Page 1 of 1

How to create a virtualized and bulletproof work-environment

Posted: Mon Feb 15, 2010 2:57 am
by lyx
Note to moderators: this post mentions portable freeware applications AND portable payware applications. If necessary, move the thread.

I'm using portable applications not primarily for putting them on USB-sticks and stuff. Rather, i used portablized apps (and even in principle a fullblown portable windows environment) because i consider it the only sane way to structure apps.

On a normal windows system, you deal with:
- Apps are fixed to a windows install
- Your settings are fixed to a windows install
- Therefore, you in many case cannot easily do backups, especially not of your apps and settings
- and you cannot easily transfer your work environment to somewhere else (new computer, on the go, etc)
- windows selfdestructs over time
- windows slows down over time
- your apps selfdestruct over time and do all kinds of crap across the system
- you cannot easily simply "try" software without the danger of damage
- you typically need to constantly run a virus scanner in the background, slowing everything down
- and even then that virusscanner will only become active, AFTER stuff is already there
- the personal files you delete? will be recoverable for anyone with access to your pc
- and in general regarding privacy: what if you just have visitors and want to quickly let them to the pc - but without giving them access to certain files?
- if everything fails, prepare for reinstalling the whole system and its apps again - what fun!

My setup isn't affected by -any- of the above things. In fact:
- my -complete work environment- can be transfered in 5mins to somewhere else and run there. All apps, all settings, all fileassocs, shellenhancements, docs, mail, etc.
- these apps dont even need relative paths to function like that (registry entries and systemfiles however stay a problem)
- backups or transfer of the above, are a matter of copying 1 directory
- on reboot, my windows (C-drive) is exactly the same as before the boot - down to every single cluster
- as a result, its also blazingly fast - as fast as a fresh windows xp install (cause thats what it technically is)
- also, therefore no viruses or malware can be autorunning after a reboot. In fact, if it hooks into C, which it normally does, it wont exist anymore after a reboot.
- as a consequence, i can try software without any fear - not just regarding malware but also regarding crap/bloatware (messups of the system). I can also with a timeeffort of 5secs disconnect my apps and files from the system - so that any roguesoftware has no way at all do mess up for longer than it takes me to tip the power button two times.
- because of that, my virusscanner (clamwin portable) only is in memory when checking downloads, or when every few weeks, i do a full scan. Thats quite boring, because i haven't had a permanent infection in the whole 4 years
- since my apps are all portable, they dont clash with each other
- dismounting my personal files/apps from the system, takes 2 mouseclicks
- if everything fails: reuploading the entire system from a backup takes..... 5mins.

So in short, i'm living in some kind of computing-utopia ;) How does that work in my case? Well, at its core, there are the following key applications:

- Deepfreeze (virtualizes the entire C-partition with no speed penality)
- Truecrypt (virtualizes driveletters, allows category-based access-control, easy backups, ensures safe deletion of stuff)
- Total Commander (portablizes fileassociations)
- PStart (portablizes startmenu, keyboard shortcuts and autostarts)
- Some reliable disk imaging software (protects C from hdd-crashes, configuration mistakes or other desasters)

The setup in detail (Warning: While it is very easy and comfortable to "use" my setup, the whole install process is a LOT of effort, and requires that you are experiences about using computers):

0. Get a disk imaging software. Backup your current OS and all your data to a seperate drive. Check that the backup is fine before proceeding. Make sure you have all needed drivers for a reinstall. Save license keys, login data and stuff somewhere.

1. Format C: and make it just big enough to hold windows, drivers and stuff. 4GB should be more than enough. Format at least one additional partition to hold all your other stuff later.

2. Install WinXP freshly (if you want to and know how, you can also slim it down via nLite beforehand) and place the swapfile on D:

3. Make an image from C and save it to your backup hdd.

4. Install drivers and common codecs. Test that everything works fine. If not, restore C from the image and try again.

5. Make another image from C and save it to your backup hdd

6. Make a folder "mydocs" on D:, then use tweakui to relocate the "my documents" folder to there. Disable unneeded services, purge braindead autostarts, etc.

7. Install deepfreeze and set it to virtualize only C:. Important! Keep the setup file! You can only remove deepfreeze later with that setup file. You can make sure that you wont lose it by for example putting it on C:\Program Files\ before freezing. Read the deepfreeze manual to understand how freezing works, and how to switch it on/off. Test that everything works fine. When deepfreeze is enabled (not-thawed), all changes to C, no matter what, will vanish after rebooting - deepfreeze does this by relocating any writes into a file, so that any changes to C get sandboxes into that file - on reboot, DF simply wipes the file and windows starts fresh again.

Congratz: You've just virtualized your system. You dont need "watchdogs" anymore for your system. If something goes wrong, just reboot (however, anything outside of C can still be attacked)

8. Make another image from C

9. Make a new folder on D: - it will contain all your apps, files, config - your entire "operation environment" except of windows itself. I will from now on call this directory your "virtual account"

10. Copy P-Start into a subdir of your vaccount. Copy truecrypt into another subdir. Create a new truecrypt filecontainer somewhere in your vaccount, and make it large enough to hold all your portable apps. In the future, ALWAYS mount this container to T: (for Tools). The reason for this is: By always mapping all your apps to the same driveletter, your apps no longer need to use relative paths for their stuff - they just need to be portable in other aspects. T: because its very late in the alphabet, so you can be quite sure that T: will not be reserved if you mount your stuff on someone elses pc. Copy your portable apps to T:

Congratz - you've just virtualized your startmenu and the filesystem of your apps - and you can now make a backup of your apps by copying just one file. Plus, you can now control execution of your apps - have a visitor who shouldn't use your apps? just dismount T: with 2 mouseclicks

11. Create more TC-volumes in your vaccount to hold your docs and media. You can go with one volume for everything, or have multiple depending on category. Having multiple ones has the advantage, that you have finer control over which stuff to mount at a given time, and that when making backups you can easily backup by category.

Speaking of backups - if you want to backup everything - apps, docs, media, settings, etc. - then you can now do that by simply copying the dir of your vaccount (you need to dismount all TC-volumes first). Actually, now is a good situation to do just that! However, keep at least one fully unencrypted backup of your stuff, in case something goes wrong (never happened to me in years, but some people seem to have had problems, and were dumb enough to not have backups)

12. Autostart management: Perhaps at every reboot needing to start truecrypt and mount stuff annoys you. Plus, perhaps you want to autostart certain other portable things at boot (i.e. shell enhancements - pitaschio FTW!). To do this, link pstart to window's autostart folder. Then manage all your other autostarts via pstart's ability to autostart apps when pstart is launched (so, you can automatically make the prompt for the password of your tc-volume come up at boot). Also, perhaps you like keyboard shortcuts - pstart can do that too.

Yup, portablized autostarts and keycombos. That may sound trivial, but its actually a quite big one - because it means that when moving your vaccount to somewhere else, your typical tweaks and autolaunches travel with you. If you find a way to save windows themes portable, even your desktop look can travel with you!

13. Portable fileassociations: Install total commander and make the needed settings to turn it portable. Also, be aware that TC has an internal var %COMMANDER_DRIVE% which you can use in many situations. Total commander also since 7.50 has internal fileassociations (yes, including own contextmenu entries). With TC, you can have a portable central filecontroller with which you can manage files, images, sounds, archives, isos, unpacking setups via uniextract with a rightclick, upxcompressing executables with a rightclick, and more.

14. Fileassocs in other portable apps: some apps have their own internal associations - like for example, firefox. These associations use absolute paths - but that is no problem anymore now for you, because all your apps are on that virtualized T: wherever you go. So, you can now properly set such associations without problems. Also, a good way to keep some security about incoming files without having to run a resident virusscanner all the time, is to install portable clamwin, and then let your apps - i.e. firefox, launch clamwin for finished downloads.


Re: How to create a virtualized and bulletproof work-environment

Posted: Mon Feb 15, 2010 4:58 am
by appsuser
To do something similar with freeware, you can use Windows SteadyState and PortableFileAssociator for file associations.

Re: How to create a virtualized and bulletproof work-environment

Posted: Mon Feb 15, 2010 5:32 am
by tproli
Actually I'm doing this for years now, without DeepFreeze though (I used it and Clean Slate for a while but at the end I removed).

Some issues:
- fonts: you have to disable/enable DeepFreeze if you install them, or use a font management tool that can load them temporarily - cumbersome for dtp works
- viruses/trojans/etc: some can inject code to your exe/dll/etc files even if they are outside the system partition - so don't feel secured even if DF is running

Re: How to create a virtualized and bulletproof work-environment

Posted: Mon Feb 15, 2010 5:48 am
by lyx
In general, if you rely on apps/content which integrate in the system (so, also system fonts), then this setup wont work for you. It only works comfortable if your needs can be (almost) completely covered by portable software (though, i guess if thinapp were affordable, it could solve most cases - not the fonts one though).

As for malware infecting executables outside my system:
1. that never ever happened to me in years (though, perhaps its also because i don't even install software which just "advertizes" itself with an invasive attitude - common sense 2.0 and stuff)
2. the setup doesn't make a virusscanner unnecessary. It just makes a resident virusscanner unnecessary.
3. lets say my apps (T:) gets infected..... so? i'll catch it at the latest on the next fullsystem scan, and will do what? just replace my T:-container from a 1month old backup, which takes less than 5mins. The damage of malware-infections for the infected user mostly comes from: A) difficulty of reliable removal, B) risk of system malfunction, C) risk of app malfunction, D) the high cost of recovering from all those things. When malware cannot cause expensive damage anymore, then whats the problem?

P.S.: I consider the phrase "virusscanner" and "virusinfection" highly misleading nowadays, because virusses almost dont exist anymore nowadays. The vast majority of malware nowadays are: 1. crap/bloatware (yes, that stuff which is considered "legitimate"), 2. ad/spyware, 3. fraudware, 4. trojans/backdoors/botnets. All those are mostly only interested in stuff which is on C, because they hook into the system. The few virusses which nowadays still exist come in the form of "worms", and those in turn mostly spread via known insecure but very popular software.

For example, i only rarely and selectively apply windows updates. Why? I have just the bare minimum of services running, gagged IE, dont use mediaplayer, dont use outlook, dont use windows messenger, dont use remote desktop, dont use adobe acrobat reader - in other words, the majority of all security holes fixed every day, just arent present on my system in the first place.

Re: How to create a virtualized and bulletproof work-environment

Posted: Mon Feb 15, 2010 8:48 am
by Napiophelios
Nice article :)

I use a similar setup to build and test portables cuz my computer doesnt run virtual OS very well
and its simply freakin aggravating to use one in general (for me any way :mrgreen: )
So I have just a small partition (3gb) setup using Redllar's guidelines for setting up a virtual PC with DeepFreeze installed.
Except for drivers and a firewall, I have no programs installed on it (all portables :) )

Re: How to create a virtualized and bulletproof work-environment

Posted: Mon Feb 15, 2010 6:04 pm
by -.-
you can use returnil's program for same thing.

Normally I just use sandboxie :S simple to use and don't really need to worry much.
Anything I download gets ran in sandboxie, avira will pick up most viruses and such.

Plus I know what I'm downloading... that gets rid of most of the viruses...

Re: How to create a virtualized and bulletproof work-environment

Posted: Tue Feb 16, 2010 2:37 am
by lyx
The beginning post mentions "a few" more advantages, than simply being able to "try out" software sandboxed. I'm aware that the initial post is a bit long to read - still, you're basically replying to another thread :) This one discusses the following goals:

1. bulletproof and fast OS
2. complete virtual and portable "user account" - so, being able to transfer/backup/run your apps, settings, interface, associations, mail, docs, media to somewhere else - with one mouseclick - where it will work exactly the same without any modifications.