Security → Windows Shared Computer ToolKit XP Details & Help

This FREE Windows Utility works on both XP Home and XP Pro and XP Tablet PC editions, other versions of XP and windows are not supported.

Basically you can read the documentation for in depth information but I will do my best to explain the advantages and disadvantages I have found using and installing this for clients as well as helping others use this at home.

The very first thing that needs to be explained is that this is an excellent tool even for home use. The documentation makes it seems like only very public systems like a library or school can benefit by the use of this tool, which is not really true.

The core of this tool is the windows disk protection which requires 1 Gig ("Or 10 percent of actual disk or partition size, whichever is greater") of use in unallocated disk space, what this unallocated area does is keep 2 disk images ("One to revert back to, much like one would use a system restore point for") in the event of problems, or change of mind on a modified setting.

This may at first seem like one is giving up a ton of disk space to use this product, however the results in safety and recovery under almost any malware or accidental change or deletion soon prove to be worth the space.

The actual space of the toolkit itself is only about 5 Megabytes, you will need to be using a Genuine version of Windows XP and may be prompted to install the User Profile Hive Cleanup Service before being allowed to install the toolkit.

If needed you can set a multitude of user restrictions based on user id, however you could just run as you are now and even with having Admin privileges once you restart your Windows drive is as it was before you logged on. This is because any changes of any kind are actually cached and not really written to your windows partition unless you authorize it.

So, you can do anything as Admin and have peace of mind that no matter what malware you encounter or accidental changes or deletions are done, you will be as you were before whatever happened happened.

Say you want to add software, because it would not normally be saved after the next restart ("Using this tool") it is as simple as changing the Windows Disk Protection to "Save Changes at Next Restart". Now say you go OMG what I installed had malware, I never noticed. Not a problem because you can always revert back to one disk image prior, by using F8.

If you have extensive tests or changes to do for new software that may require multiple restarts, you can set "Retain Changes Indefinitely".

The restrictions on a per user basis are extensive and very selective. You are not required to use them, but you may have a need.

So far I have seen nothing easier to use, that protects a system with rock solid logic of not allowing anything to change anything on the drive that windows is installed on, without permission. Since any and all changes to the windows drive during any logon are cached once the system is restarted there is no overhead, the only overhead of this beside the 1 Gig ("Or 10 Percent rule") initial overhead is when you save changes.

Persistence of user data can be done by selectively keeping user profiles on a disk or partition which is not located where Windows is installed. This allows the entire drive or partition where Windows is located to remain protected while allowing users to retain changes and without the need to save changes at restart. This could cause malware to be placed on that partition or drive, however since it has no launch ability it would remain dormant. I of course would still suggest using an A/V to be safe.

Users can also be allowed to run and install programs outside of the protected area where Windows is located and even if they installed malware doing this Windows would still remain protected for all other users because said malware could never embed anywhere for other users.

I have installed this in many client sites, and also for friends and family, and all I can say is there is nothing more user friendly and protective which provides this kind of flexibility.

I would like to keep this thread going for people that would like to take a crack at installing this and trying it. I will answer any questions and may be able to save some others some time about configuring and using this.

Pros

1. Complete protection of the entire partition or disk where Windows is located. It's like doing a total system restore in 2 seconds every restart, back to a known clean image of an entire partition or drive.

2. Awesome per user restrictions if needed, too many to list here.

3. A Malware testers dream, go anywhere even as Admin and have no fear. Because the entire partition or disk where Windows is located is copied to an un-allocated area on disk, would be very hard to infect.

4. Can be easily changed, including user changes as well as other features.

5. Lets you basically install anything, test it, and if you decide you don't want it, re-boot, and it's gone.

6. Even if you screw up and save an image, you can revert back to one image prior, so there is some forgiveness on that.

7. System Restore can still be used, but...you will need to do a "Save changes on next re-boot" the saved image retains your changes.

Cons

1. The required disk space of 1 Gig ("Or 10 percent of the disk size where Windows is located") at first is hard to stomach, even if one decided not to keep using this toolkit, you can always reclaim that space back. But it is a large chunk of disk for some. If you are a DVD/CD burner kind of person, you would want to increase this space to about 2 Gig larger if you store Lots of CD and or DVD data.

2. When you change an image it takes about 20 seconds to complete. This can be even longer if you don't move the Windows paging file to a partition or disk other than the one Windows is located on.

3. Anytime you make a change to Windows, of any kind, or install new software ("A/V Updates are handled automatically, and you can add scripts to handle other updates if needed") you will need to remember to set Windows Disk Protection to "Save Changes On Next Restart" otherwise any changes will not stick after restarts.

4. The documentation at times can be confusing, however the User Interface is very easy to use.

If anyone has any questions or needs help with setting this up just shout, if you want a FREE bullet-proof way to fortify your XP Home or XP Pro system, or need very selective user restrictions this rocks, both for corporate and home use.

Instant recovery without even a mouse click, it all goes back as it was on the next re-boot.

For more documentation about the toolkit please go here:

»www.microsoft.com/window ··· ult.mspx

Don't let the Public places documentation on this fool you. It's a great protection method period and ....it's Free!

The Microsoft Shared Computer Toolkit Handbook Overview can also be helpful here:

»www.microsoft.com/techne ··· ult.mspx

Here also is a FAQ as well:

»go.microsoft.com/fwlink/ ··· Id=47836

List of possible per user restrictions as well:

»www.microsoft.com/techne ··· h04.mspx

This sounds a little crazy...
Say you have 120GB disk, with a 50GB windows partition.
From the quote the utility requires 12GB of unallocated space. It should be 5GBs at most.
Why does the utility need to monitor the other 70GBs of disk space?

Based on your experience are there any other things users should do prior to installing? Any disc cleaning, defraging so forth to make install any easier or of that nature?

This seems to be a far better solution than what Mike was suggesting by far. This is going to be a good thread to keep an eye on for sure.

I've linked to it from my place as well as provided the newsgroup link as well:
»www.microsoft.com/commun ··· edaccess

Thanks for the info.

MS Alternative to Deep Freeze etc

Some useful contributions/experiences/screenies etc about in here -

»www.wilderssecurity.com/ ··· &t=96996

Spanner

If for example Windows was on a 50GB partition, since the rule is 10 Percent of the drive or partition space or 1GB whichever is greater it would be 5GB.

OK, this might sound insane but here goes.

On some XP home systems using F8 any user can revert to the prior image, so for security reasons this is what I would do, once you have installed the toolkit and done testing, and are sure you have a good baseline with any user restrictions in place.

1. Turn Off Windows disk protection.

2. Do a disk cleanup, use the advance feature and remove all but the most current restore point, then also do the normal disk cleanup.

3. Create another restore point.

4. Do a defrag.

5. Turn on Windows Disk Protection.

6. Uncheck the check box in the getting started window in "Show Getting Started at Startup" unless you want this pop-up for the Admin ID for the toolkit to see this every-time in the future ("You can launch getting started via the program start menu when needed").

Change Windows Disk Protection to "Save Changes On Next Restart".

7. Restart.

8. Change Windows Disk Protection to "Save Changes On Next Restart". Again and restart.

9. Make some change and restart to make sure it does not stick and you then know your setup is working.

The reason why is on some XP systems all users can use F8 and revert to the prior disk image, if that was missing some settings they might get by the protection, this way both stored disk images will be the same.

That pretty much does it. You should be able to change, delete anything, suck up any type of malware even a rootkit, and when you reboot, Poof...it's all back to normal.

Please note that if you allow users to have persistent data on other partitions or drives, or allow users to run programs on those drives, malware can still park there, but it will never be allowed to propagate to the Windows Partition, so you will have sand boxed it from embedding itself in Windows at least.

Of course, I would still be very careful when adding new things but even then, you can revert to one prior disk image if needed, or even use a restore point or worse case use an A/V to remove whatever and get back to a stable disk image.

If your careful, this is very hard to break.

It is also VERY important to change your BIOS to boot first from disk, otherwise if a CD or floppy is before the Hard Drive in the boot order, someone might be able to still enter the system using these methods, also add a strong password to your BIOS setup and you are covered.

My clients are doing back-flips over this, lol.

If anyone needs help on how to create a template .bat file to apply to many users the same restrictions let me know, it beats doing it manually.

Sounds interesting

Thanks ZOverLord

Thank you very much, ZOverLord! Excellent write up and very thorough. This really looks interesting!

I've bookmarked this topic and will be recommending this tool more often

Thanks for this...

I put in a plug for this thread over on the Microsoft forum...

»Microsoft

I used this tool a couple of weeks ago at a client that had about 6 or 7 public pcs. Its been working great. The pcs have about 3 or 4 icons on the desktop and a restart button in the start menu. If there are any issues with the pcs, my client just reboots the machine and everything is back.

I ran across that last week, I thought I had posted and asked about it. Glad to know it works so well.
As soon as I get this thing cleaned up I will install it.
Will be checking with you for advice later.

Question:

From what I've read about this tool so far, this sounds like Deep Freeze except it's free. Would that be accurate?

Mind you, I haven't much experience with Deep Freeze, but have seen it in action. This tool sounds similar.

Thanks for all the info on this. Would be something to consider...

I would like to see some screenshots please

You try looking thru here

»www.microsoft.com/window ··· ult.mspx

How many resources does it take?
Will it slowdown your windows experience?
Is it transparent to the user?
Is it transparent to the resources/performance?
I mean there is a fine line between security and turning your newest greatest 398349393Ghz system in a 486SX25Mhz.

It wouldnt install on my computer because my drive on which the OS runs on is not C:

This does sound like deep freeze (I use deep freeze). I'll have to check this out and compare. Now if I can find the time

How many resources does it take?

Answer:

The Initial un-named partition size of 1GB or 10 percent of the size of the Windows partition or disk.

Is it transparent to the user?

Answer:

If there are restrictions, they will notice those.

If you set it up that on Log Off a restart is required they will notice.

Other than that yes.

Is it transparent to the resources/performance?

Really what is happening is that any changes are just being written somewhere else, so the overhead is minimal.

However, when you make a change of any kind, such as add new programs, change user settings, add users, there is the extra step of setting "Save Changes on next restart" other than that there is no noticeable overhead other than the new image being created once at restart when you authorize changes.

That should not be a restriction, what was the error, and during what process did it fail?

1. User Hive Install

2. Toolkit Install

What was the exact error?

"Invalid drive C:\"

Is it a Dynamic disk?

There should be no limitation on drive letter, that's why I am trying to find out how far you got during the install.

Did you see my other question in my last post about where the install died?

Here is more info on disk requirements:

»www.microsoft.com/techne ··· h02.mspx

Not a Dynamic disk, it has 50 GB free, and heres a screenshot. It happens almost immediately after I run the installer

How many Partitions do you currently have on that physical drive?

Please read this as well:

»www.microsoft.com/techne ··· h0a.mspx

I guess what I am trying to find out, since I never have seen the error is..No Part of the toolkit ever installed prior to this error?

Also Dumb? Did you save the Toolkit install file to disk, or do a run at download time?

Only one partition (Primary partition). No part of the toolkit installed before since I got the same issue before. I did save the file to a folder on my desktop where I keep all of my Installers.

And the drive is NTFS? not FAT32?

This aspect of the toolkit needs the source, Microsoft, to clarify what they really meant. The "actual disk" is always going to be bigger than the "partition size" that resides on it. So again if Windows resides on a 50GB partition on a 120GB disk, then 10% of 50GB is 5GB and 10% of 120GB is 12GB. The 12GB is the the greater.
My feeling is MS mis-stated the required unallocated disk space for the toolkit. Thus, the requirement is not as bad as it first seems.

I only have one partition on the drive, so the space after NTFS formatting is 114 GB. Of course, I have used some of that so I have 50 GB left

All my drives are formatted with NTFS

As I said in my original post, the documentation is not well laid out, but they do qualify it better here:

»www.microsoft.com/techne ··· h02.mspx

Quote:

To calculate required size of unallocated disk space

If you need to determine the required size of the unallocated space, you can use one of the following procedures:

• Windows partition uses the entire disk. Divide the disk size in GB by 10. If the result is more than 1 GB, that is the required size of the unallocated space.

• Windows partition uses part of disk. Divide the size of the Windows partition by 10. If the result is more than 1 GB, that is the required size of the unallocated space.

If the tool you use to resize partitions reports space in MB, multiply the calculated figures by 1024 to convert gigabytes to megabytes.

Note:

Some tasks, such as creating or copying CDs, use significant amounts of disk space on a temporary basis. If your computer will be used for these tasks, ensure enough unallocated disk space exists before the protection partition is created to contain the full contents of two CDs or DVDs.

So I need to make my primary partition smaller to use this or are you talking about free space on the drive? If thats the case then I dont want to use this. But I doubt MS would require you to mess with partitions if this program is meant to make things simpler

This is the first time I have seen an error using drives other than "C:" and there are no known issues about this, so I wonder, did you use some 3rd party tool to format or create the partition?

Normally also, the install will not work until the User Profile Hive Cleanup Service has been Installed first, which is located here:

»www.microsoft.com/downlo ··· =NYB7R76