of the screen a text-mode command prompt. Mine read: root@bt:~#, but yours might be slightly different, depending on your setup.
  

  Figure 4. Look for the command prompt (typically something like root@bt:~#) at the bottom of a long screen of text.

• Now launch BackTrack’s full graphical desktop interface. Type startx at the command prompt and press Enter.
  

  Figure 5. Entering startx at the command prompt launches BackTrack's graphical desktop interface.

• After a few moments, BackTrack’s desktop will appear. You now have a familiar point-and-click environment that’s conceptually much like Windows.
  

  Figure 6. BackTrack's Windows-like desktop

• Currently, BackTrack 5 does not come with Reaver preinstalled, but it’s simple to add it. To start, you need to connect temporarily to your Wi-Fi network.

  On BackTrack’s main screen, click Applications/Internet/Wicd Network Manager.

  

  Figure 7. Connecting to Wi-Fi via BackTrack's Wicd Network Manager

• If your network is broadcasting its service-set identifier (SSID — your network’s name), select it from the resulting list. Click Connect and enter your Wi-Fi network’s normal passphrase.

  If you’ve previously disabled SSID broadcasting, click Wicd Network Manager’s Network button and select Find a Hidden Network. Type in your network’s SSID and passphrase.

  To download and install Reaver — and to do your test-hacking later — you need to open a Linux command-line Terminal window.

  

  Figure 8. Look for BackTrack's command-line Terminal button at the top of the screen.

• Next, update BackTrack’s list of available apps by typing the following string at the command prompt:

  apt-get update

  

  Figure 9. Updating BackTrack's applications

• When the update is finished, install Reaver by typing the following text at the command prompt:

  apt-get install reaver

  

  Figure 10. Installing Reaver from the terminal command prompt

• With Reaver installed (it has no graphical interface; just follow the text that appears on-screen), go back to the Wicd Network Manager window and click Disconnect to turn off your Wi-Fi connection.

Identifying your specific wireless LAN

The next step is to gather some information about your specific Wi-Fi interface and setup. Fortunately, all the tools you’ll need are built into BackTrack.

• Start by finding your system’s wireless LAN (wlan) interface identifier. It’s easy: At a Terminal window’s command prompt, type iwconfig and press Enter. Next, look for an entry labeled wlan[X], where [X] is a number such as 0, 1, or 2. Most systems’ wireless LAN interface will be wlan0, as highlighted in Figure 11.
  

  Figure 11. My system's wireless LAN interface identifier, highlighted in yellow

• Now, put your wireless card into monitor mode so it can listen passively to all the Wi-Fi routers within range. Enter the following command at a terminal window’s prompt:

  airmon-ng start wlan0

  (If your wireless interface was identified as wlan1, wlan2, or some other designator, use that instead of wlan0.)

• You’ll see output that looks something like what’s shown in Figure 12. Make note of the monitor mode enabled on mon[X] line (again, [X] will be a number such as 0, 1, 2, etc.). In most cases, the monitor mode will be mon0.
  

  Figure 12. In passive-monitoring mode, the monitoring mode's numeric designator is typically mon0.

A brief technical aside might make the next step easier to understand. As mentioned earlier, your Wi-Fi router’s SSID is the network name it broadcasts. But an SSID actually has two separate, independent components: the human-friendly name of a Wi-Fi network, formally known as the ESSID (extended service set identifier); and a manufacturer-assigned, alphanumeric, machine-friendly BSSID (basic service set identifier).

• The next step is to find your router’s BSSID. In a terminal window, type:

  airodump-ng wlan0

  As before: if necessary, change the wlan0 to match your Wi-Fi LAN’s designator.

• The above command will produce a live display (or dump) of information from all Wi-Fi LANs in range of your system. Find your LAN’s ESSID (human-friendly name) on the right side of the list, and then make a note of its associated BSSID on the left. In this case, my ESSID is NETGEAR and the BSSID is A0:21:B7:B0:D1:A1.
  

  Figure 13. Finding your router's BSSID by looking for its ESSID. (I've blurred some of the information from my neighbors' routers to protect their privacy.)

If you previously disabled SSID broadcasting, and your router does not appear on the airodump-ng listing, congratulations! Your router should not be vulnerable to WPS hacking. You’re done — you don’t have to go on to the next steps.

On the other hand, if your router does appear on the list, it’s time to get, ah, cracking with Reaver.

Letting Reaver do its PIN-cracking thing

A Reaver run typically takes two to 10 hours. It’s best to start Reaver in the evening (when you don’t need your PC or your Wi-Fi) and let it run overnight. You can check the results in the morning.

The following steps will work in the majority of cases, but if you run into trouble getting Reaver to work, check out its wiki, FAQ, hardware-compatibility info, etc. on the Reaver site. If that doesn’t help, there’s a list of additional resources at the end of this article.

• Set Reaver loose on your network with the following one-line command, entered in a BackTrack Terminal window. Replace the items in square brackets with your network’s specific designators.

  reaver -i mon[X] -b [BSSID] -vv

  For example, using my mon0 monitor interface and A0:21:B7:B0:D1:A1 BSSID, my command is:

  reaver -i mon0 -b A0:21:B7:B0:D1:A1 -vv

• Press Enter; Reaver will then try to initiate a WPS session with your router (repeatedly, if necessary) and will then try to hack in by plodding through all possible WPS PIN codes — one after another.

  Figure 14 shows the kinds of messages it might display as it attempts to hack your WPS PIN.

  

  Figure 14. Reaver tells you everything it's doing, including the status of its connection attempts and the PINs it's trying.

If you previously turned off WPS and/or disabled SSID broadcasting in your router’s configuration screens (as recommended in last week’s Top Story), Reaver will fail to find a working PIN and passphrase. If so, congratulations! You’re safe from WPS hacking.

But if Reaver finds a working PIN (and/or the router’s passphrase), it will be displayed on-screen. In that case, you’ll know that your router is vulnerable to WPS hacking. Thank your lucky stars that you found this vulnerability before local hackers did!

To possibly eliminate the WPS vulnerability, check your router manufacturer’s support pages to see whether there’s a new firmware update available for your router. If so, download and install the new firmware, and then re-test the new setup with Reaver.

If the updated firmware also succumbs to Reaver, your only real options are to get a better, newer router that properly controls and disables WPS, or replace the factory firmware with third-party firmware from a resource such as the open-source dd-wrt.com (site).

And of course, test the new router or firmware with Reaver, too!

Additional instructions, info, and tools

These links to online sites should provide everything you could want to know about WPS and Reaver.

• Wikipedia: Wi-Fi Protected Setup
• Smallnetbuilder.com: How is WPS supposed to work?
• Threatpost.com: Attack tool released for WPS PIN vulnerability
• Arstechnica.com: Researchers publish open-source tool for hacking Wi-Fi Protected Setup
• H-online.com: Wi-Fi Protected Setup made easier to brute force
• Reaver-wps: Wiki, FAQ, etc.
• Tacnetsol.com: Cracking Wi-Fi Protected Setup with Reaver
• Arstechnica.com: Hands-on: hacking Wi-Fi Protected Setup with Reaver
• Lifehacker.com: How to crack a Wi-Fi network’s WPA password with Reaver

Generous in the Lounge all year 'round

For excellent examples of what’s great about folks who use the Windows Secrets Lounge, take a look at the Hardware forum.

In particular, see the problem posed by Lounge member Linda, who can’t decide whether she should attempt to install a new internal hard drive by herself. Whereupon Hardware forum members walk her through the task — carefully, kindly, and with screen shots.

You too might benefit from the tutorial assembled for Linda.

The following links are this week’s most interesting Lounge threads, including several new questions for which you might have answers:

Office Applications
General Productivity	Help upgrading from Office 2000 to Office 2013
Word Processing	Underlining list elements in Word 2010
Spreadsheets	Auditing utility accounts (with pivot table?)
Databases	Way to import external data automatically?
Presentation Apps	Movie Maker settings for PowerPoint
Visual Basic for Apps	Broken revision object in Word VBA
Microsoft Outlook	Calendar lost appointments
Non-Outlook E-mail	Fifty photos in one e-mail message?
Windows
General Windows	What are Xmarks bookmarks?
Windows 8	Interesting thing happened on the way to the forum
Windows 7	Still no restore points or backups after hours of waiting
	Windows Update losing update history
	Windows 7 wireless and other problems
Windows Vista	Should Java be on or off in Windows Vista?
Windows XP	Problem with MSE
Windows Servers	Error in backup
Internet/Connectivity
Internet Explorer	IE 9 and HTTPS
Third-Party Browsers	Firefox plugins
Application Servers	Looking for new e-mail service
Networking	Random, regular Cox Cable Internet-service disconnect
Social Media	Always up-to-date Facebook privacy guide
Other Technologies
Security & Scams	Links might look real, but they’re false!
Maintenance	Reminder to make backup images
Hardware	Installing internal hard drive
Graphics/Multimedia	Do I need Nvidia software?
Other Applications	Microsoft popups in SkyDrive

starred posts: particularly useful

If you’re not already a Lounge member, use the quick registration form to sign up for free. The ability to post comments and take advantage of other Lounge features is available only to registered members.

If you’re already registered, you can jump right in to today’s discussions in the Lounge.

Real law applies to you et al. at Facebook

When it comes to the ownership of content posted on Facebook, most users are either misinformed or completely unaware. A few are simply self-deluded. You might have noticed this recent trend on the mammoth social-networking site — friends posting copyright declarations on their Facebook walls (er, timelines) and requiring their consent for any commercial use of their Facebook content. Well, friends, here’s a witty presentation of the facts. It’s food for thought on what you post — on Facebook or any other site. Play the video

MS Security Essentials: Poor showing in new test

Recently, a steady stream of reader mail shows concern about Microsoft’s consumer antivirus software’s decertification by a third-party AV testing site.

It’s important to put AV testing results into context before deciding whether it’s time to switch security tools.

Test finds MS Security Essentials inadequate

In its September/October malware test report, AV-TEST gave Microsoft’s free anti-malware utility low AV protection scores and revoked its certification of MSE. It’s not the first time MSE has fared poorly in independent antivirus tests — and probably won’t be the last.

Although I’ve recommended MSE in several stories, I’ve also written about past failures. For example, I deliberately re-created one of MSE’s most publicized early failures for the April 7, 2011, Top Story, “LizaM**n infection: a blow-by-blow account.” (I’ve obscured the name of the malware so as not to trigger hyperactive e-mail filters.)

I wrote about MSE shortcomings in the May 19, 2011, LangaList Plus item, “MSE delivers mixed results in antivirus tests,” and again in the recent Nov. 8 item, “New tests pan Microsoft Security Essentials.”

It might be worthwhile to go back and quickly reread those articles, which provide context and details I don’t have space to repeat here.

If these failures make you not trust MSE, then by all means switch to another tool! No software is ideally suited for every configuration, every situation, and every user. In fact, in that Nov. 8 story, I wrote:

“MSE is probably not the best choice for novice users and those who rarely think about PC security — users who click any link that interests them and who ignore security warnings. Those users need lots of protection — mostly from themselves!”

The most important point: Viruses and malware don’t teleport into your PC — they’re let in. In almost all cases, that means opening a seemingly innocent attachment, clicking a bogus “You’re infected!” popup, or visiting malware havens such as porn sites.

With a modicum of common sense, you can avoid these all-too-common infection vectors. Include basic browser-level protection against bad links, bad sites, and phishing (all the major browsers now have that protection built in and turned on by default), add in real-time/full-time anti-malware tools, and you’re pretty well protected.

Not without some consideration, I’ve been using MSE on all 14 (four physical systems and 10 virtual PCs) of my Windows systems for several years now. I use MSE alone on 13 of the systems but add Malwarebytes (site) as a backstop on my primary system — just to be extra safe.

Some of these systems are online 24/7; all are used heavily. Yet not one of these 14 systems has ever succumbed to malware of any kind (with the exception of that deliberate, manually induced LizaM**n infection).

How do I know my systems are safe? I do regular, periodic verification scans with independent, standalone security tools such as ESET’s Online Scanner (site), Microsoft’s Safety Scanner (site), or Trend Micro’s House Call (site).

I don’t dispute the lab-test findings, but I also know that in real-life conditions, MSE has worked fine for me.

It’s also worth noting that malware testing is a snapshot in time. Malware and anti-malware are in a constant game of one-upmanship. For every move made by a malware maker, there are countermoves by anti-malware vendors — and vice-versa. This means that an anti-malware product that fails today might succeed tomorrow — and then fail again with some new strain of malware. No matter which AV tool you use, there are no guarantees.

That’s why good security begins with good Internet habits.

Bottom line: I’m still comfortable using MSE. It’s proven reliable on my systems, and it’s easy to use. If you’re not comfortable with MSE, then pick another tool! There are many other good products available, both free and paid. I list six products in the Feb. 16 Top Story, “Is your free AV tool a ‘resource pig’?”

You should always weigh any recommendations — pro and con, from me or anyone else — against your criteria, experience, and operational needs.

Using Microsoft Virtual PC with Win8

Reader Paul Coulter wants to test-drive Win8 inside a Microsoft Virtual PC.

• “Although I have a multiboot system, I’d like to boot Win8 into a Microsoft Virtual PC, where I have XP residing. There have been instructions on using other virtual machines with Win8, but I’ve not seen a Windows Secrets article on how to install Win8 into Microsoft Virtual PC. Is it possible?”

Short answer: Nope! Sorry. Microsoft Virtual PC (more info) currently doesn’t support ACPI 2.0 (Advanced Configuration and Power Interface version 2; info), which Windows 8 requires.

An MSDN blog post states that Win8 cannot run on any of these virtualization tools:

• Microsoft Virtual PC (all versions, including the Win7 variant called “Windows Virtual PC”)
• Microsoft Virtual Server (all versions)
• Windows 7 XP Mode
• VMware Workstation 7.x or older

But that same blog post says that Win8 will run fine in these virtual environments:

• Microsoft Hyper-V (the successor to Microsoft Virtual PC; built into Server 2012 and Win8; TechNet info)
• VMware Workstation 8.0 (and above) for Windows (free; site)
• VirtualBox 4.1.2 (and above) for Windows (free; site). VirtualBox is what I both use and recommend to run virtualized Windows 8.

By the way, if you’d like a free copy of Windows Server 2012 (U.S. $750; includes Hyper-V), you can download a fully functional, six-month trial version, gratis, from a Microsoft Software Downloads site.

Solid state–drive installation problems

Stan is wondering about adding an SSD to his system.

• “Your [July 5] Top Story, ‘Some ugliness installing an after-market SSD,’ struck my fancy. I just love it. I’m a strong believer in modifying gadgets to fit and work as we want and need.

  “I admire your willingness to sacrifice warranties by removing the fins and taking apart the SSD drive. Great job.

  “Question: Would the SSD without the case (just the board) fit into the bay with the fins/ribs untouched? I am planning a similar setup, hence the question.”

There’s so much variation in SSD and notebook design that there’s no way to give a universal answer. But even partly disassembled, the drive wouldn’t fit into my system without the fin-ectomy.

If you’re interested in fitting an SSD into your system without having to do hardware surgery, I suggest you shop for half-height drives and buy only from a vendor with a liberal return policy.

Even at that, “half-height” isn’t a firm specification. But it will get you smaller/shorter SSDs than are typical. Plus, there are a lot more half-height SSDs available now than when I shopped for mine.

When the SSD arrives, don’t plug it in or format it or move any data to it. In fact, don’t do anything with it at all, except to test whether it fits into the target drive bay. If it does, great! You then can go about setting up the drive as you wish.

If the drive is simply too big, send it back, unused. The SSD — and your laptop’s warranty — will still be intact!

Free BUTOZIP Backup Tool

Reader Jeffrey Knauth would like to share a custom back-up script he wrote. Intended for intermediate-to-advanced users, it lets you create custom backups of whatever files and folders you specify. The backups are compressed into ZIP files (hence the name “BUTOZIP” — “back up to ZIP”).

• “Fred, I recall you wrote long ago about automating a daily backup of key files. That led me to write a tool — BUTOZIP — which does just that job on my systems. When invoked, it creates a .zip file, uniquely named with a sequence number, the date and time it was invoked, and the user ID of whoever launched it (to handle multi-user systems). This naming lets me keep many well-organized generations of backups in the same target directory.

  “I run the tool once a day via the Task Scheduler, as well as manually if needed — e.g., a one-shot backup to a flash drive. Although I back up fairly large amounts of data (mail logs, FTP source files, financial files, macros, etc.), it all gets zipped into an under-100MB file, which copies quickly to a hard drive or flash drive.

  The process has been particularly useful for me. With many generations of easily accessible and readily identifiable backup files available, I can quickly get a copy of a needed file — exactly as it existed days, weeks, months, or years ago.

  “I originally wrote this tool for Windows XP, and I’ve carried it forward to subsequent Windows versions. (It still runs on Windows XP.) Because it’s a simple .bat file, the only thing that needs to be installed is the free 7-Zip program (command line version; site). The tool is described on my BUTOZIP.BAT site.”

Thanks, Jeff. Nice work!

Jeff’s sample script, ready for modification and/or editing, can be copied from an online text file; the instructions are on his site, referenced above.

I currently use Windows’ built-in back-up tools, because they adequately serve my needs. (See the May 12, 2011, Top Story, “Build a complete Windows 7 safety net.”) But if you need a custom backup solution, Jeff’s tool might be just the ticket.

Thanks again, Jeff!

Eight simple steps for setting up Windows 8

Here you are, faced with a new Windows 8 computer — a gift, perhaps, or maybe a machine you have to get going for a friend or family member.

What on earth do you do with it? How do you start without, uh, Start? Let me take you through eight easy steps toward Win8 enlightenment.

Step 1: Make sure you got the right version

Before you even take that new computer out of its box, make sure you have the version you want and can use. That might sound stupid, but it truly isn’t. A distressingly large number of new computer buyers are getting (or giving) Windows RT tablets/convertible laptops without understanding that Windows RT can’t run traditional Windows programs.

There’s nothing inherently wrong with Windows RT. Microsoft Surface tablets run RT, and those devices seem like a good solution for doing light-duty work with Word or Excel on a light, portable device. But if you have or receive a Windows RT tablet and are anticipating running common programs such as, oh, 7-Zip, Foxit Reader, Firefox or Chrome, or Windows Live Mail, you’re in for a rude surprise.

If you have any doubts about the differences between Windows RT (which isn’t really a Windows operating system at all — at least not in the sense that you’re thinking) and Windows 8, read my Oct. 25 Top Story, “Win8 vs. Windows RT: What to know before you buy.”

Here’s another version difference to note. As I explained the April 26 Top Story, there are two primary versions of Windows 8: one called (imaginatively) Windows 8 and another, Windows 8 Pro. The differences between the two are similar to the differences between Windows 7 and Windows 7 Professional.

Both Pro versions can join corporate domains and include the Encrypting File System and the Group Policy Editor. They can also act as a server (or host) in a Remote Desktop session.

New to Windows 8 Pro is a desktop version of Hyper-V, Microsoft’s virtual machine product. I’ve used Hyper-V often, and I like it. Those of you struggling with XP Mode in Win7 Professional should take a look at Hyper-V in Win8 Pro. It’s impressive.

One more additional capability appeared only last month: If you have a Win8 Pro machine, you automatically qualify for downgrade rights. In theory, at least, you don’t need to buy anything additional to change your Win8 Pro machine to Win7 Professional. I say “in theory” because the major hardware manufacturers aren’t making the downgrade easy. Still, if you want to buy a Windows 8 machine and have the comfort of knowing you can switch back to Windows 7, make sure you get Windows 8 Pro.

Step 2: Get yourself educated and oriented

If you’ve used Windows for a while and are just starting with Windows 8, the first blast of the Metro Start screen will leave you wondering whether you’re in Kansas anymore.

Do yourself a favor. Work your way through my Windows 8 orientation article — the Nov. 1 Top Story, “Win8 boot guide: Your first hour with the new OS.”

Work all the way through it. Don’t worry. I’ll wait.

Step 3: Get rid of the preinstalled junk

I thought the hardware manufacturers had finally gotten a clue and stopped installing crapware into their new Win8 machines. Man, was I wrong.

Some hardware companies insist on putting third-party antivirus products on new Win8 machines. I won’t bother to elaborate what I think of the rest of the extras.

If you got stuck with a pile of factory-installed garbage, now’s the time to clean it out. Unfortunately, you can’t do a simple Windows 8 Reset or Refresh to remove the junk. The manufacturers rig the refresh image so it includes all the unwanted stuff they originally put on the computer.

Decrapifying a Windows 8 computer is identical to cleaning up a Win7 system — except the Control Panel is initially a bit harder to find. The easiest way is to press Windows key + X to pop up the hidden Win-X menu. Click Control Panel and continue as you have in Windows 7. In the default view, under Programs, choose the link to Uninstall a Program. Then go through the list of software and mercilessly cull, cull, cull. (Yes, you can safely get rid of the manufacturer’s support programs, demo versions of any software, browser plugins, and that stupid antivirus/firewall program your manufacturer so helpfully put on your machine.)

Step 4: Change some basic Windows settings

I always make Windows show me file-name extensions. For years, many Windows users have been burned in odd ways by not being able to see the (usually) three-letter extensions, such as .exe or .doc.

To make Win8 show you file-name extensions, swing over to the old-fashioned Windows desktop by clicking the Desktop tile on the Start window. Click the file-folder icon in the taskbar at the bottom of the screen. (We used to call the program that appears Windows Explorer; now it’s File Explorer. Fair enough.) At the top of File Explorer, click the View ribbon tab. Next, check the box marked File Name Extensions. While you’re at it, check the next box, too — Hidden Items.

If your computer has only one account, it’s an administrator account. Although Windows 8 now makes it considerably more difficult to shoot yourself in the foot when using an admin account, I generally recommend that people set up a second — standard — account and use it most of the time. You can also use a second account to switch back and forth between a Microsoft account and a local account — a topic I discussed at length in the Nov. 15 Woody’s Windows article, “Microsoft Accounts: The good, bad, and indifferent” (paid content).

To set up a new account in Win8, you have to move over to the Metro side of things. (If you try to set up a new account via the traditional Control Panel, it will eventually switch you over to a Metro-style window.) Press or tap the Windows key to bring up the Metro Start screen. Swipe from the right or hover your mouse in the upper-right corner (or press Windows key + C) to bring up the Charms bar. Click or tap the Settings icon at the bottom. Click or tap Change PC Settings. On the left side of the PC Settings window, choose Users and then click or tap Add a user. Follow the instructions, keeping my tips about using a Microsoft account in mind.

Finally, I always turn off automatic updates in Windows Updates. (For more on Windows 8 updating, see Susan Bradley’s special-edition Patch Watch in this issue.) If you’re setting up a computer for somebody who isn’t particularly interested in its care and feeding, by all means, turn on Windows Automatic Update. But if you’re attentive enough to read Patch Watch or follow my patching advice on AskWoody.com, you’re sophisticated enough to wait each month to see whether Microsoft messes up another round of Black, er, Patch Tuesday patches before installing them.

Here’s a quick how-to for taking automatic updating into your own hands. Pop up the Win-X menu and select Control Panel. Click or tap System and Security. Under Windows Update, click or tap Turn Automatic Updating On or Off. In the Important updates drop-down box, select Check for updates but let me choose whether to download and install them. Click OK.

Step 5: Install key (and free) software

I mentioned in Step 2 how you should go through my Windows 8 orientation article. Part of that article recommends that you install these common and useful apps:

VLC media player: Let it take over all supported audio and video files.

Foxit Reader: It’s a good Adobe Reader alternative, but I recommend it somewhat grudgingly because recent versions have also included all sorts of crapware in the installer. Be careful when you install it.

Picasa or IrfanView: Both are excellent for viewing pictures.

I recommend installing those programs because they’ll keep you on the traditional Windows desktop and away from the dark, ah, Metro side of the force.

No doubt you’ve seen the admonishment to “Get Your Google Back” (and I, for one, enjoy the way Google Chrome runs on Windows 8). To get the right version of Chrome, go to the Get Your Google Back site and click or tap on the link to Get Google Chrome. If you’re a Firefox fan, you’ll have to wait — Firefox’s Metro effort is still too buggy to recommend.

Finally, I always install and use Secunia Personal Software Inspector to keep me up to date on patches for all the programs on my Windows 8 machines. Fred Langa has a good overview of Secunia PSI in his July 26 Top Story.

Step 6: Put most-used apps on the Taskbar

In a new installation, the Windows 8 taskbar has two (count ’em, just two) icons — one for Internet Explorer and the other for File Explorer. If you’re going to minimize your trips to the Metro Start screen, your best strategy is to put all your frequently used programs on the taskbar, just as some of you do with Win7.

Don’t shoot me. I’m just the messenger. I know some Win7 users find it hard to organize icons on the taskbar and sometimes a bit confounding to match icon pictures to program names. (Granted, it’s easy to remember the dead cat is IrfanView.) You can make tiles for all your apps in the Win8 start screen, but it’s far more efficient to use the taskbar. (And I didn’t whine about the dearly departed Start menu even once, did I?)

There are two ways to pin a program — put an icon — on the taskbar. If you installed an app on the Desktop via IE, the app probably set up a shortcut on the desktop. Right-click its icon, and you can pick Pin to Start (which creates a Metro tile on the Metro Start screen) or Pin to Taskbar — or both.

You can also start on the Metro Start screen. Find the program you want, right-click (or tap and hold) on the program tile, and a new bar pops up at the bottom of the Start windows. Click Pin to Taskbar. Flip back over to the old-fashioned desktop and, sure enough, the icon appears on the Taskbar. (This does not work for Metro-native apps.)

After an icon is on the Taskbar, you can move it or otherwise manage it as you do in Windows 7.

Step 7: Set up a Windows networking Homegroup

Setting up (or joining) a Windows homegroup in Windows 8 is similar to doing so in Windows 7. If you have two or more Win7 and/or Win8 PCs on your network, it’s worth taking the time to connect them in a homegroup. It makes sharing files, printers, and media much, much simpler.

Windows 7 drew a distinction between home and work networks — a distinction that confused the living daylights out of most people who bumped into it. Windows 8 doesn’t bother. If you’re on a public network — in a coffee shop, for example — you tell Win8 and that’s it. But if you tell Win8 that you aren’t on a public network, then you’re automatically set up for a homegroup.

If you have to connect to a homegroup manually, the settings are over on the Metro side. Go to PC Settings (Charms bar/Settings/Change PC Settings), choose Homegroup, and Windows will step you through the rest.

Step 8: Get automatic daily backups working

If your computer has only one hard drive, buy an external USB drive that’s as big as the one inside the machine. When you first plug it in, you’ll see a toaster notification that asks whether you want to use the external hard drive as a backup drive. Tap or click on the notification, follow the instructions, and you’ll be generating nightly backups on the external drive in no time.

If you want to back up to a second drive on your computer or run backups to a network drive, pop up the Win-X menu and click Control Panel. Click or tap System and Security; then, under File History, click or tap Save backup copies of your files with File History. Locate a suitable backup drive, click or tap Turn On, and follow the instructions.

Your first File History backup could take a long time. But after the initial run, the daily backups won’t take much time at all.

One final note. Some people spend a lot of time fine-tuning their Metro Start screens. It’s relatively easy to drag and drop Start screen tiles and put them into groups. (To create a new group, drag a tile way over to the right.) You can then assign names to the groups: pinch the screen or click on the minus sign in the lower-right corner of the Start screen, and then right-click each group. I usually take a few minutes to set things up so that my most-often-used programs are on the left side of the Metro Start screen, making them easier to find. But they’re usually on my desktop taskbar anyway — I don’t use Metro tiles often.

If you follow the steps outlined in this article, you should be able to spend almost all of your time on the old-fashioned desktop, with very rare excursions over to the Metro Start screen. If that’s the way you plan to work with Windows 8, it doesn’t make much sense to spend a lot of time tweaking the Metro Start screen, eh?

Special Windows 8/RT Patch Watch edition

Windows 8 is hardly out the door, and it’s already having its share of patching problems — including some never seen on previous Windows platforms.

If you’re trying to sort through Windows 8 security, here are some tips that might save time and effort.

Initial changes while setting up Win8

Some of us might find a new Windows 8 system under the tree. Or you might be setting one up for someone you particularly like (and not really hate, according to Philip Greenspun’s take on Windows 8). In either case, there will be updates that need installing as soon as possible and tweaks that will better protect the new system.

It starts at the initial Windows 8 setup. Select the customize option and disable automatic updates. Especially during these early days, we want the ability to review updates before installing them. It also helps eliminate possible update conflicts and delays during the setup process.

What to do: During setup, select Don’t set up Windows Update (not recommended) (see Figure 1) and turn off Automatically get device drivers, apps, and info for new devices (see Figure 2). (Don’t worry; you’ll turn that second option back on, once the setup process is complete.)

Figure 1. During setup, disable Windows Update.

Figure 2. Turn off Automatically get device drivers, apps, and info for new devices.

Manually configure Windows Update your way

Regular Patch Watch readers will undoubtedly have seen my advice about Windows Update: select either Download updates but let me choose whether to install them or Check for updates but let me choose whether to download and install them.

So your first stop after installing Windows 8 (or running through the initial setup on a preinstalled copy) is to check that Windows Update is set to one of those two options. The easiest way to launch Windows Update in Win8 is to pop up the Windows + X (Win-X) menu, select Control Panel, and find Windows Update in the Small icons view. A somewhat more circuitous route is to open the charms menu, select Settings, and then start typing Windows Update. Click Windows Update in the results list; click See details; and then, at the bottom of the window, click Choose important updates to install ….

(Old habits die hard — I miss the Windows 7 Start menu. So I’ve installed Stardock’s Start8 utility (U.S. $4.99; site), which puts the familiar Start menu back into Win8.)

What to do: I prefer to select Download updates but let me choose whether to install them. Once you’ve picked your preferred option, go through the updates list and uncheck all updates.

Get all updates — not just Windows patches

To properly set up Windows 8, you need all available updates. Microsoft makes this unnecessarily confusing by providing updates via Windows Update — patches just for the OS — and Microsoft Update — patches for other Microsoft software, such as Office and SQL.

To flip over to MS Update, go to Windows Update, select Change settings, and then check the box next to Give me updates for other Microsoft products when I update Windows. (If you have Start8 installed, you can also select Control Panel/Windows Update. Scan for updates; when that’s complete, look for the option Get updates for other Microsoft products at the bottom of the window, as shown in Figure 3. Agree to the EULA [see Figure 4], and your system will default to Microsoft Update.)

Figure 3. Microsoft Update updates more than just Windows.

Figure 4. Click the Terms of Use box to get all MS software updates.

What to do: Download all software updates via Microsoft Update.

2771431

Install this patch before all others

New Windows 8 users have already reported problems with some updates. Installing KB 2771431 (a servicing-stack patch) before any other update should fix most of those issues — such as driver failures, update-installation failures, and high CPU usage while Windows Update is running. We’ve seen this last problem before, with Microsoft Update on Windows XP. In fact, if you have a Windows XP system with less than 1GB of memory, you are probably still seeing this problem.

KB 2771431 fixes issues with several cumulative updates, as reported in a Win8 forum. Without KB 2771431, for example, attempts to install KB 2756872 (a system-performance and reliability fix) fail. You might not, in fact, even see KB 2756872, KB 2770917, or KB 2779768 until KB 2771431 is installed.

What to do: Click the check box for KB 2771431 in Windows Update and install it before selecting any other updates. (It should not require a reboot.)

2756872, 2770917, 2779768

Applying Win8’s first (virtual) service pack

You’re now ready to install Windows 8 Service Pack 1. (Win8 SP1? She’s obviously had too much eggnog!) Three updates are, in my opinion, the equivalent of a service pack.

KB 2756872 improves application compatibility with Windows 8, increases battery life in portables, and fixes audio-playback issues. Note: According to the update’s Microsoft Support page, the update might not install if Kingsoft Internet Security is already on the system. The page also notes that some Win8 tiles and icons might disappear after the update is installed.

There’s still one other lingering issue with KB 2756872 that might not be fixed for several weeks, according to a post in a Microsoft Community thread. The update refuses to install on some OEM Windows 8 machines due to a hardware-driver licensing problem.

KB 2770917 improves performance when you wake the computer from sleep mode, and KB 2779768 is the cumulative update for December.

What to do: In Windows Update, check the install checkboxes for KB 2756872, KB 2770917, and KB 2779768, and click the Install button (restart required). If KB 275672 fails, you’ll have to wait for a fixed version.

2751352, 2768703, 2769165, 2772501, 2779562

Finishing up that virtual service pack

The next updates are more “fit and finish” fixes — which you would also typically find in a service pack. KB 2769165 ensures that Win8 systems are not affected by any update containing an incorrect code-signing certificate — an issue noted in Security Advisory KB 2749655.

KB 2751352 fixes a problem with the display of logos in Win8 tiles; KB 2768703 corrects errors with Win8 protected-content playback. KB 2772501 fixes a flaw which prevents the display of Favorites in Internet Explorer.

What to do: Install KB 2751352, KB 2768703, KB 2769165, KB 2772501 (another restart required). The only update I consider completely optional (unless you live in Bahía, the Azores, Fiji, or Jordan) is KB 2779562 — the December cumulative time-zone patch.

2769034, 2777294, 2779444, 2780541

Optional updates that aren’t so optional

If you don’t find the following updates in the Important section of Windows Update, look for them under the Optional tab, along with two Silverlight and Bing updates. During Win8 setup, you might not have chosen to display both optional and recommended updates in the same way.

The Silverlight-Bing updates are optional; these other four should be installed:

• KB 2769034 ensures that Windows’ Recovery Environment (if triggered) will actually work after a reboot.
• Under specific circumstances, Win8’s Program Compatibility Assistant displays an unexpected error when you attempt to install apps such as MediaShow, PaintShop Pro, WinDVD, and MoviePhotoMenu. KB 2777294 corrects that flaw.
• KB 2779444 adds support for camera-specific file formats to the Microsoft Camera Codec Pack.
• KB 2780541 fixes a keyboard layout/language problem that might occur if you use Win8’s Push Button Reset option. It might make it difficult to enter your password.

What to do: Install KB 2769034, KB 2777294, KB 2779444, and KB 2780541 — restart required.

Windows RT’s secretive firmware updates

Firmware updates are not uncommon with routers and other dedicated devices. They’re far less common with Windows systems. But in addition to the typical Windows patches listed above, Windows RT systems will also get firmware updates from time to time, as noted in an MS Surface support document.

In a Windows Community forum post, an ASUS Vivo Tab user reported a system lockup after installing a firmware upgrade. Unfortunately, there are few published details about what exactly is contained in RT firmware updates, as Paul Thurrott reports in a WinSuperSite.com blog post.

What to do: If you have an RT device, make sure you install firmware updates before your support window runs out. By their nature, firmware updates are usually critical.

Getting Windows Defender to automatically defend

Setting Windows 8 to download updates but not automatically install them has one drawback: you don’t get automatic updates to Windows Defender (Microsoft’s Win8 reincarnation of Microsoft Security Essentials [MSE]). As noted in a recent omnidirecttech blog post, you’ll find Defender updates awaiting your approval (unlike MSE, which updates itself silently and automatically, no matter what update process you’ve chosen in Windows Update). Defender respects your update settings — possibly to your detriment.

If you rely on Windows Defender and you’re not installing updates automatically, I strongly recommend following these omnidirecttech instructions for updating Defender definitions automatically.

• In Windows 8, use the search charm to find Windows Task Scheduler (in the Apps section).
• Right-click the heading Task Scheduler (Local) and select Create Task.
• In the Name box, enter an intuitive title such as Definition Update.
• Click the Change User or Group button and enter system. Click the Check Names box to ensure you have a valid object. This is a reserved, low-level account that allows certain functions such as updating to occur. Click OK and then check the box next to Run with highest privileges.
• Now click the Triggers tab and click the New button. In the New Trigger window, set up the event to run at least daily. When you’re done, click OK.
• In the Actions tab, click New and, in the Program/script box, type “C:Program FilesWindows DefenderMpCmdRun.exe” (include the quotation marks); click OK. Next, enter -SignatureUpdate -MMPC into the Add arguments (optional) box. (See Figure 5.)
  

  Figure 5. Enter program path and launch arguments as shown.

• Finally, in the Settings tab, change the default settings by checking the If the task fails … box and setting it to restart every 30 minutes. Set Stop the task if it runs longer than: to one hour. Click OK. Review your settings in the Task Scheduler Library.

Special Windows 8 problem-patch chart

This table provides a summary of the current Windows 8/RT patches.

Status recommendations: Skip — patch not needed; Hold — do not install until its problems are resolved; Wait — hold off temporarily while the patch is tested; Optional — not critical, use if wanted; Install — OK to apply.