How to create a virtualized and bulletproof work-environment
Posted: Mon Feb 15, 2010 2:57 am
Note to moderators: this post mentions portable freeware applications AND portable payware applications. If necessary, move the thread.
I'm using portable applications not primarily for putting them on USB-sticks and stuff. Rather, i used portablized apps (and even in principle a fullblown portable windows environment) because i consider it the only sane way to structure apps.
On a normal windows system, you deal with:
- Apps are fixed to a windows install
- Your settings are fixed to a windows install
- Therefore, you in many case cannot easily do backups, especially not of your apps and settings
- and you cannot easily transfer your work environment to somewhere else (new computer, on the go, etc)
- windows selfdestructs over time
- windows slows down over time
- your apps selfdestruct over time and do all kinds of crap across the system
- you cannot easily simply "try" software without the danger of damage
- you typically need to constantly run a virus scanner in the background, slowing everything down
- and even then that virusscanner will only become active, AFTER stuff is already there
- the personal files you delete? will be recoverable for anyone with access to your pc
- and in general regarding privacy: what if you just have visitors and want to quickly let them to the pc - but without giving them access to certain files?
- if everything fails, prepare for reinstalling the whole system and its apps again - what fun!
My setup isn't affected by -any- of the above things. In fact:
- my -complete work environment- can be transfered in 5mins to somewhere else and run there. All apps, all settings, all fileassocs, shellenhancements, docs, mail, etc.
- these apps dont even need relative paths to function like that (registry entries and systemfiles however stay a problem)
- backups or transfer of the above, are a matter of copying 1 directory
- on reboot, my windows (C-drive) is exactly the same as before the boot - down to every single cluster
- as a result, its also blazingly fast - as fast as a fresh windows xp install (cause thats what it technically is)
- also, therefore no viruses or malware can be autorunning after a reboot. In fact, if it hooks into C, which it normally does, it wont exist anymore after a reboot.
- as a consequence, i can try software without any fear - not just regarding malware but also regarding crap/bloatware (messups of the system). I can also with a timeeffort of 5secs disconnect my apps and files from the system - so that any roguesoftware has no way at all do mess up for longer than it takes me to tip the power button two times.
- because of that, my virusscanner (clamwin portable) only is in memory when checking downloads, or when every few weeks, i do a full scan. Thats quite boring, because i haven't had a permanent infection in the whole 4 years
- since my apps are all portable, they dont clash with each other
- dismounting my personal files/apps from the system, takes 2 mouseclicks
- if everything fails: reuploading the entire system from a backup takes..... 5mins.
So in short, i'm living in some kind of computing-utopia How does that work in my case? Well, at its core, there are the following key applications:
- Deepfreeze (virtualizes the entire C-partition with no speed penality)
- Truecrypt (virtualizes driveletters, allows category-based access-control, easy backups, ensures safe deletion of stuff)
- Total Commander (portablizes fileassociations)
- PStart (portablizes startmenu, keyboard shortcuts and autostarts)
- Some reliable disk imaging software (protects C from hdd-crashes, configuration mistakes or other desasters)
The setup in detail (Warning: While it is very easy and comfortable to "use" my setup, the whole install process is a LOT of effort, and requires that you are experiences about using computers):
0. Get a disk imaging software. Backup your current OS and all your data to a seperate drive. Check that the backup is fine before proceeding. Make sure you have all needed drivers for a reinstall. Save license keys, login data and stuff somewhere.
1. Format C: and make it just big enough to hold windows, drivers and stuff. 4GB should be more than enough. Format at least one additional partition to hold all your other stuff later.
2. Install WinXP freshly (if you want to and know how, you can also slim it down via nLite beforehand) and place the swapfile on D:
3. Make an image from C and save it to your backup hdd.
4. Install drivers and common codecs. Test that everything works fine. If not, restore C from the image and try again.
5. Make another image from C and save it to your backup hdd
6. Make a folder "mydocs" on D:, then use tweakui to relocate the "my documents" folder to there. Disable unneeded services, purge braindead autostarts, etc.
7. Install deepfreeze and set it to virtualize only C:. Important! Keep the setup file! You can only remove deepfreeze later with that setup file. You can make sure that you wont lose it by for example putting it on C:\Program Files\ before freezing. Read the deepfreeze manual to understand how freezing works, and how to switch it on/off. Test that everything works fine. When deepfreeze is enabled (not-thawed), all changes to C, no matter what, will vanish after rebooting - deepfreeze does this by relocating any writes into a file, so that any changes to C get sandboxes into that file - on reboot, DF simply wipes the file and windows starts fresh again.
Congratz: You've just virtualized your system. You dont need "watchdogs" anymore for your system. If something goes wrong, just reboot (however, anything outside of C can still be attacked)
8. Make another image from C
9. Make a new folder on D: - it will contain all your apps, files, config - your entire "operation environment" except of windows itself. I will from now on call this directory your "virtual account"
10. Copy P-Start into a subdir of your vaccount. Copy truecrypt into another subdir. Create a new truecrypt filecontainer somewhere in your vaccount, and make it large enough to hold all your portable apps. In the future, ALWAYS mount this container to T: (for Tools). The reason for this is: By always mapping all your apps to the same driveletter, your apps no longer need to use relative paths for their stuff - they just need to be portable in other aspects. T: because its very late in the alphabet, so you can be quite sure that T: will not be reserved if you mount your stuff on someone elses pc. Copy your portable apps to T:
Congratz - you've just virtualized your startmenu and the filesystem of your apps - and you can now make a backup of your apps by copying just one file. Plus, you can now control execution of your apps - have a visitor who shouldn't use your apps? just dismount T: with 2 mouseclicks
11. Create more TC-volumes in your vaccount to hold your docs and media. You can go with one volume for everything, or have multiple depending on category. Having multiple ones has the advantage, that you have finer control over which stuff to mount at a given time, and that when making backups you can easily backup by category.
Speaking of backups - if you want to backup everything - apps, docs, media, settings, etc. - then you can now do that by simply copying the dir of your vaccount (you need to dismount all TC-volumes first). Actually, now is a good situation to do just that! However, keep at least one fully unencrypted backup of your stuff, in case something goes wrong (never happened to me in years, but some people seem to have had problems, and were dumb enough to not have backups)
12. Autostart management: Perhaps at every reboot needing to start truecrypt and mount stuff annoys you. Plus, perhaps you want to autostart certain other portable things at boot (i.e. shell enhancements - pitaschio FTW!). To do this, link pstart to window's autostart folder. Then manage all your other autostarts via pstart's ability to autostart apps when pstart is launched (so, you can automatically make the prompt for the password of your tc-volume come up at boot). Also, perhaps you like keyboard shortcuts - pstart can do that too.
Yup, portablized autostarts and keycombos. That may sound trivial, but its actually a quite big one - because it means that when moving your vaccount to somewhere else, your typical tweaks and autolaunches travel with you. If you find a way to save windows themes portable, even your desktop look can travel with you!
13. Portable fileassociations: Install total commander and make the needed settings to turn it portable. Also, be aware that TC has an internal var %COMMANDER_DRIVE% which you can use in many situations. Total commander also since 7.50 has internal fileassociations (yes, including own contextmenu entries). With TC, you can have a portable central filecontroller with which you can manage files, images, sounds, archives, isos, unpacking setups via uniextract with a rightclick, upxcompressing executables with a rightclick, and more.
14. Fileassocs in other portable apps: some apps have their own internal associations - like for example, firefox. These associations use absolute paths - but that is no problem anymore now for you, because all your apps are on that virtualized T: wherever you go. So, you can now properly set such associations without problems. Also, a good way to keep some security about incoming files without having to run a resident virusscanner all the time, is to install portable clamwin, and then let your apps - i.e. firefox, launch clamwin for finished downloads.
Done!
I'm using portable applications not primarily for putting them on USB-sticks and stuff. Rather, i used portablized apps (and even in principle a fullblown portable windows environment) because i consider it the only sane way to structure apps.
On a normal windows system, you deal with:
- Apps are fixed to a windows install
- Your settings are fixed to a windows install
- Therefore, you in many case cannot easily do backups, especially not of your apps and settings
- and you cannot easily transfer your work environment to somewhere else (new computer, on the go, etc)
- windows selfdestructs over time
- windows slows down over time
- your apps selfdestruct over time and do all kinds of crap across the system
- you cannot easily simply "try" software without the danger of damage
- you typically need to constantly run a virus scanner in the background, slowing everything down
- and even then that virusscanner will only become active, AFTER stuff is already there
- the personal files you delete? will be recoverable for anyone with access to your pc
- and in general regarding privacy: what if you just have visitors and want to quickly let them to the pc - but without giving them access to certain files?
- if everything fails, prepare for reinstalling the whole system and its apps again - what fun!
My setup isn't affected by -any- of the above things. In fact:
- my -complete work environment- can be transfered in 5mins to somewhere else and run there. All apps, all settings, all fileassocs, shellenhancements, docs, mail, etc.
- these apps dont even need relative paths to function like that (registry entries and systemfiles however stay a problem)
- backups or transfer of the above, are a matter of copying 1 directory
- on reboot, my windows (C-drive) is exactly the same as before the boot - down to every single cluster
- as a result, its also blazingly fast - as fast as a fresh windows xp install (cause thats what it technically is)
- also, therefore no viruses or malware can be autorunning after a reboot. In fact, if it hooks into C, which it normally does, it wont exist anymore after a reboot.
- as a consequence, i can try software without any fear - not just regarding malware but also regarding crap/bloatware (messups of the system). I can also with a timeeffort of 5secs disconnect my apps and files from the system - so that any roguesoftware has no way at all do mess up for longer than it takes me to tip the power button two times.
- because of that, my virusscanner (clamwin portable) only is in memory when checking downloads, or when every few weeks, i do a full scan. Thats quite boring, because i haven't had a permanent infection in the whole 4 years
- since my apps are all portable, they dont clash with each other
- dismounting my personal files/apps from the system, takes 2 mouseclicks
- if everything fails: reuploading the entire system from a backup takes..... 5mins.
So in short, i'm living in some kind of computing-utopia How does that work in my case? Well, at its core, there are the following key applications:
- Deepfreeze (virtualizes the entire C-partition with no speed penality)
- Truecrypt (virtualizes driveletters, allows category-based access-control, easy backups, ensures safe deletion of stuff)
- Total Commander (portablizes fileassociations)
- PStart (portablizes startmenu, keyboard shortcuts and autostarts)
- Some reliable disk imaging software (protects C from hdd-crashes, configuration mistakes or other desasters)
The setup in detail (Warning: While it is very easy and comfortable to "use" my setup, the whole install process is a LOT of effort, and requires that you are experiences about using computers):
0. Get a disk imaging software. Backup your current OS and all your data to a seperate drive. Check that the backup is fine before proceeding. Make sure you have all needed drivers for a reinstall. Save license keys, login data and stuff somewhere.
1. Format C: and make it just big enough to hold windows, drivers and stuff. 4GB should be more than enough. Format at least one additional partition to hold all your other stuff later.
2. Install WinXP freshly (if you want to and know how, you can also slim it down via nLite beforehand) and place the swapfile on D:
3. Make an image from C and save it to your backup hdd.
4. Install drivers and common codecs. Test that everything works fine. If not, restore C from the image and try again.
5. Make another image from C and save it to your backup hdd
6. Make a folder "mydocs" on D:, then use tweakui to relocate the "my documents" folder to there. Disable unneeded services, purge braindead autostarts, etc.
7. Install deepfreeze and set it to virtualize only C:. Important! Keep the setup file! You can only remove deepfreeze later with that setup file. You can make sure that you wont lose it by for example putting it on C:\Program Files\ before freezing. Read the deepfreeze manual to understand how freezing works, and how to switch it on/off. Test that everything works fine. When deepfreeze is enabled (not-thawed), all changes to C, no matter what, will vanish after rebooting - deepfreeze does this by relocating any writes into a file, so that any changes to C get sandboxes into that file - on reboot, DF simply wipes the file and windows starts fresh again.
Congratz: You've just virtualized your system. You dont need "watchdogs" anymore for your system. If something goes wrong, just reboot (however, anything outside of C can still be attacked)
8. Make another image from C
9. Make a new folder on D: - it will contain all your apps, files, config - your entire "operation environment" except of windows itself. I will from now on call this directory your "virtual account"
10. Copy P-Start into a subdir of your vaccount. Copy truecrypt into another subdir. Create a new truecrypt filecontainer somewhere in your vaccount, and make it large enough to hold all your portable apps. In the future, ALWAYS mount this container to T: (for Tools). The reason for this is: By always mapping all your apps to the same driveletter, your apps no longer need to use relative paths for their stuff - they just need to be portable in other aspects. T: because its very late in the alphabet, so you can be quite sure that T: will not be reserved if you mount your stuff on someone elses pc. Copy your portable apps to T:
Congratz - you've just virtualized your startmenu and the filesystem of your apps - and you can now make a backup of your apps by copying just one file. Plus, you can now control execution of your apps - have a visitor who shouldn't use your apps? just dismount T: with 2 mouseclicks
11. Create more TC-volumes in your vaccount to hold your docs and media. You can go with one volume for everything, or have multiple depending on category. Having multiple ones has the advantage, that you have finer control over which stuff to mount at a given time, and that when making backups you can easily backup by category.
Speaking of backups - if you want to backup everything - apps, docs, media, settings, etc. - then you can now do that by simply copying the dir of your vaccount (you need to dismount all TC-volumes first). Actually, now is a good situation to do just that! However, keep at least one fully unencrypted backup of your stuff, in case something goes wrong (never happened to me in years, but some people seem to have had problems, and were dumb enough to not have backups)
12. Autostart management: Perhaps at every reboot needing to start truecrypt and mount stuff annoys you. Plus, perhaps you want to autostart certain other portable things at boot (i.e. shell enhancements - pitaschio FTW!). To do this, link pstart to window's autostart folder. Then manage all your other autostarts via pstart's ability to autostart apps when pstart is launched (so, you can automatically make the prompt for the password of your tc-volume come up at boot). Also, perhaps you like keyboard shortcuts - pstart can do that too.
Yup, portablized autostarts and keycombos. That may sound trivial, but its actually a quite big one - because it means that when moving your vaccount to somewhere else, your typical tweaks and autolaunches travel with you. If you find a way to save windows themes portable, even your desktop look can travel with you!
13. Portable fileassociations: Install total commander and make the needed settings to turn it portable. Also, be aware that TC has an internal var %COMMANDER_DRIVE% which you can use in many situations. Total commander also since 7.50 has internal fileassociations (yes, including own contextmenu entries). With TC, you can have a portable central filecontroller with which you can manage files, images, sounds, archives, isos, unpacking setups via uniextract with a rightclick, upxcompressing executables with a rightclick, and more.
14. Fileassocs in other portable apps: some apps have their own internal associations - like for example, firefox. These associations use absolute paths - but that is no problem anymore now for you, because all your apps are on that virtualized T: wherever you go. So, you can now properly set such associations without problems. Also, a good way to keep some security about incoming files without having to run a resident virusscanner all the time, is to install portable clamwin, and then let your apps - i.e. firefox, launch clamwin for finished downloads.
Done!