The best of LangaList Plus from 2013

The best of LangaList Plus from 2013

Subscribers to the paid version of Windows Secrets are familiar with Fred Langa’s weekly LangaList Plus. This week, everyone can enjoy the best of the 2013 columns.

These Q & A sessions are for computer users of all levels. Many paid Windows Secrets readers save these articles for future troubleshooting reference.

It appears that the most popular stories were those about keeping Windows XP alive and those on coping with Windows 8. Computing security was another hot topic. That’s really no surprise. All three topics reflect the significant challenges to personal computing during 2013.

(Editor’s note: Some of the information in the following stories has been updated.)

No-reformat reinstalls for all Windows versions

A nondestructive Windows reinstall completely refreshes the operating system but retains your user accounts, data, passwords, and/or installed programs. This type of repair takes a fraction of the time required for a standard, full reinstall — and it’s much, much easier to do.

I’ve covered nondestructive reinstalls for previous versions of Windows in several earlier stories. See, for example, the July 14, 2011, Top Story, “Win7’s no-reformat, nondestructive reinstall.” The process for Vista is nearly identical. For Windows XP, check out the 2006 InformationWeek article, “XP’s no-reformat, nondestructive total-rebuild option.”

Reader William Searle wondered about this capability in Windows 8.

• “Is there a Win8 version of the ‘no-reformat, nondestructive reinstall?'”

Indeed there is, William. Microsoft made it easier than ever and built it right into the operating system; it’s nondestructive for your settings and user data and for native Win8 apps downloaded through the app store. (From-disc apps, however, might still have to be reinstalled the old-fashioned way.)

Here’s how to access the Win8 version of the reinstall process.

Open the Win8 Charms bar and click Settings (the gear icon). At the bottom of the Settings bar, click Change PC settings. On the PC Settings page, select General and then click the Get started button under Refresh your PC without affecting your files (as shown in Figure 1).

The next screen tells you exactly what the refresh will do. Read it carefully. For example, it notes that applications you installed from disc or the Web will be removed. (Apps downloaded from the Windows Store are retained.)

It’s taken a long time for this capability to become a standard item in Windows, but it’s great that it’s finally there!

More free security tools from Microsoft

Reader Kevin Hobbs suggests another free security tool from Microsoft that wasn’t included in the April 4 Top Story, “Microsoft’s six free desktop security tools.”

• “Fred Langa forgot one obvious security tool that prevents malware from getting onto your system — the Enhanced Mitigation Experience Toolkit (EMET). It works even with many zero-day threats.”

Thanks, Kevin. I agree that the Enhanced Mitigation Experience Toolkit is a worthy anti-malware app. When this story was originally published, EMET, the Microsoft Malware Prevention troubleshooter, and the MS Baseline Security Analyzer were not compatible with Windows 8, so I didn’t include them.

EMET 4.1 is now compatible with Win8. Windows Secrets covered it in Susan Bradley’s June 6, 2013, article, “Microsoft adds Windows 8 support to EMET.”

The Microsoft Malware Prevention troubleshooter (site) is a standalone fixit that checks whether various Windows settings (Policy, User Account Control, Proxy, etc.) are configured for maximum safety. If anything’s amiss, the troubleshooter can make changes for you automatically (Figure 2) — or let you make them manually.

However, try to run the Malware Prevention tool on Win8.1, and you get the error message shown in Figure 3.

Microsoft Baseline Security Analyzer Version 2.3 (site) reportedly supports Win8. It’s an installable utility originally intended for use by IT professionals to scan one or more PCs. (It can work across a network.) The analyzer, shown in Figure 4, checks about 24 different security-related system settings, ensuring they’re correctly configured. It checks, for example, that Windows Update is enabled, that all current Updates have been installed, that local system shares and passwords are correctly configured, and that macro security is enabled on installed MS Office products.

PC security after XP’s official end of life

On April 8, 2014, Microsoft officially drops support for its venerable operating system. John Foster is undoubtedly one of many Windows Secrets readers thinking through the ramifications of XP’s rapidly approaching end of life (EOL).

• “After reading all of the articles on XP’s EOL, I wonder how vulnerable XP will really be after next April.

  “If we keep our browsers up to date, are careful about the websites we visit, and have current anti-malware software running, will we be safe using XP?”

Sorry, no — even with all those precautions, XP still won’t be safe. Here’s why:

In Microsoft’s parlance, “end of life” means that the company will no longer write and issue security patches for XP. Many of those patches fix newly revealed vulnerabilities within the operating system itself. But after XP’s EOL, any unpatched security holes will go unfixed. (See Microsoft’s explanation; the April EOL also applies to Office 2003.)

You might think that all the major holes in XP have surely been found and patched by now! After all, XP’s been out for 12 years.

Sadly, that’s purely wishful thinking. As of September’s Patch Tuesday, Microsoft had released, just in 2013, more than 80 system-level patches and updates specifically for XP — plus dozens of additional patches for XP-related ancillary software such as Microsoft Security Essentials!

You can see for yourself. Open Windows Update on your XP system and click the Review your update history link (in the window’s left column, typically under Options). Note how many new patches there are — even 12 years into the game!

Despite extensive patching, XP is still far from perfect. Given its age and the number of XP systems still in use, the OS will remain an attractive target, possibly for years to come. In other words, when Microsoft stops writing patches for XP, it’ll be open season for hackers.

Using good third-party apps and tools such as fully current browsers and anti-malware software will help keep you safe — but only up to a point. They’ll do little or nothing to correct fundamental vulnerabilities in the base operating system.

There’s also declining third-party support for XP. Few mainstream software vendors will continue investing in a dying market — even if that market is still huge. Moreover, the quantity of tools designed for XP is in sharp decline, a trend that will only accelerate.

There’s no way to avoid the inevitable: after next April, XP will be far less safe than any of the more modern Windows versions. XP was truly great, but its day is done.

OK to run multiple always-on security tools?

A comment in the April 4 Top Story, “Microsoft’s six free desktop security tools,” prompted John to ask this question:

• “In the article, you say, ‘… a PC should run only one real-time, anti-malware/anti-spyware tool at a time.’

  “I have been using Microsoft Security Essentials (MSE) since you first recommended it. I also use Malwarebytes (paid version) and SUPERAntiSpyware.

  “Is it okay to have those three running together?”

Like MSE, Malwarebytes Pro (site; paid) provides real-time protection. But as a Malwarebytes Product Support Questions page states, the product should be used to supplement other full-time AV tools — it should coexist without conflicts. The free version of Malwarebytes will also run alongside other AV products, but it’s active only when you manually launch it.

SUPERAntiSpyware is a whole other thing. I know it’s hugely popular, and I recently test-drove it again on multiple versions of Windows for last week’s Top Story, “A dozen tools for removing almost any malware.” But for several reasons, I decided to omit the product from the article.

For one thing, parts of its nomenclature seemed misleading. For example, the “SUPERAntiSpyware Portable Scanner Personal Edition” doesn’t really fit the common definition of a portable app. It’s a renamed .exe file that must be installed and run like other common Windows programs. I quickly lose confidence in products that claim something (e.g., portability) they don’t have. (The SUPERAntiSpyware site suggests the app is “portable” because it has all the latest virus definitions when you download it. So you don’t need an active Internet connection to run it.)

SUPERAntiSpyware also didn’t uninstall cleanly. This is 2013! Surely any decent Windows-based app or utility ought to remove itself fully when you uninstall it.

I can’t speak to SUPERAntiSpyware’s effectiveness. The red flags mentioned above caused me to put it aside. The anti-malware product category has many great tools — some mentioned in last week’s Top Story. So why waste time on apps that seem to have obvious flaws and/or drawbacks?

That said, if the three AV tools you’re using appear to be working, then great! You’re probably well protected. (But I’m guessing that Microsoft Security Essentials and Malwarebytes are doing most of the heavy lifting.)

Bottom line: You can run a second full-time scanner (such as Malwarebytes Pro) if it’s specifically designed to work with other full-time scanners.

Using multiple layers of security — an update

Bob, a long-time reader, sent in this plea:

• “Over the years, you’ve commented on the use of multiple layers of security. But I often see news stories about computer crackers recovering data and emails from computers. Once, when I was sick, anyone could have entered my office and snooped for days.

  “What can I use to protect against snoops accessing my programs and data? Help!”

Good timing, Bob; I was thinking about this just the other day! It was back in the 1990s that I first recommended using multilayered defenses for PC security. I updated that advice in the early 2000s and again a few years later. It’s time to revisit the concept — and to update the advice.

Today, complete PC protection means guarding against two different types of attacks: remote and local. Let’s discuss each in turn.

Protecting your PC against outside threats: The vast majority of computer breaches now occur over the Internet. There are stories every day about hackers successfully compromising some company’s computers. But everyone using the Net should be concerned about remote attacks, most of which are launched by malware (a virus, worm, Trojan, etc.) delivered to PCs via malicious sites or emails.

Protection from these threats requires four primary layers of defense:

• Firewalls: No firewall is perfect, but a good one prevents external snoops from finding and accessing your PC via the Web. (See the March 11, 2010, LangaList Plus, “Let’s put your firewall to the test.”)

  The firewalls built into Win7 and Win8 are effective; I run them on my systems, using their default settings with no special tweaks. Both are, however, highly customizable and configurable, as described in the March 17, 2011, LangaList Plus, “Outbound blocking for Windows Firewall.”

  Vista’s built-in firewall is somewhat inferior to Win7’s, but it’s still adequate. Windows XP’s firewall is based on decade-old technology and is relatively weak — able to defeat only the most blatant kinds of external attacks. For that reason, I recommend using a third-party firewall with XP (and with Vista, too, if you need strong security). There are many good third-party firewalls — any Web search will turn up a dozen or more — but a favorite among Windows Secrets readers is Comodo (site; free and pro versions available).

• Always-on anti-malware apps: The better anti-malware tools constantly guard against the delivery and activation of malicious software, regardless of the attack vector — browser, email, infected document, or whatnot.

  You’ll find some anti-malware-tool comparisons in the Feb. 16, 2012, Top Story, “Is your free AV tool a ‘resource pig?'” I use the free Microsoft Security Essentials (MSE; site), but it’s not for everyone and there’s some debate over its effectiveness. (For more on this, look up the Dec. 20, 2012, LangaList Plus.)

• On-demand anti-malware scans: Because even the best firewall/anti-malware software defenses can fail, it’s good practice to verify that your system is infection-free by routinely running one or more standalone security tools — for example, ESET’s Online Scanner (site), Microsoft’s Safety Scanner (site), or Trend Micro’s HouseCall (site).
• Common sense: Malware doesn’t teleport itself into your PC; most Windows infections are allowed in when users are enticed or tricked into clicking phony links in websites or phishing email — or fall for a bogus “You’re infected!” popup. You can avoid all these infection vectors with a little care, common sense, and skepticism. For more on this, see the Dec. 20, 2012, LangaList Plus.

Protecting against local/physical theats: Obviously, stealing your data is easier if someone has direct access to your PC. They can, for example, download sensitive information to a thumbdrive by simply using your keyboard — or walk off with the entire system (or at least the hard drive)! And if they possess your PC, they can take all the time they need to methodically analyze and access your data. (If your office is not secure, consider buying cable locks for your systems.)

By the way, if your defenses against external attacks fail and the hacker installs remote-control malware, it’s effectively the same as if they’re sitting at your keyboard.

The best defenses against local attacks are these:

• User-account passwords: Windows’ user-account passwords don’t provide heavy-duty security, but they’re better than nothing. Your user password will at least foil casual snoops and nosy coworkers. Every version of Windows allows the use of sign-in passwords; use them — even at home.
• Hardware-level passwords: PCs often provide stronger, hardware-level password protection that’s independent of the operating system and managed typically with the PC’s BIOS or Unified Extensible Firmware Interface (UEFI) settings. This type of password protects the entire system (not just the OS) from unauthorized use by anyone who has physical access to your machine.

  Almost all PCs let you set a primary, hardware-level, system password. You’re asked for this password when your PC first powers on (or resumes after hibernation or deep-sleep mode) and before any OS loads — whether it’s installed on the hard drive or booted via external media. You must enter the correct password before the system lets the OS boot or resume. Not only will system-level passwords foil casual or hurried snoops, they can impede even professional data thieves.

  Some systems — especially portable PCs — also provide a secondary, hardware-level, power-on password for the hard drive(s). If a hacker gets past the primary password and boots the system from a floppy, CD, or USB drive, he still won’t be able to access data on the hard drive. When this password is handled by the hard drive itself, a thief is (in theory) locked out of the drive, even if it’s physically removed from your PC and placed into another system. This type of password is extremely difficult to bypass, even for pros.

  The simplest way to tell which hardware-level password options your PC supports is to explore its BIOS/UEFI settings. Reboot and watch the screen for a line of text that says something like Press <F2> to enter BIOS setup. (Instead of “F2,” it might say F1, DEL, ESC, F10, or some other key.) Press whatever key is indicated, and you’ll enter the system setup pages.

  Look for a page or tab labeled Security — or for something similar. Select it, and you should see options for setting a master Administrator or Supervisor password plus a separate User password. The Administrator or Supervisor password is more secure because it locks the entire PC (including BIOS access).

  If your system supports hard-drive locking, you’ll also see an option for setting passwords for the system’s hard drives — often referred to as HDD0, HDD1, and so on.

  Figure 5 shows a fairly typical system BIOS that lets you set Administrator/Supervisor or User passwords, set separate passwords for accessing either of two hard drives, and enable a “Password on boot” option, which prevents startup if an incorrect password is entered. Figure 6 shows a typical system-level, startup-password dialog box.

  

  Figure 5. Settings like these (circled in yellow) add hardware-level password protection to your PC and its hard drives.

  

  Figure 6. Once the BIOS-level password(s) is/are set, the correct password(s) must be entered into a power-on dialog box similar to this one — otherwise the PC won't boot, you can't enter the BIOS, and no software will run.

• Encryption: Scrambling all the data on your hard drive (or at least scrambling your most sensitive data) offers excellent protection against even the most determined, professional-level snoops, no matter how they access your system — via local access, remote hacking, or malware.

  On my systems, for example, I compress and scramble all my tax, financial, health-related, and similarly sensitive folders with the 256-bit Advanced Encryption Standard (AES) option built into the free 7-Zip tool (site). AES-256 is currently regarded as uncrackable — in any practical sense of the word. (For more on AES, see the related Wikipedia article.)

  I protect those encrypted folders with different, complex, non-obvious passwords. I don’t try to remember all the passwords myself. Instead, I safely store all my passwords (including those used by 7-Zip) in RoboForm (U.S. $9.95 the first year, $20 thereafter; site), which uses its own 256-bit AES encryption. I just have to remember only one long, complex password (my RoboForm master password); the utility remembers all the rest for me. It also automatically fills in saved passwords on demand.

  Thus, in the unlikely event someone stole my PC or its hard drive and managed to get past all the aforementioned security layers, they’d still have to crack my encryption to access my most personal, sensitive data.

  There are other tools besides 7-Zip and RoboForm, of course; those just happen to be the ones I use. Two popular — and free — alternatives are TrueCrypt (site) and KeePass Password Safe (site), but a Web search will turn up many others. For more information and alternatives, including whole-disk encryption options, see the section of the Sept. 13, 2012, Top Story, titled “SAFE, step one: Encrypting all sensitive data.”

  Some versions of Windows offer built-in file and folder encryption; others support Microsoft’s BitLocker whole-disk encryption. But there are limitations and problems with these, as explained in that same Sept. 13 Top Story — see the sections titled “Windows’ built-in encryption-tool limitations” and “Windows’ BitLocker offers whole-disk encryption.”

As safe as can reasonably be achieved: And there you have it: an up-to-date, highly secure, multilayered approach to PC security that will protect you against just about any form of attack, whether it’s remote or local, electronic or physical.

Bottom line: No single security strategy can protect you from today’s sophisticated threats. Safe computing requires the combined efforts of a firewall, always-on anti-malware, on-demand anti-malware scans, and some common sense in how you use your PC. A truly secure PC also requires multiple layers of passwords and data encryption. You have a lot of security options. Protecting your data is really up to you.

Are PC and router firewalls both necessary?

Reader Harry M. Ward is trying to sort out some firewall issues.

• “I’ve read your excellent Feb. 28 article, ‘Using multiple layers of security — an update.’ I’ve also read the March 11, 2010, LangaList Plus item, ‘Let’s put your firewall to the test.’

  “I just tested my router’s firewall, using the sites recommended in those stories. The tests that check the firewall’s ability to stop inbound connections found all of my ports ‘stealthed’ and invisible from the outside. But the firewall failed the leak tests — it doesn’t stop outbound connections. Should I be worried?

  “Also, I’ve been told I don’t need a PC-based firewall because all ports are stealthed by the router. Is that true? (I run XP Pro SP3 on one computer and Windows 7 Pro SP1 on another.)”

Good questions, Harry. Let me answer them in reverse order:

I believe every PC should have its own internal firewall, even if a router or other external device has an operating firewall. Often there’s no obvious indication that an external firewall is working. If it fails and leaves you unprotected, you’re none the wiser.

Windows, on the other hand, constantly checks for a working PC-based firewall. If that firewall fails or is turned off by accident, malware, or some other cause, Windows alerts you via a security message in the notification area.

Although this monitoring works with various user-installed, third-party firewalls, it works best with Windows’ own firewall. I recommend — and use — the firewalls included with Vista, Windows 7, and Windows 8. They’re efficient and free, they add minimal overhead to the PC’s operation, and they have a negligible impact on network speed.

XP’s firewall, on the other hand, is 13-year-old technology that’s relatively primitive by current standards. For XP users, I recommend a third-party product such as Comodo Firewall (site; free and commercial versions). A Web search will yield many alternative choices as well.

As for inbound/outbound blocking, I believe a firewall’s main purpose is guarding against inbound attacks — attempts by unauthorized persons to find and access your PC from some external location on the Internet or other connected network. These inbound attacks are a real and persistent threat.

I’m far less concerned about a firewall’s ability to monitor and block malicious outbound connections — for example, malware phoning home. If malware is trying to phone home, you’ve already lost the battle! Your PC is infected and might already be thoroughly compromised.

If you have strong defenses that prevent malware infections and your PC stays clean, outbound/phone-home protection is effectively irrelevant.

With that said, you are, of course, free to use outbound blocking. You can use a third-party firewall that provides outbound blocking, or you can enable it in Windows’ built-in firewall. The March 17, 2011, LangaList Plus article, “Outbound blocking for Windows Firewall,” provides a description of tools and techniques.

Here’s an update to that article. The recommended Sphinx Software tool, Firewall Control, now comes in various free and commercial versions (with, of course, differing capabilities) and supports all versions of Windows from XP through Win8. See the Sphinx Software site for more information.

Bottom line: I definitely recommend using a PC-based firewall; don’t worry about outbound blocking.

Secure Internet use in public places

Gerald Gibson wondered about wireless security when on the road.

• “When I travel, I like to use the wireless Internet available at hotels and motels. However, I use unsecured public connections only for general research — not for personal banking or credit-card accounts.

  “What software can I use, or connection can I make, to securely check my accounts?”

Gerald, a virtual private network (VPN) will improve online security on public nets. A VPN connection uses a form of encryption to establish a secure, private channel between your PC and a VPN provider’s server. That private channel is often metaphorically referred to as a VPN tunnel because data passes directly and securely (via dedicated connections and/or encryption) through any and all intervening networks, even if they’re public and insecure. (For more, see Wikipedia’s VPN article.)

A VPN-tunnel provider becomes a trusted man in the middle for private connections to sensitive sites such as that of a bank or credit-card company.

To set up a secure VPN connection, start by establishing an encrypted link to a VPN server, usually using software supplied by a reputable VPN provider. This private connection is separate from any other connections you might have with the local Wi-Fi/Internet provider (ISP). This makes your VPN communication quite reasonably secure from any local snoops on the public (hotel, motel, cafe, etc.) network.

At the VPN-server end, your data is decrypted and passed along to its intended destination — such as your bank’s site. This leg of the connection is no more — or less — secure than, say, the connection from your home ISP to the bank. But it’s well beyond the reach of any snoops on a public net.

There’s an added benefit to using a VPN connection: your retransmitted data packets arrive at their destinations carrying the VPN provider’s IP addresses and localization data rather than yours. This means the site you’re communicating with won’t know your actual, originating IP address, location, or other identifying information — unless you specifically reveal it. Thus a VPN tunnel can be useful if you want to surf or visit sites anonymously.

The only catch to using VPN is that you have to trust your VPN provider. As the man in the middle, the provider knows who you are and where you are. An unscrupulous VPN provider could easily snoop your decrypted data. So it’s important to use only reputable companies.

The various free VPN providers are fine for lightweight, anonymous surfing. But for sensitive communications, where a security breach could have serious repercussions, it’s best to use an established commercial VPN provider with a good reputation. There are many to choose from, but here are a few to get you started:

• openvpn.net: 100MB of free data transfer, with commercial accounts available for larger data volumes.
• VPNReactor: free use for up to 30 minutes at a time, with paid accounts for unlimited use.
• VPN Master: unlimited data transfer for U.S. $3.95 a month and up.

A Web search will show you many more VPN providers. But take your time and choose carefully!

Up against the 2TB drive-size ceiling

Reader Jeff Jones ran into a major snag when he tried to use his huge, new hard drive. That led in turn to several questions:

• “I bought a new 4TB Seagate drive but then couldn’t do a Windows image or backup on it. Seagate support told me to download their DiscWizard tool and use that. The tech said all computers are outdated and Intel needs to produce a new chip to address all [new] hard drives. What is your take on this? I have a Windows 7 Home Edition PC.

  “I’m a little scared to use DiscWizard or do anything that might change the system files, because I don’t have any backups and I’m currently using 213GB of my PC’s 500GB main drive. Searching Google was no help.

  “Also, once I can make backups, how much space will I need for them? I presume the image of my 500GB main drive would be around 500GB.

  “Finally, if I store my wife’s backups on the same external drive as my backups, is there a risk of a computer looking at the wrong files to restore?”

Those are all good questions, Jeff! Let me take them one by one:

Drive size: You’ve run into the key limitation of the Master Boot Record format currently used on almost all PCs. The MBR partition table has a 32-bit limit that caps partitions at 2.2TB. (The problem is analogous to the system-memory limitation in 32-bit systems.) If you want to format your 4TB drive using MBR, you need to split it into two 2TB partitions.

However, there are two alternatives that will allow use of all 4TB in one partition. The first (and best) method is GPT, which is designed to handle really large hard drives.

(The name GPT is actually a multilevel acronym: GPT means GUID Partition Table [Wikipedia entry]. But GUID is itself an acronym meaning Globally Unique IDentifier [Wikipedia entry]. So GPT in full is the Globally Unique Identifier Partition Table.)

GPT uses 64-bit addressing, which lets it handle drives up to nearly 10 zettabytes (ZB). (Zetta- indicates a one followed by 21 zeros! For comparison, a terabyte is designated by one followed by 12 zeros.) It’ll be a long, long time before we outgrow GPT.

The new format also lets you create more than four primary partitions on the same drive, bypassing another major MBR limitation. On PCs, full GPT support requires 64-bit Windows (Vista or later) and a UEFI (Universal Extensible Firmware Interface) BIOS. For more on UEFI, see Woody Leonhard’s Jan. 19, 2012, Top Story, “Say goodbye to BIOS — and hello to UEFI!”

The second method applies to systems with traditional BIOS and/or 32-bit Windows installed. These systems can work with partitions larger than 2TB, but to do so they need intermediary software (such as Seagate’s DiscWizard) to handle the necessary addressing conversions.

Here are additional resources and information on GPT and its issues:

• Windows and GPT FAQ: Microsoft Developer Network (MSDN) article
• Using GPT drives: MSDN article
• Beyond 2TB: Seagate support information
• Seagate DiscWizard tool: A site with a free download, user guides, and more

Backup size: Backups and images are almost always compressed to some degree, so they’re almost always smaller than the original (uncompressed) data size.

However, compression varies widely; document files, for example, typically compress by about half and .exe files by about 30 percent. Files formatted as .mp3, .jpg, .mpeg, and .zip are already compressed and won’t compress much more. On the other hand, empty space on a drive compresses almost 100 percent. So the final size of your image or backup will depend on the mix of file types you have.

If you’re currently using 213GB of a 500GB drive, I’d guesstimate an image file would be in the vicinity of 170–200 GB.

Accurate restores: The final issue you raise — the risk of restoring files from the wrong backup set — can be easily avoided by setting up separate backup folders for each PC. When you create a new image or backup set, double-check the save to location settings. That will ensure the files are written where you want them to go — and are not mixed in with another PC’s backups. If you have to do a restore, likewise verify that you’re restoring from the correct backup folder before you let the restore run.

Bottom line: Set up your 4TB drive using GPT, if you can. If you can’t, you’ll have to use a tool such as DiscWizard. Once Windows can see and access all of your enormous drive, you should be able to make your backups and images normally!

Finding and using Win8’s crash reports

Windows Secrets reader Jon wants help resolving a series of all-too-frequent crashes in Win8.

• “Since installing Win8, I get a crash every few days. How can I find the crash reports and figure out what’s wrong?”

Jon, I suggest you first try Win8’s Refresh your PC without affecting your files option. (See the Aug. 15 Top Story, “A ‘no-reformat reinstall’ for Windows 8.”) The Refresh option is specifically designed to get Win8 back to a known-good state. Then, as you restore or reinstall your add-on programs one by one, you should find the program that’s triggering the problem.

But to answer your specific question: Win8 usually stores its crash data here:

C:\Memory.dmp

Some types of crashes also generate user-level data files here:

C:\Users\[username]\AppData\Local\CrashDumps

But interpreting the information in a crash-dump file isn’t fun or easy — you might have to install some extra software to help analyze what’s going on.

There’s lots of deep-geek information available online at MSDN, if you want it:

• Crash dump analysis
• Analyzing crash reports
• Collecting user-mode dumps

Microsoft also offers some developer-level tools to help interpret the information in crash dumps. For example, the MSDN page, “Download and install debugging tools for Windows,” contains many links to free and paid tools.

You can also try the DaRT Crash Analyzer Wizard (TechNet info) if you’re a paid subscriber of Microsoft’s Software Assurance, MSDN, or TechNet.

But with luck, you won’t need any of that — a simple refresh will get you going again, fast!

Working with user accounts in Windows 8x

Reader Jim March ran into trouble when trying to change his Win8 user accounts from administrator to standard — and back.

• “I just finished reading Susan Bradley’s [Nov. 7] Top Story on how to get Win8.1 installed with a local account. It was great!

  “Having just struggled with most of the issues she raised, I noted one more issue not mentioned. It appears that Win8.1’s Control Panel no longer lets you set a user to either administrator or standard privileges.

  In fact, if one uses a Microsoft account for the Win8.1 installation and then creates a local account, the first account is automatically set to administrator and the second account is set as standard. I could find no method to change their status.”

There are several ways to change account types in both Win8.0 and 8.1 — but there also are a few gotchas.

For example, Win8x tries to ensure there’s always at least one admin account available. This makes perfect sense — someone has to be in charge! So if there’s only one admin-level account on your PC, Win8x normally won’t let you downgrade that account to Standard until you’ve created another, separate, administrator-level account.

That said, here are three different ways to change account types in both Win8.0 and 8.1. In all cases, you should be in an administrator’s account to make the changes.

The Control Panel method is my preferred way of changing account types. It’s easy and straightforward.

• Via the Windows key + X (Win-X) menu, open the Control Panel and click User Accounts and Family Safety/User Accounts.
• In the User Accounts dialog box, note the section labeled Make changes to your user account, shown in Figure 7.
  

  Figure 7. The Control Panel's User Accounts window lets administrators modify their own accounts or others' accounts.

• If you wish to change your own account type, simply click Change your account type.
• If you wish to change a different account, click Manage another account. In the next dialog box, select the account you wish to change; then select Change the account type.
• Use the radio buttons to select the account type — Administrator or Standard. (Caution: Before changing an account from administrator to standard, make sure there’s at least one other administrator account on the system.) When you’ve made your choice, click Change account type at the bottom of the dialog box.
• Exit the Control Panel.

The netplwiz User Accounts method is a little more complex, but it offers more options:

• Open Windows’ Run dialog box, either by opening the Win-X menu and selecting Run or by pressing Windows key + R.
• Type netplwiz in the text-entry box and then click OK. A User Accounts dialog box will open.
• Select the account that you want to change and click the Properties button.
• In the Properties dialog, select the Group membership tab.
• Set the account to whatever type you wish: Administrator, Standard, or Other. Selecting Other opens a new list of available options (if any) for the selected account. Again, before downgrading any account from administrator, be certain you’ll leave at least one admin account on the system.
• When you’re done, click OK and exit User Accounts.

The Metro-based PC Settings method is the one I don’t recommend. It introduces another variable — local account vs. Microsoft account — that can needlessly complicate the process. For that reason, I won’t go into its details here. But if you want more information, open Win8’s Help and Support dialog box and enter the search phrase Standard accounts versus administrator accounts.

One of these methods surely will let you accomplish your goals!

Win7’s XP Mode virtual disk can grow huge

Windows 7’s XP Mode is great! It’s a free, virtual-machine setup from Microsoft that comes with its own fully licensed copy of XP Pro SP3 inside. (See the Sept. 22, 2011, Top Story, “Using Windows 7’s XP Mode — step by step.”)

Like many readers, James Dejean uses XP Mode to run some ancient software on his current Win7 PC.

But, as he discovered, XP Mode’s virtual hard drive can become exceedingly bloated.

• “I still need to run an old copy of MS Works, installed in XP Mode on my Win7 PC. It runs fine, but I have a concern.

  “The baseline, parent virtual hard disk (.vhd), located in \Program Files\Windows XP Mode, is just 1.1GB in size. But the differencing virtual hard disk, in \Users\James\AppData\Local\Microsoft\Windows Virtual PC\Virtual Machines, has grown to almost 30GB — and shows no signs of stopping.

  “Moreover, that second .vhd also exists in 27 unmovable fragments, scattered throughout a 120GB partition. I suppose those fragments contain the necessary programs and data. Defragmentation has no effect [on reducing the size of the virtual hard-disk file].

  “I read a Microsoft TechNet article about compacting dynamically expanding virtual hard disks. It advises defragmenting and using a non-Microsoft utility to ‘zero-out’ deleted data. I’ve not attempted doing so; I’ve trepidation about screwing up.”

  “How can I reduce the size of the 30GB file?”

James, the problem isn’t so much XP Mode’s use of a dynamically expanding virtual disk (one with no fixed size) but rather, as you noted, that it’s based on a differencing virtual disk.

A differencing disk uses a baseline virtual drive as a starting point but then keeps track of the changes you make as you use the virtual system. The original, baseline virtual drive is left unchanged; all changes — differences — between the untouched baseline system and the in-use system are written to the second differencing disk.

Unfortunately, the accumulating changes to the system eventually occupy a lot of space, as you discovered.

That drawback is offset by a potentially major benefit: a differencing disk may let you roll back changes. Think of it as an elaborate, disk-level undo. Because you always have the unaltered, original baseline disk, you can — in theory — roll all the way back to the original setup when you need to.

Again, in theory. Not all virtual PC setups have that roll-back capability. XP Mode, for example, is a limited, special-purpose kind of virtual PC. Although it uses a differencing disk, it doesn’t have a full roll-back option. In other words, XP Mode retains a differencing disk’s primary drawback — ever-increasing disk size — without providing the offsetting benefit of easy roll-backs.

But you’re not stuck; there are ways to control the size of XP Mode’s differencing disk.

The official method is called compacting, and it’s described in the TechNet article, “Modify a virtual hard disk.” The same instructions are accessible from inside XP Mode as well. Click Tool/Settings, select Hard Disk 1, and then click the link for More about creating and modifying virtual hard disks.

There are, however, two problems with the official method. First, I find it less reliable and more difficult than the instructions suggest. I’ve had hit-or-miss results — sometimes with permanent, fatal errors that ruin the XP Mode setup.

Second, the official method doesn’t tell you to make a backup first. Major disk operations of any sort — on real or virtual hard drives — always entail some risk. It only makes sense to preserve your files and data, either by making a full backup or, at the least, by exporting your data. Save the backup files or exported data to a safe location that’s not part of the current XP Mode setup — e.g., on your main hard drive, on an external drive, or on DVDs/CDs.

That said, I believe there is a better, simpler, safer solution for managing your XP Mode virtual drive. Export your MS Works and similar data to a safe place and then remove your current, messy XP Mode setup. Wipe it out completely!

There’s just one speed bump you’ll have to traverse: XP Mode doesn’t uninstall via the normal, Control Panel method. Instead, you must use the removal method described in the TechNet article, “Remove Windows XP Mode, virtual machines, or Windows Virtual PC.”

Once XP Mode and its virtual hard drive(s) are completely gone, you then can defragment your system in the usual way.

Finally, download and install a fresh copy of Win7’s XP Mode (free; site). Once your new XP mode setup is installed and running normally, reinstall Works (and any other applications you wish) and then import the related data from wherever you saved it.

You now have a lean, clean XP Mode setup, with the smallest-possible differencing hard disk.

Eventually, if the differencing disk gets overgrown again, simply repeat the process and start anew!

Note: There’s another option you should consider. Instead of using XP Mode’s limited, special-purpose virtual PC, use a full-blown, third-party virtual-PC setup such as Oracle’s free VirtualBox (site). You’ll have to provide your own, licensed copy of XP (or whatever operating system you wish). But you’ll have full control over your entire virtual environment. That will make it easier to manage disk type and size — and all other variables.

See the next item below for more information on using a third-party virtual machine. (That item focuses on Win8, but the information generally pertains to earlier Windows versions as well.)

Of course, if you don’t have your own, legit, copy of XP on hand, XP Mode is your go-to option; again, it comes with a licensed copy of XP Pro SP3 built in.

If you stick with XP Mode, use either the official compacting method or my export-reinstall-import method — you can then enjoy XP Mode’s benefits without having it consume an undue amount of your hard drive!

Running Windows XP–era software in Win8

Amanthia Merchant needs to use some old, XP-era software on her new Win8 PC.

• “Hi! Can Windows XP be installed on a Windows 8 PC system? I have course software that’s made for Windows XP, and I’d like to know if I can do the work on my Win8 system?”

If you’re thinking about a dual-boot configuration with XP and Win8, I don’t recommend it. Win8’s Secure Boot and the EUFI BIOS in most newer PCs make dual-booting far more complicated than with earlier versions of Windows. (See the Oct. 3 LangaList Plus, “The pitfalls of Windows 8’s Secure Boot.”)

There are better, less complex, and far easier ways to get XP-era software running in Win8.

Windows Compatibility Mode: Win8 has a capable, built-in feature that might get many older programs running, automatically. Compatibility Mode provides whatever type and level of system services an older program expects to see. It can actually trick an older program into thinking it’s running on the Windows version it was designed for!

Compatibility Mode is easy to use — just try installing your XP-era software in the normal way. If that doesn’t work, manually invoke Win8’s Program Compatibility Assistant: Right-click the old software’s icon, select Troubleshoot compatibility, and then follow the on-screen instructions.

And if that doesn’t work, you can further explore Compatibility Mode using the instructions on the Microsoft support page, “Make older programs compatible with this version of Windows.” (That page is specifically for Win8.1, but the same basic steps also apply to 8.0.)

A virtual machine: If Compatibility Mode proves futile, the next option is to install a third-party virtual machine.

I recommend and regularly use Oracle’s VirtualBox (site). It’s free — but as with all third-party virtual machine software, you have to provide your own legitimate copy of whatever operating system you wish to install inside it. VirtualBox currently runs roughly 50 different operating systems (see list), including XP.

Here’s how it would work for you, Amanthia. Download and install VirtualBox (or the virtual machine software of your choice) on your Win8 PC. Next, install your copy of XP inside the virtual machine. Finally, install your old software in the virtualized XP setup. (For more on setting up VirtualBox, see the March 14, 2012, Top Story, “Step by step: How to safely test-drive Win8.” It was focused on setting up a Windows 8 virtual machine — but the steps are similar, and it’ll get you started.)

An application installed on the XP virtual machine doesn’t see the Win8 host system — the app thinks it’s installed on a totally normal, standalone, XP PC. But the XP virtual machine can access and use the Win8 PC’s hardware (keyboard, mouse, display, printer, etc.), networking connections (drives and other systems on the Net plus the Internet), and so on.

It works great! (See Figure 8.)

So, Amanthia, you have multiple options for getting old, XP-era software running on Win8. Try the automatic or manual Compatibility Modes first; if those fail, use a virtual machine.

The virtual machine option almost always works; it can get even some of the oldest, funkiest software running on today’s newest PCs and operating systems!

Automatic one-man band is a collectable

The adage about beauty being in the eye — or ear — of the beholder certainly applies to musical instruments as fully as it might to any other object. As it happens, the oddity featured in this video belongs to a category of invention both cherished and reviled since the 19th century, when a lot of them appeared. It’s much more than a player piano. With a little help from an enthusiastic operator, it can make a lot of noise — um, music. See the video

When a hacker might look like a helper

Lounge member rgrosz was troubled by an email notifying him that his new gmail.com address had been created. He reported the event in the Security & Scams forum.

He also mentioned that it included a link to disallow the new address, which he had clicked. Forum members reacted.

The following links are this week’s most interesting Lounge threads, including several new questions for which you might have answers:

Office Applications
General Productivity	Office 2013 Click-to-Run
Word Processing	Help with MS Word Catalogue/Directory mail merge tutorial
Spreadsheets	Need assistance with conditional formatting
Databases	Tie Access to online shop?
Presentation Apps	Install font in PowerPoint 2010
Visual Basic for Apps	Mandatory entry in column, if other column values less than 24
Microsoft Outlook	Archive folder location
Non-Outlook E-mail	Thunderbird messages too small
Other MS Apps	SkyDrive and changes in PDFs
Windows
General Windows	Moving data from XP PC to Win7 HomePro system
Windows 8	Win8.1 slow to close down
Windows 7	Post SP1 update: Folders/app data/files not showing
Windows Vista	Windows Vista update question
Windows XP	Two different XP VMs: Difficult to update
Windows Servers	Installing Windows Server in preparation for SQL Server
Internet/Connectivity
Internet Explorer	Green check marks next to results from Google search
Third-Party Browsers	Browsers don’t open
Application Servers	Password property for field in SharePoint list
Networking	Increasing wireless range
Social Media	Controlling Facebook newsfeed?
Software Development
Windows Programming	Stumped by PowerShell Arrays
Web Design & Development	Website user group
Other Technologies
Non-Microsoft OSes	Cheapest Android device useful for experimentation?
Security & Scams	Gmail hacked?
Maintenance	USB drive isolation
Hardware	Laptop boots only when CMOS battery removed/replaced
Graphics/Multimedia	FastStone viewer won’t retain view setting
Other Applications	Program still on computer after uninstall

starred posts: particularly useful

If you’re not already a Lounge member, use the quick registration form to sign up for free. The ability to post comments and take advantage of other Lounge features is available only to registered members.

If you’re already registered, you can jump right in to today’s discussions in the Lounge.

Why and how to use an open-source password manager

You know you need a password manager. But did you know that one of the top managers is a free, open-source application?

Here’s why I think KeePass is the best solution for protecting your passwords — and for safely accessing the Web.

Password Managers 101: If you’re a regular Windows Secrets reader, you undoubtedly know that password managers are an indispensable tool for keeping and managing strong passwords. Password managers store passwords in a virtual safe or vault (actually, an encrypted database). When you sign in to a website or secure program, the manager enters the correct username and password for that particular site or app. That lets you give each site/app its own unique, impossible-to-guess password — an essential practice for PC security. You have to remember only one password: the master key to the password manager. (Obviously, that’s the one password you never want to forget!)

Many great password managers are offered, both paid and free. In his Nov. 14, 2013, article, “More good questions on password management,” Fred Langa nicely explained how password managers work. And in a related Top Story, he also noted that his preferred password manager is the paid RoboForm — in part because it’s what he’s used for years.

I’m going to tell you why I use the current KeePass 2.24 (site), which on its download page is called KeePass Professional. (Note that the program itself doesn’t use the Pro label.) I’ll also give some advice on the best ways to use it.

One reason I prefer KeePass is that it’s free! That’s nice, but it’s not the primary reason you should seriously consider this tool.

More options for securing your password manager

As stated above, the whole point of a password manager is to let you use strong passwords without the need to remember each and every one. But of course there’s one you must never forget — the password to your password manager. That one master password needs to be both strong and easy to remember. It’s the one you should consider carefully before implementing.

Most password managers give you only one master password option. KeePass gives you three: a password, a key file, and/or your Windows user account. You can use any of them individually or in combination (see Figure 1). If you use, for instance, a password plus a key file, you’ll have to provide both to open your password safe. (See a KeePass support article for more information on this capability.)

A password is the least convenient option; it must be entered every time you open the program. But the two other options have their own problems. For example, if you make the slightest change to your key file (which can be any file, including an image), you lose all KeePass-stored passwords. If you choose your Windows user account, anyone who can log onto your computer can easily access your password safe.

So I still prefer using a password. If you pick a strong, difficult-to-guess password, it’s secure enough for all practical purposes. Again, a good KeePass master password requires two potentially conflicting traits: it has to be strong, and it has to be something you can remember.

Strong passwords need to be long and include numbers, punctuation, and uppercase/lowercase letters. They should not include words found in dictionaries. (Brute-force attacks often try words found in dictionaries.) The best password looks like random gobbledygook. But because you have to remember it, it still has to make sense to you.

Keep in mind that the master password is the key to all your other passwords. Forget it, and you’ve potentially lost them all. (Unlike websites, good password managers don’t have a master password–recovery option.) Start with some phrase that’s memorable only to you. Then turn it around, find a strange pattern within it, switch letters to numbers where possible. In other words, make it look meaningless to anyone else. For instance, I took my …; no, I’m not going to tell you.

When you have something you think is safe, run it through a password checker such as How Secure Is My Password? (site) or How Big is Your Haystack (site).

Why an open-source password manager?

As noted above, KeePass is an open-source application. The code is available for all to read — or at least those with the technical know-how to read it. As a general rule, open-source security programs are safer than those whose codes are closed to everyone but a few company employees.

Yes, that does seem counterintuitive. If anyone can see how the program is built, then hackers can find flaws and crack it — just as the Rebel Alliance did with the Death Star in the Star Wars movie, “Episode IV — A New Hope.”

But consider this. If the Galactic Empire had openly published the Death Star plans, someone more sympathetic to the Dark Side would have found the flaw, and it would have been fixed before the Alliance exploited it — and Darth Vader would have lived happily ever after.

Back to reality. Suppose a password manager has a flaw that would let hackers crack the app’s encryption, or there’s an intentional back door. Sooner or later, the weakness will be exploited — potentially giving a hacker, a disgruntled former employee, or the NSA access to all stored passwords. It’s a good bet that this person won’t have your best interests in mind.

With open-source software, there can be many programmers looking through the code. And many of those programmers want to make the app better and safer. Any vulnerabilities — or back doors — in an open-source application don’t go unnoticed for long. They’re quickly reported and just as quickly fixed.

One more advantage of open-source software: Developers can incorporate components of an open-source app into other apps and environments. For example, I discussed a KeePass-compatible, Windows 8 app in the Oct. 24, 2013, article, “Three good Windows 8 apps — and two lousy ones.” You’ll find plenty of KeePass-compatible options for Android and iOS as well.

KeePass isn’t the only free, open-source password manager. I used Password Safe (site) for years but recently switched to KeePass because I prefer its user interface.

Saving and using passwords in KeePass

With KeePass installed, your first step will be to set up your master password. You can use File/Save As to create multiple password databases. Adding new website accounts to a KeePass password vault is relatively simple. Start by opening KeePass and placing it next to your browser window.

Next, select an appropriate KeePass group (eMail, Homebanking, Retail, and so on) from the left panel (see Figure 2). To create a new group, click the top entry in the left pane (which will probably have the same name as your KeePass database) and then select Edit/Add Group. Note: If you select a group and then create another one, you get a subgroup — it’s one of the features that sold me on KeePass.

When you’re in the right group, press Ctrl + I to create a new entry. Each entry contains fields for your sign-in name, password, and other information about the account. If you prefer using your mouse, click the Add Entry icon on the toolbar (see Figure 3).

Most of the fields in the Add Entry dialog box are self-explanatory. I trust you can figure out the meaning of “User name” and “URL.” But I will say something more about generating passwords.

You can, of course, simply make up a password. But you’ll get a better, harder-to-break password if you let KeePass generate it for you. The “Generate a password” icon is to the right of the Repeat field. The quickest options include 40-Bit, 128-Bit, and 256-Bit Hex Keys (see Figure 4), which produce random alphanumeric passwords of 10, 32, and 64 characters, respectively. But because Hex Keys contain only numbers and lowercase letters, they’re not as strong as they could be.

Instead, select Open Password Generator. In this dialog box, you can add uppercase letters and various forms of punctuation (see Figure 5). On the Advanced tab, you can even avoid look-alike characters (“Is that a zero or a capital O?”), although this can reduce security a bit.

When you’ve got a configuration you like, click the Save icon to record your new website entry. Thereafter, you can pick the appropriate entry from a drop-down menu in KeePass.

Signing in to a site with KeePass

When you want to use KeePass to sign in to a website, click the appropriate group and select the site’s name. Next, either click the Open URL icon in the toolbar (the green circle; see Figure 6) or press Ctrl + U. The site will open in your browser.

If you’ve visited the site before, chances are that your username will already be in the appropriate field on the sign-in page. If not, press Ctrl + B to copy your username to the clipboard; then go back to your browser and paste it into the appropriate field. Or double-click the site’s KeePass entry’s User Name field (see Figure 7). A third option: Click the User Name icon on the toolbar (it’s the one wearing a tie). KeePass clears your sign-in info from the clipboard after about 30 seconds.

The options for copying the password to the clipboard are similar. You can press Ctrl + C, double-click the password column, or right-click the Copy Password icon on the toolbar.

There’s an easier sign-in process that works on most sites. KeePass’s Perform Autotype tool lets you copy and paste the name and password together. Select the correct entry in KeePass, click the site’s name or email-address field in your browser, and then click the KeePass Perform Autotype icon. Or press Ctrl + V. This inserts your username and then moves to the next field — almost certainly Password — and pastes in your password.

Once you get the hang of it, KeePass makes a simple and effective way to keep your passwords both handy and secure. In an upcoming story, I’ll discuss add-on apps that make KeePass even handier.

Reaching into your desktop system remotely

Sooner or later, people who work outside the office discover that some critical document or bit of data was left back on the desktop.

Cloud storage can help solve that problem, but remote-access apps/services connect mobile devices directly to a remote PC.

Remote control versus cloud services

Many PC users might think that cloud services have made remote-desktop access and control apps obsolete. But the two technologies are, in fact, complementary tools. Cloud storage, for example, makes it easy to sync data between your mobile and desktop computers, share files with others, and have off-site data backup to boot.

Remote-access apps let you tap directly into your desktop — or the desktop of anyone who gives permission — from a remote location. In my case, I often need to make a minor, but immediate, update to one of the websites I host. I can do so, whether I’m in my office or out on the road. Remote-access apps let me make those changes without stuffing Adobe Dreamweaver on my laptop or filling up my cloud-storage accounts with every file for multiple websites.

Microsoft included its Remote Desktop Connection app (RDC; more info) with most business versions of Windows. For example, it comes with Professional, Ultimate, and Enterprise editions of Windows 7 plus Windows 8.1 Pro. A Microsoft download page provides a version for many earlier versions of Windows.

RDC is free, but it has some significant limitations. For example, you need to be on the same local network as the host computer (the machine you’re connecting to remotely), or the host computer must have a static IP address. Many businesses have static IPs, but most individuals connecting to the Web from home or a small business get dynamic IP addresses from their ISPs.

With a dynamic IP service, the IP address an ISP assigns to your router changes over time. If you’re trying to make a connection to the host system over the Internet, Remote Desktop doesn’t know where to go.

Most ISPs will provide their customers static IP addresses, but that typically means subscribing to a more expensive service or paying an additional charge.

Connecting through a DNS-managment servive

Another option is to use a DNS-management service, such as Dyn’s Remote Access (more info). A DNS-management service creates a hostname for your computer and links it to the computer’s current IP address. The service also installs software on your computer that automatically updates the hostname’s IP address as your dynamic IP address changes. A basic Dyn subscription costs U.S. $25 per year.

Another DNS-management service — No-IP (site) — offers a free version, but the hostnames expire every 30 days. So if you haven’t remembered to update, you won’t be able to reach your desktop. The paid version — Enhanced DNS — lets you specify persistent hostnames for just $14.95 per year.

DNS-management services are typically less expensive than leasing a static IP from an ISP, but they, too, have their limitations. For example, configuring routers and firewalls so that the local IP-address-monitoring applet communicates back to the DNS-management service can be a challenge.

If you don’t want to jump through configuration hoops, and you want a no-cost or low-cost way to reach your desktop, the easiest solution is a browser-based, remote-access service. The three leading options are LogMeIn, TeamViewer (site), and a relative newcomer — Chrome Remote Desktop (more info).

LogMeIn’s free version has fewer features than the paid product, and you might get nag messages to upgrade. TeamViewer states that its free edition is limited to personal use. Google’s product is a free Chrome add-on.

In this article, I’ll take you through LogMeIn. In the next installment, I’ll cover TeamViewer and Chrome Remote Desktop.

Quick and simple access to Windows systems

LogMeIn (site) proved easy to use right from the start. It was exceptionally simple to install and configure on the host system. No installation is needed on remote devices — everything is handled through a browser. (Again, the host system is typically the desktop PC sitting in your home or office. The remote system is the device you’re using to view and control the desktop; it could be a laptop, tablet, or phone — or even another desktop system.)

During installation, LogMeIn (LMI) is smart enough to check whether the computer is set to drop into sleep mode after some period of inactivity. That’s important, because you can’t connect to a sleeping host. When I set up a laptop as a host, LogMeIn offered to reset the machine so that it wouldn’t go to sleep when attached to AC power. The installation also leads you through setting up a LogMeIn account. You’ll need the account when you set up a remote-access session through the remote device’s browser.

After installing the host application, I was surprised to see that the paid LogMeIn Pro version was installed. LogMeIn initially sets you up with a 14-day trial copy; after that, you either pay $69.95 a year or revert to the free edition. LogMeIn Pro adds capabilities such as file transfer, remote-to-local printing, desktop sharing, file sharing, remote sound, and diagnostic tools.

(Note: Because of LogMeIn’s trial strategy, the screenshots accompanying this article show Pro features not available with the free version.)

Most LMI users can stick with the default host settings if they’re making simple connections back to the home or office system. But for more sophisticated applications, such as signing in to someone else’s PC, you might want change how the program behaves. To do so, select the Options tab and click the Preferences button (see Figure 1).

The options found under the General tab specify how the host will respond when a user signs in.

The Performance section lets you specify whether LogMeIn should disable host-display effects and whether to use LMI’s display accelerator. Disabling display effects is helpful if screen redraws are slow on the remote system. Typically, you’d disable display acceleration only if you encountered problems with Windows Aero on the host computer.

If you’re supporting another PC user, you should decide which system’s mouse should have priority — the host computer’s or the remote device’s. If you’re just accessing your own desktop, it doesn’t matter which you choose.

Your choice of host-side consent rules is similar to mouse priority. If you’re working with other users, you’ll want to require a consent request so you don’t interrupt their work. You can also specify what happens if the other user doesn’t give consent.

The Security tab (see Figure 2) lets you specify additional layers of security. By default, LogMeIn requires just a username and a password to sign in to the host computer. The User Access Control option (Figure 3) lets you specify a set of users who are allowed to initiate a session. You can also specify in detail what rights each user will have.

For added security, you can require an additional password from anyone attempting to initiate a session. You can also filter IP addresses, limiting connections solely to specified addresses or blocking specific addresses.

Some of the features listed in the Advanced tab (see Figure 4) — including remote printing and file-transfer compression — apply only to the Pro version of the program. Users with Wake-on-LAN enabled in BIOS will want to make sure that option is selected.

Users of the free version will want to check the automatic updates option, activated by default. Scroll down toward the bottom of the Advanced window.

LogMeIn warns users that they might need to make some adjustments to the host’s firewalls and to some security programs. I tested the program with both Windows Firewall and Norton Internet Security and encountered no problems.

Connecting to a host system via the browser

To allow LogMeIn connections, start by launching the LMI app on the host system. Then, on the remote device, simply open a browser window, go to logmein.com, and sign in to your account.

The first time you sign in to the site, LogMeIn requests that you download and install a browser plugin. After that, the site lists all host computers attached to the account. I simply selected the computer I wanted to control; the browser window then prompted me to enter the machine’s username and password. With the proper credentials entered, the host system’s screen appears in the remote LMI window. (A separate LMI product, Ignition for Windows, iOS, and Android, lets you remotely control a host system without going through a browser.)

A customizable LogMeIn toolbar at the top of the client window lets you switch monitors (if the remote computer is running multiple displays), adjust screen resolution and color, and make other changes.

The Options button on the toolbar offers access to a dozen other tools available only in the Pro version. They include a laser pointer, whiteboard, and chat utility — plus the ability to connect to attached drives and printers.

The performance of LogMeIn depends primarily on the speed of your Internet connection. With a broadband connection, the performance seemed acceptable — though, understandably, not as fast and responsive as working locally.

I also found it reassuring that LogMeIn sent me a notification when I inadvertently entered the wrong password. Also, by default, if someone tries to access your LogMeIn account but doesn’t enter the correct username or password five times, the host computer will be locked — and can be unlocked only locally.

LogMeIn, by the way, also offers applications for Macintosh, iPad, and iPhone.

The bottom line: If all you want is an easy way to remotely access your own computer, LogMeIn Free is an effective and easy-to-use solution. On the other hand, if you’re going to be connecting to other users’ machines and need to communicate with them, you should spring for the Pro version. You’ll also want the Pro version if you need to remotely access a printer attached to the host system or if you wish to stream sounds from the host computer to the remote device.

Clean out obsolete, space-consuming update files

All versions of Windows typically retain obsolete Windows Update files that can take up gigabytes of disk space. Here’s how to delete them.

Plus: Dealing with multiple “unknown folders,” assessing an official Microsoft Money replacement, and getting past a weird Error 9c47 problem when installing IE 11.

Various ways to clean out unneeded update files

Keeping older copies of Windows Update files is a valuable function; it lets you roll a system back to a fully functional state should a new update go awry.

But once an update is installed and working, any older updates it supersedes become obsolete. Unfortunately, Windows retains these no-longer-needed files essentially forever — and adds new ones in every update cycle. Accumulating over the years, those archived updates can consume a significant amount of disk space!

Happily, it’s not hard to remove outdated update files and recover wasted hard-drive space. The only catch: The various Windows versions store archived update files in different ways and in different places, thus requiring different methods to remove them.

That’s the problem reader Patrick Sullivan ran into when attempting to remove old update files from his PC.

• “I remember that Mr. Langa recommended reducing drive clutter in XP by removing unneeded Windows Update files. But after moving to Windows 7, I’m unable to locate the uninstaller files. Is this cleanup process no longer possible in Win7?”

It can still be done, Patrick. But Windows 8 and some versions of Windows 7 use one method; other Win7 versions require a different method; Vista uses its own, unique process; and XP uses still another! None of these various cleanup techniques is particularly difficult; you just have to know where Microsoft puts the update files in your particular Windows version — and how to remove them correctly and safely.

I’ll show you all removal methods in a moment, but first a few words of caution.

These cleanup methods should be used only on healthy systems that have all relevant Windows updates installed and operating as they’re supposed to. Once you remove the obsolete update files, you’ll no longer be able to roll back from a problematic Windows update. In other words, don’t do these cleanups if there’s a chance you’ll need to uninstall an update and return Windows to an earlier version.

Also, even though cleaning out old updates is a relatively low-risk procedure, it’s always smart to start with a full backup or system image.

Finally, give yourself some objective metrics. Before you begin, take note of the free space available on your system drive (typically C:). Open Windows/File Explorer, right-click your system drive, and select Properties. The General tab will list the amount of used and free space.

After cleanup, you can recheck the disk-space metrics and accurately gauge the results of your work.

Now, here’s how to clean up Windows Update files you no longer need:

► In Windows 7 and 8:

The Disk Cleanup wizard (cleanmgr.exe) built into Windows 8 — and optional in Windows 7 — detects and easily eliminates obsolete update files.

The wizard built into Win7 can’t remove unneeded update files. For that task, you need the separate Deployment Image Servicing and Management (DISM) tool. That method still works in Win7 — I described it in an April 4, 2012, LangaList Plus item. But Win7’s new Disk Cleanup wizard is easier and better.

You might already have the new wizard and not even know it — it was released about a year ago via an optional Windows update. The simplest way to tell which version you have is to carefully follow the instructions below. If your Disk Cleanup wizard looks different or acts differently from what’s described, you have the older version. In that case, download and install the new wizard (32-bit version or 64-bit version).

Win8’s Disk Cleanup and Win7’s most recent version operate almost identically; there are just a few minor (mostly cosmetic) differences. Here’s how to use them both:

• Launch cleanmgr by your preferred means. For example, click the Win7 Start button, enter cleanmgr into the search box, and click Enter. In Win8, use the Start screen Search box to call up cleanmgr, then click on its icon. Or, in either OS, navigate to the C:\Windows\System32 folder and double-click cleanmgr.exe.
• When the Disk Cleanup wizard opens, select the Windows system drive (usually C:) and then click OK. The app will churn for a bit as it scans your drive for unneeded files.
• When the Disk Cleanup tab appears, click the Clean up system files button (see Figure 1) and then click OK. A new dialog box will open.


Figure 1. In Win8 and Win7 systems that have the new Disk Cleanup wizard, click the Clean up system files button to start the process of removing unneeded update files.

• Reselect the system drive (again, usually C:). Click OK. The app will churn once more as it rescans your drive — this time looking specifically for unneeded system-level files, including obsolete Updates. A new dialog box will open.
• Disk Cleanup will display an expanded list of files available for deletion. Make sure that Windows Update Cleanup is checked along with any other obsolete system-level files you want to remove (see Figure 2). Click OK when you’ve made your selections. (Note: If your system doesn’t currently contain any unneeded update files — such as in new or recently cleaned systems — the Windows Update Cleanup item won’t appear.)
  

  Figure 2. In the list of files to delete, ensure Windows Update Cleanup is checked — plus any other of the offered files you wish to remove.

• Wait until the app finishes — it might take several minutes.

► In Vista:

Vista’s simple Disk Cleanup wizard can’t delete obsolete Windows Update files. There is, however, the semi-automated, command line–based Windows Component Cleaning Tool (compcln.exe).

To use COMPCLN, open an administrator-level command window, type the following command, and press Enter:

C:\Windows\system32\compcln

Read the warnings (shown in Figure 3) and follow the prompts (i.e., press Y when prompted to continue). Let the software run to completion, which could take several minutes.

► In Windows XP:

There’s no automated way to remove unneeded update files from XP, but it’s not difficult to do so manually.

XP stores its Windows Update uninstall files in the \Windows folder and gives each file following pattern:

$NtUninstall{xxx}$

The {xxx} variable is typically the MS knowledge base/support identifier for a specific patch. (See Figure 4.)

To remove obsolete XP update files, simply select and delete all the $NtUninstall{xxx}$ files en masse.

► All Windows versions:

When the cleanup wizard is done, recheck the available free space on your system drive — and see how much elbow room you’ve gained!

Where did all the “unknown folders” come from?

Patrick Corkran found some unexpected files and folders on his PC.

• “I have a lot of folders on my hard drive that are labeled ‘unknown folder’ followed by a number such as 5408. What are these folders, and are they safe to delete?”

Folders so named are usually created when Check Disk (CHKDSK or chkdsk.exe) scans your disk and finds incorrectly saved/deleted fragments of files and folders. These fragments can be left behind after software crashes, after powering off your PC before a shutdown has fully completed, and for other reasons.

The fragments are often junk — but not always!

There can be valuable information still residing in the fragments. To help you recover that data, CHKDSK reassembles the pieces as best it can, labeling the related folders and files in a numerical sequence.

You can then look inside the recovered files with an app such as Notepad and possibly recover important data.

But again, most of these folder/file fragments contain unreadable information. If your PC is running normally, you know you have access to all your important data files and — especially important — you have good backups tucked away somewhere, so you can safely delete all the recovered files and folders in the normal fashion.

An official Microsoft Money replacement

After reading the Dec. 12, 2013, LangaList Plus item, “Running MS Works and Money on Windows 8,” Neal Pinckney wrote in with this helpful suggestion:

• “Fred, here’s another alternative to Microsoft Money.

  “Microsoft offers Microsoft Money Plus Sunset for free. MS Support article 2118008 describes the app, and the downloads [there are two versions] are available via another MS page.

  I don’t use Money, but the Sunset edition works for a friend who used Money for all his financial dealings and needed to install the app on a replacement laptop.”

Thanks, Neal.

Yes, when Microsoft pulled the plug on Money, it threw a bone to users in the form of the limited Sunset edition.

It might work fine for some users, but it’s still obsolete, unsupported software. It also lacks some functions included in the original. For example, the Sunset edition offers thin help information, limited import/export abilities, and no online services.

Personally, I don’t see the point of using software with those limitations, except possibly for archival purposes (i.e., reading older Money files). There are better, more powerful, actively supported, and fully up-to-date alternatives available — the free Intuit Mint service, for example. Running a Web search with the term microsoft money replacement alternative will turn up many other options. A search using convert microsoft money will provide information on moving Money files to current applications.

Again, the Sunset edition might work for some — and I appreciate your mentioning it — but the app is just too old and too limited to recommend.

Can’t install IE 11 on Win7 due to Error 9c47

Numerous Windows 7 users are having trouble installing Internet Explorer 11 via Windows Update.

The installation error seems a bit unpredictable. For example, one of my Win7 PCs was affected, but others — identically set up and maintained — were not.

Here’s what happens when the IE 11 install fails: Windows Update offers to install the browser, but the installation process never completes. (It apparently doesn’t matter whether Windows Update is set to run automatically or manually — both ways fail.) Windows Update then tells you, again, that “Updates are available” and retries the installation — again and again and again.

In other words, the IE 11 installation process gets trapped in an endless loop of failed installs and error codes. (Error 9c47 is the most common.)

The simplest fix? Skip Windows Update and use the full, standalone IE 11 installer. It’s a free download on the MS info page (watch out for the prechecked Bing and MSN default offers) and should easily install on most Windows systems. Once the standalone version is up and running, Windows Update should stop nagging you to install IE 11.

Some users have solved the problem with Windows System File Checker (SFC). It didn’t help on my problematic Win7 system, but if you want to try it, open an admin-level Command window and enter sfc /scannow at the prompt. (Note: To make repairs, sfc.exe usually needs access to the original system files on a Windows setup CD or some other similarly accessible location.) See MS Support article 929833 for basic info on using the System File Checker in Vista, Win7, and Win8 systems; see article 310747 for SFC on Windows XP.

But again, I recommend trying the full, standalone IE 11 installer first. It worked for me — and it just might work for you!